MALICIOUS CODE PROTECTION FOR COMPUTER SYSTEMS BASED ON SYSTEM CALL TABLE MODIFICATION AND RUNTIME APPLICATION PATCHING

Abstract

Techniques are provided for neutralizing attacks by malicious code on a computer system. In an embodiment, this is achieved by modifying certain aspects of an operating system. For example, a system call table storing pointers to system functions is duplicated to create a shadow system call table. The original table is modified with traps, resulting in the neutralization of processes that access the table, whereas processes that access the shadow system call table are enabled to execute properly. In order for valid applications to operate with the shadow system call table, index numbers corresponding to the different system function calls are randomized in a system library that maintains function calls to such system functions. Valid applications may be patched in order to reference such randomized index numbers, whereas malicious processes continue to reference the original non-randomized index numbers.
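The scheme in the abstract can be modelled in user space, as an added example that is not code from the patent. All names (`protect`, `patched_call`, `unpatched_call`, `lib_index`) and the four sample calls are hypothetical, and the trap is assumed to simply return a sentinel value instead of neutralizing the calling process.

```c
#include <stdio.h>
#include <stdlib.h>

#define NSYS 4
enum { SYS_READ, SYS_WRITE, SYS_OPEN, SYS_EXEC };  /* original, well-known index numbers */
enum { TRAPPED = -1 };
typedef int (*sys_fn)(void);

static int do_read(void)  { return 100; }          /* stand-ins for real system functions */
static int do_write(void) { return 101; }
static int do_open(void)  { return 102; }
static int do_exec(void)  { return 103; }
static int trap(void)     { return TRAPPED; }      /* assumed trap: report, do not execute */

static const sys_fn real_fn[NSYS] = { do_read, do_write, do_open, do_exec };
static sys_fn original_table[NSYS];                /* what unpatched code still uses */
static sys_fn shadow_table[NSYS];                  /* duplicate, stored in permuted order */
static int lib_index[NSYS];                        /* system library: original -> randomized index */

/* Build the shadow table under a random permutation and fill the original with traps. */
void protect(unsigned seed) {
    srand(seed);                                   /* rand() is for illustration only */
    for (int i = 0; i < NSYS; i++) lib_index[i] = i;
    for (int i = NSYS - 1; i > 0; i--) {           /* Fisher-Yates shuffle */
        int j = rand() % (i + 1);
        int t = lib_index[i]; lib_index[i] = lib_index[j]; lib_index[j] = t;
    }
    for (int i = 0; i < NSYS; i++) {
        shadow_table[lib_index[i]] = real_fn[i];
        original_table[i] = trap;
    }
}

/* Patched application: uses the library's randomized index into the shadow table. */
int patched_call(int sysno) {
    if (sysno < 0 || sysno >= NSYS) return TRAPPED;
    return shadow_table[lib_index[sysno]]();
}

/* Unpatched code: hard-codes the original index and the original table. */
int unpatched_call(int sysno) {
    if (sysno < 0 || sysno >= NSYS) return TRAPPED;
    return original_table[sysno]();
}

int main(void) {
    protect(1234u);
    printf("patched exec=%d unpatched exec=%d\n", patched_call(SYS_EXEC), unpatched_call(SYS_EXEC));
    return 0;
}
```
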
