CN106295322B - A kind of hardware protection device for buffer overflow attack - Google Patents

A kind of hardware protection device for buffer overflow attack Download PDF

Info

Publication number
CN106295322B
CN106295322B CN201610597170.1A CN201610597170A CN106295322B CN 106295322 B CN106295322 B CN 106295322B CN 201610597170 A CN201610597170 A CN 201610597170A CN 106295322 B CN106295322 B CN 106295322B
Authority
CN
China
Prior art keywords
module
memory control
interface
control module
memory
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201610597170.1A
Other languages
Chinese (zh)
Other versions
CN106295322A (en
Inventor
王翔
庞树松
王维克
赵宗民
何展宏
王晓翠
徐洋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beihang University
Original Assignee
Beihang University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beihang University filed Critical Beihang University
Priority to CN201610597170.1A priority Critical patent/CN106295322B/en
Publication of CN106295322A publication Critical patent/CN106295322A/en
Application granted granted Critical
Publication of CN106295322B publication Critical patent/CN106295322B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention provides a kind of hardware protection device for buffer overflow attack, it is directly connected with processor, the implementation procedure of monitoring programme; it is made of four parts: including Serial Peripheral Interface (SPI) module, i.e. SPI module, processor interface module; Memory control module, safety label module;Memory control module is nucleus module, other modules are attached centered on the Memory control module, SPI module provides data download interface for Memory control module, processor interface module provides the interface of processor for Memory control module, and safety label module is encrypted by the data stored in Memory control module;High safety of the present invention reduces the expense of hardware resource in general software protection, is not take up the memory source of system, and execution efficiency is high, has good transplantability, as long as modifying several key parameters, on the processor for adapting to different frameworks.

