CN103677746B - Instruction recombination method and device - Google Patents

Publication number
CN103677746B
Authority
CN
China
Legal status
Expired - Fee Related
Application number
CN201210327228.2A
Other languages
Chinese (zh)
Other versions
CN103677746A (en)
Inventor
汪家祥
杨潇
Current Assignee
The safe and sound Information Technology Co., Ltd in sky in Beijing
Original Assignee
Zhongtian Aetna (beijing) Information Technology Co Ltd

Abstract

The present invention provides a runtime instruction recombination method, comprising: step 1, caching the instruction execution environment; obtaining the address and parameters of the jump instruction saved on the stack and calculating the address of the next instruction to be run, this address being the zeroth address; setting the first address to the zeroth address; step 2, looking up the address correspondence table using the first address and, if a record is found, restoring the cached instruction execution environment and jumping to the corresponding address found to continue execution, which completes this round of instruction recombination; step 3, if no record is found, obtaining the machine instruction fragment to be processed starting from the first address, where the fragment ends with a jump instruction whose address is the third address; step 4, disassembling the machine code starting from the first address and passing the disassembly result through a lexical analyzer to generate the recombined assembly code, up to the third address.

Description

Instruction recombination method and device
Technical field
The present invention relates to the field of computer security, and in particular to an instruction recombination method and device.
Background art
The existing field of electronic information security comprises three sub-fields: system security, data security and device security.
In the data security field, the following three technologies are generally used to keep data secure: (1) data content security technology, including data encryption and decryption and end-to-end data encryption, which ensures that data content is not illegally read during storage and transmission; (2) data secure-transfer technology, including prevention of illegal copying, printing or other output, which ensures the security of data while it is being used and transferred; (3) network blocking technology, including physically cutting off the network and setting up network barriers.
According to related analyses, the overall ability to effectively detect all current threats to computers is at most about 50%. Because the above technologies are inadequate against kernel-level viruses, Trojans, operating system vulnerabilities, system backdoors and deliberate leaks, malicious code may in fact be present on any computing device (such as a computer or a handheld communication device). Once malicious code has entered a terminal system, the above encryption, anti-copy and network blocking technologies become ineffective. Existing hacking techniques can use system vulnerabilities or system backdoors to get past these security technologies and implant malicious code, and then use the malicious code to obtain user data. The above technologies are even less able to prevent active or passive leaks by personnel with access to classified information. For example, an insider can bring in a storage device, download the required data from the internal network or a terminal, and take the storage device away, causing an internal leak; or an insider can simply take the computing device away.
In summary, anti-copy technology cannot ensure that classified information is not illegally stored on a terminal. Network-based filtering cannot guarantee that classified information is not lost. Personnel with access to classified information can cause leaks through malicious code or malicious tools, and leaks can also occur because classified devices or storage media are no longer under control.
Summary of the invention
The present invention provides an instruction recombination method and device that capture and recombine instructions at runtime.
According to one aspect of the invention, a runtime instruction recombination method is provided, comprising:
Step 1, cache the instruction execution environment; obtain the address and parameters of the first jump instruction saved on the stack and calculate the address of the next instruction to be run, this address being the zeroth address; set the first address to the zeroth address;
Step 2, look up the address correspondence table using the first address; if a record is found, restore the cached instruction execution environment and jump to the corresponding address found to continue execution, which completes this round of instruction recombination;
Step 3, if no record is found, obtain the machine instruction fragment to be processed starting from the first address; the fragment ends with the second jump instruction, and the address of the second jump instruction is the third address;
Step 4, disassemble the machine code starting from the first address and pass the disassembly result through a lexical analyzer to generate the recombined assembly code, up to the third address;
Step 5, determine whether the target code of the second jump instruction at the third address can be processed further; if so, set the first address to the target address of the second jump instruction at the third address, or to the third address, and restart from step 3;
Step 6, if not, append to the end of the generated recombined assembly code a push instruction that records the current value of the third address and its operand, and after the push instruction add an instruction that jumps to the start of the recombination platform;
Step 7, use an assembler to generate the corresponding machine code from the generated recombined assembly code, and store it at an allocated address in the recombination address space, this address being the second address; store the second address and the zeroth address in the address correspondence table as a corresponding address pair; and
Step 8, restore the environment and jump to the second address to continue execution.
Optionally, before step 6, the method further comprises:
Parsing the machine instruction fragment to be processed and matching it against an instruction set to obtain the target machine instructions to be processed;
Modifying the target machine instructions.
Optionally, the target instructions are store/read instructions;
Modifying the target machine instructions comprises: changing the store and read addresses in them to addresses on a secure storage device.
Optionally, the target instructions are I/O instructions;
Modifying the target machine instructions comprises: blocking all input instructions among the I/O instructions.
Optionally, the target instructions are network transmission instructions;
Modifying the target machine instructions comprises: checking whether the remote computing device corresponding to the destination address in the network transmission instruction is a secure address (that is, an address to which access is allowed); if not, blocking the network transmission instruction.
According to another aspect of the invention, a computer-readable medium is provided; the computer-readable medium stores computer-executable program code, and the program code is used to perform the steps of the above method.
The method and device provided by the invention capture and recombine instructions at runtime. Moreover, after a to-be-scheduled instruction fragment has been obtained, the machine instructions in it can also be analyzed and processed, so that, in addition to runtime instruction capture and recombination, predetermined target instructions can be managed.
Brief description of the drawings
Fig. 1 is a schematic diagram of the system layers of a computing device in the prior art;
Fig. 2 is a flow chart of the runtime instruction recombination method provided in one embodiment of the invention;
Fig. 3 is a schematic diagram of the generation of a recombined instruction fragment provided in one embodiment of the invention;
Fig. 4 is a flow chart of step S102 of Fig. 2 provided in another embodiment of the invention;
Fig. 5 is a flow chart of the runtime instruction recombination method provided in another embodiment of the invention, which uses an address correspondence table to save recombined instruction fragments;
Fig. 6 is a flow chart of the runtime instruction recombination method provided in another embodiment of the invention, which sets aside a separate storage location to save the target address of the first jump instruction;
Fig. 7 is a flow chart of the runtime instruction recombination method provided in another embodiment of the invention, which performs disassembly and assembly for non-fixed-length instruction sets;
Fig. 8 is a flow chart of the runtime instruction recombination method provided in another embodiment of the invention, which replaces or records the first jump instruction with a push instruction;
Fig. 9a is a flow chart of the runtime instruction recombination method provided in another embodiment of the invention, which combines features of several of the preceding embodiments;
Figs. 9b-9d are schematic diagrams of the operation of the runtime instruction recombination method of Fig. 9a when run on an X86 processor;
Fig. 10 is a schematic structural diagram of the runtime instruction recombination device provided in one embodiment of the invention;
Fig. 11 is a schematic structural diagram of the runtime instruction recombination device provided in another embodiment of the invention;
Fig. 12 is a schematic structural diagram of the instruction recombination unit provided in another embodiment of the invention;
Fig. 13 is a schematic structural diagram of the runtime instruction recombination device provided in another embodiment of the invention;
Fig. 14 is a schematic structural diagram of the runtime instruction recombination device provided in another embodiment of the invention.
Detailed description of the invention
To make the purpose, technical solution and advantages of the invention clearer, the invention is described in more detail below with reference to the accompanying drawings. It should be understood that the specific embodiments described here only explain the invention and are not intended to limit it.
Analysis
Fig. 1 is a schematic diagram of the system layers of a prior-art computing device. From top to bottom, the computing device comprises: user interface layer 101, application layer 102, operating system kernel layer 103, hardware mapping layer 104 and hardware layer 105.
The user interface layer 101 is the interface between the user and the device; the user interacts through this layer with the device (that is, with the other layers of the device, for example the application layer 102). The application layer 102 is the application software layer.
The operating system kernel layer 103 is a software-based logical layer, generally made up of software data and software code. Compared with the interface layer 101 and the application layer 102, the code of the operating system kernel layer 103 has higher privileges and can perform full operations on the various software and hardware resources of the computer system.
The hardware mapping layer 104 is a software-based logical layer that generally works within the operating system kernel layer and has the same privileges as the kernel layer. The hardware mapping layer exists mainly to map the operating modes of different kinds of hardware onto one unified high-level interface, hiding hardware specifics from the layers above. In general, the hardware mapping layer is used mainly by the operating system kernel layer 103 to carry out operations on the various hardware.
The hardware layer 105 refers to all the hardware components that make up the computer system.
The user operates this computing device through the user interface layer 101 (that is, the user interface at the user interface layer 101) and obtains graphical or non-graphical feedback. Taking the operation of saving data as an example, the process includes:
(1) Through the user interface 101 provided by some application program, the user selects the "save" function;
(2) The application layer 102 calls the corresponding code and converts the user operation into one or more interface functions provided by the operating system; that is, the "save" operation becomes calls to a series of interface functions provided by the operating system kernel layer 103;
(3) The operating system kernel layer 103 converts each operating system interface function into one or more interface functions provided by the hardware mapping layer 104; that is, the "save" operation becomes calls to a series of interface functions provided by the hardware mapping layer 104;
(4) The hardware mapping layer 104 converts each interface function it provides into one or more hardware instruction calls; finally,
(5) The hardware layer 105 (for example the CPU) receives the hardware instruction calls and executes the hardware instructions.
Once this computing device has been compromised by malicious code, the malicious code can obtain the data it wants from the device. After stealing the data, its behavior patterns include:
(1) Storage behavior: the target data content is saved to some storage location;
(2) Transmission behavior: the stolen data is transmitted directly over the network to a specified destination address.
In addition, the behavior patterns by which personnel using the above computing device or information equipment cause internal leaks include:
(1) Active leakage: personnel with access to classified information directly obtain confidential data by means such as active copying, penetrating the security system with malicious tools, or planting Trojans, and leak it;
(2) Passive leakage: a computer or storage medium used by such personnel is lost through poor safekeeping, or is used improperly (for example, a classified device is connected directly to the Internet), and a leak results.
These multiple leak paths mean that the security of data on this computing device cannot be guaranteed.
The inventors have found through research that, while a computer is running, the CPU address register holds the address of the next machine instruction to be run, for example the address pointed to by the pc (program counter). By obtaining the data in this register and reading, at the address this data points to, the next one or more machine instructions to be run, machine instructions can be captured at runtime.
Moreover, by modifying the to-be-scheduled instruction fragment formed by these one or more machine instructions (for example, inserting an extra jump instruction into it, referred to herein as instruction recombination) so that control of the CPU is regained before the fragment finishes running, and then capturing the next to-be-scheduled instruction fragment, machine instructions can be captured continuously at runtime.
Further, after a to-be-scheduled instruction fragment has been obtained, the machine instructions in it can also be analyzed and processed, so that, in addition to runtime instruction capture and recombination, predetermined target instructions can be managed.
Instruction recombination or instruction tracing
Based on the above analysis and findings, one embodiment of the invention provides a runtime instruction recombination method; this method is called the runtime instruction recombination platform. As shown in Fig. 2, the method S100 comprises:
S101, cache the instruction execution environment; the instruction execution environment includes the address register, which holds the address of the next machine instruction to be run, this address being the first address;
S102, obtain the machine instruction fragment to be scheduled; the last instruction of the to-be-scheduled machine instruction fragment is the first jump instruction;
S103, before the first jump instruction, insert a second jump instruction to generate a recombined instruction fragment having a second address; the second jump instruction points to the entry address of the instruction recombination platform, that is, after this second jump instruction is executed, step S101 is executed;
S104, change the first address in the address register to the second address; and
S105, restore the instruction execution environment.
In this embodiment, the runtime instruction recombination method executes on an X86 CPU; in other embodiments of the invention, it may also execute on a MIPS processor or on a processor based on the ARM architecture. Those of ordinary skill in the art will appreciate that the method can execute on any other type of instruction processing unit in a computing device.
In step S101, caching the instruction execution environment may include:
Pushing the register data related to the CPU's execution of machine instructions onto a cache stack.
In other embodiments of the invention, the instruction execution environment may also be cached or saved in other specified or default cache data structures and addresses.
In step S101, the address register may be the CPU address register.
In step S102, the last instruction of the to-be-scheduled machine instruction fragment is the first jump instruction, and the fragment contains only one jump instruction; the fragment consists of the first jump instruction and all the to-be-scheduled machine instructions before it.
In step S103, a second jump instruction JP2 is inserted before the last instruction of the to-be-scheduled machine instruction fragment (that is, the first jump instruction JP1); JP2 points to the entry address of the instruction recombination platform, and the result is a recombined instruction fragment having the second address A''.
The second jump instruction is inserted so that, when the CPU runs the to-be-scheduled machine instruction fragment, the instruction recombination platform starts running again before JP1 runs. The platform can then go on to analyze the next to-be-scheduled machine instruction fragment, and by repeating this method all instructions are recombined at runtime.
In step S105, restoring the instruction execution environment may include:
Popping the register data related to instruction execution from the cache stack; the jump target address held in the address register has by then been changed to the new machine instruction fragment whose entry address is the second address A''.
After step S105 has restored the instruction execution environment, the instruction recombination platform has completed one run and the CPU executes the recombined instruction fragment, that is, the machine instruction fragment whose entry address is the second address A''. When the recombined fragment reaches the second jump instruction JP2, the instruction recombination platform regains control of the CPU (that is, step S101 is executed); at this point the target address of the first jump instruction has been obtained, this target address is the new first address, and steps S101 to S105 are executed again.
The instruction recombination process and the generation of the recombined instruction fragment are explained further below with reference to Fig. 3.
Fig. 3 includes a set 401 of machine instructions to be scheduled (for example, the machine instructions of some program already loaded into memory), in which instruction 4012 is the first jump instruction; if the target address of instruction 4012 is variable, it is first assumed that instruction 4012 points to machine instruction 4013. All the to-be-scheduled machine instructions before the first jump instruction 4012, together with the first jump instruction 4012 itself, constitute machine instruction fragment 4011.
When the instruction recombination method runs (instruction recombination platform 411), it first caches the instruction execution environment and then obtains (for example, copies) machine instruction fragment 4011. The platform inserts the second jump instruction 4113 before the first jump instruction 4012; the second jump instruction 4113 points to the instruction recombination platform 411 itself. This generates the recombined instruction fragment 4111, whose address is A''. The value A of the address register in the cached instruction execution environment is changed to address A'', and finally the instruction execution environment is restored.
After the instruction recombination platform 411 finishes running, the CPU executes the recombined instruction fragment at address A''; when execution reaches the second jump instruction 4113, the instruction recombination platform 411 regains control of the CPU. At this point the target address 4013 of the first jump instruction 4012 has been generated, and this target address is the new first address. The platform restarts steps S101 to S105 from this target address and continues to analyze the subsequent to-be-scheduled machine instructions, thereby completing the runtime instruction recombination method.
According to another embodiment of the invention, as shown in Fig. 4, obtaining the to-be-scheduled machine instruction fragment in step S102 may include:
S1021, read the address of the to-be-scheduled machine instruction from the address register (for example the CPU address register);
S1022, with jump instructions as the search target, scan the machine instruction that this address points to and the instructions that follow it until the first jump instruction is found (called the first jump instruction); a jump instruction is a machine instruction that can change the sequential execution flow of machine instructions, including Jump instructions, Call instructions, Return instructions and so on;
S1023, take the first jump instruction and all the to-be-scheduled machine instructions before it as one to-be-scheduled machine instruction fragment; save this fragment in the instruction recombination platform, or in another storage location that the instruction recombination platform can read.
In other embodiments of the invention, obtaining the to-be-scheduled machine instruction fragment may also use non-jump instructions (such as write instructions, read instructions and so on) as the search target, cutting the machine instruction fragment further. Because such embodiments must still ensure that the instruction recombination platform can obtain CPU control, or the right of execution, after the to-be-scheduled jump instruction executes, jump instructions are needed as a second search target, which yields machine instruction fragments of smaller granularity.
According to another embodiment of the invention, between steps S102 and S103, the runtime instruction recombination method may further include:
Matching the to-be-scheduled machine instruction fragment against an instruction set to obtain target machine instructions; the instruction sets include the X86, MIPS and ARM instruction sets; and
Modifying the target machine instructions in a predetermined manner.
This allows not only runtime instruction monitoring but also other processing; related embodiments are described in detail below.
Further, to improve the efficiency of the instruction recombination method, the to-be-scheduled instructions pointed to by fixed-address jump instructions may be obtained together in step S102.
According to another embodiment of the invention, a runtime instruction recombination method is provided. The method S300 comprises:
S301, cache the instruction execution environment; the instruction execution environment includes the address register, which holds the address of the next machine instruction to be run, this address being the first address;
S302, obtain the machine instruction fragment to be scheduled; the last instruction of the to-be-scheduled machine instruction fragment is the first jump instruction;
S303, before the first jump instruction, insert a second jump instruction to generate a recombined instruction fragment having a second address; the second jump instruction points to the entry address of the instruction recombination platform, that is, after this second jump instruction is executed, step S301 is executed;
S304, change the first address in the address register to the second address;
S305, restore the instruction execution environment.
The difference from the method of the previous embodiment is that, in step S302, the to-be-scheduled machine instruction fragment may include multiple jump instructions; among them there is only one parameter-address jump instruction, which is called the first jump instruction.
Note that jump instructions fall into two classes, parameter-address jump instructions and constant-address jump instructions. The jump address of a constant-address jump instruction is a constant (that is, an immediate), whereas the parameter address of a parameter-address jump instruction is generally computed by a machine instruction that precedes the jump instruction.
As before, the last instruction of the to-be-scheduled machine instruction fragment is the first jump instruction, and the fragment consists of the first jump instruction and all the to-be-scheduled machine instructions before it.
Further, because the machine instructions generated while a program runs are highly repetitive, a small amount of storage space may be used to save recombined instruction fragments, which improves the efficiency of the instruction recombination method and saves the computing resources (CPU resources) of the computing device.
According to another embodiment of the invention, a runtime instruction recombination method is provided. As shown in Fig. 5, the method S200 comprises:
S201, cache the instruction execution environment; the instruction execution environment includes the address register (for example the CPU address register) (in general, the instruction execution environment means all the registers of the CPU, including general-purpose registers, status registers, address registers and so on); the address register holds the address of the next machine instruction to be run, this address being the first address;
S202, look up the address correspondence table using the first address; the address correspondence table indicates whether the to-be-scheduled instruction fragment pointed to by the first address A has a saved recombined instruction fragment, and the entries of the table are address pairs;
S203, if a corresponding record is found, change the first address A (that is, the value A of the address register) to the address A' of the saved recombined instruction fragment;
S204, if no corresponding record is found, obtain the machine instruction fragment to be scheduled; the last instruction of the to-be-scheduled machine instruction fragment is the first jump instruction;
S205, before the first jump instruction, insert a second jump instruction to generate a recombined instruction fragment having a second address; the second jump instruction points to the entry address of the instruction recombination platform, that is, after this second jump instruction is executed, step S201 is executed;
S206, change the first address in the address register to the second address;
S207, restore the instruction execution environment.
Further, step S206 also includes: using the second address A'' and the first address A to create an address pair (or a record) in the address correspondence table. The recombined instruction fragment with address A'' is stored in the instruction recombination platform for reuse.
By using the address correspondence table, this method saves computing resources and improves the efficiency of runtime instruction recombination.
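The S201-S207 loop, combined with the optional check on network transmission instructions from the summary, can be modelled on a toy instruction set. This is an added illustration, not code from the patent: the instruction names, the `Platform` class, the `trap` pseudo-instruction standing in for the second jump instruction, the 0x8000 recombination address space and the sample program are all assumptions made for the example.

```python
"""Toy model of the table-driven recombination loop (S201-S207)."""

JUMPS = {"jmp", "jnz", "halt"}   # toy instructions that end a fragment

# Constructed sample program: original address -> instruction.
PROGRAM = {
    0: ("mov", "r0", 5),
    1: ("send", "10.0.0.5", "r0"),      # destination on the allow-list
    2: ("dec", "r0"),
    3: ("jnz", "r0", 1),                # target known only at run time
    4: ("send", "203.0.113.9", "r0"),   # destination not on the allow-list
    5: ("halt",),
}
ALLOWED = {"10.0.0.5"}                  # constructed set of secure addresses


class Platform:
    def __init__(self, program, allowed):
        self.program = program
        self.allowed = allowed
        self.addr_map = {}        # address correspondence table: first -> second
        self.code_cache = {}      # recombined address space: second -> fragment
        self.next_free = 0x8000   # next unused recombined address (assumed base)
        self.hits = self.misses = 0
        self.sent, self.blocked = [], []

    def fetch_fragment(self, first):
        """S204: instructions from `first` up to and including the first jump."""
        addr, frag = first, []
        while True:
            ins = self.program[addr]
            frag.append((addr, ins))
            if ins[0] in JUMPS:
                return frag
            addr += 1

    def recombine(self, frag):
        """S205 plus target-instruction handling on network transmit."""
        out = []
        for _, ins in frag[:-1]:
            if ins[0] == "send" and ins[1] not in self.allowed:
                ins = ("blocked_send", ins[1])    # transmit is stopped
            out.append(ins)
        jump_addr, jump = frag[-1]
        out.append(("trap", jump_addr))           # second jump: back to platform
        out.append(jump)                          # first jump stays after it
        return out

    @staticmethod
    def resolve(jump, jump_addr, regs):
        """Target of the first jump, evaluated once the platform has control."""
        if jump[0] == "jmp":
            return jump[1]
        if jump[0] == "jnz":
            return jump[2] if regs[jump[1]] != 0 else jump_addr + 1
        return None                               # halt: nothing left to schedule

    def execute(self, second, regs):
        """Run one recombined fragment; return the new first address."""
        frag = self.code_cache[second]
        for i, ins in enumerate(frag):
            op = ins[0]
            if op == "mov":
                regs[ins[1]] = ins[2]
            elif op == "dec":
                regs[ins[1]] -= 1
            elif op == "send":
                self.sent.append((ins[1], regs[ins[2]]))
            elif op == "blocked_send":
                self.blocked.append(ins[1])
            elif op == "trap":
                return self.resolve(frag[i + 1], ins[1], regs)
        raise RuntimeError("fragment without trap")

    def run(self, entry):
        regs, first = {}, entry
        while first is not None:
            second = self.addr_map.get(first)     # S202: table lookup
            if second is None:                    # S204-S206: build and record
                self.misses += 1
                frag = self.recombine(self.fetch_fragment(first))
                second = self.next_free
                self.next_free += len(frag)
                self.code_cache[second] = frag
                self.addr_map[first] = second
            else:                                 # S203: reuse saved fragment
                self.hits += 1
            first = self.execute(second, regs)    # S207: hand control back
        return regs


if __name__ == "__main__":
    p = Platform(PROGRAM, ALLOWED)
    p.run(0)
    print(p.addr_map, p.hits, p.misses, p.sent, p.blocked)
```

The loop body at original address 1 is recombined once and then served from the table on every later iteration, which is the saving the address correspondence table is meant to provide.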
Above-mentioned recombination method is typically via treating that inserting required jump instruction among dispatch command fragment completes, in other embodiments of the present invention, it is also possible to complete the generation of restructuring instruction fragment by other means.It is discussed in detail below in conjunction with embodiment.
According to a further embodiment of the invention, it is provided that a kind of instruction recombination method, individually open up storage position and preserve the destination address of the first jump instruction.As shown in Figure 6, the method S110 includes:
S111, cache the instruction running environment;
S112, read the destination address from a first storage location, and obtain the machine instruction fragment to be scheduled (that is, to be executed) according to the destination address; the last instruction of the machine instruction fragment to be scheduled is the first jump instruction;
S113, save the destination address of the first jump instruction in the first storage location;
S114, replace the first jump instruction with a second jump instruction, generating a recombined instruction fragment with a second address; the second jump instruction points to the entry address of the instruction recombination platform, that is, after the second jump instruction is executed, step S111 is performed;
S115, restore the instruction running environment, and jump to the second address to continue execution.
In step S112, obtaining the machine instruction fragment to be scheduled may include:
S1121, taking jump instructions as the search target, search the machine instruction pointed to by the machine instruction address and the instructions that follow it, until the first jump instruction is found (called the first jump instruction);
A jump instruction is a machine instruction that can change the sequential execution flow of machine instructions, including Jump instructions, Call instructions, Return instructions, etc.;
S1122, take the first jump instruction and all the machine instructions to be scheduled before it as one machine instruction fragment to be scheduled; the fragment is saved in the instruction recombination platform, or in another storage location that the instruction recombination platform can read.
In step S113, the destination address, that is, the destination address parameter of the jump instruction, can be an immediate or a variable parameter: for an immediate its value is saved, and for a variable parameter its address/reference is saved. When the processor is about to execute a jump instruction, its jump target address has already been computed.
According to a further embodiment of the invention, an instruction recombination method is provided that performs disassembly and assembly for a variable-length instruction set. As shown in Figure 7, the method includes:
S121, cache the instruction running environment;
S122, read the destination address from a first storage location, and obtain the instruction fragment to be scheduled according to the destination address:
Starting from the destination address, obtain a section of machine instructions to be scheduled, disassemble it, and pass the disassembly result through a lexical analyzer to check whether it contains a jump instruction; if it does not, obtain the next section of machine instructions to be scheduled and repeat the above operation until a jump instruction is matched; this jump instruction is the first jump instruction. The first jump instruction and all instructions before it make up the instruction fragment to be scheduled;
S123, save the destination address of the first jump instruction in the first storage location;
S124, replace the first jump instruction with a second jump instruction, generating a recombined instruction fragment with a second address; the second jump instruction points to the entry address of the instruction recombination platform; in this embodiment, the first jump instruction and the second jump instruction are both assembly instructions;
S125, generate the corresponding machine code from the recombined assembly code with an assembler; and
S126, restore the instruction running environment, and jump to the second address to continue execution.
According to a further embodiment of the invention, an instruction recombination method is provided in which a push instruction replaces or records the first jump instruction. As shown in Figure 8, the method S130 includes:
S131, cache the instruction running environment;
S132, obtain the address and parameters of the jump instruction saved on the stack, and calculate the address of the next instruction to be run; this address is the first address;
S133, obtain the machine instruction fragment to be scheduled/executed according to the first address; the last instruction of the machine instruction fragment to be scheduled is the first jump instruction;
S134, replace the first jump instruction with a push instruction, which records the address and operands of the first jump instruction;
S135, add a second jump instruction after the push instruction, generating a recombined instruction fragment with a second address; the second jump instruction points to the entry address of the instruction recombination platform; and
S136, restore the instruction running environment, and jump to the second address to continue execution.
Those skilled in the art will understand that the functions or features provided in the above embodiments can be combined in a single embodiment as needed; the combinations are not listed one by one here, and only one illustrative example is given below.
According to a further embodiment of the invention, an instruction recombination method is provided which, as shown in Figure 9a, includes:
(1) cache the instruction running environment, which includes the whole CPU environment and memory environment; obtain the address and parameters of the jump instruction saved on the stack, calculate the address of the next instruction to be run (the zero address), and set the first address to the zero address;
(2) look up the address correspondence table (also called the address lookup table) using the first address; if a record is found, restore the cached instruction running environment, and jump to the corresponding address found (the address held in the address correspondence table) to continue execution;
(3) if no record is found, obtain the machine instruction fragment to be processed starting from the first address; the fragment ends with a jump instruction (the address of this jump instruction is the third address);
(4) starting from the first address, disassemble the machine code and process the disassembly result with a lexical analyzer, generating the recombined assembly code, up to the third address;
(5) determine whether the code at the third address can be processed further, that is, whether the destination address of the jump instruction at the third address is a known quantity (for example, an immediate); if it can, set the first address to the third address (or to the destination address of the jump instruction at the third address) and return to step (3);
(6) if it cannot, append to the end of the recombined assembly code a push instruction that records the original address (that is, the value of the third address) and the operands of the instruction at the current third address, and after the push instruction add an instruction that jumps to the start of the recombination platform, so that step (1) is executed again;
(7) assemble the recombined assembly code into the corresponding machine code with an assembler, store it at an address allocated in the recombination address space (the second address), and store the second address and the zero address in the address correspondence table as a corresponding address pair;
(8) restore the environment, and jump to the second address to continue execution.
To make this easier to follow, the method of this embodiment is now illustrated as run on an x86 processor. With reference to Figures 9b-9d, an example instruction recombination process is as follows:
(1) after the recombination platform starts working, it first caches the current instruction running environment; it obtains the address and parameters of the jump instruction saved on the stack and calculates the address of the next instruction to be run; this address is the first address.
(2) look up the address correspondence table using the first address; if a record is found, restore the cached instruction running environment, and jump to the corresponding address found to continue execution (Figure 9b); if no record is found, proceed as follows (Figure 9c).
(3)-(6) starting from the first address, disassemble the machine code and process the disassembly result with a lexical analyzer to generate the recombined code;
Search this assembly code and check whether it contains a jump instruction;
Analyze the first jump instruction found and determine whether its jump target address is a known quantity; if it is a known quantity, continue searching until the first parameter-address jump instruction is found, called the first jump instruction; the address of this instruction is the third address;
At the end of the generated assembly code (the machine instructions from the first address to the third address, not including the first jump instruction), add a push instruction that records the original address of the first jump instruction at the current third address and its operands;
After the push instruction, add an instruction that jumps to the start of the recombination platform (the second jump instruction).
(7) assemble the generated assembly code into the corresponding machine code with an assembler, and store it at an address allocated in the recombination address space (the second address);
The second address and the zero address are stored in the address correspondence table as a corresponding address pair.
(8) restore the environment, and jump to the second address to continue execution.
(Figure 9d) The processor starts executing the instructions at the second address. The jump instruction in the earlier instruction fragment to be recombined has been replaced with a push instruction and an instruction that jumps to the recombination platform; the main purpose of the push instruction is to provide input parameters to the recombination platform. (Figure 9d) When the second jump instruction is executed, the recombination platform regains execution and performs step (1) above: by examining the address and parameters of the jump instruction saved by the push instruction, it calculates the address of the next instruction to be run; this address is the first address.
The subsequent processing is a repetition of the above process.
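The loop of steps (1) to (8) can be modelled on a toy instruction set. The following is an added example, not code from the patent: the tuple instructions, the sample program, the 0x1000 base of the recombination space and all names are constructed for illustration, and every fragment ends at the first jump of any kind instead of continuing past jumps with known targets as step (5) allows.

```python
# Toy model of the run-time recombination loop, steps (1)-(8) above.
# The instruction set, program and addresses are constructed for illustration.

JUMPS = {"jmp", "jnz", "halt"}           # instructions that end a fragment

PROGRAM = {                              # constructed sample: r0 = 5 * 4
    0: ("mov", "r0", 0),
    1: ("mov", "r1", 4),
    2: ("add", "r0", 5),                 # loop head
    3: ("dec", "r1"),
    4: ("jnz", "r1", 2),                 # jump back to 2 while r1 != 0
    5: ("halt",),
}


class RecombinationPlatform:
    def __init__(self, program):
        self.program = program
        self.regs = {"r0": 0, "r1": 0}
        self.stack = []
        self.address_table = {}          # first address -> second address
        self.recomb_space = {}           # second address -> recombined fragment
        self.next_free = 0x1000          # assumed base of the recombination space
        self.hits = 0
        self.misses = 0

    def build_fragment(self, first):
        """Steps (3)-(7): copy up to the first jump, then replace that jump."""
        fragment, addr = [], first
        while self.program[addr][0] not in JUMPS:
            fragment.append(self.program[addr])
            addr += 1
        # addr is the "third address". The jump itself is not copied: a push
        # records its address and operands, then control returns to the platform.
        fragment.append(("push", addr, self.program[addr]))
        fragment.append(("jmp_platform",))
        second = self.next_free
        self.next_free += len(fragment)
        self.recomb_space[second] = fragment
        self.address_table[first] = second
        return second

    def execute_fragment(self, second):
        """Stand-in for the CPU running the recombined code at the second address."""
        for ins in self.recomb_space[second]:
            op = ins[0]
            if op == "mov":
                self.regs[ins[1]] = ins[2]
            elif op == "add":
                self.regs[ins[1]] += ins[2]
            elif op == "dec":
                self.regs[ins[1]] -= 1
            elif op == "push":
                self.stack.append((ins[1], ins[2]))
            elif op == "jmp_platform":
                return
            else:
                raise ValueError(f"unexpected instruction {ins!r}")

    def next_address(self):
        """Step (1): use the pushed jump record to compute the next address."""
        addr, jump = self.stack.pop()
        if jump[0] == "jmp":
            return jump[1]
        if jump[0] == "jnz":
            return jump[2] if self.regs[jump[1]] != 0 else addr + 1
        return None                      # halt: nothing further to schedule

    def run(self, entry):
        first = entry
        while first is not None:
            second = self.address_table.get(first)    # step (2)
            if second is None:
                self.misses += 1
                second = self.build_fragment(first)
            else:
                self.hits += 1
            self.execute_fragment(second)              # step (8)
            first = self.next_address()
        return self.regs


def demo():
    platform = RecombinationPlatform(PROGRAM)
    regs = platform.run(0)
    return regs, platform


if __name__ == "__main__":
    regs, platform = demo()
    print(regs, platform.address_table, platform.hits, platform.misses)
```

No original jump ever executes directly: each one is resolved by the platform from the pushed record, and the loop body at address 2 is recombined once and then served from the address correspondence table.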
Further, in order to perform run-time instruction monitoring as soon as the system starts, so that instructions are fully monitored at run time throughout the operation phase of the computing device, in another embodiment of the present invention the load instruction executed at computer start-up is modified so that the instruction recombination platform provided by the invention is called before the load instruction executes and the above run-time instruction recombination method is performed. Because the jump address of the load instruction is a known fixed address, the instruction recombination platform can establish the address correspondence table and its first record in advance, and establish the first recombined instruction fragment.
Further, according to a further embodiment of the invention, a computer-readable medium is provided, in which computer-executable program code is stored; the program code is used to perform the steps of the run-time instruction recombination method provided in the above embodiments.
Further, according to a further embodiment of the invention, a computer program is provided, which comprises the steps of the run-time instruction recombination method provided in the above embodiments.
Instruction recombination for data safety
The above run-time instruction recombination method provides a foundation for further applications. The following embodiments provide run-time instruction recombination methods that handle different kinds of machine instructions, including storage/read instructions, I/O instructions, and network transmission instructions:
(1) A storage/read instruction is any instruction or combination of instructions in a computer system that stores to or reads from an external storage device (including but not limited to disks, removable storage, and optical storage).
(2) An I/O instruction is any instruction in a computer system that operates on the address space of a peripheral; these instructions ultimately affect the peripheral's input/output state, data, signals, etc. The I/O address space here includes but is not limited to the I/O address space and the memory-mapped I/O device address space.
(3) A network transmission instruction is any instruction in a computer system that affects a network device; these instructions ultimately affect all related characteristics of the computer system's network devices, such as transmission, state, data, and signals.
Storage/read instructions and I/O instructions may overlap.
According to one embodiment of the invention, a run-time instruction recombination method S400 for storage/read instructions is provided, including:
S401, cache the instruction running environment; the instruction running environment includes an address register, which holds the address of the next machine instruction to be run; this address is the first address;
S402, look up the address correspondence table using the first address;
S403, if a corresponding record is found, modify the first address A to the address A' of the saved recombined instruction fragment;
S404, if no corresponding record is found, generate a recombined instruction fragment as follows:
S4041, obtain the machine instruction fragment to be scheduled; the last instruction of the machine instruction fragment to be scheduled is the first jump instruction; this is the same as step S102;
S4042, disassemble the machine instruction fragment to be scheduled to obtain an assembly instruction fragment;
S4043, search for target assembly instructions; the target assembly instructions are storage/read instructions;
S4044, if a storage/read instruction is found in the assembly instruction fragment, modify its storage and read addresses to addresses on a secure storage device; the modification may be a direct mapping between the local address space and the address space of the secure storage device;
S4045, insert a second jump instruction JP2 before the first jump instruction JP1; JP2 points to the entry address of the instruction recombination platform;
S4046, assemble the modified assembly instruction fragment, generating a recombined machine instruction fragment with address A'';
S4047, use the address A'' of the recombined machine instruction fragment and the first address A to create a record (or address pair) in the address correspondence table; the recombined instruction fragment with address A'' is stored in the instruction recombination platform;
S4048, modify the first address A to the second address A'';
S405, restore the instruction running environment.
In this embodiment, instructions are processed after the disassembly step; in other embodiments, the disassembly and the corresponding assembly steps can be omitted and the machine instructions processed directly.
In step S4044, storage and read instructions are operated on: their target and source addresses are modified to achieve storage relocation/redirection and ensure data security. More specific secure storage/read methods are described in later embodiments of the present invention.
According to one embodiment of the invention, a run-time instruction recombination method S500 for I/O instructions is provided, including:
S501, cache the instruction running environment; the instruction running environment includes an address register, which holds the address of the next machine instruction to be run; this address is the first address;
S502, look up the address correspondence table using the first address;
S503, if a corresponding record is found, modify the first address A to the address A' of the saved recombined instruction fragment;
S504, if no corresponding record is found, generate a recombined instruction fragment as follows:
S5041, obtain the machine instruction fragment to be scheduled; the last instruction of the machine instruction fragment to be scheduled is the first jump instruction; this is the same as step S102;
S5042, disassemble the machine instruction fragment to obtain an assembly instruction fragment;
S5043, search for target assembly instructions; the target assembly instructions are I/O instructions;
S5044, if an I/O instruction is found in the assembly instruction fragment, block all input instructions among the I/O instructions;
S5045, insert a second jump instruction JP2 before the first jump instruction JP1; JP2 points to the entry address of the instruction recombination platform;
S5046, assemble the modified assembly instruction fragment, generating a recombined machine instruction fragment with address A'';
S5047, use the address A'' of the recombined machine instruction fragment and the first address A to create a record (or address pair) in the address correspondence table; the recombined instruction fragment with address A'' is stored in the instruction recombination platform;
S5048, modify the first address A to the second address A'';
S505, restore the instruction running environment.
In this embodiment, instructions are processed after the disassembly step; in other embodiments, the disassembly and the corresponding assembly steps can be omitted and the machine instructions processed directly.
In step S5044, I/O instructions are operated on: all input instructions among the I/O instructions are blocked, so as to completely block write operations to local hardware devices; combined with the storage instruction handling of the previous embodiment, input instructions other than storage instructions can also be blocked, which improves data security in the computing device.
According to one embodiment of the invention, a run-time instruction recombination method S600 for network transmission instructions is provided, including:
S601, cache the instruction running environment; the instruction running environment includes an address register, which holds the address of the next machine instruction to be run; this address is the first address;
S602, look up the address correspondence table using the first address;
S603, if a corresponding record is found, modify the first address A to the address A' of the saved recombined instruction fragment;
S604, if no corresponding record is found, generate a recombined instruction fragment as follows:
S6041, obtain the machine instruction fragment to be scheduled; the last instruction of the machine instruction fragment to be scheduled is the first jump instruction; this is the same as step S102;
S6042, disassemble the machine instruction fragment to be scheduled to obtain an assembly instruction fragment;
S6043, search for target assembly instructions; the target assembly instructions are network transmission instructions;
S6044, if a network transmission instruction is found in the assembly instruction fragment, check whether the remote computing device corresponding to the destination address in the network transmission instruction is a secure address; if it is not, block the network transmission instruction;
S6045, insert a second jump instruction JP2 before the first jump instruction JP1; JP2 points to the entry address of the instruction recombination platform;
S6046, assemble the modified assembly instruction fragment, generating a recombined machine instruction fragment with address A'';
S6047, use the address A'' of the recombined machine instruction fragment and the first address A to create a record (or address pair) in the address correspondence table; the recombined instruction fragment with address A'' is stored in the instruction recombination platform;
S6048, modify the first address A to the second address A'';
S605, restore the instruction running environment.
In step S6044, the network transmission instruction can be blocked/refused by inserting one or more instructions into the recombined code that replace the transmission instruction itself with an "instruction that cancels the current operation", or by replacing it directly with an invalid instruction, depending on the hardware.
In this embodiment, instructions are processed after the disassembly step; in other embodiments, the disassembly and the corresponding assembly steps can be omitted and the machine instructions processed directly.
In step S6044, network transmission instructions are operated on: the method checks whether the remote computing device corresponding to the destination address in the network transmission instruction is a secure address; if it is not, the network transmission instruction is blocked, so as to achieve secure data transmission.
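The rewrite applied to a disassembled fragment in steps S4043-S4045 and S6043-S6045 can be sketched as a single pass. This is an added example, not code from the patent; the tuple instruction format, the SECURE_BASE window, the SECURE_PEERS list, the "cancel" placeholder and the platform entry label are assumptions made for illustration.

```python
# Rewrite pass over a disassembled fragment, after steps S4043-S4045 and
# S6043-S6045. Instruction tuples and all constants are constructed.

SECURE_BASE = 0x8000_0000                 # assumed window of the secure storage device
SECURE_PEERS = {"10.0.0.5"}               # assumed list of secure remote addresses
PLATFORM_ENTRY = "recomb_platform_entry"  # assumed label of the platform entry
JUMPS = {"jmp", "call", "ret"}


def to_secure(address):
    """Direct mapping from the local address space to secure storage."""
    return SECURE_BASE + address


def recombine_for_data_safety(fragment):
    """Return (recombined fragment, audit log) for one fragment to be scheduled."""
    if not fragment or fragment[-1][0] not in JUMPS:
        raise ValueError("fragment must end with its first jump instruction")
    if any(ins[0] in JUMPS for ins in fragment[:-1]):
        raise ValueError("only the last instruction may be a jump")

    out, log = [], []
    for index, ins in enumerate(fragment[:-1]):
        op = ins[0]
        if op == "store":                       # ("store", address, source_reg)
            out.append(("store", to_secure(ins[1]), ins[2]))
            log.append((index, "store redirected"))
        elif op == "load":                      # ("load", dest_reg, address)
            out.append(("load", ins[1], to_secure(ins[2])))
            log.append((index, "load redirected"))
        elif op == "send":                      # ("send", peer, source_reg)
            if ins[1] in SECURE_PEERS:
                out.append(ins)
            else:
                out.append(("cancel",))         # stands in for "cancel current operation"
                log.append((index, "send blocked"))
        else:
            out.append(ins)

    out.append(("jmp", PLATFORM_ENTRY))         # JP2, inserted before JP1
    out.append(fragment[-1])                    # JP1, left in place
    return out, log


SAMPLE_FRAGMENT = [                             # constructed input
    ("load", "r0", 0x1000),
    ("add", "r0", 1),
    ("store", 0x1004, "r0"),
    ("send", "10.0.0.5", "r0"),
    ("send", "203.0.113.9", "r0"),
    ("jmp", 0x2000),
]

if __name__ == "__main__":
    recombined, audit = recombine_for_data_safety(SAMPLE_FRAGMENT)
    for ins in recombined:
        print(ins)
    print(audit)
```

The audit log is an addition of this sketch: it gives a defender a record of which instructions were redirected or blocked in each fragment.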
The address correspondence table in the above embodiments is created and maintained by the instruction recombination platform. It can be a fixed-length array structure, a variable-length linked list structure, or another data structure suitable for storing binary data. Preferably, its length is adjustable and the space it occupies can be released. The address correspondence table can be released at random or periodically. In some embodiments, the address correspondence table may also include a record creation time field, used to delete records according to how long ago they were created when space is released. In some embodiments, the address correspondence table may also include a record use count field; in the step of looking up the address correspondence table, if a record is found, the value of this field is changed; the use count field is also used to delete records according to their number of uses when space is released.
In addition, those skilled in the art will understand that the above instruction recombination method (that is, the run-time instruction recombination method) can be implemented in software or in hardware:
(1) if implemented in software, the steps of the above method are stored on a computer-readable medium in the form of software code, becoming a software product;
(2) if implemented in hardware, the steps of the above method are described in hardware code (for example, Verilog) and solidified (through processes such as physical design, place and route, and fab tape-out) into a chip product (for example, a processor product). This is described in detail below.
Instruction recombination device
Corresponding to the above run-time instruction recombination method S100, according to one embodiment of the invention, a run-time instruction recombination device is provided. As shown in Figure 10, instruction recombination device 500 includes:
Instruction running environment caching and restoring unit 501, adapted to cache and restore the instruction running environment; the instruction running environment includes an address register, which holds the address of the next machine instruction to be run; this address is the first address;
Instruction acquiring unit 502, adapted to obtain the machine instruction fragment to be scheduled after unit 501 has cached the instruction running environment; the last instruction of the machine instruction fragment to be scheduled is the first jump instruction;
Instruction recombination unit 503, adapted to parse and modify the machine instruction fragment to be scheduled, including: inserting a second jump instruction before the first jump instruction, generating a recombined instruction fragment with a second address A''; the second jump instruction points to device 500, that is, after the second jump instruction is executed, the instruction running environment caching and restoring unit 501 of device 500 performs the next round of processing; and
Address replacement unit 504, adapted to modify the value of the address register in the cached instruction running environment to the address of the recombined instruction fragment.
The instruction running environment caching and restoring unit 501 is coupled to the instruction acquiring unit 502 and the address replacement unit 504 respectively; the instruction acquiring unit 502, the instruction recombination unit 503 and the address replacement unit 504 are coupled in sequence.
Device 500 operates as follows:
First, the instruction running environment caching and restoring unit 501 caches the instruction running environment, for example by pushing the register data relevant to instruction execution onto a cache stack;
Then, the instruction acquiring unit 502 reads the address of the machine instruction to be scheduled from CPU address register 511, and reads a machine instruction fragment starting at that address; the last instruction of the machine instruction fragment is a jump instruction;
For example, the instruction acquiring unit 502 reads the address of the machine instruction to be scheduled from CPU address register 511; taking jump instructions as the search target, it searches the machine instructions at that address until the first jump instruction is found; jump instructions include, for example, Jump instructions and Call instructions; the first jump instruction and all machine instructions before it are taken as one machine instruction fragment to be scheduled; the fragment is saved in device 500, or in another storage location that device 500 can read;
Then, the instruction recombination unit 503 inserts a second jump instruction before the last instruction of the obtained machine instruction fragment; the second jump instruction points to the entry address of device 500; this generates a recombined instruction fragment with address A'';
Then, the address replacement unit 504 modifies the value A of the address register in the cached instruction running environment to address A'';
Finally, the instruction running environment caching and restoring unit 501 restores the instruction running environment, for example by popping the register data relevant to instruction execution from the cache stack.
Corresponding to the above run-time instruction recombination method S300, the instruction acquiring unit 502 may take the first non-constant-address jump instruction as the first jump instruction, to improve the execution efficiency of the recombination unit.
Corresponding to the above run-time instruction recombination method S200, according to a further embodiment of the invention, a run-time instruction recombination device is provided that makes full use of the repetitiveness of instructions at run time, improving efficiency and saving computing resources.
As shown in Figure 11, instruction recombination device 600 includes:
Instruction running environment caching and restoring unit 601, adapted to cache and restore the instruction running environment; the instruction running environment includes an address register, which holds the address of the next machine instruction to be run; this address is the first address;
Instruction acquiring unit 602, adapted to obtain the machine instruction fragment to be scheduled; the last instruction of the machine instruction fragment to be scheduled is the first jump instruction;
Instruction recombination unit 603, adapted to parse and modify the machine instruction fragment to be scheduled, including: inserting a second jump instruction before the first jump instruction, to generate a recombined instruction fragment with a second address; the second jump instruction points to device 600, that is, after the second jump instruction is executed, the instruction running environment caching and restoring unit 601 of device 600 performs the next round of processing;
Address replacement unit 604, adapted to modify the value of the address register in the cached instruction running environment to the address of the recombined instruction fragment; and
Instruction retrieval unit 605, adapted to look up the address correspondence table using the first address; the address correspondence table indicates whether the instruction fragment to be scheduled that the first address A points to has a saved recombined instruction fragment; the data in the address correspondence table are address pairs;
If a corresponding record is found, the instruction retrieval unit 605 is adapted to call the address replacement unit 604 to modify the first address A (that is, the value A of the address register) to the address A' of the saved recombined instruction fragment; if no corresponding record is found, the instruction retrieval unit is adapted to use the second address A'' and address A to create a record in the address correspondence table.
The instruction running environment caching and restoring unit 601 is coupled to the instruction retrieval unit 605 and the address replacement unit 604 respectively; the instruction retrieval unit 605 is coupled to the instruction acquiring unit 602, the instruction recombination unit 603 and the address replacement unit 604 respectively; and the instruction acquiring unit 602, the instruction recombination unit 603 and the address replacement unit 604 are coupled in sequence.
Device 600 operates as follows:
First, the instruction running environment caching and restoring unit 601 caches the instruction running environment, for example by pushing the register data relevant to instruction execution onto a cache stack;
Then, the instruction retrieval unit 605 looks up the address correspondence table using the value A of the address register in the cached instruction running environment;
If a corresponding record is found, the instruction retrieval unit 605 calls the address replacement unit 604, which modifies the value A of the address register to the value A' in the record; the address replacement unit 604 calls the instruction running environment caching and restoring unit 602 to restore the instruction running environment, that is, to pop the register data relevant to instruction execution from the cache stack, and this recombination operation ends;
If no corresponding record is found, the instruction acquiring unit 602 reads the address of the machine instruction to be scheduled from the CPU address register, and reads a machine instruction fragment starting at that address; the last instruction of the machine instruction fragment is a jump instruction. Specifically, the instruction acquiring unit 602 reads the address of the machine instruction to be scheduled from the CPU address register; taking jump instructions as the search target, it searches the machine instructions at that address until the first jump instruction is found; jump instructions include Jump instructions, Call instructions, etc.; the first jump instruction and all machine instructions before it are taken as one machine instruction fragment to be scheduled; the fragment is saved in device 600, or in another storage location that device 600 can read;
Then, the instruction recombination unit 603 inserts a second jump instruction before the last instruction of the obtained machine instruction fragment; the second jump instruction points to the entry address of device 600; this generates a recombined instruction fragment with address A'';
Then, the instruction recombination unit 603 sends address A'' to the instruction retrieval unit 605, and the instruction retrieval unit 605 uses address A'' and address A to create a record in the address correspondence table, for reuse by subsequent instructions;
Then, the address replacement unit 604 modifies the value A of the address register in the cached instruction running environment to address A'';
Finally, the instruction running environment caching and restoring unit 601 restores the instruction running environment, that is, pops the register data relevant to instruction execution from the cache stack.
With continued reference to Figure 11, the instruction recombination unit 603 may further include:
An instruction parsing unit 6031, adapted to match the machine instruction fragment against an instruction set to obtain the target machine instructions to be processed (that is, to search the machine instruction fragment to be scheduled for the target instructions); the instruction set includes the X86, MIPS and ARM instruction sets;
An instruction modification unit 6032, adapted to modify the target machine instructions in a predetermined manner.
For example, if the target instruction is a store/read instruction, the instruction parsing unit 6031 is responsible for obtaining the store/read instructions in the machine instruction fragment to be scheduled, and the instruction modification unit 6032 changes the store and read addresses in them to addresses on a safe storage device. The function and effect are the same as in the corresponding method embodiment S400 above and are not repeated here.
As another example, if the target instruction is an I/O instruction, the instruction parsing unit 6031 is responsible for obtaining the I/O instructions in the machine instruction fragment to be scheduled, and the instruction modification unit 6032 blocks all input instructions among the I/O instructions. The function and effect are the same as in the corresponding method embodiment S500 above and are not repeated here.
As another example, if the target instruction is a network transmission instruction, the instruction parsing unit 6031 is responsible for obtaining the network transmission instructions in the machine instruction fragment to be scheduled, and the instruction modification unit 6032 checks whether the remote computing device corresponding to the destination address in the network transmission instruction is a secure address; if it is not, the instruction modification unit is adapted to block the network transmission instruction. The function and effect are the same as in the corresponding method embodiment S600 above and are not repeated here.
According to a further embodiment of the invention, the above instruction recombination unit may also include a disassembling unit and an assembling unit. As shown in Figure 12, the instruction recombination unit 703 includes, coupled in sequence: a disassembling unit 7031, an instruction parsing unit 7032, an instruction modification unit 7033 and an assembling unit 7034.
The disassembling unit 7031 is adapted to disassemble the machine instruction fragment to be scheduled, before it is parsed and modified, into an assembly instruction fragment to be scheduled, and to send it to the instruction parsing unit 7032.
The assembling unit 7034 is adapted to assemble the recombined assembly instruction fragment, after the machine instruction fragment to be scheduled has been parsed and modified, into a recombined instruction fragment expressed in machine code, and to send it to the instruction replacement unit.
In this embodiment, the instruction parsing unit 7032 and the instruction modification unit 7033 operate on the assembly instruction fragment to be scheduled.
Corresponding to the runtime instruction recombination method S110 above, a further embodiment of the invention provides a runtime instruction recombination device. As shown in Figure 13, the instruction recombination device 800 includes:
An instruction running environment caching and restoring unit 801, adapted to cache the instruction running environment;
An instruction acquiring unit 802 and a first storage location 803, where the instruction acquiring unit 802 is adapted to read a destination address from the first storage location 803 and to obtain, according to the destination address, the machine instruction fragment to be scheduled/executed; the last instruction of the machine instruction fragment to be scheduled is a first jump instruction; and
An instruction recombination unit 804, adapted to save the destination address of the first jump instruction in the first storage location 803 and to replace the first jump instruction with a second jump instruction, generating a recombined instruction fragment with a second address; the second jump instruction points to the entry address of device 800.
The instruction running environment caching and restoring unit 801 is further adapted, after the instruction recombination unit 804 has replaced the instruction, to restore the instruction running environment and jump to the second address to continue execution.
Device 800 operates as follows:
First, the instruction running environment caching and restoring unit 801 caches the instruction running environment;
Then, the instruction acquiring unit 802 reads the destination address (the address of the instruction to be scheduled) from the first storage location 803 and obtains the machine instruction fragment to be scheduled according to the destination address; the last instruction of the machine instruction fragment to be scheduled is the first jump instruction;
Then, the instruction recombination unit 804 saves the destination address of the first jump instruction in the first storage location 803; for an immediate operand its value is saved, and for a variable parameter its address/reference is saved;
Then, the instruction recombination unit 804 replaces the first jump instruction with the second jump instruction, generating a recombined instruction fragment with a second address;
Finally, the instruction running environment caching and restoring unit 801 restores the instruction running environment and jumps to the second address to continue execution.
According to a further embodiment of the invention, a runtime instruction recombination device is provided that corresponds to method S130 above and includes features of the devices provided in some of the above embodiments. As shown in Figure 14, the device 900 includes:
An instruction running environment caching and restoring unit 901, adapted to cache and restore the instruction running environment;
An instruction acquiring unit 902, adapted to obtain, by calculation from input parameters, the address of the next instruction to be run, this address being the first address; and further adapted to obtain, according to the first address, the machine instruction fragment to be scheduled/executed; the last instruction of the machine instruction fragment to be scheduled is a first jump instruction;
An instruction recombination unit 903, adapted to replace the first jump instruction with a push instruction that records the address and operands of the first jump instruction; further adapted to add a second jump instruction after the push instruction, generating a recombined instruction fragment with a second address; the second jump instruction points to the entry address of device 900; and further adapted to create, in the address correspondence table, a record of the second address of the recombined instruction fragment and the first address;
An instruction retrieval unit 904, adapted to search the address correspondence table using the first address; the address correspondence table indicates whether the instruction fragment to be scheduled that the first address points to has a saved recombined instruction fragment, and the entries of the address correspondence table are address pairs;
If a corresponding record is found, the instruction retrieval unit 904 is adapted to call the instruction running environment caching and restoring unit 901 to restore the cached instruction running environment and to jump to the corresponding address found to continue execution (the recombination operation is complete);
If no corresponding record is found, it calls the instruction recombination unit 903 to perform the recombination operation.
The instruction recombination unit 903 may further include a disassembling unit 9031, an instruction parsing unit 9032, an instruction modification unit 9033 and an assembling unit 9034.
After the instruction recombination unit 902 completes the recombination, it is adapted to call the instruction running environment caching and restoring unit 901 to restore the cached instruction running environment and to jump to the address of the recombined instruction fragment to continue execution (this recombination operation is complete).
According to a further embodiment of the invention, the above disassembling unit 9031 may be located within the instruction acquiring unit 902, which then performs the disassembly when it obtains the instruction fragment to be scheduled.
Those skilled in the art will understand that the data-flow arrows in the drawings of the above device embodiments are only intended to help explain the specific operation flows of those embodiments; they do not limit the direction of data flow or of connection between the units in the figures, and the units within a device are in a coupling relation.
The runtime instruction recombination method and device have been described in detail above through several embodiments. Compared with the prior art, they have the following advantages:
With the instruction recombination method, the instructions of a computing device can be monitored while they are running;
Using the address correspondence table improves the efficiency of instruction recombination and saves computing resources;
For store and read instructions, the target and source addresses in them are modified to achieve storage relocation/redirection and ensure data security;
For I/O instructions, all input instructions among the I/O instructions are blocked, so that write operations to local hardware devices are blocked completely; input instructions other than store instructions can also be blocked, which improves data security in the computing device;
For network transmission instructions, a check is made whether the remote computing device corresponding to the destination address in the network transmission instruction is a secure address; if it is not, the network transmission instruction is blocked, to achieve secure data transmission.
It should be noted and understood that various modifications and improvements can be made to the invention described in detail above without departing from the spirit and scope of the invention as required by the appended claims. Therefore, the scope of the claimed technical solution is not limited by any specific exemplary teaching given.
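The execution process of device 900 and the target-instruction modifications described above can be traced on a small model. The following is an added example, not code from the patent: the tuple-based toy instruction set, the `Platform` class, `SAFE_BASE`, `SAFE_HOSTS`, the sample program and all addresses are assumptions made for illustration, and every fragment is ended with a push plus a jump back to the platform (fragments are never merged across a jump).

```python
SAFE_BASE = 0x8000             # assumed base address of the safe storage device
SAFE_HOSTS = {"10.0.0.5"}      # assumed allowlist of secure remote addresses
JUMPS = {"jmp", "jz", "halt"}  # toy-ISA instructions that end a fragment

PROGRAM = {                    # constructed sample: address -> instruction
    0: ("add", "r0", 3), 1: ("jmp", 2),
    2: ("add", "r1", 7), 3: ("store", 0x10, "r1"), 4: ("send", "203.0.113.9", "r1"),
    5: ("add", "r0", -1), 6: ("jz", "r0", 8), 7: ("jmp", 2),
    8: ("send", "10.0.0.5", "r1"), 9: ("halt",),
}

class Platform:
    def __init__(self, program):
        self.program = program
        self.cache = {}          # recombined address space: second address -> code
        self.table = {}          # address correspondence table: first -> second
        self.next_slot = 0x1000  # next free second address (constructed value)
        self.regs, self.stack, self.memory = {"r0": 0, "r1": 0}, [], {}
        self.sent, self.blocked = [], []

    def fetch_fragment(self, addr):
        """Return (address, instruction) pairs up to and including the first jump."""
        frag = [(addr, self.program[addr])]
        while frag[-1][1][0] not in JUMPS:
            addr += 1
            frag.append((addr, self.program[addr]))
        return frag

    def modify(self, ins):
        """Rewrite target instructions: redirect stores, stop unsafe sends."""
        if ins[0] == "store":
            return ("store", SAFE_BASE + ins[1], ins[2])
        if ins[0] == "send" and ins[1] not in SAFE_HOSTS:
            return ("blocked", ins[1])
        return ins

    def recombine(self, first):
        frag = self.fetch_fragment(first)
        jump_addr, jump = frag[-1]
        code = [self.modify(ins) for _, ins in frag[:-1]]
        # Ending jump -> push of its address and operands + jump to the platform.
        code += [("push", jump_addr, jump), ("enter_platform",)]
        second, self.next_slot = self.next_slot, self.next_slot + len(code)
        self.cache[second] = code
        self.table[first] = second   # record the (first, second) address pair
        return second

    def execute(self, ins):
        op, args = ins[0], ins[1:]
        if op == "add":
            self.regs[args[0]] += args[1]
        elif op == "store":
            self.memory[args[0]] = self.regs[args[1]]
        elif op == "send":
            self.sent.append((args[0], self.regs[args[1]]))
        elif op == "blocked":
            self.blocked.append(args[0])
        elif op == "push":
            self.stack.append(args)  # "enter_platform" itself needs no action

    def next_address(self):
        """Platform entry: pop the saved jump and compute the next address."""
        jump_addr, jump = self.stack.pop()
        if jump[0] == "jz":
            return jump[2] if self.regs[jump[1]] == 0 else jump_addr + 1
        return jump[1] if jump[0] == "jmp" else None   # None means halt

    def run(self, first):
        while first is not None:
            second = self.table.get(first) or self.recombine(first)  # hit or miss
            for ins in self.cache[second]:
                self.execute(ins)
            first = self.next_address()
```

Running `Platform(PROGRAM).run(0)` executes the loop body three times but recombines it only once; later passes are served from the address correspondence table, and every store lands at `SAFE_BASE + 0x10` instead of `0x10`.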

Claims (5)

1. A runtime instruction recombination method, including:
Step 1: cache the instruction running environment; obtain the address and parameters of the first jump instruction saved on the stack, and calculate the address of the next instruction to be run, this instruction address being the zeroth address; set the first address to the zeroth address;
Step 2: search the address correspondence table using the first address; if a record is found, restore the cached instruction running environment and jump to the corresponding address found to continue execution, completing this instruction recombination;
Step 3: if no record is found, obtain the machine instruction fragment to be processed starting from the first address; the fragment ends with a second jump instruction, and the address of the second jump instruction is the third address;
Step 4: starting from the first address, disassemble the machine code and process the disassembly result with a lexical analyzer to generate the recombined assembly code, up to the third address;
Step 5: determine whether the target code of the second jump instruction at the third address can be processed further; if it can, set the first address to the third address or to the destination address of the second jump instruction at the third address, and start again from step 3;
Step 6: if it cannot, append to the end of the generated recombined assembly code a push instruction that records the value of the current third address and the operands, and after the push instruction add an instruction that jumps to the start of the recombination platform;
Step 7: use an assembler to generate the corresponding machine code from the generated recombined assembly code, and store it at an allocated address in the recombined address space, this address being the second address; store the second address and the zeroth address in the address correspondence table as a corresponding address pair; and
Step 8: restore the environment and jump to the second address to continue execution.
2. The runtime instruction recombination method of claim 1, further including, before step 6:
Parsing the machine instruction fragment to be processed, matching the machine instruction fragment against an instruction set to obtain the target machine instructions to be processed;
Modifying the target machine instructions.
3. The runtime instruction recombination method of claim 2, wherein the target machine instruction is a store/read instruction;
Modifying the target machine instruction includes: changing the store and read addresses in it to addresses on a safe storage device.
4. The runtime instruction recombination method of claim 2, wherein the target machine instruction is an I/O instruction;
Modifying the target machine instruction includes: blocking all input instructions among the I/O instructions.
5. The runtime instruction recombination method of claim 2, wherein the target machine instruction is a network transmission instruction;
Modifying the target machine instruction includes: checking whether the remote computing device corresponding to the destination address in the network transmission instruction is a secure address; if it is not, blocking the network transmission instruction.
CN201210327228.2A 2012-09-06 2012-09-06 Instruction recombination method and device Expired - Fee Related CN103677746B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210327228.2A CN103677746B (en) 2012-09-06 2012-09-06 Instruction recombination method and device

Publications (2)

Publication Number    Publication Date
CN103677746A (en)     2014-03-26
CN103677746B (en)     2016-06-29


Legal Events

Date Code Title Description
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 100097 HAIDIAN, BEIJING TO: 100071 FENGTAI, BEIJING

TA01 Transfer of patent application right

Effective date of registration: 20150121

Address after: 100071 Beijing city Fengtai District Xiaotun Road No. 89 aerospace standard tower

Applicant after: The safe and sound Information Technology Co., Ltd in sky in Beijing

Address before: 100097 Beijing city Haidian District landianchang road Jin Yuan era business center B block 2-6B1

Applicant before: Beijing Zhongtian Antai Technology Co., Ltd.

CB02 Change of applicant information

Address after: 100071 Beijing city Fengtai District Xiaotun Road No. 89 aerospace standard tower

Applicant after: Zhongtian Aetna (Beijing) Information Technology Co. Ltd.

Address before: 100071 Beijing city Fengtai District Xiaotun Road No. 89 aerospace standard tower

Applicant before: The safe and sound Information Technology Co., Ltd in sky in Beijing

COR Change of bibliographic data
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20160629

Termination date: 20180906