1. Systems and methods for preventing heap-spray attacks
    Granted patent (in force)

    Publication number: US08788785B1

    Publication date: 2014-07-22

    Application number: US13006705

    Filing date: 2011-01-14

    Applicant: Uri Mann

    Inventor: Uri Mann

    IPC classification: G06F12/00

    CPC classification: G06F21/52

    Abstract: A computer-implemented method for preventing heap-spray attacks may include identifying an object-oriented program. The computer-implemented method may also include identifying, within the object-oriented program, a request to allocate memory for a polymorphic object. The polymorphic object may include a pointer to a virtual method table that supports dynamic dispatch for at least one method of the polymorphic object. The computer-implemented method may further include identifying an area of memory reserved for polymorphic objects. The computer-implemented method may additionally include allocating memory for the polymorphic object from the reserved area of memory. Various other methods, systems, and computer-readable media are also disclosed.

2. Fake exception handler detection
    Granted patent (in force)

    Publication number: US08707433B1

    Publication date: 2014-04-22

    Application number: US13100001

    Filing date: 2011-05-03

    Applicant: Uri Mann

    Inventor: Uri Mann

    IPC classification: G06F11/00

    Abstract: Fake exception handlers resulting from malicious stack buffer overflows that overwrite an exception handling record on the stack are detected. The operating system exception processing logic is monitored. Responsive to an exception occurring, an exception handler to be called by the monitored operating system exception processing logic is identified. A specific number of the first bytes of the identified exception handler are scanned to determine whether a return instruction is present therein. Instructions of the identified exception handler that are positioned prior to the return instruction are analyzed to determine whether they modify the value of the stack pointer so as to shrink the stack. The identified exception handler is adjudicated as being fake, responsive to determining that a return instruction is present in the first specific number of bytes of the exception handler and/or that the instructions positioned prior to the return instruction shrink the stack.

3. Systems and methods for preventing threats originating from a non-process based component hosted by a trusted process
    Granted patent (in force)

    Publication number: US08205257B1

    Publication date: 2012-06-19

    Application number: US12510828

    Filing date: 2009-07-28

    IPC classification: H04K1/00

    Abstract: A computer-implemented method for preventing threats originating from a non-process based component hosted by a trusted process is described. The loading activity of the trusted process is monitored. A trust level associated with the trusted process is altered when an unverified component is loaded into the trusted process. Events performed by the trusted process are monitored. An unverified component that originated the event is identified. The trusted process is terminated based on a security risk associated with the unverified component that originated the event.