CN102662830A - Code reuse attack detection system based on dynamic binary translation framework - Google Patents


Info

Publication number: CN102662830A
Application number: CN2012100735634A
Authority: CN (China)
Prior art keywords: instruction, translation, program, attack, code
Legal status: Pending (the status is Google's assumption, not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 刘超, 孙建华, 陈浩
Current assignee: Hunan University
Original assignee: Hunan University
Application filed by Hunan University

Landscapes

  • Devices For Executing Special Programs (AREA)

Abstract

The invention belongs to the field of computer security and discloses a code reuse attack detection system based on a dynamic binary translation framework. The detection system comprises a translator, a detector, a cache and trampolines. The translator decodes the binary code of the program item by item, using basic blocks as the unit. The detector processes the decoded instructions: on the basis of conventional detection it guarantees normal operation, and, centered on attack detection, it acquires and checks the behavior of the instructions. The cache establishes the mapping between the source addresses and the translated addresses of basic blocks and caches the target code generated by translation. The trampolines manage the control flow of the program, guarantee orderly translation and execution, and provide a detection and optimization mechanism for instructions of the same type. The system can process non-open-source programs and guarantee their safe execution.

Description

Code reuse attack detection system based on a binary translation framework
Technical field
The invention belongs to the field of computer security, and specifically is a code reuse attack detection system based on a binary translation framework.
Background art
The continual growth of software size makes the number of vulnerabilities ever larger, and the spread of the Internet has made attacks based on software vulnerabilities wide in scope, many in form and fast in propagation, posing a serious threat to the security of users. The early main attack pattern against buffer overflow vulnerabilities was code injection: the attacker, locally or remotely, injects executable binary code into the process address space and modifies the control flow of the program so that the process executes that code. A large number of defense mechanisms against code injection attacks exist today.
The code reuse attack (Code Reuse Attack) is currently a fairly common attack pattern and is the evolution of code injection: the attacker need not inject malicious code, but uses legitimate functions and instructions in dynamic libraries or in the program itself to launch an effective attack. Code reuse attacks based on ROP (Return-Oriented Programming) and JOP (Jump-Oriented Programming) use instruction sequences ending in RET and JMP instructions respectively, and can realize an attack of any purpose. Attackers have successfully carried out code reuse attacks on a variety of platforms, devices and software, and the appearance of techniques for constructing code reuse attacks automatically has made code reuse one of the most threatening attack patterns.
Binary translation technology can translate the executable binary code of one platform into executable binary code for the same or another platform, enabling executable programs to break through platform restrictions and strengthening the adaptability between software and processors. Dynamic binary translation translates the source program in real time during execution and monitors the whole translation and execution process; it is a commonly adopted technique for tracing program control flow.
Binary instrumentation (Instrumentation) uses binary translation to add additional code to a program that collects program behavior information or modifies program behavior. Instrumentation can be used at every stage of a program; it acts at the level of binary code, needs no source code, covers all client code that is executed and analyzes it, and distinguishes the data and the code of a program easily. It is mainly used for program behavior analysis, vulnerability detection and defense, and program security assurance.
Existing defense mechanisms or detection systems have various deficiencies, such as requiring source code or imposing a large performance cost. The present invention combines a binary translation framework to design a detection system for code reuse attacks, overcoming the deficiencies of present detection systems.
Summary of the invention
The present invention proposes a code reuse attack detection system based on a binary translation framework. The system guarantees the normal execution of non-malicious programs, and detects and stops the operation of malicious attacks. It comprises four modules: the translator, the detector, the Cache and the trampolines.
The translator is responsible for translating the program. Taking the basic block as the unit, it intercepts the instruction stream of the program and decodes and translates the binary instructions of the program one by one. It adopts same-platform translation and a "translate-execute" pattern: each time the translation of a basic block finishes, that basic block is executed.
The detector provides the normal execution of instructions, security detection and instruction optimization by executing C code or adding assembly code to the target code, and is divided into conventional detection and attack detection. Conventional detection is the foundation and guarantees that the program runs normally; attack detection is the core and mainly handles the potentially dangerous instructions in the program that transfer control flow.
The Cache, on one hand, allocates memory space to cache the translated target code, reducing the overhead introduced by repeated translation; on the other hand it establishes and maintains the mapping table in the Cache, which stores the mapping between the source address of each basic block and its translated address.
A trampoline (Trampoline) is essentially a sequence of assembly instructions embedded in memory; the embedded sequence is executed by calling the starting address of the trampoline. Trampolines are mainly used to realize function calls, calls to other trampolines, instruction optimization and so on, and guarantee that the translation and execution of the program proceed in order.
Compared with existing vulnerability detection techniques or attack detection systems, the present invention has the following characteristics:
A) No program source code is needed. Many traditional detection methods or systems require the program to carry its source code, yet most programs in an operating system do not provide source code, which greatly limits the scope of application of the detection mechanism. The present invention is based on binary translation: it intercepts the binary instructions of the program and translates them into executable target code for the same platform, providing security detection for non-open-source programs.
B) High operating efficiency. Running a program after it has been translated and checked by a detection system causes a sharp increase in performance overhead. The present invention caches the translated target code in the Cache, and sets up a local cache and a jump target prediction mechanism to optimize the execution performance of the target code, guaranteeing the operating efficiency of the program.
Description of the drawings
Fig. 1 is a schematic diagram of the system architecture of the present invention;
Fig. 2 is the workflow diagram of the translator component of the present invention;
Fig. 3 is the structural diagram of the Cache mechanism of the present invention;
Fig. 4 is the structural diagram of the attack detector, the core component proposed by the present invention;
Fig. 5 is the memory layout of the shadow stack proposed by the present invention.
Embodiments
Specific embodiments of the present invention are further described below with reference to the drawings and examples.
As shown in Fig. 1, at the architectural level the computer system to which the present invention applies consists mainly of the application program, the detection system and the kernel space. After the application program has been handed to the detection system for translation and detection, the program runs on the kernel. The detection system comprises four modules: the translator, the detector, the Cache and the trampolines. The workflow of the detection system of the present invention is as follows:
(1) The application program is loaded into the detection system of the present invention. The detection system takes over complete control of the application program and completes the system initialization work, such as allocating the Cache memory space and creating and initializing the trampolines.
(2) The translator intercepts the binary instruction stream of the program, taking the basic block as the unit and adopting the "translate-execute" pattern: each time the translation of a basic block finishes, that basic block is executed. A basic block is an instruction sequence terminated by a control-flow branch instruction.
(3) The instrumentation functions in the detector receive the basic block information passed by the translator and, according to the different processing requirements of the system for the instruction, add mechanisms such as simulated execution, security detection and performance optimization to the target code.
(4) After the instrumentation function finishes, control is handed back to the translator, which continues translating the remaining instructions. To guarantee the normal operation of the program, when the translation of a basic block is about to finish, a basic block trampoline is created that contains the information and executable code of the next basic block; it is used to call other trampolines and start the translation and execution of basic blocks in order.
(5) After the translation of the basic block finishes, the source address SRC and target address DST of the basic block are handed to Cache management, and control is transferred to the target code for execution; when the target code has finished, translation of a new basic block continues.
The execution flow of the translator is explained with reference to Fig. 2, taking the processing of one basic block as an example. The translator first queries the Cache to find out whether this basic block has already been translated; if it has, execution jumps directly into the target code, otherwise the translator begins translating the instructions in the basic block one by one. The translation of the instruction stream is realized through an enumerated translation table; after an instruction has been decoded, target code is added through the preset instrumentation function, and this repeats until the translation of the basic block ends.
Most current processors support variable-length instructions. To guarantee the correctness of decoding, after the translator has matched an instruction for the first time the present invention continues reading the binary instruction data to see whether a further match exists.
The binary translation of the present invention is same-platform translation and only specially handles the instructions that transfer control flow, so the instrumentation functions designed in the detector of the present invention are of two kinds: one kind simply processes the decoded assembly instruction, for example by copying or ignoring it; the other adds a large amount of additional target code for the instruction, used to simulate the execution of the instruction, obtain the behavior of the instruction, detect the security of the instruction, optimize performance and so on.
The Cache is responsible for establishing and maintaining the mapping between the basic block source address SRC and the translated address DST; Fig. 3 describes the layout of the Cache. Before the translation of a basic block starts, the Cache receives the search request of the translator and matches SRC through the lookup function of the mapping table. If SRC exists, execution jumps to the target code at address DST; otherwise the Cache returns the starting address of a free Cache block to the translator as DST, and establishes the mapping between SRC and DST in the mapping table.
The particular way memory addresses are distributed allows the mapping table to be built and maintained through a hash mechanism, achieving fast lookup and insertion. Conflicts (collisions) in a hash table are unavoidable, however. To resolve them, the Cache module of the present invention adopts linear probing: on a collision it continues matching at the next slot, and if the whole mapping table fails to match SRC, then SRC is not in the mapping table.
To guarantee that the translation and execution of the program proceed in order, when the translation of a basic block is about to finish the present invention creates a trampoline containing all the information and the executable code of the next basic block, used to call other trampolines to realize the translation and execution of the new basic block. Since the first basic block of the program cannot execute its target code by calling a trampoline, the method adopted by the present invention is to modify the return address of the translation function, when that function finishes, to the target code address of the basic block, which effectively realizes the transfer of program control flow.
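The lookup-or-translate step of Fig. 2 and the hash-with-linear-probing mapping table of the Cache module, as an added example in C that is not part of the patent: the table maps a basic block's SRC to the DST of its translated copy, an empty slot ends a probe, and a block seen before is dispatched without running the translator again. The table size, the hash function, the addresses and the stand-in for the translator (which only reserves space and counts the event) are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Code cache and mapping table, modelled on the Cache module of Fig. 3.
 * Sizes and the hash function are assumptions of this example. */
#define MAP_SLOTS   64          /* power of two so the probe can wrap with a mask */
#define CACHE_BYTES 4096        /* space for translated target code */

typedef struct { uintptr_t src; uintptr_t dst; } map_entry;

static map_entry     map[MAP_SLOTS];        /* src == 0 marks an empty slot */
static unsigned char code_cache[CACHE_BYTES];
static size_t        cache_used;            /* next free byte in code_cache */
static unsigned      translations;          /* how often the translator had to run */

/* Slot a basic-block address hashes to. Block starts share low bits, so mix
 * the high bits in before masking; collisions remain possible. */
unsigned map_slot_of(uintptr_t src) {
    return (unsigned)((src >> 4) * 2654435761u) & (MAP_SLOTS - 1);
}

/* Lookup request from the translator: DST of the translated block, or 0 if SRC
 * is not in the table. Linear probing: a collision moves to the next slot;
 * an empty slot ends the probe, so SRC is absent. */
uintptr_t cache_lookup(uintptr_t src) {
    unsigned i = map_slot_of(src);
    for (unsigned n = 0; n < MAP_SLOTS; n++) {
        if (map[i].src == 0)   return 0;
        if (map[i].src == src) return map[i].dst;
        i = (i + 1) & (MAP_SLOTS - 1);
    }
    return 0;   /* probed the whole table: SRC is not present */
}

/* Insert request: reserve `size` bytes of free cache for the translation of
 * SRC, record SRC -> DST, and return DST. Returns 0 if table or cache is full. */
uintptr_t cache_insert(uintptr_t src, size_t size) {
    if (src == 0 || cache_used + size > CACHE_BYTES) return 0;
    unsigned i = map_slot_of(src);
    for (unsigned n = 0; n < MAP_SLOTS; n++) {
        if (map[i].src == src) return map[i].dst;   /* already translated */
        if (map[i].src == 0) {
            map[i].src = src;
            map[i].dst = (uintptr_t)&code_cache[cache_used];
            cache_used += size;
            return map[i].dst;
        }
        i = (i + 1) & (MAP_SLOTS - 1);
    }
    return 0;
}

/* Front door of the translator (Fig. 2): reuse the cached copy if the block
 * was translated before, otherwise "translate" it (here: only reserve space
 * and count the event) and record the mapping. Returns the DST to jump to. */
uintptr_t dispatch_block(uintptr_t src, size_t translated_size) {
    uintptr_t dst = cache_lookup(src);
    if (dst) return dst;
    translations++;
    return cache_insert(src, translated_size);
}

unsigned translation_count(void) { return translations; }

int main(void) {
    dispatch_block(0x401000, 48);   /* first visit: translated */
    dispatch_block(0x401000, 48);   /* second visit: served from the cache */
    dispatch_block(0x401400, 32);   /* collides with 0x401000 under map_slot_of */
    printf("translations=%u, 0x401400 -> %#lx\n",
           translation_count(), (unsigned long)cache_lookup(0x401400));
    return 0;
}
```

The two sample block addresses differ by 1024, which lands them in the same slot under this hash, so the second insert exercises the probe; a third colliding address that was never inserted walks past both occupied slots and stops at the empty one.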
The core of the detector, which is also the core of the present invention, attack detection, is described with reference to Fig. 4. Attack detection consists of five parts: ELF dynamic analysis, instruction identification, ROP attack detection, control-flow attack detection and attack reporting.
All the work of ELF dynamic analysis is completed at system initialization; it includes obtaining the basic information of the ELF file and the address information of all functions in the shared objects. The present invention maps the shared objects into memory and, according to the ELF file structure, obtains information such as the address ranges of all functions in each shared object, providing the information support for control-flow attack detection.
After the translator decodes the binary instruction stream, the instructions are handed to the instrumentation functions for processing; the instrumentation function of every potentially dangerous instruction calls the security detection function to guarantee the security of the instruction. The security detection process of the detector is as follows:
(1) The instruction identifier screens the type of the potentially dangerous instruction, determining whether it is a CALL, a RET or a JMP instruction, which supports the choice of detection mechanism in the present invention.
(2) According to the type of the instruction to be detected, the present invention mainly provides two detection mechanisms: ROP attack detection and control-flow attack detection.
(3) If ROP attack detection or control-flow attack detection finds a malicious attack, the user is alerted that an attack has occurred and the operation of the program is terminated.
To detect attacks launched with CALL and RET instructions, the ROP attack detection of the present invention allocates a relatively isolated space in a memory region as a shadow stack. The shadow stack saves the return address of a function together with the translated address corresponding to that return address; Fig. 5 describes the memory layout of the shadow stack and the system stack. For a CALL instruction, the return address of the CALL is pushed onto the memory space of the shadow stack, and the translated address of the return address is pushed onto the shadow stack at the same time. For a RET instruction, the shadow stack is popped and it is checked whether the top element of the system stack, the return address RIP, agrees with the top element of the shadow stack.
The shadow stack proposed by ROP attack detection has a prerequisite: CALL and RET instructions must be symmetric. Some exceptional situations in a program would cause the present invention to raise false alarms. The solution adopted by the present invention is that, when the system stack and the shadow stack are inconsistent, a verification function is called to judge further whether the inconsistency was caused by a normal situation.
For example, Linux resolves library function addresses with a dynamic (lazy) resolution technique: the call into the library function is realized by a JMP instruction and the return by a RET instruction, so at that moment the top elements of the system stack and the shadow stack are inconsistent and the present invention would produce a false alarm. For this situation, the present invention tracks the control flow, marks the exception caused by the first call of a library function as legal, pops the top element of both the system stack and the shadow stack, and continues execution.
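The shadow stack check for CALL and RET described above, together with the re-verification of a mismatch on the first call of a lazily bound library function, as an added example in C that is not part of the patent. The guest (system) stack and the shadow stack are modelled as arrays; the `lazy_bind_pending` flag stands in for the control-flow tracking that marks the first library call as legal (the page does not say how that tracking recognizes the case, so the flag is an assumption), and all addresses are constructed sample values. One design choice differs from the page's wording: after the accepted mismatch the example keeps the shadow entry instead of popping both stacks, because the resolver's RET enters the library function, whose own RET must later match that entry.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define STACK_DEPTH 256

/* Return-address slots of the guest (system) stack: CALL pushes, RET pops.
 * An attacker who overwrites a slot controls where RET goes. */
static uintptr_t sys_stack[STACK_DEPTH];
static int       sys_sp;

/* Shadow stack (Fig. 5): the detector's private copy of each return address,
 * paired with the address of its translated code so a valid RET dispatches
 * without a mapping-table lookup. */
typedef struct { uintptr_t ret; uintptr_t ret_dst; } shadow_entry;
static shadow_entry shadow[STACK_DEPTH];
static int          shadow_sp;

/* Set by control-flow tracking when execution enters an unresolved PLT entry
 * (first call of a library function). How the tracker recognizes this is an
 * assumption of this example; the page only says the first call is marked legal. */
static bool lazy_bind_pending;

typedef enum { RET_OK, RET_LAZY_BIND_OK, RET_ATTACK, RET_UNDERFLOW } ret_verdict;

uintptr_t ret_target;   /* where the RET dispatches to, filled in by on_ret() */

void detector_reset(void) { sys_sp = shadow_sp = 0; lazy_bind_pending = false; ret_target = 0; }
void mark_lazy_binding(void) { lazy_bind_pending = true; }

/* Guest-side effects the instrumentation observes but does not perform itself. */
void guest_push(uintptr_t value) { if (sys_sp < STACK_DEPTH) sys_stack[sys_sp++] = value; }
void guest_overwrite_top(uintptr_t value) { if (sys_sp > 0) sys_stack[sys_sp - 1] = value; }

/* Instrumentation for CALL: the guest pushes ret_addr; mirror it on the
 * shadow stack together with its translated address. */
bool on_call(uintptr_t ret_addr, uintptr_t ret_dst) {
    if (sys_sp >= STACK_DEPTH || shadow_sp >= STACK_DEPTH) return false;
    sys_stack[sys_sp++] = ret_addr;
    shadow[shadow_sp].ret = ret_addr;
    shadow[shadow_sp].ret_dst = ret_dst;
    shadow_sp++;
    return true;
}

/* Instrumentation for RET: pop the guest return address and compare it with
 * the shadow top. A mismatch is re-verified before it is reported. */
ret_verdict on_ret(void) {
    if (sys_sp == 0) return RET_UNDERFLOW;
    uintptr_t popped = sys_stack[--sys_sp];
    if (shadow_sp > 0 && shadow[shadow_sp - 1].ret == popped) {
        ret_target = shadow[--shadow_sp].ret_dst;   /* translated address, no lookup */
        return RET_OK;
    }
    if (lazy_bind_pending) {
        /* The resolver's RET enters the freshly resolved library function
         * instead of returning to a CALL site. Accept it once, as a jump;
         * the shadow entry stays for the library function's own RET. */
        lazy_bind_pending = false;
        ret_target = popped;    /* raw address: the caller maps it via the Cache */
        return RET_LAZY_BIND_OK;
    }
    ret_target = popped;        /* report to the user and terminate the program */
    return RET_ATTACK;
}

int main(void) {
    detector_reset();
    on_call(0x401020, 0x7ff020);              /* call foo@plt, first time */
    mark_lazy_binding();
    guest_push(0x7f1000);                     /* resolver leaves foo's address on the stack */
    printf("resolver ret: %d\n", on_ret());   /* RET_LAZY_BIND_OK */
    printf("foo ret: %d\n", on_ret());        /* RET_OK, dispatches to 0x7ff020 */
    on_call(0x401030, 0x7ff030);
    guest_overwrite_top(0x7f1234);            /* overflow replaced the return address with a gadget */
    printf("tampered ret: %d\n", on_ret());   /* RET_ATTACK */
    return 0;
}
```

The tampered case is the one ROP detection exists for: the return address on the guest stack no longer matches the copy the detector recorded at the CALL, and the RET would otherwise dispatch into a gadget. Without the lazy-binding flag the same mismatch in the resolver path would be reported as an attack, which is the false positive the page describes.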
Control-flow attack detection is responsible for detecting the security of JMP instructions. The method adopted by the present invention relies on the fact that the jump target of an indirect JMP instruction generally lies in the same function or in the same shared object: it judges whether the source address SRC of the JMP instruction and the jump target address DST satisfy the condition of lying in the same function or the same shared object. Because the jump targets of the indirect JMP instructions used in the dynamic linking of library functions are special, the present invention saves a copy of the GOT, marks the GOT changes caused by library function calls, updates the copy in time where a legal modification of the GOT occurs so that normal GOT modifications are excluded, and compares the original GOT with the copy to detect illegal modification of the GOT.
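The JMP check and the GOT copy described above, as an added example in C that is not part of the patent. The object and function ranges stand in for what ELF dynamic analysis would gather at start-up, `got_resolved` stands in for the tracker's recognition of a legal GOT update by the dynamic linker, and all addresses are constructed sample values.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Address ranges the ELF dynamic analysis collects at start-up: one per loaded
 * object and one per function. Constructed sample values, not a real process. */
typedef struct { const char *name; uintptr_t lo, hi; } range;   /* [lo, hi) */

static const range objects[] = {
    { "main",      0x400000, 0x402000 },
    { "libc.so.6", 0x7f0000, 0x7f8000 },
};
static const range functions[] = {
    { "main",   0x401000, 0x401080 },
    { "helper", 0x401080, 0x401100 },
    { "printf", 0x7f1000, 0x7f1400 },
};
#define COUNT(a) (sizeof (a) / sizeof ((a)[0]))

static const range *find_range(const range *tab, size_t n, uintptr_t a) {
    for (size_t i = 0; i < n; i++)
        if (a >= tab[i].lo && a < tab[i].hi) return &tab[i];
    return NULL;
}

/* The page's rule for an ordinary indirect JMP: SRC and DST must lie in the
 * same function or in the same shared object. */
bool jmp_in_range(uintptr_t src, uintptr_t dst) {
    const range *fs = find_range(functions, COUNT(functions), src);
    if (fs && fs == find_range(functions, COUNT(functions), dst)) return true;
    const range *os = find_range(objects, COUNT(objects), src);
    return os && os == find_range(objects, COUNT(objects), dst);
}

/* GOT handling: the live table the guest jumps through, and the detector's copy. */
#define GOT_SLOTS 4
static uintptr_t got[GOT_SLOTS];
static uintptr_t got_copy[GOT_SLOTS];

void got_init(const uintptr_t initial[GOT_SLOTS]) {
    memcpy(got, initial, sizeof got);
    memcpy(got_copy, initial, sizeof got_copy);
}
/* A GOT write the control-flow tracker attributes to the dynamic linker
 * resolving a symbol: a legal change, mirrored into the copy. */
void got_resolved(int slot, uintptr_t addr) { got[slot] = addr; got_copy[slot] = addr; }
/* Any other write to the live GOT (for example an attacker's arbitrary write) is not mirrored. */
void got_write(int slot, uintptr_t addr) { got[slot] = addr; }
/* First slot whose live value differs from the copy, or -1 if the GOT is intact. */
int got_check(void) {
    for (int i = 0; i < GOT_SLOTS; i++)
        if (got[i] != got_copy[i]) return i;
    return -1;
}

typedef enum { JMP_OK, JMP_VIA_GOT_OK, JMP_GOT_TAMPERED, JMP_OUT_OF_RANGE } jmp_verdict;

/* Security check for an indirect JMP from src to dst. got_slot >= 0 means the
 * jump is `jmp *GOT[slot]` from a PLT stub, where a cross-object target is
 * expected and the GOT copy is the reference instead of the range rule. */
jmp_verdict check_indirect_jmp(uintptr_t src, uintptr_t dst, int got_slot) {
    if (got_slot >= 0) {
        if (got_slot >= GOT_SLOTS || got[got_slot] != got_copy[got_slot] || dst != got[got_slot])
            return JMP_GOT_TAMPERED;
        return JMP_VIA_GOT_OK;
    }
    return jmp_in_range(src, dst) ? JMP_OK : JMP_OUT_OF_RANGE;
}

int main(void) {
    static const uintptr_t plt_initial[GOT_SLOTS] = { 0x401016, 0x401026, 0x401036, 0x401046 };
    got_init(plt_initial);                 /* unresolved slots point back into the PLT (sample) */
    got_resolved(0, 0x7f1000);             /* lazy binding of printf */
    printf("switch jump: %d\n", check_indirect_jmp(0x401090, 0x4010a0, -1));   /* JMP_OK */
    printf("plt jump:    %d\n", check_indirect_jmp(0x401020, 0x7f1000, 0));    /* JMP_VIA_GOT_OK */
    got_write(0, 0x7f2345);                /* GOT overwrite pointing at a gadget */
    printf("after overwrite: verdict %d, bad slot %d\n",
           check_indirect_jmp(0x401020, 0x7f2345, 0), got_check());
    return 0;
}
```

A JOP dispatcher that jumps from the main program straight into libc without passing through the PLT fails the range rule, while a legitimate PLT jump passes because the live slot still equals the copy; a GOT overwrite fails because only writes the tracker attributed to the dynamic linker are mirrored.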
The translation of the program, the addition of target code and the introduction of security mechanisms all reduce the efficiency of program execution. To guarantee that programs run efficiently in the system of the present invention, and based on an earlier analysis of the run-time behavior of a wide range of programs, the present invention introduces a small local Cache mechanism in several places to cache the most recently used information, realizing performance optimization mechanisms such as indirect jump target prediction and fast symbol table lookup. At the same time it combines fast lookup mechanisms, such as hash lookup and binary search, to guarantee execution efficiency after a local Cache match fails.
Indirect jump target prediction solves the overhead introduced by repeated mapping table lookups when a program contains a large number of indirect jumps with identical targets. The mechanism uses a local Cache to store the relevant information of the last several indirect JMP instructions, such as the source address SRC, the jump target address DST and the translated address of the jump target, and before the mapping table is searched it first checks in the local Cache whether the jump target of this instruction was queried recently. To reduce the side effects caused by too many prediction failures, when the number of jump target prediction failures reaches the maximum number of failures predefined by the system, the present invention stops predicting indirect jump targets and directly adopts the hash lookup algorithm to realize fast lookup of the mapping table.
The fast symbol table lookup mechanism combines a local Cache with fast lookup algorithms to solve the performance cost caused by the large number of symbol table matching operations during JMP instruction security detection. The local Cache is updated in time with an LRU (least recently used) replacement strategy, and after a local Cache lookup fails, a binary search algorithm is adopted to realize fast lookup of the symbol table.
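A local cache placed in front of a slow lookup, serving both the indirect jump target prediction of the previous paragraph (a miss counter with a cut-off after which prediction stops) and the symbol table lookup of this one (LRU replacement, binary search on a miss), as an added example in C that is not part of the patent. The symbol table, the four-entry cache and the cut-off of eight misses are assumptions; the cache is keyed by the address range of a symbol so that any address inside a recently seen function hits.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Symbol table from the ELF dynamic analysis: function ranges [lo, hi),
 * sorted by lo. Constructed sample, not a real process. */
typedef struct { uintptr_t lo, hi; const char *name; } symbol;
static const symbol symtab[] = {
    { 0x401000, 0x401080, "main"   },
    { 0x401080, 0x401100, "helper" },
    { 0x401100, 0x401200, "parse"  },
    { 0x7f0100, 0x7f0200, "memcpy" },
    { 0x7f1000, 0x7f1400, "printf" },
    { 0x7f2000, 0x7f2040, "strlen" },
};
#define NSYM ((int)(sizeof symtab / sizeof symtab[0]))

static unsigned slow_lookups;   /* full table searches: the cost the local cache avoids */

/* Fallback after a local-cache miss: binary search for the last symbol whose
 * start is <= addr, then check that addr lies inside it. Index or -1. */
int symtab_search(uintptr_t addr) {
    slow_lookups++;
    int lo = 0, hi = NSYM - 1, best = -1;
    while (lo <= hi) {
        int mid = lo + (hi - lo) / 2;
        if (symtab[mid].lo <= addr) { best = mid; lo = mid + 1; }
        else                          hi = mid - 1;
    }
    return (best >= 0 && addr < symtab[best].hi) ? best : -1;
}

/* Local cache: the last few symbols matched, replaced least-recently-used.
 * An entry hits for any address inside its symbol, so repeated jumps within
 * one function never reach the table. */
#define LOCAL_SLOTS 4
#define MAX_MISSES  8       /* assumed cut-off; the page leaves the value to the system */
typedef struct { int sym; unsigned last_use; } local_entry;
static local_entry local[LOCAL_SLOTS];
static unsigned    use_counter, misses;
static bool        prediction_enabled;

void local_reset(void) {
    for (int i = 0; i < LOCAL_SLOTS; i++) { local[i].sym = -1; local[i].last_use = 0; }
    use_counter = misses = slow_lookups = 0;
    prediction_enabled = true;
}

int symbol_of(uintptr_t addr) {
    use_counter++;
    if (prediction_enabled) {
        for (int i = 0; i < LOCAL_SLOTS; i++) {
            int s = local[i].sym;
            if (s >= 0 && addr >= symtab[s].lo && addr < symtab[s].hi) {
                local[i].last_use = use_counter;        /* refresh for LRU */
                return s;
            }
        }
        /* Miss. Too many misses means the locality assumption does not hold
         * for this program: stop predicting and go straight to the fast search. */
        if (++misses >= MAX_MISSES) prediction_enabled = false;
    }
    int s = symtab_search(addr);
    if (prediction_enabled && s >= 0) {
        int victim = 0;                                   /* least recently used slot */
        for (int i = 1; i < LOCAL_SLOTS; i++)
            if (local[i].last_use < local[victim].last_use) victim = i;
        local[victim].sym = s;
        local[victim].last_use = use_counter;
    }
    return s;
}

bool local_holds(int sym) {
    for (int i = 0; i < LOCAL_SLOTS; i++) if (local[i].sym == sym) return true;
    return false;
}
unsigned slow_lookup_count(void) { return slow_lookups; }
bool prediction_active(void) { return prediction_enabled; }

int main(void) {
    local_reset();
    symbol_of(0x401010); symbol_of(0x401050); symbol_of(0x401070);   /* one search, two hits */
    printf("%s, slow lookups so far: %u\n", symtab[symbol_of(0x401000)].name, slow_lookup_count());
    return 0;
}
```

The miss counter is cumulative, as the page states it; a practitioner tuning this for a long-running process would more likely count consecutive misses or reset the counter periodically, otherwise any program eventually loses the cache.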

Claims (2)

1. A code reuse attack detection system based on a binary translation framework, characterized in that: the application program is loaded into the detection system for translation and operation, and the system comprises four modules, the translator, the detector, the Cache and the trampolines:
The translator is responsible for translating the program. Taking the basic block as the unit, it intercepts the instruction stream of the program and decodes and translates the binary instructions of the program one by one. It adopts same-platform translation and a "translate-execute" pattern: each time the translation of a basic block finishes, that basic block is executed;
After an instruction is decoded, the detector provides the normal execution of the instruction, security detection and instruction optimization by executing C code or adding assembly code to the target code corresponding to the instruction, and is divided into conventional detection and attack detection; conventional detection is the foundation and guarantees that the program runs normally; attack detection is the core and mainly handles the potentially dangerous instructions in the program that transfer control flow;
The generated target code is managed by the Cache: the Cache on one hand allocates memory space to cache the translated target code, reducing the overhead introduced by repeated translation; on the other hand it establishes and maintains the mapping table, which stores the mapping between the source addresses of basic blocks and their translated addresses and supports querying whether a basic block has already been translated;
The trampoline (Trampoline) is used to guarantee that the translation and execution of the program proceed in order, and at the same time supports the detection of instruction security; a trampoline is essentially a sequence of assembly instructions embedded in memory, executed by calling the starting address of the trampoline; trampolines are mainly used to realize function calls, calls to other trampolines, instruction optimization and so on, guaranteeing that the translation and execution of the program proceed in order.
2. The system according to claim 1, characterized in that: the attack detection of the detector comprises five parts, ELF dynamic analysis, instruction identification, ROP attack detection, control-flow attack detection and attack reporting:
ELF dynamic analysis traverses the program according to the ELF file layout to obtain the address range information of all functions in the shared objects of the program, providing the information support for detecting the security of potentially dangerous instructions;
The instruction identifier screens the type of the instruction, that is, it recognizes whether the instruction is a CALL, a RET or a JMP instruction, and thereby decides which detection mechanism the attack detector chooses;
ROP attack detection proposes the shadow stack idea: it keeps a copy of the return address, monitors whether the return address has been tampered with, and handles attacks launched with CALL and RET instructions;
Control-flow attack detection detects attacks launched with JMP instructions by judging the legitimacy of the source address SRC and the jump target address DST of the instruction;
Attack reporting is used, when a code reuse attack or an attack of another type is detected, to report the attack to the user and terminate the operation of the program.

Priority Applications (1)

Application number CN2012100735634A, priority date 2012-03-20, filing date 2012-03-20: Code reuse attack detection system based on dynamic binary translation framework

Publications (1)

Publication number CN102662830A, publication date 2012-09-12

Family

ID=46772327

Country Status (1)

CN (1) CN102662830A (en)

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105009135A (en) * 2013-02-28 2015-10-28 英特尔公司 Performing security operations using binary translation
CN105138914A (en) * 2015-08-03 2015-12-09 南京大学 Software security detection method for code reuse programming
CN105260659A (en) * 2015-09-10 2016-01-20 西安电子科技大学 Kernel-level code reuse type attack detection method based on QEMU
CN105700931A (en) * 2016-02-23 2016-06-22 北京蓝海讯通科技股份有限公司 Code injection method and device
CN106022166A (en) * 2016-06-02 2016-10-12 东北大学 Code reuse attack defense system and method
CN106295258A (en) * 2016-08-04 2017-01-04 南京大学 Shadow stack implementation method for control-flow integrity protection after multithreading
CN107330323A (en) * 2017-07-10 2017-11-07 电子科技大学 Dynamic detection method for ROP and its variant attacks based on the Pin tool
CN107908954A (en) * 2017-11-13 2018-04-13 湖南大学 Method for dynamically detecting memory overflow on GPU based on address compression technology
CN107977229A (en) * 2016-11-30 2018-05-01 上海寒武纪信息科技有限公司 Multiplexing method and device for the instruction generation process, and processing unit
CN109558726A (en) * 2018-09-29 2019-04-02 四川大学 Control flow hijacking attack detection method and system based on dynamic analysis
CN110378116A (en) * 2019-06-06 2019-10-25 北京奇安信科技有限公司 Method and device for preventing native-code attacks on an operating system
CN111552959A (en) * 2020-06-18 2020-08-18 南方电网科学研究院有限责任公司 Program feature sequence generation method and device
CN112199669A (en) * 2020-09-25 2021-01-08 杭州安恒信息技术股份有限公司 Method and device for detecting ROP attack
CN112817812A (en) * 2020-12-31 2021-05-18 深圳市联影高端医疗装备创新研究院 Sequence translation simulation method, device, equipment and storage medium
CN114050928A (en) * 2021-11-10 2022-02-15 湖南大学 SDN flow table overflow attack detection and mitigation method based on machine learning
CN114880665A (en) * 2022-05-12 2022-08-09 电子科技大学 Intelligent detection method and device for return-oriented programming attacks
WO2023185799A1 (en) * 2022-03-31 2023-10-05 华为技术有限公司 Instruction translation method and related device therefor
CN117521061A (en) * 2024-01-05 2024-02-06 南京南自华盾数字技术有限公司 Timing side-channel attack protection method based on a binary translator

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2003510681A (en) * 1999-09-21 2003-03-18 Koninklijke Philips Electronics N.V. Optimized bytecode interpreter for virtual machine instructions
CN101452396A (en) * 2008-12-25 2009-06-10 上海交通大学 Binary translation method combining static optimization
CN101719204A (en) * 2009-12-15 2010-06-02 北京大学 Heap spray detection method based on dynamic instrumentation of intermediate instructions
CN102147843A (en) * 2011-05-16 2011-08-10 湖南大学 Rootkit intrusion detection and system recovery method based on kernel invariant protection


Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
崔进鲜: "Research on a master-slave multithreaded parallel architecture and optimization techniques for dynamic binary translation", CNKI Excellent Master's Theses Full-text Database, 31 December 2011 (2011-12-31), page 32 *
徐帆: "Design and implementation of a hardware/software cooperative dynamic binary translation system", CNKI Excellent Master's Theses Full-text Database, 31 December 2010 (2010-12-31), pages 22-35 *
褚超: "Design and implementation of a distributed dynamic binary translation framework for constrained systems", CNKI Excellent Master's Theses Full-text Database, 31 December 2010 (2010-12-31), page 33 *

Cited By (31)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105009135A (en) * 2013-02-28 2015-10-28 Intel Corporation Performing security operations using binary translation
CN105009135B (en) * 2013-02-28 2019-06-14 Intel Corporation Method, apparatus and system for performing binary translation
CN105138914B (en) * 2015-08-03 2018-02-16 Nanjing University Software security detection method for code reuse programming
CN105138914A (en) * 2015-08-03 2015-12-09 Nanjing University Software security detection method for code reuse programming
CN105260659A (en) * 2015-09-10 2016-01-20 Xidian University Kernel-level code reuse attack detection method based on QEMU
CN105260659B (en) * 2015-09-10 2018-03-30 Xidian University Kernel-level code reuse attack detection method based on QEMU
CN105700931A (en) * 2016-02-23 2016-06-22 Beijing Lanhai Xuntong Technology Co., Ltd. Code injection method and device
CN106022166A (en) * 2016-06-02 2016-10-12 Northeastern University Code reuse attack defense system and method
CN106022166B (en) * 2016-06-02 2018-10-23 Northeastern University Code reuse attack defense system and method
CN106295258A (en) * 2016-08-04 2017-01-04 Nanjing University Shadow stack implementation method for control-flow integrity protection after multithreading
CN106295258B (en) * 2016-08-04 2019-03-26 Nanjing University Shadow stack implementation method for control-flow integrity protection after multithreading
CN107977229B (en) * 2016-11-30 2023-05-16 Shanghai Cambricon Information Technology Co., Ltd. Multiplexing method and device for the instruction generation process, and processing device
CN107977229A (en) * 2016-11-30 2018-05-01 Shanghai Cambricon Information Technology Co., Ltd. Multiplexing method and device for the instruction generation process, and processing device
CN107330323A (en) * 2017-07-10 2017-11-07 University of Electronic Science and Technology of China Dynamic detection method for ROP and its variant attacks based on the Pin tool
CN107330323B (en) * 2017-07-10 2020-05-19 University of Electronic Science and Technology of China Dynamic detection method for ROP and its variant attacks based on the Pin tool
CN107908954B (en) * 2017-11-13 2021-04-30 Hunan University Method for dynamically detecting memory overflow on a GPU based on address compression technology
CN107908954A (en) * 2017-11-13 2018-04-13 Hunan University Method for dynamically detecting memory overflow on a GPU based on address compression technology
CN109558726A (en) * 2018-09-29 2019-04-02 Sichuan University Control flow hijacking attack detection method and system based on dynamic analysis
CN109558726B (en) * 2018-09-29 2022-02-11 Sichuan University Control flow hijacking attack detection method and system based on dynamic analysis
CN110378116A (en) * 2019-06-06 2019-10-25 Beijing Qi'anxin Technology Co., Ltd. Method and device for preventing native-code attacks on an operating system
CN111552959B (en) * 2020-06-18 2023-08-29 China Southern Power Grid Research Institute Co., Ltd. Program feature sequence generation method and device
CN111552959A (en) * 2020-06-18 2020-08-18 China Southern Power Grid Research Institute Co., Ltd. Program feature sequence generation method and device
CN112199669B (en) * 2020-09-25 2022-05-17 Hangzhou DBAPPSecurity Co., Ltd. Method and device for detecting ROP attacks
CN112199669A (en) * 2020-09-25 2021-01-08 Hangzhou DBAPPSecurity Co., Ltd. Method and device for detecting ROP attacks
CN112817812A (en) * 2020-12-31 2021-05-18 Shenzhen United Imaging Research Institute of Innovative Medical Equipment Sequence translation simulation method, device, equipment and storage medium
CN112817812B (en) * 2020-12-31 2022-11-04 Shenzhen United Imaging Research Institute of Innovative Medical Equipment Sequence translation simulation method, device, equipment and storage medium
CN114050928A (en) * 2021-11-10 2022-02-15 Hunan University SDN flow table overflow attack detection and mitigation method based on machine learning
WO2023185799A1 (en) * 2022-03-31 2023-10-05 Huawei Technologies Co., Ltd. Instruction translation method and related device
CN114880665A (en) * 2022-05-12 2022-08-09 University of Electronic Science and Technology of China Intelligent detection method and device for return-oriented programming attacks
CN117521061A (en) * 2024-01-05 2024-02-06 Nanjing Nanzi Huadun Digital Technology Co., Ltd. Timing side-channel attack protection method based on a binary translator
CN117521061B (en) * 2024-01-05 2024-03-15 Nanjing Nanzi Huadun Digital Technology Co., Ltd. Timing side-channel attack protection method based on a binary translator

Similar Documents

Publication Publication Date Title
CN102662830A (en) Code reuse attack detection system based on dynamic binary translation framework
Chandramohan et al. Bingo: Cross-architecture cross-os binary search
Qasem et al. Automatic vulnerability detection in embedded devices and firmware: Survey and layered taxonomies
CN105260659B (en) Kernel-level code reuse attack detection method based on QEMU
Wang et al. Checksum-aware fuzzing combined with dynamic taint analysis and symbolic execution
Xu et al. Goldeneye: Efficiently and effectively unveiling malware’s targeted environment
CN104573515A (en) Virus processing method, device and system
Wang et al. Reranz: A light-weight virtual machine to mitigate memory disclosure attacks
CN105787368A (en) ROP defense method and device based on function scrambling
Zhang et al. Exploring branch predictors for constructing transient execution trojans
CN101154257A (en) Dynamic mend performing method based on characteristics of loopholes
CN103761476A (en) Characteristic extraction method and device
Shan et al. Growing grapes in your computer to defend against malware
Liao et al. SmartDagger: a bytecode-based static analysis approach for detecting cross-contract vulnerability
CN103473508A (en) Security verification method during kernel operation of operation system
Zhao et al. StateFuzz: System Call-Based State-Aware Linux Driver Fuzzing
US11916937B2 (en) System and method for information gain for malware detection
CN111191243A (en) Vulnerability detection method and device and storage medium
CN107194246A (en) A kind of CPU for being used to realize dynamic instruction sets randomization
Lanzi et al. A smart fuzzer for x86 executables
Huang et al. The taming of the stack: Isolating stack data from memory errors
Ji et al. Effuzz: Efficient fuzzing by directed search for smart contracts
CN103677746A (en) Instruction recombining method and device
Kang A review on javascript engine vulnerability mining
Stratis et al. Speeding up test execution with increased cache locality

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 2012-09-12