Description

A kind of hardware protection device for buffer overflow attack
Technical field
The present invention provides a kind of hardware protection device for buffer overflow attack, it is related to the slow of embeded processor Rush the hardware protection device of area's flooding.Belong to embedded system security technical field.
Background technique
Buffer overflow is a kind of very universal, breakneck loophole, and become current important security threat it One.In various safety messages, buffer-overflow vulnerability is wherein critically important a part always.Buffer overflow attack holds very much It is easily utilized by attacker, because there is no automatic detection buffer overflows to operate for the language such as C and C++, while programming personnel Also it is difficult to check whether buffer area may overflow always when writing code.Using spilling, attacker can be write expected data Enter any position in loophole program internal memory, or even executes the critical data of stream (such as after function call including control program Return address), to control the implementation procedure of program and implement malicious act.
The common attack method of buffer overflow is that malicious code shellcode is injected into program, and with its address Come the return address of overlay program function call itself, execute this malicious code when so that returning rather than should execute originally Code.That is, this attack usually first has to inject malicious code in target loophole program when implementing.But journey The code segment of sequence is usually arranged as not writeable, therefore attacker needs for this attack code to be placed in storehouse.Then for prevention The attack of this type, buffer overflow defense mechanism use non-executing stacking, and this technology makes the evil on storehouse Meaning code not can be performed.
In conclusion the existing protection scheme for buffer overflow attack has the following problems:
It (1) is all that will increase answering for software in this way from software respective above in relation to the guard method of buffer overflow attack Miscellaneous degree, and the code itself as protective effect is also object under fire, can not resist physical attacks.
(2) current defence method will increase the burden of system, influence processor performance.Meanwhile being also easy to cause program It is collapsed when operation.
Summary of the invention
1. purpose: the object of the present invention is to provide a kind of hardware protection devices for buffer overflow attack, can be effective The a variety of buffer overflow attacks of prevention.It increases a hardware protection device inside embeded processor to guarantee program It is correct to execute.
2. technical solution:
The present invention designs a kind of hardware protection device for buffer overflow attack, it is directly connected with processor, prison Control the implementation procedure of program.
Hardware protection device of the present invention is made of four parts: including Serial Peripheral Interface (SPI) module, i.e. SPI module, Processor interface module, Memory control module, safety label (such as cryptographic Hash calculating) module.Relationship between them is, interior Depositing control module is nucleus module, other modules are attached centered on the Memory control module, and SPI module is memory control Molding block provides data download interface, and processor interface module provides the interface of processor, safety label for Memory control module Module is encrypted by the data stored in Memory control module.
The SPI module is the communication interface of external equipment Yu Memory control module, enables host computer by this module Initialize the memory module in Memory control module;The structure of the SPI module is: externally having four line interface SDI (main equipment numbers According to input), SDO (output of main equipment data), SCK (clock signal), CS (from equipment chip selection signal).SCK provides clock pulses, SDI, SDO are then based on this pulse and complete data transmission.Data output is by SDO line, and data are in rising edge clock or failing edge Change, is read in back to back failing edge or rising edge.Complete a data transmission.
The processor interface module is ppu and Memory control modular connection interface, is made of the present invention hard Part protective device can monitor the operating status of processor in real time;The structure of the processor interface module is: total by 32 bit instructions Line and 32 bit address buses composition.
The Memory control module is mainly made of memory module and searching module;Relationship between them is to look for module For being scanned for the information stored in memory module.
The structure of the memory module is a piece of random access memory (RAM), normally executes letter which stores program Breath.
The searching module searches the content in the memory module by dichotomy, and returns to lookup result.
The safety label module is calculated for cryptographic Hash, for calculating the Kazakhstan of institute's storing data in Memory control module Uncommon value;The structure of the safety label module is: this inside modules is Hash encrypting module, internal to use a new lightweight The message of input is encrypted in hash function (patent applied for), is that 512 bytes are encrypted as 16 by input length.
To be mainly used for by special extracting tool (patent applied for), this extracting tool before program execution to can The off-line analysis of file is executed, and extracts the code of program safety operation.It is downloaded in memory module by SPI interface;Cause , when the malicious code of external world's implantation executes, hardware protection device of the present invention can detect currently performed code simultaneously for this It is not the code stored in memory module, early warning will be issued at this time, program is prevented to continue to execute;It is opened to save resource Pin is not directly to be stored to code, but to instruct basic block as basic unit, basic block is instructed to refer to a code Segment (is often referred to assembly code), the only instruction comprising can sequentially run in this segment;That is, not including any branch jumps finger It enables;In order to reinforce safety, we are not directly instruction to be stored in the memory of hardware protection device of the present invention, But these instructions are handled, the instruction of each instruction basic block is subjected to Hash operation, calculates one 16 Check value is as the content in hardware protection device.It, first can be to the starting of instruction basic block during the execution of program Address is searched, and finds corresponding instruction basic block in hardware protection device, in hardware protection device of the present invention Safety label module can carry out real-time operation to the cryptographic Hash of currently executing instruction basic block, when an instruction basic block is transported After row, the cryptographic Hash of instruction basic block corresponding in safety device is compared, and when the two is inconsistent, can be sentenced It is disconnected to receive the attack of malicious code.
3, advantage and effect:
The embedded system hardware protective device of this hardware auxiliary has several advantages that
Hardware protection device of the present invention is pure hardware circuit, and is not linked into the internal bus of processor, Software cannot remove access hardware protection device by bus, so high safety is in general software protection.
The hardware protection device that the present invention uses executes parallel with processor, so process of the hardware protection device in execution In will not influence the normal operation of processor, the memory source of system will not be occupied, execution efficiency is high.
Hardware module of the present invention has carried out ciphered compressed processing during monitoring to program, further increases The safety of system, while reducing the expense of hardware resource.
There is hardware module of the present invention good transplantability to adapt to not as long as modifying several key parameters With on the processor of framework.
Detailed description of the invention
Fig. 1 is the structural block diagram of hardware protection device of the invention.
Fig. 2 is the relational graph of hardware protection device and ppu of the invention.
Symbol description is as follows in figure:
SPI refers to the abbreviation of Serial Peripheral Interface (SPI) (Serial Peripheral Interface) in Fig. 1.It is a kind of high Speed, full duplex, synchronous communication bus.
Specific embodiment
As shown in Fig. 1, Fig. 2, specific embodiment is as follows:
The present invention designs the hardware protection device for being directed to buffer overflow attack, it is mainly by following sections group At.SPI (Serial Peripheral Interface (SPI)) module, processor interface module.Internal processing modules mainly include counter module, safety post Remember module, Memory control module.Relationship between them is that Memory control module is most important module, other modules are with it Center is attached.Wherein SPI module provides download interface for it;Memory control module by processor interface and processor into Row connection;Check value of the Hash for calculation code is stored in the memory module of Memory control module.
Fig. 1 describes the framework of hardware protection device, and needing before its work will be by extracting tool executable code Part is extracted offline, comparison device when being downloaded in memory module by SPI interface as program actual motion.Processing Device interface is mainly connected with the Program Counter (PC) of processor and Instruction Register (IR) bus Connect, the operating status of real-time monitor (RTM), and IR calculated into its cryptographic Hash by safety label module, then with Memory control mould The offline value stored in block compares.Safety label module is cryptographic Hash computing module, it is mainly realized by XOR circuit.
Fig. 2 describes application of the hardware protection device in system on chip.It is connected between processor and caching, and anti- Feedback signal is to processor.When program brings into operation, hardware protection device can detect first of first instruction basic block Instruction has begun operation, enters monitor state.Hardware protection device will record the cryptographic Hash instructed at this time at this time.Work as hardware Protective device detects the basic block end of instruction, can be by the cryptographic Hash and hardware protection of present instruction basic block institute recording instruction Value in device is compared.If two values are unequal, buffer overflow attack has occurred then may determine that.Later, firmly Part protective device can search for the initial address of next instruction basic block, here for search efficiency is improved, take binary search, If instruction basic block is had found in the content that hardware protection device is stored at this time, then may determine that this section of code hard In part protective device, were it not for find instruction basic block start address, then conclude occurred there is no instruction it is basic The mistake of block, judgement is attacked at this time.Interrupt signal feedback can be issued after detecting error message to processor.

