Patents by Inventor Uri London

Uri London has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 7631356
    Abstract: A method and system for efficient foreign code detection is presented. In one aspect of the invention, an authentication module examines pages which are referenced by thread stacks in a process space, where the pages may contain foreign code. The module can walk up the thread stacks to examine return addresses that reference such pages. In another aspect, the module checks random pages referenced by the stack. In yet another aspect, the module checks any nearby suspicious pages to checked pages referenced by the stack. Additionally, the module checks the instruction pointer referenced page, the pages and calling code described by the page fault history, and any pages with event handling functions, dynamic link library functions, or other functions that are likely to run.
    Type: Grant
    Filed: April 8, 2005
    Date of Patent: December 8, 2009
    Assignee: Microsoft Corporation
    Inventors: Kristjan R. Hatlelid, Uri London, Vladimir A. Shubin
  • Patent number: 7607122
    Abstract: A mechanism is provided, where a post-build utility is used to store stack and call tree information within a section of an executable program or separate file. The stack information aids an authentication module during the execution of the program in walking up a stack in order to obtain return addresses on the stack. In one aspect of the invention, by comparing the return address sequence to the call tree sequence, which specifies the allowed function call sequence of the program, a determination can be made whether the program is executing (as evidenced by the stack) the way it should be executing (as required by the call tree). If the call tree sequence differs from the return address sequence, a suspicion is raised that a hacker is attempting to jump from foreign code into sensitive code of the program by changing the function calling sequence.
    Type: Grant
    Filed: June 17, 2005
    Date of Patent: October 20, 2009
    Assignee: Microsoft Corporation
    Inventors: Kristjan E. Hatlelid, Uri London, Vladimir A. Shubin
  • Patent number: 7426718
    Abstract: A method and system are provided that override constructors such that the constructors not only initialize objects but also provide notification about virtual pointers of the objects. This notification is provided to a list that stores which virtual pointers are created and where they are supposed to be pointing. By knowing the address of the virtual tables that the virtual pointers are supposed to be pointing to, a determination can be made whether the virtual tables are the correct virtual tables or whether they may be different virtual tables that have been substituted in by a hacker and that contain pointers to foreign code.
    Type: Grant
    Filed: March 21, 2005
    Date of Patent: September 16, 2008
    Assignee: Microsoft Corporation
    Inventors: Kristjan E. Hatlelid, Uri London, Vladimir A. Shubin
  • Publication number: 20060288342
    Abstract: A mechanism is provided, where a post-build utility is used to store stack and call tree information within a section of an executable program or separate file. The stack information aids an authentication module during the execution of the program in walking up a stack in order to obtain return addresses on the stack. In one aspect of the invention, by comparing the return address sequence to the call tree sequence, which specifies the allowed function call sequence of the program, a determination can be made whether the program is executing (as evidenced by the stack) the way it should be executing (as required by the call tree). If the call tree sequence differs from the return address sequence, a suspicion is raised that a hacker is attempting to jump from foreign code into sensitive code of the program by changing the function calling sequence.
    Type: Application
    Filed: June 17, 2005
    Publication date: December 21, 2006
    Applicant: Microsoft Corporation
    Inventors: Kristjan Hatlelid, Uri London, Vladimir Shubin
  • Publication number: 20060230388
    Abstract: A method and system for efficient foreign code detection is presented. In one aspect of the invention, an authentication module examines pages which are referenced by thread stacks in a process space, where the pages may contain foreign code. The module can walk up the thread stacks to examine return addresses that reference such pages. In another aspect, the module checks random pages referenced by the stack. In yet another aspect, the module checks any nearby suspicious pages to checked pages referenced by the stack. Additionally, the module checks the instruction pointer referenced page, the pages and calling code described by the page fault history, and any pages with event handling functions, dynamic link library functions, or other functions that are likely to run.
    Type: Application
    Filed: April 8, 2005
    Publication date: October 12, 2006
    Inventors: Kristjan Hatlelid, Uri London, Vladimir Shubin
  • Publication number: 20060212851
    Abstract: A method and system are provided that override constructors such that the constructors not only initialize objects but also provide notification about virtual pointers of the objects. This notification is provided to a list that stores which virtual pointers are created and where they are supposed to be pointing. By knowing the address of the virtual tables that the virtual pointers are supposed to be pointing to, a determination can be made whether the virtual tables are the correct virtual tables or whether they may be different virtual tables that have been substituted in by a hacker and that contain pointers to foreign code.
    Type: Application
    Filed: March 21, 2005
    Publication date: September 21, 2006
    Applicant: Microsoft Corporation
    Inventors: Kristjan Hatlelid, Uri London, Vladimir Shubin
  • Publication number: 20040060002
    Abstract: A schema-based Lists service for centralized access to per-user lists, wherein access to data is based on each user's identity. The Lists service includes a schema that defines rules and a structure for each user's data, and also includes methods that provide access to the data in a defined way. The Lists schema thus corresponds to a logical document containing the data for each user. The user manipulates (e.g., reads or writes) data in the logical document by data access requests through defined methods. In one implementation, the Lists schemas are arranged to provide XML documents, and the services provide methods that control access to the data based on the requesting user's identification, defined role and scope for that role. In this way, document data can be accessed by its owner, and shared to an extent determined by the owner.
    Type: Application
    Filed: September 12, 2002
    Publication date: March 25, 2004
    Applicant: MICROSOFT CORPORATION
    Inventors: Mark H. Lucovsky, Rhae-Christie Shaw, Uri London, Eyal Schwartz