This invention concerns a method for processing input data in a computer system, including at least one step to detect a specific word present among said data.
These types of methods are commonly used to detect attack programs coming from outside the computer system aimed at disrupting the operation of the system by making it execute unauthorized actions developed by a system attacker. These attacks can therefore adversely affect the integrity, the availability and the confidentiality of a computer system. They cause considerable damage and affect both administrations and private enterprises, and therefore all of modern society. It is therefore desirable to equip computer systems with means allowing them to reliably and routinely detect such attacks.
The invention is related to the following considerations:
Most attacks identified take advantage of flaws present in the systems they target. The most commonly observed attacks use a principle known as “buffer overflow.” These attacks exploit a property of certain computer systems: when the length of a flow of information intended for a memory zone of pre-determined length exceeds that length, the word or words that cannot be stored in the memory zone for lack of available space, and that therefore “exceed” it, are treated by the central processing unit as immediately executable instructions and are executed without any verification of their legitimacy by the processing system. Such instructions can also trigger a call to a program that the attacker stored either beforehand, anywhere in the memory space, or at the same time, in the memory zone the attacker has chosen to overflow.
In the current state of the art, two methods are used to detect attacks via buffer overflow.
A first detection method identifies very long data chains, since a large amount of data is generally needed to make the targeted memory zone overflow. This first method is not entirely satisfactory, and will become less and less effective as more and more complex computer tools appear that require exchanges of data chains of ever increasing length during normal operation. It will thus be increasingly difficult to distinguish a long but harmless data chain from a malicious one of comparable length.
A second detection method looks for data chains containing a large number of instructions known in assembly language as NOP. These are harmless in themselves, since they instruct the central unit to do nothing, but an accumulation of them can be used to make the targeted memory zone overflow. This second detection method, more precise than the first, is also bound to lose its effectiveness as new ways of encoding NOP instructions appear. In the current state of the art, fifty-three different ways of producing NOP instructions have been listed following analysis of known attacks. The number of combinations available to disguise NOP instruction chains is therefore very large and exceeds the detection capabilities of most current data processing systems.
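The two prior-art heuristics just described, as an added illustration that is not part of the patent text: a length threshold and a longest-run-of-NOP check are applied to constructed samples, showing that a long but harmless payload trips only the length heuristic while a NOP-padded chain trips only the run heuristic. The thresholds, the single opcode value checked (0x90, the canonical x86 NOP; the other encodings the text mentions are not enumerated here) and the sample data are assumptions made for this example.

```python
from dataclasses import dataclass

# Assumption: only the canonical single-byte x86 NOP is checked. The text notes
# that many alternative encodings exist; a real detector would extend this set.
NOP_OPCODES = frozenset({0x90})


@dataclass
class Verdict:
    length: int
    longest_nop_run: int
    flagged_by_length: bool   # prior-art method 1: very long data chain
    flagged_by_nop_run: bool  # prior-art method 2: accumulation of NOPs


def longest_run(data: bytes, opcodes: frozenset = NOP_OPCODES) -> int:
    """Length of the longest contiguous run of bytes drawn from `opcodes`."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b in opcodes else 0
        best = max(best, cur)
    return best


def inspect(data: bytes, max_len: int = 1024, min_nop_run: int = 32,
            opcodes: frozenset = NOP_OPCODES) -> Verdict:
    """Apply both heuristics; thresholds are example values, not from the text."""
    run = longest_run(data, opcodes)
    return Verdict(len(data), run, len(data) > max_len, run >= min_nop_run)


# Constructed samples (not captured traffic).
BENIGN_SHORT = b"GET /index.html HTTP/1.0\r\n\r\n"
BENIGN_LONG = b"field=" + b"x" * 1500          # long but harmless form payload
NOP_PADDED = b"\x90" * 200 + bytes(range(1, 41))  # NOP run followed by filler bytes

if __name__ == "__main__":
    for name, sample in (("short", BENIGN_SHORT), ("long", BENIGN_LONG),
                         ("nop-padded", NOP_PADDED)):
        print(name, inspect(sample))
```

The long harmless sample is the false positive the text predicts for method 1; the NOP-padded sample is caught only by method 2, and would be missed if its padding used an encoding absent from `NOP_OPCODES`.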