US2018314825A1PendingUtilityA1

Time varying address space layout randomization

55
Assignee: QUALCOMM INCPriority: Mar 31, 2016Filed: Jul 2, 2018Published: Nov 1, 2018
Est. expiryMar 31, 2036(~9.7 yrs left)· nominal 20-yr term from priority
G06F 17/30233G06F 21/52G06F 3/0631G06F 3/0623G06F 12/1009G06F 3/0683G06F 21/554G06F 3/0653G06F 17/30138G06F 16/188G06F 16/1727
55
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Embodiments include computing devices, apparatus, and methods implemented by the apparatus for time varying address space layout randomization. The apparatus may launch first plurality of versions of a system service and assign a random virtual address space layout to each of the first plurality of versions of the system service. The apparatus may receive a first request to execute the system service from a first application. The apparatus may randomly select a first version of the system service from the first plurality of versions of the system service, and execute the system service using data of the first version of the system service.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A method of time varying address space layout randomization on a computing device, comprising:
 receiving a first request to execute the system service from a first application;   randomly selecting a first version of the system service from a first plurality of versions of the system service, wherein each of the first plurality of versions of the system service is assigned a random virtual address space layout; and   executing the system service using data of the first version of the system service.   
     
     
         2 . The method of  claim 1 , further comprising:
 receiving a second request to execute the system service from the first application;   randomly selecting a second version of the system service from the first plurality of versions of the system service; and   executing the system service using data of the second version of the system service.   
     
     
         3 . The method of  claim 1 , further comprising:
 assigning a system service version identifier to each of the first plurality of versions of the system service, wherein the system service version identifier of each of the first plurality of versions of the system service is different;   correlating the system service version identifier of each of the first plurality of versions of the system service to a system service identifier of the system service;   storing the correlations of the system service version identifier of each of the first plurality of versions of the system service and the system service identifier;   correlating the system service version identifier of each of the first plurality of versions of the system service with a corresponding one of the random virtual address space layout of each of the first plurality of versions of the system service; and   storing the correlations of the system service version identifier of each of the first plurality of versions of the system service with a corresponding one of the random virtual address space layout of each of the first plurality of versions of the system service.   
     
     
         4 . The method of  claim 3 , wherein:
 the first request to execute the system service includes the system service identifier;   randomly selecting a first version of the system service from the first plurality of versions of the system service comprises randomly selecting the first version of the system service from the first plurality of versions of the system service correlated with the system service identifier;   the method further comprising:
 providing the first application with a first system service version identifier of the first version of the system service; and 
 receiving a request to execute the first version of the system service having the first system service version identifier from the first application. 
   
     
     
         5 . The method of  claim 4 , further comprising:
 locating a random virtual address of the first system service version using a correlation between the first system service version identifier and the random virtual address space layout of the first system service version;   translating the random virtual address of the first system service version to a physical address at which the data of the first version of the system service is stored; and   retrieving the data of the first version of the system service.   
     
     
         6 . The method of  claim 3 , further comprising assigning a process identifier to each of the first plurality of versions of the system service,
 wherein the process identifier for each of the first plurality of versions of the system service is the same, and   wherein assigning a system service version identifier to each of the first plurality of versions of the system service and correlating the system service version identifier of each of the first plurality of versions of the system service to a system service identifier of the system service occurs for each of the first plurality of versions of the system service assigned the process identifier.   
     
     
         7 . The method of  claim 1 , further comprising:
 receiving a request to allocate code buffer space for dynamically generated code of an execution of the first version of the system service;   randomly selecting a code buffer address;   determining whether a code buffer space correlated with the code buffer address is large enough and available to store the dynamically generated code; and   storing the dynamically generated code at the code buffer address in response to determining that the code buffer space is large enough to store the dynamically generated code.   
     
     
         8 . The method of  claim 1 , further comprising:
 receiving a second request to execute the system service from a second application;   detecting the second request to execute the system service from the second application is an attack on the system service;   launching a second plurality of versions of the system service;   assigning a random virtual address space layout to each of the second plurality of versions of the system service, wherein the random virtual address space layout of each of the first plurality of versions of the system service and the random virtual address space layout of each of the second plurality of versions of the system service are different;   randomly selecting a second version of the system service from the first plurality of versions of the system service and the second plurality of versions of the system service; and   executing the system service using data of the second version of the system service.   
     
