Patent · US Active

Method to identify buffer overflows and RLIBC attacks

US7945953B1 · kind B1 · utility

Cited by: 30
References: 8
Claims: 5
Family size: 0

Assignee

Inventors

Key dates

Filing date: Jul 6, 2005
Grant date: May 17, 2011
Priority date
Expiry date: Nov 12, 2028

Classification

  • Technology area (CPC G): Physics
  • CPC primary: G06F21/577
  • WIPO field: Computer technology
  • WIPO sector: Electrical engineering

Abstract

A method and system detect buffer overflows and RLIBC attacks by determining if a critical call initiating function is a “potential threat”. In one embodiment, a critical call initiating function is considered a potential threat if the value of the return address of the critical call initiating function points to a location in memory between the location of the highest Thread Environment Block (TEB) or Process Environment Block (PEB) and the location of the lowest Thread Environment Block (TEB) or PEB. In another embodiment, a critical call initiating function making a call to a predefined critical operating system function is considered a potential threat if the value of the return address of the critical call initiating function points to the beginning of a new function with a zero offset.

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.