WO2001037094A1 - Method for secure function execution by calling address validation - Google Patents
- Publication number: WO2001037094A1 (PCT application PCT/US2000/030812)
- Authority: WO, WIPO (PCT)
- Prior art keywords: address, call, intercepted, library, routine
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F12/00—Accessing, addressing or allocating within memory systems or architectures
- G06F12/14—Protection against unauthorised use of memory or access to memory
- G06F12/1416—Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights
- G06F12/1425—Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights the protection being physical, e.g. cell, word, block
- G06F12/1441—Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights the protection being physical, e.g. cell, word, block for a range
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/448—Execution paradigms, e.g. implementations of programming paradigms
- G06F9/4482—Procedural
- G06F9/4484—Executing subprograms
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2209/00—Indexing scheme relating to G06F9/00
- G06F2209/54—Indexing scheme relating to G06F9/54
- G06F2209/542—Intercept
Definitions
- the present invention relates generally to a method for detecting and preventing unauthorized or illegal access attempts within a computer system. More specifically, the present invention relates to a
- Procedures or functions are computer programs.
- a procedure call or a function call is a high-level abstraction that alters the flow of the calling program execution.
- a procedure or a function after the execution of its own code, returns control to the instruction immediately following the call.
- a memory device called a stack is utilized to implement procedure or function calls in the manner described.
- a stack is a contiguous block of memory containing data. Its size is dynamically adjusted by the operating system routines at run time. The data is inserted into and removed from the stack by Central
- CPU Central Processing Unit
- Assembler language instructions such as "push" or "pop".
- the stack consists of logical stack frames or Procedure
- the stack frame itself contains
- the return address is the instruction pointer of the
- One such objective is inserting an
- attack code in the form of an executable binary code native to the
- Another such objective is to change the return
- Another strategy is to detect buffer
- said operating system including a kernel space and a process
- process space including a user application running in
- process space said user application operative to intercept system calls
- the present invention a method of secure function execution within a
- intercepted system call originated and responsive to process creation
- said operating system including a kernel space and a process
- process space including a user application running in
- said user application operative to intercept library calls
- said method comprising the step of examining said intercepted library
- said method comprising the step of examining said intercepted library call validity by comparing said intercepted library call originating address with range of process valid addresses associated with said process from which said intercepted library call originated and responsive to system call loading dynamic link library hooking and patching library routines associated with said dynamic link library and responsive to system call unloading dynamic link library updating process valid addresses table.
- said operating system including a kernel space and a process space, said process space including a user application running in process space, said user application operative to system and function
- caller routine return address from said process memory device, determining whether caller routine address is valid by comparing said caller address routine with process valid address table and providing notification as to the validity of said caller routine return address or performing user predetermined acts associated with said validity of caller routine address.
- the same method further comprising the step of determining said caller routine calling address by determining the address preceding said caller routine address.
- said operating system including a kernel space and a process space, said process space including a user application running in
- said process memory device further comprises the step of determining
- said caller routine calling address by determining the address preceding said caller routine address.
- Fig. 1 is a block diagram of the Secure Function Execution
- system environment generally referenced to as system 100;
- Fig. 2 is a high-level flow diagram of the Secure Function
- Fig. 3 is a high-level flow diagram of the operation of the
- Fig. 4 is a high-level diagram of Secure Function Execution
- Fig. 5 is a high-level flow diagram of the operation of the 94
- Fig. 6 is a high-level flow diagram of the operation of the Calling Address Validation Routine module
- Fig. 7 is a high-level flow diagram of the Calling Address
- Validation Routine module relating to an another embodiment of the present invention.
- the present invention overcomes the disadvantages of the prior art by providing a novel method, which detects if an attempt to exploit the buffer overflow weakness is occurring by validating use of system or other calls within a computerized system.
- FIG. 1 a schematic illustration of the system environment wherein the Secure Function Execution System is operating, generally referred to as
- the present invention is related to Israel Patent Application
- system 100 of Fig. 1 may comprise four
- Secure Function Execution Server 116 is an active
- Secure Function Execution Server 116 is the operational center of the Secure Function Execution System 100. Secure Function Execution Server 116 loads and controls System Call Interception Component 124, loads and controls API Interception Module 134, 140, and 146, responds to diverse system and library calls and acts as an interface towards the user. The Secure Function Execution Server 116 is loaded into the user space memory device 112 of a computer system. Secure Function Execution Server 116 incorporates the API Interception Control Server operations that were described in detail in Israel Patent Application No. XXXXXXX.
- API Interception Module 134 140, 146 and the like are
- API Interception Module 134, 140, 146 and the like operations are described in detail in
- API Interception Module 134, 140, 146 and the like consist of Dispatch Routine, Depatch Routine, Hook and Patch Routine, Pre-Entry Routine, and Post-Entry Routine. The operations of the said routines are also described in
- API routine 132, 138, 144 and the like are passive components.
- API routines 132, 138, 144 and the like are
- FIG. 2 there is provided a high-level flow
- SFE Server 116 initializes the application in step 150. Consequently SFE Server 116 commences its run-time operation in step 152 by constantly monitoring system calls made by diverse applications that run in the host operating system (step 152) and responding appropriately to the said system calls (step 154) as described in detail in Fig. 4. SFE Server is also constantly
- step 156 SFE Server responds appropriately to the
- First SFE Server 116 loads System Call Interception
- For the list of active processes 118, 120, 122 and the like (step 186).
- Server 116 creates a list of valid address ranges for each active
- DLL Dynamic Link Library
- Dynamic Link Library is a set of callable subroutines
- SFE Server will insert API Interception Module 134,
- FIG. 4 is a high-level flow diagram of
- step 160 determines in step 160
- Server determines whether said system call is valid by comparing said
- SFE Server 116 may notify a user
- SFE Server 116 may perform another or other series of
- decision in step 162 is negative SFE Server optionally performs any
- step 166 If and when it
- SFE Server 116 updates Process Valid Address Range List (step 171 )
- FIG. 5 is a high-level flow diagram of the
- SFE Server 116 determines in step 172 if the
- SFE Server determines whether
- said library call is valid by comparing said library call originating
- detected SFE Server 116 optionally terminates the illegal library
- SFE Server 116 notifies a user
- Server 116 performs any other user predetermined or instructed action (step 182).
- If the decision in step 174 is affirmative then SFE Server 116
- process 118 is now operative to intercept calls made to said library calls
- step 172 decision in step 172 is negative SFE Server 116 determines if the
- the Calling Address Validation Routine module may operate in
- Pre-Entry routine may be activated when an API 132 or the
- Calling Address Validation Routine module is executing a set of
- Caller Routine also includes caller Application
- the stack frame is a dynamic area of the process
- stack segment is a dynamic area of memory belonging to a process.
- the caller Routine calling address is calculated (step 192) and
- step 194 it is determined whether
- Routine calling address is matched with said valid address range limit.
- Fig. 7 is a high-level flow
- Routine return address is significantly faster and more accurate.
- Such determination is accomplished by comparing said caller Routine calling address with address limits of said process stack
- Pre-Entry routine or the like notifies SFE Server 116 or the like about
- step 210 and step 212 the result of the examination.
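The claim fragments above describe the core check: an intercepted library call is judged by where its caller came from, which is read as the return address on the stack frame, converted to the calling address (the address preceding the return address), and compared against a per-process table of valid address ranges that is updated on DLL load and unload; the Fig. 7 embodiment adds the faster comparison against the stack segment limits. The C program below is an added illustration of that table and routine, written for this page and not code from the patent or any product. The type and function names (`ProcessAddrTable`, `validate_caller`, `add_module`, `remove_module`), the fictitious module layout and addresses, and the assumption that the calling address is the return address minus one byte are all the editor's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Half-open address range [start, end) with a label (module name or "stack"). */
typedef struct {
    uintptr_t   start;
    uintptr_t   end;
    const char *name;
} AddrRange;

#define MAX_MODULES 16

/* Process Valid Address Range List: executable images loaded into the process
 * plus the stack segment used by the Fig. 7 style check. (Hypothetical type.) */
typedef struct {
    AddrRange modules[MAX_MODULES];
    size_t    n_modules;
    AddrRange stack;
} ProcessAddrTable;

enum Verdict {
    CALL_VALID,           /* calling address lies inside a known module */
    CALL_FROM_STACK,      /* calling address lies inside the stack segment */
    CALL_UNKNOWN_ORIGIN   /* calling address matches no valid range */
};

static bool in_range(const AddrRange *r, uintptr_t addr)
{
    return addr >= r->start && addr < r->end;
}

/* Responsive to a DLL load: register the new image's range as valid. */
bool add_module(ProcessAddrTable *t, uintptr_t start, uintptr_t end, const char *name)
{
    if (t->n_modules >= MAX_MODULES || start >= end) return false;
    t->modules[t->n_modules++] = (AddrRange){ start, end, name };
    return true;
}

/* Responsive to a DLL unload: drop the range so stale addresses stop validating. */
bool remove_module(ProcessAddrTable *t, const char *name)
{
    for (size_t i = 0; i < t->n_modules; i++) {
        if (strcmp(t->modules[i].name, name) == 0) {
            t->modules[i] = t->modules[--t->n_modules];
            return true;
        }
    }
    return false;
}

/* Calling address = the address preceding the return address taken from the
 * caller's stack frame. Assumption: that byte belongs to the call instruction. */
uintptr_t calling_address(uintptr_t return_address)
{
    return return_address - 1;
}

/* Calling Address Validation Routine: classify one intercepted call by the
 * return address its caller left on the stack. */
enum Verdict validate_caller(const ProcessAddrTable *t, uintptr_t return_address,
                             const char **module_out)
{
    if (module_out) *module_out = NULL;
    if (return_address == 0) return CALL_UNKNOWN_ORIGIN;   /* no usable frame */

    uintptr_t call_addr = calling_address(return_address);

    /* Fig. 7 embodiment: a single comparison against the stack limits first. */
    if (in_range(&t->stack, call_addr)) return CALL_FROM_STACK;

    /* Otherwise the calling address must fall inside a loaded image. */
    for (size_t i = 0; i < t->n_modules; i++) {
        if (in_range(&t->modules[i], call_addr)) {
            if (module_out) *module_out = t->modules[i].name;
            return CALL_VALID;
        }
    }
    return CALL_UNKNOWN_ORIGIN;
}

/* Constructed sample table: a fictitious layout, not taken from any real process. */
void build_sample_table(ProcessAddrTable *t)
{
    memset(t, 0, sizeof *t);
    add_module(t, 0x00400000u, 0x00450000u, "app.exe");
    add_module(t, 0x77e00000u, 0x77f40000u, "kernel32.dll");
    t->stack = (AddrRange){ 0x0012d000u, 0x00130000u, "stack" };
}

int main(void)
{
    ProcessAddrTable t;
    build_sample_table(&t);

    /* Constructed return addresses: one inside app.exe, one on the stack, one unmapped. */
    const uintptr_t samples[] = { 0x00401234u, 0x0012f0a0u, 0x10000200u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *mod;
        enum Verdict v = validate_caller(&t, samples[i], &mod);
        printf("return address 0x%08lx -> %s%s%s\n", (unsigned long)samples[i],
               v == CALL_VALID ? "valid" : v == CALL_FROM_STACK ? "FROM STACK" : "unknown origin",
               v == CALL_VALID ? " in " : "", v == CALL_VALID ? mod : "");
    }
    return 0;
}
```

Two points of the design follow the claims directly: the table is mutated on load and unload rather than rebuilt, so an unloaded DLL's former range no longer validates, and the stack comparison runs before the module walk because it is the cheap check that catches a return address pointing into injected stack data. The verdict is only a classification; what to do with it (notify, terminate, or a user-predetermined action, per steps 178 to 182) is left to the caller of `validate_caller`.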
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
AU17587/01A AU1758701A (en) | 1999-11-14 | 2000-11-10 | Method for secure function execution by calling address validation |
EP00980307A EP1236115A4 (en) | 1999-11-14 | 2000-11-10 | Method for secure function execution by calling address validation |
JP2001539120A JP2003515218A (en) | 1999-11-14 | 2000-11-10 | How to execute a safe function by confirming the call address |
CA002390862A CA2390862A1 (en) | 1999-11-14 | 2000-11-10 | Method for secure function execution by calling address validation |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
IL132915 | 1999-11-14 | ||
IL13291599A IL132915A (en) | 1999-11-14 | 1999-11-14 | Method for secure function execution by calling address validation |
US09/561,011 US6412071B1 (en) | 1999-11-14 | 2000-04-28 | Method for secure function execution by calling address validation |
US09/561,011 | 2000-04-28 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2001037094A1 true WO2001037094A1 (en) | 2001-05-25 |
Family
ID=26323903
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US2000/030812 WO2001037094A1 (en) | 1999-11-14 | 2000-11-10 | Method for secure function execution by calling address validation |
Country Status (5)
Country | Link |
---|---|
EP (1) | EP1236115A4 (en) |
JP (1) | JP2003515218A (en) |
AU (1) | AU1758701A (en) |
CA (1) | CA2390862A1 (en) |
WO (1) | WO2001037094A1 (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20210216667A1 (en) | 2020-01-10 | 2021-07-15 | Acronis International Gmbh | Systems and methods for protecting against unauthorized memory dump modification |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5287504A (en) * | 1989-08-01 | 1994-02-15 | Silicon Graphics, Inc. | File alteration monitor for computer operating and file management system |
US5974549A (en) * | 1997-03-27 | 1999-10-26 | Soliton Ltd. | Security monitor |
US5987611A (en) * | 1996-12-31 | 1999-11-16 | Zone Labs, Inc. | System and methodology for managing internet access on a per application basis for client computers connected to the internet |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB1561482A (en) * | 1976-11-18 | 1980-02-20 | Ibm | Protection of data processing system against unauthorised programmes |
2000
- 2000-11-10 CA CA002390862A patent/CA2390862A1/en not_active Abandoned
- 2000-11-10 EP EP00980307A patent/EP1236115A4/en not_active Withdrawn
- 2000-11-10 JP JP2001539120A patent/JP2003515218A/en not_active Withdrawn
- 2000-11-10 AU AU17587/01A patent/AU1758701A/en not_active Abandoned
- 2000-11-10 WO PCT/US2000/030812 patent/WO2001037094A1/en not_active Application Discontinuation
Non-Patent Citations (1)
Title |
---|
See also references of EP1236115A4 * |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2003050660A1 (en) * | 2001-12-12 | 2003-06-19 | Schlumberger Systemes | Method and system for module chaining control in a modular software architecture |
JP2004126854A (en) * | 2002-10-01 | 2004-04-22 | Mitsubishi Electric Corp | Attack countermeasure system |
EP1507185A1 (en) * | 2003-08-11 | 2005-02-16 | Axalto S.A. | Method and device for protecting against unauthorized access to a secure routine |
FR2859548A1 (en) * | 2003-09-09 | 2005-03-11 | France Telecom | Monitoring procedure for computer program includes use of description file which is checked prior to operations to ensure program actions are as initially intended |
EP1851666A1 (en) * | 2005-02-02 | 2007-11-07 | Universitetet I Oslo | Intrusion detection for computer programs |
EP2113859A1 (en) * | 2007-02-21 | 2009-11-04 | NEC Corporation | Computer, operation rule application method, and operating system |
EP2113859A4 (en) * | 2007-02-21 | 2010-04-14 | Nec Corp | Computer, operation rule application method, and operating system |
Also Published As
Publication number | Publication date |
---|---|
EP1236115A4 (en) | 2004-05-26 |
EP1236115A1 (en) | 2002-09-04 |
AU1758701A (en) | 2001-05-30 |
CA2390862A1 (en) | 2001-05-25 |
JP2003515218A (en) | 2003-04-22 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US6412071B1 (en) | Method for secure function execution by calling address validation | |
US8661541B2 (en) | Detecting user-mode rootkits | |
US8719924B1 (en) | Method and apparatus for detecting harmful software | |
US6973578B1 (en) | System, method and computer program product for process-based selection of virus detection actions | |
CN103886252B (en) | Software Code Malicious Selection Evaluation Executed In Trusted Process Address Space | |
US7934261B1 (en) | On-demand cleanup system | |
US8307432B1 (en) | Generic shellcode detection | |
US7779062B2 (en) | System for preventing keystroke logging software from accessing or identifying keystrokes | |
US7845005B2 (en) | Method for preventing malicious software installation on an internet-connected computer | |
US7779472B1 (en) | Application behavior based malware detection | |
US5974549A (en) | Security monitor | |
US20070050848A1 (en) | Preventing malware from accessing operating system services | |
US7823201B1 (en) | Detection of key logging software | |
US20070250927A1 (en) | Application protection | |
US7665139B1 (en) | Method and apparatus to detect and prevent malicious changes to tokens | |
US7797702B1 (en) | Preventing execution of remotely injected threads | |
US20080005797A1 (en) | Identifying malware in a boot environment | |
US8539578B1 (en) | Systems and methods for defending a shellcode attack | |
US7251735B2 (en) | Buffer overflow protection and prevention | |
EP1236114A1 (en) | Method and system for intercepting an application program interface | |
US9659173B2 (en) | Method for detecting a malware | |
EP2876572A1 (en) | Firmware-level security agent supporting operating system-level security in computer system | |
EP1236115A1 (en) | Method for secure function execution by calling address validation | |
Raffetseder et al. | Building anti-phishing browser plug-ins: An experience report | |
US7620983B1 (en) | Behavior profiling |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AK | Designated states | Kind code of ref document: A1; Designated state(s): AU CA JP |
| AL | Designated countries for regional patents | Kind code of ref document: A1; Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR |
| 121 | EP: the EPO has been informed by WIPO that EP was designated in this application | |
| DFPE | Request for preliminary examination filed prior to expiration of 19th month from priority date (PCT application filed before 20040101) | |
| WWE | WIPO information: entry into national phase | Ref document number: 2390862; Country of ref document: CA |
| WWE | WIPO information: entry into national phase | Ref document number: 2000980307; Country of ref document: EP; Ref document number: 17587/01; Country of ref document: AU |
| ENP | Entry into the national phase | Ref document number: 2001 539120; Country of ref document: JP; Kind code of ref document: A |
| WWP | WIPO information: published in national office | Ref document number: 2000980307; Country of ref document: EP |
| WWW | WIPO information: withdrawn in national office | Ref document number: 2000980307; Country of ref document: EP |