CN103677770A - Instruction recombining method and device - Google Patents
Instruction recombining method and device Download PDFInfo
- Publication number
- CN103677770A CN103677770A CN201210327202.8A CN201210327202A CN103677770A CN 103677770 A CN103677770 A CN 103677770A CN 201210327202 A CN201210327202 A CN 201210327202A CN 103677770 A CN103677770 A CN 103677770A
- Authority
- CN
- China
- Prior art keywords
- instruction
- address
- fragment
- jump
- machine
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Landscapes
- Memory System Of A Hierarchy Structure (AREA)
- Advance Control (AREA)
Abstract
The invention provides an instruction recombining method in the operating process. The instruction recombining method includes the steps that step1, an instruction operating environment is cached; step2, a target address is read from a first storage position, a machine instruction segment to be dispatched is obtained according to the target address, and the last instruction of the machine instruction segment to be dispatched is a first jump instruction; step3, the target address of the first jump instruction is stored in the first storage position; step4, the first jump instruction is replaced by a second jump instruction to form a recombining instruction segment with a second address, and the second jump instruction points to an entry address of an instruction recombining platform; step5, the instruction operating environment is recovered, and execution is continued by jumping to the second address.
Description
Technical field
The present invention relates to computer safety field, relate in particular to a kind of instruction recombination method and device.
Background technology
Existing electronic information security field comprises security of system, data security and three sub-fields of device security.
In data security field, the general three kinds of technology below that adopt are guaranteed data security: (1) data content safety technique, comprise data ciphering and deciphering technology and end-to-end data encryption technology, ensure that data content in storage and transmitting procedure is not illegally read; (2) data security transfer techniques, comprises and prevents illegal copies, printing or other output, ensures the safety of data in use and transfer process; (3) network interrupter technique, comprises network physical blocking-up and the technology such as network barrier is set.
According to correlation analysis, the total effectively detecting ability of current all harm for computing machine is at most in 50% left and right; Because above-mentioned technology is at reply computer inner core virus, wooden horse, Loopholes of OS, system backdoor and people scarce capacity when divulging a secret, all may there is malicious code in any computing equipment (such as computing machine, handheld communication devices etc.) in fact.Once malicious code enters terminal system, above-mentioned encryption technology, anti-copy technology and network interrupter technique are in this case by ineffective.Existing hacking technique can utilize system vulnerability or system backdoor penetrate above-mentioned safety technique and implant malicious code, and utilizes malicious code to obtain user data.Above-mentioned technology more cannot be taken precautions against concerning security matters personnel's active or passive divulging a secret, and for example, internal staff can carry memory device, from internal network or terminal, downloads required data and takes away memory device, causes inside to be divulged a secret; Again for example, internal staff can directly take away computing equipment.
To sum up, anti-copy technology cannot guarantee that classified information is not illegally stored in terminal.Filtration Network Based cannot guarantee that classified information do not lose.Concerning security matters personnel can be caused and divulged a secret by malicious code or malice instrument, also may divulge a secret because of secrecy-involved apparatus or out of control the causing of storage medium.
Summary of the invention
The invention provides a kind of instruction recombination method and device, while realizing operation, instruction catching and recombinating.
According to one aspect of the invention, a kind of instruction recombination method when operation is provided, comprising:
Step 4, the first jump instruction is replaced with to the second jump instruction, generate and there is two address restructuring instruction fragment; The entry address of described the second jump instruction directional order restructuring platform; With
Optionally, in step 2, according to destination address, obtain and treat that dispatch command fragment comprises:
From destination address, obtain one section of machine instruction to be scheduled, this section of machine instruction carried out to dis-assembling;
Check in dis-assembling result whether comprise jump instruction, if do not comprised, continue to obtain one section of machine instruction to be scheduled next, until match jump instruction, this jump instruction is the first jump instruction; Wherein, the first jump instruction and all instructions compositions are before treated dispatch command fragment.
Optionally, between step 4 and step 5, also comprise:
Assembly code after the restructuring of generation is generated to corresponding machine code by assembler.
Optionally, between step 1 and step 2, also comprise:
From the first memory location, read destination address, utilize described destination address to search the corresponding table in address; The corresponding table in described address is for representing whether machine instruction fragment to be scheduled has the restructuring instruction fragment of having preserved;
If find corresponding record, recover described instruction operation environment, and the preservation address jumping in record continues to carry out.
Optionally, if do not find corresponding record in the corresponding table in address, after step 4, also comprise:
Utilize the address of restructuring instruction fragment in the corresponding table in address, to set up a record with described destination address.
Optionally, before step 4, also comprise:
Resolve described machine instruction fragment to be scheduled, utilize instruction set to mate described machine instruction fragment, obtain pending target machine instruction;
According to predetermined mode, revise described target machine instruction.
Optionally, described target instruction target word is storage/reading command;
According to predetermined mode, revise described target machine instruction and comprise: storage and the reading address revised are wherein the address on safety storage apparatus.
Optionally, described target instruction target word is I/O instruction;
According to predetermined mode, revise described target machine instruction and comprise: the input instruction in described I/O instruction is all stoped.
Optionally, described target instruction target word is Internet Transmission instruction;
According to predetermined mode, revise described target machine instruction and comprise: check whether remote computing devices corresponding to destination address in described Internet Transmission instruction is secure address (allowing reference address); If not, stop described Internet Transmission instruction.
According to a further aspect of the present invention, provide a kind of computer-readable medium, store the executable program code of computing machine in described computer-readable recording medium, described program code is for carrying out the step of said method.
Another aspect according to the present invention, instruction recombination device when a kind of operation is provided, comprising:
Instruction operation environment buffer memory and recovery unit, be suitable for buffer memory and recover instruction operation environment;
The first memory location, is suitable for preserving destination address;
Instruction fetch unit, and instruction running environment buffer memory and recovery unit couple, and are suitable for reading destination address from the first memory location, and obtain machine instruction fragment to be scheduled according to destination address; Wherein, the last item instruction of machine instruction fragment to be dispatched is the first jump instruction; With
Instruction recombination unit, and instruction running environment buffer memory and recovery unit couple, and are suitable for preserving in the first memory location the destination address of the first jump instruction; Also be suitable for the first jump instruction to replace with the second jump instruction, generate and there is two address restructuring instruction fragment; The entry address of described the second jump instruction indicator device.
During optionally, described operation, instruction recombination device also comprises:
Instruction retrieval unit, is suitable for utilizing described destination address to search the corresponding table in address; The corresponding table in described address is for representing whether machine instruction fragment to be dispatched has the restructuring instruction fragment of having preserved;
If find corresponding record, instruction retrieval unit is also suitable for call instruction running environment buffer memory and recovery unit, recovers described instruction operation environment, and the preservation address jumping in record continues to carry out;
If do not find corresponding record, instruction retrieval unit is also suitable for utilizing the address of restructuring instruction fragment in the corresponding table in address, to set up a record with described destination address.
Optionally, described instruction recombination unit also comprises:
Instruction resolution unit, is suitable for utilizing the described machine instruction fragment to be scheduled of instruction set coupling, obtains pending target machine instruction;
Modifying of order unit, is suitable for according to predetermined mode, revises described target machine instruction.
Optionally, described target instruction target word is storage/reading command;
Storage and reading address that described modifying of order unit is suitable for revising are wherein the address on safety storage apparatus.
Optionally, described target instruction target word is I/O instruction;
Described modifying of order unit is suitable for the input instruction in described I/O instruction all to stop.
Optionally, described target instruction target word is Internet Transmission instruction;
Described modifying of order unit is suitable for checking whether remote computing devices corresponding to the destination address in described Internet Transmission instruction is secure address; If not, described modifying of order unit is suitable for stoping described Internet Transmission instruction.
Optionally, described instruction recombination unit also comprises:
Dis-assembling unit, was suitable for before instruction resolution unit is resolved described machine instruction fragment to be scheduled, and machine instruction fragment to be scheduled described in dis-assembling, generates assembly instruction fragment to be scheduled;
Assembly unit, is suitable for the assembly instruction fragment after compilation restructuring, obtains the restructuring instruction fragment that machine code represents.
When method and apparatus provided by the invention can be realized operation, instruction catching and recombinating, and, getting after dispatch command fragment, can also machine instruction wherein be analyzed and be processed, thereby in the time of not only can realizing operation, instruction is caught, is recombinated, and can also realize the management to predetermined target instruction target word.
Accompanying drawing explanation
Fig. 1 is the system level schematic diagram of computing equipment in prior art;
The process flow diagram of instruction recombination method when Fig. 2 is the operation providing in one embodiment of the invention;
Fig. 3 is the generative process schematic diagram of the restructuring instruction fragment that provides in one embodiment of the invention;
Fig. 4 is the process flow diagram of step S102 in the Fig. 2 providing in another embodiment of the present invention;
The process flow diagram of instruction recombination method when Fig. 5 is the operation providing in another embodiment of the present invention, utilizes the corresponding table in address to preserve the instruction fragment of having recombinated;
The process flow diagram of instruction recombination method when Fig. 6 is the operation providing in another embodiment of the present invention, opens up separately the destination address that the first jump instruction is preserved in memory location;
The process flow diagram of instruction recombination method when Fig. 7 is the operation providing in another embodiment of the present invention, carries out dis-assembling and compilation process for on-fixed length instruction collection;
The process flow diagram of instruction recombination method when Fig. 8 is the operation providing in another embodiment of the present invention, substitutes or record the first jump instruction with pop down instruction;
The process flow diagram of instruction recombination method when Fig. 9 a is the operation providing in another embodiment of the present invention, the feature in a plurality of embodiment before instruction recombination method synthesis during operation wherein;
Operating process schematic diagram when instruction recombination method is moved on X86 system processor when Fig. 9 b-9d is the operation in Fig. 9 a;
Instruction recombination apparatus structure schematic diagram when Figure 10 is the operation providing in one embodiment of the invention;
Instruction recombination apparatus structure schematic diagram when Figure 11 is the operation providing in another embodiment of the present invention;
Figure 12 is the instruction recombination cellular construction schematic diagram providing in another embodiment of the present invention;
Instruction recombination apparatus structure schematic diagram when Figure 13 is the operation providing in another embodiment of the present invention;
Instruction recombination apparatus structure schematic diagram when Figure 14 is the operation providing in another embodiment of the present invention.
Embodiment
In order to make object of the present invention, technical scheme and advantage clearer, below in conjunction with accompanying drawing, the present invention is described in more detail.Should be appreciated that specific embodiment described herein, only in order to explain the present invention, is not intended to limit the present invention.
analyze
The system level schematic diagram that is illustrated in figure 1 computing equipment in prior art, from top to bottom, computing equipment comprises: user interface layer 101, application layer 102, operating system nucleus layer 103, hardware mapping layer 104 and hardware layer 105.
Wherein, user interface layer 101 is the interfaces between user and equipment, and user for example, is undertaken by this layer and equipment (be other levels of equipment, application layer 102) alternately.Application layer 102 finger application software layers.
Operating system nucleus layer 103 is a kind of logical layers based on software, by software data and software code, formed in general, than contact bed 101 and application layer 102, the code of operating system nucleus layer 103 has higher authority, can carry out complete operation to the various software and hardware resources in computer system.
User operates and obtains graphical or non-graphical feedback by user interface layer 101 (i.e. the user interface in user interface layer 101) to this computing equipment.With the example that is operating as of save data, its process comprises:
(1) user interface 101 that user provides by certain application program, selects " preservation " function;
(2) application layer 102 is called corresponding code, and above-mentioned user operation is converted into the interface function that one or more operating system provides, " preservations " operate and transform into calling of interface function that sequence of operations system kernel layer 103 is provided;
(3) operating system nucleus layer 103 is converted into by each operating system interface function the interface function that one or more hardware mapping layers 104 provide; I.e. " preservation " operation transforms into calling of interface function that a series of hardware mapping layers 104 are provided;
(4) interface function that hardware mapping layer 104 provides oneself each is converted into one or more hardware instructions and calls; Finally,
(5) hardware layer 105 (for example CPU) receives above-mentioned hardware instruction and calls and carry out hardware instruction.
For this computing equipment, after it is invaded by malicious code, malicious code can be obtained desired data from computing equipment, steal data after its behavior pattern comprise:
(1) storage behavior: target data content is saved in to certain memory location;
(2) transport behavior: the data of stealing are directly arrived to the destination address of appointment by Internet Transmission.
In addition, use the behavior pattern that the personnel of above-mentioned computing equipment or information equipment carry out divulging a secret inside to comprise:
(1) initiatively divulge a secret: concerning security matters personnel are copied, by malice instrument, penetrated security system, inserted the means such as wooden horse and directly obtain confidential data by active, and divulge a secret;
(2) passive divulging a secret: the computer of concerning security matters librarian use or storage medium are not good at losing or improper use (for example by concerning security matters equipment directly access Internet) causes divulges a secret because of keeping.
The above-mentioned multiple mode of divulging a secret cannot ensure the data security of this computing equipment.
Inventor finds after deliberation, and in computer run process, cpu address register is preserved the address of next machine instruction that will move, the address that for example pc (program counter, programmable counter) points to; Obtain the data in this register, and the address of pointing to according to these data, read the lower one or more of machine instruction that will move, in the time of can realizing operation, catch the object of machine instruction.
And, by revising the dispatch command fragment for the treatment of that described one or more machine instruction forms, (for example insert therein extra jump instruction, be called instruction recombination herein), make to regain CPU right of execution before this section of instruction operation is complete, and again catch the next one and treat dispatch command fragment, in the time of can realizing operation, catch continuously the object of machine instruction.
And, getting after dispatch command fragment, can also machine instruction wherein be analyzed and be processed, thereby in the time of not only can realizing operation, instruction be caught, recombinated, and can also realize the management to predetermined target instruction target word.
instruction recombination or instruction tracing
Based on above-mentioned analysis and discovery, a kind of instruction recombination method when operation is provided in one embodiment of the present of invention, is called instruction recombination platform during the method operation.As shown in Figure 2, the method S100 comprises:
S101, buffer memory instruction operation environment; Described instruction operation environment comprises address register, and address register is preserved the address of next machine instruction that will move, and this address is the first address;
S102, obtains machine instruction fragment to be scheduled; Wherein, the last item instruction of machine instruction fragment to be scheduled is the first jump instruction;
S103, before described the first jump instruction, inserts the second jump instruction, generates and has two address restructuring instruction fragment; The entry address of described the second jump instruction directional order restructuring platform, carries out after this second jump instruction, execution step S101;
S104, is revised as the second address by the first address in described address register; With
S105, recovers described instruction operation environment.
In the present embodiment, instruction recombination method is carried out on the CPU of X86-based during above-mentioned operation; In other embodiments of the invention, instruction recombination method also can be carried out on MIPS processor or the processor based on ARM framework during above-mentioned operation.One of ordinary skill in the art will appreciate that, in the instruction process unit of any other type that said method can be in computing equipment, carry out.
Wherein, in step S101, described buffer memory instruction operation environment can comprise:
To being pressed into CPU machine instruction in buffer memory stack, move relevant register data.
In other embodiments of the invention, buffer memory or the running environment of holding instruction also can be carried out in other data cached structures appointment, acquiescence and address.
In step S101, described address register can be cpu address register.
In step S102, in machine instruction fragment to be scheduled, the last item instruction is the first jump instruction, in machine instruction fragment to be scheduled, only have a jump instruction, machine instruction fragment to be scheduled comprise described the first jump instruction with and machine instruction all to be scheduled before.
In step S103, the last item instruction (i.e. the first jump instruction JP1) in described machine instruction fragment to be scheduled is front, insert the second jump instruction JP2, the entry address of described JP2 directional order restructuring platform, generates and has the second address A " restructuring instruction fragment.
