CN106295322B - A hardware protection device against buffer overflow attacks
- Publication number: CN106295322B
- Application number: CN201610597170.1A
- Authority: CN (China)
- Legal status: Active (the legal status is an assumption and is not a legal conclusion)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
Abstract
The present invention provides a hardware protection device against buffer overflow attacks. It is connected directly to the processor and monitors the execution of the program. It consists of four parts: a Serial Peripheral Interface module (the SPI module), a processor interface module, a memory control module, and a safety label module. The memory control module is the core module, and the other modules are connected around it: the SPI module provides the memory control module with a data download interface, the processor interface module provides the memory control module with its interface to the processor, and the safety label module encrypts the data stored in the memory control module. The invention is more secure than general software protection, reduces hardware resource overhead, does not occupy system memory, executes efficiently, and is portable: modifying a few key parameters adapts it to processors of different architectures.
Description
Technical field
The present invention provides a hardware protection device against buffer overflow attacks. It relates to hardware protection against buffer overflow attacks on embedded processors and belongs to the technical field of embedded system security.
Background technique
Buffer overflow is a very common and very dangerous vulnerability, and it has become one of the most important current security threats. In security reports of all kinds, buffer overflow vulnerabilities have always been an important part. Buffer overflows are easy for attackers to exploit because languages such as C and C++ do not automatically detect buffer overflow operations, and programmers find it difficult to check at all times whether a buffer may overflow while they write code. Using an overflow, an attacker can write chosen data to any location in the vulnerable program's memory, including critical data that controls the program's execution flow (such as the return address of a function call), and so control the execution of the program and carry out malicious behavior.
The common method of buffer overflow attack is to inject malicious code (shellcode) into the program and overwrite the return address of a function call with the address of that code, so that on return the malicious code executes instead of the code that should have executed. That is, this attack usually first has to inject malicious code into the vulnerable target program. The code segment of a program is usually set to be non-writable, however, so the attacker needs to place the attack code on the stack. To prevent this type of attack, buffer overflow defense mechanisms therefore use a non-executable stack, a technique that makes malicious code on the stack non-executable.
In summary, the existing protection schemes against buffer overflow attacks have the following problems:
(1) The protection methods above all start from the software side, which increases the complexity of the software. The code that provides the protection is itself a target of attack, and these methods cannot resist physical attacks.
(2) Current defense methods increase the burden on the system and affect processor performance. They also easily cause the program to crash at run time.
Summary of the invention
1. Purpose: the object of the present invention is to provide a hardware protection device against buffer overflow attacks that can effectively prevent a variety of buffer overflow attacks. It adds a hardware protection device inside the embedded processor to guarantee that the program executes correctly.
2. Technical solution:
The present invention designs a hardware protection device against buffer overflow attacks that is connected directly to the processor and monitors the execution of the program.
The hardware protection device consists of four parts: a Serial Peripheral Interface module (the SPI module), a processor interface module, a memory control module, and a safety label (for example, hash value calculation) module. Their relationship is as follows: the memory control module is the core module and the other modules are connected around it; the SPI module provides the memory control module with a data download interface, the processor interface module provides the memory control module with its interface to the processor, and the safety label module encrypts the data stored in the memory control module.
The SPI module is the communication interface between external equipment and the memory control module; through it, the host computer can initialize the memory module in the memory control module. The structure of the SPI module is a four-wire external interface: SDI (master device data input), SDO (master device data output), SCK (clock signal) and CS (slave device chip select signal). SCK provides the clock pulses, and SDI and SDO complete the data transfer based on these pulses. Data is output on the SDO line; the data changes on the rising or falling clock edge and is read on the immediately following falling or rising edge, which completes one data transfer.
The processor interface module is the interface that connects the external processor to the memory control module, so that the hardware protection device can monitor the operating state of the processor in real time. The processor interface module consists of a 32-bit instruction bus and a 32-bit address bus.
The memory control module consists mainly of a memory module and a searching module; the searching module searches the information stored in the memory module.
The memory module is a block of random access memory (RAM) that stores the program's normal execution information.
The searching module searches the contents of the memory module by binary search and returns the search result.
The safety label module performs hash calculation: it computes the hash value of the data stored in the memory control module. Internally it is a hash encryption module that uses a new lightweight hash function (patent applied for) to encrypt the input message, encrypting an input of length 512 bytes to length 16.
A special extraction tool (patent applied for) is used before program execution to analyze the executable file offline and extract the code that the program safely runs. The result is downloaded into the memory module through the SPI interface. Therefore, when malicious code implanted from outside executes, the hardware protection device detects that the currently executing code is not the code stored in the memory module, issues an alert, and prevents the program from continuing to execute. To save resource overhead, the code is not stored directly; instead, the instruction basic block is the basic unit. An instruction basic block is a code segment (usually of assembly code) that contains only instructions that run sequentially; that is, it contains no branch or jump instruction. To strengthen security, the instructions are not stored directly in the memory of the hardware protection device but are processed first: the instructions of each instruction basic block are hashed to compute a check value of length 16, which is the content stored in the hardware protection device. During program execution, the start address of the instruction basic block is looked up first to find the corresponding instruction basic block in the hardware protection device, and the safety label module in the hardware protection device computes the hash value of the currently executing instruction basic block in real time. When an instruction basic block has finished running, this hash value is compared with the hash value of the corresponding instruction basic block in the safety device; if the two are inconsistent, it can be judged that a malicious code attack has occurred.
3. Advantages and effects:
This hardware-assisted protection device for embedded systems has the following advantages:
The hardware protection device is a pure hardware circuit and is not connected to the internal bus of the processor, so software cannot access the hardware protection device over the bus. It is therefore more secure than general software protection.
The hardware protection device executes in parallel with the processor, so while it runs it does not affect the normal operation of the processor and does not occupy the memory resources of the system; execution efficiency is high.
The hardware module applies encryption and compression to the program while monitoring it, which further improves the security of the system and also reduces the overhead in hardware resources.
The hardware module is portable: modifying a few key parameters adapts it to processors of different architectures.
Description of the drawings
Fig. 1 is the structural block diagram of the hardware protection device of the invention.
Fig. 2 is a diagram of the relationship between the hardware protection device of the invention and the external processor.
The symbols in the figures are as follows:
In Fig. 1, SPI is the abbreviation of Serial Peripheral Interface, a high-speed, full-duplex, synchronous communication bus.
Specific embodiment
As shown in Fig. 1 and Fig. 2, the specific embodiment is as follows:
The hardware protection device against buffer overflow attacks designed by the present invention consists mainly of the following parts: an SPI (Serial Peripheral Interface) module and a processor interface module. The internal processing modules mainly comprise a counter module, a safety label module and a memory control module. Their relationship is that the memory control module is the most important module and the other modules are connected around it. The SPI module provides its download interface; the memory control module is connected to the processor through the processor interface; the hash check values calculated for the code are stored in the memory module of the memory control module.
Fig. 1 describes the architecture of the hardware protection device. Before the device operates, the extraction tool must extract the executable code offline, and the result is downloaded into the memory module through the SPI interface to serve as the reference for comparison when the program actually runs. The processor interface is connected mainly to the Program Counter (PC) and Instruction Register (IR) buses of the processor and monitors the running state in real time. The safety label module computes the hash value of the IR contents, which is then compared with the offline value stored in the memory control module. The safety label module is the hash value calculation module and is implemented mainly with XOR circuits.
Fig. 2 describes the application of the hardware protection device in a system on chip. It is connected between the processor and the cache and feeds a signal back to the processor. When the program starts to run, the hardware protection device detects that the first instruction of the first instruction basic block has started to run and enters the monitoring state; from this point it records the hash value of the instructions. When the hardware protection device detects the end of the instruction basic block, it compares the hash value recorded over the instructions of the current instruction basic block with the value held in the hardware protection device. If the two values are not equal, it can be judged that a buffer overflow attack has occurred. The hardware protection device then searches for the start address of the next instruction basic block, using binary search to improve search efficiency. If the instruction basic block is found in the content stored in the hardware protection device, this section of code is known to the hardware protection device. If the start address of the instruction basic block is not found, the device concludes that a nonexistent-instruction-basic-block error has occurred and judges that an attack is taking place. After detecting an error, the device issues an interrupt signal as feedback to the processor.
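The check flow described above (an offline table of basic-block start addresses and check values, binary search on the start address, and a hash comparison at block end), modelled in C as an added example; it is not code from the patent. The patent does not disclose its hash function, so a 16-bit rotate-and-XOR fold is assumed as a stand-in, and the instruction words, addresses and function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Entry stored in the memory module: block start address and its check value. */
typedef struct { uint32_t start; uint16_t check; } bb_entry;

enum verdict { BB_OK, BB_UNKNOWN_BLOCK, BB_HASH_MISMATCH };

/* Stand-in for the undisclosed hash (assumption): rotate the 16-bit state
   left by one, then XOR in both halves of the 32-bit instruction word. */
static uint16_t fold(uint16_t h, uint32_t instr) {
    h = (uint16_t)((h << 1) | (h >> 15));
    return (uint16_t)(h ^ (instr & 0xFFFFu) ^ (instr >> 16));
}

/* Check value of one instruction basic block. */
uint16_t bb_hash(const uint32_t *instr, size_t n) {
    uint16_t h = 0;
    for (size_t i = 0; i < n; i++) h = fold(h, instr[i]);
    return h;
}

/* Searching module: binary search on a table sorted by start address. */
const bb_entry *bb_lookup(const bb_entry *tab, size_t n, uint32_t addr) {
    size_t lo = 0, hi = n;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (tab[mid].start == addr) return &tab[mid];
        if (tab[mid].start < addr) lo = mid + 1; else hi = mid;
    }
    return NULL;
}

/* Runtime check for one executed block: pc is the PC value at block entry,
   ir[] the instruction words seen on the IR bus until the block ended. */
enum verdict monitor_block(const bb_entry *tab, size_t n, uint32_t pc,
                           const uint32_t *ir, size_t count) {
    const bb_entry *e = bb_lookup(tab, n, pc);
    if (e == NULL) return BB_UNKNOWN_BLOCK;      /* start address not stored */
    return bb_hash(ir, count) == e->check ? BB_OK : BB_HASH_MISMATCH;
}

/* Constructed sample program: three basic blocks of made-up instruction words. */
static const uint32_t BLOCK_A[] = { 0xE3A00000u, 0xE3A01005u, 0xE1500001u };
static const uint32_t BLOCK_B[] = { 0xE2800001u, 0xE1500001u };
static const uint32_t BLOCK_C[] = { 0xE12FFF1Eu };

/* Offline extraction step: fill the table that would be sent over SPI. */
size_t build_table(bb_entry *out) {
    out[0] = (bb_entry){ 0x00001000u, bb_hash(BLOCK_A, 3) };
    out[1] = (bb_entry){ 0x0000100Cu, bb_hash(BLOCK_B, 2) };
    out[2] = (bb_entry){ 0x00001014u, bb_hash(BLOCK_C, 1) };
    return 3;
}

int main(void) {
    bb_entry tab[3];
    size_t n = build_table(tab);
    uint32_t tampered[] = { 0xE2800002u, 0xE1500001u };  /* one word altered */
    /* A legitimate block, execution from an address outside the table
       (constructed stack-like address), and a block with altered content. */
    printf("%d %d %d\n",
           monitor_block(tab, n, 0x0000100Cu, BLOCK_B, 2),
           monitor_block(tab, n, 0x20003F00u, BLOCK_C, 1),
           monitor_block(tab, n, 0x0000100Cu, tampered, 2));
    return 0;
}
```

The stand-in fold is linear and only models the data flow; it says nothing about the collision resistance of the patent's own hash function.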
Claims (1)
1. A hardware protection device against buffer overflow attacks, the hardware protection device being connected directly to the processor and monitoring the execution of the program, characterized in that: the hardware protection device consists of four parts: a Serial Peripheral Interface module (the SPI module), a processor interface module, a memory control module, and a safety label module; the memory control module is the core module and the other modules are connected around it; the SPI module provides the memory control module with a data download interface, the processor interface module provides the memory control module with its interface to the processor, and the safety label module encrypts the data stored in the memory control module;
The SPI module is the communication interface between external equipment and the memory control module, through which the host computer initializes the memory module in the memory control module; the structure of the SPI module is a four-wire external interface: SDI, the master device data input; SDO, the master device data output; SCK, the clock signal; and CS, the slave device chip select signal; SCK provides the clock pulses, and SDI and SDO complete the data transfer based on these pulses; data is output on the SDO line, changes on the rising and falling clock edges, and is read on the immediately following falling and rising edges, which completes one data transfer;
The processor interface module is the interface that connects the external processor to the memory control module, so that the hardware protection device can monitor the operating state of the processor in real time; the processor interface module consists of a 32-bit instruction bus and a 32-bit address bus;
The memory control module consists of a memory module and a searching module; the searching module searches the information stored in the memory module;
The memory module is a block of random access memory (RAM) that stores the program's normal execution information;
The searching module searches the contents of the memory module by binary search and returns the search result;
The safety label module performs hash calculation: it computes the hash value of the data stored in the memory control module; internally it is a hash encryption module that uses a new lightweight hash function to encrypt the input message, encrypting an input of length 512 bytes to length 16;
A special extraction tool is used before program execution to analyze the executable file offline and extract the code that the program safely runs; the result is downloaded into the memory module through the SPI interface; therefore, when malicious code implanted from outside executes, the hardware protection device detects that the currently executing code is not the code stored in the memory module, issues an alert, and prevents the program from continuing to execute; the instruction basic block is the basic unit, an instruction basic block being a code segment that contains only instructions that run sequentially, that is, no branch or jump instruction; to strengthen security, the instructions are not stored directly in the memory of the hardware protection device but are processed first: the instructions of each instruction basic block are hashed to compute a check value of length 16, which is the content stored in the hardware protection device; during program execution, the start address of the instruction basic block is looked up first to find the corresponding instruction basic block in the hardware protection device, and the safety label module in the hardware protection device computes the hash value of the currently executing instruction basic block in real time; when an instruction basic block has finished running, this hash value is compared with the hash value of the corresponding instruction basic block in the safety device, and if the two are inconsistent, it is judged that a malicious code attack has occurred.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610597170.1A CN106295322B (en) | 2016-07-26 | 2016-07-26 | A kind of hardware protection device for buffer overflow attack |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106295322A CN106295322A (en) | 2017-01-04 |
CN106295322B true CN106295322B (en) | 2018-12-18 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |