WO2018058414A1 - Détection de débordement - Google Patents

Détection de débordement Download PDF

Info

Publication number
WO2018058414A1
WO2018058414A1 PCT/CN2016/100753 CN2016100753W WO2018058414A1 WO 2018058414 A1 WO2018058414 A1 WO 2018058414A1 CN 2016100753 W CN2016100753 W CN 2016100753W WO 2018058414 A1 WO2018058414 A1 WO 2018058414A1
Authority
WO
WIPO (PCT)
Prior art keywords
memory
metadata
code
protection
memory portion
Prior art date
Application number
PCT/CN2016/100753
Other languages
English (en)
Inventor
Wei Xiao
Yanan Wang
Hui Chen
Original Assignee
Intel Corporation
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Intel Corporation filed Critical Intel Corporation
Priority to PCT/CN2016/100753 priority Critical patent/WO2018058414A1/fr
Publication of WO2018058414A1 publication Critical patent/WO2018058414A1/fr

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow

Definitions

  • the present disclosure relates to detection, in particular to, overflow detection.
  • a buffer overflow condition occurs when an application tries to access, e.g., write to, a memory location outside of a declared buffer’s boundaries. Writing outside the buffer may corrupt data, crash the executing application, and/or may facilitate execution of malicious program code. For example, an attacker may exploit a buffer overflow condition to initiate execution of instructions selected by the attacker rather than the intended instructions of an application programmer.
  • FIG. 1 illustrates a functional block diagram of a buffer overflow detection system consistent with several embodiments of the present disclosure
  • FIG. 2 illustrates a linear address space and elements related to buffer overflow detection according to various embodiments of the present disclosure
  • FIG. 3 is a flowchart of insertion operations according to various embodiments of the present disclosure.
  • FIG. 4 is a flowchart of monitor operations according to various embodiments of the present disclosure.
  • Dynamic binary instrumentation may be utilized to observe (i.e., monitor) the behavior of a target application.
  • DBI include, but are not limited to, Valgrind TM Memcheck, Chaperon and Inspector XE.
  • DBI may be utilized, for example, to model system performance and/or implement runtime enforcement of security policies.
  • DBI may be utilized to detect buffer overrun (i.e., buffer overflow) .
  • the DBI may be configured to intercept a target application’s call to a heap management function, e.g., a heap memory allocation function (malloc () ) and/or a heap memory deallocation function (free () ) .
  • a heap management function e.g., a heap memory allocation function (malloc () ) and/or a heap memory deallocation function (free () ) .
  • the DBI may then be configured to wrap an allocated heap memory block within a plurality of red zones that may then be utilized to detect a buffer overrun (i.e., buffer overflow) .
  • the allocated memory block may contain a plurality of buffers, function pointers and/or data elements.
  • wrapping a heap memory block may correspond to relatively coarse protection granularity.
  • Red zones configured to wrap the allocated memory block may then not support detecting a buffer overrun that is contained within the allocated memory block.
  • Such buffer overrun vulnerability may then be exploited by an attacker to implement a jump oriented programming (JOP) attack.
  • JOP jump oriented programming
  • MPX memory protection extensions
  • MPX are configured to identify buffer overrun and buffer overflow conditions.
  • upper and lower bounds of memory areas to be protected may be stored in bound registers.
  • MPX is configured to check whether a memory dereference (i.e., address pointer) is within the boundary (i.e., is accessible) or outside the boundary (i.e., is not accessible) . For example, if a pointer-based memory access is outside the bounds, a#BR exception will be raised.
  • the protected memory region is deallocated, the boundaries will be removed from bound tables and registers. The formerly protected memory region may then be classified as accessible.
  • guard page i.e., page boundary gaps
  • memory protection granularity is at the page level, e.g., 4kB (kilobytes) .
  • a minimum granularity is one page.
  • An apparatus, method and/or system are configured to identify and/or select a memory element to be protected in a target application.
  • the target application and selected memory element may be stored to a target application linear address space.
  • the target application linear address space may contain a plurality of memory segments.
  • Memory segments include a stack, a heap and a global data memory segment that includes an uninitialized BSS (i.e., block started by symbol) data portion and/or an initialized data portion.
  • the memory element may be stored to the stack, the heap or the global data memory segment included in the target application linear address space.
  • Memory elements may include, but are not limited to, a buffer, a function pointer, a data element, etc.
  • Granularity of overflow detection may correspond to a size of a protected memory element.
  • the apparatus, method and/or system are further configured to include indicator code configured to notify monitor logic of the protection associated with the protected memory element.
  • auxiliary code i.e., auxiliary instructions
  • the auxiliary code is configured to wrap each memory element selected for protection by a first protection memory portion and a second protection memory portion.
  • a protection memory portion corresponds to one or more memory locations positioned adjacent to, and contiguous with, the selected memory element (i.e., the memory element to be protected) .
  • the protection memory portion may then be classified as accessible or inaccessible by monitor logic, as described herein.
  • a protection memory portion classified as inaccessible corresponds to a red zone.
  • the auxiliary code is configured to allocate memory locations corresponding to each protection memory portion in the memory segment that contains the selected memory element.
  • Metadata corresponding to each protection memory portion may be determined. Metadata is configured to provide memory element protection information to monitor logic (e.g., DBI) .
  • the auxiliary code may be configured to allocate memory locations (i.e., metadata memory portion) configured to store the metadata and to store the metadata to the allocated metadata memory portion.
  • the metadata memory portion may be allocated in the stack, the heap and/or global data memory segment of the target application linear address space.
  • the metadata may include one or more records that each includes an address field, a size field, a type field and an action field.
  • the number of records may correspond to the number of protection memory portions associated with the metadata.
  • the address field is configured to point to a corresponding protection memory portion.
  • the size field is configured to indicate the size of the corresponding protection memory portion.
  • the type field is configured to indicate the type of memory segment (i.e., stack, heap, or global data) that includes the corresponding memory element selected for protection (i.e., the memory element to be protected) .
  • the action field is configured to indicate red zone construction or red zone destruction. Red zone construction corresponds to classifying, by monitor logic, an associated protection memory portion as inaccessible. Red zone destruction corresponds to classifying, by monitor logic, an associated protection memory portion as accessible.
  • Accessible and inaccessible are related to memory access (e.g., a memory write) operations. Attempts to access a memory location classified as inaccessible, i.e., within a red zone, may then trigger an overflow fault, as described herein.
  • each record may include one or more user-customizable fields.
  • user-customizable fields may include, but are not limited to, a source code field, a conditional memory protection field, etc.
  • the source code field is configured to contain source code level information.
  • Source code level information may include, for example, a variable and/or definition line number information of a memory element to be protected and/or of a protection memory portion.
  • User-customizable fields may facilitate customizing conditional memory protection, logging and/or diagnosis in memory protection operations and/or overflow situations.
  • a particular user-customizable field selected for inclusion in each record may be set by, for example, policy.
  • Insertion logic may include, but is not limited to, a compiler and/or a just-in-time (JIT) compiler.
  • compilers include, but are not limited to, a Free Software Foundation GNU Compiler Collection (GCC) compiler, an C++compiler, etc.
  • GCC Free Software Foundation GNU Compiler Collection
  • JIT compilers include, but are not limited to, an Player bytecode JIT engine maintained by Systems, Inc., a V8 JavaScript engine developed by The Chromium Project, etc.
  • the insertion logic may be configured by, for example, an application programmer, based, at least in part, on a policy.
  • a memory element may be selected for protection based, at least in part, on the policy.
  • Policy considerations may include, but are not limited to granularity, overhead, susceptibility of a memory element to attack, criticality of a memory element, etc.
  • Overhead includes memory overhead and execution overhead.
  • Memory overhead corresponds to consumption of the target application linear address space for storage of metadata and/or corresponding protection memory portions.
  • Execution overhead corresponds to additional target application execution time associated with execution of auxiliary code and/or execution of indicator code, as described herein.
  • Indicator code may be inserted in the target application by the insertion logic.
  • the indicator code is configured to notify the monitor logic that a target memory element is protected, as described herein.
  • the indicator code is further configured to include a pointer to the corresponding metadata.
  • the indicator code is configured to include one or more instructions that are equivalent to a no-op instruction in execution of the target application.
  • the apparatus, method and/or system are configured to monitor operation of a target application using monitor logic.
  • Monitor logic may include, for example, dynamic binary instrumentation (DBI) .
  • DBI dynamic binary instrumentation
  • the monitor logic is configured to extract the pointer to the metadata and to retrieve the metadata in response to detecting the indicator code.
  • the monitor logic is further configured to classify each protection memory portion as accessible or inaccessible based, at least in part, on the retrieved metadata. For example, the monitor logic may set or reset a corresponding bit in a shadow memory according to whether the protection memory portion is classified as accessible or inaccessible.
  • the shadow memory may be maintained by the monitor logic for at least this purpose.
  • Execution of the target application may then be monitored and attempts to access a red zone may be detected by the monitor logic.
  • the monitor logic may then notify an overflow fault. In other words, the target application is not configured to access the red zones, thus, attempts to access a memory location included in a red zone may correspond to an overflow fault.
  • a memory element stored to the stack, the heap or global data may be protected.
  • the granularity of the protected memory element may be as fine as one memory location.
  • monitor logic e.g., DBI.
  • FIG. 1 illustrates a functional block diagram of a buffer overflow detection system 100 consistent with several embodiments of the present disclosure.
  • Buffer overflow detection system 100 may include, but is not limited to, a mobile telephone including, but not limited to a smart phone (e.g., phone, phone, phone, etc. ) ; a wearable device (e.g., wearable computer, “smart” watches, smart glasses, smart clothing, etc. ) and/or system; an Internet of Things (IoT) networked device including, but not limited to, a sensor system (e.g., environmental, position, motion, etc.
  • IoT Internet of Things
  • a computing system e.g., a server, a workstation computer, a desktop computer, a laptop computer, a tablet computer (e.g., and the like) , an ultraportable computer, an ultramobile computer, a netbook computer and/or a subnotebook computer; etc.
  • System 100 may include a processor 102, a communication interface 104 and a memory 106.
  • Processor 102 may include one or more processing units, e.g., processing unit 120, cache memory 122 and/or one or more processor registers 124.
  • Processor registers 124 may include for example, a stack pointer.
  • Memory 106 may be configured to store one or more linear address spaces, e.g., target linear address space 140, and one or more shadow memories, e.g., shadow memory 142. Each linear address space, e.g., target linear address space 140, may correspond to a target application, e.g., target application 134.
  • System 100 may further include storage device (s) 108 and/or a user interface (UI) 110.
  • UI user interface
  • System 100 may include an operating system (OS) 130, a compiler 132, one or more target applications, e.g., a target application 134, monitor logic 136, insertion logic 138 and a policy store 144.
  • the policy store 144 may be configured to store one or more indicators related to policy considerations, as described herein.
  • Communication interface 104 is configured to provide communication capability, wired and/or wireless, to system 100.
  • Storage device (s) 108 may include internal and/or external storage devices including, but not limited to, hard disk drives, solid-state storage devices, etc.
  • User interface 110 may include, but is not limited to, a user input device (e.g., keyboard, a keypad, touchpad, mouse, microphone, etc. ) , a display (including a touch sensitive display) , etc.
  • User interface 110 may be utilized by, e.g., an application programmer, to set policy and/or to receive hints, as described herein.
  • system 100 may include memory 106 and insertion code 138, as described herein.
  • the memory 106 is configured to store a target application, e.g., target application 134.
  • Insertion logic 138 is configured to insert auxiliary code and indicator code into the target application 134.
  • the auxiliary code is configured to allocate a metadata memory portion to store metadata that includes an address and a size of a protection memory portion.
  • the protection memory portion is configured to protect a memory element of the target application.
  • the indicator code is configured to notify monitor logic 136 of the protection and to point to the metadata memory portion that is to store the metadata.
  • FIG. 2 illustrates a linear address space 202 and elements related to buffer overflow detection according to various embodiments of the present disclosure.
  • Linear address space 202 is one example of target linear address space 140 of FIG. 1. The following description may be best understood when FIG. 2 is considered in combination with FIG. 1.
  • the linear address space 202 includes a plurality of regions.
  • the linear address space 202 may include a stack 204, a heap 206, a global data segment 208 and a code segment 210.
  • the stack 204 may be located in high memory, e.g., relatively higher memory addresses, and is configured to expand “down” into memory locations corresponding to lower memory addresses.
  • the heap 206 may be located in mid and/or lower memory and is configured to expand “up” into memory locations corresponding to higher memory addresses.
  • the code segment 210 is configured to store an executable application, e.g., the executable code corresponding to target application 134.
  • the stack 204 is configured to temporarily store information (e.g., local variables) during execution of at least a portion of a target application, e.g., target application 134.
  • the stack 204 is configured to store a return address associated with a function call.
  • the stack 204 may be configured to store data, e.g., local variables, utilized by the called function.
  • the local data is configured to exist between the function call operation and the function return operation. In other words, local data stored on the stack by the function may no longer be available after the function returns.
  • Memory locations may be allocated on the stack by a push operation, deallocated by a pop operation and/or by manipulating a stack pointer. Stack operations are configured as last in–first out.
  • the heap 206 is configured to be utilized by one or more functions included in target application 134.
  • Memory may be allocated on the heap 206 by calling a heap memory allocation function, e.g., malloc () , and may be deallocated by calling a heap memory deallocation function, e.g., free () .
  • a heap memory allocation function e.g., malloc ()
  • a heap memory deallocation function e.g., free ()
  • the heap may be utilized to store data for recursive and/or nested functions.
  • Global data segment 208 may include uninitialized BSS (i.e., “block started by symbol” ) data 212 and/or initialized data 214.
  • Global data segment 208 is configured to store global variables, global buffers, static variables and/or static buffers. The global and/or static variables may be allocated when a target application launches and may exist until the target application exits. Thus, global data segment 208 may be utilized by one or more functions included in target application 134.
  • Memory elements may be protected, as described herein, whether they are stored to the stack 204, the heap 206, and/or global data segment 208.
  • the protection memory portions may be allocated on the stack 204, in the heap 206 and/or in global data segment 208.
  • Metadata containing one or more records associated with each protection memory portion may also be stored on the stack 204, in the heap 206 and/or in global data 208.
  • the metadata may or may not be stored in a same memory segment as the corresponding protection memory portion.
  • a lifecycle of the metadata is configured to be at least as long as a corresponding lifecycle of an associated protected memory element.
  • the metadata may be stored to the stack 204, on the heap 206 and/or in global data 208.
  • the metadata may be stored on the heap 206 and/or in global data 208.
  • a target memory element to be protected may be identified and/or selected.
  • the target memory element may correspond to one or more memory locations.
  • the target memory element may correspond to a function pointer.
  • the target memory element may correspond to a buffer that includes one or more memory locations.
  • the target memory element may be selected based, at least in part, on policy considerations.
  • Policy considerations may include, for example, a target granularity, a criticality of an associated function and/or data and/or susceptibility to attack.
  • a target memory element may be selected or may not be selected based, at least in part, on overhead associated with the protection memory portions.
  • target memory elements that are writable may be selected.
  • target memory elements that may be accessed by an external, e.g., a library, function may be selected.
  • target memory elements that are read-only and/or are accessible only by internal functions may not be selected.
  • the insertion logic 138 may be configured to provide a “hint” to an application programmer, via user interface 110, related to whether a target memory element should be protected.
  • the insertion logic 138 may be configured to request input from the application programmer related to whether a target memory element should be protected or not.
  • the insertion logic 138 may be configured to perform data flow analysis to track external input propagation to aid in identifying sensitive data and thus, target memory elements that should be protected.
  • a size of each protection memory portion may then be determined.
  • Each target memory element may be wrapped by a first protection memory portion and a second protection memory portion.
  • the first protection memory portion may precede the target memory element and the second protection memory portion may follow the target memory element in a sequence of memory locations.
  • a size of each protection memory portion may be set based, at least in part, on a policy and/or based, at least in part, on application programmer input.
  • a minimum size of each protection memory portion may correspond to a number of bytes in a pointer.
  • a size of a selected protection memory portion may be configured to align boundaries of the protection memory portion wrapped memory element to, e.g., multiples of four bytes or eight bytes.
  • a size of a selected protection memory portion may be relatively larger for target memory elements associated with relatively more severe security concerns.
  • the relatively larger protection memory portion may provide a relatively larger “target” configured to capture relatively more buffer overflow attack attempts.
  • protection memory portion s positioned between a first protected memory element and a second protected memory element may be combined into a combined protection memory portion.
  • two protected memory elements may be wrapped by a first protection memory portion preceding the first protected memory element, a combined protection memory portion positioned between the first protected memory element and the second protected memory element and a second protection memory portion following the second memory element.
  • a size of the combined protection memory portion may be determined and/or selected based, at least in part, on a relative size of the first protected memory element and the second protected memory element.
  • the combined protection memory portion may correspond to a size of the larger of the first protected memory element and the second protected memory element.
  • Combining protection memory portion s is configured to reduce an amount of memory consumed by the protection memory portion s, and thus memory overhead.
