U.S. patent application number 15/948853 was filed with the patent office on 2018-08-16 for techniques for detecting false positive return-oriented programming attacks.
This patent application is currently assigned to INTEL CORPORATION. The applicant listed for this patent is INTEL CORPORATION. Invention is credited to ASHISH BIJLANI, LIOR MALKA, PALANIVELRAJAN SHANMUGAVELAYUTHAM, KOICHI YAMADA.
Application Number | 20180232541 15/948853 |
Document ID | / |
Family ID | 56129775 |
Filed Date | 2018-08-16 |
United States Patent
Application |
20180232541 |
Kind Code |
A1 |
YAMADA; KOICHI ; et
al. |
August 16, 2018 |
TECHNIQUES FOR DETECTING FALSE POSITIVE RETURN-ORIENTED PROGRAMMING
ATTACKS
Abstract
Various embodiments are generally directed to an apparatus,
method and other techniques to determine whether a target address
of a register for an execution instruction is valid or invalid
based on a comparison between the target address and one or more
valid target addresses stored in a storage, increase a number of
invalid target addresses if the target address is invalid, and
determine whether the number of invalid target addresses is greater
than an invalid target address threshold. Various embodiments may
also include initiating a security measure to prevent a security
breach if the number of invalid target addresses is greater than
the invalid target address threshold or executing the execution
instruction if the number of invalid target addresses is less than
or equal to the invalid target address threshold.
Inventors: |
YAMADA; KOICHI; (Los Gatos,
CA) ; SHANMUGAVELAYUTHAM; PALANIVELRAJAN; (San Jose,
CA) ; MALKA; LIOR; (San Jose, CA) ; BIJLANI;
ASHISH; (Santa Clara, CA) |
|
Applicant: |
Name |
City |
State |
Country |
Type |
INTEL CORPORATION |
SANTA CLARA |
CA |
US |
|
|
Assignee: |
INTEL CORPORATION
SANTA CLARA
CA
|
Family ID: |
56129775 |
Appl. No.: |
15/948853 |
Filed: |
April 9, 2018 |
Related U.S. Patent Documents
|
|
|
|
|
|
Application
Number |
Filing Date |
Patent Number |
|
|
14582114 |
Dec 23, 2014 |
9940484 |
|
|
15948853 |
|
|
|
|
Current U.S.
Class: |
1/1 |
Current CPC
Class: |
G06F 13/404 20130101;
G06F 21/85 20130101; G06F 12/1483 20130101; G06F 21/54 20130101;
G06F 21/552 20130101; G06F 21/805 20130101; G06F 9/30061 20130101;
G06F 13/4282 20130101; G06F 13/387 20130101; G06F 2221/2101
20130101 |
International
Class: |
G06F 21/80 20060101
G06F021/80; G06F 21/55 20060101 G06F021/55; G06F 21/54 20060101
G06F021/54; G06F 13/40 20060101 G06F013/40; G06F 13/42 20060101
G06F013/42; G06F 12/14 20060101 G06F012/14; G06F 21/85 20060101
G06F021/85; G06F 13/38 20060101 G06F013/38 |
Claims
1.-25. (canceled)
26. An apparatus, comprising: a memory; and logic, at least a
portion of which is comprised in circuitry coupled to the memory,
the logic to: identify an intended target address for an indirect
branch instruction; retrieve a predicted target address for the
indirect branch instruction from a lookup table; compare the
intended target address to the predicted target address; and
increment an invalid target address counter and enable execution
tracking when the intended target address differs from the
predicted target address, execution tracking to track a number of
instructions executed with an execution instruction counter.
27. The apparatus of claim 26, the logic to execute the indirect
branch instruction when the invalid target address counter is below
an invalid target address threshold.
28. The apparatus of claim 27, the logic to: identify a second
intended target address for a second indirect branch instruction;
retrieve a second predicted target address for the second indirect
branch instruction from the lookup table; compare the second
intended target address to the second predicted target address; and
increment the execution instruction counter when the second
intended target address matches the second predicted target
address.
29. The apparatus of claim 28, the logic to reset the invalid
target address counter and the execution instruction counter when
the execution instruction counter is above an execution instruction
threshold.
30. The apparatus of claim 29, the logic to disable execution
tracking when the execution instruction counter is above the
execution instruction threshold.
31. The apparatus of claim 28, the logic to execute the second
indirect branch instruction when the execution instruction counter
is below an execution instruction threshold.
32. The apparatus of claim 31, the logic to unlink a translation
block when execution instruction counter is below the execution
instruction threshold.
33. The apparatus of claim 26, the logic to initiate a security
measure when the invalid target address counter is above an invalid
target address threshold, the security measure to protect a
computing device from a return-oriented programming attack.
34. The apparatus of claim 26, the indirect branch instruction
comprising a return instruction.
35. The apparatus of claim 26, the logic to disable a function
routine of a library when execution tracking is enabled.
36. A computer-implemented method, comprising: identifying an
intended target address for an indirect branch instruction;
retrieving a predicted target address for the indirect branch
instruction from a lookup table; comparing the intended target
address to the predicted target address; and incrementing an
invalid target address counter and enabling execution tracking when
the intended target address differs from the predicted target
address, execution tracking to track a number of instructions
executed with an execution instruction counter.
37. The computer-implemented method of claim 36, comprising
executing the indirect branch instruction when the invalid target
address counter is below an invalid target address threshold.
38. The computer-implemented method of claim 37, comprising:
identifying a second intended target address for a second indirect
branch instruction; retrieving a second predicted target address
for the second indirect branch instruction from the lookup table;
comparing the second intended target address to the second
predicted target address; and incrementing the execution
instruction counter when the second intended target address matches
the second predicted target address.
39. The computer-implemented method of claim 38, comprising
resetting the invalid target address counter and the execution
instruction counter when the execution instruction counter is above
an execution instruction threshold.
40. The computer-implemented method of claim 39, comprising
disabling execution tracking when the execution instruction counter
is above the execution instruction threshold.
41. The computer-implemented method of claim 38, comprising
executing the second indirect branch instruction when the execution
instruction counter is below an execution instruction
threshold.
42. The computer-implemented method of claim 41, comprising
unlinking a translation block when execution instruction counter is
below the execution instruction threshold.
43. The computer-implemented method of claim 36, comprising
initiating a security measure when the invalid target address
counter is above an invalid target address threshold, the security
measure to protect a computing device from a return-oriented
programming attack.
44. The computer-implemented method of claim 36, the indirect
branch instruction comprising a return instruction.
45. The computer-implemented method of claim 36, comprising
disabling a function routine of a library when execution tracking
is enabled.
46. At least one non-transitory computer-readable medium comprising
a set of instructions that, in response to being executed by a
processor circuit, cause the processor circuit to: identify an
intended target address for an indirect branch instruction;
retrieve a predicted target address for the indirect branch
instruction from a lookup table; compare the intended target
address to the predicted target address; and increment an invalid
target address counter and enable execution tracking when the
intended target address differs from the predicted target address,
execution tracking to track a number of instructions executed with
an execution instruction counter.
47. The at least one non-transitory computer-readable medium of
claim 46, comprising instructions that, in response to being
executed by the processor circuit, cause the processor circuit to
execute the indirect branch instruction when the invalid target
address counter is below an invalid target address threshold.
48. The at least one non-transitory computer-readable medium of
claim 47, comprising instructions that, in response to being
executed by the processor circuit, cause the processor circuit to:
identify a second intended target address for a second indirect
branch instruction; retrieve a second predicted target address for
the second indirect branch instruction from the lookup table;
compare the second intended target address to the second predicted
target address; and increment the execution instruction counter
when the second intended target address matches the second
predicted target address.
49. The at least one non-transitory computer-readable medium of
claim 48, comprising instructions that, in response to being
executed by the processor circuit, cause the processor circuit to
reset the invalid target address counter and the execution
instruction counter when the execution instruction counter is above
an execution instruction threshold.
50. The at least one non-transitory computer-readable medium of
claim 49, comprising instructions that, in response to being
executed by the processor circuit, cause the processor circuit to
disable execution tracking when the execution instruction counter
is above the execution instruction threshold.
Description
CROSS-REFERENCE TO RELATED APPLICATIONS
[0001] This application is a continuation of, claims the benefit
of, and claims priority to U.S. patent application Ser. No.
14/582,114 filed on Dec. 23, 2014, the subject matter of which is
hereby incorporated herein by reference in its entirety.
TECHNICAL FIELD
[0002] Embodiments described herein generally relate to techniques
for detecting malware and virus attacks against computing systems
and for determining false positive attacks.
BACKGROUND
[0003] Computer exploits are techniques which may be used to
compromise the security of a computer system or data. Such exploits
may take advantage of a vulnerability of a computer system in order
to cause unintended or unanticipated behavior to occur on the
computer system. For example, during a Return-Oriented Programming
(ROP) attack a series of snippets of code that are already
available in executable memory (e.g., portions of existing library
code), and which are followed by a return instruction (e.g., a RET
instruction) may be chained together into a desired execution
sequence by pushing a series of pointer values onto the call stack
and then tricking the code into execution the first pointer value.
This chained execution sequence does not follow the intended
program execution order that the original program author intended,
but may instead follow an alternative execution sequence. In this
manner, an attacker may create a virtual program sequence without
requiring injection of external code.
BRIEF DESCRIPTION OF THE DRAWINGS
[0004] FIG. 1 illustrates an embodiment of a computing device.
[0005] FIG. 2 illustrates an embodiment of an information flow
diagram.
[0006] FIG. 3 illustrates a second embodiment of an information
flow diagram.
[0007] FIG. 4 illustrates a third embodiment of an information flow
diagram.
[0008] FIG. 5 illustrates a fourth embodiment of an information
flow diagram.
[0009] FIG. 6 illustrates a fifth embodiment of an information flow
diagram.
[0010] FIG. 7 illustrates a sixth embodiment of an information flow
diagram.
[0011] FIG. 8 illustrates an embodiment of a logic flow
diagram.
[0012] FIG. 9 illustrates a second embodiment of a logic flow
diagram.
[0013] FIG. 10 illustrates an exemplary embodiment of a computing
system.
[0014] FIG. 11 illustrates an exemplary embodiment of a computing
architecture.
DETAILED DESCRIPTION
[0015] Various embodiments are generally directed to an apparatus,
system and method to detect various types of code reuse attacks
including return-oriented programming (ROP) attacks. More
specifically, valid target addresses for branch instructions may be
determined either prior to or during execution of instructions for
applications and then validated. However, in some instances, a
target address may be determined as invalid even though it is a
valid target address. For example, a target address for an
instruction may change between when the determination process when
the valid target address is determined and the validation process.
Therefore, during the validation process the target address may be
indicated as invalid, however, it is actually a valid target
address. Some embodiments are directed to detecting these
false-positive detections.
[0016] As discussed, during a ROP attack a series of snippets of
code that are already available in executable memory (e.g.,
portions of existing library code), and which are followed by a
return instruction (e.g., a RET instruction) may be chained
together into a desired execution sequence. Moreover, one of the
hallmarks of an ROP attack is that a number of redirecting
instructions may be used to take over control flow. These
redirecting instruction may occur in a row, or in some cases, valid
instructions may be permitted to be executed in between redirecting
instructions during an attack to try to prevent detection of the
attack. Thus, some embodiments may be directed to using a two
counter approach to filter out false positives from actual ROP
attacks.
[0017] For example, some embodiments may include an invalid target
address counter to track a number of detected invalid target
addresses. Additional, an execution instruction counter may be
utilized to determine a number of valid execution instructions
executed in-between each invalid target address detection. Only
when both counters reach determined threshold values will a
security measure be initiated, for example. Thus, the two-counter
approach may be used to filter out a false-positive attack while
also detecting an attackers attempt to insert valid execution
instruction in-between redirecting instructions. These and other
details will become more apparent with the following
description.
[0018] Various embodiments also relate to an apparatus or systems
for performing these operations. This apparatus may be specially
constructed for the required purpose or it may include a
general-purpose computer as selectively activated or reconfigured
by a computer program stored in the computer. The procedures
presented herein are not inherently related to a particular
computer or other apparatus. Various general-purpose machines may
be used with programs written in accordance with the teachings
herein, or it may prove convenient to construct more specialized
apparatus to perform the required method. The required structure
for a variety of these machines will appear from the description
given.
[0019] Reference is now made to the drawings, wherein like
reference numerals are used to refer to like elements throughout.
In the following description, for purposes of explanation, numerous
specific details are set forth in order to provide a thorough
understanding thereof. It may be evident, however, that the novel
embodiments can be practiced without these specific details. In
other instances, well-known structures and devices are shown in
block diagram form in order to facilitate a description thereof.
The intention is to cover all modifications, equivalents, and
alternatives consistent with the claimed subject matter.
[0020] FIG. 1 illustrates an embodiment of a computing device 101
to process information and data. In some embodiments, computing
device 101 may include a number of components, modules and
processing circuitry to detect and process return-oriented
programming (ROP) attacks by verifying target addresses of
instructions. Computing device 101 may also include a number of
components to detect and manage false positive detections of ROP
attacks.
[0021] Computing device 101 may include one or more processing
units 102, memory 104, one or more interfaces 106 and storage 108.
In some embodiments, the one or more processing units 102 may be
one or more of any type of computational element, such as but not
limited to, a microprocessor, a processor, central processing unit,
digital signal processing unit, dual core processor, mobile device
processor, desktop processor, single core processor, a
system-on-chip (SoC) device, complex instruction set computing
(CISC) microprocessor, a reduced instruction set (RISC)
microprocessor, a very long instruction word (VLIW) microprocessor,
or any other type of processor or processing circuit on a single
chip or integrated circuit. The one or more processing units 102
may be connected to and communicate with the other elements of the
computing device 101 via interconnects (now shown), such as one or
more buses, control lines, and data lines. In some embodiments, the
one or more processing units 102 may include processor registers or
a small amount of storage available the processing units to store
information including instructions that and can be accessed during
execution. Moreover, processor registers are normally at the top of
the memory hierarchy, and provide the fastest way to access
data.
[0022] As mentioned, the computing device 101 may include memory
104 to store information. Further, memory 104 may be implemented
using any machine-readable or computer-readable media capable of
storing data, including both volatile and non-volatile memory. In
some embodiments, the machine-readable or computer-readable medium
may include a non-transitory medium. The embodiments are not
limited in this context.
[0023] The memory 104 can store data momentarily, temporarily, or
permanently. The memory 104 stores instructions and data for
computing device 101. The memory 104 may also store temporary
variables or other intermediate information while the one or more
processing units 102 is executing instructions. In some
embodiments, information and data may be loaded from memory 104
into the computing registers during processing of instructions.
Manipulated data is then often stored back in memory 104, either by
the same instruction or a subsequent one. The memory 104 is not
limited to storing the above discussed data; the memory 104 may
store any type of data.
[0024] The one or more interfaces 106 includes any device and
circuitry for processing information or communications over
wireless and wired connections. For example, the one or more
interfaces 106 may include a receiver, a transmitter, one or more
antennas, and one or more Ethernet connections. The specific design
and implementation of the one or more interfaces 106 may be
dependent upon the communications network in which the computing
device 101 is intended to operate.
[0025] For example, the computing device 101 may include a
communication interface designed to operate in GSM with General
Packet Radio Service (GPRS) systems (GSM/GPRS), CDMA/IxRTT systems,
Enhanced Data Rates for Global Evolution (EDGE) systems, Evolution
Data Only or Evolution Data Optimized (EV-DO) systems, Evolution
For Data and Voice (EV-DV) systems, High Speed Downlink Packet
Access (HSDPA) systems, High Speed Uplink Packet Access (HSUPA),
and so forth. data communications networks, and also designed to
operate with any of a variety of voice communications networks,
such as may include Code Division Multiple Access (CDMA) systems,
Global System for Mobile Communications (GSM) systems, North
American Digital Cellular (NADC) systems, Time Division Multiple
Access (TDMA) systems, Extended-TDMA (E-TDMA) systems, Narrowband
Advanced Mobile Phone Service (NAMPS) systems, third generation
(3G) systems such as Wide-band CDMA (WCDMA), CDMA-2000, Universal
Mobile Telephone System (UMTS) systems, and so forth. Other types
of data and voice networks, both separate and integrated, may also
be utilized with computing device 101. The computing device 101 may
also be compliant with other communications standards such as 3GSM,
3GPP, UMTS, 4G, etc. In some embodiments, the computing device 101
may be designed to operate in a plurality of communications
networks and is not limited to a specific network.
[0026] In various embodiments, the one or more interfaces 106 may
include one or more I/O controllers (not shown) to output any
signals and information. The I/O controller may enable
communication over wireless and wired connections. In various
embodiments, the I/O controller may be separate component or module
of computing device 101.
[0027] Computing device 101 may include storage 108 which may be
implemented as a non-volatile storage device such as, but not
limited to, a magnetic disk drive, optical disk drive, tape drive,
an internal storage device, an attached storage device, flash
memory, battery backed-up SDRAM (synchronous DRAM), and/or a
network accessible storage device. In embodiments, storage 108 may
include technology to increase the storage performance enhanced
protection for valuable digital media when multiple hard drives are
included, for example. Further examples of storage 108 may include
a hard disk, floppy disk, Compact Disk Read Only Memory (CD-ROM),
Compact Disk Recordable (CD-R), Compact Disk Rewriteable (CD-RW),
optical disk, magnetic media, magneto-optical media, removable
memory cards or disks, various types of DVD devices, a tape device,
a cassette device, or the like. The embodiments are not limited in
this context.
