WO2016107082A1 - Processor instruction check method during program execution - Google Patents


Info

Publication number
WO2016107082A1
Authority
WO
WIPO (PCT)
Prior art keywords
address
instruction
code segment
branch target
code
Prior art date
Application number
PCT/CN2015/081034
Other languages
French (fr)
Chinese (zh)
Inventor
邹鹏
吕雅帅
吴玲达
赵忠文
王宇
杨超
郭静
Original Assignee
中国人民解放军装备学院
Priority date
Filing date
Publication date
Application filed by 中国人民解放军装备学院
Publication of WO2016107082A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities


Abstract

A method for checking processor instructions during program execution, comprising mainly the following: before the program runs, the address of every correct instruction in all code segments of the program is computed; these correct-instruction addresses are then converted into address check data; finally, while the program runs, whenever the processor has computed the branch target address of a branch-transfer instruction but has not yet committed its result, the computed branch target address is checked against that data. The method can be used to stop malicious code constructed from abnormal (unintended) instruction sequences of a program from being executed on the processor.

Description

A method for verifying processor instructions during program execution

Technical field
The present invention relates to the field of computer security and can be used to prevent malicious code, constructed from abnormal (unintended) instruction sequences of a program, from being executed on a processor.
Background
Exploiting software vulnerabilities to carry out code-injection attacks has long been the most popular form of malicious-code attack. In recent years, however, computer systems have all introduced a combined hardware/software memory-protection mechanism (its name appears only as an image in the original, Figure PCTCN2015081034-appb-000001 and -000002), and this mechanism makes code-injection attacks very difficult. The mechanism stipulates that writing to and executing a memory page of the operating system are mutually exclusive: a memory page that holds executable code cannot be written, and the contents of a writable memory page cannot be executed. This means that even if malicious code is planted in a memory page, it cannot take effect, because that page cannot be executed.
However, the code-reuse attack technique that has emerged in recent years has become a new means of exploiting software vulnerabilities for malicious-code attacks. A code-reuse attack performs no code injection; instead it reorganizes code that the program already contains (including code in the system runtime libraries) through a series of branch-transfer instructions (jump instructions, function-call instructions, function-return instructions and so on) into a malicious code sequence. Because a code-reuse attack writes no code data into memory pages but uses code the program already has, the mechanism above (Figure PCTCN2015081034-appb-000003) is completely ineffective against it.
Code-reuse attacks pose a far greater threat to CISC instruction-set processors (such as the widely used x86 family) than to RISC instruction-set processors. In a RISC processor all instructions have the same length and the start address of every instruction is an integer multiple of that length; when executing instructions, a RISC processor does not accept an instruction that starts at an address which is not an integer multiple of the instruction length. The instruction length of a CISC processor, by contrast, is not fixed: on an x86 processor, for example, an instruction may be from 1 byte to 16 bytes long. This means that any address in a code segment may be the start address of a new instruction, so constructing malicious code on a CISC processor is easier than on a RISC processor. Published research shows that more than 90% of the malicious code used by code-reuse attacks against x86 processors consists of abnormal instruction sequences of the program, that is, sequences that never occur in the program's own disassembly. Consequently, if the execution of these abnormal instruction sequences can be prevented, the risk of code-reuse attacks against computer systems will be greatly reduced.
At present, computer systems that use a CISC instruction set (such as computers with x86-family processors) have no protection mechanism that prevents the execution of such abnormal instruction sequences. Some academic research has proposed methods to prevent the execution of abnormal x86 instructions, but all of them are implemented in software and require the application to run inside a software virtual-machine environment, which greatly reduces application performance. The present invention proposes a combined hardware/software protection mechanism that prevents the processor from executing abnormal instruction sequences; it does not depend on a virtual-machine environment, requires no modification of the application, and costs very little in runtime performance. The method of the present invention can be applied to x86 and other CISC processor families. To date, no method that uses a similar approach to block the execution of abnormal instructions has been reported.
Summary of the invention
The object of the present invention is to reduce the risk of computer systems being subjected to code-reuse attacks and to other malicious-code attacks that exploit abnormal instructions.
The invention is a method for verifying processor instructions while a program runs, characterized in that the method consists of the following steps:
(1) Before the program runs, compute the address of every correct instruction in all code segments of the program, as follows:
For each code segment, obtain the address of the first instruction at the start of the segment from the code-segment information, then disassemble the segment starting from that first instruction, obtaining in sequence the length of every instruction in the segment; thereafter the address of each instruction is the address of the previous instruction plus the length of the previous instruction;
(2) Convert the addresses of the correct instructions into address check data, as follows:
Merge code segments that are contiguous in the address space into one code segment for processing. Let the start load address of the merged segment be a_0 and its end address be a_1. For every address in the range a_0 to a_1, if the address is the start address of a correct instruction, represent it by a single bit "1", otherwise by a single bit "0" (or, equivalently, by a "0" for the start address of a correct instruction and a "1" otherwise). While the program runs, the address check data is kept in memory so that the processor can query it when verifying an instruction. The start load address, the segment size and the address of the address check data of every merged code segment are recorded in a table for lookup while the program runs;
(3) While the program runs, when the processor has computed the branch target address of a branch-transfer instruction but has not yet committed the result, verify the computed branch target address. Let the branch target address to be verified be a_t; the verification method is:
1) Verify the address a_t against a branch target check cache, which holds the branch target addresses of branch instructions that have just executed successfully. If the branch address a_t to be verified matches one of the addresses in the branch target check cache, verification succeeds and the processor continues normal execution; otherwise step 2) is performed.
2) First find the code segment to which address a_t belongs, that is, determine which code segment's address range contains a_t. If no corresponding code segment is found, a_t is an illegal address: a processor exception is raised and the verification process terminates. Once the code segment containing a_t has been found, let the start address of the first instruction of that segment be a_0; the corresponding address check data is then located from the offset of a_t relative to a_0, as follows. Let the address check data of the segment be stored at address a_c, and fetch the byte at address

    a_c + ⌊(a_t − a_0) / 8⌋

where the operation ⌊n⌋ denotes the largest integer not exceeding n. Bit number (a_t − a_0) % 8 + 1 of that byte is the check data for address a_t, where % denotes the modulo operation. If the check data indicates that a_t is the start address of a correct instruction, verification succeeds, the processor continues normal execution, and the branch target check cache is updated with address a_t; otherwise verification fails and a processor exception is raised.
This method can completely block the execution of abnormal instructions in application code and in system library code; applying it greatly reduces the risk of code-reuse attacks against CISC processors.
Detailed description of an embodiment
In the following, a computer system with an x86-family processor running the Linux operating system is taken as an example to describe a specific embodiment of the invention. All memory addresses mentioned below are virtual addresses.
1. After the operating system has loaded the application or a dynamic shared library, compute the address of every correct instruction in each code segment:
ELF is the executable file format used by current Linux operating systems. When an ELF executable or shared library is loaded into memory, the operating system knows the start address in memory of the first instruction of each code segment. Following the encoding rules of the x86 instruction set, the binary data of the entire code segment can be disassembled, starting from the first instruction, into a sequence of legal x86 instructions, and from the address of the first instruction and the length of each disassembled instruction the memory address of every instruction can be computed in turn.
2. Convert the correct-instruction addresses computed in step 1 into address check data:
Merge several code segments that are contiguous in the address space into one code segment for processing. Suppose the start load address of a merged code segment is A and its end address is B. For each address in the range A to B, if the address is the start address of a correct instruction it is represented by a single bit "1", otherwise by a single bit "0". Because the address check data is read-only, it is placed in the code-segment space of the program, and the processor accesses it through the instruction cache or through a separate instruction-check cache. In addition, the start load address, the segment size and the address of the address check data of every merged code segment are recorded in a table, called the code segment check lookup table, which is kept as part of the operating system's process data structure for lookup while the program runs.
3. While the program runs, when the processor has computed the branch target address of a branch-transfer instruction but has not yet committed the result, verify the computed branch target address:
When the pipeline's commit unit is about to commit the result of an indirect branch instruction, the branch target address of that branch instruction is verified. If the branch target address is legal, the processor continues normal execution; otherwise a processor exception is raised. The verification proceeds as follows:
(1) First, the branch target address is checked against a branch target check cache, which holds the branch target addresses of recently and successfully executed branch instructions. In hardware, this branch target check cache is placed near the processor's commit unit, so it can be accessed quickly. When the branch target address to be verified hits this cache, the branch target is legal and the processor continues normal execution. If there is no hit, step (2) is performed;
(2) Current mainstream processors usually have at least one branch predictor. Because the branch predictor is usually located near the processor's fetch unit, the latency of accessing it is usually greater than that of directly accessing the branch target check cache near the commit unit; on the other hand, the branch target check cache can be given fewer entries to save hardware cost. The branch predictor contains a BTB (branch target buffer) component; when the branch target address to be verified misses the branch target check cache near the commit unit, the BTB in the branch predictor can be queried. A hit indicates that the branch target is legal and the processor continues normal execution; otherwise step (3) is performed;
(3) Use the code segment check lookup table cache to find the code segment in which the branch target address lies. This cache is a partial image, inside the processor, of the code segment check lookup table stored in memory, and holds the recently accessed code-segment table entries. If the code-segment information corresponding to the branch target address is found in the code segment check lookup table cache, step (4) is performed. Otherwise an interrupt is raised, and during interrupt handling the operating system searches the complete code segment check lookup table for the code segment containing the branch target address to be verified. If the search fails, the branch target address is illegal and a processor exception is raised; if the corresponding code segment is found, its information is used to update the code segment check lookup table cache, the interrupt returns, and execution continues with step (4);
(4) Let the branch target address to be verified be a_t, let the address of the first instruction of the code segment found in step (3) be a_0, and let the address check data of that segment be stored at memory address a_c. Then bit number (a_t − a_0) % 8 + 1 of the byte at memory address

    a_c + ⌊(a_t − a_0) / 8⌋

is the check data for address a_t. To access this address correctly, the address a_c + ⌊(a_t − a_0) / 8⌋ is first translated into a physical address through the ITLB (Instruction Translation Lookaside Buffer), and the check data at that address is then accessed through the level-1 instruction cache, the level-2 cache and so on, just as instruction data in memory is accessed. To improve verification performance, a separate check cache can be provided in place of the level-1 instruction cache. Once the check data has been obtained, a value of "1" indicates that a_t is the start address of a correct instruction: the processor continues normal execution and the branch target check cache is updated with address a_t. Otherwise verification fails and a processor exception is raised.
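The procedure in steps 1 to 3 above (and the corresponding steps (1) to (3) of the summary) can be modelled in software to see how the check data is laid out and consulted. The following C program is an added example written for this page; it is not code from the patent or its applicant. It builds the address check data from a constructed list of instruction lengths (standing in for the output of the x86 disassembly, which is not reproduced here), records the segment in a one-entry code segment check lookup table, and then verifies branch targets through a small branch target check cache followed by the bitmap lookup at a_c + ⌊(a_t − a_0)/8⌋. The cache organisation (a four-entry direct-mapped array), the constant and function names, and the addresses are assumptions; the BTB query of sub-step (2) and the lookup-table cache of sub-step (3) are left out.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed input (not from a real binary): one merged code segment loaded
 * at SEG_START whose disassembly from the first instruction yielded these
 * instruction lengths, in order. */
#define SEG_START 0x400000ull
static const uint8_t kInsnLen[] = {1, 3, 2, 5, 1, 6, 2, 4, 1, 3};
#define N_INSN (sizeof kInsnLen / sizeof kInsnLen[0])

/* One entry of the code segment check lookup table. */
struct seg_entry {
    uint64_t start;     /* a_0: start load address of the merged segment */
    uint64_t size;      /* a_1 - a_0 */
    uint8_t *checkdata; /* a_c: one bit per address, 1 = correct instruction start */
};

/* Steps 1 and 2: walk the instruction lengths (address of instruction i+1 is
 * the address of instruction i plus its length) and set one bit per valid start. */
static struct seg_entry build_checkdata(uint64_t start, const uint8_t *lens, size_t n)
{
    uint64_t size = 0;
    for (size_t i = 0; i < n; i++) size += lens[i];
    struct seg_entry e = { start, size, calloc((size + 7) / 8, 1) };
    if (!e.checkdata) { perror("calloc"); exit(1); }
    uint64_t addr = start;
    for (size_t i = 0; i < n; i++) {
        uint64_t off = addr - start;                      /* a_t - a_0 for this instruction */
        e.checkdata[off / 8] |= (uint8_t)(1u << (off % 8));
        addr += lens[i];
    }
    return e;
}

/* Branch target check cache near the commit unit: a few recently verified
 * targets, modelled here as a tiny direct-mapped array (an assumption; the
 * patent does not fix its organisation). */
#define BTC_ENTRIES 4
static uint64_t btc_addr[BTC_ENTRIES];
static bool     btc_valid[BTC_ENTRIES];

static bool btc_hit(uint64_t a)    { size_t i = a % BTC_ENTRIES; return btc_valid[i] && btc_addr[i] == a; }
static void btc_update(uint64_t a) { size_t i = a % BTC_ENTRIES; btc_addr[i] = a; btc_valid[i] = true; }

enum verdict { V_CACHE_HIT, V_CHECKDATA_OK, V_NO_SEGMENT, V_MID_INSTRUCTION };

/* Step 3: verify branch target a_t before the branch commits. Any verdict other
 * than V_CACHE_HIT or V_CHECKDATA_OK corresponds to a processor exception. */
static enum verdict verify_branch_target(uint64_t at, const struct seg_entry *tab, size_t ntab)
{
    if (btc_hit(at)) return V_CACHE_HIT;                       /* sub-step 1) */

    const struct seg_entry *seg = NULL;                        /* sub-step 2): find the segment */
    for (size_t i = 0; i < ntab; i++)
        if (at >= tab[i].start && at < tab[i].start + tab[i].size) { seg = &tab[i]; break; }
    if (!seg) return V_NO_SEGMENT;

    uint64_t off  = at - seg->start;                           /* a_t - a_0 */
    uint8_t  byte = seg->checkdata[off / 8];                   /* byte at a_c + floor((a_t-a_0)/8) */
    if (!((byte >> (off % 8)) & 1u))                           /* bit (a_t-a_0)%8, counted from 0 */
        return V_MID_INSTRUCTION;
    btc_update(at);                                            /* remember the verified target */
    return V_CHECKDATA_OK;
}

int main(void)
{
    struct seg_entry tab[1] = { build_checkdata(SEG_START, kInsnLen, N_INSN) };
    /* Constructed branch targets: a real instruction start, the same target
     * again (now served from the check cache), an address inside an
     * instruction, and an address outside every code segment. */
    uint64_t targets[] = { 0x400006, 0x400006, 0x400007, 0x400100 };
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++)
        printf("target 0x%llx -> verdict %d\n", (unsigned long long)targets[i],
               (int)verify_branch_target(targets[i], tab, 1));
    free(tab[0].checkdata);
    return 0;
}
```

The bit index is counted from 0 here, whereas the patent text numbers bits from 1 ("(a_t − a_0) % 8 + 1"); both select the same bit. With the constructed lengths the valid instruction starts are at offsets 0, 1, 4, 6, 11, 12, 18, 20, 24 and 25, so the four bytes of check data are 0x53, 0x18, 0x14 and 0x03, and a branch to 0x400007 (one byte into the 5-byte instruction at 0x400006) is rejected even though it lies inside the segment.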
The above is only a specific embodiment of the present invention; the scope of protection of the invention is not limited to it, and any variation or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the invention falls within its scope of protection. The scope of protection of the invention should therefore be determined by the scope of the claims.

Claims (1)

  1. 一种程序运行时处理器指令校验方法,其特征是该校验方法步骤如下:A program runtime processor instruction verification method, characterized in that the verification method steps are as follows:
    (1)在程序运行之前,计算出程序所有代码段中每条正确指令的地址,其方法是:(1) Before the program runs, calculate the address of each correct instruction in all code segments of the program by:
    For each code segment, the address of the first instruction at the start of the segment is obtained from the code segment information; the segment is then disassembled starting from that first instruction, and the length of every instruction in the segment is obtained in turn from the disassembly, so that the address of each subsequent instruction is the address of the previous instruction plus the length of the previous instruction;
    (2) Convert the addresses of the correct instructions into address check data, as follows:
    Merge code segments that are contiguous in the address space into one code segment for processing. Let the starting load address of the merged segment be a_0 and its end address be a_1. For every address in the range a_0 to a_1, if that address is the start address of a correct instruction it is represented by one bit "1", otherwise by one bit "0" (alternatively, a "0" bit may denote the start address of a correct instruction and a "1" bit the opposite). While the program runs, the address check data is kept in memory so that the processor can look it up when checking an instruction. The starting load address, the segment size and the address of the address check data of every merged code segment are recorded in a table for lookup at run time;
    (3) While the program runs, when the processor has computed the branch target address of a branch instruction but has not yet committed the result, the computed branch target address is checked. Let the branch target address to be checked be a_t; the check proceeds as follows:
    1) Check the address a_t against a branch target check cache, which holds the branch target addresses of branch instructions that have just executed successfully. If the branch address a_t to be checked matches one of the addresses in the branch target cache, the check succeeds and the processor continues normal execution; otherwise step 2) must be performed.
    2) First locate the code segment corresponding to address a_t, that is, determine which code segment's address range contains a_t. If no corresponding code segment is found, a_t is an illegal address; a processor exception is raised and the check terminates. Once the code segment corresponding to a_t is found, let the start address of the first instruction of that segment be a_0; the corresponding address check data is then located from the offset of a_t relative to a_0, as follows: let the address check data of that segment be stored at address a_c, and fetch the one byte at address a_c + ⌊(a_t − a_0)/8⌋ (formula image PCTCN2015081034-appb-100001 of the original page), where the operation ⌊n⌋ (image PCTCN2015081034-appb-100002) denotes the largest integer not exceeding n; bit number (a_t − a_0) % 8 + 1 of that byte is the check data for address a_t, where % denotes the modulo operation. If the check data indicates that a_t is the start address of a correct instruction, the check succeeds, the processor continues normal execution and the branch target check cache is updated with address a_t; otherwise the check fails and a processor exception is raised.
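The procedure of steps (1) to (3), as an added software model that is not part of the patent: the instruction lengths, the load address 0x400000 and the four-entry cache are constructed assumptions, and the bitmap uses the "1 = correct instruction start" encoding with 0-indexed bits where the claim counts from 1.

```python
# Added example, not code from the patent: a software model of the claimed check.
# Step (2) records one bit per byte address marking correct instruction starts;
# step (3) checks a computed branch target first against a small cache of
# recently verified targets, then against that bitmap through the segment table.
from collections import deque

def build_check_data(a0, lengths):
    """Steps (1) and (2) for one merged segment loaded at a0 whose disassembly
    gave the instruction lengths in order. Returns (a1, check_data): bit
    off % 8 of byte off // 8 is 1 iff address a0 + off starts an instruction."""
    size = sum(lengths)
    data = bytearray((size + 7) // 8)
    addr = a0
    for n in lengths:
        off = addr - a0
        data[off // 8] |= 1 << (off % 8)   # the patent's bit (off % 8) + 1, 1-indexed
        addr += n                           # next start = previous start + its length
    return a0 + size, data

class BranchTargetChecker:
    def __init__(self, table, cache_size=4):
        self.table = table                     # [(a0, a1, check_data)] per merged segment
        self.cache = deque(maxlen=cache_size)  # the branch target check cache

    def verify(self, a_t):
        """Step (3). Returns the outcome as a string; a real processor would raise
        an exception for the two failing outcomes instead of committing the branch."""
        if a_t in self.cache:                  # 3.1: hit on a recently verified target
            return "cache_hit"
        for a0, a1, data in self.table:        # 3.2: find the segment containing a_t
            if a0 <= a_t < a1:
                off = a_t - a0
                byte = data[off // 8]          # the byte at a_c + floor(off / 8)
                if (byte >> (off % 8)) & 1:
                    self.cache.append(a_t)     # remember the good target for next time
                    return "verified"
                return "not_instruction_start" # target lands inside an instruction
        return "illegal_address"               # outside every known code segment

# Constructed sample: one segment at 0x400000 with variable-length instructions.
SEGMENT_A0 = 0x400000
A1, CHECK_DATA = build_check_data(SEGMENT_A0, [1, 3, 2, 5, 1, 2, 4])

if __name__ == "__main__":
    chk = BranchTargetChecker([(SEGMENT_A0, A1, CHECK_DATA)])
    for target in (0x400006, 0x400006, 0x400007, 0x400012):
        print(f"{target:#x}: {chk.verify(target)}")
```

The second lookup of 0x400006 is answered by the cache alone, while 0x400007 lands one byte into a five-byte instruction and 0x400012 is past the segment end, the two cases that would trap.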
PCT/CN2015/081034 2014-12-30 2015-06-09 Processor instruction check method during program execution WO2016107082A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410835359.0 2014-12-30
CN201410835359.0A CN104504329A (en) 2014-12-30 2014-12-30 Method for checking instruction of processor during program execution

Publications (1)

Publication Number Publication Date
WO2016107082A1 true WO2016107082A1 (en) 2016-07-07

Family

ID=52945725

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/081034 WO2016107082A1 (en) 2014-12-30 2015-06-09 Processor instruction check method during program execution

Country Status (2)

Country Link
CN (1) CN104504329A (en)
WO (1) WO2016107082A1 (en)


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15874773

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15874773

Country of ref document: EP

Kind code of ref document: A1