  • Metadata may then be determined. Metadata may include entry metadata (related to allocation of a protection memory portion) and/or exit metadata (related to deallocation of a protection memory portion) . Metadata is configured to contain one or more records, each record associated with a corresponding protection memory portion. Each record is configured to contain an address field, a size field, a type field and an action field. The address field is configured to contain an address, e.g., a pointer, of the corresponding protection memory portion and the size field is configured to contain a size of the corresponding protection memory portion. The type field is configured to indicate the type of memory segment, e.g., stack, heap or global data, protected by the corresponding protection memory portion.
  • entry metadata related to allocation of a protection memory portion
  • exit metadata related to deallocation of a protection memory portion
  • Metadata is configured to contain one or more records, each record associated with a corresponding protection memory portion. Each record is configured to contain an address field, a size field, a type field and an action field.
  • the address field is
  • metadata associated with a memory element to be protected by a first protection memory portion and a second protection memory portion may include a first record and a second record.
  • the first record may contain a first address, a first size, a type and a first action associated with the first protection memory portion.
  • the second record may contain a second address, a second size, the type and a second action associated with the second protection memory portion.
  • metadata associated with a first plurality of memory elements to be protected by a second plurality of protection memory portions may include the second plurality of records. A subset of the second plurality of protection memory portions may correspond to combined protection memory portions, as described herein.
  • the action field is configured to indicate red zone construction or red zone destruction.
  • Red zone construction corresponds to the associated protection memory portion being classified as inaccessible.
  • Red zone destruction corresponds to an associated protection memory portion being classified as accessible.
  • the action field in entry metadata is configured to indicate red zone construction and thus, the memory locations occupied by the corresponding protection memory portion may be classified as inaccessible by monitor logic.
  • the action field in exit metadata may be configured to indicate red zone construction or red zone destruction, i.e., whether the corresponding protection memory portion is to be classified as accessible or inaccessible, respectively, after being deallocated.
  • Whether the corresponding protection memory portion is to be classified as accessible or inaccessible may be related to achieving a balance between a likelihood of false positives and a likelihood of undetected overflows. If the corresponding protection memory portion continues to be classified as inaccessible after being deallocated, false positive overflow faults may be triggered. If the corresponding protection memory portion is classified as accessible after being deallocated, then a buffer overflow may be missed, i.e., a buffer overflow may not trigger a buffer overflow fault. Whether the corresponding protection memory portion is to be classified as accessible or inaccessible after being deallocated may be determined based, at least in part, on policy.
  • a subset of memory elements in a target application may be selected for protection by protection memory portions, and one or more unselected memory elements may not be protected with protection memory portions.
  • the action field in a record contained in the exit metadata indicates red zone construction, then the memory locations of the deallocated protection memory portion may remain classified as inaccessible. Such classification may mitigate use after return attacks. If the memory locations of the deallocated protection memory portion are later allocated to an unselected memory element, a false positive memory overflow fault may be triggered. In other words, a legitimate memory access to the deallocated protection memory portion may result in a buffer overflow fault.
  • auxiliary code may be inserted in target application 134 by insertion logic 138.
  • Auxiliary code may include one or more auxiliary instructions configured to allocate and deallocate the protection memory portions during execution of the target application.
  • the auxiliary code may further include one or more auxiliary instructions configured to allocate and/or set the metadata.
  • Auxiliary code may include entry auxiliary code and/or exit auxiliary code. The entry auxiliary code may be configured to allocate the protection memory portions and the exit auxiliary code may be configured to deallocate the protection memory portions.
  • the operations performed by the auxiliary code are related to the type of memory element and corresponding memory segment, i.e., stack, heap and/or global data.
  • indicator code may be inserted in the target application 134.
  • the indicator code may be inserted by insertion logic 138.
  • Indicator code may include a plurality of indicator instructions. Indicator code is configured to provide an indication to monitor logic that a target memory element is protected, i.e., wrapped, by protection memory portions, as described herein.
  • the indicator code is further configured to include a first instruction containing a pointer to corresponding metadata, i.e., a pointer to a corresponding metadata memory portion.
  • the indicator code is configured to include one or more relatively low overhead instructions that are equivalent to a no-op instruction in execution of the target application. Relatively low overhead instructions include, for example, some integer instructions, bit shifting instructions, etc.
  • the indicator code may include pseudocode:
  • nop is a no-op instruction
  • PTR is a pointer to the corresponding metadata memory portion
  • eax corresponds to a processor register included in, e.g., processor registers 124
  • rol is a rotate left instruction.
  • the rotate left instructions operating on the processor register eax are examples of instructions that would not normally occur in a target application and are instead configured as indicators to monitor logic.
  • entry auxiliary code and entry indicator code may be inserted in a function prologue and exit auxiliary code and exit indicator code may be inserted in the function epilogue.
  • the memory element to be protected may be stored to the stack, e.g., stack 204.
  • the memory element to be protected may correspond to a local variable, buffer and/or function pointer configured to exist only between the function call and function return.
  • the entry auxiliary code is configured to allocate a portion of the stack 204 for the corresponding protection memory portions.
  • the entry auxiliary code may be further configured to allocate the corresponding metadata.
  • the function prologue may be configured to allocate the memory element, e.g., stackbuffer, that is to be protected by the protection memory portions.
  • the entry indicator code is configured to include a pointer to entry metadata and the exit indicator code is configured to include a pointer to exit metadata.
  • the exit auxiliary code is configured to deallocate the portion of the stack corresponding to the protection memory portions.
  • the exit auxiliary code may be further configured to deallocate the corresponding metadata.
  • the function epilogue may be configured to deallocate the memory element (s) that were protected by the protection memory portions.
  • the entry and/or exit auxiliary code may be configured to manipulate a stack pointer.
  • compiler 132 and/or insertion logic 138 may be configured to optimize allocation of the protection memory portions and the protected memory element (s) .
  • a sequence of individual instructions configured to allocate the first protection memory portion, the memory element (s) , combined protection memory portion (s) , if any, and the second protection memory portion may be combined into one instruction configured to allocate the first protection memory portion, the memory element (s) , combined protection memory portion (s) , if any, and the second protection memory portion.
  • the one instruction may be configured to manipulate the stack pointer.
  • Stack portion 204A illustrates one example allocation of metadata and a protection memory portion wrapped memory element to the stack 204.
  • Stack portion 204A contains entry metadata 220 and exit metadata 222.
  • Stack portion 204A further includes a first stack red zone 224, a stack protected region (i.e., protected memory element) 226 and a second stack red zone 228.
  • the first stack red zone 224 precedes the stack protected region 226 and the second stack red zone 228 follows the stack protected region 226.
  • a buffer overflow attack configured to access either the first stack red zone 224 or the second stack red zone 228 may be detected by monitor logic 136, as described herein.
  • entry auxiliary code and entry indicator code may be inserted, e.g., hooked, into a heap memory allocation function (e.g., malloc () ) and exit auxiliary code and exit indicator code may be inserted, e.g., hooked, into a heap memory deallocation function (e.g., free () ) .
  • Hooking allows the entry auxiliary code and entry indicator code to execute when the heap memory allocation function is called and/or the exit auxiliary code and exit indicator code to execute when the heap memory deallocation function is called.
  • the memory element to be protected may be stored on the heap, e.g., heap 206. In this embodiment, for example, the memory element to be protected may be accessed in a recursive function.
  • the entry auxiliary code may be configured to increase a heap size to accommodate the corresponding protection memory portions.
  • the entry auxiliary code may be further configured to increase the heap size to accommodate the corresponding metadata.
  • the heap memory allocation function may be configured to allocate the memory element, e.g., heap buffer, that is to be protected by the protection memory portions.
  • the entry indicator code is configured to include a pointer to entry metadata and the exit indicator code is configured to include a pointer to exit metadata.
  • the exit auxiliary code is configured to deallocate, i.e., free, the heap memory locations for the corresponding protection memory portions.
  • the exit auxiliary code may be further configured to free the heap memory locations for the corresponding metadata.
  • Heap portion 206A illustrates one example allocation of metadata and a protection memory portion wrapped protected region to the heap 206.
  • Heap portion 206A contains entry metadata 230 and exit metadata 232.
  • Heap portion 206A further contains a first heap red zone 234, a heap protected region (e.g., protected memory element) 236 and a second heap red zone 238.
  • a buffer overflow attack configured to access either the first heap red zone 234 or the second heap red zone 238 may be detected by monitor logic 136, as described herein.
  • entry auxiliary code and entry indicator code may be inserted at an initialization function and exit auxiliary code and exit indicator code may be inserted at a termination function.
  • the memory element to be protected may be stored in global data, e.g., global data segment 208.
  • the memory element to be protected may be stored in uninitialized (BSS) data 212.
  • the memory element to be protected may be stored in initialized data 214.
  • the memory element to be protected may correspond to a global variable, buffer and/or function pointer and/or a static variable, buffer and/or function pointer configured to exist for the life of the application.
  • the entry auxiliary code is configured to allocate global data for the corresponding protection memory portions.
  • the entry auxiliary code may be further configured to allocate the corresponding metadata.
  • the initialization function may be configured to allocate the memory element, e.g., global data buffer, that is to be protected by the protection memory portions.
  • the entry indicator code is configured to include a pointer to entry metadata and the exit indicator code is configured to include a pointer to exit metadata.
  • the entry indicator code is configured to execute before any access to protected global data memory elements.
  • the exit indicator code is configured to execute after a final access to protected global data memory elements.
  • the exit auxiliary code is configured to deallocate the global data for the corresponding protection memory portions.
  • the exit auxiliary code may be further configured to deallocate the corresponding metadata.
  • the termination function may be configured to deallocate the memory element that was protected by the protection memory portions.
  • the initialization function may be pointed to by a constructor (e.g., “. ctors” ) and termination function may be pointed to by a destructor (e.g., “. dtors) .
  • the initialization function may be configured to execute once during application, e.g., target application 134, start up and the termination function may be configured to execute when the application terminates.
  • Global data portion 208A illustrates one example allocation of metadata and a protection memory portion wrapped memory element to global data 208.
  • Global data portion 208A contains entry metadata 240 and exit metadata 242.
  • Global data portion 208A further includes a first global red zone 244, a global protected region (e.g., protected memory element) 246 and a second global red zone 248.
  • the first global red zone 244 precedes the global protected region 246 and the second global red zone 248 follows the global protected region 246.
  • a buffer overflow attack configured to access either the first global red zone 244 or the second global red zone 248 may be detected by monitor logic 136, as described herein.
  • Application executable portion 210A illustrates one example configuration of auxiliary code (i.e., auxiliary instructions) and indicator code (i.e., indicator instructions) .
  • Application executable portion 210A contains entry auxiliary instructions 250 followed by entry indicator instructions 252.
  • Application executable portion 210A further includes exit auxiliary instructions 254 followed by exit indicator instructions 256.
  • the entry instructions 250, 252 may be separated from the exit instructions 254, 256 by instructions associated with target application 134.
  • target memory elements to be protected may be selected.
  • Auxiliary code configured to allocate metadata and/or protection memory portions may be inserted into a target application.
  • Indicator code configured to point to metadata and to indicate presence of the protection memory portions to monitor logic may also be inserted into the target application.
  • monitor logic 136 is configured to monitor execution of an application, e.g., target application 134.
  • Monitor logic 136 is configured to extract the pointer to metadata and to retrieve the metadata in response to detecting the presence of indicator code in target application 134.
  • Monitor logic 136 is further configured to determine and/or identify the address, size, type and action information included in the retrieved metadata.
  • Monitor logic 136 may then classify corresponding protection memory portions as accessible or inaccessible.
  • Monitor logic 136 may maintain a shadow memory, e.g., shadow memory 142, that includes accessibility indicators that correspond to one or more memory locations (e.g., memory addresses) .
  • the accessibility indicators may be binary values with a first value corresponding to accessible and a second value corresponding to inaccessible.
  • Each accessibility indicator may be associated with one or more memory addresses.
  • Monitor logic 136 may thus set or reset respective accessibility indicators based, at least in part, on the information in the retrieved metadata.
  • Monitor logic 136 may be configured to determine whether a memory access request (e.g., write request) is directed to a red zone. For example, monitor logic 136 may be configured to read shadow memory locations corresponding to target memory addresses to determine protection memory portion classification. If the memory access request is directed to an accessible memory location, monitor logic 136 is configured to continue monitoring execution of the target application. If the memory access request is directed to a memory location included in a red zone, monitor logic 136 may be configured to notify an overflow fault. Monitor logic 136 may be further configured to halt execution of the target application.
  • a memory access request e.g., write request
  • a memory element e.g., a buffer, a function pointer, a data element, etc.
  • Monitor logic may then be configured to classify each protection memory portion as accessible or inaccessible based, at least in part, on a corresponding action indicator (i.e., red zone construction or red zone destruction) .
  • the memory elements to be protected may be selected based, at least in part, on a policy. Attempts by an attacker to access red zones may be detected by monitor logic and an overflow fault may be generated.
  • FIG. 3 is a flowchart 300 of insertion operations according to various embodiments of the present disclosure.
  • the flowchart 300 illustrates identifying and/or selecting target memory elements to be protected and inserting corresponding auxiliary code and indicator code into a target application.
  • the operations may be performed, for example, by compiler 122 and/or insertion logic 128 of FIG. 1.
  • a target memory element to protect may be identified and/or selected at operation 304.
  • a protection memory portion size may be determined at operation 306. For example, the protection memory portion size may be determined based, at least in part, on a policy.
  • Entry and/or exit metadata values may be allocated and/or set at operation 308.
  • Entry auxiliary code may be inserted at operation 310.
  • the entry auxiliary code may be inserted relative to a function call and/or allocation of memory locations on the stack, in the heap and/or in global data.
  • Exit auxiliary code may be inserted at operation 312.
  • the exit auxiliary code may be configured to deallocate at least the protection memory portions.
  • Indicator code may be inserted at operation 314.
  • the indicator code is configured to include a first function that includes a pointer to the entry or exit metadata as well as a sequence of other instructions, e.g., bit shifting instructions, that do not perform useful operations for the target application.
  • the sequence of instructions is configured to be detected by monitor logic, as described herein.
  • the instructions inserted by insertion logic may be optimized by, e.g., a compiler, e.g., compiler 122.
  • Program flow may then continue at operation 318.
  • target memory elements to be protected may be identified, entry and/or exit auxiliary code may be inserted, indicator code may be inserted and metadata values may be allocated and/or set.
  • the operations of flowchart 300 may be performed prior to execution of the target application, e.g., prior to run time at compile time, and/or during run time, e.g., by a just-in-time compiler.
  • FIG. 4 is a flowchart 400 of monitor operations according to various embodiments of the present disclosure.
  • the flowchart 400 illustrates monitoring a target application to detect attempted memory accesses to a red zone.
  • the operations may be performed, for example, by monitor logic 126 of FIG. 1.
  • the indicator code may include a sequence of instructions that would not normally be included in a target application.
  • the sequence of instructions are configured to provide an indicator to, e.g., monitor logic, of a protected memory element.
  • a pointer to metadata may be extracted at 406.
  • the indicator code is configured to include one instruction that includes a pointer to the metadata.
  • the pointer to metadata may be extracted in response to detecting the presence of the indicator code.
  • the metadata may be retrieved at operation 408.
  • the metadata may be stored on the stack, in the heap or in the global data memory segment of the target linear address space.
  • the metadata may include at least one record that includes an address field, a size field, a type field and an action field.
  • the metadata is related to a protected region (i.e., protected memory element) , as described herein.
  • a corresponding protection memory portion may be classified as accessible or inaccessible at operation 412.
  • the protection memory portion may be classified as accessible or inaccessible based, at least in part, on the contents of the action field of the metadata.
  • Classifying each protection memory portion may include setting or resetting a corresponding address bit in a shadow memory maintained by monitor logic.
  • the shadow memory may be used by, e.g., monitor logic 126 to determine whether an attempt to access, e.g., write to, amemory location is legitimate or not. An attempt to write to a memory location classified as inaccessible may correspond to a malicious attack.
  • Execution of the target application may be monitored at operation 414. Whether an attempt to access a memory location corresponds to an attempt to access a red zone may be determined at operation 416. If the attempt does not correspond to an attempt to access a red zone, program flow may proceed to operation 414. If the attempt does correspond to an attempt to access a red zone, an overflow fault may be notified at operation 418. Program flow may then end at operation 420.
  • Protection memory portions may be classified based, at least in part, on metadata (i.e., action indicator) and in response to detecting indicator code. Attempts to access red zones may then be utilized to detect buffer overflow.
  • FIGS. 3 and 4 illustrate operations according various embodiments, it is to be understood that not all of the operations depicted in FIGS. 3 and 4 are necessary for other embodiments.
  • the operations depicted in FIGS. 3 and/or 4 and/or other operations described herein may be combined in a manner not specifically shown in any of the drawings, and such embodiments may include less or more operations than are illustrated in FIGS. 3 and 4.
