CA-3027728-C - SYSTEMS AND METHODS FOR REMEDIATING MEMORY CORRUPTION IN A COMPUTER APPLICATION
Abstract
In example embodiments, systems and methods extract a model of a computer application during load time and store the model in memory. Embodiments may insert instructions into the computer application at run time to collect runtime state of the application, and analyze the collected data against the stored model to perform detection of security events. Embodiments may also instrument an exception handler to detect the security events based on unhandled memory access violations. Embodiments may, based upon the detection of the security events, dynamically respond, such as by modifying a computer routine associated with an active process of the computer application. Modification may include installing or verifying an individual patch in memory associated with the computer application.
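The exception-handler path the abstract describes, as an added example that is not part of this patent or of any Virsec product code: a POSIX sigaction handler for SIGSEGV/SIGBUS records the faulting address of an access violation the application did not handle itself, classifies that address against a load-time model of the data regions the application is known to own, and unwinds to a checkpoint so the process keeps running and the event can be reported rather than ending in a crash. The region table, the verdict codes, guarded_call and the write_through stand-in for a routine whose data pointer was corrupted are all assumptions made for this example; the unmapped address 0x10 is a constructed input that faults on Linux.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Address-bounds model (assumed layout): data regions the application owns.
 * Filled in at "load time" by the caller via model_add_region(). */
struct region { uintptr_t lo, hi; };            /* half-open [lo, hi) */
#define MAX_REGIONS 8
static struct region g_regions[MAX_REGIONS];
static int g_nregions;

enum verdict {
    V_OK = 0,                  /* routine completed normally */
    V_FAULT_IN_MODEL = 1,      /* fault address lies in a modelled region (e.g. wrong permissions) */
    V_FAULT_OUTSIDE_MODEL = 2  /* fault address matches no region the model ever gave the app */
};

/* Security-event record written from signal context: only types that are
 * safe to store there, no heap, no locks. */
static volatile uintptr_t g_fault_addr;
static volatile sig_atomic_t g_fault_signo;
static sigjmp_buf g_checkpoint;
static volatile sig_atomic_t g_checkpoint_armed;

int model_add_region(const void *base, size_t len)
{
    if (g_nregions == MAX_REGIONS) return -1;
    g_regions[g_nregions].lo = (uintptr_t)base;
    g_regions[g_nregions].hi = (uintptr_t)base + len;
    g_nregions++;
    return 0;
}

int model_contains(uintptr_t a)
{
    for (int i = 0; i < g_nregions; i++)
        if (a >= g_regions[i].lo && a < g_regions[i].hi) return 1;
    return 0;
}

/* Instrumented handler for access violations the application did not handle:
 * record where the fault was, then unwind to the checkpoint so the process
 * survives and the event can be analysed and reported. */
static void fault_handler(int signo, siginfo_t *si, void *uctx)
{
    (void)uctx;
    g_fault_signo = signo;
    g_fault_addr = (uintptr_t)si->si_addr;
    if (g_checkpoint_armed)
        siglongjmp(g_checkpoint, 1);
    /* Fault outside any guarded call: restore the default action and let
     * the re-executed instruction terminate the process. */
    signal(signo, SIG_DFL);
}

int install_fault_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = fault_handler;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, NULL) != 0) return -1;
    return sigaction(SIGBUS, &sa, NULL);
}

/* Run routine(arg) with the checkpoint armed. Returns V_OK if it finished,
 * otherwise a verdict classifying the unhandled access violation against the
 * model. Control returns here instead of the process dying; this is where a
 * remediation step (reporting, patching the routine) would attach. */
int guarded_call(void (*routine)(void *), void *arg)
{
    if (sigsetjmp(g_checkpoint, 1) != 0) {      /* sigsetjmp(.., 1) restores the signal mask */
        g_checkpoint_armed = 0;
        return model_contains(g_fault_addr) ? V_FAULT_IN_MODEL : V_FAULT_OUTSIDE_MODEL;
    }
    g_checkpoint_armed = 1;
    routine(arg);
    g_checkpoint_armed = 0;
    return V_OK;
}

uintptr_t last_fault_address(void) { return g_fault_addr; }

/* Constructed stand-in for a routine whose data pointer was overwritten:
 * it writes through whatever pointer it is handed. */
void write_through(void *p) { *(volatile int *)p = 0x41414141; }

static int g_app_data[4];   /* the application's only legitimate data region here */

int main(void)
{
    install_fault_handler();
    model_add_region(g_app_data, sizeof g_app_data);
    printf("valid pointer:     verdict %d\n", guarded_call(write_through, &g_app_data[1]));
    printf("corrupted pointer: verdict %d (fault at %#lx)\n",
           guarded_call(write_through, (void *)(uintptr_t)0x10),
           (unsigned long)last_fault_address());
    return 0;
}
```

The handler deliberately does not try to repair anything in signal context; it only captures the fault address and transfers control back to a known-good frame, which is the minimum needed before any of the patching steps in the claims can run. Unwinding with siglongjmp skips destructors and leaves any lock the faulting routine held in place, so a real deployment must also account for that state.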
Inventors
- Satya Vrat Gupta
Assignees
- Virsec Systems, Inc.
Dates
- Publication Date
- 20260505
- Application Date
- 20170616
- Priority Date
- 20160616
Claims (18)
- CLAIMS: 1. A computer-implemented method comprising: extracting a model of a computer application during load time, the extracted model including address bounds attributes of the computer application; storing the model of the computer application; inserting instructions into the computer application to collect data at runtime; analyzing the data collected at runtime against the stored model including address bounds attributes of the computer application to perform detection of one or more security events, wherein the one or more security events is associated with malicious action outside the address bounds attributes of the computer application, the malicious action being a malicious movement to a different code path within the computer application; and based upon the detection of the one or more security events: temporarily pausing execution of at least one active process or thread associated with the computer application; modifying, in a manner that preserves continued execution of the computer application, at least one computer routine associated with the at least one active process or thread associated with the computer application, the modifying creating a trampoline from vulnerable code to non-vulnerable code; and after modifying the at least one computer routine, resuming execution of the at least one active process or thread.
- 2. The method of Claim 1, wherein the at least one computer routine is executed in association with the at least one active process.
- 3. The method of Claim 1, wherein modifying includes verifying a patch or configuration associated with the computer application.
- 4. The method of Claim 1, further comprising: in response to receipt of one or more aggregate patches by a user, performing at least one of: modifying or removing the at least one computer routine; and modifying or removing one or more individual patches associated with the computer application.
- 5. The method of Claim 1, further comprising: modifying one or more stacks associated with the at least one computer routine.
- 6. The method of Claim 1, further comprising: modifying one or more heaps associated with the at least one computer routine.
- 7. The method of Claim 1, further comprising: modifying the at least one computer routine associated with the at least one active process, while the at least one active process is executing the at least one computer routine.
- 8. A computer system comprising: one or more processors; and a memory coupled to the one or more processors, the memory storing executable instructions that, in response to execution by the one or more processors, cause the one or more processors, to: extract a model of a computer application during load time, the extracted model including address bounds attributes of the computer application; store the model of the computer application; insert instructions into the computer application to collect data at runtime; analyze the data collected at runtime against the stored model including address bounds attributes of the computer application to perform detection of one or more security events, wherein the one or more security events is associated with malicious action outside the address bounds attributes of the computer application, the malicious action being a malicious movement to a different code path within the computer application; and based upon the detection of the one or more security events: temporarily pause execution of at least one active process or thread associated with the computer application; modify, in a manner that preserves continued execution of the computer application, at least one computer routine associated with the at least one active process or thread associated with the computer application, the modifying creating a trampoline from vulnerable code to non-vulnerable code; and after modifying the at least one computer routine, resume execution of the at least one active process or thread.
- 9. The system of Claim 8, wherein the at least one computer routine is executed in association with the at least one active process.
- 10. The system of Claim 8, wherein the executable instructions, in response to execution by the one or more processors, cause the one or more processors to verify a patch or configuration associated with the computer application.
- 11. The system of Claim 8, wherein the executable instructions, in response to execution by the one or more processors, cause the one or more processors to: in response to receipt of one or more aggregate patches by a user, perform at least one of: modifying or removing the at least one computer routine; and modifying or removing one or more individual patches associated with the computer application.
- 12. The system of Claim 8, wherein the executable instructions, in response to execution by the one or more processors, cause the one or more processors to modify one or more stacks associated with the at least one computer routine.
- 13. The system of Claim 8, wherein the executable instructions, in response to execution by the one or more processors, cause the one or more processors to modify one or more heaps associated with the at least one computer routine.
- 14. The system of Claim 8, wherein the executable instructions, in response to execution by the one or more processors, cause the one or more processors to modify the at least one computer routine associated with the at least one active process, while the at least one active process is executing the at least one computer routine.
- 15. A computer-implemented method comprising: extracting a model of a computer application during load time, the extracted model including address bounds attributes of the computer application; storing the model of the computer application; inserting instructions into the computer application to collect data at runtime; analyzing the data collected at runtime against the stored model including address bounds attributes of the computer application to perform detection of one or more security events wherein the one or more security events is (i) associated with malicious action outside the address bounds attributes of the computer application and (ii) associated with a memory corruption associated with the computer application, the malicious action being a malicious movement to a different code path within the computer application; upon the detection of the one or more security events and prior to executing a return instruction, temporarily remediating the memory corruption associated with the computer application; reporting actionable information based upon the one or more detected security events; and based upon the detection of the one or more security events: temporarily pausing execution of at least one active process or thread associated with the computer application; modifying, in a manner that preserves continued execution of the computer application, at least one computer routine associated with the at least one active process or thread associated with the computer application, the modifying creating a trampoline from vulnerable code to non-vulnerable code; and after modifying the at least one computer routine, resuming execution of the at least one active process or thread.
- 16. The method of Claim 15, further comprising: modifying at least one computer instruction associated with at least one process, while the at least one process is executing.
- 17. A computer system comprising: one or more processors; and a memory coupled to the one or more processors, the memory storing executable instructions that, in response to execution by the one or more processors, cause the one or more processors, to: extract a model of a computer application during load time, the extracted model including address bounds attributes of the computer application; store the model of the computer application; insert instructions into the computer application to collect data at runtime; analyze the data collected at runtime against the stored model including address bounds attributes of the computer application to perform detection of one or more security events, wherein the one or more security events is (i) associated with malicious action outside the address bounds attributes of the computer application and (ii) associated with a memory corruption associated with the computer application, the malicious action being a malicious movement to a different code path within the computer application; upon the detection of the one or more security events and prior to executing a return instruction, temporarily remediate the memory corruption associated with the computer application; report actionable information based upon the one or more detected security events; and based upon the detection of the one or more security events: temporarily pause execution of at least one active process or thread associated with the computer application; modify, in a manner that preserves continued execution of the computer application, at least one computer routine associated with the at least one active process or thread associated with the computer application, the modifying creating a trampoline from vulnerable code to non-vulnerable code; and after modifying the at least one computer routine, resume execution of the at least one active process or thread.
- 18. The system of Claim 17, wherein the executable instructions, in response to execution by the one or more processors, cause the one or more processors to modify at least one computer instruction associated with at least one process, while the at least one process is executing.
Description
SYSTEMS AND METHODS FOR REMEDIATING MEMORY CORRUPTION IN A COMPUTER APPLICATION
RELATED APPLICATION
[0001] This application claims the benefit of U.S. Provisional Application No. 62/350,917, filed on June 16, 2016.
BACKGROUND
[0002] Network accessible applications are often vulnerable to memory corruption attacks triggered remotely by malicious attackers. Malicious attackers have strived hard to exploit such vulnerability since it gives them unprecedented access to the remote user's computer network, often with elevated privileges. Once control has been seized, arbitrary code of the attacker's choosing can be executed by the attacker, as if the remote user owns the compromised machine. Usually the objective of the malicious attacker is to extract personal and/or confidential information from the user, but the objective could also include disrupting personal or business activity of the user for the purpose of inflicting loss of productivity.
[0003] Preparatory attacks may help to set the stage by placing strategic data in buffers on the stack, the heap segments, and other jump tables, including imports, exports, virtual pointers (VPTRs), and system call/system dispatch tables in the memory address space of the application. This allows subsequently launched attacks to manipulate the flow of execution, with the ultimate objective of causing code designed by a malicious hacker to execute instead of code that is natively part of the application. The most sophisticated attackers do not even need to insert their malicious code directly into the target application's memory space; instead, the attackers can re-purpose existing code by stitching together selectively chosen (i.e., cherry picked) chunks of code from the legitimately loaded application code and thereby execute their nefarious intent. There is an urgent need to protect the application at runtime from such advanced runtime memory corruption attacks.
Date Reçue/Date Received 2022-06-24 WO 2017/218872 PCT/US2017/037841
SUMMARY
[0004] Embodiments of the present disclosure are directed to example systems and methods for protection against malicious attacks that are facilitated through memory corruption within one or more running processes. In some embodiments, the systems include one or more instrumentation engines and one or more analysis engines for performing operations to protect against malicious attacks. The one or more instrumentation engines may be located on the same or different hardware or computer system as the one or more analysis engines. In some embodiments, the systems and methods may extract a model of a computer application as the application code first loads into memory. The model may include, but is not limited to, building pairs of legal source and destination memory addresses, transitions, basic block boundary information, code segment bounds, import and export address table bounds, jump table bounds, or any other type of computer-routine-related information known to one skilled in the art. In some embodiments, the systems and methods may store the model of the computer application.
[0005] In some embodiments, the systems and methods may insert instructions into the computer application (optionally, at run time) prior to the computer application instructions being executed in memory in order to collect data at runtime and/or the execution state of the application. In some embodiments, the systems and methods may analyze the collected data at runtime against the stored model of the computer application to perform detection of one or more security events. In some embodiments, the systems and methods may, based upon the detection of the one or more security events, modify, in a manner that preserves continued execution of the computer application, at least one computer routine associated with at least one active process associated with the computer application (i.e., insert a patch).
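The load-time model and runtime analysis of [0004] and [0005], as an added example that is not code from this patent or from Virsec: the model holds the code segment bounds, the sorted basic-block entry addresses and the legal (source, destination) transition pairs; the "collected data" is a trace of control transfers (source, destination, kind) that inserted instrumentation would record; and check_transfer classifies each transfer as legitimate, a jump outside the code bounds (injected code on the stack or heap), a landing in the middle of a basic block (a gadget), or a transition between valid entries that the static model never allowed. The struct layouts, the verdict codes and every address in the model and trace are constructed for this example; the model treats the instruction following each call as a block entry so that legitimate returns have a recognised landing point.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Load-time model (assumed layout). Every address below is constructed. */
struct edge { uintptr_t src, dst; };

struct app_model {
    uintptr_t code_lo, code_hi;      /* code segment bounds, half-open [lo, hi) */
    const uintptr_t *block_starts;   /* sorted basic-block entry addresses */
    size_t nblocks;
    const struct edge *edges;        /* legal (source, destination) transitions */
    size_t nedges;
};

/* Runtime state the inserted instructions collect at each control transfer. */
enum xfer_kind { XFER_CALL, XFER_JMP, XFER_RET };
struct xfer { enum xfer_kind kind; uintptr_t src, dst; };

enum verdict {
    OK_TRANSFER = 0,
    EV_OUTSIDE_CODE,   /* target outside the code segment: injected code on stack/heap */
    EV_MID_BLOCK,      /* target inside code but not a block entry: gadget-style landing */
    EV_UNKNOWN_EDGE    /* valid entry, but no legal transition from this source */
};

static int is_block_start(const struct app_model *m, uintptr_t a)
{
    size_t lo = 0, hi = m->nblocks;          /* binary search over sorted entries */
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (m->block_starts[mid] == a) return 1;
        if (m->block_starts[mid] < a) lo = mid + 1; else hi = mid;
    }
    return 0;
}

/* Check one collected transfer against the model, cheapest test first. */
enum verdict check_transfer(const struct app_model *m, const struct xfer *x)
{
    if (x->dst < m->code_lo || x->dst >= m->code_hi) return EV_OUTSIDE_CODE;
    if (!is_block_start(m, x->dst)) return EV_MID_BLOCK;
    for (size_t i = 0; i < m->nedges; i++)
        if (m->edges[i].src == x->src && m->edges[i].dst == x->dst) return OK_TRANSFER;
    return EV_UNKNOWN_EDGE;
}

/* Analyse a collected trace; returns the index of the first security event
 * (its verdict through *out when non-NULL), or -1 if every transfer matched. */
int analyze_trace(const struct app_model *m, const struct xfer *t, size_t n, enum verdict *out)
{
    for (size_t i = 0; i < n; i++) {
        enum verdict v = check_transfer(m, &t[i]);
        if (v != OK_TRANSFER) { if (out) *out = v; return (int)i; }
    }
    if (out) *out = OK_TRANSFER;
    return -1;
}

/* Constructed model of a tiny program: code in [0x401000, 0x402000), five
 * basic blocks, and the transitions its static CFG allows. 0x401024 is the
 * instruction after the call at 0x40101f, modelled as a block entry. */
static const uintptr_t k_blocks[] = { 0x401000, 0x401010, 0x401024, 0x401040, 0x401058 };
static const struct edge k_edges[] = {
    { 0x40100b, 0x401010 },   /* main   -> parse  (call) */
    { 0x40101f, 0x401040 },   /* parse  -> helper (call) */
    { 0x401057, 0x401024 },   /* helper -> parse  (ret to the return site) */
    { 0x401030, 0x401010 },   /* parse loop back-edge (jmp) */
};
const struct app_model g_model = {
    0x401000, 0x402000,
    k_blocks, sizeof k_blocks / sizeof k_blocks[0],
    k_edges,  sizeof k_edges / sizeof k_edges[0]
};

/* Constructed trace: two legitimate transfers, then three hijacked returns. */
const struct xfer g_trace[] = {
    { XFER_CALL, 0x40101f, 0x401040 },
    { XFER_RET,  0x401057, 0x401024 },
    { XFER_RET,  0x401057, 0x7ffc1234a000 },   /* return into the stack (64-bit address) */
    { XFER_RET,  0x401057, 0x401043 },         /* return into the middle of helper */
    { XFER_RET,  0x401057, 0x401010 },         /* return to an entry no edge allows */
};
const size_t g_trace_len = sizeof g_trace / sizeof g_trace[0];

int main(void)
{
    for (size_t i = 0; i < g_trace_len; i++)
        printf("%zu: %#lx -> %#lx  verdict %d\n", i, (unsigned long)g_trace[i].src,
               (unsigned long)g_trace[i].dst, check_transfer(&g_model, &g_trace[i]));
    enum verdict v;
    int first = analyze_trace(&g_model, g_trace, g_trace_len, &v);
    printf("first security event at trace index %d (verdict %d)\n", first, v);
    return 0;
}
```

The ordering of the three checks matters in practice: the bounds test needs no lookup, the block-entry test is a binary search, and only the edge test walks the transition list, so the common legitimate case pays the full cost while the cheapest test already catches a return onto the stack.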
[0006] According to some embodiments, the computer routine may be executed in association with the at least one process. In some embodiments, the one or more detected security events may be associated with a malicious movement to a different (unusual) code path within the computer application. Such a malicious movement may include, but is not limited to, a malicious jump routine, a trampoline to malicious code, an indirect jump vector, or any other malicious movement known to one skilled in the art.
[0007] In response to receipt of one or more aggregate patches by a user, some embodiments may perform at least one of: modifying or removing the at least one computer routine associated with the computer application; and modifying or removing one or more individual patches associated with the computer application. According to some embodiments, modifying may include verifying a patch or configuration associated with the computer application. According to some embodiments, the systems and methods may modify the stack associat
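The remediation step the claims describe, "modifying ... at least one computer routine ... creating a trampoline from vulnerable code to non-vulnerable code", as an added example that is not this patent's or Virsec's code: the first bytes of a running routine are overwritten with an unconditional branch to a replacement routine of identical signature, so every existing caller of the vulnerable code lands in the non-vulnerable code without relinking or restarting. The two routines (an unbounded copy into a 16-byte stack buffer and its bounded replacement), the branch encoder for x86-64/i386 (JMP rel32) and AArch64 (B imm26), and the mprotect/cache-flush sequence are all assumptions made for this example and are Linux-specific. The claims' pausing of other threads before the write is omitted here because the example is single-threaded; a production hot-patcher must do it, since the multi-byte write is not atomic with respect to a thread executing inside the routine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define BUF_SZ 16

/* Hypothetical vulnerable routine: unbounded copy into a fixed stack buffer.
 * It is only ever called with short input here; the point is to replace it. */
__attribute__((noinline)) static int handle_request(const char *in)
{
    volatile char buf[BUF_SZ];
    size_t n = 0;
    while (in[n] != '\0') {          /* no bound: overflows once strlen(in) >= 16 */
        buf[n] = in[n];
        n++;
    }
    buf[n] = '\0';
    return (int)n;                   /* bytes copied */
}

/* Non-vulnerable replacement with the same signature and calling convention. */
__attribute__((noinline)) static int handle_request_fixed(const char *in)
{
    volatile char buf[BUF_SZ];
    size_t n = 0;
    while (in[n] != '\0' && n < BUF_SZ - 1) {
        buf[n] = in[n];
        n++;
    }
    buf[n] = '\0';
    return (int)n;
}

/* The application's call site, through a volatile pointer so the compiler
 * emits a real call to the symbol and cannot inline or clone it away. */
static int (*volatile g_entry)(const char *) = handle_request;
int run_request(const char *in) { return g_entry(in); }

/* Encode an unconditional branch from `from` to `to` for this CPU into `out`.
 * Returns the instruction length, or 0 if `to` is out of reach/unsupported. */
static size_t encode_branch(unsigned char *out, uintptr_t from, uintptr_t to)
{
#if defined(__x86_64__) || defined(__i386__)
    intptr_t rel = (intptr_t)(to - (from + 5));          /* rel32 from next insn */
    if (rel > INT32_MAX || rel < INT32_MIN) return 0;
    int32_t rel32 = (int32_t)rel;
    out[0] = 0xE9;                                      /* JMP rel32 */
    memcpy(out + 1, &rel32, sizeof rel32);
    return 5;
#elif defined(__aarch64__)
    intptr_t off = (intptr_t)(to - from);
    if ((off & 3) || off >= (1L << 27) || off < -(1L << 27)) return 0;
    uint32_t insn = 0x14000000u | ((uint32_t)(off >> 2) & 0x03FFFFFFu); /* B imm26 */
    memcpy(out, &insn, sizeof insn);
    return 4;
#else
    (void)out; (void)from; (void)to;
    return 0;
#endif
}

/* Install the trampoline: make the page(s) holding the routine's first
 * instruction writable, overwrite it with the branch, flush the instruction
 * cache, and restore read+execute. Other threads must be paused around the
 * memcpy in a real deployment (omitted: this example is single-threaded). */
int install_trampoline(void *from, void *to)
{
    unsigned char code[8];
    size_t len = encode_branch(code, (uintptr_t)from, (uintptr_t)to);
    if (len == 0) return -1;

    long ps = sysconf(_SC_PAGESIZE);
    if (ps <= 0) return -1;
    uintptr_t mask  = ~(uintptr_t)(ps - 1);
    uintptr_t start = (uintptr_t)from & mask;
    uintptr_t end   = (((uintptr_t)from + len - 1) & mask) + (uintptr_t)ps;

    if (mprotect((void *)start, end - start, PROT_READ | PROT_WRITE | PROT_EXEC) != 0)
        return -1;
    memcpy(from, code, len);
    __builtin___clear_cache((char *)from, (char *)from + len);
    if (mprotect((void *)start, end - start, PROT_READ | PROT_EXEC) != 0)
        return -1;
    return 0;
}

int main(void)
{
    printf("before patch: %d bytes\n", run_request("hello"));
    if (install_trampoline((void *)handle_request, (void *)handle_request_fixed) != 0) {
        printf("patch failed\n");
        return 1;
    }
    printf("after patch:  %d bytes\n",
           run_request("this input is much longer than sixteen bytes"));
    return 0;
}
```

Because the branch replaces the original prologue, the vulnerable routine can no longer be entered at all; removing the trampoline (for instance when an aggregate vendor patch supersedes the individual in-memory patch, as [0007] describes) means restoring the saved original bytes under the same pause/write/flush discipline. On x86-64 the routine's first 5 bytes may straddle a page boundary, which is why the mprotect range is computed from the last patched byte rather than assumed to be one page.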