
Researchers Submit Patent Application, "Identifying Exploitation of Vulnerabilities Using Error Reports", for Approval

September 9, 2014

By a News Reporter-Staff News Editor at Life Science Weekly -- From Washington, D.C., NewsRx journalists report that a patent application by the inventors Lambert, John J. (Redmond, WA); Thomlinson, Matthew W. (Seattle, WA); Lucas, Alexander R.G. (Cheltenham, GB); Kelly, James P. (Cheltenham, GB); Carter, David S. (Cheltenham, GB); Diver, Matthew I. (Cheltenham, GB); Crowe, Emma L. (Cheltenham, GB), filed on April 25, 2014, was made available online on August 28, 2014 (see also Microsoft Corporation).

The patent's assignee is Microsoft Corporation.

News editors obtained the following quote from the background information supplied by the inventors: "Computer viruses, spyware, other types of malware, and hackers' unauthorized access/use of computer systems have been a problem for many years. Often, a first step in such unauthorized access/use of a computer is to gain a foothold on the target computer via a security vulnerability. The executable code, script, macro, or other technique to gain this initial foothold may be referred to as an exploit, or exploit code. Once the foothold has been accomplished, the actual malware may be installed and executed, although in some cases, the exploit and malware may be the same executable. An industry has developed around detection of viruses, malware, and detection of known techniques for infiltrating computers. Numerous companies deliver virus protection and removal software and firewall products each targeted at identifying known threats and preventing known hacking techniques from infiltrating a computer.

"Similarly, operating system and application program vendors are watchful for vulnerabilities that allow hackers and malware authors to gain access to a system. However, hackers and virus authors are both clever and persistent. New exploit code and methods are always being developed and deployed. To date, the only source of information for preventative measures was to analyze successful hacks and determine after the fact how to identify and block attempts or remove results of a previously unknown incursion. However, in some cases, after successfully installing the malware, the exploit code may be 'cleaned up,' to cover the actual vulnerability."

As a supplement to the background information on this patent application, NewsRx correspondents also obtained the inventors' summary information for this patent application: "A tool that analyzes error reports, such as crash dumps and hang reports, allows detection of unsuccessful attempts to subvert a computer's defenses, allowing preventative measures to be implemented before exploit code or an exploit technique can be fine tuned and widely distributed, i.e. 'weaponized.' A small, but measurable, number of reportable computer errors are due to failed exploit attempts. Exploit attempts are often trial and error procedures and may fail for a number of reasons, including reaching an incorrect memory location, triggering a data execution protection fault, etc. Users will rarely associate an error report with such a failed exploit attempt, so the hacker or exploit writer has other chances to perfect an exploit before the exploit is discovered.

"The tool that examines error reports does not simply look for known malware or already-discovered exploit code, but rather looks for evidence of tampering associated with attacks, to determine what area of an operating system or application is being targeted for subversion. Even error reports unrelated to failure of an exploit, for example, a crash related to a defective video card, may reveal an exploit or malware. The tool may determine not only the presence of an exploit, but its location and current state. For example, a malware decoder simply in memory may not be as interesting to an investigator as a malware decoder that was being executed when the error report occurred. Decoder loops and other evidence of a hack-in-progress, such as NOP sleds and common types of shellcode, can be detected in an error report, along with evidence of inconsistent control structures or disabled internal defenses. This information can then be used to paint a picture of how the attack was initiated and what vulnerability or potential vulnerability was being targeted.

"The tool may also be used to track a hierarchy of the attack so even if an initial infection/security subversion attempt was successful, and subsequent installation of malware was successful, the failure of an attempt to steal a password may cause an error report that leaves a forensic trail back to the original infection/subversion.


"FIG. 1 is a block diagram showing a system-level view of a networked computer environment;

"FIG. 2 is a block diagram showing an electronic device in the form of a computer supporting error report analysis for exploit detection;

"FIG. 3 is a block diagram showing selected portions of a computer similar to that of FIG. 2 in more detail; and

"FIG. 4 is a flow chart illustrating a method of examining an error report for exploits."
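
The summary quoted above describes finding NOP sleds in an error report, noting a data execution protection fault, and separating code that was merely in memory from code that was executing when the report was generated. The following triage routine illustrates that idea; it is an added example, not code from the patent application or from any Microsoft tool, and the report layout, region names, thresholds and sample bytes are constructed assumptions.

```python
import re

MIN_SLED = 32  # assumed threshold; short NOP runs are normal alignment padding
SLED_RE = re.compile(rb"\x90{%d,}" % MIN_SLED)  # single-byte x86 NOP only

def find_sleds(region):
    """Return (start_address, length) for each long NOP run in one region."""
    return [(region["base"] + m.start(), len(m.group()))
            for m in SLED_RE.finditer(region["data"])]

def triage(report, slack=16):
    """Return (kind, region, address, length) findings for a parsed report."""
    ip = report["fault_ip"]
    findings = []
    for region in report["regions"]:
        end = region["base"] + len(region["data"])
        # Faulting instruction pointer inside non-executable memory: the
        # pattern a data execution protection fault leaves behind.
        if region["base"] <= ip < end and not region["executable"]:
            findings.append(("dep_fault", region["name"], ip, 0))
        for start, length in find_sleds(region):
            # A sled the CPU was inside (or had just run off the end of) is
            # more interesting than one merely resident in memory.
            active = start <= ip < start + length + slack
            kind = "nop_sled_executing" if active else "nop_sled_resident"
            findings.append((kind, region["name"], start, length))
    return findings

# Constructed sample: hypothetical layout for an already-parsed error report.
SAMPLE_REPORT = {
    "fault_ip": 0x0C0C0020,
    "regions": [
        {"name": "heap", "base": 0x0C0C0000, "executable": False,
         "data": b"\x41" * 16 + b"\x90" * 48 + b"\xcc" * 16},
        {"name": "image.text", "base": 0x00401000, "executable": True,
         "data": b"\x55\x8b\xec" + b"\x90" * 4 + b"\xc3"},
        {"name": "stack", "base": 0x0012F000, "executable": False,
         "data": b"\x00" * 8 + b"\x90" * 40 + b"\x00" * 8},
    ],
}

if __name__ == "__main__":
    for kind, name, addr, length in triage(SAMPLE_REPORT):
        print(f"{kind:20} {name:12} 0x{addr:08X} len={length}")
```

The four-byte NOP run in the constructed `image.text` region is ordinary padding and produces no finding, which is why a length threshold is needed before treating a run as a sled.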

For additional information on this patent application, see: Lambert, John J.; Thomlinson, Matthew W.; Lucas, Alexander R.G.; Kelly, James P.; Carter, David S.; Diver, Matthew I.; Crowe, Emma L. Identifying Exploitation of Vulnerabilities Using Error Reports. Filed April 25, 2014 and posted August 28, 2014. Patent URL:

Keywords for this news article include: Microsoft Corporation.

Our reports deliver fact-based news of research and discoveries from around the world. Copyright 2014, NewsRx LLC


Source: Life Science Weekly
