CN109508538A - A stack structure for detecting tampering of return addresses in the stack - Google Patents

Publication number
CN109508538A
Authority
CN
China
Legal status
Pending
Application number
CN201811108317.1A
Other languages
Chinese (zh)
Inventor
陈李维
李锦峰
史岗
孟丹
Current Assignee
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS
Application filed by Institute of Information Engineering of CAS
Priority to CN201811108317.1A
Publication of CN109508538A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow

Abstract

Embodiments of the present invention provide a stack structure for detecting tampering of return addresses in the stack. The invention stores and verifies both the return addresses and the hash values through a chain structure, and the embodiments offer benefits such as high security, low performance loss and low design complexity.

Description

A stack structure for detecting tampering of return addresses in the stack
Technical field
The present invention relates to the field of computer technology, and more particularly to a stack structure for detecting tampering of return addresses in the stack.
Background
The construction and development of computer technology and the Internet have brought enormous advances and impact to the economy, culture, science and technology of society as a whole. Large numbers of information systems, such as telecommunications, e-commerce and banking networks, have become critical infrastructure for the state and government, so how to ensure the security of computer systems has become a pressing problem.
A stack overflow vulnerability is an extremely serious system security vulnerability. Writing overly long data into a limited memory space corrupts the system's memory and causes the system to malfunction, crash or restart. Through a stack overflow attack, overwriting a function pointer with the address of attack code can give the attacker partial or complete control of the system, which is a highly threatening security risk.
In the prior art, the main prevention and defense mechanisms against stack corruption are the shadow stack and stack protection techniques, which ensure that the return address is not maliciously tampered with. However, neither the shadow stack nor stack protection is secure enough, and attackers can still find attack methods that bypass both defenses.
Summary of the invention
To solve the above problems, embodiments of the present invention provide a stack structure for detecting tampering of return addresses in the stack that overcomes, or at least partially solves, the above problems.
According to a first aspect of the embodiments of the present invention, a stack structure for detecting tampering of return addresses in the stack is provided. The i-th frame of the stack stores the i-th return address and a random number. Each frame from the (i+1)-th frame to the top-of-stack frame stores the return address corresponding to that frame and the hash value corresponding to that return address. The hash value corresponding to a return address is obtained by applying any hash-generation algorithm to the return address stored in the preceding frame and the hash value corresponding to that return address. Here j > i ≥ 1, where j is the index of the top-of-stack frame.
Further, any return address in the stack and the hash value corresponding to that return address are stored separately at different positions in the same stack frame.
Further, in a 64-bit operating system, any return address in the stack and the hash value corresponding to that return address are stored, combined in any manner, at any position in the stack.
Further, in a 64-bit operating system, any return address in the stack is stored normally at any position in the stack, and the hash value corresponding to that return address is stored in the high-order bits of that position.
The present invention provides a stack structure for detecting tampering of return addresses in the stack. The invention stores and verifies both the return addresses and the hash values through a chain structure, and offers benefits such as high security, low performance loss and low design complexity.
Brief description of the drawings
Fig. 1 is an overall flow diagram of a method that uses the stack structure for detecting tampering of return addresses in the stack, according to an embodiment of the present invention, to detect tampering of return addresses in the stack;
Fig. 2 is a schematic diagram of the stack structure for detecting tampering of return addresses in the stack according to an embodiment of the present invention;
Fig. 3 is a structural diagram of the stack structure for detecting tampering of return addresses in the stack according to an embodiment of the present invention;
Fig. 4 is a structural diagram of a prior-art stack;
Fig. 5 is a diagram of the differences between call-instruction execution in the method for detecting tampering of return addresses in the stack according to an embodiment of the present invention and prior-art call-instruction execution;
Fig. 6 is a diagram of the differences between return-instruction execution in the method for detecting tampering of return addresses in the stack according to an embodiment of the present invention and prior-art return-instruction execution;
Fig. 7 is a diagram of the non-compressed structure and the compressed storage structure of the stack structure for detecting tampering of return addresses in the stack according to an embodiment of the present invention.
Detailed description of the embodiments
Specific embodiments of the present invention are described in further detail below with reference to the drawings and examples. The following examples illustrate the invention and are not intended to limit its scope.
First, the basic concepts, the prior art and its defects are explained.
Memory vulnerability: a design error made by a programmer during software development in the temporal or spatial handling of memory operations, which may cause the program to behave in ways that violate its own design. By exploiting a program's memory vulnerabilities, an attacker can construct a variety of attacks and carry out malicious behavior.
Buffer overflow: the most common memory vulnerability. Copying more data into a buffer than the buffer can hold produces a buffer overflow, which overwrites other data outside the buffer. The stack overflow vulnerability is the most common kind of buffer overflow vulnerability: copying overly long data onto the stack overflows a buffer on the stack and overwrites other critical data on the stack.
Stack: a linear list with restricted operations. The restriction is that insertion and deletion are allowed only at one end of the list. This end is called the top of the stack; the other end is called the bottom. Inserting a new element into a stack is called pushing: the new element is placed on top of the current top element and becomes the new top element. Deleting an element from a stack is called popping: the top element is removed and its adjacent element becomes the new top element.
Stack overflow: one kind of buffer overflow. It causes useful memory locations to be overwritten, often with unpredictable consequences. While running, a program generally allocates some memory to hold data temporarily; these areas are commonly called buffers. If data longer than the buffer is written into it, the buffer cannot hold the data and memory locations outside the buffer are overwritten; this phenomenon is called buffer overflow. The buffer length generally depends on the type of the buffer variable the user defines.
Function call: during compilation or execution, a function is used to carry out the relevant operation.
Return address: one of the most important pieces of data stored on the stack is the function return address. When a function is called, the call instruction (for example, the Call instruction) pushes the function return address onto the stack. When the function returns, the return instruction (for example, the Return instruction) reads the return address saved on the stack, jumps back to the original location in the calling function, and continues execution. The most common way to exploit a stack overflow vulnerability is to use the overflow to overwrite the return address, changing it to an address set by the attacker. When the function returns, execution jumps to the location the attacker set and runs the code the attacker wants executed.
ROP attack: a classic technique for constructing attacks from memory vulnerabilities. With the widespread adoption of non-executable memory (DEP or NX), directly injecting code to carry out a malicious attack has become difficult. A ROP attack instead uses the program's own code, linked together by return addresses, to construct the attack. The principle is to use code fragments in the program's own code that end with a return instruction (for example, the Return instruction), called gadgets, together with control of the stack contents, to make the program run these gadgets one after another. When the program executes a Return, the CPU takes an address from the current stack and jumps to the code at that address. The attacker first places the addresses of a series of gadgets on the stack. When the CPU reaches a Return, it takes the first address and jumps to the first gadget; when the first gadget finishes, its closing return instruction takes the second address and jumps to the second gadget, and so on, building up arbitrary malicious behavior.
The key to attacks such as ROP is tampering with the return address, and existing techniques prevent these attacks by protecting the return address. The main related work is the shadow stack and stack protection (stack cookie, also called stack canary).
A shadow stack, in its various implementations, stores a backup of the stack's return addresses in another memory region (this region is the shadow stack). Before a return address on the stack is used, it is compared with the backup; if they differ, the address on the stack has been tampered with. Put simply, the essence of a shadow stack is to keep a backup of the return address in another place, so that an attacker modifying the return address on the stack is no longer a concern. The CET technology (Control-flow Enforcement Technology) proposed by Intel in 2016 consists mainly of two techniques, one of which is the shadow stack.
Stack protection is a practical technique used in many mainstream compilers, such as gcc. The return address is stored on the stack, and a canary (a protection value, which is a random number) is inserted before the return address. If an attacker wants to overwrite the return address with a stack overflow, the overflow necessarily overwrites the protection value as well. Because the protection value is a random number that the attacker cannot know, the protection value changes. When the function returns, it checks whether the protection value has changed and can thereby discover whether the return address has been maliciously tampered with.
However, the above prior-art methods have the following technical defects.
The shadow stack method has several problems:
1. The backup in the shadow stack must be absolutely secure, which is very difficult in practice. Intel CET, for example, proposes a new page attribute that marks individual pages as "shadow stack" pages for protection. But this page attribute can be modified; there is precedent for this in earlier real-world attacks on DEP. Protecting a region of memory in this way is therefore not secure enough. If an attacker can modify the return address on both the shadow stack and the stack at the same time, the shadow stack protection is defeated.
2. The backup in the shadow stack needs a separate page for storage, which adds memory accesses, reduces performance and increases memory overhead.
3. Implementing a shadow stack is complex. If the security of the shadow stack itself is ignored, the design can be fairly simple, but it is not secure enough. If the security of the shadow stack itself is considered, additional protection mechanisms must be added for the memory that holds it, which greatly increases design complexity and reduces practicality.
The stack protection method has several problems:
1. Stack protection requires inserting a protection value (a random number) before the return address. Once the attacker knows the protection value, the attacker can easily overwrite both the return address and the protection value while keeping the protection value unchanged.
2. Stack protection only defends against a stack overflow overwriting the return address and cannot defend against other attacks, for example using an arbitrary address write to modify the return address directly.
In short, neither the shadow stack nor stack protection is secure enough, and attackers can still find ways to bypass them.
A specific embodiment of the present invention proposes a method for detecting tampering of return addresses in the stack.
Fig. 1 shows the overall flow of a method that uses the stack structure for detecting tampering of return addresses in the stack, according to an embodiment of the present invention, to detect tampering of return addresses in the stack. The method comprises:
S1: from the return address to be verified stored in the top-of-stack frame and the hash value corresponding to the return address to be verified, obtain the hash value to be verified using any hash-generation algorithm;
Here, the i-th frame of the stack stores the i-th return address and a random number. Each frame from the (i+1)-th frame to the top-of-stack frame stores the return address corresponding to that frame and the hash value corresponding to that return address. The hash value corresponding to a return address is obtained by applying any hash-generation algorithm to the return address stored in the preceding frame and the hash value corresponding to that return address. Here j > i ≥ 1, where j is the index of the top-of-stack frame;
S2: if the hash value to be verified differs from the pre-generated correct hash value, confirm that the return address to be verified has been tampered with. The correct hash value is obtained in advance, using any hash-generation algorithm, from the untampered return address of the top-of-stack frame and the hash value corresponding to that untampered return address.
Specifically, the embodiment mainly uses a hash algorithm to protect the return address. Hash algorithms have some unique advantages: for example, it is hard to derive the input from the hash output, and it is also hard for an attacker to control the input so as to produce a desired output value. The invention maintains both the return addresses and the hash values through a chain structure. As shown in Fig. 2, the newest hash value is computed from the newest return address (the one stored in the top-of-stack frame) and the previous hash value (the one stored in the top-of-stack frame). The hash value in the top-of-stack frame is computed from the return address and the hash value stored in the frame before it. The return addresses and hash values in the frames of the stack therefore form a chain.
Fig. 3 illustrates the stack structure for detecting tampering of return addresses in the stack according to the embodiment. Compared with the normal stack structure in Fig. 4, the stack structure of the embodiment stores return addresses and their corresponding hash values in the same frames. Note that the hash value and the return address stored in the same frame are staggered: the first return address (Address1) is stored together with a random number (RAND); the first hash value (Hash 1), computed from the first return address and the random number, is stored together with the second return address; likewise, the second hash value is stored with the third return address; and the newest hash value (Hash 3) is stored in a special register (called the Top register). The random number RAND is the initial value of the Top register.
Next, the execution of the call and return instructions in the embodiment is described, taking the call and return instructions as examples.
The execution of the normal call and return instructions is described first, followed by the execution of the call and return instructions of the present invention. Fig. 5 shows how call-instruction execution in the invention differs from normal execution, and Fig. 6 shows how return-instruction execution in the invention differs from normal execution.
Normal call instruction (Call instruction) execution: 1) push the return address onto the stack; 2) store the destination address of the call instruction (Call instruction) in the PC (equivalent to jumping to the destination address).
Normal return instruction (Return instruction) execution: 1) pop the return address; 2) store the return address in the PC (equivalent to jumping to the return address).
Call instruction (Call instruction) execution in the present invention: 1) push the hash value in the Top register together with the return address (the untampered return address of the top-of-stack frame); 2) use the pushed data (the hash value and return address from step 1) as the input of the hash function to compute a new hash value (the correct hash value), and store the new hash value in the Top register; 3) store the destination address of the call instruction (Call instruction) in the PC.
Return instruction (Return instruction) execution in the embodiment: 1) pop the hash value and the return address (the return address to be verified) from the top-of-stack frame, and compute the hash of the popped hash value and return address (the hash value to be verified); 2) compare the computed hash value (the hash value to be verified) with the hash value saved in the Top register (the correct hash value). If the two are not equal, an anomaly has occurred; an alarm should be raised and program execution interrupted. If the two are equal, everything is normal and execution continues; 3) store the popped hash value in the Top register (the popped hash value, not the hash value to be verified); 4) when the hash value to be verified equals the correct hash value, store the return address to be verified in the PC; when the hash value to be verified and the correct hash value are not equal, an anomaly has occurred and the program is interrupted.
In another specific embodiment of the present invention, a method for detecting tampering of return addresses in the stack is provided in which the processor that executes the method further includes a Top register. The Top register stores the correct hash value, and the correct hash value stored in the Top register can be modified only by preset instructions.
In another specific embodiment of the present invention, a method for detecting tampering of return addresses in the stack is provided in which the processor that executes the method further includes a Salt register, which stores a salt value. The salt value serves as another input to the hash function and can be modified only by preset instructions.
To implement the above embodiments in actual development, at least one register must be added to the processor that executes the method: at least the Top register, and possibly also the Salt register. The Top register holds the newest hash value. The salt value stored in the Salt register is another input to the hash function; it is generally a random value but may be another kind of value, and it further increases the difficulty of cracking the hash function.
At the very start of a process, the Top register and the Salt register are each set to a random number or to a non-random number generated in some other way; a random number is preferred. The hardware should ensure that the correct hash value stored in the Top register and the salt value stored in the Salt register can be modified only by preset instructions; otherwise the invention loses its protective effect. Protecting a few special registers from modification by an attacker is easy to implement. Even if the attacker has read the Salt register, the invention still ensures that the attacker cannot easily tamper with the return address, so security remains high.
The hardware does not need to guarantee that the Top register cannot be read by an attacker. Whether the attacker can read the Top register has no effect on the security of the invention.
In another specific embodiment of the present invention, a method for detecting tampering of return addresses in the stack is provided in which the salt value stored in the Salt register and the correct hash value stored in the Top register cannot be read by instructions other than preset privileged instructions.
The hardware should ensure as far as possible that the Salt register is not read by an attacker, which is also technically fairly easy to achieve. In addition, even if the attacker has read the Salt register, the invention still ensures that the attacker cannot easily tamper with the return address, so security remains high.
In another specific embodiment of the present invention, a method for detecting tampering of return addresses in the stack is provided in which the processor that executes the method further includes a hash computation module for executing the hash-generation algorithm.
The embodiment places few requirements on the choice of hash algorithm: any hash algorithm may be used, and even other encryption and decryption algorithms may be used.
In another specific embodiment of the present invention, a method for detecting tampering of return addresses in the stack is provided in which any return address in the stack and the hash value corresponding to that return address are stored separately at different positions in the same stack frame. As shown in Fig. 7, in this embodiment the return address and the hash value are stored separately in different frames; this is called the non-compressed structure (or normal structure).
In another specific embodiment of the present invention, a method for detecting tampering of return addresses in the stack is provided in which, in a 64-bit operating system, any return address in the stack is stored normally at any position in the stack, and the hash value corresponding to that return address is stored in the high-order bits of that position.
Specifically, on a 64-bit system a return address occupies 64 bits, but the significant bits of the address are in practice not that long, generally only 40-odd bits, so the high-order bits of the 64 are idle. Therefore, any return address in the stack and the hash value corresponding to that return address can be stored, combined in any manner, at any position in the stack. Preferably, the hash value is kept in the high-order bits of the 64-bit word. This storage layout is called the compressed structure, as shown in Fig. 7. Compared with the original stack structure, the compressed structure differs only in the value of the return address on the stack (the layout is exactly the same). The most important benefit is compatibility with existing binaries, because most programs follow these rules: (1) call instructions and return instructions are matched; (2) only call instructions and return instructions use the return address, and other instructions do not; (3) other values on the stack are located by offset, so if the layout is unchanged the other data on the stack can be used directly and correctly. To obtain this benefit, the required operation is to replace all (or the matched part) of the call instructions and return instructions in the original program with the call instructions and return instructions of the embodiment, and to use the compressed structure. The compressed structure also saves space compared with the non-compressed structure.
Of course, besides the return address, some other data may also be kept in the high-order bits of the 64-bit word, such as the random number used by ASLR. In any case, these data do not exhaust the 64 bits; 20-odd bits of free space usually remain, which is enough to hold the hash value.
In another specific embodiment of the present invention, a method for detecting tampering of return addresses in the stack is provided in which, after S2, the method further includes: interrupting program execution and storing the hash value corresponding to the return address to be verified in the Top register.
If the return address to be verified is confirmed to have been tampered with, an anomaly has occurred; an alarm should be raised and program execution interrupted.
In another specific embodiment of the present invention, a method for detecting tampering of return addresses in the stack is provided in which, if the hash value to be verified is identical to the pre-generated correct hash value, it is confirmed that the return address to be verified has not been tampered with.
In another specific embodiment of the present invention, a method for detecting tampering of return addresses in the stack is provided in which the processor that executes the method further includes a counter, which adds one when the stack executes a call instruction (for example, the Call instruction) and subtracts one when the stack executes a return instruction (for example, the Return instruction). At the end of the process, if the counter's count is not 0 or the correct hash value in the Top register has been modified, an error is reported.
This embodiment considers the assumption that the attacker is highly capable and has unlimited computing power; such an attacker might tamper with the return address by brute force through hash collisions, constructing an identical hash value. Even in this extreme case, the embodiment still has a way to detect the attack: the attacker cannot control the value of the Top register and cannot guarantee that after the attack the value of the Top register is the same as its initial value, so the attack necessarily leaves a trace.
The embodiment further adds a Number counter, which records the number of call instructions and return instructions executed and ensures that the number of call instructions equals the number of return instructions. When the process starts, the Number counter is initialized to 0; executing a call instruction adds one to the count; executing a return instruction subtracts one from the count. When the process ends, Number should be 0; otherwise an error is reported and the program is terminated.
Likewise, when the process ends and exits, the value of the Top register should equal the initial value the Top register had when the process started; otherwise the process is considered to have been attacked, an error is reported and execution is terminated.
If the process may be interrupted midway, the values of the Top register and the Number register must also be saved and monitored, to ensure that the values of the Top register and the Number register match when the process is interrupted.
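The call and return procedure described above, in the compressed layout and with the Number counter and process-exit check, as an added software model (not code from the patent). It assumes 48 address bits and a 16-bit hash in the high bits of each slot, uses a splitmix64-style mixer as a stand-in for the unspecified hash algorithm, and all names (`cpu_t`, `cpu_call`, `cpu_ret`, `cpu_exit_ok`) and sample addresses are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define ADDR_BITS 48                          /* assumption: low 48 bits hold the address */
#define ADDR_MASK ((1ULL << ADDR_BITS) - 1)
#define SLOTS 32

typedef struct {
    uint64_t stack[SLOTS];  /* slot = [63:48] previous hash | [47:0] return address */
    int      sp;            /* number of slots in use */
    uint64_t top, top_init; /* Top register and its initial value RAND */
    uint64_t salt;          /* Salt register: extra hash input */
    long     number;        /* Number counter: calls minus returns */
} cpu_t;

/* Stand-in for "any hash algorithm": splitmix64 finalizer cut to 16 bits.
   Not cryptographic; chosen only so the model runs without dependencies. */
static uint64_t chain_hash(uint64_t slot, uint64_t salt) {
    uint64_t x = slot + salt;
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    x ^= x >> 31;
    return x >> ADDR_BITS;
}

void cpu_init(cpu_t *c, uint64_t rand_top, uint64_t rand_salt) {
    c->sp = 0;
    c->number = 0;
    c->top = c->top_init = rand_top & 0xFFFF;
    c->salt = rand_salt;
}

/* Call: push {Top hash, return address}, then Top <- hash(pushed slot). */
int cpu_call(cpu_t *c, uint64_t ret_addr) {
    if (c->sp == SLOTS) return -1;
    uint64_t slot = (c->top << ADDR_BITS) | (ret_addr & ADDR_MASK);
    c->stack[c->sp++] = slot;
    c->top = chain_hash(slot, c->salt);
    c->number++;
    return 0;
}

/* Return: pop, re-hash, compare with Top. 0 = ok (*pc set), -1 = tampering. */
int cpu_ret(cpu_t *c, uint64_t *pc) {
    if (c->sp == 0) return -1;
    uint64_t slot = c->stack[--c->sp];
    if (chain_hash(slot, c->salt) != c->top) return -1; /* alarm, stop program */
    c->top = slot >> ADDR_BITS;      /* popped hash becomes the new Top */
    *pc = slot & ADDR_MASK;
    c->number--;
    return 0;
}

/* Process-exit check: calls and returns balanced, Top back at RAND. */
int cpu_exit_ok(const cpu_t *c) {
    return c->number == 0 && c->top == c->top_init;
}

/* Constructed run: two nested calls that return in order. */
int clean_run_ok(void) {
    cpu_t c; uint64_t pc1 = 0, pc2 = 0;
    cpu_init(&c, 0x1234, 0x9e3779b97f4a7c15ULL);
    cpu_call(&c, 0x401136);
    cpu_call(&c, 0x4011a2);
    return cpu_ret(&c, &pc2) == 0 && pc2 == 0x4011a2 &&
           cpu_ret(&c, &pc1) == 0 && pc1 == 0x401136 && cpu_exit_ok(&c);
}

/* Models an arbitrary write that replaces only the address bits of the newest
   slot. Counts forged values that pass; with a 16-bit hash each blind attempt
   passes with probability of about 2^-16. */
int undetected_tampers(int trials) {
    int missed = 0;
    for (int i = 1; i <= trials; i++) {
        cpu_t c; uint64_t pc;
        cpu_init(&c, 0x1234, 0x9e3779b97f4a7c15ULL);
        cpu_call(&c, 0x401136);
        cpu_call(&c, 0x4011a2);
        c.stack[1] = (c.stack[1] & ~ADDR_MASK) | (0x4011a2ULL + 16u * i);
        if (cpu_ret(&c, &pc) == 0) missed++;
    }
    return missed;
}

int main(void) {
    printf("clean run ok: %d\n", clean_run_ok());
    printf("undetected of 2000 forged addresses: %d\n", undetected_tampers(2000));
    return 0;
}
```
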
For the invention to be applied in a real system, support is also needed from the compiler, the operating system and other components. The operating system needs to know about the several special registers (including the Top register and the Salt register). At the start of each process it initializes these registers to random numbers. On a process switch it saves the values of these registers, so that each process has its own information and processes do not affect one another. The compiler also needs to know about these special registers. For the non-compressed structure, the compiler must add code that operates on these registers. For the compressed structure, the compiler needs to know the exact layout of the 64-bit return address, that is, which bits hold the return address and which bits hold the hash value, so that it can add the special handling code to the program. With sufficient compiler support, the invention can also be implemented by the compiler alone (without hardware support). Such an implementation is less efficient than a pure hardware implementation, with a performance loss of about 3%.
The invention is highly flexible and compatible. For example, a multi-chain structure can be used, in which every certain number of return addresses is protected by a different chain; or some addresses are protected while others are not. This makes the scheme harder for an attacker to crack. The invention also does not conflict with other defence methods and can be used in combination with them.
Compared with other techniques, each of the above embodiments uses a chaining technique: return addresses and hash values are linked into a chain, which is the core idea of the invention. The invention protects return addresses with a hash computation, which has some advantages of its own. For example, even when the final hash value is known, it is difficult to derive the original value from it. It is worth noting, however, that other encryption and decryption algorithms could be used in place of the hash algorithm. The chained hash brings advantages in several respects, such as high security, small performance loss and low design complexity.
The above embodiments of the invention are also better than existing methods in security, performance, design complexity, compatibility, practicality and other respects. Compared with any particular technique, the invention is better in some respects and is guaranteed to be no worse in the others.
First, the invention strictly guarantees that return addresses are not maliciously tampered with, and its security is higher than that of other methods. For example, a shadow stack cannot prevent its backup data from being modified, and stack protection cannot prevent the protection value from being leaked.
Second, according to experiments, the performance loss of the invention with hardware support is only 0.15%, lower than that of the various existing methods.
In hardware, the invention only requires adding several registers and a hash operation module, so its design complexity is very low and it is easy to implement. Other methods, such as the shadow stack, may need to modify the page table management mechanism, and their complexity is much higher than that of the invention.
The invention is highly general and can be used on any mainstream computer system. Function call and return are the most basic program functions and are supported by all computers; the invention can be used on every computer system that supports function call and return.
The invention is highly compatible: it requires very few changes to the system and can readily be added to existing computer systems.
In short, the invention is a very useful technique that can easily be applied in real systems.
The invention also has some advantages of its own. For example, once an attack succeeds, none of the existing defence methods can discover it. Even if the invention is actually cracked by an attacker, the attacker necessarily leaves traces of the attack and will therefore necessarily be discovered.
Finally, the methods of this application are only preferred embodiments and are not intended to limit the scope of protection of the embodiments of the invention. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the embodiments of the invention shall fall within the scope of protection of the embodiments of the invention.

Claims (4)

1. A stack, characterized in that:
The i-th return address and a random number are stored in the i-th frame of the stack; each frame from the (i+1)-th frame to the top-of-stack frame stores the return address corresponding to that frame and the hash value corresponding to that return address; wherein the hash value corresponding to a return address is the hash value obtained, using any hash value generation algorithm, from the return address stored in the frame preceding that frame in the stack and the hash value corresponding to that return address; j > i ≥ 1, where j is the serial number of the top-of-stack frame.
2. The stack according to claim 1, characterized in that any return address in the stack and the hash value corresponding to that return address are stored separately at different locations within the same stack frame of the stack.
3. The stack according to claim 1, characterized in that, in a 64-bit operating system, any return address in the stack and the hash value corresponding to that return address are stored, combined in any manner, at any one location in the stack.
4. The stack according to claim 1, characterized in that, in a 64-bit operating system, any return address in the stack is stored normally at any location in the stack, and the hash value corresponding to that return address is stored in the high-order bit space of that location.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811108317.1A CN109508538A (en) 2018-09-21 2018-09-21 The stack architecture that return address is tampered in a kind of detection storehouse

Publications (1)

Publication Number Publication Date
CN109508538A true CN109508538A (en) 2019-03-22

Family

ID=65746184

Country Status (1)

Country Link
CN (1) CN109508538A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110363006A (en) * 2019-06-26 2019-10-22 中国科学院信息工程研究所 The method that multichain Hash stack architecture and detection function return address are tampered

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190322