CN101694686A - Dynamic measuring method of buffer overflow on the basis of logic isolation - Google Patents

Dynamic measuring method of buffer overflow on the basis of logic isolation

Info

Publication number: CN101694686A
Authority: CN (China)
Prior art keywords: data, pointer, isolation, stack, buffer
Legal status: Granted
Application number: CN200910092060A
Other languages: Chinese (zh)
Other versions: CN101694686B (en)
Inventors: 沈昌祥, 李晨, 李瑞华, 张兴, 庄琭, 公备
Current assignee: Beijing University of Technology
Original assignee: Beijing University of Technology
Application filed by Beijing University of Technology
Priority to CN200910092060XA
Publication of CN101694686A
Application granted
Publication of CN101694686B
Legal status: Active

Abstract

The invention discloses a dynamic measuring method of buffer overflow on the basis of logic isolation, comprising the steps of logic isolation of buffer data and buffer dynamic measurement on the basis of the logic isolation during operation, so as to detect buffer overflow. Different data types are still stored in continuous linear physical space, without modifying the current structure of the computer system. The dynamic measuring method comprises the following steps: inserting an isolation mark, storing the buffer data in the low-address direction of the isolation mark and the pointer data in the high-address direction of the isolation mark, so that, from the low address to the high address of memory, they form a state space subset, a buffer comprising a plurality of continuous state space subsets; and, based on the logic isolation, checking the completeness of the isolation mark to judge whether a buffer overflow has occurred. The method can be applied to buffers of different applications, in particular to stacks. It is optimized in measuring time and measuring range to overcome the defects of the traditional methods.

Description

Dynamic measurement method for buffer overflow based on logical isolation
Technical field
The present invention relates to the field of information security, and in particular to a dynamic measurement method for buffer overflow based on logical isolation.
Background technology
A buffer overflow occurs when more data is copied into a buffer that has been allocated a fixed amount of storage than that buffer can hold. The overflow destroys the integrity of the data space. Overflows include heap overflows and stack overflows.
A buffer overflow attack uses the overflow to overwrite a pointer to executable code so that it points to injected malicious code, thereby changing the program's control flow and running code injected from outside. The key point of the attack is therefore the destruction of the integrity of the pointer data space.
There are currently two main buffer overflow attack patterns. In the first, the data written to the buffer contains shellcode (executable binary code); when the buffer overflows, the overflowing data overwrites the entry address of executable code (for example a function's return address or a function pointer variable) so that it points to the shellcode, and when the program tries to execute code through that entry address it runs the attacker's shellcode. This is called a code injection attack. In the second, the data the attacker writes into the buffer contains no executable code, only the parameters needed by some system call; the entry address of executable code is overwritten with the address of a system function, and by carefully constructing the parameters the program is made to call that system function with them, for example calling system() with "/bin/sh". This is called a return-into-libc attack.
As early as 1998, Crispin Cowan et al. published a paper titled "StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks" at the 7th USENIX Security Conference, introducing a technique they had studied for detecting stack overflows in the gcc compiler. The StackGuard technique extends the compiler: when a function is called, a randomly generated 4-byte "canary" word is placed between the function's local variables on the stack and the function's return address, and the integrity of the canary is checked before the function returns. If the canary has been destroyed, a buffer overflow has occurred and the program is terminated.
The GS compilation technique that Microsoft uses in Visual C++ .NET was developed by absorbing the ideas of the StackGuard technique.
The GS compile option adds some extra data and operations to every function call in order to detect overflows in the stack:
1. Similarly to StackGuard, whenever a function call occurs an extra random number, the "canary", is pushed into the stack frame. It is called the Security Cookie.
2. The Security Cookie is located before EBP, and the system also stores a copy of the Security Cookie in the .data memory region.
3. When an overflow occurs in the stack, the Security Cookie is overwritten first, and only afterwards EBP and the return address.
4. Before the function returns, the system performs a safety verification operation called the Security Check.
5. During the Security Check, the integrity of the Security Cookie is checked by comparing the Security Cookie in the stack frame with the copy originally stored in .data; if the two differ, the Security Cookie in the stack frame has been destroyed, meaning an overflow has occurred in the stack.
6. When an overflow in the stack is detected, the system enters the overflow error handling flow; the function does not return normally and the ret instruction is not executed.
With the GS security compile option, the operating system can detect and stop the vast majority of stack-based overflow attacks at run time.
However, concrete experiments show that the buffer overflow detection methods above cannot detect all overflow attack methods. Four concrete attack examples are listed below to give an intuitive understanding of several special attack methods and to prepare the ground for the method proposed later in the present invention.
Attack example 1:
As shown in Fig. 1, a number of stack frames are stored in the stack buffer, labelled in order from the stack bottom to the stack top, with stack frame [i] at the stack top.
Suppose that a buffer overflow occurs in some string chari in the buffer data Buf[i] of stack frame [i], and that this overflow ends up affecting the pointer data Pter[i-1] in stack frame [i-1], as shown by the two-dimensional arrow 1 drawn from Buf[i] in Fig. 1. In this case, because the isolation mark Sep[i] logically isolates the buffer data and the pointer data of the adjacent stack frames, whether Pter[i-1] has been overwritten can be judged when stack frame [i] exits by checking the integrity of Sep[i].
But suppose instead that a buffer overflow occurs in some string chari in Buf[i] of stack frame [i] and that this overflow ends up affecting the pointer data Pter[i] in stack frame [i] itself, as shown by the two-dimensional arrow 2 drawn from Buf[i] in Fig. 1. In this case there is no logical isolation mark between the two data types within the same stack frame, so the integrity of Pter[i] cannot be judged by checking Sep[i]. If stack frame [i] stores some code pointer pi that points directly to a section of executable code, as shown by arrow 3 drawn from Pter[i] in Fig. 1, then the overflow above can change pi to point to another section of executable code, as shown by arrow 4 drawn from Pter[i] in Fig. 1.
If the code that pi points to is called before stack frame [j] exits, another unexpected code section is ultimately executed and the attack takes effect. Therefore, an overflow that overwrites a pointer located between two isolation marks must be prevented.
Attack example 2:
As shown in Fig. 2, a number of stack frames are stored in the stack buffer, labelled in order from the stack bottom to the stack top. Stack frame [j] is at the stack top, and stack frame [i] is stored at some location below the top. Stack frame [j] stores some multi-level code pointer pj, and stack frame [i] stores some code pointer pi. The multi-level pointer pj passes addresses through the pointer data between stack frame [j] and stack frame [i] and finally points to pi, as shown by arrow 1 drawn from Pter[j] in Fig. 2. The code pointer pi in stack frame [i] points directly to a section of executable code, as shown by arrow 2 drawn from Pter[i] in Fig. 2, so pj ultimately points to that executable code through address passing. Suppose a buffer overflow occurs in some string charj in the buffer data Buf[j] of stack frame [j], and this overflow ends up affecting the code pointer pi in stack frame [i], as shown by the two-dimensional arrow 3 drawn from Buf[j] in Fig. 2. As a result pi is changed to point to another section of executable code, as shown by arrow 4 drawn from Pter[i] in Fig. 2. If the code that pj points to is called before stack frame [j] exits, then because pj points to pi and pi has been modified by the overflow, another unexpected code section is ultimately executed and the attack takes effect. Therefore, checking only the isolation mark in a stack frame when that frame exits cannot resist this special attack case.
Attack example 3:
As shown in Fig. 3, a number of stack frames are stored in the stack buffer, labelled in order from the stack bottom to the stack top. Stack frame [j] is at the stack top, and stack frame [i] is stored at some location below the top. Stack frame [j] stores some multi-level pointer pj, and stack frame [i] stores some pointer pi. The multi-level pointer pj passes addresses through the pointer data between stack frame [j] and stack frame [i] and finally points to pi, as shown by arrow 1 drawn from Pter[j] in Fig. 3. Suppose a buffer overflow occurs in some string charj in the buffer data Buf[j] of stack frame [j], and this overflow ends up affecting the code pointer pi in stack frame [i], as shown by the two-dimensional arrow 2 drawn from Buf[j] in Fig. 3. As a result pi is changed to point to the code pointer pj' in stack frame [j], as shown by arrow 3 drawn from Pter[i] in Fig. 3. If, after the overflow, input characters are copied into the space that pi points to, the target code pointer pj' is changed through pj to point to an unexpected execution point, as shown by arrow 4 drawn from Pter[j] in Fig. 3. If the code that pj' points to is called before stack frame [j] exits, the program control flow has ultimately been changed and the attack takes effect.
This attack example is a greater threat than attack example 2, mainly because through the intermediate pointer pi it can locate any space in memory. As with attack example 2, checking only the isolation mark in a stack frame when that frame exits cannot resist this special attack case.
Attack example 4:
In the attack patterns above, the overflow is always achieved through the buffer data Buf[j] of the top stack frame. Attack example 4 gives an attack that achieves a buffer overflow in a stack frame that is not at the stack top, by pointer passing. This attack example only gives the overflow method; the follow-on attack method can draw on attack examples 1, 2 and 3 or other attack means.
As shown in Fig. 4, a number of stack frames are stored in the stack buffer, labelled in order from the stack bottom to the stack top. Stack frame [j] is at the stack top, and stack frame [i] is stored at some location below the top. Stack frame [j] stores some multi-level pointer pj to a string, and stack frame [i] stores some string chari. The multi-level pointer pj passes addresses through the pointer data between stack frame [j] and stack frame [i] and finally points to chari, as shown by arrow 1 drawn from Pter[j] in Fig. 4. Suppose that data is input into the string chari that pj points to and a buffer overflow occurs in chari, and that this overflow ends up affecting the code pointer pi-1 in stack frame [i-1], as shown by the two-dimensional arrow 2 drawn from Buf[i] in Fig. 4. As a result, pi-1 now points to different executable code. The characteristic of this attack example is that the buffer data of a frame that is not at the stack top is made to overflow by pointer passing, so measuring the isolation marks between the stack top and the overflow point cannot find the overflow.
Analysing the shortcomings of the existing detection techniques against the four overflow attack methods above, they can be reduced to the following two points:
1. Measurement granularity
The measure of setting a random number before the return address can only check whether the return address has been changed, but modifying the return address is not the only attack pattern, as described in attack example 1. A safety check aimed only at the return address therefore cannot detect attacks caused by changing pointer-type variables.
2. Measurement moment and measurement scope
Buffer checking methods based on the StackGuard technique perform the safety check at the moment the function returns, when the function has already finished, so only the return address is checked at the time the function returns. But during the function's execution, if some pointer-type variable in the stack points to a variable located before the current stack frame, the program flow can also be changed if those variables are not checked before they are used, as shown in attack examples 2 and 3. In addition, checking the buffer only within the current stack frame when the frame is popped cannot resist the overflow attack of attack example 4. Therefore, performing the safety check only on the current stack frame at the moment the function returns cannot find overflow attacks that happen, during the function's execution, on other data the function relies on.
Summary of the invention
In view of this, the purpose of the embodiments of the invention is to provide a dynamic measurement method for buffer overflow based on logical isolation, in order to achieve dynamic measurement of the process state space and establish an intact computing environment.
The present invention is realized by the following technical solution:
The data stored in the buffer is divided into pointer data and buffer data:
Pointer data refers specifically to data of the pointer types defined in the program, and to the pointer data used to maintain the buffer's operation; for example, string pointers in the program, function (virtual function) pointers, multi-level pointers, the extended instruction pointer EIP (Extended Instruction Pointer) in the stack, the extended base pointer EBP (Extended Base Pointer), and the linked-list pointers that maintain heap blocks;
Buffer data comprises all data of non-pointer types; in the context of buffer overflow, buffer data refers specifically to data of the string types defined in the program;
The buffer data storage described here does not modify the current computer architecture: different data types are still stored in a continuous linear physical space, but by managing the storage of the different data types and adding isolation marks, a fine-grained logical isolation mechanism is provided.
As shown in Fig. 5, first, pointer data (Pointer, abbreviated Pter) and buffer data (Buffering, abbreviated Buf) are separated logically by an isolation mark (Separator, abbreviated Sep);
Second, the buffer data is stored in the low-address direction of the isolation mark, and the pointer data in the high-address direction of the isolation mark;
Finally, the buffer data, isolation mark and pointer data stored from the low address to the high address of memory form a state space subset; a memory buffer space can hold several consecutive state space subsets of this structure.
Because a buffer overflow is buffer data crossing its bounds and covering other data types, in particular pointer data, the buffer data is stored in the low address space and an isolation mark is placed at its boundary, realizing the logical isolation of buffer data and pointer data. On the one hand, when buffer data overflows towards the high address space it must modify the isolation mark before it can cover the pointer data, so whether an overflow has occurred can be judged by measuring the integrity of the isolation mark; on the other hand, between two isolation marks the pointer data is placed in the low address space relative to the buffer data, so the buffer data cannot affect the pointer data.
The buffer data storage comprises the logical isolation of stack buffer data, the logical isolation of heap buffer data, and the optimization of the stack buffer;
Preferably, in the buffer data storage, the logical isolation of stack buffer data is as shown in Fig. 5: a stack frame comprises, from the low memory address to the high address, pointer data, buffer data and an isolation mark. Not only is the interference between different stack frames isolated by the isolation mark, but by placing the pointer data before the buffer data within a stack frame (the pointer data is located at the stack top), the influence of the buffer data within that stack frame on the pointer data is eliminated, thereby realizing fine-grained isolation.
Preferably, in the buffer data storage, the logical isolation of heap buffer data is as shown in Fig. 5: a heap block comprises, from the low memory address to the high address, an isolation mark, pointer data and buffer data. The isolation mark isolates the interference between two adjacently stored heap blocks, separating the buffer data of the previous heap block from the pointer data of the following heap block.
Preferably, as an optimization of the stack buffer, the logical isolation of stack buffer data can further store the string arrays of the buffer data in the high address space, and store data of integer and floating-point types between the pointer data and the string arrays. Storage management for heap blocks has no problem of this kind.
Based on the logical isolation of buffer data above, the dynamic measurement method for buffer overflow is: before some pointer data is operated on, measure the isolation mark that lies in the same state space subset as that pointer data; if the isolation mark has been modified, a buffer overflow has occurred. This is a general method that can perform dynamic measurement on the buffers of different applications. It can be optimized according to the characteristics of different buffers; below it is optimized for the stack buffer.
In the dynamic measurement method for stack buffer overflow, the measurement operation is performed at the following moments: before a pop operation, before a push operation, and before a call through pointer data that points to executable code;
The pointer data pointing to executable code is pointer data used to point to the executable code of the process, or pointer data that points to pointer data of that type, i.e. multi-level pointers; specifically it comprises the program's function pointer types, virtual function pointer types, iterator pointers, and the pointers EIP and EBP that maintain the stack space, etc. The main reason for focusing on pointer data that points to executable code is that a buffer overflow attack must change the value of such a pointer through the overflow so that it points to malicious code or some call; then, when the program calls the code the pointer points to, the program designed by the attacker is executed. Such pointers are therefore the key to realizing the effect of a buffer overflow attack.
Preferably, the optimization of the dynamic measurement method for stack buffer overflow is: if there are several adjacent calls through code pointers with no operations on buffer data between them, then measurement is performed only before the first pointer-based code call and not before the later ones. According to the program flow, once another operation on buffer data appears, the buffer data is checked again before the next pointer-based code call that follows it.
The measurement scope of the dynamic measurement method for stack buffer overflow is: the isolation mark of the top stack frame, and the isolation marks of the state space subsets containing the buffer data reached, by pointer passing, from the set of pointers in the top stack frame that point to buffer data types.
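The storage layout and the measurement rule above, as an added example that is not part of the patent or its implementation: a constructed C model of two stack frames laid out as pointer data, buffer data and separator (the sizes, names and xorshift separator generator are assumptions of this example), showing that an unchecked copy into Buf[i] destroys Sep[i] before it can reach Pter[i-1], that the measurement performed before Pter[i-1] is used catches it, and that Pter[i] at the low end of the same frame is not reachable by the upward overflow.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the patent's stack-frame layout, one frame being
 * (low address -> high address): pointer data Pter, buffer data Buf,
 * isolation mark Sep.  Slot 0 is the top frame [i]; slot 1 is frame [i-1],
 * which lies at the higher address.  All sizes are assumptions of this example. */
#define PTR_SIZE   8
#define BUF_LEN    16
#define SEP_LEN    4
#define FRAME_LEN  (PTR_SIZE + BUF_LEN + SEP_LEN)
#define NFRAMES    2
#define OFF_PTER   0
#define OFF_BUF    PTR_SIZE
#define OFF_SEP    (PTR_SIZE + BUF_LEN)

static unsigned char stack_mem[NFRAMES * FRAME_LEN]; /* simulated stack buffer          */
static uint32_t      sep_copy[NFRAMES];              /* copies kept in the "data segment" */
static uint32_t      rng_state = 0x2545F491u;

/* Deterministic xorshift stand-in for the random separator generator. */
static uint32_t gen_sep(void) {
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 17;
    rng_state ^= rng_state << 5;
    return rng_state;
}

static unsigned char *frame(int slot) { return stack_mem + slot * FRAME_LEN; }

/* Lay out one frame: pointer data at the low end, separator at the high end,
 * and save the separator copy for the later measurement. */
static void frame_init(int slot, uint64_t pter) {
    uint32_t sep = gen_sep();
    memset(frame(slot), 0, FRAME_LEN);
    memcpy(frame(slot) + OFF_PTER, &pter, PTR_SIZE);
    memcpy(frame(slot) + OFF_SEP, &sep, SEP_LEN);
    sep_copy[slot] = sep;
}

static uint64_t frame_pter(int slot) {
    uint64_t v;
    memcpy(&v, frame(slot) + OFF_PTER, PTR_SIZE);
    return v;
}

/* Unchecked copy into Buf, modelling a strcpy-style defect: the bytes run
 * upward past the buffer end (clamped to stack_mem so the model stays defined). */
static void buf_write_unchecked(int slot, const unsigned char *src, size_t n) {
    size_t base = (size_t)(frame(slot) - stack_mem) + OFF_BUF;
    for (size_t k = 0; k < n && base + k < sizeof stack_mem; k++)
        stack_mem[base + k] = src[k];
}

/* Measurement: compare Sep[slot] in the stack with its saved copy.
 * Returns 1 if intact, 0 if an overflow has modified it. */
int sep_intact(int slot) {
    uint32_t sep;
    memcpy(&sep, frame(slot) + OFF_SEP, SEP_LEN);
    return sep == sep_copy[slot];
}

/* Before operating on the pointer data of frame slot, measure the separator of
 * the state-space subset containing it, i.e. the separator just below it in
 * memory (Pter[i-1] is guarded by Sep[i]).  The top frame has no buffer below it. */
int measure_before_pointer_use(int slot) {
    return slot == 0 ? 1 : sep_intact(slot - 1);
}

/* Scenario: write n bytes of constructed input into Buf[i] of the top frame,
 * then measure before using Pter[i-1].  Returns 1 when the overflow is detected. */
int scenario_overflow_detected(size_t n) {
    unsigned char input[64];
    memset(input, 'A', sizeof input);
    frame_init(0, 0x1111);  /* frame [i], the stack top */
    frame_init(1, 0x2222);  /* frame [i-1]              */
    buf_write_unchecked(0, input, n > sizeof input ? sizeof input : n);
    return !measure_before_pointer_use(1);
}

/* Same scenario, reporting the top frame's own pointer: it sits on the
 * low-address side of Buf[i], so the upward overflow cannot reach it. */
uint64_t scenario_top_pter_after(size_t n) {
    scenario_overflow_detected(n);
    return frame_pter(0);
}

/* Same scenario, reporting Pter[i-1], which the overflow does reach. */
uint64_t scenario_lower_pter_after(size_t n) {
    scenario_overflow_detected(n);
    return frame_pter(1);
}

int main(void) {
    printf("12 bytes: detected=%d\n", scenario_overflow_detected(12));
    printf("28 bytes: detected=%d top Pter=0x%llx lower Pter=0x%llx\n",
           scenario_overflow_detected(28),
           (unsigned long long)scenario_top_pter_after(28),
           (unsigned long long)scenario_lower_pter_after(28));
    return 0;
}
```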
Compared with the prior art, the present invention has the following notable advantages and beneficial effects:
The present invention divides the data stored in the buffer into pointer data and buffer data: without modifying the current computer architecture, different data types are still stored in a continuous linear physical space, but by managing the storage of the different data types and adding isolation marks, a fine-grained logical isolation of data is provided, forming several consecutive state space subsets that conform to the logical isolation. By measuring the integrity of the isolation mark in the space where a pointer lies before the pointer is called, it can be judged whether a buffer overflow has occurred. For the characteristics of the stack structure, the measurement moment and the measurement scope are optimized, so the shortcomings of the existing detection mechanisms are better solved. The dynamic measurement method proposed by the present invention not only handles the four attack examples given, but can also deal with other types of buffer overflow attacks.
Description of drawings
Fig. 1 is a schematic diagram of buffer attack example 1;
Fig. 2 is a schematic diagram of buffer attack example 2;
Fig. 3 is a schematic diagram of buffer attack example 3;
Fig. 4 is a schematic diagram of buffer attack example 4;
Fig. 5 is a schematic diagram of the logical isolation of buffer data provided by the embodiment of the invention;
Fig. 6 is the logical isolation of data provided by the embodiment of the invention for the stack;
Fig. 7 is the logical isolation of data provided by the embodiment of the invention for the heap;
Fig. 8 is the general dynamic measurement method for buffer overflow proposed by the invention;
Fig. 9 is the measurement flow for stack buffer overflow proposed by the invention.
Embodiments
The dynamic measurement method for buffer overflow based on logical isolation provided by the embodiments of the invention realizes fine-grained logical isolation of different data types in the state space and, on the basis of that logical isolation, proposes a dynamic measurement method for buffer overflow, which is refined for implementation on the stack, thereby establishing an integrity measurement mechanism for the runtime state space of the process.
To make the purpose, technical solution and advantages of the invention clearer, the invention is described in more detail below with reference to the accompanying drawings and embodiments.
The management of data storage in the stack and heap spaces is described in detail with reference to the figures.
Fig. 6 shows the logical isolation of data provided by the embodiment of the invention for the stack, on the basis of Fig. 5.
Fig. 6 shows the memory state of the two stack frames at the stack top; the structure of the other stack frames is the same as that of stack frame [i-1]. As shown in Fig. 6, a stack frame comprises a random number, temporary non-pointer variables, temporary pointer variables, passed parameter variables, the extended instruction pointer and the extended base pointer. The random number serves as the isolation mark, logically isolating the buffer data and pointer data of adjacent stack frames. The two consecutive temporary variable storage spaces in the low address space of the random number store the local variables of the function corresponding to this stack frame. The temporary non-pointer variables mainly comprise instances of data types that can cause buffer overflow, for example strings, with data of integer and floating-point types (non-string, non-pointer) stored in the low address space adjacent to the string data. The temporary pointer variables store all local variables of pointer type; in the stack space, the main concern is pointer data that points to executable code. The passed parameter variables are the set of data that stack frame [i-1] passes to stack frame [i]; this set is divided into actual parameters and formal parameters, where actual parameters are passed by pointer and formal parameters comprise non-string data types, so this set has no overflow problem. However, considering that pointers in this set can realize pointer passing between different stack frames, the passed parameter variable set is classed as pointer data. The extended instruction pointer (EIP) and the extended base pointer (EBP) are both very important pointers used to maintain stack operation; early buffer overflows mainly attacked EIP, and attacks on EBP appeared later. In short, both pointers are extremely important and are included in the pointer data.
In this structure the random number realizes the logical isolation of buffer data and pointer data between different stack frames, but this isolation cannot prevent the situation, between two random numbers, where an overflow inside one stack frame covers a pointer, as shown in attack example 1 above. Therefore, when organizing the storage structure of the data inside a stack frame, the pointer data is placed in the low address space and the buffer data in the high address space; because data overflows in the direction from low address to high address, this storage structure avoids the influence of the buffer data inside one stack frame on the pointer data, thereby realizing a finer-grained isolation mechanism.
The isolation mark random number can be generated before each push, and a copy saved in the data segment for the buffer overflow measurement.
Fig. 7 shows the logical isolation of data provided by the embodiment of the invention for the heap, on the basis of Fig. 5.
Fig. 7 shows the memory state of two consecutive heap blocks in the heap. As shown in Fig. 7, a heap block comprises a random number, heap block pointer data and heap block temporary data. In this structure the random number realizes the logical isolation of buffer data and pointer data between different heap blocks, but this isolation cannot prevent the situation, between two random numbers, where an overflow inside one heap block covers a pointer, similar to attack example 1 above. Therefore, when organizing the storage structure of the data inside a heap block, the pointer data is placed in the low address space and the buffer data in the high address space; because data overflows from low address to high address, this storage structure avoids the influence of the buffer data inside one heap block on the pointer data, thereby realizing finer-grained isolation and avoiding the occurrence of attack example 1.
The isolation mark random number can be generated before the heap block is initialized, and a copy saved in the data segment for the buffer overflow measurement.
In summary, by giving and analysing the embodiments of buffer data storage for the stack and the heap in the process space, the logical isolation of buffer data for these two different functions can be unified under the structure shown in Fig. 5, thereby realizing fine-grained data isolation.
Based on the buffer data storage above, the present invention proposes a dynamic measurement method for buffer overflow. The general flow of this method, used in different embodiments such as the stack and the heap, is shown in Fig. 8.
The general measurement flow for buffer overflow is: step 801 judges whether the input of the current operation involves pointer data; if it does, step 802 measures the isolation mark in the same state space subset as that pointer data, and if the isolation mark has been modified, a buffer overflow has occurred.
Because the general flow measures the isolation mark before every operation involving pointer data, its efficiency is relatively low. Under the special structure of the stack buffer, the key to an overflow attack is to cover a pointer that points to executable code by overflowing, thereby changing the control flow of the process. Based on this feature, the present invention proposes a measurement flow for stack buffer overflow, shown in Fig. 9, which specializes the general flow to the characteristics of the stack structure.
Statistics show that operations on pointers in the top stack frame may be very frequent, and are mostly operations on string pointers; if the isolation mark were measured before every operation involving a pointer, efficiency would be low. Because the key of a buffer overflow attack is to cover the pointer that points to executable code, and the number of calls through code pointers in a stack frame is relatively small, detection efficiency can be improved by measuring the isolation mark only before such calls.
Since only the top stack frame in the stack is in the active state, the current stack frame is the top stack frame.
Step 901 judges whether the operation in the top stack frame calls pointer data that points to executable code; if a code pointer is involved, step 904 is entered and the isolation mark is measured. Code pointer data is a data variable that points directly or indirectly (via pointer passing) to executable code and finally calls a section of code through the assembly instruction Call; in source code it mainly comprises function pointers, iterator pointers and virtual function pointers.
Step 902 judges whether the operation in the top stack frame is pushing a new stack frame; if so, step 904 is entered and the isolation mark is measured. If a situation like attack example 3 has occurred in the current stack frame, and either there is no step 901 in the current stack frame or attack example 3 was carried out after step 901, then attack example 3 cannot be detected. If a code pointer in the current stack frame has been attacked as in attack example 3, and some multi-level code pointer in the new stack frame calls that code pointer in the current stack frame, step 904 in the new stack frame also cannot detect attack example 3. The main reason is that attack example 3 can achieve redirection through an intermediate pointer, destroying the top-to-bottom structure of data passing in the stack. Therefore, before a new stack frame is pushed, it is necessary to check whether a buffer overflow has occurred in the current stack frame.
Step 903 judges whether the operation in the top stack frame is popping a stack frame; if the current stack frame is popped, step 904 is entered and the isolation mark is measured. Immediately after the top stack frame is popped, the code pointed to by EIP in the next stack frame is executed, so step 904 can detect whether EIP has been overwritten. In addition, step 903 faces the same problem as step 902 with respect to attack example 3, so it must also detect whether a buffer overflow has occurred in the current stack frame.
Step 904, the isolation mark of tolerance stack top stack frame, and the isolation mark in the buffered data place state space subclass that buffered data type set of pointers is pointed to by the pointer transmission in the stack top stack frame.The purpose of this step is to detect in the current stack frame implementation incident of overflowing whether occurred.The scope of tolerance is all buffered datas that current stack frame can be controlled, and whether the method for tolerance is to check the integrality of isolation mark of this buffered data place state space subclass destroyed.This method can detect above-mentioned all effectively and attack example.
Step 905 is not if the tolerance at isolation mark has report to overflow the generation of incident, the then described associative operation of execution in step 901, step 902 and step 903 in the step 904.
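The stack-specialized flow of steps 901 to 905 above (and the measurement moments and scope of claim 2), as an added C example that is not the patent's own code: it models one state space subset per stack frame, the three measurement moments, and a constructed write whose length reaches the isolation mark before the pointer data. The mark value, frame count and 'A' fill pattern are constructed assumptions.

```c
#include <stdint.h>
#include <string.h>
#define ISOLATION_MARK 0xA5C3E17Bu /* constructed mark value */
#define BUF_SIZE 16
#define MAX_FRAMES 8
typedef void (*code_ptr_t)(void);
/* One state space subset: buffered data (low address), isolation mark, pointer data (high address). */
struct subset {
    char buffered[BUF_SIZE];   /* non-pointer and string data */
    uint32_t isolation_mark;   /* logical boundary between the two classes */
    code_ptr_t code_pointer;   /* pointer data pointing at executable code */
};
static struct subset frames[MAX_FRAMES]; /* frame stack; top is the active frame */
static int top = -1;
static int target_calls = 0;             /* counts code-pointer calls that ran */
static void sample_target(void) { target_calls++; }
/* Step 904: 1 if the mark is intact, 0 if an overflow has modified it. */
static int measure_isolation_mark(const struct subset *s) {
    return s->isolation_mark == ISOLATION_MARK;
}
/* Step 902: measure the current frame before a new frame is pushed. */
static int push_frame(code_ptr_t target) {
    if (top >= 0 && !measure_isolation_mark(&frames[top])) return 0;
    if (top + 1 >= MAX_FRAMES) return 0;
    struct subset *s = &frames[++top];
    memset(s->buffered, 0, BUF_SIZE);
    s->isolation_mark = ISOLATION_MARK;
    s->code_pointer = target;
    return 1;
}
/* Step 903: measure before the current frame is popped. */
static int pop_frame(void) {
    if (top < 0 || !measure_isolation_mark(&frames[top])) return 0;
    top--;
    return 1;
}
/* Step 901: measure before the frame's code pointer is invoked. */
static int call_code_pointer(void) {
    if (top < 0 || !measure_isolation_mark(&frames[top])) return 0;
    frames[top].code_pointer();
    return 1;
}
/* Stands in for the program's own unchecked write of len bytes of buffered data into the
 * top frame, starting at the subset's low address; a length above BUF_SIZE reaches the
 * mark before the pointer data. Clamped to the object size so the byte write stays defined. */
static void write_buffered(size_t len) {
    if (top < 0) return;
    if (len > sizeof frames[top]) len = sizeof frames[top];
    memset(&frames[top], 'A', len); /* constructed fill pattern */
}
```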
The present invention can further be optimized.If after execution in step 904, and, then can no longer detect at current operation not at the operation of buffered data.
Preferably, the measure that the present invention proposes can embed in the program compiler, on the basis of source program, adding is to the administrative mechanism of buffer data storage, the detection method that adding is overflowed buffer zone, and generate the assembly routine of using the inventive method, finally generate object code.
The above is preferred embodiment of the present invention only, is not to be used to limit protection scope of the present invention, all any modifications of being made within the spirit and principles in the present invention, is equal to replacement, improvement etc., all should be included within protection scope of the present invention.

Claims (2)

1. A dynamic measurement method for buffer overflow based on logic isolation, wherein the data stored in the buffer are divided into pointer data and buffered data, characterized in that:
the pointer data are the data of pointer types defined in the program, and the pointer data used to maintain the operation of the buffer;
the buffered data comprise the data of all non-pointer types, and the data of string types defined in the program;
without modifying the current computer system, different types of data are stored in a continuous linear physical space, comprising the following steps:
pointer data and buffered data are logically separated by an isolation mark;
buffered data are stored in the low address direction of the isolation mark, and pointer data are stored in the high address direction of the isolation mark;
the buffered data, isolation mark and pointer data stored from the low address to the high address of memory form a state space subset, and the memory buffer space can hold several contiguous state space subsets conforming to this structure;
the storage of the buffer data comprises the logic isolation of stack buffer data, the logic isolation of heap buffer data, and the optimization of the stack buffer;
based on this logic isolation, before an operation on a certain item of pointer data, the isolation mark that shares a state space subset with this pointer data is measured, and if that isolation mark has been modified, a buffer overflow has occurred.
2. The dynamic measurement method for buffer overflow based on logic isolation according to claim 1, characterized in that the optimization of the stack buffer comprises:
A. the moment of measurement:
1) measure before a new stack frame is pushed;
2) during execution of the top stack frame, measure between consecutive buffered-data operations and pointer invocations;
3) measure before the current stack frame is popped;
B. the scope of measurement:
measure the isolation mark of the current top stack frame, and the isolation marks in the state space subsets containing the buffered data that buffered-data-type pointers in the top stack frame point to through pointer passing.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200910092060XA CN101694686B (en) 2009-09-21 2009-09-21 Dynamic measuring method of buffer overflow on the basis of logic isolation
Publications (2)

Publication Number Publication Date
CN101694686A true CN101694686A (en) 2010-04-14
CN101694686B CN101694686B (en) 2011-07-20