-
1.发明申请METHOD OF DETECTING PRE-OPERATING SYSTEM MALICIOUS SOFTWARE AND FIRMWARE USING CHIPSET GENERAL PURPOSE DIRECT MEMORY ACCESS HARDWARE CAPABILITIES 审中-公开检测预操作系统恶意软件的方法和使用CHIPSET一般用途的直接存储器访问硬件能力的固件公开(公告)号:US20090089497A1
公开(公告)日:2009-04-02
申请号:US11864794
申请日:2007-09-28
申请人: Yuriy Bulygin , David Samyde
发明人: Yuriy Bulygin , David Samyde
CPC分类号: G06F21/564
摘要: In some embodiments, a method of detecting pre-operating system malicious software and firmware using chipset general purpose direct memory access hardware capabilities is presented. In this regard, a security agent is introduced to access system memory used by instructions executing on a host processor or microcontroller, to copy contents from the system memory to an internal chipset memory, and to scan the internal memory with an embedded processor for a malicious software pattern. Other embodiments are also disclosed and claimed.
摘要翻译: 在一些实施例中,提出了使用芯片组通用直接存储器访问硬件能力来检测操作前系统恶意软件和固件的方法。 在这方面,引入安全代理以访问在主机处理器或微控制器上执行的指令使用的系统存储器,以将来自系统存储器的内容复制到内部芯片组存储器,并且利用用于恶意的嵌入式处理器来扫描内部存储器 软件模式。 还公开并要求保护其他实施例。
-
公开(公告)号:US20170091454A1
公开(公告)日:2017-03-30
申请号:US14865954
申请日:2015-09-25
申请人: Vadim Sukhomlinov , Oleksandr Bazhaniuk , Igor Muttik , Yuriy Bulygin , Alex Nayshtut , Andrew A. Furtak
发明人: Vadim Sukhomlinov , Oleksandr Bazhaniuk , Igor Muttik , Yuriy Bulygin , Alex Nayshtut , Andrew A. Furtak
IPC分类号: G06F21/56
CPC分类号: G06F21/566 , G06F21/52 , G06F2221/034
摘要: Existing performance monitoring and last branch recording processor hardware may be configured and used for detection of return-oriented and jump-oriented programming exploits with less performance impact that software-only techniques. Upon generation of a performance monitoring interrupt indicating that a predetermined number of mispredicted branches have occurred, the control flow and code may be analyzed to detect a return-oriented or jump-oriented exploit.
-
公开(公告)号:US20160180079A1
公开(公告)日:2016-06-23
申请号:US14576665
申请日:2014-12-19
申请人: Ravi L. Sahita , Xiaoning Li , Barry E. Huntley , Ofer Levy , Vedvyas Shanbhogue , Yuriy Bulygin , Ido Ouziel , Michael Lemay , John M. Esper
发明人: Ravi L. Sahita , Xiaoning Li , Barry E. Huntley , Ofer Levy , Vedvyas Shanbhogue , Yuriy Bulygin , Ido Ouziel , Michael Lemay , John M. Esper
IPC分类号: G06F21/52
CPC分类号: G06F21/52 , G06F9/45558 , G06F11/30 , G06F21/554 , G06F2009/45591 , G06F2221/033
摘要: A method comprises filtering branch trap events at a branch event filter, monitoring a branch event filter to capture indirect branch trap events that cause a control flow trap exception, receiving the indirect branch trap events at a handler and the handler processing the indirect branch trap events
摘要翻译: 一种方法包括在分支事件过滤器处过滤分支陷阱事件,监视分支事件过滤器以捕获导致控制流陷阱异常的间接分支陷阱事件,在处理器处接收间接分支陷阱事件,并处理处理间接分支陷阱事件
-
4.发明授权System and method for correct execution of software based on baseline and real time information 有权基于基线和实时信息正确执行软件的系统和方法公开(公告)号:US09003236B2
公开(公告)日:2015-04-07
申请号:US13631317
申请日:2012-09-28
CPC分类号: G06F11/3636 , G06F11/1479 , G06F11/3466 , G06F11/3616 , G06F2201/86 , G06F2201/865 , G06F2201/88
摘要: In an embodiment of the invention an application provider may include “tracing elements” in a target software application. While working with the application the trace elements are detected and provide a “baseline trace” indicating proper application execution. The provider then supplies the application, which still includes the trace elements, and the baseline trace to a user. The user operates the application to produce a “real-time trace” based on the application still having trace elements that produce trace events. A comparator then compares the baseline and real-time traces. If the traces are within a pre-determined range of each other the user has a level of assurance the software is operating correctly. If the level of assurance is low, an embodiment may trigger a hardware interrupt or similar event to prevent further execution of software. Other embodiments are described herein.
