G06F21/52

System and method for assessing software containers for vulnerabilities

An example method includes determining, based on a static scan, that a software container image, or the intended execution environment of that image, meets one or more first criteria required to exploit a software vulnerability. Based on that determination, the runtime behavior of a software container instantiated from the image is monitored; the monitoring includes determining whether the container meets one or more second criteria required to exploit the vulnerability, where the first criteria differ from the second criteria. Based on the runtime monitoring, a risk score indicating the magnitude of the risk the vulnerability poses for the container is determined, and a notification of the risk score is provided. A system for assessing software containers for vulnerabilities is also disclosed.
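The two-stage gate the abstract describes, as an added example (not code from the patent): a static scan of the image decides whether a vulnerability's first criteria hold, and only then is a runtime observation checked against a different set of second criteria to produce a score. The vulnerability record, package names, the "runs as root" and "listening socket" criteria and the scoring weights are all hypothetical and constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ITEMS 8

/* Hypothetical vulnerability record: which static and runtime preconditions
 * an exploit needs. Field names and weights are assumptions for this example. */
typedef struct {
    const char *id;
    const char *vuln_pkg;       /* static: package must be present in the image  */
    int needs_root;             /* static: image must run its process as root    */
    int needs_lib_loaded;       /* runtime: the vulnerable library must be mapped */
    int needs_net_exposure;     /* runtime: the process must listen on a socket   */
    int base_score;             /* severity when every precondition holds         */
} vuln_t;

/* Constructed static-scan result for one image (package list is NULL-terminated). */
typedef struct {
    const char *packages[MAX_ITEMS];
    int runs_as_root;           /* e.g. no USER directive in the image config */
} image_scan_t;

/* Constructed runtime observation of a container started from that image. */
typedef struct {
    const char *loaded_libs[MAX_ITEMS];
    int listening_sockets;
} runtime_obs_t;

static int list_has(const char *const *list, const char *name)
{
    for (size_t i = 0; i < MAX_ITEMS && list[i]; i++)
        if (strcmp(list[i], name) == 0)
            return 1;
    return 0;
}

/* Stage 1: first (static) criteria. Returns 1 when runtime monitoring is warranted. */
int static_criteria_met(const vuln_t *v, const image_scan_t *img)
{
    if (!list_has(img->packages, v->vuln_pkg)) return 0;
    if (v->needs_root && !img->runs_as_root)   return 0;
    return 1;
}

/* Stage 2: second (runtime) criteria, distinct from the static ones.
 * Returns 0 when the static gate fails (nothing to monitor), a partial score when
 * only some runtime preconditions hold, and base_score when the bug is reachable. */
int assess_risk(const vuln_t *v, const image_scan_t *img, const runtime_obs_t *rt)
{
    if (!static_criteria_met(v, img)) return 0;
    int needed = 0, met = 0;
    if (v->needs_lib_loaded)   { needed++; if (list_has(rt->loaded_libs, v->vuln_pkg)) met++; }
    if (v->needs_net_exposure) { needed++; if (rt->listening_sockets > 0)              met++; }
    if (needed == 0) return v->base_score;          /* no runtime preconditions to wait for */
    return v->base_score * met / needed;
}

int main(void)
{
    const vuln_t v = { "HYPO-2023-0001", "libfoo", 1, 1, 1, 90 };   /* constructed */
    const image_scan_t img = { { "libfoo", "bash", NULL }, 1 };
    const runtime_obs_t exposed = { { "libfoo", NULL }, 1 };
    const runtime_obs_t idle    = { { "libfoo", NULL }, 0 };
    printf("%s risk (exposed): %d\n", v.id, assess_risk(&v, &img, &exposed));
    printf("%s risk (idle):    %d\n", v.id, assess_risk(&v, &img, &idle));
    return 0;
}
```

The point worth keeping from the split is that a package merely being present in the image is not the same as the vulnerable code being reachable; the runtime stage is what separates "patch eventually" from "patch now", and a container that fails the static gate never consumes monitoring resources.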

Method and device for dynamically managing kernel node
11579899 · 2023-02-14

A method and a device for managing a node include: initiating, by an application program, a first request by calling an interface function, where the first request is used to perform an operation on a feature node in a kernel; searching, based on a keyword of the interface function, a table used for node management for an entry corresponding to the feature node, where the entry includes a node identifier of the feature node and a user handle identifier of the feature node; and performing, by the application program, the operation on the feature node based on the user handle identifier. A program running in user space is thereby prevented from directly accessing a feature node in kernel space, which improves system security.

METHOD FOR VERIFYING AN EXECUTION OF A SOFTWARE PROGRAM
20230040093 · 2023-02-09

A method can be used for verifying an execution of a compiled software program stored in a program memory of a processor and executed by the processor. A write operation includes assigning a destination address in a register of the processor and writing a datum at a location pointed to by the destination address contained in the register. A verification operation includes reassigning the same destination address in the same register, reading the datum contained at the location pointed to by the destination address contained in the register after the reassignment, and comparing the read datum and the written datum.
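The write-then-verify sequence above is a classic countermeasure against fault injection (instruction skips, glitched address registers). As an added example, not the patent's own code, here it is approximated in C: the destination address is rebuilt from the source operands for the read-back rather than reused from the store, and two injected fault models show what the comparison catches. The `verified_store32` name, the `fault_t` injection switch and the GCC/clang barrier macro are constructions for this example; a real implementation would pin the address to a register in assembly.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Outcome of a verified write. */
typedef enum { VSTORE_OK = 0, VSTORE_MISMATCH = 1 } vstore_t;

/* Fault models injected for demonstration only (constructed for this example). */
typedef enum {
    FAULT_NONE = 0,
    FAULT_SKIP_STORE = 1,   /* the store instruction is skipped                */
    FAULT_ADDR_OFFSET = 2   /* the address register is corrupted before store */
} fault_t;

/* Compiler barrier so the second address computation and the read-back are not
 * folded into the first (the C analogue of re-loading the register). */
#define BARRIER() __asm__ __volatile__("" ::: "memory")

/* Write 'value' to base[index], then verify it by reassigning the same
 * destination address, reading it back and comparing with what was written. */
vstore_t verified_store32(volatile uint32_t *base, size_t index, uint32_t value, fault_t fault)
{
    volatile uint32_t *dst = base + index;            /* 1. assign destination address  */
    if (fault == FAULT_ADDR_OFFSET) dst = dst + 1;    /*    (simulated register glitch)  */
    if (fault != FAULT_SKIP_STORE) *dst = value;      /* 2. write the datum              */
    BARRIER();
    volatile uint32_t *chk = base + index;            /* 3. reassign the same address    */
    uint32_t readback = *chk;                         /* 4. read the datum at that spot  */
    BARRIER();
    return (readback == value) ? VSTORE_OK : VSTORE_MISMATCH;  /* 5. compare */
}

int main(void)
{
    volatile uint32_t buf[8] = { 0 };                 /* constructed target memory */
    printf("normal store:   %s\n", verified_store32(buf, 2, 0xDEADBEEFu, FAULT_NONE) ? "MISMATCH" : "ok");
    printf("skipped store:  %s\n", verified_store32(buf, 4, 0xCAFEBABEu, FAULT_SKIP_STORE) ? "MISMATCH" : "ok");
    printf("glitched addr:  %s\n", verified_store32(buf, 5, 0x12345678u, FAULT_ADDR_OFFSET) ? "MISMATCH" : "ok");
    return 0;
}
```

Two caveats a practitioner should keep in mind. First, a skipped store is only detected if the location did not already hold the value being written, so sensitive flags are typically cleared (or pre-filled with a sentinel) before the verified write. Second, the comparison itself is a branch and can be glitched too; production countermeasures repeat the check or use redundant encodings of the result rather than a single equality test.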

Security enhancement in hierarchical protection domains

Methods and systems allow software components operating at a given exception level (e.g., EL-3 to EL-1) to repeatedly or continuously observe or evaluate the integrity of software components operating at a lower exception level (e.g., EL-2 to EL-0), to ensure that those components have not been corrupted or compromised (e.g., by malware or cyberattacks). A computing device identifies, by a component operating at a higher exception level (an "HEL component"), at least one of a current vector base address (VBA), an exception raising instruction (ERI) address, or a control and system register value associated with a component operating at a lower exception level (an "LEL component"). The computing device may perform a responsive action in response to determining that the current VBA, the ERI address, or the control and system register value does not match the corresponding reference data.

Systems and methods for event-based application control

Systems and methods are disclosed for event-based application control. A system extension is configured to leverage an endpoint security API for monitoring event activity within operating system kernel processes. The system extension registers with the endpoint security API particular event types for which the system extension would like to receive notifications. In response to receiving notifications regarding detected events corresponding to the registered event types, the system extension determines if the event, and its corresponding process, are safe and allowable to execute. In various embodiments, the system leverages whitelists, blacklists, and rules policies for making a safeness determination regarding the event notification. The system extension transmits this determination to the operating system via the endpoint security API.

INTERMODAL CALLING BRANCH INSTRUCTION
20230010863 · 2023-01-12

Processing circuitry has a handler mode and a thread mode. In response to an exception condition, a switch to handler mode is made. In response to an intermodal calling branch instruction specifying a branch target address when the processing circuitry is in the handler mode, an instruction decoder controls the processing circuitry to save a function return address to a function return address storage location; switch a current mode of the processing circuitry to the thread mode; and branch to an instruction identified by the branch target address. This can be useful for deprivileging of exceptions.

Malware mitigation based on runtime memory allocation

A compute instance is instrumented to detect certain kernel memory allocation functions, in particular functions that allocate heap memory and/or make allocated memory executable. Dynamic shell code exploits can then be detected when code executing from heap memory allocates additional heap memory and makes that additional heap memory executable.
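The detection rule above, as an added example that is not the patent's code: a tracker records every kernel heap allocation the instrumentation sees together with the return address of the caller, and raises an alert when code whose program counter lies inside a heap region allocates more heap and then makes it executable. The hook names, the fixed-size region table and the addresses in the scenario are constructions for this example; on a real system the hooks would sit on the allocator and on the page-permission path (for instance `set_memory_x()` on Linux).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_REGIONS 32

/* One tracked heap allocation (constructed model of the instrumentation's bookkeeping). */
typedef struct {
    uintptr_t start;
    size_t    len;
    int       in_use;
    int       executable;          /* made executable through the instrumented path   */
    int       allocated_from_heap; /* the allocating caller was itself running on heap */
} region_t;

typedef struct {
    region_t regions[MAX_REGIONS];
    int alerts;
} tracker_t;

static region_t *find_region(tracker_t *t, uintptr_t addr)
{
    for (int i = 0; i < MAX_REGIONS; i++) {
        region_t *r = &t->regions[i];
        if (r->in_use && addr >= r->start && addr - r->start < r->len)
            return r;
    }
    return NULL;
}

/* Hook on the heap allocator: record the new region and whether the caller's
 * return address (caller_pc) already lies inside a tracked heap region. */
int on_heap_alloc(tracker_t *t, uintptr_t caller_pc, uintptr_t start, size_t len)
{
    int from_heap = find_region(t, caller_pc) != NULL;
    for (int i = 0; i < MAX_REGIONS; i++) {
        region_t *r = &t->regions[i];
        if (r->in_use) continue;
        r->start = start; r->len = len; r->in_use = 1;
        r->executable = 0; r->allocated_from_heap = from_heap;
        return 0;
    }
    return -1;   /* table full; a real tracker would log and evict, never silently drop */
}

/* Hook on the make-executable path.
 * Returns 1 = alert (heap-resident code allocated this region and is now making it
 * executable), 0 = benign, -1 = address is not in a tracked heap region. */
int on_make_executable(tracker_t *t, uintptr_t caller_pc, uintptr_t addr)
{
    region_t *r = find_region(t, addr);
    if (!r) return -1;
    r->executable = 1;
    region_t *caller = find_region(t, caller_pc);
    if (caller && caller->executable && r->allocated_from_heap) {
        t->alerts++;
        return 1;
    }
    return 0;
}

int on_heap_free(tracker_t *t, uintptr_t start)
{
    region_t *r = find_region(t, start);
    if (!r) return -1;
    r->in_use = 0;
    return 0;
}

int main(void)
{
    tracker_t t = { 0 };
    const uintptr_t text_pc = 0xffff800000100000ull;   /* constructed: legitimate kernel text   */
    const uintptr_t heap_a  = 0xffff888000001000ull;   /* constructed: first-stage heap region   */
    const uintptr_t heap_b  = 0xffff888000010000ull;   /* constructed: second-stage heap region  */

    on_heap_alloc(&t, text_pc, heap_a, 0x1000);                 /* normal allocation           */
    on_make_executable(&t, text_pc, heap_a);                    /* e.g. a JIT: benign (0)      */
    on_heap_alloc(&t, heap_a + 0x100, heap_b, 0x2000);          /* caller runs from heap_a     */
    int verdict = on_make_executable(&t, heap_a + 0x100, heap_b); /* second stage: alert (1)  */
    printf("verdict=%d alerts=%d\n", verdict, t.alerts);
    return 0;
}
```

Legitimate JIT-style users (the first make-executable call above) are not flagged, because their caller runs from kernel text; the rule fires only on the second step, where code that is itself heap-resident stages more executable heap. The caller return address must be captured by the hook itself (from the stack or link register), not trusted from any argument an attacker controls.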

Context-based secure controller operation and malware prevention

In one implementation, a method for providing security on an externally connected controller includes: launching, by the controller, a security layer that includes a whitelist of permitted processes on the controller, the whitelist including (i) signatures for processes that are authorized to be executed and (ii) context information identifying the permitted controller contexts within which those processes are authorized to be executed; determining, by the security layer, whether a particular process is permitted to run on the controller based on a comparison of the determined signature of that process with a verified signature for the process from the whitelist; identifying, by the security layer, a current context for the controller; and determining, by the security layer, whether the particular process is permitted to run on the controller based on a comparison of the current context with one or more permitted controller contexts for that process from the whitelist.