     
         9 . The method of  claim 1 , further comprising:
 launching each of multiple versions of the system service of the first plurality of versions of the system service on one of a plurality of heterogeneous processor cores having different instruction set architectures,
 wherein randomly selecting a first version of the system service from the first plurality of versions of the system service comprises randomly selecting a first heterogeneous processor core of the plurality of heterogeneous processor cores on which the first version of the system service is launched, and 
 wherein executing the system service using data of the first version of the system service comprises executing the system service by the first heterogeneous processor core; 
   transferring the first request to execute the system service from the first application to the first heterogeneous processor core;   receiving an output of the execution of the system service by the first heterogeneous processor core; and   returning the output to the first application.   
     
     
         10 . A computing device, comprising:
 a request coordinator configured to perform operations comprising;
 receiving a first request to execute the system service from a first application; 
 randomly selecting a first version of the system service from a first plurality of versions of the system service, wherein each of the first plurality of versions of the system service is assigned a random virtual address space layout; and 
   a processor communicatively connected to the request coordinator and configured with executable instructions to perform operations comprising executing the system service using data of the first version of the system service.   
     
     
         11 . The computing device of  claim 10 , wherein:
 the request coordinator is configured to perform operations further comprising:
 receiving a second request to execute the system service from the first application; and 
 randomly selecting a second version of the system service from the first plurality of versions of the system service; and 
   the processor is configured with executable instructions to perform operations further comprising executing the system service using data of the second version of the system service.   
     
     
         12 . The computing device of  claim 10 , further comprising a launcher communicatively connected to the request coordinator and configured to perform operations comprising assigning a system service version identifier to each of the first plurality of versions of the system service, wherein the system service version identifier of each of the first plurality of versions of the system service is different;
 wherein the request coordinator is configured to perform operations further comprising:
 correlating the system service version identifier of each of the first plurality of versions of the system service to a system service identifier of the system service; and 
 storing the correlations of the system service version identifier of each of the first plurality of versions of the system service and the system service identifier; and 
   wherein the processor is configured with executable instructions to perform operations further comprising:
 correlating the system service version identifier of each of the first plurality of versions of the system service with a corresponding one of the random virtual address space layout of each of the first plurality of versions of the system service; and 
 storing the correlations of the system service version identifier of each of the first plurality of versions of the system service with a corresponding one of the random virtual address space layout of each of the first plurality of versions of the system service. 
   
     
     
         13 . The computing device of  claim 12 , wherein:
 the request coordinator is configured to perform operations such that:
 receiving the first request to execute the system service from the first application comprises receiving the system service identifier; 
 randomly selecting a first version of the system service from the first plurality of versions of the system service comprises randomly selecting the first version of the system service from the first plurality of versions of the system service correlated with the system service identifier; and 
   the processor is configured with executable instructions to perform operations further comprising:
 providing the first application with a first system service version identifier of the first version of the system service; and 
 receiving a request to execute the first version of the system service having the first system service version identifier from the first application. 
   
     
     
         14 . The computing device of  claim 13 , wherein the processor is configured with executable instructions to perform operations further comprising:
 locating a random virtual address of the first system service version using a correlation between the first system service version identifier and the random virtual address space layout of the first system service version;   translating the random virtual address of the first system service version to a physical address at which the data of the first version of the system service is stored; and   retrieving the data of the first version of the system service.   
     
     
         15 . The computing device of  claim 12 , wherein:
 the launcher is configured to perform operations further comprising assigning a process identifier to each of the first plurality of versions of the system service, wherein the process identifier for each of the first plurality of versions of the system service is the same;   the launcher is configured to perform operations such that assigning a system service version identifier to each of the first plurality of versions of the system service occurs for each of the first plurality of versions of the system service assigned the process identifier; and   the processor is configured with executable instructions to perform operations such that correlating the system service version identifier of each of the first plurality of versions of the system service to a system service identifier of the system service occurs for each of the first plurality of versions of the system service assigned the process identifier.   
     
