Abstract:
Methods, and computing devices implementing the methods, that enable client computing devices to work in conjunction with a server device to identify and temporarily defend against non-benign applications (e.g., malware, etc.) and other threats before a more permanent solution or defense (e.g., a patch or software upgrade) becomes available and is installed on the client computing device. The server device may be configured to receive reports from the client computing devices, receive threat feeds from a third-party server (e.g., threat intelligence servers, etc.), and use information included in the received threat feeds and in the received reports to analyze, in multiple passes on the server computing device, a software application that is operating on a client device. The server may generate one or more threat scores and send the one or more threat scores to the client computing device for use in devising a customized security response.
Abstract:
Various embodiments enhance protections against stack buffer overflow attacks in a computing device by dynamically updating stack canaries. Canary values on the stack of a child process may be replaced with new canary values in response to determining that a condition for generating new canary values is satisfied, for example when a child process is forked following a crash of a previous child process of the parent process, or in response to expiration of a canary timeout time. The locations of the canaries to replace may be determined by walking the stack to locate entries in each stack frame that match the previous value of the canary, or by walking the stack according to a predefined stack frame format.
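The two canary-location strategies in this abstract, value matching and a fixed frame format, as an added example (not the patent's code); the frame size, canary slot and stack contents are constructed so the walk can run on an ordinary array:

```c
/* Added example (not the patent's code): rotate canaries in a simulated child-process
 * stack with both location strategies the abstract names; layout values are constructed. */
#include <stddef.h>
#include <stdint.h>

#define FRAME_WORDS 8 /* constructed: every frame is 8 machine words */
#define CANARY_SLOT 6 /* constructed: canary sits just below the saved frame pointer */

/* Fill `frames` frames; every non-canary slot gets a distinct filler value. */
void build_stack(uintptr_t *stack, size_t frames, uintptr_t canary) {
    for (size_t f = 0; f < frames; f++)
        for (size_t w = 0; w < FRAME_WORDS; w++)
            stack[f * FRAME_WORDS + w] = (w == CANARY_SLOT) ? canary : (uintptr_t)(0x1000 + f * FRAME_WORDS + w);
}

/* Strategy 1: walk every word and rewrite slots equal to old_canary. Needs no frame
 * metadata, but a data word equal to the old canary is rewritten too; returns replacements. */
size_t rotate_by_value(uintptr_t *stack, size_t words, uintptr_t old_canary, uintptr_t new_canary) {
    size_t replaced = 0;
    for (size_t i = 0; i < words; i++)
        if (stack[i] == old_canary) { stack[i] = new_canary; replaced++; }
    return replaced;
}

/* Strategy 2: walk frame by frame using the known format; immune to accidental data matches. */
size_t rotate_by_frame(uintptr_t *stack, size_t frames, uintptr_t new_canary) {
    for (size_t f = 0; f < frames; f++)
        stack[f * FRAME_WORDS + CANARY_SLOT] = new_canary;
    return frames;
}

/* Count slots holding `value`; used to check that no stale canary survives. */
size_t count_value(const uintptr_t *stack, size_t words, uintptr_t value) {
    size_t n = 0;
    for (size_t i = 0; i < words; i++) if (stack[i] == value) n++;
    return n;
}

/* Round trip on a constructed 4-frame stack: c0 -> c1 by value walk, then c1 -> c0 by frame
 * walk. Low byte of each canary is zero, as glibc does, so a string overflow cannot reproduce it. */
int rotation_demo(void) {
    uintptr_t s[4 * FRAME_WORDS];
    const uintptr_t c0 = (uintptr_t)0xa1b2c3d400ULL, c1 = (uintptr_t)0x5e6f7a8b00ULL;
    build_stack(s, 4, c0);
    size_t n1 = rotate_by_value(s, 4 * FRAME_WORDS, c0, c1);
    size_t n2 = rotate_by_frame(s, 4, c0);
    return n1 == 4 && n2 == 4 && count_value(s, 4 * FRAME_WORDS, c0) == 4
        && count_value(s, 4 * FRAME_WORDS, c1) == 0;
}
```

In a real process the walk runs while the child is stopped, and the value-matching variant is only safe when the canary is unlikely to collide with ordinary stack data.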
Abstract:
Various embodiments include methods for dynamically modifying shared libraries on a client computing device. Various embodiment methods may include receiving a first set of code segments and a first set of code sites associated with a first application. Each code site in the first set of code sites may include an address within a compiled shared library stored on the client computing device. The compiled shared library may include one or more dummy instructions inserted at each code site in the first set of code sites, and each code segment in the first set of code segments may be associated with a code site in the first set of code sites. The client computing device may insert each code segment in the first set of code segments at its associated code site in the compiled shared library.
Abstract:
Various embodiments include methods and a memory data collection processor for performing online memory data collection for memory forensics. Various embodiments may include determining whether an operating system executing in a computing device is trustworthy. In response to determining that the operating system is not trustworthy, the memory data collection processor may collect memory data directly from volatile memory. Otherwise, the memory data collection processor may use the operating system to collect memory data from volatile memory. Memory data may be collected at a variable memory data collection rate determined by the memory data collection processor. The memory data collection rate may depend upon whether an available power level of the computing device exceeds a threshold power level, whether an activity state of the processor of the computing device equals a sleep state, whether a security risk exists on the computing device, and whether a volume of memory traffic in the volatile memory exceeds a threshold volume.
Abstract:
Mobile computing devices may be configured to compile and execute portions of a general purpose software application in an auxiliary processor (e.g., a DSP) of a multiprocessor system by reading and writing information to a shared memory. A first process (P1) on the applications processor may request address negotiation with a second process (P2) on the auxiliary processor, obtain a first address map from a first operating system, and send the first address map to the auxiliary processor. The second process (P2) may receive the first address map, obtain a second address map from a second operating system, identify matching addresses in the first and second address maps, store the matching addresses as common virtual addresses, and send the common virtual addresses back to the applications processor. The first and second processes (i.e., P1 and P2) may each use the common virtual addresses to map physical pages to the memory.
Abstract:
Various embodiments include systems, methods and devices for reducing the burden on mobile devices of memory data collection for memory forensics. Various embodiments may include monitoring for changes in sections or portions of memory within the computing device that have been identified by a network device based on a prior memory snapshot. When changes are detected, the computing device may determine whether the data changes in the monitored sections or portions of memory satisfy a criterion for transmitting an incremental snapshot of memory. Such criteria may be defined in information received from the network device. When the criteria are satisfied, the computing device may transmit an incremental memory snapshot to the network device. The computing device may also transmit to the network device the results of its analysis of the data changes observed in the memory. Various embodiments may be performed in a secure environment or in a memory collection processor within the computing device.
Abstract:
Methods and devices for detecting suspicious or performance-degrading mobile device behaviors may include performing behavior monitoring and analysis operations to intelligently, dynamically, and/or adaptively determine the mobile device behaviors that are to be observed, the number of behaviors that are to be observed, and the level of detail or granularity at which the behaviors are to be observed. Such behavior monitoring and analysis operations may be performed continuously (or near continuously) in a mobile device without consuming an excessive amount of processing, memory, or energy resources of the mobile device by identifying hot application programming interfaces (APIs) and hot action patterns that are invoked or used most frequently by software applications of the mobile device and storing information regarding these hot APIs and hot action patterns separately and more efficiently.
Abstract:
Mobile computing devices may be configured to intelligently select, compile, and execute portions of a general purpose software application in an auxiliary processor (e.g., a DSP) of a multiprocessor system. A processor of the mobile device may be configured to determine whether portions of a software application are suitable for execution in an auxiliary processor, monitor operating conditions of the system, determine a historical context based on the monitoring, and determine whether the portions that were determined to be suitable for execution in an auxiliary processor should be compiled for execution in the auxiliary processor based on the historical context. The processor may also be configured to continue monitoring the system, update the historical context information, and determine whether code previously compiled for execution on the auxiliary processor should be invoked or executed in the auxiliary processor based on the updated historical context information.
Abstract:
Various embodiments include methods for detecting software attacks on a process executing on a computing device. Various embodiment methods may include monitoring structural attributes of a plurality of virtual memory regions (VMRs) utilized by the process, and comparing the monitored structural attributes to the expected structural attributes of the plurality of VMRs. Various embodiment methods may further include determining whether the monitored structural attributes represent anomalous behavior of the process based on the comparison between the monitored structural attributes and the expected structural attributes.
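One concrete reading of "structural attributes of VMRs", as an added example that is not the patent's code: derive region counts and permission patterns from /proc/&lt;pid&gt;/maps-style lines and compare them with a baseline. Both maps listings are constructed; the attribute set and thresholds are this example's assumptions, not the patent's.

```c
/* Added example (not the patent's code): compute structural attributes of a process's
 * virtual memory regions from /proc/<pid>/maps-style lines and compare them with a
 * baseline. Both maps listings below are constructed. */
#include <stdio.h>
#include <string.h>

typedef struct {
    int regions, exec_regions, wx_regions, anon_exec; /* total, x, w+x, x with no file */
} vmr_attrs;

/* Parse newline-separated maps lines. Each line is copied out first so a missing
 * path field cannot make sscanf read on into the following line. */
vmr_attrs collect_vmr_attrs(const char *maps) {
    vmr_attrs a = {0, 0, 0, 0};
    while (*maps) {
        const char *nl = strchr(maps, '\n');
        size_t len = nl ? (size_t)(nl - maps) : strlen(maps);
        char buf[512], perms[5] = "", path[256] = "";
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, maps, len);
        buf[len] = '\0';
        if (sscanf(buf, "%*lx-%*lx %4s %*s %*s %*s %255s", perms, path) >= 1) {
            int w = perms[1] == 'w', x = perms[2] == 'x';
            a.regions++;
            if (x) { a.exec_regions++; if (path[0] != '/') a.anon_exec++; }
            if (w && x) a.wx_regions++;
        }
        if (!nl) break;
        maps = nl + 1;
    }
    return a;
}

/* Anomalous when the observed layout has more executable, W+X or anonymous executable
 * regions than the baseline recorded from a healthy run of the same program. */
int vmr_anomalous(vmr_attrs expected, vmr_attrs observed) {
    return observed.exec_regions > expected.exec_regions
        || observed.wx_regions > expected.wx_regions
        || observed.anon_exec > expected.anon_exec;
}

/* Constructed baseline (binary, libc, stack) and an observation with one extra
 * anonymous RWX region, the structural change injected code typically leaves. */
#define COMMON_MAPS \
    "55d0c0a00000-55d0c0a02000 r-xp 00000000 08:01 1234 /usr/bin/app\n" \
    "7f3a1c000000-7f3a1c1a0000 r-xp 00000000 08:01 5678 /usr/lib/libc.so.6\n"
#define STACK_MAP "7ffd4e000000-7ffd4e021000 rw-p 00000000 00:00 0 [stack]\n"
const char *BASELINE_MAPS = COMMON_MAPS STACK_MAP;
const char *OBSERVED_MAPS = COMMON_MAPS "7f3a1d000000-7f3a1d001000 rwxp 00000000 00:00 0\n" STACK_MAP;
```

A deployment would record the baseline from known-good runs and re-read the live maps file on the monitoring schedule the other abstracts describe; the comparison itself stays this simple.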
Abstract:
Embodiments include computing devices, apparatus, and methods implemented by the apparatus for time varying address space layout randomization. The apparatus may launch a first plurality of versions of a system service and assign a random virtual address space layout to each of the first plurality of versions of the system service. The apparatus may receive a first request to execute the system service from a first application. The apparatus may randomly select a first version of the system service from the first plurality of versions of the system service, and execute the system service using data of the first version of the system service.