G06F21/52

UPDATING ENCRYPTED SECURITY CONTEXT IN STACK POINTERS FOR EXCEPTION HANDLING AND TIGHT BOUNDING OF ON-STACK ARGUMENTS

A processor is to execute a first instruction to perform a simulated return in a program from a callee function to a caller function based on a first input stack pointer encoded with a first security context of a first callee stack frame. To perform the simulated return is to include generating a first simulated stack pointer to the caller stack frame. The processor is further to, in response to identifying an exception handler in the first caller function, execute a second instruction to perform a simulated call based on a second input stack pointer encoded with a second security context of the caller stack frame. To perform the simulated call is to include generating a second simulated stack pointer to a new stack frame containing an encrypted instruction pointer associated with the exception handler. The second simulated stack pointer is to be encoded with a new security context.

SYSTEM AND METHOD FOR PROTECTING AGAINST CONTROL-FLOW ATTACKS
20230020547 · 2023-01-19

A system and method of protecting against control-flow attacks provides two complementary, transparent, and strong security policies for the RTL design at the hardware level. The approach performs static analysis of the controller, followed by lightweight instrumentation, such that CFI is enforced in place and at runtime. The modified controller follows a conservative CFG with the help of a monitor.

Content Hiding Software Identification and/or Extraction System and Method
20230012801 · 2023-01-19

An exemplary system and method facilitate identifying and/or extracting content hiding software, e.g., in a software curation environment (e.g., Apple's App Store). In some embodiments, the exemplary system and method may be applied to U.S.-based platforms as well as international platforms in Russia, India, and China, among others.

SYSTEMS AND METHODS FOR DETERMINING A LIKELIHOOD OF AN EXISTENCE OF MALWARE ON AN EXECUTABLE
20230222207 · 2023-07-13

Provided herein are systems and methods for determining a likelihood that an executable comprises malware. A learning engine may determine a plurality of attributes of an executable identified in a computing environment, and a corresponding weight to assign to each of the plurality of attributes. Each of the plurality of attributes may be indicative of a level of risk for the computing environment. The learning engine may generate, according to the determined plurality of attributes and the corresponding weights, one or more scores indicative of a likelihood that the executable comprises malware. A rule engine may perform an action to manage operation of the executable, according to the generated one or more scores.

Monitoring control-flow integrity

A method for monitoring control-flow integrity in a low-level execution environment, the method comprising receiving, at a monitor, a message from the execution environment indicating that the execution environment has entered a controlled mode of operation, receiving, at the monitor, a data packet representing execution of a selected portion of a control-flow process at the execution environment, identifying, using the data packet, a pathway corresponding to the selected portion of the control-flow process from a set of permissible control-flow pathways and determining whether the identified pathway corresponds to an expected control-flow behaviour.

Cyclically dependent checks for software tamper-proofing
11698950 · 2023-07-11

Embodiments of the present disclosure relate to anti-tamper computer systems, in particular to methods and systems which can embed protection code into software. Among other things, the protection code helps prevent (and makes more costly) reverse engineering to tamper with the protected software with malicious intent, such as, but not restricted to: the removal of a license protection mechanism; the removal of code displaying advertisements; the injection of a malicious thread into the program memory space; illicit usage; or any other kind of unauthorized modification of the software.

METHOD OF ANALYZING CONTAINER SYSTEM CALL CONFIGURATION ERROR, AND RECORDING MEDIUM AND APPARATUS FOR PERFORMING THE SAME
20230008660 · 2023-01-12

Provided is a method of analyzing a container system call configuration error, including: profiling a set of trusted images that are uploaded to a public or private container image repository during initialization of a system or verified by a repository owner; identifying a custom service layer and known service layers based on the trusted image when a custom image is transmitted to the system; analyzing only the custom service layer by a system call extraction engine; and generating and optimizing a profile with an essential and non-malicious system call by scanning the custom service layer to remove a malicious program or a vulnerable system call. Accordingly, it is possible to reduce overhead by omitting re-analysis of known images in a container image scanning process.

Secure processor and a program for a secure processor
11550962 · 2023-01-10

The instruction code, including an instruction code stored in the area where the encrypted instruction code is stored in a non-rewritable format, is authenticated using a specific key which is specific to the core where the instruction code is executed, or a key authenticated by a specific key, to perform encryption processing for the input and output data between the core and the outside.