Abstract: A method, computer program product, and computer system are provided. A processor receives an executable file for execution by an operating system, where the executable file includes a plurality of sections in a first order. A processor determines a second order that indicates a loading order for the plurality of sections, where the second order is distinct from the first order. A processor loads the plurality of sections of the executable file into a plurality of locations in memory of a device based on the second order. A processor resolves one or more memory references for the plurality of sections based on the plurality of locations in memory. A processor executes the plurality of sections of the executable file in the plurality of locations in memory.

Abstract: Input is received during runtime of a program. The input is a return instruction address of a called function and a return target address of the program. A determination is made whether the instruction immediately prior to the return target address is a call to the called function. If the instruction immediately prior to the return target address is not a call to the called function, a notification is transmitted that return-oriented programming is suspected.

Abstract: Mitigating return-oriented programming attacks. From program code and associated components needed by the program code for execution, machine language instruction sequences that may be combined and executed as malicious code are selected. A predetermined number of additional copies of each of the selected machine language instruction sequences are made, and the additional copies are marked as non-executable. The machine language instruction sequences and the non-executable copies are distributed in memory. If a process attempts to execute a machine language instruction sequence that has been marked non-executable, the computer may initiate protective action.

Abstract: Input is received during runtime of a program. The input is a return instruction address of a called function and a return target address of the program. A determination is made whether the instruction immediately prior to the return target address is a call to the called function. If the instruction immediately prior to the return target address is not a call to the called function, a notification is transmitted that return-oriented programming is suspected.

Abstract: A method, computer program product, and computer system are provided. A processor receives an executable file for execution by an operating system, where the executable file includes a plurality of sections in a first order. A processor determines a second order that indicates a loading order for the plurality of sections, where the second order is distinct from the first order. A processor loads the plurality of sections of the executable file into a plurality of locations in memory of a device based on the second order. A processor resolves one or more memory references for the plurality of sections based on the plurality of locations in memory. A processor executes the plurality of sections of the executable file in the plurality of locations in memory.

Abstract: Mitigating return-oriented programming (ROP) attacks. Program code and associated components are received and loaded into memory. From the program code and associated components, a predetermined number of sequences of machine language instructions that terminate in a return instruction are selected. The sequences of machine language instructions include: machine language instruction sequences that are equivalent to a conditional statement “if-then-else return,” sequences of machine language instructions corresponding to known malicious code sequences, and sequences of machine language instructions corresponding to machine language instructions in known toolkits for assembling malicious code sequences.

Abstract: Mitigating return-oriented programming attacks. Program code and associated components are received and loaded into memory. From the program code and associated components, a predetermined number of sequences of machine language instructions that terminate in a return instruction are selected. The sequences of machine language instructions include: machine language instruction sequences that are equivalent to a conditional statement “if-then-else return,” sequences of machine language instructions corresponding to known malicious code sequences, and sequences of machine language instructions corresponding to machine language instructions in known toolkits for assembling malicious code sequences.

Abstract: Mitigating return-oriented programming attacks. From program code and associated components needed by the program code for execution, machine language instruction sequences that may be combined and executed as malicious code are selected. A predetermined number of additional copies of each of the selected machine language instruction sequences are made, and the additional copies are marked as non-executable. The machine language instruction sequences and the non-executable copies are distributed in memory. If a process attempts to execute a machine language instruction sequence that has been marked non-executable, the computer may initiate protective action.

Abstract: Mitigating return-oriented programming (ROP) attacks. Program code and associated components are received and loaded into memory. From the program code and associated components, a predetermined number of sequences of machine language instructions that terminate in a return instruction are selected. The sequences of machine language instructions include: machine language instruction sequences that are equivalent to a conditional statement “if-then-else return,” sequences of machine language instructions corresponding to known malicious code sequences, and sequences of machine language instructions corresponding to machine language instructions in known toolkits for assembling malicious code sequences.

Abstract: Mitigating return-oriented programming attacks. Program code and associated components are received and loaded into memory. From the program code and associated components, a predetermined number of sequences of machine language instructions that terminate in a return instruction are selected. The sequences of machine language instructions include: machine language instruction sequences that are equivalent to a conditional statement “if-then-else return,” sequences of machine language instructions corresponding to known malicious code sequences, and sequences of machine language instructions corresponding to machine language instructions in known toolkits for assembling malicious code sequences.

Abstract: Mitigating return-oriented programming attacks. From program code and associated components needed by the program code for execution, machine language instruction sequences that may be combined and executed as malicious code are selected. A predetermined number of additional copies of each of the selected machine language instruction sequences are made, and the additional copies are marked as non-executable. The machine language instruction sequences and the non-executable copies are distributed in memory. If a process attempts to execute a machine language instruction sequence that has been marked non-executable, the computer may initiate protective action.

Abstract: A method for identifying trends in system faults. During a generating stage, monitoring via a software based performance monitoring unit, a state of a server on a network and generating hardware or software performance information which indicate system faults of the server. During an analysis stage including, creating a dataset from the hardware or software performance information and isolating events from the dataset and categorizing each of the isolated events into a type, each type representing one application program call return. For each event in the dataset, assigning a trend score which decays with time such that recent events receive greater weight in the assigning than less recent events. Finally, performing one or more of: outputting a notification of the trend score, utilizing an optimization unit or triggering operation of a fault system handler for the event, when the trend score is above a threshold.

Abstract: A method for identifying trends in system faults. During a generating stage, monitoring via a software based performance monitoring unit, a state of a server on a network and generating hardware or software performance information which indicate system faults of the server. During an analysis stage including, creating a dataset from the hardware or software performance information and isolating events from the dataset and categorizing each of the isolated events into a type, each type representing one application program call return. For each event in the dataset, assigning a trend score which decays with time such that recent events receive greater weight in the assigning than less recent events. Finally, performing one or more of: outputting a notification of the trend score, utilizing an optimization unit or triggering operation of a fault system handler for the event, when the trend score is above a threshold.