Inserting the second jump instruction is for when CPU moves described machine instruction fragment to be scheduled, before JP1 operation, restart to move described instruction recombination platform, like this, instruction recombination platform just can continue to analyze next section of machine instruction fragment to be scheduled, thus the restructuring of instruction while completing all operations by method iterates.
In step S105, recovering described instruction operation environment can comprise:
From buffer memory stack, eject the register data that instruction operation is relevant; The destination address of the jump instruction that wherein address register is preserved has been revised as that to take the second address A " be the new machine instruction fragment of entry address.
After step S105 carries out, recovered described instruction operation environment, instruction recombination platform completes once operation, and CPU carries out described restructuring instruction fragment, and CPU will carry out that to take the second address A " be the machine instruction fragment of entry address.When restructuring instruction fragment is carried out the second jump instruction JP2, described instruction recombination platform obtains CPU control (performing step S101) again, now the destination address of the first jump instruction obtains, this destination address is the first new address, then re-executes step S101~step S105.
Below in conjunction with Fig. 3, further illustrate the generative process of instruction recombination process and restructuring instruction fragment.
Fig. 3 comprises machine instruction set 401 to be scheduled (being for example written into the machine instruction of certain program in internal memory), wherein instruction 4012 is the first jump instruction, if the destination address of instruction 4012 is variable, first presumptive instruction 4012 points to machine instruction 4013; The machine instruction all to be scheduled that comprises the first jump instruction 4012 before the first jump instruction 4012 has formed machine instruction fragment 4011.
(instruction recombination platform 411), first buffer memory instruction operation environment after the operation of instruction recombination method; Then obtain (for example copy) machine instruction fragment 4011; It is own that instruction recombination platform has inserted the second jump instruction 4113, the second jump instruction 4113 directional order restructuring platforms 411 before the first jump instruction 4012, thereby generated restructuring instruction fragment 4111, and the address of restructuring instruction fragment is A "; The value A of the address register in the instruction operation environment of described buffer memory is revised as to address A "; Finally recover described instruction operation environment.
According to a further embodiment of the invention, as shown in Figure 4, in step S102, obtaining machine instruction fragment to be scheduled can comprise:
S1021, for example, reads machine instruction to be scheduled address from address register (cpu address register):
S1022, take jump instruction as searched targets, retrieves machine instruction and subsequent instructions thereof that described machine instruction address is pointed to, until find first jump instruction (being called the first jump instruction); Described jump instruction refers to change the machine instruction that machine instruction is sequentially carried out flow process, comprises Jump instruction, Call instruction, Return instruction etc.;
S1023, described the first jump instruction is usingd and machine instruction all to be scheduled before as a machine instruction fragment to be scheduled; This machine instruction fragment is kept in instruction recombination platform, or the memory location that can read of other instruction recombination platforms.
In other embodiments of the invention, obtaining machine instruction fragment to be scheduled, also can to take non-jump instruction (such as writing instruction, reading command etc.) be searched targets, further cutting machine instruction fragment.Due in such embodiments, also need to guarantee wait dispatch jump instruction carry out after instruction recombination platform still can obtain CPU control or right of execution, so jump instruction need to be as the second searched targets, thereby obtain the machine instruction fragment that granularity is less.
According to a further embodiment of the invention, between step S102 and S103, during described operation, instruction recombination method can also comprise:
Utilize the described machine instruction fragment to be scheduled of instruction set coupling, obtain target machine instruction; Described instruction set comprises X86, MIPS and ARM instruction set; With
According to predetermined mode, revise described target machine instruction.
In the time of not only can completing operation, instruction monitoring, can also carry out other processing procedures, and related embodiment will be described in detail below.
Further, in order to improve the efficiency of instruction recombination method, the pointed dispatch command for the treatment of of fixed address jump instruction can be obtained in the lump in step S102.
According to a further embodiment of the invention, a kind of instruction recombination method when operation is provided, the method S300 comprises:
S301, buffer memory instruction operation environment; Described instruction operation environment comprises address register, and address register is preserved the address of next machine instruction that will move, and this address is the first address;
S302, obtains machine instruction fragment to be scheduled; Wherein, the last item instruction of machine instruction fragment to be scheduled is the first jump instruction;
S303, before described the first jump instruction, inserts the second jump instruction, generates and has two address restructuring instruction fragment; The entry address of described the second jump instruction directional order restructuring platform, carries out after this second jump instruction, execution step S301;
S304, is revised as the second address by the first address in described address register;
S305, recovers described instruction operation environment.
Compare with the method providing in embodiment before, difference is: in step S302, in machine instruction fragment to be scheduled, can comprise many jump instructions; In jump instruction, only have an argument address jump instruction, be called the first jump instruction.
It should be noted that, jump instruction can comprise two classes, argument address jump instruction and constant address jump instruction, wherein, the jump address of constant address jump instruction is constant (being immediate), and argument address in argument address jump instruction generally calculates in a machine instruction before jump instruction.
Similarly, the last item instruction of machine instruction fragment to be scheduled is the first jump instruction; Machine instruction fragment to be scheduled comprise described the first jump instruction with and machine instruction all to be scheduled before.
Further, because the machine instruction generating in program operation process has very high repeatability, in order to improve the efficiency of instruction recombination method, save the computational resource (cpu resource) of computing equipment, can utilize a small amount of storage space to preserve restructuring instruction fragment.
A kind of instruction recombination method while according to a further embodiment of the invention, providing operation.As shown in Figure 5, the method S200 comprises:
S201, buffer memory instruction operation environment; Described instruction operation environment comprises address register (for example cpu address register) (in general, instruction operation environment refers to all registers of CPU, comprise general-purpose register, status register, address register etc.), address register is preserved the address of next machine instruction that will move, and this address is the first address;
S202, utilizes the corresponding table in described the first address search address; The corresponding table in described address is for representing whether the dispatch command fragment for the treatment of that the first address A points to has the restructuring instruction fragment of having preserved, and the data of the corresponding table in address are address pair;
S203, if find corresponding record, is revised as described the first address A (being the value A of address register) the address A ' of the restructuring instruction fragment of having preserved;
S204, if do not find corresponding record, obtains machine instruction fragment to be scheduled; Wherein, the last item instruction of machine instruction fragment to be scheduled is the first jump instruction;
S205, before described the first jump instruction, inserts the second jump instruction, generates and has two address restructuring instruction fragment; The entry address of described the second jump instruction directional order restructuring platform, carries out after this second jump instruction, execution step S201;
S206, is revised as the second address by the first address in described address register;
S207, recovers described instruction operation environment.
Further, step S206 also comprises: utilize the second address A " sets up address to (or a record) in the corresponding table in described address with the first address A.There is address A " restructuring instruction fragment be stored in restructuring instruction platform, for reusing.
This method is utilized the corresponding table in address, saves computational resource, the efficiency of instruction recombination while improving operation.
Above-mentioned recombination method, generally by treating that inserting required jump instruction among dispatch command fragment completes, in other embodiments of the invention, also can complete the generation of restructuring instruction fragment by other means.Below in conjunction with embodiment, introduce in detail.
According to a further embodiment of the invention, provide a kind of instruction recombination method, open up separately the destination address that the first jump instruction is preserved in memory location.As shown in Figure 6, the method S110 comprises:
S111, buffer memory instruction operation environment;
S112, reads destination address from the first memory location, obtains the machine instruction fragment for the treatment of scheduling (pending) according to destination address; Wherein, the last item instruction of machine instruction fragment to be dispatched is the first jump instruction;
S113, preserves the destination address of the first jump instruction in the first memory location;
S114, replaces with the second jump instruction by the first jump instruction, generates and has two address restructuring instruction fragment; The entry address of described the second jump instruction directional order restructuring platform, carries out after this second jump instruction, execution step S111;
S115, recovers described instruction operation environment, and jumps to the second address continuation execution.
