Abstract: A system, method and media are shown for emulating potentially malicious code involving emulating a first ring of an operating system, emulating a second ring of the operating system, where the second ring has greater access to system resources than the first ring and where the first and second rings are separately emulated, executing a code payload in the emulated first ring, checking the behavior of the executing code payload for suspect behavior, and identifying the code payload as malicious code if suspect behavior is detected. Some examples emulate the second ring by operating system or microarchitecture functionality such that the second ring emulation returns results to the executing code payload, but does not actually perform the functionality in a host platform. Some examples execute the code payload in the emulated first shell at one or more offsets.

Abstract: Examples of systems, methods and media are shown for iteratively emulating potentially malicious code involving, for each offset of a microarchitecture for the code, emulating a first ring of an operating system, executing a segment of code in the emulated first ring, checking the behavior of the executing code for suspect behavior, and identifying the executing code as malicious code if suspect behavior is detected. Some examples include emulating a second ring of the operating system having a higher level of privilege than the first ring, such that the second ring emulation returns results to the executing code segment, but does not actually perform the functionality in a host platform.

Abstract: Systems and methods are shown for detecting potential attacks on a domain, where one or more servers, in response to a failure event, obtain a lambda value from a baseline model of historical data associated with a current time interval corresponding to the failure event, determine a probability of whether a total count of failure events for the current time interval is within an expected range using a cumulative density function based on the lambda value, and identify a possible malicious attack if the probability is less than or equal to a selected alpha value.

Abstract: Methods, systems and media are shown for detecting omnientrant code segments to identify potential malicious code involving, for each offset of a code segment, disassembling the code segment from the offset, determining whether the disassembled code is executable, and incrementing an offset execution value. This approach also involves checking whether the offset execution value exceeds an alert threshold value and generating a malicious code alert for the code segment if the offset execution value exceeds the alert threshold value. Some examples further involve, for each executable offset, identifying a final execution address of the offset, comparing the final execution addresses of the offsets for the code segment, and generating the malicious code alert for the code segment if a proportion of the executable offsets have a common value for the final execution address exceeds a frequency threshold.

Abstract: Systems, methods and media are shown for detecting a stack pivot programming exploit that involve extracting return addresses from a call stack from a snapshot of a running program and, for each extracted return address, identifying a stack frame and following frame from stack pointer information, checking whether the stack is consistent with the type of stack generated by the operating system and architecture conventions, and alerting that a stack pivot is likely if an anomaly in stack layout is found. Some examples involve determining whether the stack frame and following frame follow consistently in one of ascending or descending addresses. Some examples involve, given a consistent directional polarity and metadata about the directional polarity of the stack specified by one of the microarchitecture, operating system, software, or other configuration, determining whether the observed directional polarity corresponds to the expected directional polarity.

Abstract: Methods are disclosed for improving security of computer software and preventing potential attackers from gaining control of computer software via function pointer overwrite attacks. One or more additional layers of complexity may be imposed that would have to be circumvented in order to gain execution control over portions of software. One or more function pointers can be encoded using a value that may be generated on program initialization and decoded before any dynamic function call occurs. In the event of memory corruption that affects an encoded function pointer, the value will cause the destination of the function pointer to decode to an invalid and random address and will induce an error. An application may be prevented from calling an attacker corrupted function pointer by introducing various checks around the call point at compile time that check the validity of the destination to which the function pointer points.

Abstract: Methods are disclosed for improving security of computer software and preventing potential attackers from gaining control of computer software via function pointer overwrite attacks. One or more additional layers of complexity may be imposed that would have to be circumvented in order to gain execution control over portions of software. One or more function pointers can be encoded using a value that may be generated on program initialization and decoded before any dynamic function call occurs. In the event of memory corruption that affects an encoded function pointer, the value will cause the destination of the function pointer to decode to an invalid and random address and will induce an error. An application may be prevented from calling an attacker corrupted function pointer by introducing various checks around the call point at compile time that check the validity of the destination to which the function pointer points.