[0028] Further and as illustrated in FIG. 1, the computing device
101 may include a number of components and modules to store and
process information and instructions to detect and manage ROP
attacks. For example, computing device 101 may include a translator
component 142, a comparison component 144, a validation component
146 and a security component 148. Computing device 101 may also
include one or more libraries 112, white list data 114, an invalid
target address counter 116, and an execution instruction counter
118. The computing device 101 may also include one or more
applications 120 that each may have a main routine 122 and
execution instructions 124 that can be executed and process
information and data. In some embodiments, the computing device 101
may also include cache 130 having a translator cache 132 and one or
more lookup tables 134 which may be stored in storage 108 and/or
memory 104.
[0029] As will become apparent with the following description, the
components, libraries, data, counters, and cache may be utilized to
detect and manage ROP attacks of applications. Further and in some
embodiments, one or more components, such as the translator
component 142, the comparison component 144, the validation
component 146, and the security component, may be stored in storage
108. Similarly, libraries 112, white list data 114, counters 116
and 118, and the application 120 including the main routine 122 and
execution instructions 124 may also be stored in storage 108 and
executed while in memory 104. However, various embodiments are not
limited in this manner and in some embodiments the components,
libraries 112, white list data 114, counters 116 and 118, and
applications 120 may be stored in memory 104 or remotely and
accessed via one or more wireless or wired connections.
[0030] In various embodiments, the computing device 101 including
the translator component 142, the comparison component 144, the
validation component 146 and the security component 148 may be used
to detect ROP attacks, detect false positive, perform security
measures, and so forth for applications 120 executing on computing
device 101. Applications 120 may be any type of application
including, but not limited to, word processing applications,
spreadsheet applications, database applications, gaming
applications, business applications, drafting applications,
portable document format applications, Internet applications,
web-based applications, email applications, and so forth.
[0031] Each of the applications 120 may execute a main routine 122
which may incorporate a sequence of execution instructions 124
operative on the one or more processing units 102 in its role as a
main processor component of the computing device 101 to implement
logic to perform various functions. The execution instructions 124
may be loaded into memory 104 or one or more registers of the
processing units 102 to execute tasks and operations for a
particular application. To detect a ROP attack, target addresses of
instructions may be verified to ensure ROP malware does not take
over control flow of the execution instructions and main routine.
To verify target addresses, valid target addresses of the main
routine 122 including the execution instructions 124 and libraries
112 may be determined during a translation operation or routine and
stored in cache 130.
[0032] More specifically, the computing device 101 may include a
translation component 142 to perform a translation routine to
translate portions of one or both of the main routine 122 and the
libraries 112 into translated portions which may be stored in a
translation cache 132 for execution. It is during translation that
target addresses of variables and instructions are generally
derived. Thus, for direct branch instructions, i.e. instructions
specifying targets with offsets, the target addresses of their
targets are calculated during translation, and those target
addresses are directly incorporated into those direct branch
instructions as portions of routines are placed in the translation
cache 132.
[0033] For at least some indirect branch instructions that
incorporate an identifier of their intended targets, the
translation component 142 attempts to determine their target
addresses by using those identifiers to refer to one or more
tables, such as an entry point table to retrieve target addresses
therefrom that are known to be valid.
[0034] In some embodiments, the translation component 142 may use
identifiers incorporated into indirect branch instructions to
retrieve indications of target addresses known to be valid from one
or more alternate or additional tables such as the whitelist data
114. For example, one or more sizable libraries, such as libraries
112, may be included with an operating system that may normally be
stored at predictable addresses locations in storages across a
variety of computing devices. Due to the reliance of what may be a
great many other routines on the function routines of those
libraries, those who create those libraries are likely to make
changes to those libraries only very infrequently for fear of
causing unforeseen and undesirable effects on the other routines
that use them. Thus, the content of such libraries tends to change
only infrequently over time such that it becomes feasible to
construct a viable whitelist, such as white list data 114, of valid
target of the function routines and execution instructions 124 to
which a branch instruction may validly jump.
[0035] Further and in some embodiments, the translation component
142 can derive valid target addresses once the addresses of
libraries, such as libraries 112 are known. More specifically, the
white list data 114 may be populated and/or filled with indications
of valid target addresses as the address locations the libraries
112 are determined. It should also be noted that tables, white list
data 114, and so forth may be implemented as any of a variety of
types of data structure in which indications of valid target
addresses may be stored in any of a variety of formats.
[0036] In various embodiments, the translation component 142 may
store the valid target addresses for the direct and indirect branch
instructions in cache 130, and in particular, a lookup table 134.
The lookup table 134 may be any type of lookup table including a
fast lookup table which may be used during execution of an
application 120 to validate target addresses for instructions. For
example, during execution the target address of an instruction,
such as a return (RET) instruction, may be verified by a validation
component 146 by a comparison made between the target address of
the instruction and a valid known target address stored in lookup
table 134. In some embodiments, the valid RET target address may be
dynamically populated in the lookup table 134 when a call (CALL)
instruction is executed. The CALL instruction may indicate the next
target address after the CALL instruction is the valid target
address following the RET instruction.
[0037] In some embodiments, the computing device 101 may include a
validation component 146 which may be used to verify target
addresses for both direct and indirect branch instructions, such as
call (CALL) instructions, jump (JMP) instruction, and RET
instructions. When there is a match between a target address of an
executing instruction and a valid target address in lookup table
134, the instruction may be allowed to be executed. However, if the
target address cannot be verified by the validation component 146
further evaluation may be required to determine if an ROP attack is
being attempted or not. In some embodiments, a target address may
not be validated by the validation component 146 however it may be
a valid target address. For example, a target address for an
instruction may have changed during the time between the
translation and execution of a main routine 122 and execution
instructions 124 for an application 120. Thus various embodiments
may be directed to determining and managing these false positive
cases.
[0038] One of the hallmarks of an ROP attack is that a number of
redirecting instructions may be used to take over control flow.
These redirecting instruction may occur in a row, or in some cases,
valid instructions may be permitted to be executed in between
redirecting instructions during an attack to try to prevent
detection of the attack. Thus, some embodiments may be directed to
using a two counter approach to filter out false positives from
actual ROP attacks.
[0039] As illustrated in FIG. 1, computing device 101 may include
an invalid target address counter 116 and an execution instruction
counter 118 which may be used to filter out false positive ROP
attacks. Moreover, the invalid target address counter 116 may be
any type of counter and may be incremented or decremented until an
invalid target address threshold is reach or surpassed as
determined by a comparison component 144. For example, the invalid
target address counter 116 may be set at zero and may be
incremented by one until the invalid target address threshold is
reached and determined by the comparison component 144.
Alternatively and in another example, the invalid target address
counter 116 may be set and decremented by one until zero is reached
or any other threshold value. Further, the invalid target address
threshold may be value set or determined based on a particular
application 120 executing on or by computing device 101. More
specifically and in some embodiments, the invalid target address
threshold may be different for each application 120 for execution
on the computing device 101. Applications 120 determined to be more
at risk of being attacked by an ROP attack may set the invalid
target address threshold less than other applications 120 less
likely to be attacked, for example. Other factors may also
contributed to determining the invalid target address threshold
including the ease of attacking the application, a user
configuration, previous attempts of attacking the application, and
so forth. Various embodiments are not limited in this manner.
[0040] The execution instruction counter 118 may keep track of the
number of execution instructions that validly occurred while
execution tracking is enabled or an application is being monitored
for a possible ROP attack. In some embodiments, the execution
instruction counter 118 may keep track of a number of execution of
basic blocks as a coarse grain approach. The execution instruction
counter 118 may be any type of counter and may be incremented or
decremented until an execution instruction threshold is reach or
surpassed as determined the comparison component 144. In some
embodiments, the execution instruction counter 118 may be set to
the execution instruction threshold and may be decremented by one
until zero is reached. Various embodiments are not limited in this
manner. As similarly discussed above, the execution instruction
threshold may be a value determined or based on a number of factors
for each application 120 including, but not limited to, application
attack risk, user configuration, previous attack attempts and so
forth. In some embodiments, one or both of the invalid target
address threshold and the execution instruction threshold may be
set by another application such as an anti-virus application.
[0041] The invalid target address counter 116 and the execution
instruction counter 118, in combination, may be used to detect ROP
attacks while filtering out possible false positive detections. For
example, a security measure to thwart an ROP attack may only be
initiated on the computing device 101 by a security component 148
if the invalid target address threshold is reached prior to the
execution instruction threshold being reached. Alternatively, if
the execution instruction threshold is reached prior to a security
measure being initiated and the invalid target address threshold
being reached, one or both counters may be reset to zero and
execution tracking may be disabled. These and other details will
become more apparent with the following description.
[0042] In some embodiments, the validation component 146 may enable
execution tracking when the first invalid target address is
determined for an application 120. During execution tracking
various functions and routines may be disabled, such as
optimizations may be disabled, fast lookup tables may be disabled,
translation blocks may be unlinked and so forth to protect
computing device 101 from a possible ROP attack. Further, execution
tracking may be disabled such that an accurate number of valid
execution instructions is kept track of. Execution tracking may be
enabled when a suspected ROP attack is occurring and may be
disabled once a determination is made that the detection was a
false positive. More specifically, the execution tracking may be
disabled when the execution instruction counter reaches or
surpasses the execution instruction threshold and execution
tracking may be re-enabled.
[0043] FIGS. 2-7 illustrate embodiments of information flow
diagrams and illustrates examples of various events that may occur
on a computing device while executing an application and performing
translations. For example, FIG. 2 illustrates information flow 200
during a translation routine, FIG. 3 illustrates information flow
300 during a successful validation of an execution instruction,
FIG. 4 illustrates information flow 400 during a detection of
invalid target address prior to reaching an invalid target address
threshold, FIG. 5 illustrates information flow 500 during a
detection of an invalid target address and performing a security
measure, FIG. 6 illustrates information flow 600 during a valid
target address detection while execution tracking is enabled, and
FIG. 7 illustrates information flow 700 during a valid target
address detection and the execution instruction threshold being
reached or surpassed. Various embodiments are not limited to these
particular flow diagrams and other flows and may be
contemplated.
[0044] In some embodiments, information flow diagram 200 may
process a main routine 122 and execution instructions 124 of an
application 120 by translator component 142. As previously
discussed, the translator component 142 may translate execution
instructions 124 to determine valid target addresses. At line 202,
the translator component 142 may read or receive execution
instructions 124 for an application 120 to be translated prior to
the application 120 actually being executed or during the execution
of the application 120. In some embodiments, the translation of
some execution instructions 124 may occur while other, already
translated execution instructions, are executing. In another words,
an entire application 120 does not need to be translated prior to
the beginning of execution of the application 120 on a computing
device.
[0045] At line 204, the translator component 142 may determine
valid target addresses for execution instructions 124 from one or
more libraries 112 stored on a computing device including with an
operating system, for example. As previously mentioned, an
operating system may include libraries that change infrequently
over time, and therefore, target addresses for instructions of
these libraries 112 may be easily determined. Further and at line
206, the translator component 142 may also determine target
addresses for execution instructions 124 based on information
stored in a white list data 114.
[0046] At line 208, the translator component 142 may communicate
translated execution instructions to cache 130, and in particular,
translation cache 132. The translated execution instructions may be
stored in the translation cache 132 as execution instructions 224.
The translated execution instructions 224 may be used for execution
of the application 120 instead of execution instructions 124.
Further, the translator component 142 may send determined valid
target addresses 226 for storage in lookup table 134 at line 210.
The valid target addresses 226 may be used by the validation
component 146 to validate target addresses during the actual
execution of the application 120 and determine whether an ROP
attack is occurring.
[0047] In various embodiments, the translator component 142 may
perform a translation routine prior to execution of an application
120 or dynamically during execution of an application 120. Further,
the translator component 142 may determine valid target addresses
for indirect branch instructions from the executable files stored
in storage or the execution instructions that are loaded into a
memory, such as memory 104, during runtime of an application 120.
Various embodiments are not limited in this manner.
[0048] In some embodiments, the translated execution instructions
224 may include relative offsets for direct branch instructions
within the translation cache 132 and stubs for indirect branch
instructions that cause the flow of execution to be directed back
to a translator component 144 or directly to the lookup table 134
to check whether target addresses stored in the lookup table 134
are valid. Presuming that there has not been a stack overflow or
other malicious action during execution of a translated portion of
whatever routine was placed in the translation cache 367 up to that
stub instruction, there should be a match for the target address of
the target to which the indirect branch instruction would direct
the flow of execution. Upon determining that there is a match, the
translation routine 340 permits that indirect branch instruction to
be executed. Different types of stub instruction are substituted
for different types of indirect branch instruction. Thus, a
different type of stub instruction may be associated with each of
indirect jump instructions, call instructions and return
instructions. In some instances, a target validating instruction
may be placed in the translated execution instructions 224 instead
of using the stub instruction.
[0049] FIG. 3 illustrates an embodiment of an information flow
diagram 300 to process and execute an application 120 and
translated execution instructions 224. More specifically,
information flow diagram 300 illustrates an application 120 and
executions instructions 224 executing on a computing device. In
FIG. 3, the translator component 142 may control and manage the
execution of the translated executions instructions 224. For
example, the translator component 142 control the flow of the
translated execution instructions 224 including executing direct
branch instructions and indirect branch instructions once they are
verified based on valid target addresses.
[0050] At line 302, the validation component 146 may receive an
intended target address for a translated execution instruction 224,
and in particular, an indirect branch instruction. The intended
target must be validated by the validation component 146 before the
instruction is executed on the computing device. The validation
component 146 may read and retrieve a valid target address 226 from
the lookup table 134 at line 304. The validation component 146 may
do a comparison to ensure that the intended target address matches
the valid target address for the execution instruction that is be
executed. In this illustrated example in FIG. 3, the validation
component 146 determines that the intended target address is valid
based on the comparison.
[0051] At line 306, the validation component 146 may communicate
information to the translator component 142 indicated that the
translated execution instruction 224 has been validated and may be
executed on the computing device. The translator component 142 may
proceed with executing the execution instruction. Information flow
diagram 300 may be repeated any number of times and each time a
target address for a translated execution instruction 224 needs to
be validated.
[0052] FIG. 4 illustrates an embodiment of an information flow
diagram 400 to process and execute an application 120 and
translated execution instructions 224. More specifically,
information flow diagram 400 illustrates an application 120 and
translated execution instructions 224 including direct and indirect
branch instructions executing on a computing device. In FIG. 4, the
translator component 142 may control and manage the execution of
the translated executions instructions 224. In this embodiment, an
intended target address for an execution instruction 224 is not
validated by the validation component 146.
[0053] At line 402, the validation component 146 may receive an
intended target address for a translated execution instruction 224,
and in particular, an indirect branch instruction. The intended
target address may be validated by the validation component 146
before the instruction is executed on the computing device. The
validation component 146 may read and retrieve a valid target
address 226 from the lookup table 134 at line 404. The validation
component 146 may do a comparison to ensure that the intended
target address matches the valid target address for the translated
execution instruction 224 that is be executed. As mentioned, in
this example, the intended target address for the instruction
cannot be validated by the validation component 146 because the
intended target address does not match the valid target address in
the lookup table 134.
[0054] The validation component 146 may communicate information to
the invalid target address counter 116 indicate that an invalid
target address has been detected and to increment (or decrement) by
one. Further, the validation component 146 may communicate similar
information to the translator component 142 which may enable
execution tracking if it is not enabled at line 408. The validation
component 146 may communicate the information to the invalid target
address counter 116 and the translator component 142 concurrently
in some embodiments and various embodiments are not limited in this
manner.
[0055] Further and at line 410, the comparison component 144 may
determine whether the invalid target address counter 116 reaches
(or exceeds) an invalid target address threshold. As previously
mentioned, the invalid target address threshold may be based on one
or more factors, such as application attack risk, user
configuration, and previous attack attempts. In some embodiments,
when the invalid target address counter 116 reaches (or exceeds)
the invalid target threshold one or more security measures may be
initiated. However, in this example, the comparison component 144
determines that the invalid target address counter 116 has not
reached (or exceeded) the invalid target address threshold and the
execution instruction is permitted to be executed. More
specifically and at line 412, the translator component 142 executes
the translated execution instruction 224 with the invalid target
address.
[0056] FIG. 5 illustrates an embodiment of an information flow
diagram 500 to process and execute an application 120 and
translated execution instructions 224. More specifically,
information flow diagram 500 illustrates an application 120 and
translated execution instructions 224 including direct and indirect
branch instructions executing on a computing device. In FIG. 5, the
translator component 142 may control and manage the execution of
the translated executions instructions 224. In this embodiment, an
intended target address for an execution instruction 224 is not
validated by the validation component 146, as similarly discussed
above with respect to FIG. 4.
[0057] For example and a line 502, the validation component 146 may
receive or retrieve an intended target address for an indirect
branch instruction. Further, at line 504 the validation component
146 may compare the intended target address with the valid target
address 226 in lookup table 134. The validation component 146 may
determine that the intended target address is invalid and send
information to the invalid target address counter 116 at line 506,
and in some embodiments the translator component 142 and comparison
component 144. Further, execution tracking may be enabled if it is
disabled when the validation component 146 invalidates the intended
target address.
[0058] At line 508, the comparison component 144 may make a
comparison to determine whether the invalid target address counter
116 has reached (or exceeded) the invalid target address threshold.
In this example, the invalid target address counter 116 has reached
(or exceeded) the target address threshold indicating that a
possible ROP attack may be occurring. At line 510, the security
component 148 may initiate one or more security measures to protect
the computing device from the ROP attack. For example, the security
component 148 may kill the execution of the application 120 that is
suspected for the ROP attack. In another example, the security
component 148 may try and quarantine the execution instructions
that are being taken over by the ROP attack. In a third example,
the security component 148 may notify another piece of software,
such as an anti-virus software application, so that it may handle
the ROP attack. Various embodiments are not limited in this manner
and other security measures may be initiated.
[0059] FIG. 6 illustrates an embodiment of an information flow
diagram 600 to process and execute an application 120 and
translated execution instructions 224 when execution tracking is
enabled. As previously mentioned, execution tracking may be enabled
when an invalid target address is detected. The execution tracking
may remain enabled until a security measure is initiated due to a
possible ROP attack or a predetermined number of valid execution
instructions occur after the first invalid target address is found.
In this illustrated embodiment of FIG. 6 the execution tracking is
enabled, a target address is verified, but the execution
instruction counter is not greater than an execution instruction
threshold.
[0060] As similarly discussed above with respect to FIGS. 3 through
5, the validation component 146 may receive an intended target
address for an indirect branch instruction at line 602. Further,
the validation component 146 may validate the intended target
address by comparing it with a valid target address 226 in the
lookup table 134 at line 604. As mentioned, in this example the
intended target address is valid. At line 606, the validation
component 146 may increment (or decrement) the execution
instruction counter 118 since execution tracking is enabled.
[0061] At line 608, the comparison component 144 may compare the
execution instruction counter 118 with an execution instruction
threshold which may be predetermined or based on one or more
factors, such as an ROP attack risk, user configuration, or
previously ROP attack attempts. For example, the execution
instruction threshold may be adjusted based on a number of "valid"
target addresses between invalid target addresses that were
detected during previous ROP attacks. In other words, the
components may "learn" from previous ROP attacks an appropriate
number of valid target addresses between invalid target addresses
that indicate whether an attack is occurring or if a false positive
has been detected. In this example, the execution instruction
counter 118 is not greater than the execution instruction
threshold. At line 610, the current execution instruction may be
processed or executed, execution tracking may remain enabled.
[0062] FIG. 7 illustrates an embodiment of an information flow
diagram 700 to process and execute an application 120 and
translated execution instructions 224 when execution tracking is
enabled. As previously mentioned, execution tracking may be enabled
when an invalid target address is detected. The execution tracking
may remain enabled until a security measure is initiated due to a
possible ROP attack or a predetermined number of valid execution
instructions occur after the first invalid target address is found.
In this illustrated embodiment of FIG. 7 the execution tracking is
enabled, a target address is verified, and the execution
instruction counter is greater than the execution instruction
threshold.
[0063] In FIG. 7, lines 702 through 706 are the same as lines 602
through 606 of FIG. 6. However, at line 708 the comparison
component 144 determines that the execution instruction counter 118
is greater than the execution instruction threshold. Thus, the
execution tracking may be disabled and a false positive was likely
detected. Further and at line 710, the translator component 142 may
reset one or both of the invalid target address counter 116 and the
execution instruction counter 118. The counters may be reset to
zero or any other starting value.
[0064] FIGS. 2 through 7 illustrate certain communication occurring
in a certain order. However, various embodiments are not limited in
this manner and one or more communications may occur in parallel or
concurrently. In addition, FIGS. 2 through 7 only show a limited
number of communications occurring between the various components
of a computing device. Various embodiments may not be limited in
this manner as well. Other information may be communicated between
the components of the computing device such that ROP attacks and
false positives may be detected and readily handle without causing
harm to the device.
[0065] FIG. 8 illustrates an embodiment of a logic flow 800 for
processing execution instructions including direct branch
instruction and indirect branch instructions. In various
embodiments, logic flow 800 may be implemented and executed on any
computing system or computing device, such as computing device 101
as illustrated in FIG. 1. Further, logic flow 800 shows a number of
logic steps or blocks occurring in certain order or sequence.
Various embodiments are not limited in this manner and certain
blocks may occur before and/or after other blocks, as one
contemplated in the art will understand.
[0066] At block 802, an execution instruction may analyzed during
execution of an application and a determination may be made as to
whether the execution instruction is a return (RET) instruction or
another type of instruction, such as an indirect branch instruction
or a direct branch instruction at block 804. Further and as
previously mentioned, execution instructions may be translated
prior execution of an application or dynamically when an
application is being executed. During translation, execution
instructions may be analyzed and if they are direct branch
instructions that may be copied and stored in the cache with
offsets. However, if the execution instructions are indirect branch
instructions, a stub instruction may be placed in the cache in
place of the execution instruction and a return target address may
be predicted and stored in a lookup table.
[0067] If the execution instruction is a RET instruction, a
comparison may be made to determine whether the intended target
address of the RET instruction matches the predicted target address
at block 806. More specifically, the predicted target address for
the RET instruction may be read or retrieved from a lookup table
and compared to the intended target address for the RET instruction
being executed. As mentioned, during an ROP attack a different
target address may be substituted for a RET instruction to redirect
the execution of the application to a different portion of memory
or instructions such that malicious code may be executed.
[0068] At decision block 808, a determination may be made as to
whether the predicted target address matches the intended target
address for the RET instruction. If they do match, a determination
as to whether execution tracking is enabled may be made at decision
block 818 and the instruction may be executed at block 828.
However, if the predicted target address does not match the
intended target address an invalid target address counter may be
increment (or decremented) at block 810. Further, execution
tracking may be enabled at block 812 if it is not already
enabled.
[0069] In some embodiments, as determined at decision block 814 if
the invalid target address counter is greater than an invalid
target address threshold one or more security measures may be
initiated at block 816. For example, execution of the application
may be suspended or halted, execution instructions with the invalid
target addresses may be quarantined, and/or an anti-virus program
may be notified to handle the ROP attack. Alternatively, if the
invalid target address counter is not greater than the invalid
target address threshold, the execution instruction may be executed
at block 828. Although decision block 814 indicates the counter
must be greater than the threshold, various embodiments are not
limited in this manner. The counter and threshold may be configured
in any number of ways. For example, the security measure may be
initiated when the invalid target address counter equals the
invalid target address threshold.
[0070] In some embodiments, a determination may be made as to
whether execution tracking is enabled at block 818. For example, if
the execution is not a RET instruction, or if the predicted target
address matches the intended target address, block 818 may occur.
Execution tracking may be used to filter out false positive
detections and be enabled if a previous execution instruction had
an invalid target address. As mentioned, one of the hallmarks of an
ROP attack is back-to-back execution instructions with invalid
target addresses or in some instances a predictable number of a
valid execution instruction in between invalid target instructions.
Thus, execution tracking may be enabled until a number of valid
execution instructions is greater than an execution instruction
threshold.
[0071] More specifically and if execution tracking is enabled at
block 818, an execution instruction counter may be incremented (or
decremented) at block 820. Further, a determination may be made at
decision block 822 as to whether the execution instruction counter
is greater than an execution instruction threshold. The execution
instruction threshold may be predetermined, or determined based on
a number of factors including previously ROP attacks, user
configuration, anti-virus software configuration, security
configuration, and so forth. Further, decision block 822 indicates
the counter must be greater than the threshold, various embodiments
are not limited in this manner. The counter and threshold may be
configured in any number of ways.
[0072] At block 826, one or both of the execution instruction
counter and the invalid target address counter may be reset to
initial values, such as zero, one or any other initial value. In
addition, execution tracking may be disabled and, at block 828, the
current execution instruction may be executed. If at decision block
822, the execution instruction counter is not greater than the
execution instruction threshold, translation blocks may be unlinked
at block 824, and the execution instruction may be executed at
block 828. The translation blocks may be unlinked such that a
translator component can get control of execution flow on every
translation block. The translator component may track the number of
instructions of basic blocks executed for use in updating an
execution instruction counter.
[0073] FIG. 9 illustrates an embodiment of a logic flow 900. The
logic flow may be representative of some or all of the operations
executed by one or more embodiments described herein. For example,
the logic flow 900 may illustrate operations performed by the
systems and logic flows of FIGS. 1-8.
