Patent classifications
G06F9/4486
DYNAMIC SWITCHING BETWEEN POINTER AUTHENTICATION REGIMES
Embodiments described herein enable the interoperability between processes configured for pointer authentication and processes that are not configured for pointer authentication. Enabling the interoperability between such processes enables essential libraries, such as system libraries, to be compiled with pointer authentication, while enabling those libraries to still be used by processes that have not yet been compiled or configured to use pointer authentication.
Reducing buffer overflow
A method may include operating a program using an input that causes buffer overflow, and determining the minimum input length that causes buffer overflow and the maximum input length that does not cause buffer overflow. The method may include operating the program using a first input that has the maximum input length and a second input that has the minimum input length. The method may include collecting call/return pairs for each function of the program using the first and second inputs and determining, based on a difference between the call/return pairs, the function that causes buffer overflow. The method may include determining whether a number of calls exceeds a threshold. In response to the number of calls exceeding the threshold, the method may include inserting a patch configured to prevent buffer overflow in a calling function.
Containing an application in an immersive non-windowed environment
Techniques are described herein that are capable of containing an application in an immersive non-windowed environment. For instance, the application may be configured for use in a windowed environment. Containing the application in the immersive non-windowed environment may involve selectively implementing functionality that is associated with the application based at least in part on whether the functionality is applicable to the immersive non-windowed environment. For example, when a request to implement functionality that is not applicable to the immersive non-windowed environment is received, functionality that is applicable to the immersive non-windowed environment may be implemented in lieu of the functionality that is not applicable to the immersive non-windowed environment. In another example, no action may be taken with regard to the request.
Mock server for testing
Systems of the present disclosure provide a versatile, reusable mock server to respond to Application Programming Interface (API) requests. The mock server receives an API request and a cookie associated with the API request. The API server identifies response instructions found in the cookie. The response instructions may include a static response value, the name of an API server for the mock server to imitate, or code for the mock server to execute in the process of generating a mock API response. The mock server generates a mock API response based on the response instructions and sends the mock API response in reply to the API request.
Dynamically applying a patch to a computer application
Some examples described herein relate to dynamically applying a patch to a computer application. An external process may be invoked to bring a target process of the computer application to a safe point. A dynamic loader may load a patch library into an address space of the target process, wherein the patch library includes a patched version of a target function or a new function. A specific function in the dynamic loader may be directed to route a function call for the target function to the patched version of the target function or the new function in the patch library.
Generating and executing multi-entry point functions
A static multi-entry point function with more than one entry point is provided. The function allows callers to enter the function at different entry points using an offset. Each entry point of the function is associated with a different offset, and includes instructions that identify data that is associated with the entry point. Each entry point further includes an instruction that jumps to a common prologue of the function. The common prologue loads the identified data into local variables. The function also includes a functional component that performs different actions depending on the data in the local variables. The function includes a default entry point that is used when the function is called without any offset, so that the function appears to behave like a normal function to scanners.
Detection of return oriented programming attacks in a processor
In an embodiment, a processor for Return Oriented Programming (ROP) detection includes at least one execution unit; a plurality of event counters, each event counter associated with a unique type among a plurality of types of control transfer events; and a ROP detection unit. The ROP detection unit may be configured to: adjust a first event counter in response to detection of a first type of control transfer event; in response to a determination that the first event counter exceeds a first threshold, access a first configuration register associated with the first event counter to read configuration data; identify a set of ROP heuristic checks based on the configuration data read from the first configuration register; and perform each ROP heuristic check of the identified set of ROP heuristic checks. Other embodiments are described and claimed.
INFORMATION PROCESSING DEVICE
Provided is a technology for reducing the time during which an information processing device is not controllable because of a program update accompanied by a function change. An information processing device includes a storage unit and a processing unit, wherein the storage unit stores a program which contains a function and a jump table which defines the calling of the function by the program, and wherein the processing unit determines the function to be called with reference to the jump table when the program is executed and, when the program is updated with a change of the function, writes a new function (the function after the change) and updates the jump table to call the new function.
Enforcing a segmentation policy in co-existence with a system firewall
A segmentation firewall executing on a host enforces a segmentation policy. In a co-existence mode, the segmentation firewall operates in co-existence with a system firewall that enforces a security policy. The segmentation firewall is configured to either drop packets that do not match any permissive rule or pass packets that match a permissive rule to the system firewall to enable the system firewall to determine whether to drop or accept the passed packets. To enable efficient operation of the segmentation firewall when operating in co-existence with the system firewall, the segmentation firewall may include a plurality of rule chains and may be configured to exit a chain and bypass remaining rule chains upon an input packet matching a permissive rule of the segmentation policy.