WO2020110053 - MALICIOUS CODE PROTECTION FOR COMPUTER SYSTEMS BASED ON SYSTEM CALL TABLE MODIFICATION AND RUNTIME APPLICATION PATCHING

Publication Number WO/2020/110053
Publication Date 04.06.2020
International Application No. PCT/IB2019/060262
International Filing Date 27.11.2019
IPC
G06F 21/54 (2013.01)
  G            PHYSICS
  G06          COMPUTING; CALCULATING OR COUNTING
  G06F         ELECTRIC DIGITAL DATA PROCESSING
  G06F 21/00   Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  G06F 21/50   Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
  G06F 21/52   during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure
  G06F 21/54   by adding security routines or objects to programs
G06F 21/56 (2013.01)
  G            PHYSICS
  G06          COMPUTING; CALCULATING OR COUNTING
  G06F         ELECTRIC DIGITAL DATA PROCESSING
  G06F 21/00   Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  G06F 21/50   Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
  G06F 21/55   Detecting local intrusion or implementing counter-measures
  G06F 21/56   Computer malware detection or handling, e.g. anti-virus arrangements
CPC
G06F 21/54
  G            PHYSICS
  G06          COMPUTING; CALCULATING; COUNTING
  G06F         ELECTRIC DIGITAL DATA PROCESSING
  G06F 21/00   Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  G06F 21/50   Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
  G06F 21/52   during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
  G06F 21/54   by adding security routines or objects to programs
G06F 21/566
  G            PHYSICS
  G06          COMPUTING; CALCULATING; COUNTING
  G06F         ELECTRIC DIGITAL DATA PROCESSING
  G06F 21/00   Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  G06F 21/50   Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
  G06F 21/55   Detecting local intrusion or implementing counter-measures
  G06F 21/56   Computer malware detection or handling, e.g. anti-virus arrangements
  G06F 21/566  Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
Applicants
  • MORPHISEC INFORMATION SECURITY 2014 LTD. [IL]/[IL]
  • TSECHANSKI, Nathaniel [IL]/[US]
  • GORELIK, Michael [IL]/[US]
  • GURI, Mordechai [IL]/[IL]
Inventors
  • TSECHANSKI, Nathaniel
  • GORELIK, Michael
  • GURI, Mordechai
Priority Data
62/773,706  30.11.2018  US
Publication Language English (EN)
Filing Language English (EN)
Designated States
Title
(EN) MALICIOUS CODE PROTECTION FOR COMPUTER SYSTEMS BASED ON SYSTEM CALL TABLE MODIFICATION AND RUNTIME APPLICATION PATCHING
Abstract
(EN)
Techniques are provided for neutralizing attacks by malicious code on a computer system. In an embodiment, this is achieved by modifying certain aspects of an operating system. For example, the system call table, which stores pointers to system functions, is duplicated to create a shadow system call table. The original table is then filled with traps, so that any process which accesses it is neutralized, whereas processes that access the shadow system call table execute normally. To let valid applications operate with the shadow system call table, the index numbers corresponding to the different system functions are randomized in the system library that issues calls to those functions. Valid applications may be patched to reference the randomized index numbers, whereas malicious processes continue to reference the original, non-randomized index numbers and therefore land on the traps.
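The mechanism described in the abstract, as an added user-space model written for this page; it is not the patent's implementation and not Morphisec's code. Modelling assumptions: the trapped original numbers and the shadow table sit in one dispatch array (original numbers in the low half, shadow copies in the high half), the randomized index numbers are a permutation of the shadow slots drawn from a small deterministic PRNG, a trap simply fails the call and counts the hit, and the "system library" is a pair of wrapper functions that have been patched to use the randomized numbers. Every function, variable and system-call stand-in below is invented for the example.

```c
#include <stdint.h>
#include <stdio.h>

#define NR_SYSCALLS 4
typedef long (*sys_fn)(long a, long b);

/* Constructed stand-ins for kernel system functions (not real kernel code). */
static long model_read(long fd, long n)        { (void)fd; return n; }                 /* pretend n bytes read */
static long model_write(long fd, long n)       { (void)fd; return n; }                 /* pretend n bytes written */
static long model_open(long flags, long mode)  { (void)flags; (void)mode; return 3; }  /* first free fd */
static long model_exit(long code, long unused) { (void)unused; return code; }

/* The trap that replaces every entry of the original table. It neutralizes the
 * caller (here: fails the call) and counts hits so a detector can act on them. */
static long trap_hits = 0;
static long sys_trap(long a, long b) { (void)a; (void)b; trap_hits++; return -1; }

/* Dispatch table as the modified kernel would see it (modelling assumption):
 * slots [0, NR_SYSCALLS) carry the original, well-known numbers and now all
 * point at the trap; slots [NR_SYSCALLS, 2*NR_SYSCALLS) are the shadow table,
 * reachable only through the randomized numbers handed to patched code. */
static sys_fn dispatch[2 * NR_SYSCALLS];
static long randomized_nr[NR_SYSCALLS];   /* original number -> randomized number */

/* Tiny LCG so the example is reproducible; a real deployment would draw the
 * permutation from a CSPRNG at boot (assumption, not taken from the patent). */
static uint32_t prng_state;
static uint32_t prng_next(void) { prng_state = prng_state * 1664525u + 1013904223u; return prng_state >> 8; }

/* Duplicate the table into the shadow slots and randomize the index numbers. */
void install_shadow_table(uint32_t seed) {
    static const sys_fn original[NR_SYSCALLS] = { model_read, model_write, model_open, model_exit };
    long slot[NR_SYSCALLS];
    int i;
    prng_state = seed;
    for (i = 0; i < NR_SYSCALLS; i++) slot[i] = NR_SYSCALLS + i;
    for (i = NR_SYSCALLS - 1; i > 0; i--) {                 /* Fisher-Yates shuffle */
        int j = (int)(prng_next() % (uint32_t)(i + 1));
        long t = slot[i]; slot[i] = slot[j]; slot[j] = t;
    }
    for (i = 0; i < NR_SYSCALLS; i++) {
        dispatch[i]       = sys_trap;      /* original table: every entry trapped */
        dispatch[slot[i]] = original[i];   /* shadow table: real function at a randomized index */
        randomized_nr[i]  = slot[i];
    }
    trap_hits = 0;
}

/* The single kernel entry point: every caller arrives here with a number. */
long do_syscall(long nr, long a, long b) {
    if (nr < 0 || nr >= 2 * NR_SYSCALLS) return -1;   /* unknown number, no table hit */
    return dispatch[nr](a, b);
}

/* Original (non-randomized) numbers, as malware and unpatched binaries know them. */
enum { NR_READ = 0, NR_WRITE = 1, NR_OPEN = 2, NR_EXIT = 3 };

/* Patched "system library" wrappers: rewritten to use the randomized numbers. */
long lib_write(long fd, long n)      { return do_syscall(randomized_nr[NR_WRITE], fd, n); }
long lib_open(long flags, long mode) { return do_syscall(randomized_nr[NR_OPEN], flags, mode); }

/* Code that bypasses the patched library, e.g. shellcode issuing a raw syscall
 * instruction with the public number: it lands on the trapped original table. */
long unpatched_direct_write(long fd, long n) { return do_syscall(NR_WRITE, fd, n); }

long trap_count(void) { return trap_hits; }

/* Sanity check: randomized numbers are distinct and all lie in the shadow range. */
int randomized_numbers_valid(void) {
    int i, j;
    for (i = 0; i < NR_SYSCALLS; i++) {
        if (randomized_nr[i] < NR_SYSCALLS || randomized_nr[i] >= 2 * NR_SYSCALLS) return 0;
        for (j = i + 1; j < NR_SYSCALLS; j++)
            if (randomized_nr[i] == randomized_nr[j]) return 0;
    }
    return 1;
}

int main(void) {
    long r;
    install_shadow_table(0xC0FFEEu);
    r = lib_write(1, 42);
    printf("patched app write(1, 42)    -> %ld, traps so far: %ld\n", r, trap_count());
    r = unpatched_direct_write(1, 42);
    printf("raw syscall %d write(1, 42) -> %ld, traps so far: %ld\n", NR_WRITE, r, trap_count());
    return 0;
}
```

Build with `cc -Wall shadow_table.c -o shadow_table` (file name assumed). The model makes two practical points visible: anything that bypasses the patched wrappers, including legitimate software that issues raw system calls, lands on the trap and must itself be patched to keep working; and the randomized numbers held in the patched library are the secret on which the scheme rests, so code that can read them out of a patched process regains a working path into the shadow table.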
Latest bibliographic data on file with the International Bureau