     
         16 . The computing device of  claim 10 , further comprising a memory allocator communicatively connected to the request coordinator and configured to perform operations comprising:
 receiving a request to allocate code buffer space for dynamically generated code of an execution of the first version of the system service;   randomly selecting a code buffer address;   determining whether a code buffer space correlated with the code buffer address is large enough and available to store the dynamically generated code; and   storing the dynamically generated code at the code buffer address in response to determining that the code buffer space is large enough to store the dynamically generated code.   
     
     
         17 . The computing device of  claim 10 ,
 wherein the request coordinator is configured to perform operations further comprising:
 receiving a second request to execute the system service from a second application; 
 detecting the second request to execute the system service from the second application is an attack on the system service; 
   the computing device further comprising:
 a launcher communicatively connected to the request coordinator and configured to perform operations further comprising launching a second plurality of versions of the system service; 
 a mapper communicatively connected to the launcher and configured to perform operations further comprising assigning a random virtual address space layout to each of the second plurality of versions of the system service, wherein the random virtual address space layout of each of the first plurality of versions of the system service and the random virtual address space layout of each of the second plurality of versions of the system service are different; 
   wherein the request coordinator is configured to perform operations further comprising randomly selecting a second version of the system service from the first plurality of versions of the system service and the second plurality of versions of the system service; and   wherein the processor is configured with executable instructions to perform operations further comprising executing the system service using data of the second version of the system service.   
     
     
         18 . The computing device of  claim 10 , further comprising a launcher communicatively connected to the request coordinator and configured to perform operations comprising launching each of multiple versions of the system service of the first plurality of versions of the system service on one of a plurality of heterogeneous processor cores having different instruction set architectures;
 wherein the request coordinator is configured to perform operations such that randomly selecting a first version of the system service from the first plurality of versions of the system service comprises randomly selecting a first heterogeneous processor core of the plurality of heterogeneous processor cores on which the first version of the system service is launched;   wherein the processor is the first heterogeneous processor core and is configured with executable instructions to perform operations such that executing the system service using data of the first version of the system service comprises executing the system service by the first heterogeneous processor core; and   wherein the request coordinator is configured to perform operations further comprising:
 transferring the first request to execute the system service from the first application to the first heterogeneous processor core; 
 receiving an output of the execution of the system service by the first heterogeneous processor core; and 
 returning the output to the first application. 
   
     
     
         19 . A computing device, comprising:
 means for receiving a first request to execute the system service from a first application;   means for randomly selecting a first version of the system service from the first plurality of versions of the system service, wherein each of the first plurality of versions of the system service is assigned a random virtual address space layout; and   means for executing the system service using data of the first version of the system service.   
     
     
         20 . The computing device of  claim 19 , further comprising:
 means for receiving a second request to execute the system service from the first application;   means for randomly selecting a second version of the system service from the first plurality of versions of the system service; and   means for executing the system service using data of the second version of the system service.   
     
     
         21 . The computing device of  claim 19 , further comprising:
 means for assigning a system service version identifier to each of the first plurality of versions of the system service, wherein the system service version identifier of each of the first plurality of versions of the system service is different;   means for correlating the system service version identifier of each of the first plurality of versions of the system service to a system service identifier of the system service;   means for storing the correlations of the system service version identifier of each of the first plurality of versions of the system service and the system service identifier;   means for correlating the system service version identifier of each of the first plurality of versions of the system service with a corresponding one of the random virtual address space layout of each of the first plurality of versions of the system service; and   means for storing the correlations of the system service version identifier of each of the first plurality of versions of the system service with a corresponding one of the random virtual address space layout of each of the first plurality of versions of the system service.   
     
     
         22 . The computing device of  claim 21 , wherein:
 the first request to execute the system service includes the system service identifier; and   means for randomly selecting a first version of the system service from the first plurality of versions of the system service comprises means for randomly selecting the first version of the system service from the first plurality of versions of the system service correlated with the system service identifier,   the computing device further comprising:
 means for providing the first application with a first system service version identifier of the first version of the system service; and 
 means for receiving a request to execute the first version of the system service having the first system service version identifier from the first application. 
   
     
     
         23 . The computing device of  claim 22 , further comprising:
 means for locating a random virtual address of the first system service version using a correlation between the first system service version identifier and the random virtual address space layout of the first system service version;   means for translating the random virtual address of the first system service version to a physical address at which the data of the first version of the system service is stored; and   means for retrieving the data of the first version of the system service.   
     
     
         24 . The computing device of  claim 21 , further comprising means for assigning a process identifier to each of the first plurality of versions of the system service, wherein the process identifier for each of the first plurality of versions of the system service is the same,
 wherein:
 means for assigning a system service version identifier to each of the first plurality of versions of the system service comprises means for assigning the system service version identifier to each of the first plurality of versions of the system service for each of the first plurality of versions of the system service assigned the process identifier; and 
 means for correlating the system service version identifier of each of the first plurality of versions of the system service to the system service identifier of a system service comprises means for correlating the system service version identifier of each of the first plurality of versions of the system service to the system service identifier of the system service for each of the first plurality of versions of the system service assigned the process identifier. 
   
     
     
         25 . The computing device of  claim 19 , further comprising:
 means for receiving a request to allocate code buffer space for dynamically generated code of an execution of the first version of the system service;   means for randomly selecting a code buffer address;   means for determining whether a code buffer space correlated with the code buffer address is large enough and available to store the dynamically generated code; and   means for storing the dynamically generated code at the code buffer address in response to determining that the code buffer space is large enough to store the dynamically generated code.   
     
     
         26 . The computing device of  claim 19 , further comprising:
 means for receiving a second request to execute the system service from a second application;   means for detecting the second request to execute the system service from the second application is an attack on the system service;   means for launching a second plurality of versions of the system service;   means for assigning a random virtual address space layout to each of the second plurality of versions of the system service, wherein the random virtual address space layout of each of the first plurality of versions of the system service and the random virtual address space layout of each of the second plurality of versions of the system service are different;   means for randomly selecting a second version of the system service from the first plurality of versions of the system service and the second plurality of versions of the system service; and   means for executing the system service using data of the second version of the system service.   
     
     
         27 . The computing device of  claim 19 , further comprising:
 means for launching each of multiple versions of the system service of the first plurality of versions of the system service on one of a plurality of heterogeneous processor cores having different instruction set architectures, wherein:
 means for randomly selecting a first version of the system service from the first plurality of versions of the system service comprises means for randomly selecting a first heterogeneous processor core of the plurality of heterogeneous processor cores on which the first version of the system service is launched; 
 means for executing the system service using data of the first version of the system service comprises means for executing the system service by the first heterogeneous processor core; 
   means for transferring the first request to execute the system service from the first application to the first heterogeneous processor core;   means for receiving an output of the execution of the system service by the first heterogeneous processor core; and   means for returning the output to the first application.   
     
     
         28 . A non-transitory processor-readable storage medium having stored thereon processor-executable instructions configured to cause a processor of a computing device to perform operations comprising:
 receiving a first request to execute the system service from a first application;   randomly selecting a first version of the system service from the first plurality of versions of the system service, wherein each of the first plurality of versions of the system service is assigned a random virtual address space layout; and   executing the system service using data of the first version of the system service.   
     
     
         29 . The non-transitory processor-readable storage medium of  claim 28 , wherein the stored processor-executable instructions are configured to cause the processor to perform operations further comprising:
 receiving a second request to execute the system service from the first application;   randomly selecting a second version of the system service from the first plurality of versions of the system service; and   executing the system service using data of the second version of the system service.   
     
     
         30 . The non-transitory processor-readable storage medium of  claim 28 , wherein the stored processor-executable instructions are configured to cause the processor to perform operations further comprising:
 assigning a system service version identifier to each of the first plurality of versions of the system service, wherein the system service version identifier of each of the first plurality of versions of the system service is different;   correlating the system service version identifier of each of the first plurality of versions of the system service to a system service identifier of the system service;   storing the correlations of the system service version identifier of each of the first plurality of versions of the system service and the system service identifier;   correlating the system service version identifier of each of the first plurality of versions of the system service with a corresponding one of the random virtual address space layout of each of the first plurality of versions of the system service; and   storing the correlations of the system service version identifier of each of the first plurality of versions of the system service with a corresponding one of the random virtual address space layout of each of the first plurality of versions of the system service.   
     
     
         31 . The non-transitory processor-readable storage medium of  claim 30 , wherein:
 the first request to execute the system service includes the system service identifier;   the stored processor-executable instructions are configured to cause the processor to perform operations such that randomly selecting a first version of the system service from the first plurality of versions of the system service comprises randomly selecting the first version of the system service from the first plurality of versions of the system service correlated with the system service identifier; and   the stored processor-executable instructions are configured to cause the processor to perform operations further comprising:
 providing the first application with a first system service version identifier of the first version of the system service; and 
 receiving a request to execute the first version of the system service having the first system service version identifier from the first application. 
   
     
     
         32 . The non-transitory processor-readable storage medium of  claim 31 , wherein the stored processor-executable instructions are configured to cause the processor to perform operations further comprising:
 locating a random virtual address of the first system service version using a correlation between the first system service version identifier and the random virtual address space layout of the first system service version;   translating the random virtual address of the first system service version to a physical address at which the data of the first version of the system service is stored; and   retrieving the data of the first version of the system service.   
     
     
         33 . The non-transitory processor-readable storage medium of  claim 30 , wherein the stored processor-executable instructions are configured to cause the processor to perform operations further comprising assigning a process identifier to each of the first plurality of versions of the system service, wherein the process identifier for each of the first plurality of versions of the system service is the same, and
 wherein the stored processor-executable instructions are configured to cause the processor to perform operations such that assigning a system service version identifier to each of the first plurality of versions of the system service and correlating the system service version identifier of each of the first plurality of versions of the system service to a system service identifier of the system service occurs for each of the first plurality of versions of the system service assigned the process identifier.   
     
     
         34 . The non-transitory processor-readable storage medium of  claim 28 , wherein the stored processor-executable instructions are configured to cause the processor to perform operations further comprising:
 receiving a request to allocate code buffer space for dynamically generated code of an execution of the first version of the system service;   randomly selecting a code buffer address;   determining whether a code buffer space correlated with the code buffer address is large enough and available to store the dynamically generated code; and   storing the dynamically generated code at the code buffer address in response to determining that the code buffer space is large enough to store the dynamically generated code.   
     
     
         35 . The non-transitory processor-readable storage medium of  claim 28 , wherein the stored processor-executable instructions are configured to cause the processor to perform operations further comprising:
 receiving a second request to execute the system service from a second application;   detecting the second request to execute the system service from the second application is an attack on the system service;   launching a second plurality of versions of the system service;   assigning a random virtual address space layout to each of the second plurality of versions of the system service, wherein the random virtual address space layout of each of the first plurality of versions of the system service and the random virtual address space layout of each of the second plurality of versions of the system service are different;   randomly selecting a second version of the system service from the first plurality of versions of the system service and the second plurality of versions of the system service; and   executing the system service using data of the second version of the system service.   
     
     
         36 . The non-transitory processor-readable storage medium of  claim 28 , wherein the stored processor-executable instructions are configured to cause the processor to perform operations further comprising launching each of multiple versions of the system service of the first plurality of versions of the system service on one of a plurality of heterogeneous processor cores having different instruction set architectures,
 wherein the stored processor-executable instructions are configured to cause the processor to perform operations such that:
 randomly selecting a first version of the system service from the first plurality of versions of the system service comprises randomly selecting a first heterogeneous processor core of the plurality of heterogeneous processor cores on which the first version of the system service is launched; and 
 executing the system service using data of the first version of the system service comprises executing the system service by the first heterogeneous processor core, and 
   wherein the stored processor-executable instructions are configured to cause the processor to perform operations further comprising:   transferring the first request to execute the system service from the first application to the first heterogeneous processor core;   receiving an output of the execution of the system service by the first heterogeneous processor core; and   returning the output to the first application.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.