The present invention relates generally to protecting electronic devices against attacks designed to disrupt the processing flow of programs executing on the electronic devices by manipulating the code pointer, and in particular, to protecting an electronic device from attacks on processing flow by updating a code pointer complement in parallel with updating the code pointer.
Both electronic communication and digital commerce can be powerful yet dangerous tools. With the widespread availability of network technology, such as the Internet, there is an ever-increasing use of and dependence upon online tools for communication and commerce. Each year more users find it easier or quicker to conduct important transactions using computers and other computerized devices over computer networks. However, there is always the risk that the security of electronic transactions can be compromised through interception by third parties who do not have the right to partake in the transactions. When malicious third parties obtain access to otherwise private transactions and data there is risk of economic loss, privacy loss, and jeopardized physical safety.
One type of attack against the sensitive information that is stored in security devices is the Buffer Overflow Attack. Buffer overflow is an attack model that is based on stack allocation. Buffer overflows occur when data is written outside of the allocated space for a particular data structure. If the operating system does not guard against such out-of-bounds writing of data, an attacker may write into space that is intended as the return address for procedure calls. By doing so, the attacker may redirect the return to a malicious code, which would run with the same permissions and privileges as the targeted code. Thus, the malicious code may perform any function that can otherwise be programmed. One mechanism would be to open a remote shell on the compromised machine. In that case, the injected malicious code is referred to as shellcode.
Attacks against processing flow are also often used to circumvent certain critical portions of programs. For example, many programs include code that verifies that a user has been authorized to execute the program. By circumventing the processing flow to bypass such verification code, a malicious user may use the program without the requisite credential allowing legitimate use thereof.
On an embedded operating system—for example, IOS from Apple Inc., Cupertino, Calif., USA—some protections like address-space layout randomization (ASLR) or using page code that is not writable prevent attackers from tampering with applications to run malicious code. However, such techniques may be circumvented by an attacker by tracking the existing application code using a debugger that causes the application to execute in an alternate order specified by the attacker.
Another defence against processing-flow attacks include embedding security countermeasures directly in the programs. These countermeasures use specific and often complex techniques in an attempt to verify that critical sections of code have been executed and where possible that the order of execution is correct. This type of secure programming requires a specialized area of knowledge as the developer must understand both the types of attacks that can be performed as well as efficient methods of protection against those attacks. Thus, there are at least two problems associated with that solution: (1) it requires modification of individual programs and places the burden of implementing the countermeasures on the application developer, and (2) it adds significant overhead cost in development time and personnel needs. Furthermore, in most cases there is no guarantee that these countermeasures fully protect against skipped code or other processing flow modifications.
From the foregoing it will be apparent that there is still a need for an improved technology to provide a secure mechanism that is computationally efficient, that does not require excessively large registers or other storage, and in which enables a portable security device to have the capability of protecting against attacks on processing flow such as buffer overflow, stack overflow, shellcode attacks and other code pointer manipulations.