Patents by Inventor Yitzhack DAVIDOVICH

Yitzhack DAVIDOVICH has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 12229245
    Abstract: A CFI system constituted of: at least one protection module, each comprising a respective allowable flow model associated with at least one of a plurality of portions of a process; and at least one process protection manager, arranged, responsive to a control flow instruction in one of the plurality of portions of the process, to: compare one or more parameters of the control flow instruction to the allowable flow model of the associated protection module; and responsive to an outcome of the comparison indicating that the compared parameters do not meet a respective parameter of the allowable flow model, generate a predetermined signal, wherein each protection module is implemented as a shared object, wherein each process protection manager is implemented as a shared object, and wherein the at least one protection module and the process protection manager are loaded into the process.
    Type: Grant
    Filed: January 27, 2021
    Date of Patent: February 18, 2025
    Assignee: C2A-SEC, LTD
    Inventors: Yitzhack Davidovich, Yoav Fuchs, Leonid Frenkel
  • Publication number: 20250013754
    Abstract: A risk determination method constituted of: receiving incident information associated with an item, the incident information comprising information regarding detected anomalous behavior in the item or information regarding a detected vulnerability in the item; based at least in part on the received incident information, identifying one or more attack steps of one or more attack paths, each of the one or more attack paths associated with a respective one of a plurality of assets contained within the item; and for each respective asset, adjusting one or more respective risk levels based at least in part on the identified one or more attack steps associated with the respective asset.
    Type: Application
    Filed: September 17, 2024
    Publication date: January 9, 2025
    Inventors: Yitzhack DAVIDOVICH, David MOR OFEK, Ze'ev SHALEV
  • Publication number: 20250005169
    Abstract: A security control method, constituted of: receiving risk analysis information comprising data regarding a plurality of threats, each of the plurality of threats associated with a respective asset; loading a control database comprising data regarding a plurality of security controls; for each of the plurality of threats, matching one or more of the plurality of security controls to one or more attack steps of one or more attack paths associated with the respective threat; for each of the plurality of threats, selecting at least a subset of the matched security controls; and for each of the plurality of threats, outputting information regarding the selected security controls.
    Type: Application
    Filed: September 17, 2024
    Publication date: January 2, 2025
    Inventors: Yitzhack DAVIDOVICH, David MOR OFEK, Ze'ev SHALEV
  • Patent number: 12013935
    Abstract: An ROP attack protection method for a plurality of ECUs, the method constituted of: receiving data destined for one of the plurality of ECUs; determining which of the plurality of ECUs the received data is destined for; responsive to a unique model associated with the determined ECU, analyzing the received data to identify control flow instructions addressed to one or more predetermined addresses; responsive to the analyzation, generate a statistical analysis of the identified control flow instructions; and responsive to the generated statistical analysis, outputting a signal indicating a possibility of an attack.
    Type: Grant
    Filed: March 5, 2020
    Date of Patent: June 18, 2024
    Assignee: C2A-SEC, Ltd.
    Inventors: Yitzhack Davidovich, Yoav Fuchs, Nir Brakha
  • Patent number: 11893113
    Abstract: An ROP attack protection apparatus constituted of: a first region of memory having stored therein a protection function, the first region of memory set as executable; and a second region of memory having stored thereon a plurality of operation functions, the second region of memory set as non-executable, wherein the protection function is arranged to: responsive to a call to one of the plurality of operation functions and further responsive to at least one predetermined rule, allow execution of the called operation function; and after receiving a return from the executed operation function, set the executed operation function as non-executable.
    Type: Grant
    Filed: November 1, 2019
    Date of Patent: February 6, 2024
    Assignee: C2A-SEC, Ltd.
    Inventors: Yitzhack Davidovich, Yoav Fuchs, Nir Brakha
  • Publication number: 20230049233
    Abstract: A CFI system constituted of: at least one protection module, each comprising a respective allowable flow model associated with at least one of a plurality of portions of a process; and at least one process protection manager, arranged, responsive to a control flow instruction in one of the plurality of portions of the process, to: compare one or more parameters of the control flow instruction to the allowable flow model of the associated protection module; and responsive to an outcome of the comparison indicating that the compared parameters do not meet a respective parameter of the allowable flow model, generate a predetermined signal, wherein each protection module is implemented as a shared object, wherein each process protection manager is implemented as a shared object, and wherein the at least one protection module and the process protection manager are loaded into the process.
    Type: Application
    Filed: January 27, 2021
    Publication date: February 16, 2023
    Inventors: Yitzhack DAVIDOVICH, Yoav FUCHS, Leonid FRENKEL
  • Publication number: 20220242419
    Abstract: A system for monitoring intrusion anomalies in an automotive vehicle, the system constituted of: at least one electronic control unit; at least one security monitor arranged to detect intrusion anomalies for the at least one electronic control unit and output information regarding the detected intrusion anomalies; and an anomaly analyzer arranged to: accumulate the output information regarding the detected intrusion anomalies; receive at least one vehicle status signal; compare, responsive to the received at least one vehicle status signal, the accumulated output information regarding the detected intrusion anomalies with an anomaly incident list, the anomaly incident list comprising at least one anomaly incident; and responsive to a predetermined outcome of the comparison, output a predetermined incident signal.
    Type: Application
    Filed: July 23, 2020
    Publication date: August 4, 2022
    Inventors: Yitzhack DAVIDOVICH, Aharon NAIMAN, Roie KERSTEIN
  • Publication number: 20220188414
    Abstract: An ROP attack protection method for a plurality of ECUs, the method constituted of: receiving data destined for one of the plurality of ECUs; determining which of the plurality of ECUs the received data is destined for; responsive to a unique model associated with the determined ECU, analyzing the received data to identify control flow instructions addressed to one or more predetermined addresses; responsive to the analyzation, generate a statistical analysis of the identified control flow instructions; and responsive to the generated statistical analysis, outputting a signal indicating a possibility of an attack.
    Type: Application
    Filed: March 5, 2020
    Publication date: June 16, 2022
    Inventors: Yitzhack DAVIDOVICH, Yoav FUCHS, Nir BRAKHA
  • Publication number: 20210397705
    Abstract: An ROP attack protection apparatus constituted of: a first region of memory having stored therein a protection function, the first region of memory set as executable; and a second region of memory having stored thereon a plurality of operation functions, the second region of memory set as non-executable, wherein the protection function is arranged to: responsive to a call to one of the plurality of operation functions and further responsive to at least one predetermined rule, allow execution of the called operation function; and after receiving a return from the executed operation function, set the executed operation function as non-executable.
    Type: Application
    Filed: November 1, 2019
    Publication date: December 23, 2021
    Inventors: Yitzhack DAVIDOVICH, Yoav FUCHS, Nir BRAKHA