Patent attributes
Described systems and methods allow protecting a host computer system from malicious software, such as return-oriented programming (ROP) and jump-oriented programming (JOP) exploits. In some embodiments, a processor of the host system is endowed with two counters storing a count of branch instructions and a count of inter-branch instructions, respectively, occurring within a sequence of instructions. Exemplary counted branch instructions include indirect JMP, indirect CALL, and RET on x86 platforms, while inter-branch instructions consist of instructions executed between two consecutive counted branch instructions. The processor may be further configured to generate a processor event, such as an exception, when a value stored in a counter exceeds a predetermined threshold, and/or when a branch instruction redirects execution to a critical OS function. Such events may be used as triggers for launching a malware analysis to determine whether the host system is subject to a code reuse attack.
