CN105260659A - Kernel-level code reuse type attack detection method based on QEMU - Google Patents


Info

Publication number: CN105260659A
Authority: CN (China)
Prior art keywords: file, instruction, addr, ret, qemu
Legal status: Granted
Application number: CN201510574168.8A
Other languages: Chinese (zh)
Other versions: CN105260659B (en)
Inventors: 李金库, 程坤, 孙聪, 卢笛, 姚青松, 马建峰
Current assignee: Xidian University
Original assignee: Xidian University
Priority date: 2015-09-10
Filing date: 2015-09-10
Publication date: 2016-01-20

Events
Application filed by Xidian University
Priority to CN201510574168.8A
Publication of CN105260659A
Application granted
Publication of CN105260659B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/562 Static detection
    • G06F 21/563 Static detection by source code analysis

Abstract

The invention discloses a QEMU-based method for detecting kernel-level code reuse attacks. It addresses the main shortcoming of the prior art, which either relies on hardware or requires modifying kernel source code. The method extends a functional module of the QEMU virtual machine manager: every instruction of the operating system kernel that passes through that module is traversed and examined, and the jump instructions relevant to control flow, namely ret instructions and indirect call instructions, are identified. The jump target addresses of these instructions are recorded and then compared with the legal target addresses of the system's normal execution flow to determine whether the system is executing normally. At the same time, the interrupt return address pushed onto the stack when an interrupt occurs is compared with the return address actually used when the interrupt returns, and a mismatch indicates an attack. Because a code reuse attack must alter the system's original execution flow, monitoring the instructions (and locations) that change the kernel's execution flow exposes such attacks effectively, so the method can be used to protect the security of an operating system.

Description

A kernel-level code reuse attack detection method based on QEMU
Technical field
The invention belongs to the field of computer science and technology and relates to protection against malware, specifically a QEMU-based method for detecting kernel-level code reuse attacks.
Background technology
Kernel-level code reuse attacks are a novel contemporary attack technique. They inject no new code: by reusing only existing (legitimate) code already present in the kernel, an attacker can construct a complete attack and subvert the whole operating system from its foundations. Such attacks evade kernel code integrity protection mechanisms and pose a grave danger to the security of user systems.
A code reuse attack is carried out in two steps: (1) the attacker carefully selects usable instruction fragments and chains them together through specific instructions (such as ret); (2) the attacker changes the system's original execution flow (by tampering with control data used during kernel execution, such as a function pointer or a function return address) so that execution jumps to the first instruction fragment the attacker selected, and the attack is carried out.
The earliest code reuse attack was return-oriented programming (ROP). Because every carefully chosen instruction fragment ends with a ret instruction, the constructed gadget set can contain many ret instructions, which is abnormal in a normally running system. Chen et al. [ICISS 2009] therefore proposed detecting ROP attacks by measuring how frequently ret instructions are invoked in the system's instruction execution flow. Li et al. of North Carolina State University [ACM EuroSys 2010] modified the compiler to remove all ret opcode bytes from the kernel, so that an attacker cannot find usable instruction fragments from which to build an attack. However, the latest code reuse attack variants no longer depend on the ret instruction; they chain instruction fragments with similar indirect jump instructions (such as jmp or "pop + jmp"), which are harder to defend against. For this reason, Li et al. of North Carolina State University [IEEE TIFS 2011] proposed a compiler-based method that rewrites the relevant kernel instructions (such as indirect call and ret) to protect the control data in the kernel (including function pointers and function return addresses) against code reuse attacks. Kuznetsov et al. of EPFL [OSDI 2014] likewise proposed a compiler-based method that protects all code pointers in a program and so resists code reuse attacks.
Existing research has achieved some effect in detecting code reuse attacks, but most existing detection methods have technical limitations: they either need additional hardware support or require modifying kernel source code. The former increases hardware cost and scales poorly; the latter is inapplicable to closed-source operating system kernels (such as Windows).
The detection method proposed by the present invention is built on the QEMU virtual machine manager. QEMU is a fast and convenient dynamic binary translator that can start virtual machines and supports multiple CPU architectures. Because QEMU executes by translating binary instructions, it can intercept (or intervene in) every instruction the virtual machine's kernel executes. Since every code reuse attack must change the system's original execution flow (the second step above), the present invention can effectively detect and expose attacks by monitoring the instructions (and locations) that change the kernel's execution flow. Furthermore, none of the existing detection methods check the kernel's interrupt flow, yet an attacker can equally mount an attack by altering the flow of kernel interrupt handling. The present invention provides detection and verification of the kernel interrupt flow.
Summary of the invention
To make up for the deficiencies of the prior art, the present invention proposes a QEMU-based kernel-level code reuse attack detection method that detects the behaviour of the various kernel-level code reuse attacks (and their variants) and protects the security of the operating system.
To achieve this goal, the technical solution adopted by the present invention comprises the following steps:
1) Pre-processing
1.1) Create an empty temporary file temp_file and output the content of the operating system kernel image file into temp_file;
1.2) Create a file func_addr_file recording the function entry addresses in the kernel; obtain the entry address of every kernel function from temp_file in turn and write these addresses to func_addr_file;
1.3) Create a file ret_addr_file recording the function return addresses in the kernel; obtain every valid function return address in the system from temp_file in turn and write these addresses to ret_addr_file;
2) QEMU-based recording of jump instruction target addresses and verification of the interrupt flow
3) Verification of jump instruction target addresses
While instructions are being translated, verify the jump instruction target addresses recorded by QEMU to detect whether an attack has occurred.
The present invention is further refined as follows:
In step 2), the specific procedure for QEMU-based recording of jump instruction target addresses and verification of the interrupt flow is as follows:
2.1) Start the virtual machine kernel with QEMU;
2.2) In QEMU's translation phase from guest instructions to host instructions, obtain an instruction I of the kernel;
2.3) Before instruction I is translated, first check whether an interrupt event has occurred; if so, jump to step 2.7);
2.4) Determine the type of instruction I: if I is an indirect call instruction, jump to step 2.5); if I is a ret instruction, jump to step 2.6); otherwise jump to step 2.8);
2.5) Process the indirect call instruction I as follows:
2.5a) If the file call_addr.out does not exist, create call_addr.out to record the target addresses of indirect call instructions;
2.5b) When translating the indirect call instruction I, set its flag call_flag to 1;
2.5c) If an interrupt occurs at this point, check on entering the interrupt handling function whether call_flag is 1; if so, record the return address pushed on the stack during interrupt handling in call_addr.out, then set call_flag to 0 and jump to step 2.5e);
2.5d) When QEMU translates the target address the indirect call instruction jumps to, check before translation whether the flag call_flag is 1; if so, record the first address of the translation block in call_addr.out (it is the target address of the indirect call instruction), then set call_flag to 0;
2.5e) Jump to step 2.8);
2.6) Process the ret instruction I as follows:
2.6a) If the file ret_addr.out does not exist, create ret_addr.out to record the target addresses of ret instructions;
2.6b) When translating the ret instruction I, set its flag ret_flag to 1;
2.6c) If an interrupt occurs at this point, check on entering the interrupt handling function whether ret_flag is 1; if so, record the return address pushed on the stack during interrupt handling in ret_addr.out, then set ret_flag to 0 and jump to step 2.6e);
2.6d) When QEMU translates the target address the ret instruction jumps to, check before translation whether ret_flag is 1; if so, record the first address of the translation block in ret_addr.out (it is the target address of the ret instruction), then set ret_flag to 0;
2.6e) Jump to step 2.8);
2.7) Process the interrupt as follows:
2.7a) If the file int_addr.out does not exist, create int_addr.out to record interrupt information;
2.7b) If no custom stack exists, initialise the stack int_addr with its top-of-stack pointer pointing to the first position;
2.7c) In QEMU's interrupt handling function, also push the return address that the system pushes on the stack onto the custom stack int_addr;
2.7d) After QEMU has executed the interrupt routine, when the interrupt return instruction is invoked, pop the return address from the custom stack int_addr and compare it with the return address used by the interrupt return instruction; if the two differ, report that an attack has occurred and record the differing return addresses in int_addr.out;
2.7e) Jump to step 2.4);
2.8) If the operating system kernel still has unprocessed instructions, return to step 2.2) and start processing the next instruction; otherwise terminate.
In step 2.4), the type of instruction I is determined by QEMU by identifying the opcode of the binary instruction.
In step 3), the verification of jump instruction target addresses is specifically as follows:
3.1) Read each newly added target address in call_addr.out and verify whether it is a function entry address in func_addr_file; if not, report that an attack has occurred;
3.2) Read each newly added target address in ret_addr.out and verify whether it is a valid function return address in ret_addr_file; if not, report that an attack has occurred;
3.3) Return to 3.1).
Compared with the prior art, the present invention has the following beneficial effects:
1) The present invention is implemented on the QEMU virtual machine manager. It needs no hardware development and no modification of the operating system kernel source code, yet it can identify, locate and record the target addresses of the jump instructions that need to be checked. Compared with existing methods this mechanism is low-cost and highly scalable, and it can support several operating system types (including closed-source operating systems). By comparing the recorded target addresses with the system's legal jump addresses, kernel-level code reuse attacks can be detected and the security of the operating system protected.
2) The present invention only needs to add one store operation when translating a jump instruction, namely recording the target address to a file. It is therefore efficient: performance tests based on UnixBench show that the performance loss introduced by the present invention is about 4%.
3) The present invention detects most jump instructions in the operating system kernel and, at the same time, proposes a method for detecting and verifying the return address used during interrupt handling when an interrupt occurs in the system. In effect, QEMU supervises every jump of the whole operating system's control flow, so it can detect kernel-level code reuse attacks and provides a strong guarantee for operating system security.
Description of the drawings
Fig. 1 is the flowchart of the present invention.
Embodiments
The present invention is described in further detail below with reference to the drawings and embodiments:
Referring to Fig. 1, the present invention comprises pre-processing, QEMU-based recording of jump instruction target addresses together with interrupt flow verification, and legitimacy verification of jump instruction target addresses. The control-flow-relevant jump instructions are indirect call instructions and ret instructions. By recording their jump target addresses and then comparing those target addresses with the target addresses of the system's normal execution flow, it is detected whether the system is executing normally or has been attacked.
The present invention is based on the following observation: whatever type of code reuse attack is used, to carry out the attack it must change the system's original execution flow (or control flow) and jump to the first instruction fragment the attacker selected. If the places where the system's execution flow may be changed can be detected (or verified), the attack can be detected (or prevented). For this reason, the indirect call instructions and ret instructions that change the system's control flow, as well as the interrupt flow, must be protected.
The core idea of the present invention is to use the QEMU virtual machine manager as the platform: the operating system kernel runs on the QEMU virtual machine manager, where detection or verification takes place. Because QEMU is based on binary instruction translation, every instruction of the system kernel is translated in QEMU, and QEMU can intercept (or intervene in) every instruction the virtual machine kernel executes. By modifying the functional module of QEMU, every instruction in the operating system kernel is traversed and examined, the translation of ret instructions, indirect call instructions and interrupts is identified, the jump target addresses of these instructions are recorded, and the recorded information is compared with the legal information, which realises detection of code reuse attacks. The operating system runs in a virtual machine started by QEMU and the attack takes place inside that operating system, so the attacker cannot hinder the operation of QEMU. Detection inside QEMU requires no change to the system kernel code, so any operating system can be checked without recompilation. Moreover, QEMU is open-source software; no large code changes are needed, only the addition of processing code at key places in QEMU, to complete detection of code reuse attacks.
As for jump target addresses, because their values are generated dynamically at run time and change, they can be recorded while QEMU performs dynamic translation. Specifically, following the system's function call flow, when an indirect call instruction calls a function, QEMU jumps to the next translation block to continue execution; the first address of that translation block is the target address of the jump instruction, so the first address of the function called by the indirect call instruction can be recorded. Likewise, after a ret instruction executes, the instruction flow also jumps to the next translation block, so the return address of the ret instruction can be recorded in the same way.
Considering the target addresses of jump instructions, the present invention needs to record the jump target addresses of the system's indirect call instructions and ret instructions so that their validity can be judged later, and to compare the interrupt return address pushed on the stack when an interrupt occurs with the return address used when the interrupt actually returns, to determine whether an attack has occurred.
With reference to Fig. 1, the detailed operation steps of the present invention are as follows:
Pre-processing steps
A) Create the temporary file temp_file and use the disassembler that comes with the system (such as objdump) to output the content of the operating system kernel image file into temp_file;
B) Create the file func_addr_file and record all function entry addresses in temp_file into func_addr_file;
C) Create the file ret_addr_file and record all valid function return addresses in temp_file into ret_addr_file (each valid return address points to the instruction immediately following some call instruction).
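The pre-processing steps A) to C) in working form, as an added example that is not part of the patent: it parses a constructed excerpt in the default layout of objdump -d (invented addresses and symbols, not from any real kernel image), collects every function entry address for func_addr_file and the address immediately following every call for ret_addr_file, and formats each list one hexadecimal address per line.

```python
"""Pre-processing of the patent: build the two whitelists from the kernel
image's disassembly (the page uses objdump to produce temp_file)."""
import re

# objdump -d layout: "addr <symbol>:" opens a function; instruction lines are
# "addr:<TAB>raw bytes<TAB>mnemonic operands"; when an encoding is longer than
# objdump's per-line byte limit, a continuation line carries bytes only.
FUNC_HEADER = re.compile(r"^([0-9a-f]+) <([^>]+)>:$")
INSN_LINE = re.compile(r"^\s*([0-9a-f]+):\t(.*)$")

# Constructed excerpt standing in for temp_file; addresses and symbols are
# invented for this example.
SAMPLE_DISASSEMBLY = """\
ffffffff81000000 <start_kernel>:
ffffffff81000000:\t55                   \tpush   %rbp
ffffffff81000001:\te8 0a 00 00 00       \tcallq  ffffffff81000010 <setup_arch>
ffffffff81000006:\tff d0                \tcallq  *%rax
ffffffff81000008:\t5d                   \tpop    %rbp
ffffffff81000009:\tc3                   \tretq

ffffffff81000010 <setup_arch>:
ffffffff81000010:\t48 89 e5             \tmov    %rsp,%rbp
ffffffff81000013:\t48 b8 00 00 00 00 00 \tmovabs $0x0,%rax
ffffffff8100001a:\t00 00 00
ffffffff8100001d:\tc3                   \tretq
"""


def build_whitelists(disassembly):
    """Return (function entry addresses, valid return addresses) as sets of ints.

    A valid return address is the instruction right after a call, computed as
    call address + encoded length; the length sums bytes across continuation
    lines so wrapped encodings are measured correctly.
    """
    func_entries, valid_returns = set(), set()
    cur_addr, cur_len, cur_is_call = None, 0, False

    def flush():
        # Finish the previous instruction: a call yields one valid return address.
        if cur_is_call:
            valid_returns.add(cur_addr + cur_len)

    for line in disassembly.splitlines():
        header = FUNC_HEADER.match(line)
        if header:
            func_entries.add(int(header.group(1), 16))
            continue
        insn = INSN_LINE.match(line)
        if not insn:
            continue                       # blank lines and anything unexpected
        addr = int(insn.group(1), 16)
        raw, _, mnemonic = insn.group(2).partition("\t")
        nbytes = len(raw.split())
        if not mnemonic.strip():           # continuation line: bytes only
            cur_len += nbytes
            continue
        flush()
        cur_addr, cur_len = addr, nbytes
        cur_is_call = mnemonic.split()[0].startswith("call")
    flush()
    return func_entries, valid_returns


def format_addr_file(addrs):
    """Content of func_addr_file / ret_addr_file: one hex address per line, sorted."""
    return "".join(f"{a:x}\n" for a in sorted(addrs))


if __name__ == "__main__":
    entries, returns = build_whitelists(SAMPLE_DISASSEMBLY)
    print("func_addr_file:\n" + format_addr_file(entries))
    print("ret_addr_file:\n" + format_addr_file(returns))
```

Both the direct call (5-byte e8 encoding) and the indirect call through %rax (2 bytes) contribute a return address, since either form leaves a return address that a later ret must match.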
QEMU-based recording of jump instruction target addresses and interrupt flow verification steps
D) Start the virtual machine kernel with QEMU, which reads kernel instructions and translates and executes them;
In QEMU's instruction translation stage, QEMU does not translate instruction by instruction; translation proceeds in two steps. In the first step the whole system instruction stream is divided at jump instruction boundaries into instruction blocks, called translation blocks. Each translation block therefore ends with a jump instruction, a property that gives the acquisition of addresses a definite structure. Once the instruction stream has been split into translation blocks, QEMU translates with the translation block as its unit; the second step is to translate each instruction within the translation block.
E) In QEMU's translation phase from guest instructions to host instructions, obtain an instruction I of the kernel; before translating it, first check whether an interrupt has occurred, and if so perform step I);
F) Determine the type of instruction I by reading its opcode: if I is an indirect call instruction, perform step G); if I is a ret instruction, perform step H); otherwise perform step J);
G) Process the indirect call instruction I as follows:
G1) If the file call_addr.out does not exist, create call_addr.out to record the target addresses of indirect call instructions;
G2) When translating the indirect call instruction I, set call_flag to 1;
The flag set in step G2) indicates, for each indirect call instruction, that an indirect call instruction is being translated; every time an indirect call instruction is translated, call_flag is set to 1;
G3) Before execution continues with the next translation block, check whether an interrupt occurs; if it does, on entering the interrupt handling function check whether call_flag is 1; if so, record the return address pushed during interrupt handling in the file call_addr.out (at this point the return address pushed by the interrupt is the jump target address of the indirect call instruction), then set call_flag to 0 and jump to step G5);
The reason step G3) must check for an interrupt is that QEMU cannot be interrupted at arbitrary points during binary translation: because the translation blocks used in translation can be very small, QEMU checks for pending interrupts at the start of each translation block, so the determination of the jump instruction target address here must allow for the possibility that an interrupt occurs;
G4) Before QEMU translates the next translation block, check whether call_flag is 1; if it is, record the first address of that translation block in the file call_addr.out, then set call_flag to 0;
G5) Jump to step J);
H) Process the ret instruction I as follows:
H1) If the file ret_addr.out does not exist, create ret_addr.out to record the target addresses of ret instructions;
H2) When translating the ret instruction I, set ret_flag to 1;
The flag set in step H2) indicates, for each ret instruction, that a ret instruction is being translated; every time a ret instruction is translated, ret_flag is set to 1;
H3) Before execution continues with the next translation block, check whether an interrupt occurs; if it does, on entering the interrupt handling function check whether ret_flag is 1; if so, record the return address pushed during interrupt handling in the file ret_addr.out (at this point the return address pushed by the interrupt is the jump target address of the ret instruction), then set ret_flag to 0 and jump to step H5);
The reason for checking for an interrupt here is the same as for indirect call instructions.
H4) Before QEMU translates the next translation block, check whether ret_flag is 1; if so, record the first address of that translation block in the file ret_addr.out, then set ret_flag to 0;
H5) Jump to step J);
I) Process the interrupt as follows:
I1) If the file int_addr.out does not exist, create int_addr.out;
I2) If no custom stack exists, initialise the stack int_addr with space for 50 entries and its top-of-stack pointer pointing to the first position;
I3) Before the interrupt function executes, the register values and the context, including the interrupt return address, need to be pushed on the stack; first check whether the custom stack int_addr is full; if not, push the interrupt return address onto int_addr and increment the top-of-stack pointer by 1; otherwise (int_addr is full) the system reports an error;
I4) After the interrupt function finishes, the system calls the interrupt return function to resume execution at the place where the interrupt occurred, popping the interrupt return address that was recorded at the top of the stack when the interrupt handling function was called; at the same time the interrupt return address recorded in the custom stack int_addr is taken out, and it is checked whether the return address used by the interrupt return function agrees with the return address recorded in int_addr. If the two do not agree, the return address in the interrupt flow is known to have been tampered with, an attack is reported, and the two differing return addresses are output to the file int_addr.out;
I5) Jump to step F);
J) If there are still unprocessed instructions in the operating system instruction set, return to step E) and start processing the next instruction; otherwise the instruction translation phase ends.
Jump instruction target address verification step
K) While instructions are being translated, verify the jump instruction target addresses recorded by QEMU to detect whether an attack has occurred:
K1) Verification of indirect call instruction target addresses: read each newly added jump target address in call_addr.out and verify whether it is a function entry address in func_addr_file; if not, report that an attack has occurred;
K2) Verification of ret instruction target addresses: read each newly added return target address in ret_addr.out and verify whether it is a valid function return address in ret_addr_file; if not, report that an attack has occurred.
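Steps D) to K) (and the equivalent steps 2.1) to 3.3) of the summary) as an event-driven simulation, added here and not part of the patent or of QEMU: it models the call_flag/ret_flag handling across translation-block boundaries and interrupts, the 50-entry custom stack int_addr, and the whitelist checks of K1) and K2). The whitelists, the event trace and all addresses are constructed for the example, and treating an interrupt return that finds int_addr empty as a reported event rather than an error is this example's own assumption.

```python
"""Simulation of the QEMU-side record-and-verify logic of steps D) to K)."""

SHADOW_STACK_SIZE = 50   # step I2) sizes the custom stack int_addr at 50 entries


class ShadowStackFull(Exception):
    """More than SHADOW_STACK_SIZE nested interrupts (step I3 'reports an error')."""


class ControlFlowMonitor:
    def __init__(self, func_entries, valid_returns):
        self.func_entries = func_entries    # contents of func_addr_file
        self.valid_returns = valid_returns  # contents of ret_addr_file
        self.call_flag = False              # G2): an indirect call was just translated
        self.ret_flag = False               # H2): a ret was just translated
        self.int_addr = []                  # I2): custom stack of interrupt return addresses
        self.call_targets = []              # what would be appended to call_addr.out
        self.ret_targets = []               # what would be appended to ret_addr.out
        self.alerts = []                    # attacks reported by I4), K1), K2)

    def _record_pending(self, target):
        """G3)/G4) and H3)/H4): the first address reached after a flagged jump is
        that jump's target; record it, clear the flag, then check it (K1/K2)."""
        if self.call_flag:
            self.call_flag = False
            self.call_targets.append(target)
            if target not in self.func_entries:
                self.alerts.append(("indirect-call", target))
        elif self.ret_flag:
            self.ret_flag = False
            self.ret_targets.append(target)
            if target not in self.valid_returns:
                self.alerts.append(("ret", target))

    def translate(self, kind):
        """F): QEMU translates instruction I; kind is 'icall', 'ret' or 'other'."""
        if kind == "icall":
            self.call_flag = True
        elif kind == "ret":
            self.ret_flag = True

    def block_start(self, first_addr):
        """G4)/H4): QEMU is about to translate the next translation block."""
        self._record_pending(first_addr)

    def interrupt(self, pushed_ret):
        """I3) plus G3)/H3): an interrupt is taken at a block boundary; the return
        address the guest pushed is shadow-stacked and, if a jump was pending,
        it is also that jump's target."""
        if len(self.int_addr) >= SHADOW_STACK_SIZE:
            raise ShadowStackFull(f"{SHADOW_STACK_SIZE} interrupts already nested")
        self.int_addr.append(pushed_ret)
        self._record_pending(pushed_ret)

    def interrupt_return(self, used_ret):
        """I4): compare the address the interrupt return uses with the shadow copy."""
        if not self.int_addr:   # assumption of this example: report, do not abort
            self.alerts.append(("interrupt-return-unmatched", used_ret))
            return
        expected = self.int_addr.pop()
        if expected != used_ret:
            self.alerts.append(("interrupt-return", expected, used_ret))


def run_trace(events, func_entries, valid_returns):
    """Feed a translation-time event trace to a fresh monitor and return it."""
    mon = ControlFlowMonitor(func_entries, valid_returns)
    handlers = {"insn": mon.translate, "block": mon.block_start,
                "irq": mon.interrupt, "iret": mon.interrupt_return}
    for name, arg in events:
        handlers[name](arg)
    return mon


def accepts_nested_interrupts(depth):
    """True if `depth` interrupts can nest before int_addr overflows (step I3)."""
    mon = ControlFlowMonitor(set(), set())
    try:
        for i in range(depth):
            mon.interrupt(0x4000 + i)
    except ShadowStackFull:
        return False
    return True


# Constructed whitelists and trace; every address is invented for the example.
FUNC_ENTRIES = {0x1000, 0x2000}
VALID_RETURNS = {0x1005}
SAMPLE_TRACE = [
    ("insn", "icall"), ("block", 0x2000),  # indirect call to a function entry: legal
    ("insn", "ret"), ("irq", 0x1005),      # interrupt right after ret: pushed address is ret's target
    ("iret", 0x1005),                      # handler returns to the same address: legal
    ("insn", "icall"), ("block", 0x2010),  # target is not a function entry: reported
    ("irq", 0x3000), ("iret", 0x3004),     # return address changed while the handler ran: reported
]

if __name__ == "__main__":
    for alert in run_trace(SAMPLE_TRACE, FUNC_ENTRIES, VALID_RETURNS).alerts:
        print("attack reported:", alert)
```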
The performance impact of the present invention is further illustrated by the following experiment:
Experimental conditions:
The present invention is implemented in the QEMU virtual machine manager. QEMU version 1.5.0 is used to detect code reuse attacks against the Linux 3.11.1 kernel; the function is realised by modifying QEMU's source code.
Experiment content:
The performance testing tool UnixBench was selected. Performance tests were run on the system kernel started by the original QEMU and on the system kernel started by the QEMU with the function of the present invention added, in order to derive the performance loss the present invention introduces. Each test was run three times and the results averaged.
Analysis of results:
The UnixBench performance test results show that the performance loss introduced is about 4%. Overall, the present invention has the advantage of efficient performance.
The above content merely illustrates the technical idea of the present invention and does not limit its scope of protection; any change made on the basis of the technical solution in accordance with the technical idea proposed by the present invention falls within the scope of protection of the claims of the present invention.

Claims (4)

1. A QEMU-based kernel-level code reuse attack detection method, characterised in that it comprises the following steps:
1) Pre-processing
1.1) Create an empty temporary file temp_file and output the content of the operating system kernel image file into temp_file;
1.2) Create a file func_addr_file recording the function entry addresses in the kernel; obtain the entry address of every kernel function from temp_file in turn and write these addresses to func_addr_file;
1.3) Create a file ret_addr_file recording the function return addresses in the kernel; obtain every valid function return address in the system from temp_file in turn and write these addresses to ret_addr_file;
2) QEMU-based recording of jump instruction target addresses and verification of the interrupt flow
3) Verification of jump instruction target addresses
While instructions are being translated, verify the jump instruction target addresses recorded by QEMU to detect whether an attack has occurred.
2. The QEMU-based kernel-level code reuse attack detection method according to claim 1, characterised in that in step 2), the specific procedure for QEMU-based recording of jump instruction target addresses and verification of the interrupt flow is as follows:
2.1) Start the virtual machine kernel with QEMU;
2.2) In QEMU's translation phase from guest instructions to host instructions, obtain an instruction I of the kernel;
2.3) Before instruction I is translated, first check whether an interrupt event has occurred; if so, jump to step 2.7);
2.4) Determine the type of instruction I: if I is an indirect call instruction, jump to step 2.5); if I is a ret instruction, jump to step 2.6); otherwise jump to step 2.8);
2.5) Process the indirect call instruction I as follows:
2.5a) If the file call_addr.out does not exist, create call_addr.out to record the target addresses of indirect call instructions;
2.5b) When translating the indirect call instruction I, set its flag call_flag to 1;
2.5c) If an interrupt occurs at this point, check on entering the interrupt handling function whether call_flag is 1; if so, record the return address pushed on the stack during interrupt handling in call_addr.out, then set call_flag to 0 and jump to step 2.5e);
2.5d) When QEMU translates the target address the indirect call instruction jumps to, check before translation whether the flag call_flag is 1; if so, record the first address of the translation block in call_addr.out (it is the target address of the indirect call instruction), then set call_flag to 0;
2.5e) Jump to step 2.8);
2.6) Process the ret instruction I as follows:
2.6a) If the file ret_addr.out does not exist, create ret_addr.out to record the target addresses of ret instructions;
2.6b) When translating the ret instruction I, set its flag ret_flag to 1;
2.6c) If an interrupt occurs at this point, check on entering the interrupt handling function whether ret_flag is 1; if so, record the return address pushed on the stack during interrupt handling in ret_addr.out, then set ret_flag to 0 and jump to step 2.6e);
2.6d) When QEMU translates the target address the ret instruction jumps to, check before translation whether ret_flag is 1; if so, record the first address of the translation block in ret_addr.out (it is the target address of the ret instruction), then set ret_flag to 0;
2.6e) Jump to step 2.8);
2.7) Process the interrupt as follows:
2.7a) If the file int_addr.out does not exist, create int_addr.out to record interrupt information;
2.7b) If no custom stack exists, initialise the stack int_addr with its top-of-stack pointer pointing to the first position;
2.7c) In QEMU's interrupt handling function, also push the return address that the system pushes on the stack onto the custom stack int_addr;
2.7d) After QEMU has executed the interrupt routine, when the interrupt return instruction is invoked, pop the return address from the custom stack int_addr and compare it with the return address used by the interrupt return instruction; if the two differ, report that an attack has occurred and record the differing return addresses in int_addr.out;
2.7e) Jump to step 2.4);
2.8) If the operating system kernel still has unprocessed instructions, return to step 2.2) and start processing the next instruction; otherwise terminate.
3. The kernel-level code reuse type attack detection method based on QEMU according to claim 2, characterized in that, in said step 2.4), the type of instruction I is determined by QEMU identifying the opcode of the binary instruction.
4. The kernel-level code reuse type attack detection method based on QEMU according to claim 1, 2 or 3, characterized in that, in said step 3), the jump instruction destination address verification steps are specifically as follows:
3.1) Read each newly added destination address in call_addr.out and verify whether it is a function entry address in the func_addr_file file; if not, report that an attack has occurred;
3.2) Read each newly added destination address in ret_addr.out and verify whether it is a valid function return address in the ret_addr_file file; if not, report that an attack has occurred;
3.3) Return to step 3.1).
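The step 3 verification loop as an added example (not the patent's own code): a monitor that re-reads only the newly appended addresses of call_addr.out and ret_addr.out each round and checks them against func_addr_file and ret_addr_file. The one-hex-address-per-line layout of all four files is an assumption, and the sample file contents are constructed.

```python
import os
import tempfile

def load_whitelist(path):
    with open(path, "rb") as f:
        return {int(line, 16) for line in f if line.strip()}

class Verifier:
    def __init__(self, call_out, ret_out, func_addr_file, ret_addr_file):
        self.call_out, self.ret_out = call_out, ret_out
        self.func_ok = load_whitelist(func_addr_file)   # valid function entry addresses
        self.ret_ok = load_whitelist(ret_addr_file)     # valid function return addresses
        self.offset = {call_out: 0, ret_out: 0}         # bytes already verified per file

    def _new_addrs(self, path):
        # Consume complete lines only, so a line QEMU is still writing is re-read next round.
        if not os.path.exists(path):
            return []
        with open(path, "rb") as f:
            f.seek(self.offset[path])
            data = f.read()
        complete = data.rfind(b"\n") + 1
        self.offset[path] += complete
        return [int(l, 16) for l in data[:complete].splitlines() if l.strip()]

    def check_once(self):
        alerts = [("call", a) for a in self._new_addrs(self.call_out) if a not in self.func_ok]  # 3.1
        alerts += [("ret", a) for a in self._new_addrs(self.ret_out) if a not in self.ret_ok]    # 3.2
        return alerts

def demo():
    """Two rounds of step 3.3 over constructed files; returns the alerts of each round."""
    d = tempfile.mkdtemp()
    p = {n: os.path.join(d, n) for n in ("func_addr_file", "ret_addr_file", "call_addr.out", "ret_addr.out")}
    with open(p["func_addr_file"], "w") as f: f.write("0x1000\n0x1100\n")
    with open(p["ret_addr_file"], "w") as f: f.write("0x2000\n0x3000\n")
    with open(p["call_addr.out"], "w") as f: f.write("0x1000\n0x1234\n")
    with open(p["ret_addr.out"], "w") as f: f.write("0x2000\n0xde")   # last line still being written
    v = Verifier(p["call_addr.out"], p["ret_addr.out"], p["func_addr_file"], p["ret_addr_file"])
    first = v.check_once()
    with open(p["ret_addr.out"], "a") as f: f.write("ad\n0x3000\n")  # line completed, plus a valid one
    second = v.check_once()
    return first, second
```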
CN201510574168.8A 2015-09-10 2015-09-10 A kind of kernel level code reuse type attack detection method based on QEMU Active CN105260659B (en)

Publications (2)

Publication Number Publication Date
CN105260659A true CN105260659A (en) 2016-01-20
CN105260659B CN105260659B (en) 2018-03-30

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant