Process Code Segment Verification
Comparing the "text" or "code" memory segments to a source of truth.
How it works
A process code segment is an executable portion of computer memory allocated to a particular process. Process Code Segment Verification implements verification to compare a process code segment to some expected value.
Verification can occur during application startup, or continuously during execution. The logic which verifies the process code may be separate in a third-party process, embedded in the application itself at compile time, or dynamically linked at runtime.
System of record
Examples of systems of record:
- On-disk application binary files or checksums
- Remotely stored binary data or checksums
- Embedded binary data or checksums
Post Verification Actions
If the verification function determines a process code segment may have been altered, a capability may invoke Eviction techniques as Process Termination to end the current process, or Executable Blacklisting to prevent the executable from launching in the future.
False positives commonly occur in the case that the layout of code in the process segment is legitimately modified:
Operating system features or third-party security software may modify the layout of process code, for example in the defensive technique Segment Address Offset Randomization, or in the case that a module is rebased. In both of these cases, the alteration occurs before the code is fully loaded into memory, and it would be possible to avoid the false positive by securely feeding this constant offset and any relocation data into the verification logic.
Process code segments may be written to modify themselves or other process code segments; however, this goes against widely-accepted current practices in software development.
False negatives can occur via alteration of the verification logic or source of truth, or insufficient verification logic.
Verification techniques which are executed only locally may be defeated by altering the local verification logic.
Verification that is run only on a recurring basis could be evaded if the malicious alteration is completed before verification is run.
Verification that requests an operation to be performed on a subset of the code segment could be evaded by performing that operation on a copy of the relevant bytes of the code segment.
Verification based on a system of record that can be altered may fail if that system of record is modifiable by a malicious user.