CN112269597A - Method and system for detecting abnormal behavior of processor instruction - Google Patents

Method and system for detecting abnormal behavior of processor instruction

Publication number: CN112269597A
Application number: CN202011149498.XA
Other versions: CN112269597B (granted)
Original language: Chinese (zh)
Inventors: 魏强, 武泽慧, 周国淼, 吴昊岚, 尹中旭, 王红敏
Assignee: Information Engineering University of PLA Strategic Support Force
Legal status: Granted (active)

Abstract

The invention belongs to the technical field of network security and relates in particular to a method and system for detecting abnormal behavior of processor instructions. The method comprises the following steps: establishing a corresponding instruction set for each processor; fuzz testing the instruction set of the target processor to generate instruction search samples and an instruction sample library, and labeling the sample instructions according to instruction function and characteristics; performing anomaly detection on the instruction under test against the labeled sample instructions and judging whether it is a suspicious instruction or a normal instruction; comparing the operations and execution results before and after the target instruction is executed in order to determine whether the suspicious or normal instruction is an abnormal instruction; collating the abnormal instructions into an abnormal-instruction test report; and, once detection of a single instruction is finished, returning to anomaly detection to await the next instruction. The invention can effectively detect processor instruction errors and improve processor performance.

Description

Method and system for detecting abnormal behavior of processor instruction
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a method and a system for detecting abnormal behavior of processor instructions.
Background
As processors have continued to develop, various instruction extensions have gradually been introduced to improve performance and meet more software and system requirements, but the security problems of instructions have grown with them. In 1994 the FDIV bug caused floating-point division errors on Pentium processors, and large batches of processors were recalled. In 1997 the F00F exception instruction on Pentium processors could make the instruction encoding invalid while the exception-handling mechanism deadlocked, bringing the CPU down. In 2014 the TSX instruction bug affected normal operation of the system and caused the corresponding instructions to be disabled. In 2007 Theo de Raadt was the first to link an Intel bug with a potential security vulnerability in the OpenBSD operating system, after which more and more people began studying the errata table in order to implement attacks. In 2018 the #DB exception could produce unexpected behavior because operating system developers did not handle the MOV SS/POP SS instructions correctly, causing operating system crashes and potentially even privilege escalation. In 2018 Christopher Domas discovered an instruction backdoor in the VIA C3 processor through which an ordinary user could elevate to super-user privilege. The problem of microcode updates has also been found: in 2014 Daming D. Chen performed a security analysis of x86 processor microcode, demonstrating that malicious microcode updates could implement new malicious code structures or change the functionality of existing instructions; in 2017 Philipp Koppe et al. reverse-engineered x86 processor microcode, completed custom microcode updates, and realized a remotely triggered backdoor at the microcode level. These instruction-level security issues seriously jeopardize critical infrastructure security and the information security of important industries, and have caused significant losses.
To address processor flaws at design time, formal verification is used to prove correctness. DIVA detects and repairs processor errors using dynamic verification and improves processor performance. SPECS adds a small amount of hardware to the processor with the aim of detecting and recovering from processor errors that violate invariants, without affecting normal program operation, by setting different security invariants and verifying them dynamically. The teaching team of the hardware security and cipher chip laboratory of Wei Shaoshi university proposed a dynamic monitoring and control technique for CPU hardware security at the hardware level: a control processor combines an instruction-level CPU model with a hardware-behavior security assertion method, so that the CPU is effectively protected against hardware Trojans, illegal microcode updates, hardware bugs and the like; using it, the actual behavior of the XRSTO instruction was found to be inconsistent with the instruction manual. Although dynamic monitoring techniques addressing processor shortcomings continue to increase in number, research effort still needs to be spent on studying the abnormal behavior of instructions.
Disclosure of Invention
The invention therefore provides a method and system for detecting abnormal behavior of processor instructions that can effectively detect processor instruction errors and improve processor performance.
According to the design scheme provided by the invention, the method for detecting abnormal behavior of processor instructions comprises the following:
establishing a corresponding instruction set for each of the different processors;
fuzz testing the instruction set of the target processor, generating instruction search samples and an instruction sample library, and labeling the sample instructions according to instruction function and characteristics;
performing anomaly detection on the instruction under test against the labeled sample instructions and judging whether it is a suspicious or a normal instruction; comparing the operations and execution results before and after the target instruction executes to determine whether the suspicious or normal instruction is an abnormal instruction; collating the abnormal instructions into an abnormal-instruction test report; and, once detection of a single instruction is finished, returning to anomaly detection to await the next instruction.
As a refinement of the method, the instruction byte space length is set according to the instruction format of the target processor; the instruction is traversed from the first byte with a depth-first algorithm, all instruction contents except the instruction prefix bytes are obtained, and these contents are then combined with the instruction prefixes to obtain all valid instructions of the target processor.
As a refinement, the instruction search space is determined by the fuzz test, the sample instructions are disassembled with a disassembler, and instruction classification is completed by operand testing.
As a refinement, the instruction classification is labeled, according to instruction function and characteristics, with the abnormal characteristics of the instructions recorded in the errata table.
As a refinement, the normal behavior of the instruction is identified during labeling: all instructions and their disassembly are classified as having no operand, a single operand or multiple operands, and the classification result is mapped onto the functions arithmetic/logic operation, memory read, register write and special operation.
As a refinement, according to the errata table that the processor manufacturer updates periodically, the abnormal characteristics of the instructions in the errata table are extracted and labeled at a preset time interval so as to ensure the accuracy and completeness of the instruction test.
As a refinement, the anomaly detection result is rechecked to obtain the suspicious instructions, and false alarms are eliminated in combination with manual analysis.
As a refinement, whether the instruction under test is suspicious is judged by comparing the disassembly result of the instruction with its label during actual execution, combined with the anomaly detection result.
As a refinement, the operations and execution results before and after the target instruction executes are compared using assertion statements to determine the abnormal behavior of the instruction.
Further, based on the above method, the invention also provides a system for detecting abnormal behavior of processor instructions, comprising a data collection module, a fuzz testing module and an anomaly detection module, wherein:
the data collection module establishes a corresponding instruction set for each of the different processors;
the fuzz testing module fuzz tests the instruction set of the target processor, generates instruction search samples and an instruction sample library, and labels the sample instructions according to instruction function and characteristics;
the anomaly detection module performs anomaly detection on the instruction under test against the labeled sample instructions and judges whether it is a suspicious or a normal instruction; compares the operations and execution results before and after the target instruction executes to determine whether the suspicious or normal instruction is an abnormal instruction; collates the abnormal instructions into an abnormal-instruction test report; and, once detection of a single instruction is finished, returns to anomaly detection to await the next instruction.
The beneficial effects of the invention are as follows:
by building an instruction sample library of the processor, instruction behavior detection can be carried out on multiple processors; errors of probed instructions and inconsistencies between the documented execution format of some software instructions and actual processor execution can be found in time, and instructions that cause processor deadlock can be detected, so that the efficiency and accuracy of processor instruction anomaly detection are improved and processor performance is improved. Furthermore, the improved instruction search makes building and sorting the instruction library more efficient; a lightweight instruction judgment strategy is introduced for detecting abnormal instruction behavior, and several assertion methods are provided with which instruction behavior can be judged preliminarily and successfully, further ensuring the efficiency of processor instruction anomaly detection. The method therefore has good application value.
Description of the drawings:
FIG. 1 is a flow chart of an abnormal behavior detection method in an embodiment;
FIG. 2 is a schematic diagram of the abnormal behavior detection principle in the embodiment;
FIG. 3 is a schematic format of an x86 instruction in an embodiment;
FIG. 4 is a schematic diagram of an instruction search flow in the embodiment;
FIG. 5 is a schematic of instruction classification logic in an embodiment;
FIG. 6 is a schematic diagram of an abnormal behavior detection system framework in an embodiment.
The specific embodiments are as follows:
in order to make the objects, technical solutions and advantages of the invention clearer, the invention is described in further detail below with reference to the accompanying drawings and technical solutions.
Current research on instructions is not mature enough and has the following problems: (1) CPU vulnerabilities and backdoors occur frequently, and hidden instructions can carry privilege-escalation functions, but the CPU implementation framework is not disclosed, backdoor Trojan detection is difficult, no suitable method is available, and detection means are lacking; (2) instructions violating their documented description are a serious problem and the errors are not corrected in time, yet there is no complete anomaly-analysis method to assist the analysis. During development an instruction may fail to execute its function exactly as described, but instruction behavior is difficult to observe, so violations of the specification are hard to find in time. In software vulnerability mining, static and dynamic vulnerability mining are the main approaches. An embodiment of the invention, shown in FIG. 1, provides a method for detecting abnormal behavior of processor instructions comprising the following steps:
S101: establishing a corresponding instruction set for each of the different processors;
S102: fuzz testing the instruction set of the target processor, generating instruction search samples and an instruction sample library, and labeling the sample instructions according to instruction function and characteristics;
S103: performing anomaly detection on the instruction under test against the labeled sample instructions and judging whether it is a suspicious or a normal instruction; comparing the operations and execution results before and after the target instruction executes to determine whether the suspicious or normal instruction is an abnormal instruction; collating the abnormal instructions into an abnormal-instruction test report; and, once detection of a single instruction is finished, returning to anomaly detection to await the next instruction.
In the embodiment, dynamic vulnerability mining, represented by fuzz testing, does not share the defects of static vulnerability mining such as a high false-alarm rate and low efficiency, and can detect software vulnerabilities efficiently. Through the processor's instruction sample library, instruction behavior detection can be carried out on multiple processors; errors of probed instructions and inconsistencies between the documented execution format of some software instructions and actual processor execution can be found in time, instructions that cause processor deadlock can be detected, the efficiency and accuracy of processor instruction anomaly detection are improved, and processor performance is improved.
As a refinement of the method in the embodiment, the instruction byte space length is set according to the instruction format of the target processor, the instruction is traversed from the first byte with a depth-first algorithm, all instruction contents except the instruction prefix bytes are obtained, and these contents are combined with the instruction prefixes to obtain all valid instructions of the target processor.
Referring to FIG. 2, the detailed steps of the abnormal behavior detection principle of the embodiment are explained further:
Step 1: the instruction set of the target CPU is fuzz tested, the instruction search space is determined, instruction search samples are generated, and an instruction sample library is finally obtained.
Step 2: the sample instructions are disassembled with a disassembler such as capstone, the operands are tested, and instruction classification is completed preliminarily.
Step 3: labels for the functionality and characteristics of the instructions are extracted, the abnormal characteristics of instructions listed in the errata table are added, and the instruction classification is labeled further.
Step 4: the instructions in the labeled instruction library are passed to the monitoring module, and anomaly detection of the instructions begins.
Step 5: if the monitoring module detects an anomaly, the abnormal instruction is passed to a re-detection stage for further judgment.
Step 6: the suspicious instructions remaining after re-detection are combined with manual analysis, false alarms are eliminated, and the correctness of the detection result is confirmed.
Step 7: whether the instruction under test is suspicious is judged by comparing the disassembly result of the instruction with its label and with the exception-signal result observed during actual execution.
Step 8: if the monitoring module detects no problem, or the judgment result is normal, control passes to the assertion module for the next judgment.
Step 9: the operations and execution results before and after instruction execution are compared, and whether the instruction is abnormal is judged.
Step 10: after the instructions have been judged and screened, the abnormal instructions are collated into a detailed test report.
Step 11: after the single instruction has been tested, the state is restored to await the next instruction under test.
To test the abnormal behavior of existing instructions, a corresponding instruction library is established for each processor. To further improve search efficiency, the instruction format is studied. As shown in FIG. 3, the instruction length is 0 to 15 bytes, and the instruction format is generally divided into instruction prefix, opcode, register and addressing flag code (ModRM), displacement and immediate. Experiments show that the 1-, 2- or 3-byte opcode generally controls the functional behavior of the instruction, the 1-byte instruction prefix adds extra qualification to the instruction, and the displacement and immediate generally have no great influence. Pruning is therefore centered on the opcode, with the instruction prefix type used as the pruning criterion, and the remaining displacement bytes are merged.
TABLE 1 Prefix types and roles
[Table 1 is provided as an image in the source and its contents are not reproduced in the text.]
As shown in Table 1, there are 4 groups of instruction prefixes; at most one prefix from each group may be used, they can be combined, and there is no ordering issue, so the instruction prefix occupies at most 4 bytes and at least 0 bytes. Since the purpose of the scheme is to determine the abnormal behavior of instructions, the search time can be reduced further as shown in FIG. 4: a 15-byte space is set and the instruction is traversed from the first byte with a depth-first algorithm; when a prefix byte is encountered it is skipped, so that all instructions except for their prefixes are obtained first, and the resulting instructions are then each combined with the instruction prefixes. If a combination succeeds, traversal continues backwards in sequence until all valid instructions of the processor have been obtained. If the total number of instructions found otherwise is n, theoretical analysis shows that the instruction search can be reduced by 11 × 2^16 − n. As shown in FIG. 5, to ensure the accuracy of abnormal-behavior detection the normal behavior of each instruction is identified: all instructions and their disassembly are classified as Non (no operand), Si (single operand) and Mul (multiple operands); by analyzing a large number of CPU instruction manuals, the instructions are classified and mapped onto 4 functions, Ex (operation type: arithmetic and logical operations), Mem (memory read type), Reg (register write type) and Spe (special operation type); according to the functional characteristics of each instruction, characteristics such as the change of a particular register are saved; and the special operations are subdivided into specific characteristics, including processor lock-up, privilege escalation and the like.
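The prefix-skipping depth-first search of FIG. 4 and the prefix-group rule of Table 1, as an added example that is not the patent's own code. The `decode` function is a constructed stand-in for the disassembler (capstone in the description) covering only a handful of x86 encodings; the 11 prefix bytes and their four groups are assumed from the standard x86 legacy-prefix layout.

```python
"""Prefix-skipping DFS instruction search over a constructed decoder oracle."""
from itertools import product
from typing import Iterator, List, Tuple, Union

# The 11 legacy prefix bytes in their four groups (assumed layout): at most one
# byte per group may appear, and the order of the groups does not matter.
PREFIX_GROUPS = (
    (0xF0, 0xF2, 0xF3),                    # group 1: LOCK / REPNE / REP
    (0x26, 0x2E, 0x36, 0x3E, 0x64, 0x65),  # group 2: segment overrides
    (0x66,),                               # group 3: operand-size override
    (0x67,),                               # group 4: address-size override
)
PREFIX_GROUP_OF = {b: g for g, members in enumerate(PREFIX_GROUPS) for b in members}
MAX_LEN = 15  # the 15-byte search space of the description

# Constructed mini-ISA that the oracle recognises (opcode bytes only).
ONE_BYTE = {0x90: "nop", 0xC3: "ret"}
TWO_BYTE_0F = {0x05: "syscall", 0xA2: "cpuid", 0x0B: "ud2"}
MODRM_OPCODES = {0x89: "mov r/m32, r32"}  # needs a ModRM byte; mod=11 only here

Result = Union[str, Tuple[str, str]]


def decode(insn: bytes) -> Result:
    """Oracle stand-in: ("ok", mnemonic) for a complete valid encoding, "more"
    when further bytes are needed, "bad" when no valid instruction starts this
    way.  Leading prefixes are checked against the one-per-group rule."""
    seen, i = set(), 0
    while i < len(insn) and insn[i] in PREFIX_GROUP_OF:
        g = PREFIX_GROUP_OF[insn[i]]
        if g in seen:  # two prefixes from the same group: not a legal instruction
            return "bad"
        seen.add(g)
        i += 1
    body = insn[i:]
    if not body:
        return "more"
    op = body[0]
    if op in ONE_BYTE:
        return ("ok", ONE_BYTE[op]) if len(body) == 1 else "bad"
    if op == 0x0F:
        if len(body) == 1:
            return "more"
        if len(body) == 2 and body[1] in TWO_BYTE_0F:
            return ("ok", TWO_BYTE_0F[body[1]])
        return "bad"
    if op in MODRM_OPCODES:
        if len(body) == 1:
            return "more"
        if len(body) == 2 and body[1] >> 6 == 0b11:
            return ("ok", MODRM_OPCODES[op])
        return "bad"
    return "bad"


def search_without_prefixes(oracle) -> Tuple[List[bytes], int]:
    """Depth-first traversal from the first byte.  Prefix bytes are skipped at
    the first position, so the result is every valid instruction body without
    its prefixes.  Returns (bodies, number of oracle queries)."""
    found, queries = [], 0
    stack = [bytes([b]) for b in range(255, -1, -1) if b not in PREFIX_GROUP_OF]
    while stack:
        cand = stack.pop()
        queries += 1
        r = oracle(cand)
        if isinstance(r, tuple):
            found.append(cand)
        elif r == "more" and len(cand) < MAX_LEN:
            # deeper positions hold opcode/ModRM/immediate bytes, so no skipping
            stack.extend(cand + bytes([b]) for b in range(255, -1, -1))
    return found, queries


def prefix_combinations() -> Iterator[bytes]:
    """Every legal prefix set: at most one byte from each group, in a canonical
    group order (4 * 7 * 2 * 2 = 112 combinations, including the empty one)."""
    for combo in product(*[(None,) + g for g in PREFIX_GROUPS]):
        yield bytes(b for b in combo if b is not None)


def search_all(oracle):
    """Second phase of FIG. 4: recombine each body with each prefix set and
    keep the combinations the oracle accepts."""
    bodies, queries = search_without_prefixes(oracle)
    valid = []
    for body in bodies:
        for pre in prefix_combinations():
            queries += 1
            r = oracle(pre + body)
            if isinstance(r, tuple):
                valid.append((pre + body, r[1]))
    return bodies, valid, queries


if __name__ == "__main__":
    bodies, valid, queries = search_all(decode)
    print(f"{len(bodies)} bodies, {len(valid)} prefixed forms, {queries} queries")
```

Against this oracle the body search needs 757 decoder queries (245 first bytes plus two 256-way expansions) instead of a blind walk over the 15-byte space, which is the saving the prefix-skipping rule is meant to give.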
Because instruction execution errors inevitably arise during CPU development, and these errors usually consist of register updates, memory writes and the like not being performed according to the given instruction description during execution, manufacturers keep testing and publish CPU instruction exceptions by periodically updating the errata table. Accuracy during instruction testing can therefore be ensured by periodically collecting the CPU's errata table, extracting the abnormal characteristics of the instructions, and then labeling each instruction further. At the same time, the research team analyzes the instructions and micro-instructions, analyzes the instruction formats, and collates and summarizes the corresponding functions and usage, so that this instruction data can also be brought into an expert strategy library to ensure the completeness of the instruction test.
Further, based on the foregoing method, an embodiment of the present invention further provides a system for detecting abnormal behavior of processor instructions, including: a data collection module, a fuzz testing module, and an anomaly detection module, wherein,
the data collection module is used for respectively establishing corresponding instruction sets aiming at different processors;
the fuzzy test module is used for carrying out fuzzy test on an instruction set of the target processor, generating an instruction search sample and an instruction sample library, and carrying out labeling processing on the sample instruction according to the instruction function and the characteristics;
the abnormality detection module is used for carrying out abnormality detection on the instruction to be detected according to the labeled sample instruction and judging whether the instruction to be detected is a suspicious instruction or a normal instruction; comparing the operation and the execution result before and after the target instruction is executed to predicate whether the suspicious instruction or the normal instruction is an abnormal instruction; aiming at the abnormal instruction, the abnormal instruction is sorted and an abnormal instruction test report is formed; and after the detection of the single instruction is finished, returning to the abnormal detection to wait for the test of the next instruction.
Referring to fig. 6, the instruction abnormal behavior detection system can be further divided into: the device comprises an instruction generation module, an execution controller, a monitoring module, an assertion module, a result analysis module, a state recovery module and the like. The instruction generating module is responsible for generating an instruction test sample, classifying the instruction characteristic function and labeling the instruction characteristic function for the basis of judging the later abnormal behavior. The monitoring module is responsible for monitoring changes of the register, the MSR, error signals and the like and transmitting abnormal change conditions to the judging module. The assertion module is an executor used for making assertion on the execution behavior of the target instruction test sample, and provides support for judging whether the instruction has abnormal behavior. The judging module analyzes and summarizes the instruction testing result, preliminarily screens and processes whether the judging instruction has abnormal behaviors or not, and finally obtains the testing result. The recovery module is responsible for recovering the state of the processor after each instruction is tested, and normal judgment of the next instruction is prevented from being influenced.
For register monitoring, the operating mechanism of gdb can be imitated: the ptrace system call of the Ubuntu system is used for monitoring, the values of all registers are read out, and real-time monitoring is guaranteed. ptrace() lets a user intercept and modify system calls; through ptrace(), one process can attach to a designated process and dynamically read and write that process's memory and registers, including the instruction space, the data space, the stack and all the registers; combined with the signal mechanism (and other means), one process can be made to run under the control and tracking of another. In this way, dynamic changes that cannot otherwise be observed after an instruction executes can be intercepted through the system call, and the instruction can be debugged. Development can use Intel's msr-tools toolkit: all MSR register positions in the processor are fuzzed, every MSR register present in the processor is read out, the values are recorded, and the values are arranged into an MSR register base table. Then, in combination with the white paper issued by the manufacturer, each MSR register is labeled according to its function.
If a register value changes, the corresponding position in the base table is marked immediately, and whether the instruction's effect on the register is correct is judged by comparison.
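The base-table comparison described above, as an added example that is not code from the patent: a labeled base table of register and MSR values is built once, the snapshot taken after an instruction test is compared against it, changed positions are marked, and the observed changes are checked against the register effects declared in the instruction's tag. The register names, MSR values and the instruction tag are constructed sample data; the two MSR addresses are the documented addresses of IA32_EFER and IA32_MISC_ENABLE, but their values here are made up.

```python
"""Register/MSR base table and change monitor (added example, not the patent's code)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass
class BaseEntry:
    label: str             # function label taken from the vendor documentation
    value: int             # baseline value recorded before the instruction test
    changed: bool = False  # marked as soon as a differing value is observed


def build_base_table(snapshot: Dict[str, int], labels: Dict[str, str]) -> Dict[str, BaseEntry]:
    """Arrange a full register/MSR read-out into a labeled base table."""
    return {name: BaseEntry(labels.get(name, "unlabeled"), val)
            for name, val in snapshot.items()}


def mark_changes(base: Dict[str, BaseEntry], after: Dict[str, int]) -> List[str]:
    """Compare a post-execution snapshot with the base table.

    Every position whose value differs is marked in place and returned.
    Registers missing from `after` are treated as unreadable, not as changed.
    """
    changed = []
    for name, entry in base.items():
        if name in after and after[name] != entry.value:
            entry.changed = True
            changed.append(name)
    return changed


def judge_register_effects(expected: Iterable[str], changed: Iterable[str],
                           base: Dict[str, BaseEntry]) -> dict:
    """Check observed changes against the register effects declared in the tag.

    The verdict lists unexpected changes (with their labels) and declared
    effects that did not occur, so the result analysis module can report
    why an instruction is suspicious rather than only that it is.
    """
    exp, obs = set(expected), set(changed)
    unexpected = sorted(obs - exp)
    missing = sorted(exp - obs)
    return {
        "consistent": not unexpected and not missing,
        "unexpected": {r: base[r].label for r in unexpected},
        "missing": missing,
    }


# Constructed sample: a few general-purpose registers plus two MSRs.
LABELS = {
    "rax": "general purpose", "rflags": "status flags", "rip": "instruction pointer",
    "MSR_0xC0000080": "IA32_EFER (extended feature enable)",
    "MSR_0x1A0": "IA32_MISC_ENABLE",
}
BEFORE = {"rax": 0x1234, "rflags": 0x202, "rip": 0x401000,
          "MSR_0xC0000080": 0xD01, "MSR_0x1A0": 0x850089}
# Sample tag for an instruction whose description says it writes rax and rflags
# (rip is expected to advance for any executed instruction).
TAG_EXPECTED = {"rax", "rflags", "rip"}


def run_sample() -> dict:
    """Run the sample: the tagged registers move, but so does an MSR the tag never mentions."""
    base = build_base_table(BEFORE, LABELS)
    after = dict(BEFORE, rax=0, rflags=0x246, rip=0x401002, MSR_0xC0000080=0xD00)
    changed = mark_changes(base, after)
    return judge_register_effects(TAG_EXPECTED, changed, base)


if __name__ == "__main__":
    print(run_sample())
```

The verdict for the sample is inconsistent: the unexpected entry names the changed MSR together with its label, which is exactly the information a tester needs to decide whether the instruction's documented description or the processor is wrong.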
To determine the abnormal behavior of an instruction, embodiments may use predicate statements for the decision; all 6 predicate methods can be constructed from the simplest 3:
always (expression): the expression must always be true.
next (expression, signal, time): the expression must be true for a certain time after the signal changes from 0 to 1.
change (expression, signal): the expression must be true when the signal changes from 0 to 1.
TABLE 2 Assertion methods for problem detection
[Table 2 appears only as an image in the original; its contents are not reproduced in the text.]
As shown in Table 2, the value change of a register is one of the key items that can be checked: the instruction tag is compared with the register state saved before and after execution to determine whether executing the instruction modifies the corresponding register as the predetermined description says. For an instruction format change, it is only necessary that the instruction be consistent before and after execution and before and after disassembly. For the privilege consistency judgment, execution code for a specific privilege level is set; for example, when an instruction is at a low privilege level, it is executed under both high and low privilege, the feedback information shows whether the instruction performs a privilege-raising operation, and the instruction tag then decides whether the instruction complies with the instruction execution specification. When an abnormal state is returned, it is only necessary to judge whether the states before and after are consistent with the exception type marked in the instruction tag. To judge whether an instruction locks up the processor, a heartbeat-packet experiment is set up and the signal is captured; if the connection fails and the signal does not change within 300 s, the instruction is judged to lock up the processor and its behavior is abnormal.
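The three basic predicate methods and the Table 2 checks, as an added example that is not code from the patent: always, next and change are evaluated over a recorded trace of monitoring samples, and combined into the exception-type, privilege-consistency and format-consistency judgments plus the heartbeat-based lockup judgment with the 300 s limit. The trace, its state fields (cpl, exception, disasm), the tag and the heartbeat times are constructed sample data, not measurements from any processor.

```python
"""Assertion primitives and judgment checks (added example, not the patent's code)."""
from dataclasses import dataclass
from typing import Callable, List, Sequence

Expr = Callable[[dict], bool]


@dataclass
class Sample:
    t: float      # monitoring time in seconds
    signal: int   # 0/1 trigger signal captured by the monitor (here: exception raised)
    state: dict   # processor state observed at time t


def rising_edges(trace: Sequence[Sample]) -> List[int]:
    """Indices at which the signal changes from 0 to 1."""
    edges, prev = [], 0
    for i, s in enumerate(trace):
        if prev == 0 and s.signal == 1:
            edges.append(i)
        prev = s.signal
    return edges


def always(expr: Expr, trace: Sequence[Sample]) -> bool:
    """always(expression): the expression holds in every sample."""
    return all(expr(s.state) for s in trace)


def change(expr: Expr, trace: Sequence[Sample]) -> bool:
    """change(expression, signal): the expression holds at each 0->1 edge.
    No edge means the expected event never happened, so the assertion fails."""
    edges = rising_edges(trace)
    return bool(edges) and all(expr(trace[i].state) for i in edges)


def next_(expr: Expr, trace: Sequence[Sample], time: float) -> bool:
    """next(expression, signal, time): after each 0->1 edge the expression
    holds for `time` seconds (inclusive window)."""
    edges = rising_edges(trace)
    if not edges:
        return False
    for i in edges:
        t0 = trace[i].t
        window = [s for s in trace[i:] if s.t - t0 <= time]
        if not all(expr(s.state) for s in window):
            return False
    return True


def locked_up(heartbeats: Sequence[float], start: float, end: float, limit: float = 300.0) -> bool:
    """Lockup judgment: the heartbeat signal fails to change for `limit` seconds.
    Gaps between consecutive heartbeats and the tail gap up to `end` both count."""
    times = [start] + list(heartbeats) + [end]
    return any(b - a >= limit for a, b in zip(times, times[1:]))


# Constructed sample: a privileged instruction tagged as raising #GP when run at CPL 3.
TAG = {"exception": "#GP", "disasm": "wrmsr"}
TRACE = [
    Sample(0.0, 0, {"cpl": 3, "exception": None,  "disasm": "wrmsr"}),  # before execution
    Sample(0.5, 1, {"cpl": 3, "exception": "#GP", "disasm": "wrmsr"}),  # exception signal rises
    Sample(1.0, 1, {"cpl": 3, "exception": "#GP", "disasm": "wrmsr"}),
    Sample(1.5, 0, {"cpl": 3, "exception": None,  "disasm": "wrmsr"}),  # state recovered
]


def judge_instruction(tag: dict, trace: Sequence[Sample], low_cpl: int = 3) -> dict:
    """Combine the primitives into the Table 2 style checks for one test run."""
    return {
        # abnormal state return: the exception raised matches the tag
        "exception_matches_tag": change(lambda st: st["exception"] == tag["exception"], trace),
        # privilege consistency: running at low privilege never raises the privilege level
        "no_privilege_raise": always(lambda st: st["cpl"] >= low_cpl, trace),
        # format consistency: disassembly identical before and after execution
        "format_consistent": always(lambda st: st["disasm"] == tag["disasm"], trace),
        # the exception state persists 0.5 s after it is signalled (constructed bound)
        "exception_held": next_(lambda st: st["exception"] == tag["exception"], trace, 0.5),
    }


if __name__ == "__main__":
    print(judge_instruction(TAG, TRACE))
    print("lockup:", locked_up([0.0, 60.0, 120.0], start=0.0, end=500.0))
```

A failed `change` with no rising edge is reported as a failure rather than vacuously true, so an instruction that should fault but silently executes does not pass the exception check; the same choice applies to `next`.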
In the embodiment, improving the way sandsifter searches for instructions greatly reduces the instruction search space and raises search efficiency, so that collecting and arranging the instruction library is more efficient; a lightweight instruction judgment strategy is introduced for detecting abnormal instruction behavior, several assertion methods are provided, and instruction behavior can be judged successfully in a preliminary way. This helps turn instruction behavior that is not observable into a state that can be observed, which favors quick detection of abnormal instruction behavior. Testing the instruction behavior of processors finds erroneous instructions and inconsistencies between the execution format of some software instructions and the actual processor, and detects an instruction problem that causes processor deadlock.
Unless specifically stated otherwise, the relative steps, numerical expressions, and values of the components and steps set forth in these embodiments do not limit the scope of the present invention.
Based on the foregoing system, an embodiment of the present invention further provides a server, including: one or more processors; a storage device to store one or more programs that, when executed by the one or more processors, cause the one or more processors to implement the system as described above.
Based on the above system, the embodiment of the present invention further provides a computer readable medium, on which a computer program is stored, wherein the program, when executed by a processor, implements the above system.
The device provided by the embodiment of the present invention has the same implementation principle and technical effect as the system embodiment, and for the sake of brief description, reference may be made to the corresponding content in the system embodiment for the part where the device embodiment is not mentioned.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the system and the apparatus described above may refer to the corresponding processes in the foregoing system embodiments, and are not described herein again.
In all examples shown and described herein, any particular value should be construed as merely exemplary, and not as a limitation, and thus other examples of example embodiments may have different values.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In the several embodiments provided in the present application, it should be understood that the disclosed system and apparatus may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative; for example, the division of the units is only one logical division, and there may be other divisions when actually implemented; for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the shown or discussed mutual coupling, direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a non-volatile computer-readable storage medium executable by a processor. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the system according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
Finally, it should be noted that: the above-mentioned embodiments are only specific embodiments of the present invention, which are used for illustrating the technical solutions of the present invention and not for limiting the same, and the protection scope of the present invention is not limited thereto, although the present invention is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that: any person skilled in the art can modify or easily conceive the technical solutions described in the foregoing embodiments or equivalent substitutes for some technical features within the technical scope of the present disclosure; such modifications, changes or substitutions do not depart from the spirit and scope of the embodiments of the present invention, and they should be construed as being included therein. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A method for detecting abnormal behavior of processor instructions, comprising:
establishing corresponding instruction sets for different processors respectively;
carrying out fuzz testing on the instruction set of a target processor, generating instruction search samples and an instruction sample library, and labeling the sample instructions according to instruction function and characteristics;
performing anomaly detection on an instruction to be detected according to the labeled sample instructions, and judging whether the instruction to be detected is a suspicious instruction or a normal instruction; comparing the operations and execution results before and after the target instruction is executed to assert whether the suspicious instruction or the normal instruction is an abnormal instruction; sorting the abnormal instructions and forming an abnormal instruction test report; and after detection of a single instruction is finished, returning to anomaly detection to wait for the test of the next instruction.
2. The method of claim 1, wherein the instruction byte space length is set according to the instruction format configuration of the target processor, the instructions are traversed by a depth-first algorithm starting from the first byte, all instruction contents other than the instruction prefix byte are obtained, and these contents are combined with the instruction prefix to obtain all effective instructions of the target processor.
3. The method of claim 1, wherein the instruction search space is determined based on fuzz testing, the sample instructions are disassembled by a disassembler, and instruction classification is performed by operand testing.
4. The method of claim 3, wherein the instruction classification is tagged according to instruction function and characteristics using the abnormal characteristics of the instructions in an error table.
5. The method of claim 4, wherein in the tagging process the normal behavior of the instruction is identified, all instructions and their corresponding disassembly are classified as no-operand, single-operand and multi-operand, and the classification result is mapped to arithmetic logic operation, memory read operation, register write operation and special operation functions.
6. The method of claim 4, wherein the instruction exception features in the error table are extracted and labeled within a predetermined time interval according to the error table periodically updated by the processor manufacturer, to ensure the accuracy and completeness of the instruction test.
7. The method of claim 1, wherein the suspicious instructions are obtained by a review test and combined with manual analysis to eliminate false alarms in the anomaly detection result.
8. The method of claim 3, wherein the instruction to be detected is determined to be a suspicious instruction by comparing the instruction disassembly result with its tag during actual execution of the instruction, combined with exception detection.
9. The method of claim 1, wherein the operations and execution results before and after the target instruction is executed are compared using predicate statements to determine the abnormal behavior of the instruction.
10. A system for detecting abnormal behavior of processor instructions, comprising: a data collection module, a fuzz testing module, and an anomaly detection module, wherein
the data collection module is used for establishing corresponding instruction sets for different processors respectively;
the fuzz testing module is used for carrying out fuzz testing on the instruction set of the target processor, generating instruction search samples and an instruction sample library, and labeling the sample instructions according to instruction function and characteristics;
the anomaly detection module is used for performing anomaly detection on an instruction to be detected according to the labeled sample instructions and judging whether the instruction to be detected is a suspicious instruction or a normal instruction; comparing the operations and execution results before and after the target instruction is executed to assert whether the suspicious instruction or the normal instruction is an abnormal instruction; sorting the abnormal instructions and forming an abnormal instruction test report; and after detection of a single instruction is finished, returning to anomaly detection to wait for the test of the next instruction.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011149498.XA CN112269597B (en) 2020-10-23 2020-10-23 Method and system for detecting abnormal behavior of processor instruction

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011149498.XA CN112269597B (en) 2020-10-23 2020-10-23 Method and system for detecting abnormal behavior of processor instruction

Publications (2)

Publication Number Publication Date
CN112269597A true CN112269597A (en) 2021-01-26
CN112269597B CN112269597B (en) 2023-03-24

Family

ID=74341861

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011149498.XA Active CN112269597B (en) 2020-10-23 2020-10-23 Method and system for detecting abnormal behavior of processor instruction

Country Status (1)

Country Link
CN (1) CN112269597B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112905995A (en) * 2021-02-05 2021-06-04 电子科技大学 Method and system for detecting abnormal behaviors of register group in processor in real time

Citations (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6021272A (en) * 1995-10-04 2000-02-01 Platinum Technology, Inc. Transforming and manipulating program object code
CN1628284A (en) * 2002-05-31 2005-06-15 先进微装置公司 Secure execution mode exceptions
CN101351784A (en) * 2005-12-30 2009-01-21 阿西式·A·潘迪亚 Runtime adaptable search processor
US20090198967A1 (en) * 2008-01-31 2009-08-06 Bartholomew Blaner Method and structure for low latency load-tagged pointer instruction for computer microarchitechture
CN102707926A (en) * 2011-04-07 2012-10-03 威盛电子股份有限公司 Microprocessor that performs x86 isa and arm isa machine language program instructions by hardware translation
US20190146900A1 (en) * 2017-11-15 2019-05-16 Lenovo (Singapore) Pte. Ltd. Method and system for context based testing of software application vulnerabilities
CN109918292A (en) * 2019-01-28 2019-06-21 中国科学院信息工程研究所 A kind of processor instruction set test method and device
WO2019152752A1 (en) * 2018-02-02 2019-08-08 Mcintosh Gordon David Systems and methods for preventing code insertion attacks
CN110597715A (en) * 2019-08-28 2019-12-20 昆明理工大学 Test sample optimization method based on fuzzy test
CN110851830A (en) * 2019-10-24 2020-02-28 中国人民解放军战略支援部队信息工程大学 CPU (Central processing Unit) -oriented undisclosed instruction discovery method based on instruction format identification
CN110851352A (en) * 2019-10-15 2020-02-28 深圳开源互联网安全技术有限公司 Fuzzy test system and terminal equipment
US20200174794A1 (en) * 2018-11-30 2020-06-04 Western Digital Technologies, Inc. Illegal instruction exception handling
CN111475868A (en) * 2020-06-19 2020-07-31 南京芯驰半导体科技有限公司 CPU instruction protection method and system suitable for function and information security chip
CN111783096A (en) * 2019-08-28 2020-10-16 北京京东尚科信息技术有限公司 Method and device for detecting security vulnerability

Non-Patent Citations (6)

* Cited by examiner, † Cited by third party
Title
Jianping Zhu et al.: "CPU Security Benchmark", SecArch'18: Proceedings of the 1st Workshop on Security-Oriented Designs of Computer Architectures and Processors *
Rens Dofferhoff et al.: "iScanU: A Portable Scanner for Undocumented Instructions on RISC Processors", 2020 50th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN) *
Xixing Li et al.: "UISFuzz: An Efficient Fuzzing Method for CPU Undocumented Instruction Searching", IEEE Access *
张晓静 et al.: "Research and implementation of a test method for SPARC-architecture processors", 《计算机测量与控制》 (Computer Measurement & Control) *
张瀚方 et al.: "A directed fuzzing method for binary programs", 《计算机应用》 (Journal of Computer Applications) *
魏强 et al.: "Survey of security issues in x86 central processing units", 《通信学报》 (Journal on Communications) *

Also Published As

Publication number Publication date
CN112269597B (en) 2023-03-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant