Abstract: A system, method and media are shown for emulating potentially malicious code involving emulating a first ring of an operating system, emulating a second ring of the operating system, where the second ring has greater access to system resources than the first ring and where the first and second rings are separately emulated, executing a code payload in the emulated first ring, checking the behavior of the executing code payload for suspect behavior, and identifying the code payload as malicious code if suspect behavior is detected. Some examples emulate the second ring by operating system or microarchitecture functionality such that the second ring emulation returns results to the executing code payload, but does not actually perform the functionality in a host platform. Some examples execute the code payload in the emulated first shell at one or more offsets.

Abstract: Examples of systems, methods and media are shown for iteratively emulating potentially malicious code involving, for each offset of a microarchitecture for the code, emulating a first ring of an operating system, executing a segment of code in the emulated first ring, checking the behavior of the executing code for suspect behavior, and identifying the executing code as malicious code if suspect behavior is detected. Some examples include emulating a second ring of the operating system having a higher level of privilege than the first ring, such that the second ring emulation returns results to the executing code segment, but does not actually perform the functionality in a host platform.

Abstract: Methods, systems and media are shown for detecting omnientrant code segments to identify potential malicious code involving, for each offset of a code segment, disassembling the code segment from the offset, determining whether the disassembled code is executable, and incrementing an offset execution value. This approach also involves checking whether the offset execution value exceeds an alert threshold value and generating a malicious code alert for the code segment if the offset execution value exceeds the alert threshold value. Some examples further involve, for each executable offset, identifying a final execution address of the offset, comparing the final execution addresses of the offsets for the code segment, and generating the malicious code alert for the code segment if a proportion of the executable offsets have a common value for the final execution address exceeds a frequency threshold.

Abstract: Methods are disclosed for improving security of computer software and preventing potential attackers from gaining control of computer software via function pointer overwrite attacks. One or more additional layers of complexity may be imposed that would have to be circumvented in order to gain execution control over portions of software. One or more function pointers can be encoded using a value that may be generated on program initialization and decoded before any dynamic function call occurs. In the event of memory corruption that affects an encoded function pointer, the value will cause the destination of the function pointer to decode to an invalid and random address and will induce an error. An application may be prevented from calling an attacker corrupted function pointer by introducing various checks around the call point at compile time that check the validity of the destination to which the function pointer points.