US 12,380,212 B2
Return address validation watchdog to discover ROP chains in exploits engineering cloud delivered security services (CDSS)
Tao Yan, San Jose, CA (US); Edouard Bochin, Santa Clara, CA (US); Bo Qu, Saratoga, CA (US); Zhibin Zhang, Santa Clara, CA (US); and Michael Harbison, Salisbury, MD (US)
Assigned to Palo Alto Networks, Inc., Santa Clara, CA (US)
Filed by Palo Alto Networks, Inc., Santa Clara, CA (US)
Filed on Mar. 16, 2023, as Appl. No. 18/122,268.
Prior Publication US 2024/0311479 A1, Sep. 19, 2024
Int. Cl. G06F 21/50 (2013.01); G06F 21/53 (2013.01); G06F 21/56 (2013.01)
CPC G06F 21/566 (2013.01) [G06F 21/53 (2013.01)]
23 Claims
1. A system for detecting Return Oriented Programming (ROP) exploits, comprising:
one or more processors configured to:
intercept a memory attribute change function for a sample;
determine whether a memory attribute is changed to be executable;
in response to determining that the memory attribute is changed to be executable, determine if a return address is associated with a shellcode address; and
in response to determining that the return address is associated with the shellcode address, determine that the sample is an ROP exploit; and
a memory coupled to the one or more processors and configured to provide the one or more processors with instructions.
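The decision sequence of claim 1, sketched as an added example that is not taken from the patent or from any Palo Alto Networks code. It assumes that "associated with a shellcode address" means the return address of the intercepted call falls inside the page-rounded region being made executable; the `prot_event` record, the `PROT_X` bit and the 4096-byte page size are hypothetical, and the sample events are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define PAGE_SIZE 4096u   /* assumed page size */
#define PROT_X    0x4u    /* assumed "executable" bit in the protection flags */

/* Hypothetical record captured by a hook on the memory attribute change function. */
typedef struct {
    uintptr_t addr;      /* start of the region whose attributes change */
    size_t    len;       /* length requested by the caller */
    unsigned  old_prot;  /* protection before the call */
    unsigned  new_prot;  /* protection requested */
    uintptr_t ret_addr;  /* return address of the intercepted call */
} prot_event;

/* True when the call turns a non-executable region executable. */
static bool becomes_executable(const prot_event *e) {
    return !(e->old_prot & PROT_X) && (e->new_prot & PROT_X);
}

/* True when ret_addr lies in the page-rounded region being changed.
 * Protection changes apply to whole pages, so the range is rounded
 * outward, and the end is clamped so addr + len cannot wrap around. */
static bool ret_in_changed_region(const prot_event *e) {
    if (e->len == 0) return false;
    uintptr_t start = e->addr & ~(uintptr_t)(PAGE_SIZE - 1);
    uintptr_t last  = e->addr + (e->len - 1);   /* last byte requested */
    if (last < e->addr) last = UINTPTR_MAX;     /* wrapped: clamp */
    last |= (uintptr_t)(PAGE_SIZE - 1);         /* last byte of its page */
    return e->ret_addr >= start && e->ret_addr <= last;
}

/* Verdict in the order of claim 1: executable change first, then return address. */
static bool is_rop_exploit(const prot_event *e) {
    return becomes_executable(e) && ret_in_changed_region(e);
}

int main(void) {
    /* Constructed events, not captured from a real sample. */
    prot_event benign = { .addr = 0x20201000u, .len = 0x1000, .old_prot = 0x3,
                          .new_prot = 0x5, .ret_addr = 0x00401a2cu };
    prot_event rop    = { .addr = 0x20300010u, .len = 0x200, .old_prot = 0x3,
                          .new_prot = 0x7, .ret_addr = 0x20300040u };
    return (is_rop_exploit(&rop) && !is_rop_exploit(&benign)) ? 0 : 1;
}
```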