Claims (1)

1. a kind of hardware protection device for buffer overflow attack, the hardware protection device is directly connected with processor, The implementation procedure of monitoring programme, it is characterised in that: hardware protection device is made of four parts: including Serial Peripheral Interface (SPI) module, That is SPI module, processor interface module, Memory control module, safety label module;Memory control module is nucleus module, He is attached module centered on the Memory control module, and SPI module provides data download interface for Memory control module, Processor interface module provides the interface of processor for Memory control module, and safety label module in Memory control module by depositing The data of storage are encrypted;
The SPI module is the communication interface of external equipment Yu Memory control module, keeps host computer initial by this module Change the memory module in Memory control module;The structure of the SPI module is: externally having four line interface SDI i.e. main equipment data Input, SDO, that is, main equipment data output, SCK, that is, clock signal, CS are i.e. from equipment chip selection signal;SCK provides clock pulses, SDI, SDO are then based on this pulse and complete data transmission;Data output is by SDO line, and data are in rising edge clock and failing edge Change, be read in back to back failing edge and rising edge, completes a data transmission;
The processor interface module is ppu and Memory control modular connection interface, makes the hardware protection device The operating status of processor can be monitored in real time;The structure of the processor interface module is: by 32 bit instruction buses and 32 ground Location bus composition;
The Memory control module is made of memory module and searching module;Searching module is used for the letter stored in memory module Breath scans for;
The structure of the memory module is a piece of random access memory i.e. RAM, and which stores the normal execution informations of program;
The searching module searches the content in the memory module by dichotomy, and returns to lookup result;
The safety label module is calculated for cryptographic Hash, for calculating the Hash of institute's storing data in Memory control module Value;The structure of the safety label module is: this inside modules is Hash encrypting module, internal to be breathed out using a new lightweight The message of input is encrypted in uncommon function, is that 512 bytes are encrypted as 16 by input length;
The off-line analysis to executable file is used for by special extracting tool, this extracting tool before program execution, And extract the code of program safety operation;It is downloaded in memory module by SPI interface;Therefore when the malice generation of extraneous implantation When code executes, the hardware protection device can detect that currently performed code is not the generation stored in memory module Code will issue early warning at this time, and program is prevented to continue to execute;To instruct basic block as basic unit, instruction basic block refers to one Code snippet, in this segment only comprising can sequence operation instruction;That is, not including any branch's jump instruction;In order to reinforce Safety is not directly instruction to be stored in the memory of the hardware protection device, but carry out to these instructions The instruction of each instruction basic block is carried out Hash operation, calculates one 16 check values and fill as hardware protection by processing Content in setting;During the execution of program, the initial address of instruction basic block can be searched first, find hardware Corresponding instruction basic block in protective device, the safety label module in the hardware protection device can be to currently performed finger The cryptographic Hash of basic block is enabled to carry out real-time operation, it is and corresponding in safety device after an instruction basic block end of run The cryptographic Hash of instruction basic block compare, when the two is inconsistent, judgement receives the attack of malicious code.
CN201610597170.1A 2016-07-26 2016-07-26 A kind of hardware protection device for buffer overflow attack Active CN106295322B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610597170.1A CN106295322B (en) 2016-07-26 2016-07-26 A kind of hardware protection device for buffer overflow attack