Wherein, in step S112, obtaining machine instruction fragment to be scheduled can comprise:
S1121, take jump instruction as searched targets, retrieve machine instruction and subsequent instructions thereof that described machine instruction address is pointed to, until find first jump instruction (being called the first jump instruction);
Described jump instruction refers to change the machine instruction that machine instruction is sequentially carried out flow process, comprises Jump instruction, Call instruction, Return instruction etc.;
S1122, described the first jump instruction is usingd and machine instruction all to be scheduled before as a machine instruction fragment to be scheduled; This machine instruction fragment is kept in instruction recombination platform, or the memory location that can read of other instruction recombination platforms.
In step S113, destination address is the destination address parameter of jump instruction, and it can be immediate or variable parameter, for immediate, preserves its value, for variable parameter, preserves its address/quote.When processor is about to carry out certain jump instruction, its jump target addresses is complete as calculated.
According to a further embodiment of the invention, provide a kind of instruction recombination method, for on-fixed length instruction collection, carry out dis-assembling and compilation process.As shown in Figure 7, the method comprises:
S121, buffer memory instruction operation environment;
S122, reads destination address from the first memory location, according to destination address, obtains and treats dispatch command fragment:
From destination address, obtain one section of machine instruction to be scheduled, this section of machine instruction carried out to dis-assembling, and dis-assembling result is processed and mated by a lexical analyzer whether wherein comprise jump instruction, if do not comprised, continue to obtain next section of machine instruction to be scheduled and repeat aforesaid operations, until match jump instruction, this jump instruction is the first jump instruction; The first jump instruction and all instructions before form treats dispatch command fragment;
S123, preserves the destination address of the first jump instruction in the first memory location;
S124, replaces with the second jump instruction by the first jump instruction, generates and has two address restructuring instruction fragment; The entry address of described the second jump instruction directional order restructuring platform; In the present embodiment, this first jump instruction and the second jump instruction are all assembly instruction;
S125, generates corresponding machine code by the assembly code after the restructuring of generation by assembler; With
S126, recovers described instruction operation environment, and jumps to the second address continuation execution.
According to a further embodiment of the invention, provide a kind of instruction recombination method, with pop down instruction, substitute or record the first jump instruction.As shown in Figure 8, the method S130 comprises:
S131, buffer memory instruction operation environment;
S132, obtains address and the parameter of the jump instruction of preserving in stack, calculates the instruction address that next is about to operation, and this address is the first address;
S133, waits the machine instruction fragment of dispatching/carrying out according to the first address acquisition; Wherein, the last item instruction of machine instruction fragment to be dispatched is the first jump instruction;
S134, replacing the first jump instruction is pop down instruction, records address and the operand of the first jump instruction in pop down instruction;
S135 adds the second jump instruction after pop down instruction, generates and has two address restructuring instruction fragment; The entry address of described the second jump instruction directional order restructuring platform; With
S136, recovers described instruction operation environment, and jumps to the second address continuation execution.
One of ordinary skill in the art will appreciate that, the function providing in above-mentioned each embodiment or feature can be superimposed upon in same embodiment according to the actual needs, and just combination provides no longer one by one here, only gives one example below and carries out exemplary illustration.
According to a further embodiment of the invention, provide a kind of instruction recombination method, as shown in Fig. 9 a, comprising:
(1) buffer memory instruction operation environment, described instruction operation environment comprises whole CPU environment and memory environment; Obtain address and the parameter of the jump instruction of preserving in stack, calculate the instruction address (zero-address) that next is about to operation, the first address is set to zero-address;
(2) utilize the first address to search address correspondence and show (also referred to as address search table), if find record, recover the instruction operation environment of institute's buffer memory, and jump to corresponding address (address in the corresponding table in address is internal) the continuation execution of finding;
(3) if do not find record, since the first address, obtain pending machine instruction fragment, the ending of instruction fragment is jump instruction (jump instruction address is the 3rd address);
(4) since the first address, machine code is carried out to dis-assembling, and dis-assembling result is processed by a lexical analyzer, generate the assembly code after restructuring, until the 3rd address;
(5) whether the code that judges the 3rd place, address can further be processed, the destination address of the jump instruction at the 3rd address place be known quantity (for example, immediate), if can, the first address is set to the 3rd address (or destination address of the 3rd address), restarts to carry out (3);
(6) if cannot, assembly code after the restructuring generating is last, add pop down instruction to record the original address position of current the 3rd address (i.e. the value of the 3rd address) and operand, and after pop down instruction, add and jump to the instruction that starts of restructuring platform, can make step (1) again start to carry out;
(7) assembly code after the restructuring of generation is generated to corresponding machine code by assembler, and be stored in the address (the second address) distributing in restructuring address space, and the second address and zero-address are stored in the corresponding table in address with the right form of corresponding address;
(8) recover environment, and jump to the second address continuation execution.
For convenient, understand, the existing method of moving this embodiment and providing with X86 system processor describes, and with reference to figure 9b-9d, an instantiation procedure of instruction recombination is as follows:
(1) restructuring is after platform starts working, first buffer memory present instruction running environment; Obtain address and the parameter of the jump instruction of preserving in stack, calculate the instruction address that next is about to operation, this address is the first address.
(2) utilize the first address to search the corresponding table in address, if find record, recover the instruction operation environment of institute's buffer memory, and jump to the corresponding address continuation execution (Fig. 9 b) of finding; If do not find record, proceed as follows (Fig. 9 c).
(3) dis-assembling, since the first address, is carried out by machine code in-(6), and dis-assembling result is processed by a lexical analyzer, generates restructuring code;
This paragraph assembly code is retrieved, checked and whether comprise jump instruction;
First jump instruction is analyzed, judged whether its jump target addresses is known quantity, if known quantity continues to find, until find the jump instruction of article one argument address, be called the first jump instruction, the address of this instruction is the 3rd address;
At the assembly code (machine instruction from three addresses, the first address to the, does not comprise the first jump instruction) generating, finally add pop down instruction to record original address position and the operand of the first redirect of current the 3rd address;
After pop down instruction, add and jump to the instruction (the second jump instruction) that restructuring platform starts.
(7) assembly code of generation is generated to corresponding machine code by assembler, and be stored in the address (the second address) distributing in restructuring address space;
The second address and zero-address are stored in the corresponding table in address with the right form of corresponding address.
(8) recover environment, and jump to the second address continuation execution.
(Fig. 9 d) processor starts to carry out two address instruction, and the jump instruction in instruction fragment to be reorganized before has replaced with the instruction of pop down instruction and redirect duplicate removal group platform, and the main object of pop down instruction is to provide input parameter to restructuring platform.(Fig. 9 d) is when carrying out to the second jump instruction, restructuring platform is carried out again, carries out above-mentioned step (1), by checking address and the parameter of the jump instruction of preserving in pop down instruction, calculate the instruction address that next is about to operation, this address is the first address.
Processing is afterwards the circulation of said process.
Further, instruction monitoring while moving in order to carry out from system starts, while realizing the operation of computing equipment operation phase, instruction is monitored entirely, in another embodiment of the present invention, load instruction while revising computer starting, before carrying out, load instruction calls instruction recombination platform provided by the invention, instruction recombination method while carrying out above-mentioned operation, because load instruction jump address is known fixed address, instruction recombination platform can establish the corresponding table in address and this article one record in advance, and establishes first restructuring instruction fragment.
Further, according to a further embodiment of the invention, provide a kind of computer-readable medium, wherein, in described computer-readable recording medium, store the executable program code of computing machine, the step of described program code instruction recombination method when carrying out the operation that above-described embodiment provides.
Further, according to a further embodiment of the invention, provide a kind of computer program, wherein, the step of instruction recombination method when the operation providing in above-described embodiment is provided described computer program.
instruction recombination for data security
During above-mentioned operation, instruction recombination method provides the foundation for further application.Instruction recombination method when the various operation that instruction is processed for different machines is provided in the following examples, comprising storage/reading command, I/O instruction, and Internet Transmission instruction:
(1) storage/reading command refers to all instruction or packing of orders that External memory equipment (including but not limited to disk, mobile storage, optical storage) is stored/read in computer system.