[0074] In the illustrated embodiment shown in FIG. 9, the logic
flow 900 may include determining whether a target address of a
register for an execution instruction is valid or invalid based on
a comparison between the target address and one or more valid
target addresses stored in a storage at block 905. As previously
mentioned, one or more valid target address for execution
instructions, such as indirect branch instructions, may be
determined during a translation routine or process and stored in
memory or storage, such as in a fast lookup table. During execution
of the execution instruction, an intended target address for the
instruction may be determined and compared with the stored valid
target address.
[0075] At block 910, the logic flow 900 may include increasing a
number of invalid target addresses if the target address is
invalid. For example, a counter, such as an invalid target address
counter, may be incremented (or decremented) when the comparison
determines that the intended target address is invalid. Further,
the logic flow 900 may include determining whether the number of
invalid target addresses is greater than an invalid target address
threshold at block 915. More specifically, a comparison may be made
to determine whether the counter is greater than or equal to a
threshold value. In some embodiments when the counter is counter
down to a threshold value, the comparison may determine whether the
number is less than the threshold value. Various embodiments are
not limited in this manner.
[0076] The logic flow 900 may also include initiating a security
measure to prevent a security breach if the number of invalid
target addresses is greater than the invalid target address
threshold at block 920. As previously discussed, a number of
security measures, such as halted the execution of an application,
performing an anti-virus scan, and quarantining the suspected
execution instruction, may be initiated if an attack is suspected.
However, in some embodiments the logic flow 900 includes execute
the execution instruction if the number of invalid target addresses
is less than or equal to the invalid target address threshold at
block 925. As previously mentioned a predetermined or defined
number of invalid target addresses are permitted before a security
measure is initiated to filter out false positive detections.
Various embodiments are not limited in this manner.
[0077] FIG. 10 illustrates one embodiment of a system 1000. In
various embodiments, system 1000 may be representative of a system
or architecture suitable for use with one or more embodiments
described herein, such as system 100 of FIG. 1. The embodiments are
not limited in this respect.
[0078] As shown in FIG. 10, system 1000 may include multiple
elements. One or more elements may be implemented using one or more
circuits, components, registers, processors, software subroutines,
modules, or any combination thereof, as desired for a given set of
design or performance constraints. Although FIG. 10 shows a limited
number of elements in a certain topology by way of example, it can
be appreciated that more or less elements in any suitable topology
may be used in system 1000 as desired for a given implementation.
The embodiments are not limited in this context.
[0079] In various embodiments, system 1000 may include a computing
device 1005 which may be any type of computer or processing device
including a personal computer, desktop computer, tablet computer,
netbook computer, notebook computer, laptop computer, server,
server farm, blade server, or any other type of server, and so
forth.
[0080] Other examples of computing device 1005 also may include
computers that are arranged to be worn by a person, such as a wrist
computer, finger computer, ring computer, eyeglass computer,
belt-clip computer, arm-band computer, shoe computers, clothing
computers, and other wearable computers. In embodiments, for
example, a computing device 1005 may be implemented as a smart
phone capable of executing computer applications, as well as voice
communications and/or data communications. Although some
embodiments may be described with a computing device 1005
implemented as a smart phone by way of example, it may be
appreciated that other embodiments may be implemented using other
wireless computing devices as well. The embodiments are not limited
in this context.
[0081] In various embodiments, computing device 1005 may include
processor circuit 1002. Processor circuit 1002 may be implemented
using any processor or logic device. The processing circuit 1002
may be one or more of any type of computational element, such as
but not limited to, a microprocessor, a processor, central
processing unit, digital signal processing unit, dual core
processor, mobile device processor, desktop processor, single core
processor, a system-on-chip (SoC) device, complex instruction set
computing (CISC) microprocessor, a reduced instruction set (RISC)
microprocessor, a very long instruction word (VLIW) microprocessor,
or any other type of processor or processing circuit on a single
chip or integrated circuit. The processing circuit 1002 may be
connected to and communicate with the other elements of the
computing system via an interconnect 1043, such as one or more
buses, control lines, and data lines.
[0082] In one embodiment, computing device 1005 may include a
memory unit 1004 to couple to processor circuit 1002. Memory unit
1004 may be coupled to processor circuit 1002 via communications
bus 1043, or by a dedicated communications bus between processor
circuit 1002 and memory unit 1004, as desired for a given
implementation. Memory unit 04 may be implemented using any
machine-readable or computer-readable media capable of storing
data, including both volatile and non-volatile memory. In some
embodiments, the machine-readable or computer-readable medium may
include a non-transitory medium. The embodiments are not limited in
this context.
[0083] Computing device 1005 may include a graphics processing unit
(GPU) 1006, in various embodiments. The GPU 1006 may include any
processing unit, logic or circuitry optimized to perform
graphics-related operations as well as the video decoder engines
and the frame correlation engines. The GPU 1006 may be used to
render 2-dimensional (2-D) and/or 3-dimensional (3-D) images for
various applications such as video games, graphics, computer-aided
design (CAD), simulation and visualization tools, imaging, etc.
Various embodiments are not limited in this manner; GPU 1006 may
process any type of graphics data such as pictures, videos,
programs, animation, 3D, 2D, objects images and so forth.
[0084] In some embodiments, computing device 1005 may include a
display controller 1008. Display controller 1008 may be any type of
processor, controller, circuit, logic, and so forth for processing
graphics information and displaying the graphics information. The
display controller 1008 may receive or retrieve graphics
information from one or more buffers, such as buffer(s) 220. After
processing the information, the display controller 1008 may send
the graphics information to a display.
[0085] In various embodiments, system 1000 may include a
transceiver 1044. Transceiver 1044 may include one or more radios
capable of transmitting and receiving signals using various
suitable wireless communications techniques. Such techniques may
involve communications across one or more wireless networks.
Exemplary wireless networks include (but are not limited to)
wireless local area networks (WLANs), wireless personal area
networks (WPANs), wireless metropolitan area network (WMANs),
cellular networks, and satellite networks. In communicating across
such networks, transceiver 1044 may operate in accordance with one
or more applicable standards in any version. The embodiments are
not limited in this context.
[0086] In various embodiments, computing device 1005 may include a
display 1045. Display 1045 may constitute any display device
capable of displaying information received from processor circuit
1002, graphics processing unit 1006 and display controller
1008.
[0087] In various embodiments, computing device 1005 may include
storage 1046. Storage 1046 may be implemented as a non-volatile
storage device such as, but not limited to, a magnetic disk drive,
optical disk drive, tape drive, an internal storage device, an
attached storage device, flash memory, battery backed-up SDRAM
(synchronous DRAM), and/or a network accessible storage device. In
embodiments, storage 1046 may include technology to increase the
storage performance enhanced protection for valuable digital media
when multiple hard drives are included, for example. Further
examples of storage 1046 may include a hard disk, floppy disk,
Compact Disk Read Only Memory (CD-ROM), Compact Disk Recordable
(CD-R), Compact Disk Rewriteable (CD-RW), optical disk, magnetic
media, magneto-optical media, removable memory cards or disks,
various types of DVD devices, a tape device, a cassette device, or
the like. The embodiments are not limited in this context.
[0088] In various embodiments, computing device 1005 may include
one or more I/O adapters 1047. Examples of I/O adapters 1047 may
include Universal Serial Bus (USB) ports/adapters, IEEE 1394
Firewire ports/adapters, and so forth. The embodiments are not
limited in this context.
[0089] FIG. 11 illustrates an embodiment of an exemplary computing
architecture 1100 suitable for implementing various embodiments as
previously described. In one embodiment, the computing architecture
1100 may include or be implemented as part of systems 100.
[0090] As used in this application, the terms "system" and
"component" are intended to refer to a computer-related entity,
either hardware, a combination of hardware and software, software,
or software in execution, examples of which are provided by the
exemplary computing architecture 1100. For example, a component can
be, but is not limited to being, a process running on a processor,
a processor, a hard disk drive, multiple storage drives (of optical
and/or magnetic storage medium), an object, an executable, a thread
of execution, a program, and/or a computer. By way of illustration,
both an application running on a server and the server can be a
component. One or more components can reside within a process
and/or thread of execution, and a component can be localized on one
computer and/or distributed between two or more computers. Further,
components may be communicatively coupled to each other by various
types of communications media to coordinate operations. The
coordination may involve the uni-directional or bi-directional
exchange of information. For instance, the components may
communicate information in the form of signals communicated over
the communications media. The information can be implemented as
signals allocated to various signal lines. In such allocations,
each message is a signal. Further embodiments, however, may
alternatively employ data messages. Such data messages may be sent
across various connections. Exemplary connections include parallel
interfaces, serial interfaces, and bus interfaces.
[0091] The computing architecture 1100 includes various common
computing elements, such as one or more processors, multi-core
processors, co-processors, memory units, chipsets, controllers,
peripherals, interfaces, oscillators, timing devices, video cards,
audio cards, multimedia input/output (I/O) components, power
supplies, and so forth. The embodiments, however, are not limited
to implementation by the computing architecture 1100.
