Detection of return oriented programming attacks in a processor

Assignee

• McAfee, LLC · US

Inventors

• Yuriy Bulygin · Beaverton, US
• Gideon Gerzon · Jerusalem, IL
• Sameer Desai · Folsom, US
• Hisham Shafi · Beer Sheva, IL
• Andrew A. Furtak · Beaverton, US
• Oleksandr Bazhaniuk · Hillsboro, US
• Mikhail V. Gorobets · Hillsboro, US
• Ravi L. Sahita · Portland, US
• Ofer Levy · Atlit, IL

Key dates

Classification

• Technology area (CPC G)Physics
• CPC primaryG06F2221/2101
• WIPO fieldComputer technology
• WIPO sectorElectrical engineering

Abstract

In an embodiment, a processor for Return Oriented Programming (ROP) detection includes at least one execution unit; a plurality of event counters, each event counter associated with a unique type of a plurality of types of control transfer events; and a ROP detection unit. The ROP detection unit may be to: adjust a first event counter in response to detection of a first type of control transfer events; in response to a determination that the first event counter exceeds a first threshold, access a first configuration register associated with the first event counter to read configuration data; identify a set of ROP heuristic checks based on the configuration data read from the first configuration register; and perform each ROP heuristic check of the identified set of ROP heuristic checks. Other embodiments are described and claimed.