Hardware heuristic-driven binary translation-based execution analysis for return-oriented programming malware detection

Assignee

• McAfee, LLC · US

Inventors

• Palanivelrajan Rajan Shanmugavelayutham · San Jose, US
• Koichi Yamada · Los Gatos, US
• Vadim Sukhomlinov · Santa Clara, US
• Igor Muttik · Aylesbury, GB
• Oleksandr Bazhaniuk · Hillsboro, US
• Yuriy Bulygin · Beaverton, US
• Dmitri Rubakha · San Jose, US
• Jennifer Eligius Mankin · San Jose, US
• Carl D. Woodward · Santa Clara, US
• Sevin F. Varoglu · Santa Clara, US
• Dima Mirkin · Mevaseret Tsiyon, IL
• Alex Nayshtut · Gan Yavne, IL

Key dates

Classification

• Technology area (CPC G)Physics
• CPC primaryG06F2221/033
• WIPO fieldComputer technology
• WIPO sectorElectrical engineering

Abstract

A combination of hardware monitoring and binary translation software allow detection of return-oriented programming (ROP) exploits with low overhead and low false positive rates. Embodiments may use various forms of hardware to detect ROP exploits and indicate the presence of an anomaly to a device driver, which may collect data and pass the indication of the anomaly to the binary translation software to instrument the application code and determine whether an ROP exploit has been detected. Upon detection of the ROP exploit, the binary translation software may indicate the ROP exploit to an anti-malware software, which may take further remedial action as desired.