[0092] As shown in FIG. 11, the computing architecture 1100
includes a processing unit 1104, a system memory 1106 and a system
bus 1108. The processing unit 1104 can be any of various
commercially available processors.
[0093] The system bus 1108 provides an interface for system
components including, but not limited to, the system memory 1106 to
the processing unit 1104. The system bus 1108 can be any of several
types of bus structure that may further interconnect to a memory
bus (with or without a memory controller), a peripheral bus, and a
local bus using any of a variety of commercially available bus
architectures. Interface adapters may connect to the system bus
1108 via slot architecture. Example slot architectures may include
without limitation Accelerated Graphics Port (AGP), Card Bus,
(Extended) Industry Standard Architecture ((E)ISA), Micro Channel
Architecture (MCA), NuBus, Peripheral Component Interconnect
(Extended) (PCI(X)), PCI Express, Personal Computer Memory Card
International Association (PCMCIA), and the like.
[0094] The computing architecture 1100 may include or implement
various articles of manufacture. An article of manufacture may
include a computer-readable storage medium to store logic. Examples
of a computer-readable storage medium may include any tangible
media capable of storing electronic data, including volatile memory
or non-volatile memory, removable or non-removable memory, erasable
or non-erasable memory, writeable or re-writeable memory, and so
forth. Examples of logic may include executable computer program
instructions implemented using any suitable type of code, such as
source code, compiled code, interpreted code, executable code,
static code, dynamic code, object-oriented code, visual code, and
the like. Embodiments may also be at least partly implemented as
instructions contained in or on a non-transitory computer-readable
medium, which may be read and executed by one or more processors to
enable performance of the operations described herein.
[0095] The system memory 1106 may include various types of
computer-readable storage media in the form of one or more higher
speed memory units, such as read-only memory (ROM), random-access
memory (RAM), dynamic RAM (DRAM), Double-Data-Rate DRAM (DDRAM),
synchronous DRAM (SDRAM), static RAM (SRAM), programmable ROM
(PROM), erasable programmable ROM (EPROM), electrically erasable
programmable ROM (EEPROM), flash memory, polymer memory such as
ferroelectric polymer memory, ovonic memory, phase change or
ferroelectric memory, silicon-oxide-nitride-oxide-silicon (SONOS)
memory, magnetic or optical cards, an array of devices such as
Redundant Array of Independent Disks (RAID) drives, solid state
memory devices (e.g., USB memory, solid state drives (SSD) and any
other type of storage media suitable for storing information. In
the illustrated embodiment shown in FIG. 11, the system memory 1106
can include non-volatile memory 1110 and/or volatile memory 1112. A
basic input/output system (BIOS) can be stored in the non-volatile
memory 1110.
[0096] The computer 1102 may include various types of
computer-readable storage media in the form of one or more lower
speed memory units, including an internal (or external) hard disk
drive (HDD) 1114, a magnetic floppy disk drive (FDD) 1116 to read
from or write to a removable magnetic disk 1118, and an optical
disk drive 1120 to read from or write to a removable optical disk
1122 (e.g., a CD-ROM or DVD). The HDD 1114, FDD 1116 and optical
disk drive 1120 can be connected to the system bus 1108 by a HDD
interface 1124, an FDD interface 1126 and an optical drive
interface 1128, respectively. The HDD interface 1124 for external
drive implementations can include at least one or both of Universal
Serial Bus (USB) and IEEE 1394 interface technologies.
[0097] The drives and associated computer-readable media provide
volatile and/or nonvolatile storage of data, data structures,
computer-executable instructions, and so forth. For example, a
number of program modules can be stored in the drives and memory
units 1110, 1112, including an operating system 1130, one or more
application programs 1132, other program modules 1134, and program
data 1136. In one embodiment, the one or more application programs
1132, other program modules 1134, and program data 1136 can
include, for example, the various applications and/or components of
the system 100.
[0098] A user can enter commands and information into the computer
1102 through one or more wire/wireless input devices, for example,
a keyboard 1138 and a pointing device, such as a mouse 1140. Other
input devices may include microphones, infra-red (IR) remote
controls, radio-frequency (RF) remote controls, game pads, stylus
pens, card readers, dongles, finger print readers, gloves, graphics
tablets, joysticks, keyboards, retina readers, touch screens (e.g.,
capacitive, resistive, etc.), trackballs, track pads, sensors,
styluses, and the like. These and other input devices are often
connected to the processing unit 1104 through an input device
interface 1142 that is coupled to the system bus 1108, but can be
connected by other interfaces such as a parallel port, IEEE 1394
serial port, a game port, a USB port, an IR interface, and so
forth.
[0099] A monitor 1144 or other type of display device is also
connected to the system bus 1108 via an interface, such as a video
adaptor 1146. The monitor 1144 may be internal or external to the
computer 1102. In addition to the monitor 1144, a computer
typically includes other peripheral output devices, such as
speakers, printers, and so forth.
[0100] The computer 1102 may operate in a networked environment
using logical connections via wire and/or wireless communications
to one or more remote computers, such as a remote computer 1148.
The remote computer 1148 can be a workstation, a server computer, a
router, a personal computer, portable computer,
microprocessor-based entertainment appliance, a peer device or
other common network node, and typically includes many or all of
the elements described relative to the computer 1102, although, for
purposes of brevity, only a memory/storage device 1150 is
illustrated. The logical connections depicted include wire/wireless
connectivity to a local area network (LAN) 1152 and/or larger
networks, for example, a wide area network (WAN) 1154. Such LAN and
WAN networking environments are commonplace in offices and
companies, and facilitate enterprise-wide computer networks, such
as intranets, all of which may connect to a global communications
network, for example, the Internet.
[0101] When used in a LAN networking environment, the computer 1102
is connected to the LAN 1152 through a wire and/or wireless
communication network interface or adaptor 1156. The adaptor 1156
can facilitate wire and/or wireless communications to the LAN 1152,
which may also include a wireless access point disposed thereon for
communicating with the wireless functionality of the adaptor
1156.
[0102] When used in a WAN networking environment, the computer 1102
can include a modem 1158, or is connected to a communications
server on the WAN 1154, or has other means for establishing
communications over the WAN 1154, such as by way of the Internet.
The modem 1158, which can be internal or external and a wire and/or
wireless device, connects to the system bus 1108 via the input
device interface 1142. In a networked environment, program modules
depicted relative to the computer 1102, or portions thereof, can be
stored in the remote memory/storage device 1150. It will be
appreciated that the network connections shown are exemplary and
other means of establishing a communications link between the
computers can be used.
[0103] The computer 1102 is operable to communicate with wire and
wireless devices or entities using the IEEE 1102 family of
standards, such as wireless devices operatively disposed in
wireless communication (e.g., IEEE 1102.11 over-the-air modulation
techniques). This includes at least Wi-Fi (or Wireless Fidelity),
WiMax, and Bluetooth.TM. wireless technologies, among others. Thus,
the communication can be a predefined structure as with a
conventional network or simply an ad hoc communication between at
least two devices. Wi-Fi networks use radio technologies called
IEEE 1102.11x (a, b, g, n, etc.) to provide secure, reliable, fast
wireless connectivity. A Wi-Fi network can be used to connect
computers to each other, to the Internet, and to wire networks
(which use IEEE 1102.3-related media and functions).
[0104] The various elements of the systems 100, 1500, 1100 as
previously described with reference to FIGS. 1-16 may include
various hardware elements, software elements, or a combination of
both. Examples of hardware elements may include devices, logic
devices, components, processors, microprocessors, circuits,
processors, circuit elements (e.g., transistors, resistors,
capacitors, inductors, and so forth), integrated circuits,
application specific integrated circuits (ASIC), programmable logic
devices (PLD), digital signal processors (DSP), field programmable
gate array (FPGA), memory units, logic gates, registers,
semiconductor device, chips, microchips, chip sets, and so forth.
Examples of software elements may include software components,
programs, applications, computer programs, application programs,
system programs, software development programs, machine programs,
operating system software, middleware, firmware, software modules,
routines, subroutines, functions, methods, procedures, software
interfaces, application program interfaces (API), instruction sets,
computing code, computer code, code segments, computer code
segments, words, values, symbols, or any combination thereof.
However, determining whether an embodiment is implemented using
hardware elements and/or software elements may vary in accordance
with any number of factors, such as desired computational rate,
power levels, heat tolerances, processing cycle budget, input data
rates, output data rates, memory resources, data bus speeds and
other design or performance constraints, as desired for a given
implementation.
[0105] The detailed disclosure now turns to providing examples that
pertain to further embodiments. Examples one through twenty-five
(1-25) provided below are intended to be exemplary and
non-limiting.
