Systems, methods, and apparatus for detecting control flow attacks
US10984096B2 · kind B2 · utility
Assignee
Inventors
Key dates
| Filing date | Mar 28, 2018 |
| Grant date | Apr 20, 2021 |
| Priority date | — |
| Expiry date | Nov 23, 2039 |
Classification
- Technology area (CPC G)Physics
- CPC primaryG06F2221/033
- WIPO fieldComputer technology
- WIPO sectorElectrical engineering
Abstract
After a heuristic event counter in a processor has triggered a performance monitoring interrupt (PMI) when the processor was executing a target program in user mode, and after the processor has switched to kernel mode in response to the PMI, a heuristic event handler automatically performs preliminary analysis in kernel mode, without switching back to user mode, to determine whether heavyweight code analysis is warranted. The preliminary analysis comprises (a) obtaining an instruction pointer (IP) for the target program from a last branch record (LBR) buffer in the processor, (b) using transaction hardware in the processor to determine whether the IP from LBR buffer points to a readable page in memory, and (c) determining that heavyweight code analysis is not warranted in response to a determination that the page pointed to by the IP from LBR buffer is not readable. Other embodiments are described and claimed.
Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.