1. Field of the Invention
This invention pertains in general to computer security and in particular to detecting attempted exploits of vulnerabilities of applications and other programs executing on a computer.
2. Description of the Related Art
Applications executed on modern computers are often susceptible to a wide variety of attacks. Web browsers, for example, are particularly susceptible to attacks because browsers receive large amounts of content from the Internet. Other types of applications are also vulnerable. For example, email programs and even word processors provide interfaces that are vulnerable to attack.
Malicious attackers can compromise such applications by crafting specially formulated inputs that exploit vulnerabilities in the applications. Such an input contains data that, when received by an application, gives the attackers control over the application and allows them to perform malicious acts such as capturing keystrokes, sending messages on the network, deleting files, and installing malicious software (malware) such as spyware and adware. Specifically, this type of attack exploits an application's vulnerability in order to inject or otherwise write malicious code into the application's address space. The application then executes the malicious code and gives the attacker control of the application.
To stop these sorts of attacks, modern security products monitor address spaces used by applications to detect behaviors that signify malicious code being written to the address space. Attackers have thus turned to new techniques that use data already present in an application's address space to carry out an attack. Since these new techniques do not write data into an application's address space, they are not detected by the security products.