Data processor
US-2017091125-A1 · Mar 30, 2017 · US
Memory Space Protection
US2018074976A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2018074976-A1 |
| Application number | US-201715638114-A |
| Country | US |
| Kind code | A1 |
| Filing date | Jun 29, 2017 |
| Priority date | Sep 9, 2016 |
| Publication date | Mar 15, 2018 |
| Grant date | — |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
Executable memory space is protected by receiving, from a process, a request to configure a portion of memory with a memory protection attribute that allows the process to perform at least one memory operation on the portion of the memory. Thereafter, the request is responded to with a grant, configuring the portion of memory with a different memory protection attribute than the requested memory protection attribute. The different memory protection attribute restricting the at least one memory operation from being performed by the process on the portion of the memory. In addition, it is detected when the process attempts, in accordance with the grant, the at least one memory operation at the configured portion of memory. Related systems and articles of manufacture, including computer program products, are also disclosed.
First claim
Opening claim text (preview).
1 . A system, comprising: at least one processor; and at least one memory including program code which when executed by the at least one processor provides operations comprising: receiving, from a process, a request to configure a portion of memory with a memory protection attribute that allows the process to perform a memory operation on the portion of the memory; responding to the request with a grant; configuring the portion of memory with a reduced memory protection attribute that prohibits, contrary to the requested memory protection attribute, the memory operation from being performed by the process on the portion of the memory; and detecting when the process violates the reduced memory protection attribute by at least attempting, in accordance with the grant, the memory operation prohibited by the reduced memory protection attribute. 2 . The system of claim 1 , wherein the requested memory protection attribute allows the process to read, write, and execute at the portion of memory. 3 . The system of claim 2 , wherein the reduced memory protection attribute prohibits the process from executing at the portion of memory but allows the process to read and write at the portion of memory. 4 . The system of claim 3 , wherein the process violates the reduced memory protection attribute by at least attempting to execute at the portion of the memory. 5 . The system of claim 4 , further comprising: in response to detecting that the process violated the reduced memory protection attribute by at least attempting to execute at the portion of the memory, determining whether one or more instructions previously written by the process to the portion of memory are malicious or benign. 6 . The system of claim 5 , wherein the determining comprises performing a scan of the portion of memory. 7 . The system of claim 5 , further comprising: modifying the reduced memory protection attribute to prohibit the process from writing at the portion of memory but to allow the process to read and execute from the portion of memory, when the one or more instructions previously written by the process to the portion of memory are determined to be benign; and detecting when the process violates the reduced memory protection attribute by at least attempting to write at the portion of the memory. 8 . The system of claim 7 , wherein the attempt to write at the portion of the memory results from executing the one or more instructions previously written by the process to the portion of memory. 9 . The system of claim 8 , wherein the process exhibits self-modifying behavior when the execution of the one or more instructions previously written by the process to the portion of memory results in the attempt to write at the portion of the memory. 10 . The system of claim 9 , further comprising: in response to detecting that the process has violated the reduced memory protection attribute by at least attempting to write at the portion of the memory, emulating the one or more instructions previously written by the process to the portion of memory. 11 . The system of claim 10 , wherein the emulating of the one or more instructions includes: modifying the reduced memory protection attribute to allow the process to write at the portion of memory, the allowance enabling the process to generate a different instruction stream at the portion of memory; and determining whether the different instruction stream is malicious or benign. 12 . The system of claim 11 , further comprising: modifying the reduced memory protection attribute to allow the process to read and execute at the portion of memory but to prohibit the process from writing at the portion of memory, when the different instruction stream is determined to be benign. 13 . The system of claim 11 , further comprising: terminating the process, when the different instruction stream is determined to be malicious. 14 . The system of claim 1 , wherein the request comprises a request to allocate the portion of memory with the requested memory protection attribute or a request to modify an existing memory protection attribute of the portion of memory to the requested memory protection attribute. 15 . The system of claim 1 , wherein the request is sent from the process to an operating system, and wherein the receiving of the request comprises intercepting the request sent from the process. 16 . The system of claim 15 , wherein configuring the portion of the memory with the reduced memory protection attribute includes sending, to the operating system, a different request to configure the portion of memory with the reduced memory protection, the different request being sent to the operating system instead of the intercepted request. 17 . The system of claim 15 , wherein the detecting comprises detecting a fault generated at the operating system, the fault indicating that the process violated the reduced memory protection attribute by at least attempting the memory operation prohibited by the reduced memory protection attribute. 18 . A method, comprising: receiving, from a process, a request to configure a portion of memory with a memory protection attribute that allows the process to perform a memory operation on the portion of the memory; responding to the request with a grant; configuring the portion of memory with a reduced memory protection attribute that prohibits, contrary to the requested memory protection attribute, the memory operation from being performed by the process on the portion of the memory; and detecting when the process violates the reduced memory protection attribute by at least attempting, in accordance with the grant, the memory operation prohibited by the reduced memory protection attribute. 19 . The method of claim 18 , wherein the requested memory protection attribute allows the process to read, write, and execute at the portion of memory. 20 . The method of claim 19 , wherein the reduced memory protection attribute prohibits the process from executing at the portion of memory but allows the process to read and write at the portion of memory. 21 . The method of claim 20 , wherein the process violates the reduced memory protection attribute by at least attempting to execute at the portion of the memory. 22 . The method of claim 21 , further comprising: in response to detecting that the process violated the reduced memory protection attribute by at least attempting to execute at the portion of the memory, determining whether one or more instructions previously written by the process to the portion of memory are malicious or benign. 23 . The method of claim 22 , wherein the determining comprises performing a scan of the portion of memory. 24 . The method of claim 22 , further comprising: modifying the reduced memory protection attribute to prohibit the process from writing at the portion of memory but to allow the process to read and execute from the portion of memory, when the one or more instructions previously written by the process to the portion of memory are determined to be benign; and detecting when the process violates the reduced memory protection attribute by at least attempting to write at the portion of the memory. 25 . The method of claim 24 , wherein the attempt to write at the portion of the memory results from executing the one or more instructions previously written by the process to the portion of memory.
Assignees
Inventors
Classifications
- G06F12/1441Primary
for a range · CPC title
the protection being physical, e.g. cell, word, block · CPC title
at program execution time, where the protection is within the operating system · CPC title
Security improvement · CPC title
in semiconductor storage media, e.g. directly-addressable memories · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US2018074976A1 cover?
- Executable memory space is protected by receiving, from a process, a request to configure a portion of memory with a memory protection attribute that allows the process to perform at least one memory operation on the portion of the memory. Thereafter, the request is responded to with a grant, configuring the portion of memory with a different memory protection attribute than the requested memor…
- Who is the assignee on this patent?
- Cylance Inc
- What technology area does this patent fall under?
- Primary CPC classification G06F12/1441. Mapped technology areas include Physics.
- When was this patent published?
- Publication date Thu Mar 15 2018 00:00:00 GMT+0000 (Coordinated Universal Time) (A1). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 7 related publications on this page (citations in our corpus or others sharing the same primary CPC).