  • claims directed to features and/or operations that are not exactly shown in one drawing are deemed within the scope and content of the present disclosure.
  • a memory element stored to the stack, the heap or global data may be protected.
  • the granularity of the protected memory element may be as fine as one memory location.
  • a buffer overflow of a buffer included in an allocated memory block may be detected by monitor logic, e.g., DBI.
  • logic may refer to an app, software, firmware and/or circuitry configured to perform any of the aforementioned operations.
  • Software may be embodied as a software package, code, instructions, instruction sets and/or data recorded on non-transitory computer readable storage medium.
  • Firmware may be embodied as code, instructions or instruction sets and/or data that are hard-coded (e.g., nonvolatile) in memory devices.
  • Circuitry may comprise, for example, singly or in any combination, hardwired circuitry, programmable circuitry such as computer processors comprising one or more individual instruction processing cores, state machine circuitry, and/or firmware that stores instructions executed by programmable circuitry.
  • the logic may, collectively or individually, be embodied as circuitry that forms part of a larger system, for example, an integrated circuit (IC) , an application-specific integrated circuit (ASIC) , a system on-chip (SoC) , desktop computers, laptop computers, tablet computers, servers, smart phones, etc.
  • IC integrated circuit
  • ASIC application-specific integrated circuit
  • SoC system on-chip
  • the processor may include one or more processor cores and may be configured to execute system software.
  • System software may include, for example, an operating system.
  • Device memory may include I/O memory buffers configured to store one or more data packets that are to be transmitted by, or received by, a network interface.
  • the operating system may be configured to manage system resources and control tasks that are run on, e.g., system 100.
  • the OS may be implemented using or although other operating systems may be used.
  • the OS may be implemented using Android TM , iOS, Windows or
  • the OS 130 may be replaced by a virtual machine monitor (or hypervisor) which may provide a layer of abstraction for underlying hardware to various operating systems (virtual machines) running on one or more processing units.
  • the operating system and/or virtual machine may implement one or more protocol stacks.
  • a protocol stack may execute one or more programs to process packets.
  • An example of a protocol stack is a TCP/IP (Transport Control Protocol/Internet Protocol) protocol stack comprising one or more programs for handling (e.g., processing or generating) packets to transmit and/or receive over a network.
  • TCP/IP Transport Control Protocol/Internet Protocol
  • Memory 106 may include one or more of the following types of memory: semiconductor firmware memory, programmable memory, non-volatile memory, read only memory, electrically programmable memory, random access memory, flash memory, magnetic disk memory, and/or optical disk memory. Either additionally or alternatively system memory may include other and/or later-developed types of computer-readable memory.
  • Embodiments of the operations described herein may be implemented in a computer-readable storage device having stored thereon instructions that when executed by one or more processors perform the methods.
  • the processor may include, for example, a processing unit and/or programmable circuitry.
  • the storage device may include a machine readable storage device including any type of tangible, non-transitory storage device, for example, any type of disk including floppy disks, optical disks, compact disk read-only memories (CD-ROMs) , compact disk rewritables (CD-RWs) , and magneto-optical disks, semiconductor devices such as read-only memories (ROMs) , random access memories (RAMs) such as dynamic and static RAMs, erasable programmable read-only memories (EPROMs) , electrically erasable programmable read-only memories (EEPROMs) , flash memories, magnetic or optical cards, or any type of storage devices suitable for storing electronic instructions.
  • ROMs read-only memories
  • RAMs random access memories
  • a hardware description language may be used to specify circuit and/or logic implementation (s) for the various logic and/or circuitry described herein.
  • the hardware description language may comply or be compatible with a very high speed integrated circuits (VHSIC) hardware description language (VHDL) that may enable semiconductor fabrication of one or more circuits and/or logic described herein.
  • VHSIC very high speed integrated circuits
  • VHDL may comply or be compatible with IEEE Standard 1076-1987, IEEE Standard 1076.2, IEEE 1076.1, IEEE Draft 3.0 of VHDL-2006, IEEE Draft 4.0 of VHDL-2008 and/or other versions of the IEEE VHDL standards and/or other hardware description standards.
  • a Verilog hardware description language may be used to specify circuit and/or logic implementation (s) for the various logic and/or circuitry described herein.
  • the HDL may comply or be compatible with IEEE standard 62530-2011: SystemVerilog-Unified Hardware Design, Specification, and Verification Language, dated July 07, 2011; IEEE Std 1800 TM -2012: IEEE Standard for SystemVerilog-Unified Hardware Design, Specification, and Verification Language, released February 21, 2013; IEEE standard 1364-2005: IEEE Standard for Verilog Hardware Description Language, dated April 18, 2006 and/or other versions of Verilog HDL and/or SystemVerilog standards.
  • Examples of the present disclosure include subject material such as a method, means for performing acts of the method, a device, or of an apparatus or system related to overflow detection, as discussed below.
  • Example 1 there is provided an apparatus.
  • the apparatus includes a memory to store a target application and insertion logic to insert auxiliary code and indicator code into the target application.
  • the auxiliary code is to allocate a metadata memory portion to store metadata including an address and a size of a protection memory portion.
  • the protection memory portion is to protect a memory element of the target application.
  • the indicator code is to notify monitor logic of the protection and to point to the metadata memory portion that is to store the metadata.
  • Example 2 This example includes the elements of example 1, wherein the memory element includes at least one of a buffer, a function pointer and/or a data element.
  • Example 3 includes the elements of example 1, wherein the memory element is to be stored to a memory segment selected from the group including a stack, a heap and a global data memory segment.
  • Example 4 includes the elements of example 1, wherein the metadata includes a record including an address field, a size field, a type field and an action field.
  • Example 5 includes the elements according to any one of examples 1 to 4, wherein the indicator code includes a first instruction and at least one other instruction, the first instruction including a pointer to the metadata memory portion and the at least one other instruction including a relatively low execution overhead instruction.
  • Example 6 includes the elements according to any one of examples 1 to 4, wherein the insertion logic is to insert an entry auxiliary code, an exit auxiliary code, an entry indicator code and an exit indicator code, the entry auxiliary code to allocate a first protection memory portion and a second protection memory portion, the exit auxiliary code to deallocate the first protection memory portion and the second protection memory portion, the entry indicator code to point to entry metadata and the exit indicator code to point to exit metadata.
  • the insertion logic is to insert an entry auxiliary code, an exit auxiliary code, an entry indicator code and an exit indicator code, the entry auxiliary code to allocate a first protection memory portion and a second protection memory portion, the exit auxiliary code to deallocate the first protection memory portion and the second protection memory portion, the entry indicator code to point to entry metadata and the exit indicator code to point to exit metadata.
  • Example 7 includes the elements according to any one of examples 1 to 4, wherein the memory element is to be stored to a stack, the auxiliary code includes a stack pointer manipulation instruction and the auxiliary code and the indicator code are inserted into a function prologue.
  • Example 8 This example includes the elements according to any one of examples 1 to 4, wherein one protection memory portion is to protect a first memory element and a second memory element, the one protection memory portion positioned between the two memory elements, the two memory elements and the one protection memory portion contiguous in the memory.
  • Example 9 includes the elements according to any one of examples 1 to 4, wherein the memory element is to be stored to a heap, the auxiliary code includes a heap memory allocation instruction and the metadata memory portion is allocated in the heap or in a global data memory segment.
  • Example 10 This example includes the elements according to any one of examples 1 to 4, wherein the memory element is to be stored to a global data memory segment and the auxiliary code includes a global data initialization instruction.
  • Example 11 This example includes the elements according to any one of examples 1 to 4, wherein the insertion logic is further to select the memory element from a plurality of memory elements included in the target application.
  • Example 12 there is provided a method.
  • the method includes storing, by a memory, a target application and inserting, by insertion logic, auxiliary code and indicator code into the target application.
  • the auxiliary code is to allocate a metadata memory portion to store metadata including an address and a size of a protection memory portion.
  • the protection memory portion is to protect a memory element of the target application.
  • the indicator code is to notify monitor logic of the protection and to point to the metadata memory portion that is to store the metadata.
  • Example 13 This example includes the elements of example 12, wherein the memory element includes at least one of a buffer, a function pointer and/or a data element.
  • Example 14 This example includes the elements of example 12, wherein the memory element is to be stored to a memory segment selected from the group including a stack, a heap and a global data memory segment.
  • Example 15 includes the elements of example 12, wherein the metadata includes a record including an address field, a size field, a type field and an action field.
  • Example 16 This example includes the elements of example 12, wherein the indicator code includes a first instruction and at least one other instruction, the first instruction including a pointer to the metadata memory portion and the at least one other instruction including a relatively low execution overhead instruction.
  • Example 17 includes the elements of example 12, and further includes inserting, by the insertion logic, an entry auxiliary code, an exit auxiliary code, an entry indicator code and an exit indicator code, the entry auxiliary code to allocate a first protection memory portion and a second protection memory portion, the exit auxiliary code to deallocate the first protection memory portion and the second protection memory portion, the entry indicator code to point to entry metadata and the exit indicator code to point to exit metadata.
  • Example 18 includes the elements of example 12, wherein the memory element is to be stored to a stack, the auxiliary code includes a stack pointer manipulation instruction and the auxiliary code and the indicator code are inserted into a function prologue.
  • Example 19 includes the elements of example 12, wherein one protection memory portion is to protect a first memory element and a second memory element, the one protection memory portion positioned between the two memory elements, the two memory elements and the one protection memory portion contiguous in the memory.
  • Example 20 This example includes the elements of example 12, wherein the memory element is to be stored to a heap, the auxiliary code includes a heap memory allocation instruction and the metadata memory portion is allocated in the heap or in a global data memory segment.
  • Example 21 This example includes the elements of example 12, wherein the memory element is to be stored to a global data memory segment and the auxiliary code includes a global data initialization instruction.
  • Example 22 This example includes the elements of example 12, and further includes selecting, by the insertion logic, the memory element from a plurality of memory elements included in the target application.
  • Example 23 there is provided a computer readable storage device.
  • the computer readable storage device having stored thereon instructions that when executed by one or more processors result in the following operations including: storing a target application; and inserting auxiliary code and indicator code into the target application.
  • the auxiliary code is to allocate a metadata memory portion to store metadata including an address and a size of a protection memory portion.
  • the protection memory portion is to protect a memory element of the target application.
  • the indicator code is to notify monitor logic of the protection and to point to the metadata memory portion that is to store the metadata.
  • Example 24 This example includes the elements of example 23, wherein the memory element includes at least one of a buffer, a function pointer and/or a data element.
  • Example 25 This example includes the elements of example 23, wherein the memory element is to be stored to a memory segment selected from the group including a stack, a heap and a global data memory segment.
  • Example 26 This example includes the elements of example 23, wherein the metadata includes a record including an address field, a size field, a type field and an action field.
  • Example 27 This example includes the elements according to any one of examples 23 through 26, wherein the indicator code includes a first instruction and at least one other instruction, the first instruction including a pointer to the metadata memory portion and the at least one other instruction including a relatively low execution overhead instruction.
  • Example 28 This example includes the elements according to any one of examples 23 through 26, wherein the instructions that when executed by one or more processors results in the following additional operations including inserting an entry auxiliary code, an exit auxiliary code, an entry indicator code and an exit indicator code, the entry auxiliary code to allocate a first protection memory portion and a second protection memory portion, the exit auxiliary code to deallocate the first protection memory portion and the second protection memory portion, the entry indicator code to point to entry metadata and the exit indicator code to point to exit metadata.
  • Example 29 This example includes the elements according to any one of examples 23 through 26, wherein the memory element is to be stored to a stack, the auxiliary code includes a stack pointer manipulation instruction and the auxiliary code and the indicator code are inserted into a function prologue.
  • Example 30 This example includes the elements according to any one of examples 23 through 26, wherein one protection memory portion is to protect a first memory element and a second memory element, the one protection memory portion positioned between the two memory elements, the two memory elements and the one protection memory portion contiguous in the memory.
  • Example 31 This example includes the elements according to any one of examples 23 through 26, wherein the memory element is to be stored to a heap, the auxiliary code includes a heap memory allocation instruction and the metadata memory portion is allocated in the heap or in a global data memory segment.
  • Example 32 This example includes the elements according to any one of examples 23 through 26, wherein the memory element is to be stored to a global data memory segment and the auxiliary code includes a global data initialization instruction.
  • Example 33 This example includes the elements according to any one of examples 23 through 26, wherein the instructions that when executed by one or more processors results in the following additional operations including selecting the memory element from a plurality of memory elements included in the target application.
  • Example 34 there is provided a device.
  • the device includes means for storing, by a memory, a target application; and means for inserting, by insertion logic, auxiliary code and indicator code into the target application.
  • the auxiliary code is to allocate a metadata memory portion to store metadata including an address and a size of a protection memory portion.
  • the protection memory portion is to protect a memory element of the target application.
  • the indicator code is to notify monitor logic of the protection and to point to the metadata memory portion that is to store the metadata.
  • Example 35 This example includes the elements of example 34, wherein the memory element includes at least one of a buffer, a function pointer and/or a data element.
  • Example 36 This example includes the elements of example 34, wherein the memory element is to be stored to a memory segment selected from the group including a stack, a heap and a global data memory segment.
  • Example 37 This example includes the elements of example 34, wherein the metadata includes a record including an address field, a size field, a type field and an action field.
  • Example 38 This example includes the elements according to any one of examples 34 through 37, wherein the indicator code includes a first instruction and at least one other instruction, the first instruction including a pointer to the metadata memory portion and the at least one other instruction including a relatively low execution overhead instruction.
  • Example 39 This example includes the elements according to any one of examples 34 through 37, and further includes means for inserting, by the insertion logic, an entry auxiliary code, an exit auxiliary code, an entry indicator code and an exit indicator code, the entry auxiliary code to allocate a first protection memory portion and a second protection memory portion, the exit auxiliary code to deallocate the first protection memory portion and the second protection memory portion, the entry indicator code to point to entry metadata and the exit indicator code to point to exit metadata.
  • Example 40 This example includes the elements according to any one of examples 34 through 37, wherein the memory element is to be stored to a stack, the auxiliary code includes a stack pointer manipulation instruction and the auxiliary code and the indicator code are inserted into a function prologue.
  • Example 41 This example includes the elements according to any one of examples 34 through 37, wherein one protection memory portion is to protect a first memory element and a second memory element, the one protection memory portion positioned between the two memory elements, the two memory elements and the one protection memory portion contiguous in the memory.
  • Example 42 This example includes the elements according to any one of examples 34 through 37, wherein the memory element is to be stored to a heap, the auxiliary code includes a heap memory allocation instruction and the metadata memory portion is allocated in the heap or in a global data memory segment.
  • Example 43 This example includes the elements according to any one of examples 34 through 37, wherein the memory element is to be stored to a global data memory segment and the auxiliary code includes a global data initialization instruction.
  • Example 44 This example includes the elements according to any one of examples 34 through 37, and further includes means for selecting, by the insertion logic, the memory element from a plurality of memory elements included in the target application.
  • Example 45 there is provided a system.
  • the system includes a processor including at least one processor register; a user interface; a memory to store a target application; and insertion logic to insert auxiliary code and indicator code into the target application.
  • the auxiliary code is to allocate a metadata memory portion to store metadata including an address and a size of a protection memory portion.
  • the protection memory portion is to protect a memory element of the target application and the indicator code is to notify monitor logic of the protection and to point to the metadata memory portion that is to store the metadata.
  • Example 46 This example includes the elements of example 45, wherein the memory element includes at least one of a buffer, a function pointer and/or a data element.
  • Example 47 This example includes the elements of example 45, wherein the memory element is to be stored to a memory segment selected from the group including a stack, a heap and a global data memory segment.
  • Example 48 This example includes the elements of example 45, wherein the metadata includes a record including an address field, a size field, a type field and an action field.
  • Example 49 This example includes the elements according to any one of examples 45 through 48, wherein the indicator code includes a first instruction and at least one other instruction, the first instruction including a pointer to the metadata memory portion and the at least one other instruction including a relatively low execution overhead instruction.
  • Example 50 This example includes the elements according to any one of examples 45 through 48, wherein the insertion logic is to insert an entry auxiliary code, an exit auxiliary code, an entry indicator code and an exit indicator code, the entry auxiliary code to allocate a first protection memory portion and a second protection memory portion, the exit auxiliary code to deallocate the first protection memory portion and the second protection memory portion, the entry indicator code to point to entry metadata and the exit indicator code to point to exit metadata.
  • the insertion logic is to insert an entry auxiliary code, an exit auxiliary code, an entry indicator code and an exit indicator code
  • the entry auxiliary code to allocate a first protection memory portion and a second protection memory portion
  • the exit auxiliary code to deallocate the first protection memory portion and the second protection memory portion
  • the entry indicator code to point to entry metadata and the exit indicator code to point to exit metadata.
  • Example 51 This example includes the elements according to any one of examples 45 through 48, wherein the memory element is to be stored to a stack, the auxiliary code includes a stack pointer manipulation instruction and the auxiliary code and the indicator code are inserted into a function prologue.
  • Example 52 This example includes the elements according to any one of examples 45 through 48, wherein one protection memory portion is to protect a first memory element and a second memory element, the one protection memory portion positioned between the two memory elements, the two memory elements and the one protection memory portion contiguous in the memory.
  • Example 53 This example includes the elements according to any one of examples 45 through 48, wherein the memory element is to be stored to a heap, the auxiliary code includes a heap memory allocation instruction and the metadata memory portion is allocated in the heap or in a global data memory segment.
  • Example 54 This example includes the elements according to any one of examples 45 through 48, wherein the memory element is to be stored to a global data memory segment and the auxiliary code includes a global data initialization instruction.
  • Example 55 This example includes the elements according to any one of examples 45 through 48, wherein the insertion logic is further to select the memory element from a plurality of memory elements included in the target application.
  • Example 56 According to this example, there is provided a system.
  • the system includes at least one device arranged to perform the method of any one of examples 12 to 22.
  • Example 57 there is provided a device.
  • the device includes means to perform the method of any one of examples 12 to 22.
  • Example 58 there is provided a computer readable storage device.
  • the device having stored thereon instructions that when executed by one or more processors result in the following operations including: the method according to any one of examples 12 to 22.
  • Example 59 there is provided an apparatus.
  • the apparatus includes a memory and monitor logic.
  • the memory is to store a target linear address space and a shadow memory.
  • the target linear address space includes a target application.
  • the monitor logic is to extract a pointer to metadata in response to detecting indicator code, to classify a corresponding protection memory portion as accessible or inaccessible based, at least in part, on retrieved metadata and to notify an overflow fault if an attempt to access a red zone is detected.
  • Example 60 This example includes the elements of example 59, wherein the metadata includes at least one record, each record corresponding to a respective protection memory portion and including an address field, a size field, a type field and an action field.
  • Example 61 This example includes the elements of example 59, wherein classifying the corresponding protection memory portion as accessible or inaccessible corresponds to setting or resetting a corresponding bit in the shadow memory.
  • Example 62 This example includes the elements of example 59, wherein the monitor logic is further to monitor execution of the target application.
  • Example 63 This example includes the elements of example 59, wherein the monitor logic is to retrieve the metadata based, at least in part, on the pointer to the metadata.
  • Example 64 This example includes the elements of example 59, wherein the monitor logic corresponds to dynamic binary instrumentation.
  • Example 65 there is provided a method.
  • the method includes storing, by a memory, a target linear address space and a shadow memory.
  • the target linear address space includes a target application.
  • the method further includes extracting, by monitor logic, a pointer to metadata in response to detecting indicator code; classifying, by the monitor logic, a corresponding protection memory portion as accessible or inaccessible based, at least in part, on retrieved metadata; and notifying, by the monitor logic, an overflow fault if an attempt to access a red zone is detected.
  • Example 66 This example includes the elements of example 65, wherein the metadata includes at least one record, each record corresponding to a respective protection memory portion and including an address field, a size field, a type field and an action field.
  • Example 67 This example includes the elements of example 65, wherein classifying the corresponding protection memory portion as accessible or inaccessible corresponds to setting or resetting a corresponding bit in the shadow memory.
  • Example 68 This example includes the elements of example 65, and further includes monitoring, by the monitor logic, execution of the target application.
  • Example 69 This example includes the elements of example 65, wherein the metadata is retrieved based, at least in part, on the pointer to the metadata.
  • Example 70 there is provided a computer readable storage device.
  • the device having stored thereon instructions that when executed by one or more processors results in the following operations including: storing a target linear address space and a shadow memory.
  • the target linear address space includes a target application.
  • the operations further include extracting a pointer to metadata in response to detecting indicator code; classifying a corresponding protection memory portion as accessible or inaccessible based, at least in part, on retrieved metadata; and notifying an overflow fault if an attempt to access a red zone is detected.
  • Example 71 This example includes the elements of example 70, wherein the metadata includes at least one record, each record corresponding to a respective protection memory portion and including an address field, a size field, a type field and an action field.
  • Example 72 This example includes the elements of example 70, wherein classifying the corresponding protection memory portion as accessible or inaccessible corresponds to setting or resetting a corresponding bit in the shadow memory.
  • Example 73 This example includes the elements of example 70, wherein the instructions that when executed by one or more processors results in the following additional operations including monitoring execution of the target application.
  • Example 74 This example includes the elements of example 70, wherein the metadata is retrieved based, at least in part, on the pointer to the metadata.
  • Example 75 there is provided a device.
  • the device includes means for storing, by a memory, a target linear address space and a shadow memory.
  • the target linear address space including a target application.
  • the device further includes means for extracting, by monitor logic, a pointer to metadata in response to detecting indicator code; means for classifying, by the monitor logic, a corresponding protection memory portion as accessible or inaccessible based, at least in part, on retrieved metadata; and means for notifying, by the monitor logic, an overflow fault ifan attempt to access a red zone is detected.
  • Example 76 This example includes the elements of example 75, wherein the metadata includes at least one record, each record corresponding to a respective protection memory portion and including an address field, a size field, a type field and an action field.
  • Example 77 This example includes the elements of example 75, wherein classifying the corresponding protection memory portion as accessible or inaccessible corresponds to setting or resetting a corresponding bit in the shadow memory.
  • Example 78 This example includes the elements of example 75, and further includes means for monitoring, by the monitor logic, execution of the target application.
  • Example 79 This example includes the elements of example 75, wherein the monitor logic is to retrieve the metadata based, at least in part, on the pointer to the metadata.
  • Example 80 According to this example, there is provided a system.
  • the system includes at least one device arranged to perform the method of any one of examples 65 to 69.
  • Example 81 According to this example, there is provided a device.
  • the device includes means to perform the method of any one of examples 65 to 69.
  • Example 82 According to this example, there is provided a computer readable storage device.
  • the device having stored thereon instructions that when executed by one or more processors result in the following operations including: the method according to any one of examples 65 to 69.
  • Example 83 This example includes the elements of example 4, wherein the record further includes a source code field to contain source code information.
  • Example 84 This example includes the elements of example 6, wherein the exit metadata includes an action field to indicate red zone construction or red zone destruction.
  • Example 85 This example includes the elements of example 15, wherein the record further includes a source code field to contain source code information.
  • Example 86 This example includes the elements of example 17, wherein the exit metadata includes an action field to indicate red zone construction or red zone destruction.
  • Example 87 This example includes the elements of example 26, wherein the record further includes a source code field to contain source code information.
  • Example 88 This example includes the elements of example 28, wherein the exit metadata includes an action field to indicate red zone construction or red zone destruction.
  • Example 89 This example includes the elements of example 37, wherein the record further includes a source code field to contain source code information.
  • Example 90 This example includes the elements of example 39, wherein the exit metadata includes an action field to indicate red zone construction or red zone destruction.
  • Example 91 This example includes the elements of example 48, wherein the record further includes a source code field to contain source code information.
  • Example 92 This example includes the elements of example 50, wherein the exit metadata includes an action field to indicate red zone construction or red zone destruction.
  • Example 93 This example includes the elements of example 60, wherein each record further includes a source code field to contain source code information.
  • Example 94 This example includes the elements of example 66, wherein each record further includes a source code field to contain source code information.
  • Example 95 This example includes the elements of example 71, wherein each record further includes a source code field to contain source code information.
  • Example 96 This example includes the elements of example 76, wherein each record further includes a source code field to contain source code information.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

L'invention concerne un appareil, l'appareil comprenant une mémoire pour stocker une application cible; et une logique d'insertion. La logique d'insertion est destinée à insérer un code auxiliaire et un code indicateur dans l'application cible. Le code auxiliaire est destiné à attribuer une partie de mémoire de métadonnées pour stocker des métadonnées comprenant une adresse et une taille d'une partie de mémoire de protection. La partie de mémoire de protection est destinée à protéger un élément de mémoire de l'application cible. Le code indicateur est destiné à indiquer à la logique de contrôle la protection et à viser la partie de mémoire de métadonnées qui doit stocker les métadonnées.
PCT/CN2016/100753 2016-09-29 2016-09-29 Détection de débordement WO2018058414A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2016/100753 WO2018058414A1 (fr) 2016-09-29 2016-09-29 Détection de débordement

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2016/100753 WO2018058414A1 (fr) 2016-09-29 2016-09-29 Détection de débordement

Publications (1)

Publication Number Publication Date
WO2018058414A1 true WO2018058414A1 (fr) 2018-04-05

Family

ID=61763057

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/100753 WO2018058414A1 (fr) 2016-09-29 2016-09-29 Détection de débordement

Country Status (1)

Country Link
WO (1) WO2018058414A1 (fr)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101630350A (zh) * 2008-07-14 2010-01-20 西门子(中国)有限公司 缓冲区溢出漏洞的检测方法、装置和代码插装方法、装置
EP2256659A1 (fr) * 2009-05-27 2010-12-01 NTT DoCoMo, Inc. Procédé et appareil pour la prévention de modification du flux d'exécution d'un programme
CN102298677A (zh) * 2011-08-29 2011-12-28 瑞斯康达科技发展股份有限公司 一种堆栈溢出的保护方法和装置
US20130013965A1 (en) * 2011-07-08 2013-01-10 Stmicroelectronics (Rousset) Sas Microprocessor protected against stack overflow

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101630350A (zh) * 2008-07-14 2010-01-20 西门子(中国)有限公司 缓冲区溢出漏洞的检测方法、装置和代码插装方法、装置
EP2256659A1 (fr) * 2009-05-27 2010-12-01 NTT DoCoMo, Inc. Procédé et appareil pour la prévention de modification du flux d'exécution d'un programme
US20130013965A1 (en) * 2011-07-08 2013-01-10 Stmicroelectronics (Rousset) Sas Microprocessor protected against stack overflow
CN102298677A (zh) * 2011-08-29 2011-12-28 瑞斯康达科技发展股份有限公司 一种堆栈溢出的保护方法和装置

Similar Documents

Publication Publication Date Title
Canella et al. KASLR: Break it, fix it, repeat
US10540181B2 (en) Managing branch prediction information for different contexts
EP3084615B1 (fr) Détection de modification et d'accès mémoire non autorisés par une mémoire transactionnelle
JP6494744B2 (ja) リターン指向プログラミング攻撃の透過的な検出及び抽出
US10565379B2 (en) System, apparatus and method for instruction level behavioral analysis without binary instrumentation
Volckaert et al. Cloning your gadgets: Complete ROP attack immunity with multi-variant execution
EP2776971B1 (fr) Procédés, dispositifs et systèmes pour détecter des exploits de programmation orientés retour
US7886293B2 (en) Optimizing system behavior in a virtual machine environment
CN110032867B (zh) 一种主动切断隐蔽通道应对缓存侧信道攻击的方法及系统
US7251735B2 (en) Buffer overflow protection and prevention
US10599437B2 (en) Managing obscured branch prediction information
US10114948B2 (en) Hypervisor-based buffer overflow detection and prevention
EP3877874A1 (fr) Systèmes et procédés pour suspendre le fonctionnement d'un processeur hôte
US20150370496A1 (en) Hardware-Enforced Prevention of Buffer Overflow
US10467410B2 (en) Apparatus and method for monitoring confidentiality and integrity of target system
TW201935305A (zh) 用於後快取互鎖之系統和方法
Zhang et al. Android ion hazard: The curse of customizable memory management system
Cho et al. Smokebomb: effective mitigation against cache side-channel attacks on the arm architecture
US11126721B2 (en) Methods, systems and apparatus to detect polymorphic malware
CN112416821A (zh) 在计算系统中定义存储器信息泄漏区域的装置、系统和方法
US20220258955A1 (en) Non-disruptive mitigation of malware attacks
US20180004947A1 (en) Enhanced control transfer security
WO2018058414A1 (fr) Détection de débordement
CN115033411A (zh) 一种用于微处理器缓冲区溢出的硬件检测与防御机制
Arora et al. Architectural support for run-time validation of program data properties

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16917168

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16917168

Country of ref document: EP

Kind code of ref document: A1