CN109446798A - Device for detecting return-address tampering in a stack - Google Patents

Device for detecting return-address tampering in a stack

Info

Publication number
CN109446798A
Authority
CN
China
Prior art keywords
hash value
return address
stack
return
tampered
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201811109741.8A
Other languages
Chinese (zh)
Inventor
孟丹
李锦峰
陈李维
史岗
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Institute of Information Engineering of CAS
Priority to CN201811109741.8A
Publication of CN109446798A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

An embodiment of the present invention provides a device for detecting whether a return address in a stack has been tampered with. The return addresses and their hash values are stored and verified together through a chain structure. Embodiments of the present invention have the beneficial effects of high security, small performance loss and low design complexity.

Description

Device for detecting return-address tampering in a stack
Technical field
The present invention relates to the field of computer technology, and more particularly to a device for detecting return-address tampering in a stack.
Background
The construction and development of computer technology and the internet have brought enormous advances and impact to every aspect of society, including the economy, culture, science and technology. Information systems such as telecommunications, e-commerce and banking networks have become critical infrastructure for countries and governments, so ensuring the security of computer systems has become a difficult problem that urgently needs to be solved.
A stack overflow vulnerability is an extremely serious system security vulnerability. By writing data that is too long into a limited memory region, it corrupts the memory of the system and causes the system to behave abnormally, crash or restart. Through a stack overflow attack that overwrites a function pointer with the address of attack code, an attacker can obtain partial or complete control of the system; this is a security risk of great severity.
In the prior art, the main prevention and defence mechanisms against stack smashing are the shadow stack and stack protection, which guarantee that the return address is not maliciously tampered with. However, the security of both the shadow stack and stack protection is insufficient, and attackers can still find ways to bypass these two defence techniques.
Summary of the invention
To solve the above problems, embodiments of the present invention provide a device for detecting return-address tampering in a stack that overcomes, or at least partially solves, the above problems.
According to a first aspect of the embodiments of the present invention, a device for detecting return-address tampering in a stack is provided, comprising a hash value computing module, a verification module, a Top register and a counter:
the hash value computing module is used to obtain a hash value to be verified from the return address to be verified that is stored in the top frame of the stack and from the hash value corresponding to that return address, based on any hash value generating algorithm;
wherein the i-th frame of the stack stores the i-th return address together with a random number; each frame from the (i+1)-th frame to the top frame stores a return address together with the hash value corresponding to that return address, where the hash value corresponding to the return address in any frame is obtained, based on the hash value generating algorithm, from the return address and the hash value stored in the preceding frame of the stack; j > i ≥ 1, where j is the index of the top frame;
the verification module is used to confirm that the return address to be verified has been tampered with if the hash value to be verified differs from a pre-generated correct hash value; wherein the correct hash value was obtained in advance, based on the hash value generating algorithm, from the untampered return address in the top frame of the stack and the untampered hash value corresponding to it;
the Top register is used to store the correct hash value, and the correct hash value stored in the Top register can only be modified by preset instructions;
the counter is used to increment its count by one when a call instruction is executed on the stack and to decrement it by one when a return instruction is executed on the stack; at the end of the process, an error is reported if the count is not 0 or if the correct hash value in the Top register has been modified.
Further, the device also includes a Salt register:
the Salt register is used to store a challenge value, which serves as another input of the hash function; the challenge value can only be modified by preset instructions.
Further, the device also includes a hash computing module for executing the hash value generating algorithm;
correspondingly, the challenge value stored in the Salt register cannot be read by any instruction other than the preset instructions.
Further, the verification module is also used to raise an exception and interrupt the program if it confirms that the return address to be verified has been tampered with.
Further, the verification module is also used to confirm that the return address to be verified has not been tampered with if it judges that the hash value to be verified is identical to the pre-generated correct hash value.
The above embodiments of the present invention provide a device for detecting return-address tampering in a stack. The present invention stores and verifies the return addresses and the hash values together through a chain structure, and its embodiments have the beneficial effects of high security, small performance loss and low design complexity.
Brief description of the drawings
Fig. 1 is an overall flow diagram of a method of detecting return-address tampering in a stack using the device of an embodiment of the present invention;
Fig. 2 is a schematic diagram of the chained hash stack in the device of an embodiment of the present invention;
Fig. 3 is a structural diagram of the chained hash stack in the device of an embodiment of the present invention;
Fig. 4 is a structural diagram of a prior-art stack;
Fig. 5 is a diagram of the difference between the execution of the call instruction in the method of an embodiment of the present invention and the prior-art call instruction;
Fig. 6 is a diagram of the difference between the execution of the return instruction in the method of an embodiment of the present invention and the prior-art return instruction;
Fig. 7 is a schematic diagram of the non-compressed and compressed storage structures of the chained hash stack in an embodiment of the present invention;
Fig. 8 is a schematic diagram of the general architecture of the device for detecting return-address tampering in a stack of an embodiment of the present invention.
Detailed description
Specific embodiments of the present invention are described in further detail below with reference to the accompanying drawings and examples. The following examples illustrate the invention and are not intended to limit its scope.
The description first explains the basic concepts, the prior art and its defects.
Memory vulnerability: a design flaw in the temporal or spatial handling of memory that a programmer introduces during software development, which can make the program behave in ways that violate its own design. An attacker can exploit a program's memory vulnerabilities to construct various attacks and execute malicious behaviour.
Buffer overflow: the most common memory vulnerability. Copying more data into a buffer than its length produces a buffer overflow, which overwrites data outside the buffer. A stack overflow vulnerability is the most common kind of buffer overflow: copying over-long data onto the stack causes the buffer on the stack to overflow and overwrite other critical data on the stack.
Stack: a linear list on which operations are restricted. Insertion and deletion are only allowed at one end of the list, called the top; the other end is called the bottom. Inserting a new element into a stack is called pushing (or a call): the new element is placed above the current top element and becomes the new top. Deleting an element from a stack is called popping: the top element is removed and its neighbour becomes the new top.
Stack overflow: a kind of buffer overflow in which useful storage units are overwritten, which often has unpredictable consequences. During execution a program generally allocates memory regions, commonly called buffers, to hold data temporarily. If more data is written into a buffer than its length allows, the buffer cannot hold it and storage units outside the buffer are overwritten; this phenomenon is called a buffer overflow. The buffer length is generally related to the type of the buffer variable that the user defines.
Function call: during compilation or execution, the computer uses a function to complete a related instruction.
Return address: the most important datum stored in the stack is the function return address. When a function is called, the call instruction (e.g. Call) pushes the return address onto the stack. When the function returns, the return instruction (e.g. Return) reads the return address saved in the stack and jumps back to the position in the calling function, from which execution continues. The most common way to attack through a stack overflow vulnerability is to use the overflow to overwrite the return address with an address chosen by the attacker; when the function returns, it jumps to the attacker's position and executes the code the attacker wants executed.
ROP attack: a classic technique for constructing an attack from a memory vulnerability. Because non-executable memory (DEP or NX) is now universal, directly injecting code to carry out a malicious attack has become difficult; a ROP attack instead uses the program's own code, linked together through return addresses, to construct the attack. The principle of ROP is to use code snippets in the program's own code that end with a return instruction (e.g. Return), called gadgets, together with control of the stack, to make the program execute these gadgets one after another. When the program executes a Return, the CPU takes an address from the current stack and jumps to the code that address points to. The attacker first places the addresses of a series of gadgets on the stack; when the CPU executes a Return it takes the first address and jumps to the first gadget, and when that gadget finishes, its final return instruction takes the second address and jumps to the second gadget, and so on, constructing arbitrary malicious behaviour.
The key point of attacks such as ROP is tampering with the return address, and existing techniques all prevent these attacks by protecting the return address. The main related work is the shadow stack and stack protection (the stack cookie, also called the stack canary).
A shadow stack, through various implementations, keeps a backup of each return address in the stack in another memory region (that region is the shadow stack), and compares the return address in the stack with the backup before it is used; if the addresses differ, the address in the stack has been tampered with. In short, the essence of a shadow stack is to keep a copy of the return address in another place, so that modification of the return address in the stack by an attacker is no longer a concern. The CET technology (Control-flow Enforcement Technology) proposed by Intel in 2016 consists mainly of two techniques, one of which is the shadow stack.
Stack protection is a practical technique used in many mainstream compilers such as gcc. With the return address stored in the stack, a canary (the protection value, a random number) is inserted before the return address. If an attacker wants to overwrite the return address using a stack overflow, the protection value is necessarily overwritten as well; since the protection value is a random number that the attacker cannot know, it changes. When the function returns it checks whether the protection value has changed, which reveals whether the return address has been maliciously tampered with.
However, the above prior-art methods have the following technical defects.
The shadow stack method has the following problems:
1. The backup in the shadow stack must be perfectly secure, which is very difficult to achieve in practice. For example, Intel CET uses a new page attribute to mark a separate page as a shadow stack page and protect it. But page attributes can be modified; there have been precedents for this in real attacks, such as against DEP. Protecting a memory region in this way is therefore not sufficiently secure. If an attacker can modify the return address in both the shadow stack and the stack, the protection of the shadow stack is broken.
2. The backup in the shadow stack needs a separate page to store it, which increases memory accesses, reduces performance and increases memory overhead.
3. The implementation of a shadow stack is relatively complex. If the security of the shadow stack itself is not considered, the design can be simple, but the security is insufficient. If the security of the shadow stack itself is considered, additional protection mechanisms must be added to the memory holding the shadow stack, which greatly increases design complexity and reduces practicality.
The stack protection method has the following problems:
1. Stack protection requires a protection value (a random number) to be inserted before the return address. Once an attacker knows the protection value, the return address and the protection value can easily be overwritten while ensuring that the protection value does not change.
2. Stack protection can only defend against a stack overflow that overwrites the return address; it cannot defend against other attacks, for example an arbitrary address write that directly modifies the return address point-to-point.
In short, the security of the shadow stack and of stack protection is insufficient, and attackers can still find ways to bypass them.
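To make the prior-art discussion concrete, the following is a software model of the stack-cookie check and of the two bypasses listed above (an attacker who knows the cookie, and an arbitrary address write that never touches it). It is an added example written for this page, not code from the patent or from any compiler; the frame layout, the cookie value, the addresses and the payloads are all constructed for illustration.

```c
/* Model of the stack-cookie defence ("stack protection") discussed above and of the two
 * bypasses the page lists. Added example, not the patent's code; the frame layout,
 * addresses, canary value and payloads are constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

typedef struct {
    char     buf[16];   /* overflowable local buffer                    */
    uint64_t canary;    /* protection value the compiler inserts        */
    uint64_t ret;       /* saved return address, the attacker's target  */
} frame_t;

enum { RET_OK = 0, RET_CANARY_TRIPPED = 1, RET_HIJACKED = 2 };

#define GOOD_RET 0x401234ULL               /* legitimate return address (assumed)   */
#define EVIL_RET 0x404040ULL               /* attacker-chosen address (assumed)     */
#define CANARY   0x7d1e4b93a2c6f018ULL     /* the process's random cookie (assumed) */

/* One instrumented function: copy `len` input bytes into buf with no bounds check
 * (the overflow), optionally apply an arbitrary-write primitive to the saved return
 * address, then do the epilogue check a cookie-instrumented function performs. */
int run_frame(const unsigned char *input, size_t len, uint64_t arbitrary_write)
{
    frame_t f;
    unsigned char *raw = (unsigned char *)&f;   /* bytes of the whole frame */
    memset(&f, 0, sizeof f);
    f.canary = CANARY;
    f.ret = GOOD_RET;
    if (len > sizeof f) len = sizeof f;
    for (size_t i = 0; i < len; i++) raw[i] = input[i];
    if (arbitrary_write) f.ret = arbitrary_write;  /* point-to-point write, no overflow */
    if (f.canary != CANARY) return RET_CANARY_TRIPPED;
    return f.ret == GOOD_RET ? RET_OK : RET_HIJACKED;
}

/* Benign input stays inside the buffer. */
int benign(void)
{
    return run_frame((const unsigned char *)"hi", 2, 0);
}

/* Blind overflow: the canary is clobbered and the epilogue check fires. */
int attack_blind(void)
{
    unsigned char p[32];
    memset(p, 'A', sizeof p);
    return run_frame(p, sizeof p, 0);
}

/* An attacker who knows the canary writes it back in place, so the check passes
 * while the return address is still replaced. */
int attack_known_canary(void)
{
    unsigned char p[32];
    uint64_t c = CANARY, r = EVIL_RET;
    memset(p, 'A', 16);
    memcpy(p + offsetof(frame_t, canary), &c, sizeof c);
    memcpy(p + offsetof(frame_t, ret), &r, sizeof r);
    return run_frame(p, sizeof p, 0);
}

/* Arbitrary address write: the return address changes, the canary is never touched. */
int attack_arbitrary_write(void)
{
    return run_frame((const unsigned char *)"hi", 2, EVIL_RET);
}
```

The blind overflow is the only one of the three inputs the cookie reports; the other two change the return address and pass the epilogue check, which is exactly the gap the chained hash stack below is meant to close by binding the return address to a value the attacker cannot simply copy back.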
Specific embodiments of the present invention propose a method of detecting return-address tampering in a stack.
As shown in Fig. 1, the overall flow of a method of detecting return-address tampering in a stack using the chained hash stack of an embodiment of the present invention comprises:
S1, obtaining a hash value to be verified from the return address to be verified that is stored in the top frame of the stack and from the hash value corresponding to that return address, based on any hash value generating algorithm;
wherein the i-th frame of the stack stores the i-th return address together with a random number; each frame from the (i+1)-th frame to the top frame stores a return address together with the hash value corresponding to that return address, where the hash value corresponding to the return address in any frame is obtained, based on the hash value generating algorithm, from the return address and the hash value stored in the preceding frame of the stack; j > i ≥ 1, where j is the index of the top frame;
S2, confirming that the return address to be verified has been tampered with if the hash value to be verified differs from a pre-generated correct hash value; wherein the correct hash value was obtained in advance, based on the hash value generating algorithm, from the untampered return address in the top frame of the stack and the untampered hash value corresponding to it.
Specifically, embodiments of the present invention use a mainstream hash algorithm to protect the return address. Hash algorithms have some unique advantages: it is difficult to recover the input of a hash from its output, and it is difficult for an attacker to obtain a desired output value by controlling the input. The present invention maintains the return addresses and the hash values together through a chain structure. As shown in Fig. 2, the newest hash value is computed from the newest return address (stored in the top frame of the stack) and the previous hash value (also stored in the top frame). The hash value in the top frame was in turn computed from the return address and the hash value stored in the frame before it. Thus the return addresses and hash values of all frames in the stack form a chain.
Fig. 3 illustrates the stack structure of an embodiment of the present invention. Compared with the normal stack structure of Fig. 4, the stack structure of the embodiment stores each return address and its corresponding hash value in the same frame. Note that the hash values and return addresses stored in the same frame are staggered: the first return address (Address 1) is stored together with a random number (RAND); the first hash value (Hash 1), computed from the first return address and the random number, is stored together with the second return address; and so on, the second hash value being stored together with the third return address. The newest hash value (Hash 3) is stored in a special register, called the Top register. The random number RAND is the initial value of the Top register.
Further, the specific execution of the call instruction and the return instruction in embodiments of the present invention is introduced, taking the call and return instructions as the example.
The execution of the normal call and return instructions is introduced first, followed by the execution of the call and return instructions of the present invention. Fig. 5 illustrates how the execution of the call instruction of the present invention differs from the normal execution, and Fig. 6 illustrates the same for the return instruction.
Normal call instruction (Call) execution: 1) push the return address; 2) store the destination address of the call instruction in the PC (equivalent to jumping to the destination address).
Normal return instruction (Return) execution: 1) pop the return address; 2) store the return address in the PC (equivalent to jumping to the return address).
Call instruction (Call) of the present invention: 1) push the hash value in the Top register together with the return address (the untampered return address of the top frame); 2) using the data pushed in step 1 (the hash value and the return address) as the input of the hash function, compute a new hash value (the correct hash value) and store it in the Top register; 3) store the destination address of the call instruction in the PC.
Return instruction (Return) of the embodiment of the present invention: 1) pop the hash value and the return address (the return address to be verified) of the top frame, and compute the hash of the popped hash value and return address (the hash value to be verified); 2) compare the computed hash value (the hash value to be verified) with the hash value saved in the Top register (the correct hash value). If the two are not equal, an anomaly has occurred: raise an alarm and interrupt the program. If the two are equal, everything is normal and execution continues. 3) Store the popped hash value (the popped hash value, not the hash value to be verified) in the Top register. 4) If the hash value to be verified equals the correct hash value, store the return address to be verified in the PC; if they are not equal, raise an exception and interrupt the program.
In another specific embodiment of the present invention, a method of detecting return-address tampering in a stack is provided, and the processor executing the method further includes a Top register, where the Top register is used to store the correct hash value, and the correct hash value stored in the Top register can only be modified by preset instructions.
In another specific embodiment of the present invention, a method of detecting return-address tampering in a stack is provided, and the processor executing the method further includes a Salt register for storing a challenge value, which serves as another input of the hash function; the challenge value can only be modified by preset instructions.
To implement the above embodiments in an actual design, at least one register must be added to the processor that executes the method of detecting return-address tampering in a stack: at least a Top register, and possibly also a Salt register. The Top register holds the newest hash value. The challenge value stored in the Salt register is another input of the hash function; it is generally a random value but may be another kind of value, and it further increases the difficulty of cracking the hash function.
At the very start of a process, the Top register and the Salt register are each set to a random number, or to a non-random number generated in some other way, a random number being preferred. The hardware should ensure that the correct hash value stored in the Top register and the challenge value stored in the Salt register can only be modified by preset instructions; otherwise the present invention loses its defensive effect. Protecting a few special registers from modification by an attacker is easy to achieve. Even if an attacker reads the Salt register, the present invention still ensures that the attacker cannot easily tamper with the return address, and it retains high security.
The hardware need not guarantee that the Top register cannot be read by an attacker: whether the attacker can read the Top register has no effect on the security of the present invention.
In another specific embodiment of the present invention, a method of detecting return-address tampering in a stack is provided, in which the challenge value stored in the Salt register and the correct hash value stored in the Top register cannot be read by instructions other than the preset instructions.
The hardware should guarantee as far as possible that the Salt register cannot be read by an attacker, which is also technically easy to achieve. Even if an attacker reads the Salt register, the present invention still ensures that the attacker cannot easily tamper with the return address, and it retains high security.
In another specific embodiment of the present invention, a method of detecting return-address tampering in a stack is provided, and the processor executing the method further includes a hash computing module for executing the hash value generating algorithm.
The embodiment of the present invention imposes few requirements on the choice of hash algorithm: any hash algorithm can be used, and even other encryption and decryption algorithms.
In another specific embodiment of the present invention, a method of detecting return-address tampering in a stack is provided, in which any return address in the stack and the hash value corresponding to it are stored separately at different locations within the same stack frame. As shown in Fig. 7, storing the return address and the hash value at separate locations is called the non-compressed (or normal) structure.
In another specific embodiment of the present invention, a method of detecting return-address tampering in a stack is provided, in which, on a 64-bit operating system, any return address in the stack is stored normally at its usual position in the stack and the hash value corresponding to it is stored in the high bits of that position.
In particular, in a 64-bit system a return address occupies 64 bits, but the actual return address is not that long, generally only 40-odd bits, so the high bits of the 64 are idle and the hash value can be saved in them. This storage structure is called the compressed structure, as shown in Fig. 7. Compared with the original stack structure, the compressed structure differs only in the value of the return address in the stack; the layout is completely identical. This yields the most important beneficial effect, compatibility with existing binaries, because most programs follow these rules: (1) call instructions and return instructions are matched; (2) only the call and return instructions use the return address, other instructions do not; (3) other values in the stack are located by offset, so if the layout is kept, the other data in the stack can be used directly. Correspondingly, the operation needed to obtain this benefit is to replace all (or the matched portion of the) call and return instructions in the original program with the call and return instructions of the embodiment and to use the compressed structure. The compressed structure also saves space compared with the non-compressed structure.
Of course, besides the return address, some other data may be held in the high bits of the 64, such as the random bits of ASLR. Even so, this data does not exhaust the 64-bit space and tends to leave 20-odd idle bits, which is sufficient to hold the hash value.
In another specific embodiment of the present invention, a method of detecting return-address tampering in a stack is provided, which further comprises, after S2: raising an exception and interrupting the program.
If the return address to be verified is confirmed to have been tampered with, an anomaly has occurred: an alarm should be raised and the program interrupted.
In another specific embodiment of the present invention, a method of detecting return-address tampering in a stack is provided, in which the return address to be verified is confirmed to be untampered if the hash value to be verified is identical to the pre-generated correct hash value.
In another specific embodiment of the present invention, a method of detecting return-address tampering in a stack is provided, and the processor executing the method further includes a counter, which increments its count by one when a call instruction (e.g. Call) is executed on the stack and decrements it by one when a return instruction (e.g. Return) is executed on the stack; at the end of the process, an error is reported if the count is not 0 or if the correct hash value in the Top register has been modified.
The embodiment of the present invention also considers an extremely capable attacker with unlimited computing power, who might forcibly tamper with the return address by way of a hash collision and construct an identical hash value. Even in this extreme case, the embodiment still has a way to discover the attack: the attacker cannot control the value of the Top register, so after the attack the value of the Top register cannot be guaranteed to be consistent with its initial value, and a trace of the attack is necessarily left.
A Number counter is further added in the embodiment of the present invention to record the number of executions of call instructions and return instructions and to ensure that the numbers of call and return instructions are equal. When the process starts, the Number counter is initialized to 0; executing a call instruction adds one to the count; executing a return instruction subtracts one; when the process ends, Number should be 0, otherwise an error is reported and the program is terminated.
Likewise, when the process exits, the value of the Top register should equal the initial value of the Top register at process start; otherwise the process is considered to have been attacked, an error is reported and execution is terminated.
If the possibility that a process exits midway is considered, the values of the Top register and the Number register must also be saved and monitored, to ensure that they match at the point of the midway exit.
Figure 8 shows a schematic diagram of the overall framework of a device for detecting the history of tampering of a return address in a stack according to the invention. In general it comprises a hash value computing module A1, a verification module A2, a Top register A3 and a counter A4:
Hash value computing module A1, for obtaining the hash value to be verified from the return address to be verified stored in the top frame of the stack and the hash value corresponding to that return address, based on any hash value generating algorithm;
wherein the i-th frame of the stack stores the i-th return address and a random number; each frame from the (i+1)-th frame up to the top frame stores the return address corresponding to that frame and the hash value corresponding to that return address, where the hash value corresponding to the return address of any frame is obtained, based on any hash value generating algorithm, from the return address stored in the previous frame of the stack and the hash value corresponding to that return address; j > i ≥ 1, where j is the index of the top frame;
Verification module A2, for confirming, if the hash value to be verified differs from the pre-generated correct hash value, that the return address to be verified has been tampered with; wherein the correct hash value is obtained beforehand, based on any hash value generating algorithm, from the untampered return address of the top frame of the stack and the hash value corresponding to that untampered return address;
Top register A3, for storing the correct hash value, where the correct hash value stored in Top register A3 can only be modified by preset instructions;
Counter A4, incremented by one when a call instruction is executed on the stack and decremented by one when a return instruction is executed on the stack; at the end of the process, if the count of the counter is not 0 or the correct hash value in the Top register has been modified, an error is reported.
On the basis of any of the above specific embodiments of the invention, the device for detecting the history of tampering of a return address in a stack further includes a Salt register:
the Salt register is for storing a challenge value (the salt), which serves as another input to the hash function; the challenge value can only be modified by preset instructions.
On the basis of any of the above specific embodiments of the invention, the device for detecting the history of tampering of a return address in a stack further includes a hash computing module for executing any hash value generating algorithm;
correspondingly, the challenge value stored in the Salt register cannot be read by any instruction other than the preset instructions.
On the basis of any of the above specific embodiments of the invention, in the device for detecting the history of tampering of a return address in a stack, the verification module is further for: if it is confirmed that the return address to be verified has been tampered with, raising an exception and interrupting the program.
On the basis of any of the above specific embodiments of the invention, in the device for detecting the history of tampering of a return address in a stack, the verification module is further for: if it judges that the hash value to be verified is identical to the pre-generated correct hash value, confirming that the return address to be verified has not been tampered with.
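As an added example (not the patent's own code), the following Python model ties together the compressed layout described above and the modules A1 to A4 plus the Salt register: a call pushes the return address with the chain value of the frame below packed into one 64-bit word and updates Top, a return recomputes the hash and compares it with Top, and the counter and Top checks run at process end. The 40/24-bit split, the use of truncated BLAKE2b as the hash, and all register values and addresses are assumptions.

```python
import hashlib
import struct

# Added example, not the patent's own code: a software model of the chained hash stack
# (modules A1-A4 plus the Salt register) in the compressed layout, with the hash kept in
# the idle high bits of the 64-bit return-address slot. Assumed: return addresses fit in
# 40 bits (24 left for the hash); BLAKE2b truncated to 24 bits; values are constructed.
ADDR_BITS = 40
HASH_BITS = 64 - ADDR_BITS
ADDR_MASK = (1 << ADDR_BITS) - 1
HASH_MASK = (1 << HASH_BITS) - 1

def hash_value(salt: int, ret_addr: int, prev_hash: int) -> int:
    """Hash computing module: H(Salt, return address, chain value of the frame below)."""
    msg = struct.pack("<QQQ", salt, ret_addr, prev_hash)
    return int.from_bytes(hashlib.blake2b(msg, digest_size=8).digest(), "little") & HASH_MASK

def pack(ret_addr: int, h: int) -> int:
    """Compressed layout: hash in the high bits, return address in the low bits."""
    return ((h & HASH_MASK) << ADDR_BITS) | (ret_addr & ADDR_MASK)

def unpack(word: int):
    return word & ADDR_MASK, (word >> ADDR_BITS) & HASH_MASK

class ChainedHashStack:
    def __init__(self, salt: int, top_init: int):
        # The OS would set Salt and Top to per-process random values at process start.
        self.salt = salt                  # Salt register: not readable by ordinary code
        self.top = top_init & HASH_MASK   # Top register: chain value of the top frame
        self.top_init = self.top
        self.counter = 0                  # Number counter: calls minus returns
        self.frames = []                  # stack memory, one 64-bit word per frame

    def call(self, ret_addr: int) -> None:
        # A frame holds its return address plus the chain value of the frame below it.
        self.frames.append(pack(ret_addr, self.top))
        self.top = hash_value(self.salt, ret_addr, self.top)
        self.counter += 1

    def ret(self) -> int:
        # Verification module: recompute from the top frame and compare with Top.
        ret_addr, prev_hash = unpack(self.frames.pop())
        if hash_value(self.salt, ret_addr, prev_hash) != self.top:
            raise RuntimeError("return address tampered")
        self.top = prev_hash              # only call/return instructions modify Top
        self.counter -= 1
        return ret_addr

    def exit_check(self) -> bool:
        # Process end: the counter must be 0 and Top back at its initial value.
        if self.counter != 0 or self.top != self.top_init:
            raise RuntimeError("unbalanced call/return or Top register modified")
        return True

def detects_overwrite() -> bool:
    # Constructed scenario: a stack overflow corrupts the top frame's return address.
    s = ChainedHashStack(salt=0x5A17, top_init=0xABCDEF)
    s.call(0x401000)
    s.call(0x402080)
    assert s.ret() == 0x402080                                 # untouched frame verifies
    s.frames[-1] = pack(0xDEADBEEF, unpack(s.frames[-1])[1])   # return address overwritten
    try:
        s.ret()
        return False
    except RuntimeError:
        return True
```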
To apply the invention to a real system, support from the compiler, the operating system and other components is also required. The operating system needs to know of the existence of the specified registers (including the Top register and the Salt register). At the start of each process it initializes these registers, setting them to random values. On a process switch it saves the values of these registers, ensuring that each process has its own information and that processes do not affect each other. The compiler also needs to know these specified registers. If the uncompressed structure is used, the compiler must add code to operate on these registers. If the compressed structure is used, the compiler must know the specific layout of the 64-bit return address, that is, which bits are the return address and which bits are the hash value, so that it can add the special handling code to the program. With sufficient compiler support, the invention can also be implemented by the compiler alone (without hardware support), but this is less efficient than a pure hardware implementation, with a performance loss of about 3%.
The invention has very high flexibility and compatibility. For example, a multi-chain structure may be used, in which every certain number of return addresses is protected by a different chain; or some addresses are protected and others are not, to increase the difficulty of cracking for an attacker. The invention does not conflict with other defense methods and can be used in combination with them.
Compared with other techniques, each of the above specific embodiments uses a chaining technique, linking return addresses and hash values into a chain; this is the core idea of the invention. The invention protects return addresses with hash computation, which has some unique advantages: for example, even knowing the final hash value, it is hard to derive the original value from it. Note, however, that other encryption and decryption algorithms could still be used in place of the hash algorithm. The chained hash brings advantages in many aspects, such as high security, small performance loss and low design complexity.
Meanwhile, the above embodiments of the invention are better than existing methods in security, performance, design complexity, compatibility and practicality. Compared with any particular technique, the invention is better in some aspects and no worse in the others.
First, the invention strictly guarantees that the return address cannot be maliciously tampered with; its security is higher than that of other methods. For example, a shadow stack cannot guarantee that the shadow stack's backup data are not modified, and stack protection cannot prevent leakage of the protection value.
Second, according to experiments, the performance loss of the hardware-supported invention is only 0.15%, lower than that of the various existing methods.
In hardware, the invention only needs a few additional registers and one hash operation module; its design complexity is very low and it is easy to implement. Other methods, such as shadow stacks, may modify the page table management mechanism, with much higher complexity than the invention.
The invention is highly general and can be used in any mainstream computer system. Function call and return are the most basic program functions, supported by all computers, so the invention can be used in every computer system that supports function call and return.
The invention has high compatibility: it changes the system very little and can easily be added to existing computer systems.
In short, the invention is a very useful technique that can easily be applied in real systems.
In addition, the invention has some exclusive advantages. For example, once an attack succeeds, existing defense methods cannot discover it, whereas even if the invention is actually cracked by an attacker, the attacker necessarily leaves a trace of the attack and will therefore necessarily be discovered.
Finally, the methods of this application are only preferred embodiments and are not intended to limit the protection scope of the embodiments of the invention. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the embodiments of the invention shall be included within the protection scope of the embodiments of the invention.

Claims (5)

1. A device for detecting the history of tampering of a return address in a stack, characterized by comprising a hash value computing module, a verification module, a Top register and a counter:
the hash value computing module is for obtaining the hash value to be verified from the return address to be verified stored in the top frame of the stack and the hash value corresponding to that return address, based on any hash value generating algorithm;
wherein the i-th frame of the stack stores the i-th return address and a random number; each frame from the (i+1)-th frame up to the top frame stores the return address corresponding to that frame and the hash value corresponding to that return address, where the hash value corresponding to the return address of any frame is obtained, based on any hash value generating algorithm, from the return address stored in the previous frame of the stack and the hash value corresponding to that return address; j > i ≥ 1, where j is the index of the top frame;
the verification module is for confirming, if the hash value to be verified differs from the pre-generated correct hash value, that the return address to be verified has been tampered with; wherein the correct hash value is obtained beforehand, based on any hash value generating algorithm, from the untampered return address of the top frame of the stack and the hash value corresponding to that untampered return address;
the Top register is for storing the correct hash value, and the correct hash value stored in the Top register can only be modified by preset instructions;
the counter is incremented by one when a call instruction is executed on the stack and decremented by one when a return instruction is executed on the stack; at the end of the process, if the count of the counter is not 0 or the correct hash value in the Top register has been modified, an error is reported.
2. The device according to claim 1, characterized by further comprising a Salt register:
the Salt register is for storing a challenge value (the salt), which serves as another input to the hash function; the correct hash value stored therein cannot be read by instructions other than the preset instructions.
3. The device according to claim 2, characterized by further comprising a hash computing module for executing any hash value generating algorithm;
correspondingly, the correct hash value stored in the Salt register cannot be read by instructions other than the preset instructions.
4. The device according to claim 1, characterized in that the verification module is further for: if it is confirmed that the return address to be verified has been tampered with, raising an exception and interrupting the program.
5. The device according to claim 1, characterized in that the verification module is further for: if it judges that the hash value to be verified is identical to the pre-generated correct hash value, confirming that the return address to be verified has not been tampered with.
CN201811109741.8A 2018-09-21 2018-09-21 Device for detecting the history of tampering of a return address in a stack Pending CN109446798A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811109741.8A CN109446798A (en) 2018-09-21 2018-09-21 Device for detecting the history of tampering of a return address in a stack

Publications (1)

Publication Number Publication Date
CN109446798A true CN109446798A (en) 2019-03-08

Family

ID=65530910

Country Status (1)

Country Link
CN (1) CN109446798A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110378109A (en) * 2019-06-26 2019-10-25 Institute of Information Engineering of CAS Method and system for reducing the performance loss of a chained hash stack

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8196110B2 (en) * 2007-11-30 2012-06-05 International Business Machines Corporation Method and apparatus for verifying a suspect return pointer in a stack
CN104520868A (en) * 2012-08-06 2015-04-15 Inside Secure System for detecting a modification of a subprogram call stack
US20160171211A1 (en) * 2014-12-12 2016-06-16 Microsoft Technology Licensing, Llc Return Oriented Programming (ROP) Attack Protection
US9514285B2 (en) * 2014-09-26 2016-12-06 Intel Corporation Creating stack position dependent cryptographic return address to mitigate return oriented programming attacks


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190308