The invention relates to systems and methods for protecting computer systems from malware.
Malicious software, also known as malware, affects a great number of computer systems worldwide. In its many forms such as computer viruses, worms, rootkits, and spyware, malware presents a serious risk to millions of computer users, making them vulnerable to loss of data and sensitive information, identity theft, and loss of productivity, among others.
A particular kind of malware consists of a code reuse attack. Some examples of such malware include return-oriented programming (ROP) and jump-oriented programming (JOP) exploits. A typical ROP exploit, also known in the art as a return-into-library attack, includes an illegitimate manipulation of a call stack used by a thread of a process, the illegitimate manipulation intended to alter the original functionality of the respective thread/process. For instance, an exemplary ROP exploit may manipulate the call stack so as to force the host system to execute a sequence of code snippets, known as gadgets, each such gadget representing a piece of legitimate code of the target process. Careful stack manipulation may result in the respective code snippets being executed in a sequence, which differs from the original, intended sequence of instructions of the original process or thread.
A typical JOP attack comprises exploiting a buffer overflow vulnerability to create a dispatch table. Such a dispatch table may be used to re-organize the execution of a legitimate thread or process, by making execution jump from one gadget to another in a pre-determined sequence that carries out a malicious activity instead of the original, intended activity of the targeted process/thread.
By re-using pieces of code from legitimate processes to carry out malicious activities instead of explicitly writing malicious code, ROP and JOP exploits may evade detection by conventional anti-malware techniques. Several anti-malware methods have been proposed to address code-reuse attacks, but such methods typically place a heavy computational burden on the respective host system, negatively impacting user experience. Therefore, there is a strong interest in developing systems and methods capable of effectively targeting code reuse malware, with minimal computational costs.