Over the last decade, network devices that access the Internet or other publicly accessible networks have been increasingly subjected to malicious attacks. These malicious attacks may simply involve the use of stolen credentials by an unauthorized person in efforts to illicitly gain access to information stored within a network device. However, other malicious attacks may be more complex.
In general, a malicious attack may be carried out as an exploit attack. An exploit attack is an attempt to take advantage of a vulnerability in computer software or systems by adversely influencing or attacking normal operations of a targeted computer. Typically, exploit attacks are conducted as “user-mode” attacks, where a vulnerability associated with a specific application (e.g., web browser, PDF reader application, Microsoft® Office®) operating in user mode is targeted. In User mode (lesser privileged operating domain such as Ring-3), an executing application has no ability to directly access system resources (e.g., physical or virtual hardware). Instead, the executing application utilizes system-based functions, such as Application Programming Interfaces (APIs) for example, to access the system resources.
Recently, however, there have been an increased level of exploit attacks targeting certain plug-ins as software components operating within the kernel mode. The “kernel mode” is a privileged mode, where a processor in this mode can access the entire address space and execute the entire instruction set (privileged and non-privileged instructions). In kernel mode, an executing software component normally has complete and unrestricted access to the underlying system resources. Hence, kernel mode is generally reserved for low-level, trusted functions of the operating system. One of these targeted software components is a script interpreter.
A script interpreter is a software component that is configured to interpret and execute a script, namely code that is not native to an operating system for the electronic device targeted to receive the script, but features a higher level construct. The script interpreter typically translates content of the scripts (e.g., instructions within bytecode from an interpreted flash file, command lines from an interpreted JavaScript®, etc.) in context of a corresponding application. For ease of deployment, when a receiving electronic device is implemented with a particular script interpreter, such as kernel-based font interpreter (e.g., in win32k.sys) that is operating in kernel mode and having a higher privileged access to resources within the electronic device than an application running in the user mode for example, content within a received script is commonly translated from non-native to native code. In other words, the bytecode instructions or higher-level language code are translated without any consideration that the script may be malicious. Thereafter, after being interpreted (i.e. converted from non-native to native code for execution), the script is executed.
Scripts placed within documents or web pages are typically interpreted and executed within the application's container. This allows for vulnerabilities in the interpreter to be exploited by constructing specific conditions in the script, where early stage detection of an exploit attack on the interpreter is extremely difficult. Once an exploit is triggered, one type of malicious code injected by the script (referred to as “shellcode”) may execute and compromise the receiving electronic device and perhaps an entire network if the malicious attack can propagate to other devices. The shellcode may cause the interpreter to perform operations beyond its limited functionality. Additionally, after the shellcode has executed, full remediation of the shellcode may be difficult to achieve.