SYSTEMS AND METHODS FOR DETECTING RETURN-ORIENTED PROGRAMMING (ROP) EXPLOITS
    Invention application
    Status: under examination (published)

    Publication No.: WO2015119522A3

    Publication date: 2015-11-26

    Application No.: PCT/RO2014050002

    Filing date: 2014-11-03

    Inventor: TOSA RAUL-VASILE

    Abstract: Described systems and methods allow protecting a computer system from malware, such as return-oriented programming (ROP) exploits. In some embodiments, a set of references is identified within a call stack used by a thread of a target process, each reference pointing into the memory space of an executable module loaded by the target process. Each such reference is analyzed to determine whether it points to a ROP gadget, and whether the respective reference was pushed on the stack by a legitimate function call. In some embodiments, a ROP score is indicative of whether the target process is subject to a ROP attack, the score determined according to a count of references to a loaded module, according to a stack footprint of the respective module, and further according to a count of ROP gadgets identified within the respective module.
