Patent · US Active

Detecting return-to-LIBC buffer overflows via dynamic disassembly of offsets

US7552477B1 · kind B1 · utility

Cited by: 11
References: 1
Claims: 13
Family size: 0

Assignee

Inventors

Key dates

Filing date: Feb 23, 2005
Grant date: Jun 23, 2009
Priority date
Expiry date: Jun 30, 2027

Classification

  • Technology area (CPC G): Physics
  • CPC primary: G06F2209/542
  • WIPO field: Computer technology
  • WIPO sector: Electrical engineering

Abstract

A method makes use of the fact that call modules, such as APIs, making calls to a critical operating system (OS) function are typically called by a call instruction while, in contrast, an RLIBC attack typically uses call modules that are jumped to, returned to, or invoked by some means other than a call instruction. The method includes stalling a call to a critical OS function and checking to ensure that the call module making the call to the critical OS function was called by a call instruction. If it is determined that the call module making the call to the critical OS function was not called by a call instruction, the method further includes taking protective action to protect a computer system.
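One way to implement the check the abstract describes, as an added example that is not code from the patent: assuming 32-bit x86 and that the value examined is the return address found on the stack while the critical OS function is stalled, the function below tests whether the bytes ending at that address decode as a near `call`. The function names and the sample byte arrays are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Length of a 32-bit x86 near call starting at p, or 0 if p is not one.
   Covers E8 rel32 and FF /2 (indirect call through register or memory). */
static size_t call_len(const uint8_t *p, size_t avail)
{
    if (avail >= 5 && p[0] == 0xE8)
        return 5;                                   /* call rel32 */
    if (avail < 2 || p[0] != 0xFF || ((p[1] >> 3) & 7) != 2)
        return 0;                                   /* not FF /2 */
    uint8_t mod = p[1] >> 6, rm = p[1] & 7;
    size_t len = 2;                                 /* opcode + ModRM */
    if (mod == 3) return len;                       /* call reg */
    if (rm == 4) {                                  /* SIB byte follows */
        if (avail < 3) return 0;
        len++;
        if (mod == 0 && (p[2] & 7) == 5) len += 4;  /* SIB with disp32 base */
    }
    if (mod == 0 && rm == 5) len += 4;              /* [disp32] */
    if (mod == 1) len += 1;                         /* disp8 */
    if (mod == 2) len += 4;                         /* disp32 */
    return len <= avail ? len : 0;
}

/* 1 if some call instruction ends exactly at ret_off, i.e. the return
   address could have been pushed by a call instruction; 0 otherwise. */
int return_site_follows_call(const uint8_t *code, size_t size, size_t ret_off)
{
    if (ret_off > size) return 0;
    for (size_t n = 2; n <= 7 && n <= ret_off; n++)
        if (call_len(code + ret_off - n, n) == n)
            return 1;
    return 0;
}

/* Constructed samples: direct call, indirect call, and a function entry
   (padding then prologue), which is where a jumped-to module would "return". */
static const uint8_t direct[]   = {0x55,0x8B,0xEC,0xE8,0x10,0x00,0x00,0x00,0xC9,0xC3};
static const uint8_t indirect[] = {0xFF,0x15,0x00,0x10,0x40,0x00,0x85,0xC0};
static const uint8_t entry[]    = {0x90,0x90,0x90,0x55,0x8B,0xEC,0x83,0xEC,0x10};

int main(void)
{
    printf("direct:   %d\n", return_site_follows_call(direct, sizeof direct, 8));
    printf("indirect: %d\n", return_site_follows_call(indirect, sizeof indirect, 6));
    printf("entry:    %d\n", return_site_follows_call(entry, sizeof entry, 3));
    return 0;
}
```

A passing result only shows that a call instruction could have pushed the address; arbitrary bytes can coincidentally decode as a call, so a pass is a heuristic while a failure is the strong signal.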

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.