[0106] In a first example, an article comprising a non-transitory
computer-readable storage medium comprising a plurality of
instructions that when executed enable processing circuitry to
determine whether a target address of a register for an execution
instruction is valid or invalid based on a comparison between the
target address and one or more valid target addresses stored in a
storage, increase a number of invalid target addresses when the
target address is invalid, determine whether the number of invalid
target addresses is greater than an invalid target address
threshold, and initiate a security measure to prevent a security
breach when the number of invalid target addresses is greater than
the invalid target address threshold.
[0107] In a second example and in furtherance of the first example,
a plurality of instructions that when executed enable a processing
circuitry to determine whether a number of valid execution
instructions is greater than an execution instruction threshold,
and reset a counter for the number of invalid target addresses and
a counter for the number of valid execution instructions when the
number of valid execution instructions is greater than the
execution instruction threshold.
[0108] In a third example and in furtherance of any of the previous
examples, a plurality of instructions that when executed enable a
processing circuitry to enable an execution tracking routine when
the target address of the register is invalid, the execution
tracking routine to disable one or more optimizations and fast
lookup tables.
[0109] In a fourth example and in furtherance of any of the
previous examples, a plurality of instructions that when executed
enable a processing circuitry to perform the execution instruction
when the target address is valid or if the number of invalid target
addresses is less than or equal to the invalid target address
threshold.
[0110] In a fifth example and in furtherance of any of the previous
examples, wherein the execution instruction is part of a main
routine of an application stored in the storage. In a sixth example
and in furtherance of any of the previous examples, a plurality of
instructions that when executed enable a processing circuitry to
perform a translation routine on one or more routines to determine
one or more valid target addresses and store the one or more valid
target addresses in a lookup table.
[0111] In a seventh example and in furtherance of any of the
previous examples, a plurality of instructions that when executed
enable a processing circuitry to determine at least one of the
invalid target address threshold and the execution instruction
threshold based on a security setting.
[0112] In an eighth example and in furtherance of any of the
previous examples, a plurality of instructions that when executed
enable a processing circuitry the security measure comprising a
plurality of instructions that when executed enable the processing
circuitry to disable a main routine for the execution instruction
and/or report a security breach attempt to a security
component.
[0113] In a ninth example and in furtherance of any of the previous
examples, a method may include determining whether a target address
of a register for an execution instruction is valid or invalid
based on a comparison between the target address and one or more
valid target addresses stored in a storage, increase, a number of
invalid target addresses when the target address is invalid,
determining whether the number of invalid target addresses is
greater than or equal to an invalid target address threshold and
initiating a security measure to prevent a security breach when the
number of invalid target addresses is greater than or equal to the
invalid threshold.
[0114] In a tenth example and in furtherance of any of the previous
examples, a method may include determining whether a number of
valid execution instructions is greater than an execution
instruction threshold, and resetting a counter for the number of
invalid target addresses and a counter for the number of valid
execution instructions when the number of valid execution
instructions is greater than the execution instruction
threshold.
[0115] In an eleventh example and in furtherance of any of the
previous examples, a method may include enabling an execution
tracking routine when the target address of the register is
invalid, the execution tracking routine to disable one or more
optimizations and one or more fast lookup tables.
[0116] In a twelfth example and in furtherance of any of the
previous examples, a method may include performing the execution
instruction when the target address is valid or if the number of
invalid target addresses is less than or equal to the invalid
target address threshold.
[0117] In a thirteenth example and in furtherance of any of the
previous examples, a method may include the execution instruction
is part of a main routine of an application stored in the
storage.
[0118] In a fourteenth example and in furtherance of any of the
previous examples, a method may include performing a translation
routine on one or more routines to determine one or more valid
target addresses, and storing the one or more valid target
addresses in a lookup table.
[0119] In a fifteenth example and in furtherance of any of the
previous examples, a method may include determining at least one of
an invalid target address threshold and an execution instruction
threshold based on a security setting.
[0120] In a sixteenth example and in furtherance of any of the
previous examples, a method may include the security measure
comprising disabling a main routine for the execution instruction
and/or report a security breach attempt to a security
component.
[0121] In a seventeenth example and in furtherance of any of the
previous examples, a system, a device or an apparatus may include
memory, storage, processing circuitry comprising one or more
registers, and a validation component executable on the processing
circuitry to determine whether a target address of a register of
the one or more registers for an execution instruction is valid or
invalid based on a comparison between the target address and one or
more valid target addresses stored in the storage and decrease a
number of invalid target addresses when the target address is
invalid. The apparatus may include a comparison component
executable on the processing circuitry to determine whether a
number of invalid target addresses is less than or equal to an
invalid target address threshold and a security component
executable on the processing circuitry to initiate a security
measure to prevent a security breach when the number of invalid
target addresses is equal to or less than the invalid
threshold.
[0122] In an eighteenth example and in furtherance of any of the
previous examples, a system, a device or an apparatus may include
the comparison component to determine whether a number of valid
execution instructions is greater than an execution instruction
threshold, and the translator component to reset a counter for the
number of invalid target addresses and a counter for the number of
valid execution instructions when the number of valid execution
instructions is greater than the execution instruction
threshold.
[0123] In a nineteenth example and in furtherance of any of the
previous examples, a system, a device or an apparatus may include
the translator component to enable an execution tracking routine
when the target address of the register is invalid, the execution
tracking routine to disable one or more optimizations and one or
more fast lookup tables.
[0124] In a twentieth example and in furtherance of any of the
previous examples, a system, a device or an apparatus may include
the translator component to perform the execution instruction when
the target address is valid or if the number of invalid target
addresses is less than or equal to the invalid target address
threshold.
[0125] In a twenty-first example and in furtherance of any of the
previous examples, a system, a device or an apparatus may include
the execution instruction is part of a main routine of an
application stored in the storage.
[0126] In a twenty-second example and in furtherance of any of the
previous examples, a system, a device or an apparatus may include
the translator component to perform a translation routine on one or
more routines to determine one or more valid target addresses, and
store the one or more valid target addresses in a lookup table.
[0127] In a twenty-third example and in furtherance of any of the
previous examples, a system, a device or an apparatus may include
the security component to determine at least one of an invalid
target address threshold and an execution instruction threshold
based on a security setting.
[0128] In a twenty-fourth example and in furtherance of any of the
previous examples, a system, a device or an apparatus may include
the security measure to disable a main routine for the execution
instruction and/or report a security breach attempt to a security
agent.
[0129] In a twenty-fifth example and in furtherance of any of the
previous examples, a system, a device or an apparatus may include
an input/output (I/O) adapter, a transceiver, and a display
controller coupled with a display, and wherein the I/O adapter, the
transceiver, the display controller, the display, the memory,
storage, and the processing circuitry all coupled via a bus.
[0130] Some embodiments may be described using the expression "one
embodiment" or "an embodiment" along with their derivatives. These
terms mean that a particular feature, structure, or characteristic
described in connection with the embodiment is included in at least
one embodiment. The appearances of the phrase "in one embodiment"
in various places in the specification are not necessarily all
referring to the same embodiment. Further, some embodiments may be
described using the expression "coupled" and "connected" along with
their derivatives. These terms are not necessarily intended as
synonyms for each other. For example, some embodiments may be
described using the terms "connected" and/or "coupled" to indicate
that two or more elements are in direct physical or electrical
contact with each other. The term "coupled," however, may also mean
that two or more elements are not in direct contact with each
other, but yet still co-operate or interact with each other.
[0131] It is emphasized that the Abstract of the Disclosure is
provided to allow a reader to quickly ascertain the nature of the
technical disclosure. It is submitted with the understanding that
it will not be used to interpret or limit the scope or meaning of
the claims. In addition, in the foregoing Detailed Description, it
can be seen that various features are grouped together in a single
embodiment for the purpose of streamlining the disclosure. This
method of disclosure is not to be interpreted as reflecting an
intention that the claimed embodiments require more features than
are expressly recited in each claim. Rather, as the following
claims reflect, inventive subject matter lies in less than all
features of a single disclosed embodiment. Thus the following
claims are hereby incorporated into the Detailed Description, with
each claim standing on its own as a separate embodiment. In the
appended claims, the terms "including" and "in which" are used as
the plain-English equivalents of the respective terms "comprising"
and "wherein," respectively. Moreover, the terms "first," "second,"
"third," and so forth, are used merely as labels, and are not
intended to impose numerical requirements on their objects.
[0132] What has been described above includes examples of the
disclosed architecture. It is, of course, not possible to describe
every conceivable combination of components and/or methodologies,
but one of ordinary skill in the art may recognize that many
further combinations and permutations are possible. Accordingly,
the novel architecture is intended to embrace all such alterations,
modifications and variations that fall within the spirit and scope
of the appended claims.
* * * * *