(2) I/O instruction refers to the instruction of the address space of all operations peripheral hardware in computer system, and these instructions finally can affect peripheral hardware input/output state, data, signal etc.The I/O Address space here includes but not limited to (I/O address space, memory-mapped I/O device address space).
(3) Internet Transmission instruction refers to all instructions that affect the network equipment in computer system, and these instructions finally can affect all correlation properties such as the transmission, state, data, signal of computer system network equipment.
Wherein, between storage/reading command and I/O instruction, can there is common factor.
According to one embodiment of the invention, instruction recombination method S400 when a kind of operation for storage/reading command is provided, comprising:
S401, buffer memory instruction operation environment; Described instruction operation environment comprises address register, and address register is preserved the address of next machine instruction that will move, and this address is the first address;
S402, utilizes the corresponding table in described the first address search address;
S403, if find corresponding record, is revised as described the first address A the address A ' of the restructuring instruction fragment of having preserved;
S404, if do not find corresponding record, the generation method of restructuring instruction fragment comprises:
S4041, obtains machine instruction fragment to be dispatched; Wherein, the last item instruction of machine instruction fragment to be scheduled is the first jump instruction; S102 is identical with step;
S4042, machine instruction fragment to be dispatched described in dis-assembling, obtains assembly instruction fragment;
S4043, searched targets assembly instruction, described target assembly instruction is storage/reading command;
S4044, if retrieval obtains the storage/reading command in described assembly instruction fragment, storage and the reading address revised are wherein the address on safety storage apparatus; Alter mode can be the direct mapping between local address space and safety storage apparatus address space;
S4045, before described the first jump instruction JP1, inserts the second jump instruction JP2, the entry address of described JP2 directional order restructuring platform;
S4046, the assembly instruction fragment revised of compilation, generation has address A " restructuring machine instruction fragment;
The restructuring instruction fragment that S4047, utilizes restructuring machine instruction sheet sector address A " set up a record (or address to) with the first address A in the corresponding table in described address, have address A " is stored in recombinates in instruction platform;
S4048, is revised as the second address A by the first address A ";
S405, recovers described instruction operation environment.
The present embodiment carries out instruction process after dis-assembling step; In other embodiments, also can omit dis-assembling and corresponding compilation step, directly handling machine instruction.
In step S4044, for storage and reading command, operate, revise target and source address wherein, to realize storage reorientation/redirected, guarantee data security.The method of safe storage/read will be introduced in the following examples provided by the invention more specifically.
According to one embodiment of the invention, instruction recombination method S500 when a kind of operation for I/O instruction is provided, comprising:
S501, buffer memory instruction operation environment; Described instruction operation environment comprises address register, and address register is preserved the address of next machine instruction that will move, and this address is the first address;
S502, utilizes the corresponding table in described the first address search address;
S503, if find corresponding record, is revised as described the first address A the address A ' of the restructuring instruction fragment of having preserved;
S504, if do not find corresponding record, the generation method of restructuring instruction fragment comprises:
S5041, obtains machine instruction fragment to be dispatched; Wherein, the last item instruction of machine instruction fragment to be scheduled is the first jump instruction; S102 is identical with step;
S5042, machine instruction fragment described in dis-assembling, obtains assembly instruction fragment;
S5043, searched targets assembly instruction, described target assembly instruction is I/O instruction;
S5044, if retrieval obtains the I/O instruction in described assembly instruction fragment, all stops the input instruction in described I/O instruction;
S5045, before described the first jump instruction JP1, inserts the second jump instruction JP2, the entry address of described JP2 directional order restructuring platform;
S5046, the assembly instruction fragment revised of compilation, generation has address A " restructuring machine instruction fragment;
The restructuring instruction fragment that S5047, utilizes restructuring machine instruction sheet sector address A " set up a record (or address to) with the first address A in the corresponding table in described address, have address A " is stored in recombinates in instruction platform;
S5048, is revised as the second address A by the first address A ";
S505, recovers described instruction operation environment.
The present embodiment carries out instruction process after dis-assembling step; In other embodiments, also can omit dis-assembling and corresponding compilation step, directly handling machine instruction.
In step S5044, for I/O, instruction operates, and the input instruction in described I/O instruction is all stoped, to realize the write operation of thorough blocking-up to local hardware device; In conjunction with the storage instruction process process in a upper embodiment, can also realize the prevention to the input instruction except storage instruction, can improve the data security in computing equipment.
According to one embodiment of the invention, instruction recombination method S600 when a kind of operation for Internet Transmission instruction is provided, comprising:
S601, buffer memory instruction operation environment; Described instruction operation environment comprises address register, and address register is preserved the address of next machine instruction that will move, and this address is the first address;
S602, utilizes the corresponding table in described the first address search address;
S603, if find corresponding record, is revised as described the first address A the address A ' of the restructuring instruction fragment of having preserved;
S604, if do not find corresponding record, the generation method of restructuring instruction fragment comprises:
S6041, obtains machine instruction fragment to be dispatched; Wherein, the last item instruction of machine instruction fragment to be scheduled is the first jump instruction; S102 is identical with step;
S6042, machine instruction fragment to be dispatched described in dis-assembling, obtains assembly instruction fragment;
S6043, searched targets assembly instruction, described target assembly instruction is Internet Transmission instruction;
S6044, if retrieval obtains the Internet Transmission instruction in described assembly instruction fragment, checks whether remote computing devices corresponding to destination address in described Internet Transmission instruction is secure address, if not, stop described Internet Transmission instruction;
S6045, before described the first jump instruction JP1, inserts the second jump instruction JP2, the entry address of described JP2 directional order restructuring platform;
S6046, the assembly instruction fragment revised of compilation, generation has address A " restructuring machine instruction fragment;
The restructuring instruction fragment that S6047, utilizes restructuring machine instruction sheet sector address A " set up a record (or address to) with the first address A in the corresponding table in described address, have address A " is stored in recombinates in instruction platform;
S6048, is revised as the second address A by the first address A ";
S605, recovers described instruction operation environment.
In step S6044, the instruction of stop/refusal Internet Transmission can replace with the transfer instruction of itself " cancelling the instruction of current operation " or directly replace with illegal command by inserting one to many instructions in the code after restructuring, be depending on the difference of hardware.
The present embodiment carries out instruction process after dis-assembling step; In other embodiments, also can omit dis-assembling and corresponding compilation step, directly handling machine instruction.
In step S6044, for Internet Transmission, instruction operates, and checks whether remote computing devices corresponding to destination address in described Internet Transmission instruction is secure address; If not, stop described Internet Transmission instruction, to realize Security Data Transmission.
The corresponding table in address in above-mentioned a plurality of embodiment is set up and is safeguarded by instruction recombination platform, can be the structure of arrays of regular length, can be also the list structure of variable-length, can also be the suitable data structure of other storage binary datas.Preferably, its adjustable in length, and it takes up room and can discharge.The operation that discharges the corresponding table in address can be carried out at random, also can carry out in the cycle.In certain embodiments, the corresponding table in described address can also comprise and record field Time Created, for when the Free up Memory deletion record, according to the length deletion record of Time Created.In certain embodiments, the corresponding table in described address can also comprise and records access times field, in searching address corresponding table step, if found, will change the value of this field; The described access times field that records is also for when the Free up Memory deletion record, according to how many deletion records of access times.
In addition, those skilled in the art will appreciate that above-mentioned instruction recombination method (instruction recombination method while moving) can be used the method for software or hardware to realize:
(1) if realized with software, the step that said method is corresponding is stored on computer-readable medium with the form of software code, becomes software product;
(2) if realized with hardware, the step that said method is corresponding for example, is described with hardware identification code (Verilog), and curing (through processes such as physical Design/placement-and-routing/wafer factory flows) becomes chip product (for example processor products).To introduce in detail below.
instruction recombination device
During with above-mentioned operation, instruction recombination method S100 is corresponding, according to one embodiment of the invention, and instruction recombination device when a kind of operation is provided.As shown in figure 10, instruction recombination device 500 comprises:
Instruction operation environment buffer memory and recovery unit 501, be suitable for buffer memory and recover instruction operation environment; Described instruction operation environment comprises address register, and this address register is preserved the address of next machine instruction that will move, and this address is the first address;
Instruction fetch unit 502, is suitable for, after unit 501 buffer memory instruction operation environment, obtaining machine instruction fragment to be scheduled; Wherein, the last item instruction of machine instruction fragment to be scheduled is the first jump instruction;
Described instruction operation environment buffer memory and recovery unit 501 respectively and instruction acquiring unit 502 and address replacement unit 504 couple, described instruction fetch unit 502, and 503He address, instruction recombination unit replacement unit 504 couples successively.
Install 500 implementations as follows:
First, instruction operation environment buffer memory and recovery unit 501 buffer memory instruction operation environment, for example, be pressed into the register data that instruction operation is relevant in buffer memory stack;
Then, described instruction fetch unit 502 reads machine instruction to be scheduled address from cpu address register 511, and reads machine instruction fragment from described machine instruction address, and the instruction of described machine instruction fragment the last item is jump instruction;
For example, instruction fetch unit 502 reads machine instruction to be scheduled address from cpu address register 511; Take jump instruction as searched targets, retrieve machine instruction corresponding to described machine instruction address, until find first jump instruction; Described jump instruction comprises such as Jump instruction and Call instruction etc.; Using described first jump instruction and all machine instructions before thereof as a machine instruction fragment to be scheduled; This machine instruction fragment is kept in device 500, or the memory location that can read of other device 500;
Then, instruction recombination unit 503, before the last item instruction of the described machine instruction fragment of obtaining, inserts the second jump instruction, and the entry address of described the second jump instruction indicator device 500 generates and has address A " restructuring instruction fragment;
Then, address replacement unit 504 is revised as address A by the value A of the address register in the instruction operation environment of described buffer memory ";
Finally, instruction operation environment buffer memory and recovery unit 501 recover described instruction operation environment, for example, from buffer memory stack, eject the register data that instruction operation is relevant.
During with above-mentioned operation, instruction recombination method S300 is corresponding, and described instruction fetch unit 502 can be using first non-constant address jump instruction as the first jump instruction.To improve the execution efficiency of reconstruction unit.
During with above-mentioned operation, instruction recombination method S200 is corresponding, according to a further embodiment of the invention, instruction recombination device when a kind of operation is provided, in the time of can making full use of operation, instruction repeatability, raises the efficiency, and saves computational resource.
As shown in figure 11, instruction recombination device 600 comprises:
Instruction operation environment buffer memory and recovery unit 601, be suitable for buffer memory and recover instruction operation environment; Described instruction operation environment comprises address register, and address register is preserved the address of next machine instruction that will move, and this address is the first address;
Instruction fetch unit 602, is suitable for obtaining machine instruction fragment to be scheduled; Wherein, the last item instruction of machine instruction fragment to be scheduled is the first jump instruction;
If find corresponding record, instruction retrieval unit 605 is suitable for call address replacement unit 604, described the first address A (being the value A of address register) is revised as to the address A ' of the restructuring instruction fragment of having preserved; If do not find corresponding record, instruction retrieval unit is suitable for utilizing the second address A " sets up a record with address A in the corresponding table in described address.
Described instruction operation environment buffer memory and recovery unit 601 respectively and instruction retrieval unit 605 and address replacement unit 604 couple, described instruction retrieval unit 605 is and instruction acquiring unit 602 respectively, 603He address, instruction recombination unit replacement unit 604 couples, and described instruction fetch unit 602,603He address, instruction recombination unit replacement unit 604 couple successively.
The implementation of device 600 is as follows:
First, instruction operation environment buffer memory and recovery unit 601 buffer memory instruction operation environment, for example, be pressed into the register data that instruction operation is relevant in buffer memory stack;
Then, instruction retrieval unit 605 utilizes the value A of the address register in the instruction operation environment of described buffer memory to search the corresponding table in address;
If find corresponding record, instruction retrieval unit 605 call address replacement units 604, address replacement unit 604 is revised as the value A ' in record by the value A of described address register; Address replacement unit 604 call instruction running environment buffer memorys and recovery unit 602 to recover described instruction operation environment, eject the register data that instruction operation is relevant from buffer memory stack, and this reorganization operation finishes;
If do not find corresponding record, described instruction fetch unit 602 is from cpu address register read machine instruction to be scheduled address, and reads machine instruction fragment from described machine instruction address, and the instruction of described machine instruction fragment the last item is jump instruction.Concrete, instruction fetch unit 602 is from cpu address register read machine instruction to be scheduled address; Take jump instruction as searched targets, retrieve machine instruction corresponding to described machine instruction address, until find first jump instruction; Described jump instruction comprises Jump instruction and Call instruction etc.; Using described first jump instruction and all machine instructions before thereof as a machine instruction fragment to be scheduled; This machine instruction fragment is kept in device 600, or the memory location that can read of other device 600;
Then, instruction recombination unit 603, before the last item instruction of the described machine instruction fragment of obtaining, inserts the second jump instruction, and the entry address of described the second jump instruction indicator device 600 generates and has address A " restructuring instruction fragment;
Then, 603Jiang address, instruction recombination unit A " send to instruction retrieval unit 605, instruction retrieval unit 605 utilizes address A " sets up a record with the corresponding table in address A address therein; In order to subsequent instructions, reuse;
Then, address replacement unit 604 is revised as address A by the value A of the address register in the instruction operation environment of described buffer memory ";
Finally, instruction operation environment buffer memory and recovery unit 601 recover described instruction operation environment, from buffer memory stack, eject the register data that instruction operation is relevant.
Continuation is with reference to Figure 11, and wherein, instruction recombination unit 603 can also comprise:
Modifying of order unit 6032, is suitable for according to predetermined mode, revises described target machine instruction.
For example, if described target instruction target word is storage/reading command, described instruction resolution unit 6031 will be responsible for obtaining the storage/reading command in machine instruction fragment to be scheduled, and storage and reading address that described modifying of order unit 6032 is revised are wherein the address on safety storage apparatus.Its effect is identical with above-mentioned corresponding embodiment of the method S400, repeats no more here.
Again for example, if described target instruction target word is I/O instruction, described instruction resolution unit 6031 will be responsible for obtaining the I/O instruction in machine instruction fragment to be scheduled, and described modifying of order unit 6032 all stops the input instruction in described I/O instruction.Its effect is identical with above-mentioned corresponding embodiment of the method S500, repeats no more here.
Again for example, if described target instruction target word is Internet Transmission instruction, described instruction resolution unit 6031 will be responsible for obtaining the Internet Transmission instruction in machine instruction fragment to be scheduled, and whether remote computing devices corresponding to destination address in the described Internet Transmission instruction of described modifying of order unit 6032 check is secure address; If not, described modifying of order unit is suitable for stoping described Internet Transmission instruction.Its effect is identical with above-mentioned corresponding embodiment of the method S600, repeats no more here.
According to a further embodiment of the invention, above-mentioned instruction recombination unit can also comprise dis-assembling unit and assembly unit.As shown in figure 12, instruction recombination unit 703 comprises: the dis-assembling unit 7031 coupling successively, instruction resolution unit 7032, modifying of order unit 7033 and assembly unit 7034.
Wherein, dis-assembling unit 7031 was suitable for before resolving, revising described machine instruction fragment to be scheduled, and machine instruction fragment to be scheduled described in dis-assembling, generates assembly instruction fragment to be scheduled; Send to instruction resolution unit 7032.
Assembly unit 7034 is suitable for after resolving, revising described machine instruction fragment to be scheduled, and the assembly instruction fragment after compilation restructuring, obtains the restructuring instruction fragment that machine code represents; Send to instruction replacement unit.
In this embodiment, described instruction resolution unit 7032 and modifying of order unit 7033 will operate assembly instruction fragment to be scheduled.
During with above-mentioned operation, instruction recombination method S110 is corresponding, according to a further embodiment of the invention, and instruction recombination device when a kind of operation is provided.As shown in figure 13, instruction recombination device 800 comprises:
Instruction operation environment buffer memory and recovery unit 801, be suitable for buffer memory instruction operation environment;
Instruction fetch unit 802 and the first memory location 803, wherein, instruction fetch unit 802 is suitable for reading destination address from the first memory location 803, and obtains according to destination address the machine instruction fragment for the treatment of scheduling/execution; Wherein, the last item instruction of machine instruction fragment to be dispatched is the first jump instruction; And
Wherein, instruction operation environment buffer memory and recovery unit 801 are also suitable for, after instruction recombination unit 804 replacement instructions, recovering described instruction operation environment, and jump to the second address continuation execution.
The implementation of device 800 is as follows:
First, instruction operation environment buffer memory and recovery unit 801 buffer memory instruction operation environment;
Then, instruction fetch unit 802 reads destination address (treating dispatch command address) from the first memory location 803, according to destination address, obtain machine instruction fragment to be dispatched; Wherein, the last item instruction of machine instruction fragment to be dispatched is the first jump instruction;
Then, the destination address of the first jump instruction is preserved in instruction recombination unit 804 in the first memory location 803; For immediate, preserve its value, for variable parameter, preserve its address/quote;
Then, instruction recombination unit 804 replaces with the second jump instruction by the first jump instruction, generates and has two address restructuring instruction fragment;
Finally, instruction operation environment buffer memory and recovery unit 801 recover described instruction operation environment, and jump to the second address continuation execution.
According to a further embodiment of the invention, instruction recombination device when a kind of operation is provided, S130 is corresponding with said method, and the feature that the device providing in above-mentioned some embodiment is provided.As shown in figure 14, this device 900 comprises:
Instruction operation environment buffer memory and recovery unit 901, be suitable for buffer memory and recover instruction operation environment;
Instruction fetch unit 902, the mode that is suitable for calculating by input parameter is obtained next instruction address that is about to operation, and this address is the first address; Also be suitable for treating according to the first address acquisition the machine instruction fragment of scheduling/execution; Wherein, the last item instruction of machine instruction fragment to be dispatched is the first jump instruction;
If find corresponding record, instruction retrieval unit 904 is suitable for call instruction running environment buffer memory and recovery unit 901 recovers the instruction operation environment of institute's buffer memory, and jumps to the corresponding address continuation execution (reorganization operation completes) of finding;
If do not find corresponding record, call instruction recomposition unit 903 is carried out reorganization operation.
Wherein, instruction recombination unit 903 can also comprise dis-assembling unit 9031, instruction resolution unit 9032, modifying of order unit 9033, and assembly unit 9034.
Wherein, when instruction recombination unit 902 completes after restructuring, be suitable for the instruction operation environment of call instruction running environment buffer memory and recovery unit 901 recovery institute buffer memorys, and jump to the address continuation execution (this reorganization operation completes) of restructuring instruction fragment.
According to a further embodiment of the invention, above-mentioned dis-assembling unit 9031 can be positioned among instruction fetch unit 902, when obtaining instruction fragment to be scheduled, by it, carries out dis-assembling operation.
It will be appreciated by those skilled in the art that, the arrow of the data stream in the accompanying drawing of said apparatus embodiment is just for the ease of explaining the concrete operations flow process in above-described embodiment, do not limit the data flow between unit or closure in figure, in device between unit for coupling relation.
Above by the detailed introduction of some embodiment instruction recombination method and apparatus during operation, it compared with prior art has the following advantages:
By instruction recombination method, can be under instruction operation state the instruction of monitoring calculation equipment;
Utilize the corresponding table in address, improved instruction recombination efficiency, saved computational resource;
For storage and reading command, operate, revise target and source address wherein, to realize storage reorientation/redirected, guarantee data security;
For I/O, instruction operates, and the input instruction in described I/O instruction is all stoped, to realize the write operation of thorough blocking-up to local hardware device; The prevention to the input instruction except storage instruction can also be realized, the data security in computing equipment can be improved;
For Internet Transmission, instruction operates, and checks whether remote computing devices corresponding to destination address in described Internet Transmission instruction is secure address; If not, stop described Internet Transmission instruction, to realize Security Data Transmission.
Should be noted that and understand, in the situation that not departing from the desired the spirit and scope of the present invention of accompanying claim, can make various modifications and improvement to the present invention of foregoing detailed description.Therefore, the scope of claimed technical scheme is not subject to the restriction of given any specific exemplary teachings.
Claims (17)
1. an instruction recombination method while moving, comprising:
Step 1, buffer memory instruction operation environment;
Step 2, from the first memory location, read destination address, according to destination address, obtain machine instruction fragment to be scheduled; The last item instruction of machine instruction fragment to be scheduled is the first jump instruction;
Step 3, in the first memory location, preserve the destination address of the first jump instruction;
Step 4, the first jump instruction is replaced with to the second jump instruction, generate and there is two address restructuring instruction fragment; The entry address of described the second jump instruction directional order restructuring platform; With
Step 5, recover described instruction operation environment, and jump to the second address and continue to carry out.
2. instruction recombination method during operation as claimed in claim 1, in step 2, according to destination address, obtain and treat that dispatch command fragment comprises:
From destination address, obtain one section of machine instruction to be scheduled, this section of machine instruction carried out to dis-assembling;
Check in dis-assembling result whether comprise jump instruction, if do not comprised, continue to obtain one section of machine instruction to be scheduled next, until match jump instruction, this jump instruction is the first jump instruction; Wherein, the first jump instruction and all instructions compositions are before treated dispatch command fragment.
3. instruction recombination method during operation as claimed in claim 2, between step 4 and step 5, also comprises:
Assembly code after the restructuring of generation is generated to corresponding machine code by assembler.
4. instruction recombination method during operation as claimed in claim 1, between step 1 and step 2, also comprises:
From the first memory location, read destination address, utilize described destination address to search the corresponding table in address; The corresponding table in described address is for representing whether machine instruction fragment to be scheduled has the restructuring instruction fragment of having preserved;
If find corresponding record, recover described instruction operation environment, and the preservation address jumping in record continues to carry out.
5. instruction recombination method during operation as claimed in claim 4, if do not find corresponding record in the corresponding table in address, after step 4, also comprises:
Utilize the address of restructuring instruction fragment in the corresponding table in address, to set up a record with described destination address.
6. instruction recombination method during operation as claimed in claim 1, before step 4, also comprises:
Resolve described machine instruction fragment to be scheduled, utilize instruction set to mate described machine instruction fragment, obtain pending target machine instruction;
According to predetermined mode, revise described target machine instruction.
7. instruction recombination method during operation as claimed in claim 6, wherein, described target instruction target word is storage/reading command;
According to predetermined mode, revise described target machine instruction and comprise: storage and the reading address revised are wherein the address on safety storage apparatus.
8. instruction recombination method during operation as claimed in claim 6, wherein, described target instruction target word is I/O instruction;
According to predetermined mode, revise described target machine instruction and comprise: the input instruction in described I/O instruction is all stoped.
9. instruction recombination method during operation as claimed in claim 6, wherein, described target instruction target word is Internet Transmission instruction;
According to predetermined mode, revise described target machine instruction and comprise: check whether remote computing devices corresponding to destination address in described Internet Transmission instruction is secure address; If not, stop described Internet Transmission instruction.
10. a computer-readable medium, stores the executable program code of computing machine in described computer-readable recording medium, and described program code is for executing claims the step of the arbitrary described method of 1-9.
Instruction recombination device during 11. 1 kinds of operations, comprising:
Instruction operation environment buffer memory and recovery unit, be suitable for buffer memory and recover instruction operation environment;
The first memory location, is suitable for preserving destination address;
Instruction fetch unit, and instruction running environment buffer memory and recovery unit couple, and are suitable for reading destination address from the first memory location, and obtain machine instruction fragment to be scheduled according to destination address; Wherein, the last item instruction of machine instruction fragment to be dispatched is the first jump instruction; With
Instruction recombination unit, and instruction running environment buffer memory and recovery unit couple, and are suitable for preserving in the first memory location the destination address of the first jump instruction; Also be suitable for the first jump instruction to replace with the second jump instruction, generate and there is two address restructuring instruction fragment; The entry address of described the second jump instruction indicator device.
Instruction recombination device during 12. operation as claimed in claim 11, also comprises:
Instruction retrieval unit, is suitable for utilizing described destination address to search the corresponding table in address; The corresponding table in described address is for representing whether machine instruction fragment to be dispatched has the restructuring instruction fragment of having preserved;
If find corresponding record, instruction retrieval unit is also suitable for call instruction running environment buffer memory and recovery unit, recovers described instruction operation environment, and the preservation address jumping in record continues to carry out;
If do not find corresponding record, instruction retrieval unit is also suitable for utilizing the address of restructuring instruction fragment in the corresponding table in address, to set up a record with described destination address.
Instruction recombination device during 13. operation as claimed in claim 11, described instruction recombination unit also comprises:
Instruction resolution unit, is suitable for utilizing the described machine instruction fragment to be scheduled of instruction set coupling, obtains pending target machine instruction;
Modifying of order unit, is suitable for according to predetermined mode, revises described target machine instruction.
Instruction recombination device during 14. operation as claimed in claim 13, wherein, described target instruction target word is storage/reading command;
Storage and reading address that described modifying of order unit is suitable for revising are wherein the address on safety storage apparatus.
Instruction recombination device during 15. operation as claimed in claim 13, wherein, described target instruction target word is I/O instruction;
Described modifying of order unit is suitable for the input instruction in described I/O instruction all to stop.
Instruction recombination device during 16. operation as claimed in claim 13, wherein, described target instruction target word is Internet Transmission instruction;
Described modifying of order unit is suitable for checking whether remote computing devices corresponding to the destination address in described Internet Transmission instruction is secure address; If not, described modifying of order unit is suitable for stoping described Internet Transmission instruction.
Instruction recombination device during 17. operation as claimed in claim 13, described instruction recombination unit also comprises:
Dis-assembling unit, was suitable for before instruction resolution unit is resolved described machine instruction fragment to be scheduled, and machine instruction fragment to be scheduled described in dis-assembling, generates assembly instruction fragment to be scheduled;
Assembly unit, is suitable for the assembly instruction fragment after compilation restructuring, obtains the restructuring instruction fragment that machine code represents.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201210327202.8A CN103677770B (en) | 2012-09-06 | 2012-09-06 | Instruction recombination method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201210327202.8A CN103677770B (en) | 2012-09-06 | 2012-09-06 | Instruction recombination method and device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN103677770A true CN103677770A (en) | 2014-03-26 |
| CN103677770B CN103677770B (en) | 2016-12-21 |
Family
ID=50315448
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201210327202.8A Expired - Fee Related CN103677770B (en) | 2012-09-06 | 2012-09-06 | Instruction recombination method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN103677770B (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2015131800A1 (en) * | 2014-03-04 | 2015-09-11 | 北京中天安泰信息技术有限公司 | Data blackhole processing method based on mobile storage device, and mobile storage device |
| CN110554998A (en) * | 2018-03-30 | 2019-12-10 | 腾讯科技(深圳)有限公司 | hook method, device, terminal and storage medium for replacing function internal instruction |
Family Cites Families (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7886287B1 (en) * | 2003-08-27 | 2011-02-08 | Avaya Inc. | Method and apparatus for hot updating of running processes |
| US7552426B2 (en) * | 2003-10-14 | 2009-06-23 | Microsoft Corporation | Systems and methods for using synthetic instructions in a virtual machine |
| CN101604370B (en) * | 2009-07-06 | 2012-08-29 | 中国人民解放军信息技术安全研究中心 | Highly compatible method for monitoring Windows kernel function call |
| JP2014515858A (en) * | 2011-04-29 | 2014-07-03 | 北京中天安泰信息科技有限公司 | Method and apparatus for recombining executing instructions |
-
2012
- 2012-09-06 CN CN201210327202.8A patent/CN103677770B/en not_active Expired - Fee Related
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2015131800A1 (en) * | 2014-03-04 | 2015-09-11 | 北京中天安泰信息技术有限公司 | Data blackhole processing method based on mobile storage device, and mobile storage device |
| CN110554998A (en) * | 2018-03-30 | 2019-12-10 | 腾讯科技(深圳)有限公司 | hook method, device, terminal and storage medium for replacing function internal instruction |
| CN110554998B (en) * | 2018-03-30 | 2024-02-13 | 腾讯科技(深圳)有限公司 | Hook method, device, terminal and storage medium for replacing function internal instruction |
Also Published As
| Publication number | Publication date |
|---|---|
| CN103677770B (en) | 2016-12-21 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Han et al. | Imf: Inferred model-based fuzzer | |
| CN103679039B (en) | Secure storage method of data and device | |
| Wang et al. | Reranz: A light-weight virtual machine to mitigate memory disclosure attacks | |
| CN103942499A (en) | Data black hole processing method based on mobile storer and mobile storer | |
| Chen et al. | A practical approach for adaptive data structure layout randomization | |
| Zakeri et al. | A static heuristic approach to detecting malware targets | |
| CN103299284A (en) | Method and apparatus for data security reading | |
| CN105653432A (en) | Processing method and device of crash data | |
| CN107632832B (en) | Dalvik byte code oriented control flow confusion method | |
| CN103299270A (en) | Method and device for recombining runtime instruction | |
| CN103679040B (en) | Data safe reading method and device | |
| Urbina et al. | Sigpath: A memory graph based approach for program data introspection and modification | |
| CN103329141B (en) | Safe data storage method and device | |
| CN103677746B (en) | Instruction recombination method and device | |
| CN103729598B (en) | The safe interacted system of data and method for building up thereof | |
| CN103927493B (en) | Data black hole processing method | |
| US20190102279A1 (en) | Generating an instrumented software package and executing an instance thereof | |
| CN103677770A (en) | Instruction recombining method and device | |
| CN103677769A (en) | Instruction recombining method and device | |
| CN109472135A (en) | A kind of method, apparatus and storage medium of detection procedure injection | |
| CN103729600B (en) | Data security interacted system method for building up and data security interacted system | |
| CN103942492B (en) | Uniprocessor version data black hole processing method and the equipment of calculating | |
| CN103679041A (en) | Data security reading method and device | |
| Chen et al. | OBSan: An Out-Of-Bound Sanitizer to Harden DNN Executables. | |
| CN103729601B (en) | The safe interacted system of data and data safety mutual contact construction in a systematic way cube method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C41 | Transfer of patent application or patent right or utility model | ||
| COR | Change of bibliographic data |
Free format text: CORRECT: ADDRESS; FROM: 100097 HAIDIAN, BEIJING TO: 100071 FENGTAI, BEIJING |
|
| TA01 | Transfer of patent application right |
Effective date of registration: 20150122 Address after: 100071 Beijing city Fengtai District Xiaotun Road No. 89 aerospace standard tower Applicant after: The safe and sound Information Technology Co., Ltd in sky in Beijing Address before: 100097 Beijing city Haidian District landianchang road Jin Yuan era business center B block 2-6B1 Applicant before: Beijing Zhongtian Antai Technology Co., Ltd. |
|
| CB02 | Change of applicant information |
Address after: 100071 Beijing city Fengtai District Xiaotun Road No. 89 aerospace standard tower Applicant after: Zhongtian Aetna (Beijing) Information Technology Co. Ltd. Address before: 100071 Beijing city Fengtai District Xiaotun Road No. 89 aerospace standard tower Applicant before: The safe and sound Information Technology Co., Ltd in sky in Beijing |
|
| COR | Change of bibliographic data | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20161221 Termination date: 20180906 |