The use of computer systems and computer-related technologies continues to increase at a rapid pace. This increased use of computer systems has influenced the advances made to computer-related technologies. Indeed, computer systems have increasingly become an integral part of the business world and the activities of individual consumers. Computer systems are used to carry out several business, industry, and academic endeavors.
An operating system is the software component of a computer system that manages and coordinates processes executed by the system. In addition, the operating system manages and coordinates the various resources of the computer system. Operating systems also act as a host for computer programs that are run on the computer system.
Most modern operating systems provide libraries to implement the majority of services provided by the computer system. Libraries include code and data that provide services to individual computer programs. The code may be executable code. Some operating systems have implemented dynamic linked libraries (DLLs) which allow code and data to be shared among various computer programs. For example, the code and/or data needed by multiple computer programs may be stored in one central DLL.
A dynamic linked library may be stored in an address space in the memory of the computer system. Because the DLL may include executable code, a malicious user may launch an attack, such as a buffer overflow, against the computer system if the user gains access to the executable code in the DLL. In order to hinder a malicious user from gaining access to the code within a DLL, an address space layout randomization (ASLR) technique may be used. The ASLR technique randomly arranges the position of libraries within address spaces of memory. This technique helps prevent the malicious user from locating a DLL in order to gain access to the code contained within the DLL.
However, a malicious user may load a module that appears benign to the computer system, but the module may expand and occupy numerous address spaces within the memory of the computer system. As a result, the malicious user may predict the address spaces into which DLLs with executable code will be loaded, because the module has exhausted many of the address space locations. The effectiveness of the ASLR technique is greatly reduced because many of the address space locations are no longer available when the DLL with executable code is randomly assigned an address space. As such, benefits may be realized by detecting such seemingly benign modules and preventing them from loading into the address space if there is a probability that the module may exhaust the available address spaces in memory.
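The loss of randomization described above can be quantified before a module is mapped. The following is an added example, not taken from the original text: it counts the aligned base addresses still available to a DLL and blocks a module that would leave too few. The 64 KiB granularity, the region bounds, the 8-bit threshold, and the function names are all assumptions chosen for illustration.

```python
import math

ALIGN = 0x10000                       # assumed 64 KiB placement granularity
REGION = (0x10000000, 0x20000000)     # assumed range the loader randomizes within
DLL_SIZE = 0x100000                   # constructed: a 1 MiB DLL to be placed later
MIN_BITS = 8.0                        # assumed policy threshold


def candidate_bases(occupied, size, region=REGION):
    """Aligned bases in `region` where `size` bytes fit clear of `occupied` ranges."""
    start, end = region
    base = -(-start // ALIGN) * ALIGN  # round the region start up to the alignment
    bases = []
    while base + size <= end:
        if all(base + size <= lo or base >= hi for lo, hi in occupied):
            bases.append(base)
        base += ALIGN
    return bases


def entropy_bits(occupied, size=DLL_SIZE):
    """log2 of the number of equally likely placements (0.0 if none or one)."""
    n = len(candidate_bases(occupied, size))
    return math.log2(n) if n else 0.0


def assess_module(occupied, module_range, min_bits=MIN_BITS):
    """Return (bits_before, bits_after, block) for mapping `module_range`."""
    before = entropy_bits(occupied)
    after = entropy_bits(occupied + [module_range])
    return before, after, after < min_bits


if __name__ == "__main__":
    # Constructed requests: a 2 MiB module and one spanning almost the whole region.
    for name, rng in [("small", (0x10000000, 0x10200000)),
                      ("large", (0x10000000, 0x1FE00000))]:
        before, after, block = assess_module([], rng)
        print(f"{name}: {before:.2f} -> {after:.2f} bits, block={block}")
```

In this model the large module cuts the DLL's possible placements from 4081 to 17, which is the predictability the passage warns about.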