摘要翻译: 在本发明的实施例中,应用提供者可以在目标软件应用中包括“跟踪元素”。 在处理应用程序时,将检测到跟踪元素,并提供一个“基线跟踪”,指示正确的应用程序执行。 然后,提供商将仍然包含跟踪元素的应用程序和基准跟踪提供给用户。 用户根据仍然具有产生跟踪事件的微量元素的应用来操作应用以产生“实时跟踪”。 比较器然后比较基线和实时迹线。 如果迹线在彼此的预定范围内,则用户具有软件正确操作的保证级别。 如果保证级别低,则实施例可以触发硬件中断或类似事件以防止进一步执行软件。 本文描述了其它实施例。
-
公开(公告)号:US09858411B2
公开(公告)日:2018-01-02
申请号:US14576665
申请日:2014-12-19
申请人: Ravi Sahita , Xiaoning Li , Barry E. Huntley , Ofer Levy , Vedvyas Shanbhogue , Yuriy Bulygin , Ido Ouziel , Michael Lemay , John M. Esper
发明人: Ravi Sahita , Xiaoning Li , Barry E. Huntley , Ofer Levy , Vedvyas Shanbhogue , Yuriy Bulygin , Ido Ouziel , Michael Lemay , John M. Esper
CPC分类号: G06F21/52 , G06F9/45558 , G06F11/30 , G06F21/554 , G06F2009/45591 , G06F2221/033
摘要: A method comprises filtering branch trap events at a branch event filter, monitoring a branch event filter to capture indirect branch trap events that cause a control flow trap exception, receiving the indirect branch trap events at a handler and the handler processing the indirect branch trap events.
-
6.发明申请公开(公告)号:US20160283714A1
公开(公告)日:2016-09-29
申请号:US14670988
申请日:2015-03-27
申请人: Michael LeMay , Ravi L. Sahita , Beeman C. Strong , Thilo Schmitt , Yuriy Bulygin , Markus T. Metzger
发明人: Michael LeMay , Ravi L. Sahita , Beeman C. Strong , Thilo Schmitt , Yuriy Bulygin , Markus T. Metzger
摘要: Technologies for control flow exploit mitigation include a computing device having a processor with real-time instruction tracing support. During execution of a process, the processor generates trace data indicative of control flow of the process. The computing device analyzes the trace data to identify suspected control flow exploits. The computing device may use heuristic algorithms to identify return-oriented programming exploits. The computing device may maintain a shadow stack based on the trace data. The computing device may identify indirect branches to unauthorized addresses based on the trace data to identify jump-oriented programming exploits. The computing device may check the trace data whenever the process is preempted. The processor may detect mispredicted return instructions in real time and invoke a software handler in the process space of the process to verify and maintain the shadow stack. Other embodiments are described and claimed.
摘要翻译: 用于控制流利用减轻的技术包括具有具有实时指令跟踪支持的处理器的计算设备。 在处理过程中,处理器产生指示过程控制流的跟踪数据。 计算设备分析跟踪数据以识别可疑的控制流攻击。 计算设备可以使用启发式算法来识别返回导向的编程漏洞。 计算设备可以基于跟踪数据来维护阴影栈。 计算设备可以基于跟踪数据来识别对未授权地址的间接分支,以识别面向跳跃的编程漏洞。 每当进程被抢占时,计算设备可以检查跟踪数据。 处理器可以实时地检测错误的返回指令,并且在该过程的过程空间中调用软件处理程序以验证和维护该影子栈。 描述和要求保护其他实施例。
-
7.发明申请公开(公告)号:US20150220927A1
公开(公告)日:2015-08-06
申请号:US14129543
申请日:2013-09-25
申请人: Ned M. SMITH , Thomas J. SAWICKI , Rajiv MATHUR , Tolga ACAR , Yuriy BULYGIN , Thomas G. WILLIS , Intel Corporation
发明人: Ned M. Smith , Thomas J. Sawicki , Rajiv Mathur , Tolga Acar , Yuriy Bulygin , Thomas G. Willis
CPC分类号: G06Q20/4016 , G06Q30/06 , G06Q40/08 , H04L67/10
摘要: Techniques and mechanisms to provide indemnification for a transaction involving communications between networked devices. In an embodiment, attestation logic of a first device sends to a second device attestation information to indicate a trustworthiness level of first device. Based on the attestation information, indemnification logic of the second device determines an indemnification value representing a cost of an indemnification for a first transaction. Indemnification logic of the first device receives the indemnification value and determines, based on the indemnification value, whether a participation in the transaction is to take place.
摘要翻译: 为涉及网络设备之间通信的交易提供赔偿的技术和机制。 在一个实施例中,第一设备的认证逻辑发送到第二设备认证信息以指示第一设备的可信赖级别。 基于认证信息,第二设备的赔偿逻辑确定代表第一交易的赔偿成本的赔偿价值。 第一设备的赔偿逻辑接收赔偿价值,并根据赔偿价值确定是否要进行交易。
-
公开(公告)号:US20140123286A1
公开(公告)日:2014-05-01
申请号:US13799663
申请日:2013-03-13
IPC分类号: G06F21/56
CPC分类号: G06F21/552 , G06F9/30145 , G06F21/566 , G06F2221/034
摘要: In one embodiment, a processor includes at least one execution unit and Return Oriented Programming (ROP) detection logic. The ROP detection logic may determine a ROP metric based on a plurality of control transfer events. The ROP detection logic may also determine whether the ROP metric exceeds a threshold. The ROP detection logic may also, in response to a determination that the ROP metric exceeds the threshold, provide a ROP attack notification.
摘要翻译: 在一个实施例中,处理器包括至少一个执行单元和返回定向编程(ROP)检测逻辑。 ROP检测逻辑可以基于多个控制传送事件来确定ROP度量。 ROP检测逻辑还可以确定ROP度量是否超过阈值。 ROP检测逻辑还可以响应于ROP度量超过阈值的确定,提供ROP攻击通知。
-
9.发明申请公开(公告)号:US20160180085A1
公开(公告)日:2016-06-23
申请号:US14581099
申请日:2014-12-23
申请人: Igor Muttik , Alex Nayshtut , Yuriy Bulygin , Andrew A. Furtak , Roman Dementiev
发明人: Igor Muttik , Alex Nayshtut , Yuriy Bulygin , Andrew A. Furtak , Roman Dementiev
CPC分类号: G06F9/467 , G06F12/1475 , G06F21/56 , G06F2212/1052
摘要: A technique allows for memory bounds checking for dynamically generated code by using transactional memory support in a processor. The memory bounds checking includes creating output code, identifying read-only memory regions in the output code and creating a map that is provided to a security monitoring thread. The security monitoring thread executes as a transaction and determines if a transactional conflict occurs to the read-only memory region during parallel execution of a monitored thread in the output code.
摘要翻译: 一种技术允许通过在处理器中使用事务内存支持来检查动态生成的代码的内存边界。 存储器边界检查包括创建输出代码,识别输出代码中的只读存储器区域并创建提供给安全监控线程的映射。 安全监视线程作为事务执行,并确定在输出代码中被监视线程的并行执行期间是否只向只读存储器区域发生事务冲突。
-
公开(公告)号:US20140123281A1
公开(公告)日:2014-05-01
申请号:US13664532
申请日:2012-10-31
IPC分类号: G06F21/00
CPC分类号: G06F21/552 , G06F9/30145 , G06F21/566 , G06F2221/034
摘要: In one embodiment, a processor includes at least one execution unit and Return Oriented Programming (ROP) detection logic. The ROP detection logic may determine a ROP metric based on a plurality of control transfer events. The ROP detection logic may also determine whether the ROP metric exceeds a threshold. The ROP detection logic may also, in response to a determination that the ROP metric exceeds the threshold, provide a ROP attack notification.
摘要翻译: 在一个实施例中,处理器包括至少一个执行单元和返回定向编程(ROP)检测逻辑。 ROP检测逻辑可以基于多个控制传送事件来确定ROP度量。 ROP检测逻辑还可以确定ROP度量是否超过阈值。 ROP检测逻辑还可以响应于ROP度量超过阈值的确定,提供ROP攻击通知。
-
-
-
-
-
-
-
-
-
搜索结果
11 条记录 (耗时 0.015 秒)