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610597170.1A CN106295322B (en) 2016-07-26 2016-07-26 A kind of hardware protection device for buffer overflow attack

Publications (2)

Publication Number Publication Date
CN106295322A CN106295322A (en) 2017-01-04
CN106295322B true CN106295322B (en) 2018-12-18

Family

ID=57652806

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610597170.1A Active CN106295322B (en) 2016-07-26 2016-07-26 A kind of hardware protection device for buffer overflow attack

Country Status (1)

Country Link
CN (1) CN106295322B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107133515B (en) * 2017-03-09 2019-10-18 北京航空航天大学 A kind of hardware based buffer overflow attack detection method
CN109409082A (en) * 2018-09-21 2019-03-01 中国科学院信息工程研究所 The method and device that return address is tampered in detection storehouse
CN110472411B (en) * 2019-08-20 2021-05-07 杭州和利时自动化有限公司 Memory overflow processing method, device, equipment and readable storage medium
CN112580052B (en) * 2019-09-30 2023-05-30 龙芯中科技术股份有限公司 Computer security protection method, chip, device and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101017458A (en) * 2007-03-02 2007-08-15 北京邮电大学 Software safety code analyzer based on static analysis of source code and testing method therefor
CN104809391A (en) * 2014-01-26 2015-07-29 华为技术有限公司 Buffer overflow attack detecting device, method and safeguard system
CN104866767A (en) * 2015-05-11 2015-08-26 北京航空航天大学 Embedded module of novel security mechanism

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2367129A1 (en) * 2010-03-19 2011-09-21 Nagravision S.A. Method for checking data consistency in a system on chip

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101017458A (en) * 2007-03-02 2007-08-15 北京邮电大学 Software safety code analyzer based on static analysis of source code and testing method therefor
CN104809391A (en) * 2014-01-26 2015-07-29 华为技术有限公司 Buffer overflow attack detecting device, method and safeguard system
CN104866767A (en) * 2015-05-11 2015-08-26 北京航空航天大学 Embedded module of novel security mechanism

Also Published As

Publication number Publication date
CN106295322A (en) 2017-01-04

Similar Documents

Publication Publication Date Title
CN106295322B (en) A kind of hardware protection device for buffer overflow attack
KR102306568B1 (en) Processor trace-based enforcement of control flow integrity in computer systems
US9990583B2 (en) Match engine for detection of multi-pattern rules
CN103310163B (en) Domain safe to use and the data processing equipment and method of time security domain
JP5090661B2 (en) Software behavior modeling device, software behavior monitoring device, software behavior modeling method, and software behavior monitoring method
CN105260659B (en) A kind of kernel level code reuse type attack detection method based on QEMU
CN109643346B (en) Control flow integrity
US10984096B2 (en) Systems, methods, and apparatus for detecting control flow attacks
CN105103158A (en) Profiling code execution
CN107330323B (en) Dynamic ROP and variant attack detection method based on Pin tool
US20190197216A1 (en) Method, apparatus, and computer-readable medium for executing a logic on a computing device and protecting the logic against reverse engineering
CN110647748B (en) Code multiplexing attack detection system and method based on hardware characteristics
US11126721B2 (en) Methods, systems and apparatus to detect polymorphic malware
Li et al. A control flow integrity checking technique based on hardware support
KR102022626B1 (en) Apparatus and method for detecting attack by using log analysis
CN110674501B (en) Malicious drive detection method, device, equipment and medium
Wang et al. A Fine-Grained Hardware Security Approach for Runtime Code Integrity in Embedded Systems.
Thomas et al. Multi-task support for security-enabled embedded processors
CN107967426A (en) A kind of detection method, defence method and the system of linux kernel Data attack
CN116738427B (en) Terminal safety protection method, device, equipment and storage medium
Kim et al. Detection and Blocking Method against DLL Injection Attack Using PEB-LDR of ICS EWS in Smart IoT Environments
Alouneh et al. A software tool to protect executable files from buffer overflow attacks
Liu et al. Modelling binary oriented software buffer-overflow vulnerability in process algebra
CN116633570A (en) Industrial robot network penetration test method and device and terminal equipment
Rocha et al. Query log analysis for SQL injection detection

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant