CN105426752A - Buffer region overflow protection method - Google Patents

Publication number
CN105426752A
Authority
CN
China
Prior art keywords
function
stack
guard method
buffer overflow
backup
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201510828343.1A
Other languages
Chinese (zh)
Inventor
马晓东
谢汶兵
漆锋滨
尉红梅
翟彦河
陈茜
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuxi Jiangnan Computing Technology Institute
Original Assignee
Wuxi Jiangnan Computing Technology Institute
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Wuxi Jiangnan Computing Technology Institute filed Critical Wuxi Jiangnan Computing Technology Institute
Priority to CN201510828343.1A priority Critical patent/CN105426752A/en
Publication of CN105426752A publication Critical patent/CN105426752A/en
Pending legal-status Critical Current

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Abstract

The invention provides a buffer overflow protection method. The method comprises: forming a backup stack from the original stack, wherein the backup stack backs up the function return address and the stack frame pointer, and the control-flow information is backed up at the entry of the called function; and, when the function call returns, determining whether an overflow has occurred by comparing the original stack with the backup stack information.

Description

Buffer overflow protection method
Technical field
The present invention relates to the field of computer technology, and specifically to a buffer overflow protection method.
Background
The stack is an indispensable part of a program. At run time a program sets aside a contiguous region of stack space in memory to maintain the context information needed for function calls, including the old frame pointer, the return address, call parameters and local variables. The program pushes context information onto the stack and can also pop it from the top of the stack. Once a buffer has been allocated, however, its size and address are fixed. If an operation on the buffer goes beyond the buffer's boundary, a stack buffer overflow may occur. Buffer overflow attacks include stack overflow, heap overflow and format string attacks. Preventive measures include static array bounds checking, non-executable stacks, dynamic buffer overflow monitoring and security hardening of library functions. Compared with heap buffer overflow and format string vulnerabilities, stack buffer overflow vulnerabilities still account for the majority; the means by which attackers exploit them are diversifying, and the attacks are becoming more covert.
A stack overflow generally changes the function return address, the stack frame pointer and so on, which in turn causes the program's control flow to be tampered with, the system to crash, etc. The common approaches currently proposed for this problem are to guarantee stack integrity by adding a stack protection (StackGuard) tag to the stack, to set up a dual stack that completely separates control-flow information from data-flow information, to encrypt the stack frame pointer, and so on.
However, most current stack protection schemes guard against only one kind of buffer overflow attack and cannot solve the buffer overflow problem comprehensively. Moreover, current approaches such as the dual stack still have serious shortcomings in compatibility and performance, and sometimes cause a substantial drop in performance.
Summary of the invention
The technical problem to be solved by the present invention is, in view of the above defects in the prior art, to provide a buffer overflow protection method that is compatible, secure, efficient and comprehensive.
According to the present invention, a buffer overflow protection method is provided, comprising: forming a backup stack from the original stack, wherein the backup stack backs up the function return address and the stack frame pointer, and the control-flow information is backed up at the entry of the called function; and, when the function call returns, determining whether an overflow has occurred by comparing the original stack with the backup stack information.
Preferably, all processes share the code in a shared library; during library linking the shared library is not copied into the output file, and instead all processes share a single copy of the shared-library routines they use.
Preferably, backing up the control-flow information at the entry of the called function is implemented by designing a library.
Preferably, a static array is defined in the library to store the control-flow information.
Preferably, the functions in the library implement the push and pop operations of the stack and the handling mechanism for detecting that control-flow information has been modified.
Preferably, the library comprises a first function and a second function. The first function is called at the entry of every function of the compiled program, and its inputs are the content of the memory location pointed to by the current function's frame pointer and the return address. The second function is called at the exit of every function of the compiled program, and its inputs are the content of the memory location pointed to by the current function's frame pointer and the return address.
Preferably, the first function and the second function are inserted before the first instruction of the target function's head and after the last instruction of its tail.
The buffer overflow protection method proposed by the present invention, which uses a scheme of backing up control-flow information, protects the critical control-flow information in the stack while also ensuring compatibility across different platforms and preserving program performance.
Brief description of the drawings
A more complete understanding of the present invention, and of its attendant advantages and features, will be more readily obtained by reference to the following detailed description taken in conjunction with the accompanying drawings, in which:
Fig. 1 schematically shows a flow chart of the buffer overflow protection method according to a preferred embodiment of the present invention.
Fig. 2a and Fig. 2b schematically show the backed-up control-flow information used by the buffer overflow protection method according to a preferred embodiment of the present invention.
It should be noted that the drawings illustrate the present invention and do not limit it. Drawings showing structure may not be drawn to scale. Identical or similar elements are given identical or similar reference numerals in the drawings.
Embodiments
To make the content of the present invention clearer and easier to understand, it is described in detail below with reference to specific embodiments and the drawings.
The scheme proposed by the present invention is to back up the critical control-flow information and, while the program runs, to compare the backup values with the original values to determine whether an attack has occurred.
Specifically, Fig. 1 schematically shows a flow chart of the buffer overflow protection method according to a preferred embodiment of the present invention.
As shown in Fig. 1, the buffer overflow protection method according to the preferred embodiment of the present invention comprises:
First step S1: from the original stack (for example the original stack shown in Fig. 2a), form a backup stack (for example the backup stack shown in Fig. 2b), wherein the backup stack backs up the function return address and the stack frame pointer, and the control-flow information is backed up at the entry of the called function;
Second step S2: when the function call returns, determine whether an overflow has occurred by comparing the original stack with the backup stack information.
In a specific embodiment of the present invention, the backup of critical control-flow information can be implemented by designing a library. A static array __retarray is defined in the library to store the control-flow information; the functions in the library implement the push and pop operations of the stack and the handling mechanism for detecting that control-flow information has been modified. Examples of the main function implementations are shown in Algorithm 1 and Algorithm 2.
Concrete algorithm examples are given below.
The algorithm implemented at the function entry for the backup is given as Algorithm 1:
The algorithm implemented at the function exit for the backup is given as Algorithm 2:
The function __retarray_prolog is called at the entry of every function of the compiled program; its inputs are the content of the memory location pointed to by the current function's frame pointer and the return address. The function __retarray_epilog is called at the exit of every function of the compiled program. Its inputs are the content of the memory location pointed to by the current function's frame pointer and the return address; these inputs are compared with the content saved in the array __retarray. If they are identical, the control-flow information in the stack has not been tampered with; otherwise an attack has occurred.
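A minimal C model of the entry/exit check described above, added here as an illustration; it is not the patent's Algorithm 1 or Algorithm 2, which are not reproduced on this page. The capacity RETARRAY_DEPTH, the return codes, struct model_frame and run_callee are assumptions, and the leading underscores of the patent's names are dropped because such identifiers are reserved in C.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RETARRAY_DEPTH 1024            /* assumed capacity of the backup stack */
enum { CF_OK = 0, CF_TAMPERED = 1, CF_BACKUP_ERROR = -1 };

/* One backed-up pair: saved frame pointer and return address. */
struct cf_entry { uintptr_t saved_fp, ret_addr; };

static struct cf_entry retarray[RETARRAY_DEPTH];   /* the static backup array */
static size_t retarray_top;                        /* number of live entries */

/* Entry hook: push the frame's control-flow values onto the backup stack. */
int retarray_prolog(uintptr_t saved_fp, uintptr_t ret_addr)
{
    if (retarray_top == RETARRAY_DEPTH)
        return CF_BACKUP_ERROR;                    /* backup stack exhausted */
    retarray[retarray_top].saved_fp = saved_fp;
    retarray[retarray_top].ret_addr = ret_addr;
    retarray_top++;
    return CF_OK;
}

/* Exit hook: pop the backup and compare it with what the frame holds now. */
int retarray_epilog(uintptr_t saved_fp, uintptr_t ret_addr)
{
    if (retarray_top == 0)
        return CF_BACKUP_ERROR;                    /* epilog without prolog */
    struct cf_entry e = retarray[--retarray_top];
    if (e.saved_fp != saved_fp || e.ret_addr != ret_addr)
        return CF_TAMPERED;   /* a deployed library would abort, not return */
    return CF_OK;
}

size_t retarray_depth(void) { return retarray_top; }

/* Model of one stack frame: local buffer below the control-flow slots. */
struct model_frame {
    char      buf[16];
    uintptr_t saved_fp;
    uintptr_t ret_addr;
};

/* Modelled callee: copies input into the frame with no check against
 * sizeof buf. The copy is clamped to the frame so the model stays defined. */
int run_callee(const unsigned char *input, size_t len)
{
    struct model_frame f;
    memset(&f, 0, sizeof f);
    f.saved_fp = 0x7ffd1000u;                      /* constructed sample values */
    f.ret_addr = 0x00401136u;

    if (retarray_prolog(f.saved_fp, f.ret_addr) != CF_OK)
        return CF_BACKUP_ERROR;
    if (len > sizeof f)
        len = sizeof f;
    memcpy((unsigned char *)&f, input, len);       /* the unchecked write */
    return retarray_epilog(f.saved_fp, f.ret_addr);
}
```

Inputs that fit in buf leave both slots intact and the exit check passes; a write that reaches only the saved frame pointer is already reported, which is the case a return-address-only check would miss.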
This method can be implemented as a dynamic library, in which all processes share the code in a shared library. During library linking the shared library is not copied into the output file; instead all processes share a single copy of the shared-library routines they use, which saves a large amount of storage space. If a process modifies the global variable __retarray, that process obtains its own copy of the variable, and its private data for that variable is kept in the copy. Thus even if the control-flow information of one function is tampered with, the information saved in the __retarray corresponding to other functions is unaffected. The backup stack __retarray therefore has no conflicts between processes. To break this defence an attacker must modify both the control-flow information in the current stack and the corresponding backup in __retarray at the same time, which clearly increases the difficulty of an attack.
Taking a specific program as an example, the left side is the program as the programmer normally writes it. The program on the right is the code layout obtained after the compiler applies the control-flow information backup patch: transparently to the programmer, it automatically inserts the two function calls retarray_prolog and retarray_epilog before the first instruction of the head and after the last instruction of the tail of each function.
The first feature of the present invention is that it proposes a method of partial control-flow information backup, in which some critical control-flow information from the original stack is kept in a backup stack. When the program reaches the entry of each function, the return address and frame pointer of the current function stored in the stack are backed up to another region of memory.
The second feature of the present invention is that it proposes carrying out this backup work by means of a dynamic library. All processes share the code in a shared library. During library linking the shared library is not copied into the output file; instead all processes share a single copy of the shared-library routines they use, which saves a large amount of storage space.
In the present invention, backing up the control-flow information prevents, as far as possible, malicious programs from tampering with it. At the same time, compared with dual-stack and single-stack architectures, it avoids changes to the architecture and strikes a balance between compatibility and implementation complexity. In terms of security, for stack buffer overflows it correctly protects against direct attacks on the return address and the frame pointer and against indirect attacks that tamper with control flow through pointers. In terms of performance, the dynamic-library implementation keeps the performance loss below 5%. In terms of compatibility, an array is used to store the backup information, so no compatibility problems arise.
In addition, unless otherwise indicated, the terms "first", "second", "third" and so on in the specification are used only to distinguish components, elements, steps, etc., and not to indicate logical or ordinal relationships between them.
It will be understood that although the present invention has been disclosed above by way of preferred embodiments, those embodiments are not intended to limit it. Any person of ordinary skill in the art may, without departing from the scope of the technical solution of the present invention, use the technical content disclosed above to make many possible variations and modifications to the technical solution, or modify it into equivalent embodiments. Therefore, any simple modification, equivalent variation or modification made to the above embodiments in accordance with the technical essence of the present invention, without departing from the content of its technical solution, still falls within the scope of protection of the technical solution of the present invention.

Claims (7)

1. A buffer overflow protection method, characterized by comprising:
forming a backup stack from the original stack, wherein the backup stack backs up the function return address and the stack frame pointer, and the control-flow information is backed up at the entry of the called function;
determining, when the function call returns, whether an overflow has occurred by comparing the original stack with the backup stack information.
2. The buffer overflow protection method according to claim 1, characterized in that all processes share the code in a shared library; during library linking the shared library is not copied into the output file, and instead all processes share a single copy of the shared-library routines they use.
3. The buffer overflow protection method according to claim 1 or 2, characterized in that backing up the control-flow information at the entry of the called function is implemented by designing a library.
4. The buffer overflow protection method according to claim 3, characterized in that a static array is defined in the library to store the control-flow information.
5. The buffer overflow protection method according to claim 3, characterized in that the functions in the library implement the push and pop operations of the stack and the handling mechanism for detecting that control-flow information has been modified.
6. The buffer overflow protection method according to claim 3, characterized in that the library comprises a first function and a second function; the first function is called at the entry of every function of the compiled program, and its inputs are the content of the memory location pointed to by the current function's frame pointer and the return address; the second function is called at the exit of every function of the compiled program, and its inputs are the content of the memory location pointed to by the current function's frame pointer and the return address.
7. The buffer overflow protection method according to claim 6, characterized in that the first function and the second function are inserted before the first instruction of the target function's head and after the last instruction of its tail.
CN201510828343.1A 2015-11-24 2015-11-24 Buffer region overflow protection method Pending CN105426752A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510828343.1A CN105426752A (en) 2015-11-24 2015-11-24 Buffer region overflow protection method

Publications (1)

Publication Number Publication Date
CN105426752A true CN105426752A (en) 2016-03-23

Family

ID=55504957

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510828343.1A Pending CN105426752A (en) 2015-11-24 2015-11-24 Buffer region overflow protection method

Country Status (1)

Country Link
CN (1) CN105426752A (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPS6043771A (en) * 1983-08-20 1985-03-08 Fujitsu Ltd Buffer memory control system
CN1886728A (en) * 2003-09-04 2006-12-27 科学园株式会社 False code prevention method and prevention program and the program recording medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
谢汶兵: "基于备份控制流信息的缓冲区溢出监测技术", 《计算机工程与应用》 *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109033821A (en) * 2018-07-12 2018-12-18 郑州云海信息技术有限公司 A kind of Stack Smashing Protection System and method
CN109785537A (en) * 2018-12-29 2019-05-21 360企业安全技术(珠海)有限公司 A kind of safety protecting method and device of ATM machine
CN109785537B (en) * 2018-12-29 2022-09-30 奇安信安全技术(珠海)有限公司 Safety protection method and device for ATM
CN111209042A (en) * 2020-01-06 2020-05-29 北京字节跳动网络技术有限公司 Method, device, medium and electronic equipment for establishing function stack
CN112784261A (en) * 2021-01-04 2021-05-11 北京蓝军网安科技发展有限责任公司 Method for program execution and corresponding system, computer device and medium
CN112784261B (en) * 2021-01-04 2023-10-27 北京蓝军网安科技发展有限责任公司 Method for program operation and corresponding system, computer device and medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20160323