CN112269597B - Method and system for detecting abnormal behavior of processor instruction - Google Patents


Info

Publication number: CN112269597B
Authority: CN (China)
Prior art keywords: instruction, abnormal, processor, detection, sample
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to its accuracy)
Application number: CN202011149498.XA
Other languages: Chinese (zh)
Other versions: CN112269597A
Inventors: 魏强, 武泽慧, 周国淼, 吴昊岚, 尹中旭, 王红敏
Current assignee: Information Engineering University of PLA Strategic Support Force (the listed assignees may be inaccurate; Google has not performed a legal analysis)
Original assignee: Information Engineering University of PLA Strategic Support Force
Events: application filed by Information Engineering University of PLA Strategic Support Force; priority to CN202011149498.XA; publication of CN112269597A; application granted; publication of CN112269597B; legal status active; anticipated expiration.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/30 Arrangements for executing machine instructions, e.g. instruction decode
    • G06F 9/30145 Instruction analysis, e.g. decoding, instruction word fields
    • G06F 11/00 Error detection; Error correction; Monitoring
    • G06F 11/22 Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing
    • G06F 11/2205 Detection or location of defective computer hardware by testing using arrangements specific to the hardware being tested
    • G06F 11/2236 Detection or location of defective computer hardware by testing using arrangements specific to the hardware being tested, to test CPU or processors
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 10/00 Energy efficient computing, e.g. low power processors, power management or thermal management


Abstract

The invention belongs to the technical field of network security and in particular relates to a method and a system for detecting abnormal behavior of processor instructions. The method comprises the following steps: establishing a corresponding instruction set for each processor; fuzz testing the instruction set of a target processor to generate instruction search samples and an instruction sample library, and labeling each sample instruction according to its function and characteristics; performing anomaly detection on the instruction under test against the labeled sample instructions and judging whether it is a suspicious instruction or a normal instruction; comparing the operations and execution results before and after the target instruction executes to determine whether the suspicious or normal instruction is an abnormal instruction; collating the abnormal instructions into an abnormal-instruction test report; and, after detection of the single instruction is finished, returning to anomaly detection to wait for the next instruction to be tested. The invention can effectively detect processor instruction errors and improve processor performance.

Description

Method and system for detecting abnormal behavior of processor instruction
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a method and a system for detecting abnormal behavior of processor instructions.
Background
As processors have developed, various instruction extensions have been introduced to improve performance and meet more software and system requirements, but instruction-level security problems have grown with them. In 1994, the FDIV bug caused floating-point division errors on Pentium processors and large batches of processors were recalled. In 1997, the F00F instruction on Pentium processors, an invalid encoding, could deadlock the exception-handling mechanism and bring the CPU down. In 2014, a TSX instruction bug affected normal system operation and the corresponding instructions were disabled. In 2007, Theo de Raadt was the first to link an Intel bug with a potential security vulnerability in the OpenBSD operating system, after which more and more people began working from the errata (bug) tables to implement attacks. In 2018, because operating system developers did not handle the MOV SS/POP SS instructions correctly, a #DB exception could produce unexpected behavior, crash the operating system and even be used to escalate privileges. In 2018, Christopher Domas discovered an instruction backdoor in a VIA C3 processor with which an ordinary user could obtain super-user privileges. Microcode updates have raised issues as well: in 2014, Daming D. Chen performed a security analysis of x86 processor microcode, demonstrating that malicious microcode updates could potentially implement new malicious code structures or change the functionality of existing instructions; in 2017, Philipp Koppe et al. reverse-engineered x86 processor microcode, produced custom microcode updates, and implemented a remotely triggerable microcode-level backdoor. These instruction-level security issues seriously jeopardize the security of critical infrastructure and the information security of important industries, and have already caused huge losses.
To address processor flaws at design time, formal verification is used to prove correctness. DIVA detects and repairs processor errors with a dynamic verification technique in order to improve processor performance. SPECS adds a small amount of hardware to the processor and aims to detect and recover from processor errors that violate invariants, without affecting normal program operation, by defining different security invariants and verifying them dynamically. The hardware security and cipher chip laboratory team of Wei Shaoshi university provides a hardware-level dynamic monitoring and control technique for CPU hardware security: a control processor is combined with an instruction-level CPU model and a hardware behavior security assertion method, so that the CPU is effectively protected against hardware trojans, illegal microcode updates, hardware bugs and the like; with it, the actual behavior of the instruction XRSTO was found to be inconsistent with the instruction manual. Although dynamic monitoring techniques addressing processor shortcomings continue to increase in number, research effort is still being spent on studying the exceptional behavior of instructions.
Disclosure of Invention
Therefore, the invention provides a method and a system for detecting abnormal behavior of processor instructions, which can effectively detect processor instruction errors and improve processor performance.
According to the design scheme provided by the invention, the method for detecting abnormal behavior of processor instructions comprises the following:
establishing a corresponding instruction set for each processor;
fuzz testing the instruction set of the target processor, generating instruction search samples and an instruction sample library, and labeling each sample instruction according to its function and characteristics;
performing anomaly detection on the instruction under test against the labeled sample instructions and judging whether it is a suspicious or a normal instruction; comparing the operations and execution results before and after the target instruction executes to determine whether the suspicious or normal instruction is an abnormal instruction; collating the abnormal instructions into an abnormal-instruction test report; and, after detection of the single instruction is finished, returning to anomaly detection to wait for the next instruction to be tested.
In the method, the invention further sets the instruction byte space length according to the instruction format of the target processor, traverses the instruction bytes with a depth-first algorithm starting from the first byte, obtains all instruction contents other than the instruction prefix bytes, and combines these contents with the instruction prefixes to obtain all valid instructions of the target processor.
In the method, the instruction search space is further determined by the fuzz test, the sample instructions are disassembled with a disassembler, and instruction classification is completed by operand testing.
The method further labels the instruction classes, according to instruction function and characteristics, using the abnormal characteristics of the instructions recorded in the errata table.
In the labeling step, the normal behavior of each instruction is identified: all instructions and their disassembly are classified as having no operand, a single operand or multiple operands, and the classification result is mapped onto four function classes: arithmetic/logic operation, memory read, register write and special operation.
The method further extracts and labels the abnormal characteristics of instructions from the errata table at a preset time interval, following the errata table periodically updated by the processor manufacturer, so as to ensure the accuracy and completeness of the instruction test.
The invention further rechecks the anomaly detection results to obtain the suspicious instructions and eliminates false alarms in combination with manual analysis.
The invention further judges whether the instruction under test is suspicious by comparing the instruction disassembly result with its label during actual execution, combined with the anomaly detection result.
The operations and execution results before and after the target instruction executes are further compared using assertion statements to determine the abnormal behavior of the instruction.
Further, based on the above method, the invention also provides a system for detecting abnormal behavior of processor instructions, comprising a data collection module, a fuzz testing module and an anomaly detection module, wherein
the data collection module establishes a corresponding instruction set for each processor;
the fuzz testing module fuzz tests the instruction set of the target processor, generates instruction search samples and an instruction sample library, and labels each sample instruction according to its function and characteristics;
the anomaly detection module performs anomaly detection on the instruction under test against the labeled sample instructions and judges whether it is a suspicious or a normal instruction; compares the operations and execution results before and after the target instruction executes to determine whether the suspicious or normal instruction is an abnormal instruction; collates the abnormal instructions into an abnormal-instruction test report; and, after detection of the single instruction is finished, returns to anomaly detection to wait for the next instruction to be tested.
The beneficial effects of the invention are as follows:
by building an instruction sample library of the processor, instruction behavior detection can be carried out on multiple processors; instruction errors and inconsistencies between the execution format of some software instructions and actual processor execution can be found in time, and instructions that cause processor deadlock can be detected, which improves the efficiency and accuracy of processor instruction anomaly detection and the performance of the processor. Furthermore, the improved instruction search mode makes searching and collating the instruction library more efficient; a lightweight instruction judgement strategy is introduced for detecting abnormal instruction behavior, several assertion methods are provided, and instruction behavior can be judged successfully at a preliminary stage, further ensuring the efficiency of processor instruction anomaly detection. The method therefore has good application value.
Description of the drawings:
FIG. 1 is a flow chart of an abnormal behavior detection method in an embodiment;
FIG. 2 is a schematic diagram of the abnormal behavior detection principle in the embodiment;
FIG. 3 is a schematic diagram of an embodiment of the x86 instruction format;
FIG. 4 is a schematic diagram of an instruction search flow in the embodiment;
FIG. 5 is a schematic of instruction classification logic in an embodiment;
FIG. 6 is a schematic diagram of an abnormal behavior detection system framework in an embodiment.
Detailed description:
In order to make the objects, technical solutions and advantages of the invention clearer, the invention is described in further detail below with reference to the accompanying drawings and technical solutions.
Current research on instructions is not mature and has the following problems: (1) CPU vulnerabilities and backdoors appear frequently, and hidden instructions can escalate privileges, but the CPU implementation framework is not disclosed, so backdoor and trojan detection is difficult and there is no suitable method or means of detection; (2) instructions that violate their published description are a serious problem and are not corrected in time, yet there is no complete anomaly analysis method to assist the analysis. During development an instruction may not execute its function exactly as documented, but instruction behavior is difficult to observe, so such violations of the specification are hard to discover in time. In software vulnerability mining, static and dynamic vulnerability mining are the main approaches. An embodiment of the invention, as shown in fig. 1, provides a method for detecting abnormal behavior of processor instructions, which includes the following steps:
S101, establishing a corresponding instruction set for each processor;
S102, fuzz testing the instruction set of the target processor, generating instruction search samples and an instruction sample library, and labeling each sample instruction according to its function and characteristics;
S103, performing anomaly detection on the instruction under test against the labeled sample instructions and judging whether it is a suspicious or a normal instruction; comparing the operations and execution results before and after the target instruction executes to determine whether the suspicious or normal instruction is an abnormal instruction; collating the abnormal instructions into an abnormal-instruction test report; and, after detection of the single instruction is finished, returning to anomaly detection to wait for the next instruction to be tested.
In the embodiment, dynamic vulnerability mining, represented by fuzz testing, avoids the high false-alarm rate and low efficiency of static vulnerability mining and can detect software vulnerabilities efficiently. Through the processor's instruction sample library, instruction behavior detection can be carried out on multiple processors; instruction errors and inconsistencies between the execution format of some software instructions and actual processor execution can be found in time, instructions that cause processor deadlock can be detected, the efficiency and accuracy of processor instruction anomaly detection are improved, and processor performance is improved.
In the embodiment, the instruction byte space length is further set according to the instruction format of the target processor, the instruction bytes are traversed with a depth-first algorithm starting from the first byte, all instruction contents other than the prefix bytes are obtained, and these contents are combined with the instruction prefixes to obtain all valid instructions of the target processor.
Referring to fig. 2, the detailed steps of the abnormal behavior detection principle of the embodiment are as follows:
Step 1: the instruction set of the target CPU is fuzz tested, the instruction search space is determined, instruction search samples are generated, and an instruction sample library is finally obtained.
Step 2: the sample instructions are disassembled with a disassembler such as Capstone, their operands are tested, and the instructions are classified preliminarily.
Step 3: function and characteristic labels are extracted for the instructions, the abnormal characteristics of instructions in the errata table are added, and the instruction classes are labeled further.
Step 4: the instructions in the labeled instruction library are passed to the monitoring module, and anomaly detection of the instructions begins.
Step 5: if the monitoring module detects an anomaly, the abnormal instruction is passed to a re-detection stage for further judgement.
Step 6: the suspicious instructions that survive the retest are combined with manual analysis to eliminate false alarms and confirm the correctness of the detection result.
Step 7: whether the instruction under test is suspicious is judged by comparing the disassembly result of the instruction with its label and with the anomaly signal produced during actual execution.
Step 8: if the monitoring module detects no problem, or the judgement result is normal, control passes to the assertion module for the next judgement.
Step 9: the operations and execution results before and after the instruction executes are compared to judge whether the instruction is abnormal.
Step 10: after the instructions have been judged and screened, the abnormal instructions are collated into a detailed test report.
Step 11: after the single instruction has been tested, the state is restored to wait for the next instruction to be tested.
To test the abnormal behavior of existing instructions, corresponding instruction libraries are established for different processors. To further improve search efficiency, the method is built on a study of the instruction format. As shown in FIG. 3, an instruction is 0-15 bytes long, and the instruction format is generally divided into instruction prefix, opcode, register and addressing flags, offset, and immediate. Experiments show that the 1-, 2- or 3-byte opcode generally controls the functional behavior of the instruction, the 1-byte instruction prefix adds an extra qualification to the instruction, and the offset and immediate generally have little influence. Therefore the search can be pruned mainly on the opcode, using the prefix type to merge the remaining offset variants.
TABLE 1 Prefix types and roles
[Table 1 is provided only as images (BDA0002740745980000041, BDA0002740745980000051) on the original page and is not reproduced here.]
As shown in table 1, there are 4 types (groups) of instruction prefix; at most one prefix from each group may be used, and they may be combined in any order, so the instruction prefixes occupy at most 4 bytes and at least 0 bytes. Since the purpose of the application is to determine the abnormal behavior of instructions, the search time can be reduced further, as shown in fig. 4: a 15-byte space is set and the instruction bytes are traversed with a depth-first algorithm starting from the first byte; whenever a prefix byte is encountered it is skipped, so that all instructions other than the prefix are obtained first; the results are then combined with each instruction prefix and, if the combination succeeds, the traversal continues backwards in sequence until all valid instructions of the processor have been obtained. If the total number of other instructions found is n, theoretical analysis shows that the instruction search can be reduced by $11 \times 2^{16-n}$.
As shown in fig. 5, to ensure the accuracy of detecting abnormal instruction behavior, the normal behavior of each instruction is identified: all instructions and their disassembly are classified as Non (no operand), Si (single operand) or Mul (multiple operands) and, by analyzing a large number of CPU instruction manuals, mapped onto 4 function classes: Ex (arithmetic and logical operation), Mem (memory read), Reg (register write) and Spe (special operation). For each instruction, characteristics such as register changes are stored according to its functional features, and the special operations are subdivided into specific characteristics such as processor deadlock and privilege escalation.
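The prefix-skipping search described above, written out as an added example (this is not the patent's own code). The eleven x86 legacy prefix bytes and their four groups are real; the decoder oracle, the handful of opcodes it knows and the names `search_core`, `prefix_combinations` and `expand_with_prefixes` are constructed for illustration, standing in for a real disassembler or for executing the bytes under a tracer. The walk probes each level of the 15-byte space without the prefix bytes, then multiplies the discovered encodings by the legal prefix combinations (at most one per group) instead of searching them.

```python
"""Prefix-pruned depth-first instruction search (added example, constructed oracle)."""
from itertools import product

# x86 legacy prefix groups. At most one byte from each group may be present and
# group order does not matter, so the combinations are a product over the groups.
PREFIX_GROUPS = {
    "group1_lock_rep": (0xF0, 0xF2, 0xF3),
    "group2_segment": (0x26, 0x2E, 0x36, 0x3E, 0x64, 0x65),
    "group3_operand_size": (0x66,),
    "group4_address_size": (0x67,),
}
PREFIX_BYTES = frozenset(b for group in PREFIX_GROUPS.values() for b in group)
PREFIX_GROUP_OF = {b: name for name, group in PREFIX_GROUPS.items() for b in group}
MAX_INSN_LEN = 15  # an x86 instruction is at most 15 bytes long

# Constructed oracle: a few real opcodes plus the intermediate byte strings that
# must be extended further. A real search would ask a disassembler or the CPU.
_CONSTRUCTED_VALID = {
    bytes([0x90]): "nop",
    bytes([0xC3]): "ret",
    bytes([0x0F, 0x05]): "syscall",
    bytes([0x0F, 0x01, 0xF9]): "rdtscp",
}
_CONSTRUCTED_INCOMPLETE = {bytes([0x0F]), bytes([0x0F, 0x01])}


def decode(seq: bytes):
    """Return ('valid', mnemonic), ('incomplete', None) or ('invalid', None)."""
    if seq in _CONSTRUCTED_VALID:
        return "valid", _CONSTRUCTED_VALID[seq]
    if seq in _CONSTRUCTED_INCOMPLETE:
        return "incomplete", None
    return "invalid", None


def decode_with_prefixes(seq: bytes):
    """Strip leading prefixes (at most one per group) and decode the remainder."""
    seen = set()
    i = 0
    while i < len(seq) and seq[i] in PREFIX_BYTES:
        group = PREFIX_GROUP_OF[seq[i]]
        if group in seen:          # two prefixes from one group: reject
            return "invalid", None
        seen.add(group)
        i += 1
    return decode(seq[i:])


def search_core(oracle=decode, max_len=MAX_INSN_LEN):
    """Depth-first walk over the byte space that never descends into prefix bytes.

    Returns (found, probes): prefix-free encodings that decode, and the number
    of oracle calls the walk needed.
    """
    found = {}
    probes = 0
    stack = [b""]
    while stack:
        base = stack.pop()
        for b in range(256):
            if b in PREFIX_BYTES:
                continue           # prefixes are combined afterwards, not searched
            seq = base + bytes([b])
            probes += 1
            status, name = oracle(seq)
            if status == "valid":
                found[seq] = name
            elif status == "incomplete" and len(seq) < max_len:
                stack.append(seq)  # opcode escape byte: go one level deeper
    return found, probes


def prefix_combinations():
    """Every legal prefix string: zero or one byte from each of the 4 groups."""
    choices = [(None,) + group for group in PREFIX_GROUPS.values()]
    return [bytes(b for b in combo if b is not None) for combo in product(*choices)]


def expand_with_prefixes(found, oracle=decode_with_prefixes, max_len=MAX_INSN_LEN):
    """Combine each discovered encoding with each prefix string and keep those that decode."""
    full = {}
    for prefix in prefix_combinations():
        for seq, _ in found.items():
            candidate = prefix + seq
            if len(candidate) > max_len:
                continue
            status, name = oracle(candidate)
            if status == "valid":
                full[candidate] = name
    return full


if __name__ == "__main__":
    core, probes = search_core()
    print(f"{len(core)} prefix-free encodings after {probes} probes")
    print(f"{len(prefix_combinations())} prefix combinations, "
          f"{len(expand_with_prefixes(core))} full encodings")
```

With the constructed oracle the walk spends 245 probes per level (256 minus the 11 prefix bytes) and finds the four encodings in 735 probes; the 112 prefix combinations are then applied by multiplication rather than by search.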
Because the CPU inevitably generates instruction execution errors during the development process, these errors are usually the result of incorrectly updating registers, writing into memory, etc. during the instruction execution process, which is not described according to the established instructions. Manufacturers continue to test to solve this problem by periodically updating the error tables to post CPU instruction exceptions. Therefore, the accuracy in the instruction testing process can be ensured by periodically summarizing the error table of the CPU, extracting the abnormal characteristics of the instructions and then further labeling each instruction. Meanwhile, a research team analyzes the instructions and the microinstructions, analyzes the formats of the instructions and analyzes the microinstructions, and arranges and summarizes corresponding functions and use, so that the part of instruction data can be also brought into an expert strategy library to ensure the integrity of the instruction test.
Further, based on the foregoing method, an embodiment of the present invention further provides a system for detecting abnormal behavior of processor instructions, including: a data collection module, a fuzz testing module, and an anomaly detection module, wherein,
the data collection module is used for respectively establishing corresponding instruction sets aiming at different processors;
the fuzzy test module is used for carrying out fuzzy test on an instruction set of the target processor, generating an instruction search sample and an instruction sample library, and carrying out labeling processing on the sample instruction according to the instruction function and the characteristics;
the abnormality detection module is used for carrying out abnormality detection on the instruction to be detected according to the labeled sample instruction and judging whether the instruction to be detected is a suspicious instruction or a normal instruction; comparing the operation and the execution result before and after the target instruction is executed to predicate whether the suspicious instruction or the normal instruction is an abnormal instruction; aiming at the abnormal instruction, the abnormal instruction is sorted and an abnormal instruction test report is formed; and after the detection of the single instruction is finished, returning to the abnormal detection to wait for the test of the next instruction.
Referring to fig. 6, the instruction abnormal behavior detection system can be further divided into: the device comprises an instruction generation module, an execution controller, a monitoring module, an assertion module, a result analysis module, a state recovery module and the like. The instruction generation module is responsible for generating an instruction test sample, classifying and labeling the instruction characteristic functions, and judging the subsequent abnormal behavior according to the classified label. The monitoring module is responsible for monitoring changes of the register, the MSR, error signals and the like and transmitting abnormal change conditions to the judging module. The assertion module is an executor used for making assertion on the execution behavior of the target instruction test sample, and provides support for judging whether the instruction has abnormal behavior. The judging module analyzes and summarizes the instruction testing result, preliminarily screens and processes whether the judging instruction has abnormal behaviors or not, and finally obtains the testing result. The recovery module is responsible for recovering the state of the processor after each instruction is tested, and normal judgment of the next instruction is prevented from being influenced.
For monitoring of the registers, the operating mechanism of gdb can be imitated: the ptrace system call of the Ubuntu system is used for monitoring, the values of all registers are read effectively, and real-time monitoring is guaranteed. ptrace() lets a user process intercept and modify system calls; through ptrace(), one process can attach to a designated process and dynamically read/write the other process's memory and registers, including the instruction space, the data space, the stack and all the registers; combined with the signal mechanism (and other means), one process can also be made to run under the control and tracking of another. By means of this system call, dynamic changes that cannot otherwise be observed after an instruction executes can be intercepted, and the instruction can be debugged. Development uses Intel's MSR-tools toolkit: all MSR register positions in the processor are fuzzed, all MSR registers that exist in the processor are read out, their values are recorded, and the values are arranged into an MSR register base table. The MSR registers are then labeled according to their functions by reference to the white paper issued by the manufacturer.
If a register value changes, the corresponding position in the base table is marked immediately, and whether the instruction's effect on the register is correct is judged effectively through comparison.
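The base-table comparison described above, as an added example that is not part of the patent: a constructed MSR base table with functional labels, a post-execution snapshot, the marking step, and the comparison against the instruction tag. The tag format, the "volatile" label that excludes the time-stamp counter, and all values are assumptions of the example; the MSR addresses are the documented Intel numbers for IA32_TIME_STAMP_COUNTER, IA32_APIC_BASE, IA32_SYSENTER_CS and IA32_EFER.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* One row of the MSR base table: address, functional label taken from the
 * vendor documentation, baseline value read before the test sample runs, and
 * the mark set when a later read differs from the baseline. */
struct msr_row { uint32_t addr; const char *label; uint64_t baseline; int changed; };

/* Instruction tag (hypothetical format): the mnemonic under test and the one
 * MSR label it is permitted to modify, or NULL if it must not touch any MSR. */
struct insn_tag { const char *mnemonic; const char *may_modify; };

/* Mark every changed position in the base table and return the number of
 * changes that fall outside what the tag permits; a non-zero result is the
 * "abnormal MSR modification" verdict handed to the judging module. Rows
 * labelled "volatile" (the time-stamp counter advances on every clock) are
 * marked but never counted; that exclusion is an assumption of the example. */
int compare_msr_table(struct msr_row *t, size_t n, const uint64_t *after,
                      const struct insn_tag *tag) {
    int unexpected = 0;
    for (size_t i = 0; i < n; i++) {
        t[i].changed = (after[i] != t[i].baseline);
        if (!t[i].changed || strcmp(t[i].label, "volatile") == 0) continue;
        if (tag->may_modify == NULL || strcmp(tag->may_modify, t[i].label) != 0)
            unexpected++;
    }
    return unexpected;
}

/* Between two samples the recovery module restores the processor to the
 * baseline, so the table only needs its marks cleared. */
void clear_marks(struct msr_row *t, size_t n) {
    for (size_t i = 0; i < n; i++) t[i].changed = 0;
}

/* Constructed base table: the addresses are the documented Intel numbers for
 * IA32_TIME_STAMP_COUNTER, IA32_APIC_BASE, IA32_SYSENTER_CS and IA32_EFER;
 * the baseline values are made up. */
static struct msr_row base_table[] = {
    { 0x00000010, "volatile",    0x0000000123456789ULL, 0 },
    { 0x0000001B, "apic-base",   0x00000000FEE00900ULL, 0 },
    { 0x00000174, "sysenter-cs", 0x0000000000000010ULL, 0 },
    { 0xC0000080, "efer",        0x0000000000000D01ULL, 0 },
};
#define N_MSRS (sizeof base_table / sizeof base_table[0])

/* Sample tagged as a SYSENTER_CS write: the TSC moved (ignored) and
 * SYSENTER_CS changed (permitted), so no unexpected modification. */
int check_tagged_write(void) {
    struct insn_tag tag = { "wrmsr", "sysenter-cs" };
    uint64_t after[] = { 0x0000000123459999ULL, 0x00000000FEE00900ULL,
                         0x0000000000000020ULL, 0x0000000000000D01ULL };
    int v = compare_msr_table(base_table, N_MSRS, after, &tag);
    clear_marks(base_table, N_MSRS);
    return v;
}

/* Sample labelled arithmetic (no MSR may change) after which EFER differs
 * from the baseline: one unexpected modification. */
int check_arith_sample(void) {
    struct insn_tag tag = { "add", NULL };
    uint64_t after[] = { 0x000000012345AAAAULL, 0x00000000FEE00900ULL,
                         0x0000000000000010ULL, 0x0000000000000D00ULL };
    int v = compare_msr_table(base_table, N_MSRS, after, &tag);
    clear_marks(base_table, N_MSRS);
    return v;
}
```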
To determine the abnormal behavior of an instruction, the embodiment uses assertion statements for the decision; all 6 assertion methods can be constructed from the simplest 3:
always(expression): the expression must be true at all times.
next(expression, signal, time): the expression must be true for a certain time after the signal changes from 0 to 1.
change(expression, signal): the expression must be true when the signal changes from 0 to 1.
TABLE 2 assertion method for problem detection
As shown in Table 2, one of the key items that can be taken is the value change of a register: the instruction tag is compared with the register state saved before and after execution to determine whether executing the instruction modified the corresponding register in the manner the tag describes. For a change of instruction format, it is only necessary to check that the format is consistent before and after execution and before and after disassembly. To judge whether the authority is consistent, execution code for a specific privilege level is set; for example, when an instruction is marked as low-privilege, commands are executed at high and low privilege respectively, the feedback information shows whether the instruction performs a privilege-raising operation, and the instruction tag then decides whether the instruction complies with its execution specification. For an abnormal state return, it is only necessary to judge whether the states before and after are consistent with the exception type marked in the instruction tag. To judge whether an instruction locks the processor, a heartbeat packet experiment is set up and the signal is captured: if the connection fails and the signal does not change within 300 s, the instruction is judged to lock the processor and its behavior is abnormal.
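The three assertion primitives and the heartbeat-based lockup judgement, as an added example not taken from the patent: always, next and change are evaluated over a sampled trace, and next() is applied to a heartbeat trace with the 300 s window the text uses. The sample struct, the 60 s sampling interval and the two traces are constructed assumptions of the example.

```c
#include <stddef.h>

/* One observation taken by the monitoring module: seconds since the test
 * sample was launched, the monitored signal (0 or 1) and the truth value of
 * the asserted expression at that instant. */
struct sample { unsigned t; int signal; int expr; };

/* Index of the first 0 -> 1 transition of the signal, or -1 if it never rises. */
static long rising_edge(const struct sample *s, size_t n) {
    for (size_t i = 1; i < n; i++)
        if (!s[i - 1].signal && s[i].signal) return (long)i;
    return -1;
}

/* always(expression): the expression holds at every observation. */
int assert_always(const struct sample *s, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (!s[i].expr) return 0;
    return 1;
}

/* change(expression, signal): the expression holds at the instant the signal
 * rises; a trace in which the signal never rises fails the assertion. */
int assert_change(const struct sample *s, size_t n) {
    long e = rising_edge(s, n);
    return e >= 0 && s[e].expr;
}

/* next(expression, signal, time): from the rising edge on, the expression
 * holds at every observation taken within `time` seconds of the edge. */
int assert_next(const struct sample *s, size_t n, unsigned time) {
    long e = rising_edge(s, n);
    if (e < 0) return 0;
    for (size_t i = (size_t)e; i < n && s[i].t <= s[e].t + time; i++)
        if (!s[i].expr) return 0;
    return 1;
}

/* Lockup judgement built on next(): the signal rises when the heartbeat
 * connection first fails, the expression is "the heartbeat counter has still
 * not changed", and the window is the 300 s the text uses. The verdict is
 * "locked" only once a complete window has been observed, so a trace that
 * merely ends early is not mistaken for a lockup. */
#define LOCKUP_WINDOW_S 300u
int processor_locked(const struct sample *s, size_t n) {
    long e = rising_edge(s, n);
    if (e < 0 || s[n - 1].t < s[e].t + LOCKUP_WINDOW_S)
        return 0;                      /* no failure yet, or window still open */
    return assert_next(s, n, LOCKUP_WINDOW_S);
}

/* Constructed heartbeat traces sampled every 60 s. The connection fails at
 * t = 120 in both; in `transient` the heartbeat resumes at t = 240 (expr
 * drops to 0), in `stalled` it never comes back. */
static const struct sample transient[] = {
    { 0, 0, 0 }, { 60, 0, 0 }, { 120, 1, 1 }, { 180, 1, 1 }, { 240, 1, 0 },
    { 300, 1, 0 }, { 360, 1, 0 }, { 420, 1, 0 }, { 480, 1, 0 }
};
static const struct sample stalled[] = {
    { 0, 0, 0 }, { 60, 0, 0 }, { 120, 1, 1 }, { 180, 1, 1 }, { 240, 1, 1 },
    { 300, 1, 1 }, { 360, 1, 1 }, { 420, 1, 1 }, { 480, 1, 1 }
};
#define LEN(a) (sizeof (a) / sizeof (a)[0])

int transient_locked(void) { return processor_locked(transient, LEN(transient)); }
int stalled_locked(void)   { return processor_locked(stalled, LEN(stalled)); }
```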
In the embodiment, the instruction search space is greatly reduced by improving the way instructions are searched in sandsifter, and the search efficiency is raised, so that the instruction library is collected and arranged more efficiently; a lightweight instruction judgment strategy is introduced for detecting abnormal instruction behavior, several assertion methods are provided, and a preliminary judgment of instruction behavior can be made successfully. This helps turn instruction behavior that is not observable into a state that can be observed, which favors quick detection of abnormal instruction behavior. Applied to the instruction behavior of processors, it found erroneous instructions, inconsistencies between the execution format of some software instructions and the actual processor, and one instruction problem that causes processor deadlock.
Unless specifically stated otherwise, the relative steps, numerical expressions, and values of the components and steps set forth in these embodiments do not limit the scope of the present invention.
Based on the foregoing system, an embodiment of the present invention further provides a server, including: one or more processors; a storage device to store one or more programs that, when executed by the one or more processors, cause the one or more processors to implement the system as described above.
Based on the foregoing system, an embodiment of the present invention further provides a computer readable medium, on which a computer program is stored, where the program is executed by a processor to implement the foregoing system.
The device provided by the embodiment of the present invention has the same implementation principle and technical effect as the system embodiment, and for the sake of brief description, reference may be made to the corresponding content in the system embodiment for the part where the device embodiment is not mentioned.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the system and the apparatus described above may refer to the corresponding processes in the foregoing system embodiments, and are not described herein again.
In all examples shown and described herein, any particular value should be construed as merely exemplary, and not as a limitation, and thus other examples of example embodiments may have different values.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In the several embodiments provided in the present application, it should be understood that the disclosed system and apparatus may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative; for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a non-volatile computer-readable storage medium executable by a processor. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the system according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk, and various media capable of storing program codes.
Finally, it should be noted that: the above-mentioned embodiments are only specific embodiments of the present invention, which are used for illustrating the technical solutions of the present invention and not for limiting the same, and the protection scope of the present invention is not limited thereto, although the present invention is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that: any person skilled in the art can modify or easily conceive the technical solutions described in the foregoing embodiments or equivalent substitutes for some technical features within the technical scope of the present disclosure; such modifications, changes or substitutions do not depart from the spirit and scope of the embodiments of the present invention, and they should be construed as being included therein. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (4)

1. A method for detecting abnormal behavior of processor instructions, comprising:
different processors respectively establish corresponding instruction sets;
carrying out fuzzy test on an instruction set of a target processor, generating an instruction search sample and an instruction sample library, and carrying out labeling processing on a sample instruction according to instruction functions and characteristics;
performing anomaly detection on the instruction to be detected according to the sample instruction subjected to labeling processing, and judging whether the instruction to be detected is a suspicious instruction or a normal instruction; comparing the operation and the execution result before and after the target instruction is executed to predicate whether the suspicious instruction or the normal instruction is an abnormal instruction; aiming at the abnormal instruction, the abnormal instruction is sorted and an abnormal instruction test report is formed; after the detection of the single instruction is finished, returning to the abnormal detection to wait for the test of the next instruction;
setting the space length of instruction bytes according to the instruction format of a target processor, traversing the instruction by using a depth-first algorithm from the first byte, acquiring all instruction contents except an instruction prefix byte, and combining the contents with the instruction prefix to obtain all effective instructions of the target processor;
determining an instruction search space according to the fuzzy test, disassembling the sample instruction by using a disassembler, and completing instruction classification through operand test;
according to the instruction functions and characteristics, the instruction abnormal characteristics in the error table are utilized to carry out labeling processing on the instruction classification;
in the labeling processing, the normal behavior of the instruction is identified, all the instructions and corresponding disassembly are classified by no operand, a single operand and multiple operands, and the classification result is mapped into an arithmetic logic operation, a memory reading operation, a register writing operation and a special operation function;
comparing the instruction disassembling result with a label in the actual instruction executing process, and judging whether the instruction to be detected is a suspicious instruction or not by combining abnormality detection;
comparing the operation and the execution result before and after the target instruction is executed by using the assertion statement to determine the abnormal behavior of the instruction;
judging the abnormal behavior of mismatched execution authority and page authority and the abnormal behavior of operand structure processing by using always(expression), judging the abnormal behavior of the processor locking up completely by using next(expression, signal, time), and judging the register modification abnormal behavior, the MSR modification abnormal behavior and the update-state abnormal return behavior by using change(expression, signal).
2. The method as claimed in claim 1, wherein the method further comprises extracting and labeling abnormal instruction features in the error table at a predetermined time interval according to the error table updated by the processor manufacturer periodically to ensure the accuracy and completeness of the instruction testing.
3. The method according to claim 1, wherein the suspicious instructions are obtained by a review test and combined with manual analysis to eliminate false alarms in the anomaly detection result.
4. A processor instruction abnormal behavior detection system, implemented based on the method of claim 1, comprising: a data collection module, a fuzz testing module, and an anomaly detection module, wherein,
the data collection module is used for respectively establishing corresponding instruction sets aiming at different processors;
the fuzzy test module is used for carrying out fuzzy test on an instruction set of the target processor, generating an instruction search sample and an instruction sample library, and carrying out labeling processing on the sample instruction according to the instruction function and the characteristics;
the anomaly detection module is used for carrying out anomaly detection on the instruction to be detected according to the sample instruction subjected to labeling processing, and judging whether the instruction to be detected is a suspicious instruction or a normal instruction; comparing the operation and the execution result before and after the target instruction is executed to predicate whether the suspicious instruction or the normal instruction is an abnormal instruction; aiming at the abnormal instruction, the abnormal instruction is sorted and an abnormal instruction test report is formed; and after the detection of the single instruction is finished, returning to the anomaly detection to wait for the test of the next instruction.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011149498.XA CN112269597B (en) 2020-10-23 2020-10-23 Method and system for detecting abnormal behavior of processor instruction

Publications (2)

Publication Number Publication Date
CN112269597A CN112269597A (en) 2021-01-26
CN112269597B true CN112269597B (en) 2023-03-24

Family

ID=74341861

Country Status (1)

Country Link
CN (1) CN112269597B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112905995B (en) * 2021-02-05 2022-08-05 电子科技大学 Method and system for detecting abnormal behaviors of register group in processor in real time

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6021272A (en) * 1995-10-04 2000-02-01 Platinum Technology, Inc. Transforming and manipulating program object code
CN1628284A (en) * 2002-05-31 2005-06-15 先进微装置公司 Secure execution mode exceptions
CN101351784A (en) * 2005-12-30 2009-01-21 阿西式·A·潘迪亚 Runtime adaptable search processor
CN102707926A (en) * 2011-04-07 2012-10-03 威盛电子股份有限公司 Microprocessor that performs x86 isa and arm isa machine language program instructions by hardware translation
CN109918292A (en) * 2019-01-28 2019-06-21 中国科学院信息工程研究所 A kind of processor instruction set test method and device
WO2019152752A1 (en) * 2018-02-02 2019-08-08 Mcintosh Gordon David Systems and methods for preventing code insertion attacks
CN110597715A (en) * 2019-08-28 2019-12-20 昆明理工大学 Test sample optimization method based on fuzzy test
CN110851830A (en) * 2019-10-24 2020-02-28 中国人民解放军战略支援部队信息工程大学 CPU (Central processing Unit) -oriented undisclosed instruction discovery method based on instruction format identification
CN110851352A (en) * 2019-10-15 2020-02-28 深圳开源互联网安全技术有限公司 Fuzzy test system and terminal equipment
CN111475868A (en) * 2020-06-19 2020-07-31 南京芯驰半导体科技有限公司 CPU instruction protection method and system suitable for function and information security chip
CN111783096A (en) * 2019-08-28 2020-10-16 北京京东尚科信息技术有限公司 Method and device for detecting security vulnerability

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7849293B2 (en) * 2008-01-31 2010-12-07 International Business Machines Corporation Method and structure for low latency load-tagged pointer instruction for computer microarchitechture
US11294798B2 (en) * 2017-11-15 2022-04-05 Lenovo (Singapore) Pte. Ltd. Method and system for context based testing of software application vulnerabilities
US11086631B2 (en) * 2018-11-30 2021-08-10 Western Digital Technologies, Inc. Illegal instruction exception handling

Non-Patent Citations (6)

* Cited by examiner, † Cited by third party
Title
CPU Security Benchmark; Jianping Zhu et al.; SecArch'18: Proceedings of the 1st Workshop on Security-Oriented Designs of Computer Architectures and Processors; 2018-01-15; pp. 8-14 *
iScanU: A Portable Scanner for Undocumented Instructions on RISC Processors; Rens Dofferhoff et al.; 2020 50th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN); 2020-07-31; pp. 306-316 *
Research and implementation of a test method for SPARC architecture processors; 张晓静 et al.; 计算机测量与控制; 2011-03-25 (No. 03); full text *
UISFuzz: An Efficient Fuzzing Method for CPU Undocumented Instruction Searching; Xixing Li et al.; IEEE Access; 2019-10-24; pp. 149224-149236 *
A survey of X86 central processor security issues; 魏强 et al.; 通信学报; 2018-11-30; Vol. 39 (No. Z2); pp. 151-162 *
A directed fuzzing method for binary programs; 张瀚方 et al.; 计算机应用; 2019-01-21 (No. 05); full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant