CN106295322A - A hardware protection model against buffer overflow attacks - Google Patents

Publication number: CN106295322A
Authority: CN (China)
Prior art keywords: module, memory control, control module, interface, processor
Legal status: Granted
Application number: CN201610597170.1A
Other languages: Chinese (zh)
Other versions: CN106295322B (en)
Inventors: 王翔, 庞树松, 王维克, 赵宗民, 何展宏, 王晓翠, 徐洋
Current Assignee: Beihang University
Original Assignee: Beihang University
Application filed by Beihang University
Priority to CN201610597170.1A
Publication of CN106295322A
Application granted
Publication of CN106295322B
Current legal status: Active

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a hardware protection model against buffer overflow attacks. It is connected directly to the processor and monitors the execution of the program. It consists of four parts: a Serial Peripheral Interface module (the SPI module), a processor interface module, a memory control module and a security tag module. The memory control module is the core module and the other modules are connected around it: the SPI module provides the memory control module with a data download interface, the processor interface module provides it with the interface to the processor, and the security tag module encrypts the data stored in the memory control module. The invention is more secure than ordinary software protection, reduces hardware resource overhead, does not occupy the system's memory, executes efficiently, and is portable: it can be adapted to processors of different architectures by changing only a few key parameters.

Description

A hardware protection model against buffer overflow attacks
Technical field
The invention provides a hardware protection model against buffer overflow attacks; it concerns a hardware protection model against buffer overflow attacks on embedded processors. It belongs to the technical field of embedded system security.
Background art
Buffer overflow is one of the most common and most dangerous vulnerabilities, and has become one of the most important security threats. In security reports of all kinds, buffer overflow vulnerabilities consistently make up a very significant share. Buffer overflows are easy for attackers to exploit, because languages such as C and C++ do not automatically detect buffer overflow operations, and programmers find it hard to check at all times while writing code whether a buffer might overflow. By exploiting an overflow, an attacker can write chosen data to any location in the vulnerable program's memory, including critical data that controls the program's execution flow (such as the return address after a function call), and so take control of the program's execution and carry out malicious behaviour.
The conventional buffer overflow attack injects malicious code (shellcode) into the program and uses its address to overwrite the return address of one of the program's own function calls, so that on return the malicious code is executed instead of the code that should have run. In other words, this attack usually first has to inject malicious code into the vulnerable target program. The program's code segment, however, is usually set to non-writable, so the attacker has to place the attack code on the stack. To prevent attacks of this type, buffer overflow defence mechanisms adopted the non-executable stack, a technique that stops malicious code on the stack from executing.
In summary, the existing protection schemes against buffer overflow attacks have the following problems:
(1) The protection methods above all work on the software side. This increases the complexity of the software, the protective code is itself a target of attack, and it cannot resist physical attacks.
(2) Current defence methods add load to the system and affect processor performance. They also easily cause the program to crash at run time.
Summary of the invention
1. Purpose: the purpose of the invention is to provide a hardware protection model against buffer overflow attacks that can effectively prevent many kinds of buffer overflow attack. It adds a hardware protection model inside the embedded processor to guarantee correct execution of the program.
2. Technical solution:
The invention designs a hardware protection model against buffer overflow attacks. It is connected directly to the processor and monitors the execution of the program.
The hardware protection model of the invention consists of four parts: a Serial Peripheral Interface module (the SPI module), a processor interface module, a memory control module and a security tag module (for example, hash value calculation). Their relationship is as follows: the memory control module is the core module and the other modules are connected around it; the SPI module provides the memory control module with a data download interface, the processor interface module provides it with the interface to the processor, and the security tag module encrypts the data stored in the memory control module.
The SPI module is the communication interface between external devices and the memory control module; through it the host computer can initialize the memory module inside the memory control module. Its structure is a four-wire external interface: SDI (master data input), SDO (master data output), SCK (clock signal) and CS (slave chip select). SCK supplies the clock pulses, and SDI and SDO carry out data transfer on those pulses. Data is output on the SDO line; it changes on a rising or falling clock edge and is read on the immediately following falling or rising edge, which completes one data transfer.
The processor interface module is the interface that connects the external processor to the memory control module; it lets the hardware protection model monitor the running state of the processor in real time. Its structure consists of a 32-bit instruction bus and a 32-bit address bus.
The memory control module consists mainly of a memory module and a lookup module. The lookup module searches the information stored in the memory module.
The memory module is a block of random access memory (RAM) that stores the program's normal execution information.
The lookup module searches the contents of the memory module by binary search and returns the result.
The security tag module performs hash calculation: it computes the hash value of the data stored in the memory control module. Internally it is a hash encryption module that uses a new lightweight hash function (patent applied for) to encrypt the input message; a 512-bit input is encrypted to 16 bits.
Before the program runs, it is processed by a dedicated extraction tool (patent applied for). The tool performs offline analysis of the executable file and extracts the code of the program's safe execution, which is downloaded into the memory module through the SPI interface. When malicious code implanted from outside executes, the hardware protection model can therefore detect that the code currently executing is not the code stored in the memory module; it then raises an alert and stops the program from continuing. To save resources, the code is not stored directly; the basic unit is the instruction basic block. An instruction basic block is a code fragment (usually assembly code) that contains only instructions that run sequentially, that is, it contains no branch or jump instruction. To strengthen security, the instructions are not stored directly in the memory of the hardware protection model but are processed first: a hash operation is performed on the instructions of each instruction basic block, and the resulting 16-bit check value is what the hardware protection model stores. During program execution, the start address of the instruction basic block is looked up first to find the corresponding instruction basic block in the hardware protection model. The security tag module computes the hash value of the currently executing instruction basic block in real time; when the block finishes, this value is compared with the hash value of the corresponding instruction basic block in the security model, and if the two differ it can be concluded that a malicious code attack has occurred.
3. Advantages and effects:
This hardware-assisted protection model for embedded systems has the following advantages:
The hardware protection model of the invention is a pure hardware circuit and is not attached to the processor's internal bus, so software cannot access it over the bus; it is therefore more secure than ordinary software protection.
The hardware protection model runs in parallel with the processor, so while executing it does not interfere with the processor's normal operation and does not occupy the system's memory; execution efficiency is high.
The hardware module of the invention encrypts and compresses the data while monitoring the program, which further improves the security of the system and at the same time reduces hardware resource overhead.
The hardware module of the invention is portable: it can be adapted to processors of different architectures by changing only a few key parameters.
Brief description of the drawings
Fig. 1 is a structural block diagram of the hardware protection model of the invention.
Fig. 2 shows the relationship between the hardware protection model of the invention and the external processor.
The symbols in the figures are as follows:
In Fig. 1, SPI is the abbreviation of Serial Peripheral Interface, a high-speed, full-duplex, synchronous communication bus.
Detailed description of the invention
As shown in Fig. 1 and Fig. 2, the embodiment is as follows:
The invention designs a hardware protection model against buffer overflow attacks, made up mainly of the following parts: the SPI (Serial Peripheral Interface) module and the processor interface module, plus the internal processing modules, which mainly comprise a counter module, the security tag module and the memory control module. The memory control module is the principal module and the other modules are connected around it. The SPI module provides its download interface; the memory control module is connected to the processor through the processor interface; the hash is used to calculate the check value of the code, which is stored in the memory module of the memory control module.
Fig. 1 shows the architecture of the hardware protection model. Before it operates, the extraction tool extracts the executable code section offline, and the result is downloaded through the SPI interface into the memory module as the reference model for the program's actual run. The processor interface connects mainly to the processor's Program Counter (PC) and Instruction Register (IR) buses and monitors the running state in real time. The security tag module computes the hash value of IR, which is then compared with the offline value stored in the memory control module. The security tag module is the hash calculation module and is implemented mainly with XOR circuits.
Fig. 2 shows the hardware protection model applied in a system on chip. It is connected between the processor and the cache and feeds a signal back to the processor. When the program starts, the hardware protection model detects that the first instruction of the first instruction basic block has begun to run and enters the monitoring state. It then records the hash value of the instructions being executed. When it detects that the instruction basic block has ended, it compares the hash value recorded for the current block with the value stored in the hardware protection model. If the two values are not equal, it can be concluded that a buffer overflow attack has occurred. The hardware protection model then searches for the start address of the next instruction basic block, using binary search to make the lookup efficient. If the block is found in the stored contents, the code is known to the hardware protection model; if the start address is not found, the model concludes that a non-existent instruction basic block has been entered and judges that an attack has occurred. Once an error is detected, an interrupt signal is sent back to the processor.
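The run-time check described above, modelled in software as an added example (this is not code from the patent): an offline table of basic-block start addresses and 16-bit check values, a binary-search lookup, and the two failure verdicts. The rotate-and-XOR hash stands in for the undisclosed hash function; the function names, sample instruction words and addresses are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One row of the reference table held in the monitor's RAM. */
typedef struct { uint32_t start; uint16_t check; } bb_entry;
enum verdict { BB_OK, BB_HASH_MISMATCH, BB_UNKNOWN_BLOCK };

/* Stand-in hash (assumption): rotate-and-XOR over the instruction words,
 * folded to 16 bits. The patent does not disclose its own hash function. */
uint16_t bb_hash(const uint32_t *insn, size_t n)
{
    uint32_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc = ((acc << 1) | (acc >> 31)) ^ insn[i];
    return (uint16_t)(acc ^ (acc >> 16));
}

/* Offline extraction: one row per basic block, in ascending address order. */
size_t bb_build(bb_entry *tab, const uint32_t *image, uint32_t base,
                const size_t *block_len, size_t nblocks)
{
    size_t off = 0;
    for (size_t b = 0; b < nblocks; b++) {
        tab[b].start = base + 4u * (uint32_t)off;
        tab[b].check = bb_hash(image + off, block_len[b]);
        off += block_len[b];
    }
    return nblocks;
}

/* Binary search on the block start address; NULL means "no such block". */
const bb_entry *bb_lookup(const bb_entry *tab, size_t n, uint32_t start)
{
    size_t lo = 0, hi = n;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (tab[mid].start == start) return &tab[mid];
        if (tab[mid].start < start) lo = mid + 1; else hi = mid;
    }
    return NULL;
}

/* Run-time check: PC gives the block start, the IR words are hashed. */
enum verdict bb_check(const bb_entry *tab, size_t n, uint32_t pc_start,
                      const uint32_t *ir_words, size_t count)
{
    const bb_entry *e = bb_lookup(tab, n, pc_start);
    if (e == NULL) return BB_UNKNOWN_BLOCK;
    return bb_hash(ir_words, count) == e->check ? BB_OK : BB_HASH_MISMATCH;
}

/* Constructed sample: 7 words standing in for instructions, split into
 * basic blocks of 3, 2 and 2 words, loaded at a made-up base address. */
#define IMAGE_BASE 0x08000000u
static const uint32_t IMAGE[7] = { 0xE92D4800u, 0xE28DB004u, 0xEB000010u,
    0xE3A00000u, 0xE8BD8800u, 0xE1A01000u, 0xE12FFF1Eu };
static const size_t BLOCK_LEN[3] = { 3, 2, 2 };

/* 0: block 0 runs unmodified; 1: one word of block 0 differs from the
 * offline image; 2: execution starts at an address not in the table. */
enum verdict run_scenario(int s)
{
    bb_entry tab[3];
    size_t n = bb_build(tab, IMAGE, IMAGE_BASE, BLOCK_LEN, 3);
    uint32_t seen[3] = { IMAGE[0], IMAGE[1], IMAGE[2] };
    if (s == 1)
        seen[2] ^= 0x00000100u;
    uint32_t pc = (s == 2) ? 0x2000FF00u : IMAGE_BASE;
    return bb_check(tab, n, pc, seen, 3);
}

int main(void)
{
    for (int s = 0; s < 3; s++)
        printf("scenario %d -> verdict %d\n", s, (int)run_scenario(s));
    return 0;
}
```

Because the table is keyed on block start addresses only, an address in the middle of a known block is also reported as an unknown block.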

Claims (1)

1. A hardware protection model against buffer overflow attacks, connected directly to the processor and monitoring the execution of the program, characterised in that: it consists of four parts: a Serial Peripheral Interface module (the SPI module), a processor interface module, a memory control module and a security tag module; their relationship is that the memory control module is the core module and the other modules are connected around the memory control module; the SPI module provides the memory control module with a data download interface, the processor interface module provides the memory control module with the interface to the processor, and the security tag module encrypts the data stored in the memory control module;
the SPI module is the communication interface between external devices and the memory control module, through which the host computer can initialize the memory module inside the memory control module; the structure of the SPI module is a four-wire external interface: SDI, the master data input; SDO, the master data output; SCK, the clock signal; and CS, the slave chip select; SCK supplies the clock pulses, and SDI and SDO carry out data transfer on those pulses; data is output on the SDO line, changes on the rising and falling clock edges and is read on the immediately following falling and rising edges, which completes one data transfer;
the processor interface module is the interface that connects the external processor to the memory control module, so that the hardware protection model of the invention can monitor the running state of the processor in real time; the structure of the processor interface module consists of a 32-bit instruction bus and a 32-bit address bus;
the memory control module consists of a memory module and a lookup module; the lookup module searches the information stored in the memory module;
the memory module is a block of random access memory (RAM) that stores the program's normal execution information;
the lookup module searches the contents of the memory module by binary search and returns the result;
the security tag module performs hash calculation, computing the hash value of the data stored in the memory control module; its structure is: internally it is a hash encryption module that uses a new lightweight hash function to encrypt the input message, a 512-bit input being encrypted to 16 bits;
before the program runs, it is processed by a dedicated extraction tool, which performs offline analysis of the executable file and extracts the code of the program's safe execution; this is downloaded into the memory module through the SPI interface; when malicious code implanted from outside executes, the hardware protection model of the invention can therefore detect that the code currently executing is not the code stored in the memory module, and it then raises an alert and stops the program from continuing; the basic unit is the instruction basic block, a code fragment that contains only instructions that run sequentially, that is, it contains no branch or jump instruction; to strengthen security, the instructions are not stored directly in the memory of the hardware protection model but are processed first: a hash operation is performed on the instructions of each instruction basic block, and the resulting 16-bit check value is what the hardware protection model stores; during program execution, the start address of the instruction basic block is looked up first to find the corresponding instruction basic block in the hardware protection model; the security tag module in the hardware protection model computes the hash value of the currently executing instruction basic block in real time; when the block finishes, this value is compared with the hash value of the corresponding instruction basic block in the security model, and if the two differ it can be concluded that a malicious code attack has occurred.
CN201610597170.1A 2016-07-26 2016-07-26 A kind of hardware protection device for buffer overflow attack Active CN106295322B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610597170.1A CN106295322B (en) 2016-07-26 2016-07-26 A kind of hardware protection device for buffer overflow attack

Publications (2)

Publication Number Publication Date
CN106295322A true CN106295322A (en) 2017-01-04
CN106295322B CN106295322B (en) 2018-12-18

Family

ID=57652806

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610597170.1A Active CN106295322B (en) 2016-07-26 2016-07-26 A kind of hardware protection device for buffer overflow attack

Country Status (1)

Country Link
CN (1) CN106295322B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101017458A (en) * 2007-03-02 2007-08-15 北京邮电大学 Software safety code analyzer based on static analysis of source code and testing method therefor
US20110231709A1 (en) * 2010-03-19 2011-09-22 Nagravision S.A. Method for checking data consistency in a system on chip
CN104809391A (en) * 2014-01-26 2015-07-29 华为技术有限公司 Buffer overflow attack detecting device, method and safeguard system
CN104866767A (en) * 2015-05-11 2015-08-26 北京航空航天大学 Embedded module of novel security mechanism

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107133515A (en) * 2017-03-09 2017-09-05 北京航空航天大学 A kind of hardware based buffer overflow attack detection method
CN107133515B (en) * 2017-03-09 2019-10-18 北京航空航天大学 A kind of hardware based buffer overflow attack detection method
WO2020057603A1 (en) * 2018-09-21 2020-03-26 中国科学院信息工程研究所 Method and apparatus for detecting that return address in stack has been tampered with
CN110472411A (en) * 2019-08-20 2019-11-19 杭州和利时自动化有限公司 A kind of memory Overflow handling method, apparatus, equipment and readable storage medium storing program for executing
CN110472411B (en) * 2019-08-20 2021-05-07 杭州和利时自动化有限公司 Memory overflow processing method, device, equipment and readable storage medium
CN112580052A (en) * 2019-09-30 2021-03-30 龙芯中科技术股份有限公司 Computer security protection method, chip, equipment and storage medium
CN112580052B (en) * 2019-09-30 2023-05-30 龙芯中科技术股份有限公司 Computer security protection method, chip, device and storage medium

Also Published As

Publication number Publication date
CN106295322B (en) 2018-12-18

Similar Documents

Publication Publication Date Title
CN106295322A (en) A kind of hardware protection model for buffer overflow attack
EP2513836B1 (en) Obfuscated malware detection
US9977897B2 (en) System and method for detecting stack pivot programming exploit
JP5090661B2 (en) Software behavior modeling device, software behavior monitoring device, software behavior modeling method, and software behavior monitoring method
US10248424B2 (en) Control flow integrity
CN105260659A (en) Kernel-level code reuse type attack detection method based on QEMU
US20160098333A1 (en) Detection of fault injection attacks
CN102184360B (en) Information flow safety monitoring method applied to embedded processor
CN105787305A (en) Software protection method capable of resisting symbolic execution and taint analysis
CN105653905A (en) Software protection method based on API (Application Program Interface) security attribute hiding and attack threat monitoring
CN106022107A (en) Method and system for protecting program execution integrity
CN107330323B (en) Dynamic ROP and variant attack detection method based on Pin tool
CN105138903A (en) ROP attack detection method based on RET instructions and JMP instructions
EP3127036B1 (en) Systems and methods for identifying a source of a suspect event
CN107194252A (en) The program control flow completeness protection method and system of a kind of complete context-sensitive
CN106354575A (en) Troubleshooting device and method based on stack tracing
Liu et al. Combining static analysis and dynamic learning to build accurate intrusion detection models
CN106874758A (en) A kind of method and apparatus for recognizing document code
JP4913353B2 (en) Software operation modeling device and software operation monitoring device
CN110647748A (en) Code multiplexing attack detection system and method based on hardware characteristics
Piromsopa et al. Survey of protections from buffer-overflow attacks
Wang et al. Hardware trojan detection and high-precision localization in noc-based mpsoc using machine learning
CN104008336B (en) ShellCode detecting method and device
KR102022626B1 (en) Apparatus and method for detecting attack by using log analysis
CN102110204A (en) Removable apparatus and method for verifying an executable file in a computing apparatus

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant