Patents by Inventor JOE EPSTEIN
JOE EPSTEIN has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 9832226
Abstract: In an embodiment, a data processing method comprises receiving a first instance of computer program data at a security unit having one or more processors; executing the first instance of the computer program data in a monitored environment; observing and recording identification information for each of a plurality of functions called by the first instance of the computer program data; sending the identification information to one or more security enforcement endpoints over a computer network; and generating one or more instructions describing security protections to implement for function calls not included in the identification information in a second instance of the computer program data, and sending the instructions to one or more security enforcement endpoints over a computer network.
Type: Grant
Filed: January 14, 2015
Date of Patent: November 28, 2017
Assignee: Cisco Technology, Inc.
Inventor: Joe Epstein
-
Patent number: 9747172
Abstract: In an embodiment, a data processing method comprises: in a computer executing a supervisor program, the supervisor program establishing different memory access permissions comprising any combination of read, write, and execute permissions for one or more different regions of memory of a first domain, receiving a request from a process to execute a particular memory page of the regions of memory, the particular memory page comprising a memory access permission set to read-writeable or read-only, throwing an execute fault for the particular memory page, performing one or more responsive actions to restore execution access or content of the particular memory page, and after performing the one or more responsive actions, setting the memory access permission to execute only.
Type: Grant
Filed: December 31, 2015
Date of Patent: August 29, 2017
Assignee: Cisco Technology, Inc.
Inventor: Joe Epstein
-
Publication number: 20160117229
Abstract: In an embodiment, a data processing method comprises: in a computer executing a supervisor program, the supervisor program establishing different memory access permissions comprising any combination of read, write, and execute permissions for one or more different regions of memory of a first domain, receiving a request from a process to execute a particular memory page of the regions of memory, the particular memory page comprising a memory access permission set to read-writeable or read-only, throwing an execute fault for the particular memory page, performing one or more responsive actions to restore execution access or content of the particular memory page, and after performing the one or more responsive actions, setting the memory access permission to execute only.
Type: Application
Filed: December 31, 2015
Publication date: April 28, 2016
Inventor: Joe Epstein
-
Patent number: 9256552
Abstract: In an embodiment, a data processing method comprises, in a computer executing a supervisor program: the supervisor program establishing a plurality of different memory access permissions comprising any combination of read, write, and execute permissions for one or more different regions of memory of a first domain; setting the memory access permissions of a first set of the regions of memory to execute only; in response to a request from a process to read or write a particular region of memory in the first set, performing one or more responsive actions that prevent the process from reading or modifying one or more instructions or one or more embedded immediate values of the particular region of memory. Embodiments provide selective access to executable memory.
Type: Grant
Filed: November 21, 2012
Date of Patent: February 9, 2016
Assignee: Cisco Technology, Inc.
Inventor: Joe Epstein
-
Patent number: 9229881
Abstract: In an embodiment, a data processing method comprises implementing a memory event interface to a hypercall interface of a hypervisor or virtual machine operating system to intercept page faults associated with writing pages of memory that contain a computer program; receiving a page fault resulting from a guest domain attempting to write a memory page that is marked as not executable in a memory page permissions system; determining a first set of memory page permissions for the memory page that are maintained by the hypervisor or virtual machine operating system; determining a second set of memory page permissions for the memory page that are maintained independent of the hypervisor or virtual machine operating system; determining a particular memory page permission for the memory page based on the first set and the second set; processing the page fault based on the particular memory page permission, including performing at least one security function associated with regulating access of the guest domain to th
Type: Grant
Filed: May 27, 2015
Date of Patent: January 5, 2016
Assignee: Cisco Technology, Inc.
Inventor: Joe Epstein
-
Patent number: 9147070
Abstract: In one embodiment, methods are described to provide a binary translation and randomization system. Relocation metadata is received, which comprises, for each of a plurality of execution units in an executable file, a mapping from the executable file into an address space range. For at least one of the plurality of execution units, the mapping is modified to replace instructions within the address space range with a relocated copy of the instructions at a randomly located address space range. An order of the plurality of execution units may thus be modified. An image is generated from the executable file using the relocation metadata, and an execution of the image is caused. The randomization may be carried out in two passes to provide executable files that are uniquely randomized for each computer and for each execution.
Type: Grant
Filed: August 12, 2013
Date of Patent: September 29, 2015
Assignee: Cisco Technology, Inc.
Inventors: Maksim Panchenko, Joe Epstein, Jan Civlin
-
Publication number: 20150261690
Abstract: In an embodiment, a data processing method comprises implementing a memory event interface to a hypercall interface of a hypervisor or virtual machine operating system to intercept page faults associated with writing pages of memory that contain a computer program; receiving a page fault resulting from a guest domain attempting to write a memory page that is marked as not executable in a memory page permissions system; determining a first set of memory page permissions for the memory page that are maintained by the hypervisor or virtual machine operating system; determining a second set of memory page permissions for the memory page that are maintained independent of the hypervisor or virtual machine operating system; determining a particular memory page permission for the memory page based on the first set and the second set; processing the page fault based on the particular memory page permission, including performing at least one security function associated with regulating access of the guest domain to th
Type: Application
Filed: May 27, 2015
Publication date: September 17, 2015
Inventor: Joe Epstein
-
Patent number: 9063899
Abstract: In an embodiment, a data processing method comprises implementing a memory event interface to a hypercall interface of a hypervisor or virtual machine operating system to intercept page faults associated with writing pages of memory that contain a computer program; receiving a page fault resulting from a guest domain attempting to write a memory page that is marked as not executable in a memory page permissions system; determining a first set of memory page permissions for the memory page that are maintained by the hypervisor or virtual machine operating system; determining a second set of memory page permissions for the memory page that are maintained independent of the hypervisor or virtual machine operating system; determining a particular memory page permission for the memory page based on the first set and the second set; processing the page fault based on the particular memory page permission, including performing at least one security function associated with regulating access of the guest domain to th
Type: Grant
Filed: October 3, 2012
Date of Patent: June 23, 2015
Assignee: Cisco Technology, Inc.
Inventor: Joe Epstein
-
Publication number: 20150163248
Abstract: In an embodiment, a data processing method comprises receiving a first instance of computer program data at a security unit having one or more processors; executing the first instance of the computer program data in a monitored environment; observing and recording identification information for each of a plurality of functions called by the first instance of the computer program data; sending the identification information to one or more security enforcement endpoints over a computer network; and generating one or more instructions describing security protections to implement for function calls not included in the identification information in a second instance of the computer program data, and sending the instructions to one or more security enforcement endpoints over a computer network.
Type: Application
Filed: January 14, 2015
Publication date: June 11, 2015
Inventor: Joe Epstein
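The learn-then-enforce scheme claimed in 9832226 and its application 20150163248 (observe which functions a first instance calls in a monitored run, then apply protections to any call outside that set in a second instance) can be sketched in user space with Python's profiling hook. The code below is an added illustration, not Cisco's or the patents' implementation: the workload (`program`, `parse_record`, `render`, `shell_out`), the benign and hostile inputs, and the use of `sys.setprofile` as the "monitored environment" are all constructed for the example, and the only protection implemented for an unobserved call is to block it before it runs.

```python
import sys
from typing import Callable, Dict, FrozenSet, Set

# Constructed sample workload. Only the parse/render path is exercised by the
# benign input used for learning; shell_out is reachable but never observed.
def parse_record(rec: str) -> Dict[str, str]:
    key, _, value = rec.partition("=")
    return {"key": key.strip(), "value": value.strip()}

def render(record: Dict[str, str]) -> str:
    return f"{record['key']}:{record['value']}"

def shell_out(cmd: str) -> str:
    # Stands in for a dangerous sink; never reached by the benign workload.
    return f"would execute {cmd}"

def program(inputs):
    out = []
    for rec in inputs:
        record = parse_record(rec)
        if record["key"] == "cmd":
            out.append(shell_out(record["value"]))
        else:
            out.append(render(record))
    return out

def _ident(code) -> str:
    """Identification information for a function: file plus function name."""
    return f"{code.co_filename}:{code.co_name}"

def observe(run: Callable, *args) -> FrozenSet[str]:
    """First instance: execute under a profiler and record every Python-level call."""
    seen: Set[str] = set()

    def profiler(frame, event, arg):
        if event == "call":
            seen.add(_ident(frame.f_code))

    sys.setprofile(profiler)
    try:
        run(*args)
    finally:
        sys.setprofile(None)
    return frozenset(seen)

def unobserved_functions(candidates: Dict[str, Callable], allowed: FrozenSet[str]) -> Set[str]:
    """The 'instructions' step: name every known function the monitored run never called,
    i.e. the set that the enforcement endpoint must protect against."""
    return {name for name, fn in candidates.items() if _ident(fn.__code__) not in allowed}

class UnexpectedCall(RuntimeError):
    pass

def enforce(run: Callable, allowed: FrozenSet[str], *args):
    """Second instance: any call whose identifier was not observed is refused
    before its first instruction executes."""
    def profiler(frame, event, arg):
        if event == "call" and _ident(frame.f_code) not in allowed:
            raise UnexpectedCall(frame.f_code.co_name)

    sys.setprofile(profiler)
    try:
        return run(*args)
    finally:
        sys.setprofile(None)

def is_blocked(allowed: FrozenSet[str], inputs) -> bool:
    """Convenience wrapper: True if the second instance was stopped by the allowlist."""
    try:
        enforce(program, allowed, inputs)
    except UnexpectedCall:
        return True
    return False

if __name__ == "__main__":
    benign = ["user = alice", "role = admin"]           # constructed learning input
    allowed = observe(program, benign)
    print("never observed:", unobserved_functions(
        {"parse_record": parse_record, "render": render, "shell_out": shell_out}, allowed))
    print(enforce(program, allowed, benign))
    print("hostile input blocked:", is_blocked(allowed, ["cmd = rm -rf /"]))
```

The identifier is deliberately file-plus-name rather than a bare name, so two functions with the same name in different modules are not conflated. The obvious caveat, which the claims address by using a monitored first run, is that the allowlist is only as complete as the coverage of that run: a benign code path not exercised during learning will be refused in production exactly like a malicious one.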
-
Patent number: 8984478
Abstract: In an embodiment, a data processing method comprises obtaining access to computer program code; identifying a plurality of code segments in the computer program code; reorganizing the computer program code into reorganized code, by re-ordering the plurality of code segments into a new order that is potentially different than an original order of the plurality of code segments; wherein the new order is unpredictable based on the original order; rewriting one or more pointers of the reorganized code to point to new locations in the reorganized code consistent with the order of the reorganized code; wherein the method is performed by one or more computing devices.
Type: Grant
Filed: July 13, 2012
Date of Patent: March 17, 2015
Assignee: Cisco Technology, Inc.
Inventor: Joe Epstein
-
Patent number: 8959577
Abstract: In an embodiment, a data processing method comprises receiving computer program data at a security unit having one or more processors; implementing one or more security-related modifications to the computer program data, resulting in creating modified computer program data; executing the modified computer program data in a monitored environment; analyzing output from the modified computer program data and identifying one or more variances from an expected output; performing a responsive action selected from one or more of: disabling one or more security protections that have been implemented in the modified computer program data; reducing or increasing the stringency of one or more security protections that have been implemented in the modified computer program data; updating the security unit based on the variances.
Type: Grant
Filed: April 15, 2013
Date of Patent: February 17, 2015
Assignee: Cisco Technology, Inc.
Inventor: Joe Epstein
-
Publication number: 20150047049
Abstract: In one embodiment, methods are described to provide a binary translation and randomization system. Relocation metadata is received, which comprises, for each of a plurality of execution units in an executable file, a mapping from the executable file into an address space range. For at least one of the plurality of execution units, the mapping is modified to replace instructions within the address space range with a relocated copy of the instructions at a randomly located address space range. An order of the plurality of execution units may thus be modified. An image is generated from the executable file using the relocation metadata, and an execution of the image is caused. The randomization may be carried out in two passes to provide executable files that are uniquely randomized for each computer and for each execution.
Type: Application
Filed: August 12, 2013
Publication date: February 12, 2015
Applicant: Cisco Technology, Inc.
Inventors: Maksim Panchenko, Joe Epstein, Jan Civlin
-
Publication number: 20130276056
Abstract: In an embodiment, a data processing method comprises receiving computer program data at a security unit having one or more processors; implementing one or more security-related modifications to the computer program data, resulting in creating modified computer program data; executing the modified computer program data in a monitored environment; analyzing output from the modified computer program data and identifying one or more variances from an expected output; performing a responsive action selected from one or more of: disabling one or more security protections that have been implemented in the modified computer program data; reducing or increasing the stringency of one or more security protections that have been implemented in the modified computer program data; updating the security unit based on the variances.
Type: Application
Filed: April 15, 2013
Publication date: October 17, 2013
Applicant: Cisco Technology, Inc.
Inventor: Joe Epstein
-
Publication number: 20130086550
Abstract: In an embodiment, a data processing method comprises obtaining access to computer program code; identifying a plurality of code segments in the computer program code; reorganizing the computer program code into reorganized code, by re-ordering the plurality of code segments into a new order that is potentially different than an original order of the plurality of code segments; wherein the new order is unpredictable based on the original order; rewriting one or more pointers of the reorganized code to point to new locations in the reorganized code consistent with the order of the reorganized code; wherein the method is performed by one or more computing devices.
Type: Application
Filed: July 13, 2012
Publication date: April 4, 2013
Inventor: Joe Epstein
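The segment reordering with pointer rewriting claimed in 8984478 and 20130086550, and the relocation-metadata driven randomization of 9147070 and 20150047049, share one core mechanism: split the code into segments, place them in an unpredictable order, then fix up every absolute code pointer using a map from old to new addresses. The following is an added illustration of that mechanism on a constructed toy instruction set; it is not Cisco's or the patents' code. The ISA, the sample program, the `POINTER_OPERAND` relocation table and the seeded shuffle are all assumptions of the example. It also handles the edge case a real rewriter must: a segment that originally fell through into its successor gets an explicit jump, otherwise reordering would silently change control flow.

```python
import random
from typing import Dict, List, Tuple

# Toy ISA, one address unit per instruction:
#   ("set", reg, imm)  ("add", reg, reg)  ("dec", reg)
#   ("jnz", reg, addr) ("jmp", addr)      ("halt",)
Instr = Tuple

# Relocation metadata: which operand of an opcode is an absolute code address.
POINTER_OPERAND = {"jmp": 1, "jnz": 2}
UNCONDITIONAL = {"jmp", "halt"}        # opcodes after which no fall-through occurs

# Constructed sample program: sums 5+4+3+2+1 into r0.
PROGRAM: List[Instr] = [
    ("set", "r0", 0),
    ("set", "r1", 5),
    ("add", "r0", "r1"),     # address 2: loop head, target of the jnz
    ("dec", "r1"),
    ("jnz", "r1", 2),
    ("halt",),               # address 5: reached only by falling through the jnz
]

def execute(code: List[Instr], entry: int, max_steps: int = 10_000) -> Dict[str, int]:
    regs = {"r0": 0, "r1": 0}
    pc = entry
    for _ in range(max_steps):
        ins = code[pc]
        op = ins[0]
        if op == "set":
            regs[ins[1]] = ins[2]; pc += 1
        elif op == "add":
            regs[ins[1]] += regs[ins[2]]; pc += 1
        elif op == "dec":
            regs[ins[1]] -= 1; pc += 1
        elif op == "jnz":
            pc = ins[2] if regs[ins[1]] != 0 else pc + 1
        elif op == "jmp":
            pc = ins[1]
        elif op == "halt":
            return regs
        else:
            raise ValueError(op)
    raise RuntimeError("step limit exceeded")

def find_segments(code: List[Instr]) -> List[Tuple[int, int]]:
    """Identify segments: a leader is address 0, every jump target, and every
    instruction following a control transfer. Returns [start, end) ranges."""
    leaders = {0}
    for addr, ins in enumerate(code):
        idx = POINTER_OPERAND.get(ins[0])
        if idx is not None:
            leaders.add(ins[idx])
        if ins[0] in POINTER_OPERAND or ins[0] == "halt":
            if addr + 1 < len(code):
                leaders.add(addr + 1)
    starts = sorted(leaders)
    return list(zip(starts, starts[1:] + [len(code)]))

def reorder(code: List[Instr], seed: int) -> Tuple[List[Instr], int]:
    """Reorder segments unpredictably and rewrite pointers. Returns (new_code, new_entry)."""
    segments = find_segments(code)
    bodies = []
    for s, e in segments:
        body = list(code[s:e])
        # Edge case: a segment that fell through to its successor needs an explicit
        # jump to the successor's *old* address, which pass 2 relocates like any pointer.
        if body[-1][0] not in UNCONDITIONAL and e < len(code):
            body.append(("jmp", e))
        bodies.append((s, body))
    order = list(range(len(bodies)))
    random.Random(seed).shuffle(order)          # seed models the per-machine/per-run secret

    # Pass 1: lay out segments in the new order and map every old address to its new one.
    new_addr: Dict[int, int] = {}
    base = 0
    for i in order:
        s, body = bodies[i]
        for k in range(segments[i][1] - segments[i][0]):
            new_addr[s + k] = base + k
        base += len(body)

    # Pass 2: emit the reordered image, rewriting each pointer operand through the map.
    out: List[Instr] = []
    for i in order:
        for ins in bodies[i][1]:
            idx = POINTER_OPERAND.get(ins[0])
            if idx is not None:
                ins = ins[:idx] + (new_addr[ins[idx]],) + ins[idx + 1:]
            out.append(ins)
    return out, new_addr[0]

if __name__ == "__main__":
    baseline = execute(PROGRAM, 0)
    for seed in range(3):
        code, entry = reorder(PROGRAM, seed)
        assert execute(code, entry) == baseline
        print(f"seed {seed}: entry {entry}, layout {[i[0] for i in code]}")
```

Two points carry over to real binaries. The old-to-new address map only covers instructions that existed in the original, so every inserted trampoline must target an old address and be relocated in the second pass rather than computed directly. And every pointer that escapes the relocation table (a jump table entry, a return address saved on the stack, an address baked into data) will still point at the old layout, which is why the claims tie the rewrite to complete relocation metadata.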