CN109409082A - The method and device that return address is tampered in detection storehouse - Google Patents


Info

Publication number
CN109409082A
Authority
CN
China
Prior art keywords
hash value
return address
frame
stack
tampered
Prior art date
Legal status
Pending
Application number
CN201811109566.2A
Other languages
Chinese (zh)
Inventor
孟丹
陈李维
李锦峰
史岗
Current Assignee
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS
Priority date
Filing date
Publication date
Application filed by Institute of Information Engineering of CAS
Priority to CN201811109566.2A
Publication of CN109409082A
Priority to PCT/CN2019/106686 (published as WO2020057603A1)
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow

Abstract

Embodiments of the present invention provide a method and device for detecting that a return address in a stack has been tampered with. The return addresses and their hash values are all stored and verified through a single chain structure, so the embodiments offer high security, small performance loss and low design complexity.

Description

Method and device for detecting that a return address in a stack has been tampered with
Technical field
The present invention relates to the field of computer technology, and in particular to a method and device for detecting that a return address in a stack has been tampered with.
Background technique
The construction and development of computer technology and the internet have brought enormous progress and impact to every aspect of society, including its economy, culture, science and technology. A great many information systems, such as telecommunications, e-commerce and banking networks, have become critical infrastructure for countries and governments, so ensuring the security of computer systems has become a difficult problem that urgently needs to be solved.
A stack overflow vulnerability is an extremely serious system security vulnerability: data that is too long is written into a limited memory space, destroying the memory of the system and causing it to run abnormally, crash or restart. Through a stack overflow attack that overwrites a function pointer with the address of attack code, an attacker can obtain partial or complete control of the system, which is a security risk of great threat.
In the prior art, the main prevention and defense mechanisms against stack smashing are the shadow stack and stack protection technologies, which ensure that the return address is not maliciously tampered with. However, the security of both the shadow stack and stack protection is insufficient, and attackers can still find methods to bypass these two defense technologies.
Therefore, there is an urgent need for a method and device that can effectively monitor whether a return address has been maliciously tampered with.
Summary of the invention
To solve the above problems, embodiments of the present invention provide a method and device for detecting that a return address in a stack has been tampered with, which overcome the above problems or at least partially solve them.
According to a first aspect of the embodiments of the present invention, a method for detecting that a return address in a stack has been tampered with is provided, comprising:
S1: according to the return address to be verified stored in the top frame of the stack and the hash value corresponding to the return address to be verified, obtain a hash value to be verified based on any hash value generating algorithm;
wherein the i-th frame in the stack stores the i-th return address and a random number; each frame from the (i+1)-th frame to the top frame of the stack stores the return address corresponding to that frame and the hash value corresponding to that return address; the hash value corresponding to the return address of any such frame is obtained, based on any hash value generating algorithm, from the return address and the hash value corresponding to that return address stored in the preceding frame of the stack; i ≥ 1, j > i, where j is the serial number of the top frame;
S2: if the hash value to be verified differs from a pre-generated correct hash value, confirm that the return address to be verified has been tampered with; wherein the correct hash value was previously obtained, based on the same hash value generating algorithm, from the untampered return address in the top frame of the stack and the hash value corresponding to that untampered return address.
Further, the processor that executes the method for detecting that a return address in the stack has been tampered with also includes a Top register, and the correct hash value stored in the Top register can only be modified by preset instructions.
Further, the processor that executes the method also includes a hash computing module for executing the hash value generating algorithm.
Further, any return address in the stack and the hash value corresponding to that return address are stored separately, at different locations in the same stack frame.
Further, S2 also includes:
if the hash value to be verified is identical to the pre-generated correct hash value, confirm that the return address to be verified has not been tampered with.
According to another aspect of the embodiments of the present invention, a device for detecting that a return address in a stack has been tampered with is provided, comprising:
a hash value computing module, for obtaining a hash value to be verified, based on any hash value generating algorithm, from the return address to be verified stored in the top frame of the stack and the hash value corresponding to the return address to be verified;
wherein the i-th frame in the stack stores the i-th return address and a random number; each frame from the (i+1)-th frame to the top frame of the stack stores the return address corresponding to that frame and the hash value corresponding to that return address; the hash value corresponding to the return address of any such frame is obtained, based on any hash value generating algorithm, from the return address and the hash value corresponding to that return address stored in the preceding frame of the stack; i ≥ 1, j > i, where j is the serial number of the top frame;
a verification module, for confirming that the return address to be verified has been tampered with if it judges that the hash value to be verified differs from a pre-generated correct hash value; wherein the correct hash value was previously obtained, based on the same hash value generating algorithm, from the untampered return address in the top frame of the stack and the hash value corresponding to that untampered return address.
Further, the device also includes a Top register for storing the correct hash value, and the correct hash value stored in the Top register can only be modified by preset instructions.
Further, the device also includes a hash computing module for executing the hash value generating algorithm.
Further, any return address in the stack and the hash value corresponding to that return address are stored separately, at different locations in the same stack frame.
Further, the verification module is also used to confirm that the return address to be verified has not been tampered with if it judges that the hash value to be verified is identical to the pre-generated correct hash value.
The above embodiments of the present invention provide a method and device for detecting that a return address in a stack has been tampered with. The return addresses and their hash values are all stored and verified through a single chain structure, so the embodiments offer high security, small performance loss and low design complexity.
Brief description of the drawings
Fig. 1 is an overall flow diagram of the method for detecting that a return address in a stack has been tampered with according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of the hash-chain stack in the method for detecting that a return address in a stack has been tampered with according to an embodiment of the present invention;
Fig. 3 is a structural diagram of the hash-chain stack in the method for detecting that a return address in a stack has been tampered with according to an embodiment of the present invention;
Fig. 4 is a structural diagram of a prior-art stack, for comparison with the embodiment of the present invention;
Fig. 5 is a diagram of the difference between execution of the call instruction in the method according to an embodiment of the present invention and execution of the prior-art call instruction;
Fig. 6 is a diagram of the difference between execution of the return instruction in the method according to an embodiment of the present invention and execution of the prior-art return instruction;
Fig. 7 is a diagram of the non-compressed structure and the compressed storage structure in the method according to an embodiment of the present invention;
Fig. 8 is an overall structural diagram of the device for detecting that a return address in a stack has been tampered with according to an embodiment of the present invention.
Specific embodiment
Specific embodiments of the present invention are described in further detail below with reference to the accompanying drawings and examples. The following examples are intended to illustrate the present invention and not to limit its scope.
The description first gives a clear explanation of the basic concepts, the prior art and its defects.
Memory vulnerability: a design fault in a program's operations on memory, in time or in space, introduced by the programmer during software development, which lets the program be made to behave in ways that violate the program's own design. By exploiting a program's memory vulnerabilities, an attacker can construct various attacks and execute malicious behaviour.
Buffer overflow: the most common memory vulnerability. Copying more data into a buffer than the buffer's length produces a buffer overflow, which overwrites other data outside the buffer. A stack overflow vulnerability is the most common kind of buffer overflow: overly long data copied into the stack causes a buffer on the stack to overflow, overwriting other critical data on the stack.
Stack: also called a storehouse, a linear list with restricted operations; insertions and deletions are allowed only at one end of the list. This end is called the top of the stack and the other end the bottom. Inserting a new element into a stack is called pushing: the new element is placed above the current top element and becomes the new top. Deleting an element from a stack is called popping: the top element is removed and the element adjacent to it becomes the new top.
Stack overflow: a kind of buffer overflow in which useful storage units are overwritten, often with unpredictable consequences. While running, a program generally allocates some memory space to hold data temporarily; these spaces are commonly called buffers. If data longer than the buffer is written into it, so that the buffer cannot hold it, storage units outside the buffer are overwritten; this phenomenon is known as a buffer overflow. The length of a buffer is generally related to the type of the buffer variable defined by the user.
Function call: when a program is compiled or run, a function is used to carry out a related command.
Return address: the most important piece of data stored in the stack is the function return address. When a function is called, the call instruction (for example the Call instruction) pushes the function return address onto the stack. When the function returns, the return instruction (for example the Return instruction) reads the return address saved in the stack, jumps back to the location from which the function was called, and execution continues. The most common way to attack through a stack overflow vulnerability is to use the overflow to overwrite the return address, replacing it with an address set by the attacker. When the function returns, execution jumps to the location the attacker set and runs the code the attacker wants executed.
ROP attack: a classic technique for constructing an attack from a memory vulnerability. Because non-executable memory technology (DEP or NX) is widespread, injecting code directly and executing a malicious attack has become difficult, whereas an ROP attack uses the program's own code, linked together by return addresses, to construct the attack. The principle of ROP is to use snippets of the program's own code that end with a return instruction (such as the Return instruction), called gadgets, and, with control of the stack space, to make the program run these gadgets one after another. When the program executes a Return, the CPU takes an address from the current stack and jumps to the code that the address points to. The attacker first places the addresses of a series of gadgets in the stack; when the CPU executes the Return it takes the first address and jumps to that gadget; when the first gadget finishes, the return instruction at its end takes the second address and jumps to the second gadget; and so on, constructing arbitrary malicious behaviour.
ROP and similar attacks all depend on tampering with the return address, and the existing technologies all prevent these attacks by protecting the return address. The main related work is the shadow stack (Shadow Stack) and stack protection (the stack cookie, also called the stack canary).
A shadow stack keeps a backup of the return addresses in the stack in another memory region, using one of several implementations (that memory region is the shadow stack); before a return address in the stack is used it is compared with the backup, and if the addresses differ, the address in the stack has been tampered with. In simple terms, the essence of a shadow stack is to keep a copy of the return address in another place, so that modification of the return address in the stack by an attacker is no longer a concern. The CET technology (Control-flow Enforcement Technology) proposed by Intel Corporation in 2016 mainly includes two technologies, one of which is the shadow stack.
Stack protection is a practical technique used in many mainstream compilers, such as gcc. The return address is stored in the stack, and a canary (the protection value, a random number) is inserted in front of the return address. If an attacker wants to overwrite the return address using a stack overflow, the protection value will necessarily be overwritten as well. Since the protection value is a random number that the attacker cannot know, the protection value will change. When the function returns it checks whether the protection value has changed, and can thereby discover whether the return address has been maliciously tampered with.
However, the above prior-art methods have the following technical defects.
The shadow stack method has some problems:
1. The backup in the shadow stack must be perfectly secure, which is very difficult to achieve in practice. For example, Intel's CET technology uses a new page attribute to mark a separate page as a "shadow stack" page and protect it. But this page attribute can be modified, for which there were precedents in actual attacks against DEP. So protecting a memory region on its own is not sufficiently secure. If the attacker can modify the return addresses on both the shadow stack and the stack at the same time, the protection of the shadow stack can be broken.
2. The backup in the shadow stack needs a separate page to store it, which increases memory accesses, reduces performance and also increases memory overhead.
3. The implementation of a shadow stack is relatively complex. If the security of the shadow stack itself is not considered, the design can be comparatively simple, but the security is insufficient. If the security of the shadow stack itself is considered, additional protection mechanisms must be added to the memory holding the shadow stack, which greatly increases design complexity and makes it impractical.
The stack protection method has some problems:
1. Stack protection needs a protection value (a random number) inserted in front of the return address. Once an attacker knows the protection value, the return address and the protection value can easily be overwritten while ensuring that the protection value does not change.
2. Stack protection can only defend against a stack overflow that overwrites the return address, and cannot defend against other attacks, for example an arbitrary write that directly modifies the return address point-to-point.
In short, the security of both the shadow stack and stack protection is insufficient, and attackers can still find ways to bypass them.
The specific embodiments of the present invention propose a method for detecting that a return address in a stack has been tampered with.
As shown in Fig. 1, the overall flow diagram of the method for detecting that a return address in a stack has been tampered with according to an embodiment of the present invention, the method comprises:
S1: according to the return address to be verified stored in the top frame of the stack and the hash value corresponding to the return address to be verified, obtain a hash value to be verified based on any hash value generating algorithm;
wherein the i-th frame in the stack stores the i-th return address and a random number; each frame from the (i+1)-th frame to the top frame of the stack stores the return address corresponding to that frame and the hash value corresponding to that return address; the hash value corresponding to the return address of any such frame is obtained, based on any hash value generating algorithm, from the return address and the hash value corresponding to that return address stored in the preceding frame of the stack; i ≥ 1, j > i, where j is the serial number of the top frame;
S2: if the hash value to be verified differs from a pre-generated correct hash value, confirm that the return address to be verified has been tampered with; wherein the correct hash value was previously obtained, based on the same hash value generating algorithm, from the untampered return address in the top frame of the stack and the hash value corresponding to that untampered return address.
Specifically, the embodiment of the present invention uses a mainstream hash algorithm to protect the return address. Hash algorithms have some unique advantages: it is difficult to derive the input of a hash from its output, and it is difficult for an attacker to obtain a desired output value by controlling the input. The present invention proposes to maintain all return addresses and hash values through a single chain structure. As shown in Fig. 2, the newest hash value is computed from the newest return address (the one stored in the top frame of the stack) and the previous hash value (the one stored in the top frame of the stack). The hash value in the top frame is in turn computed from the return address and the hash value stored in the frame before it. Therefore, the return addresses and hash values in the frames of the stack form a chain.
Fig. 3 illustrates the stack structure of the embodiment of the present invention. Compared with the normal stack structure of Fig. 4, the stack structure of the embodiment stores each return address together with its corresponding hash value in the same frame. Note that the hash values and return addresses stored in the same frame are staggered: the first return address (Address 1) is stored together with a random number (RAND); the first hash value (Hash 1), computed from the first return address and the random number, is stored together with the second return address; and so on, the second hash value is stored with the third return address; and the newest hash value (Hash 3) is stored in a special register (called the Top register). The random number RAND is the initial value of the Top register.
Further, the embodiment of the present invention introduces the specific execution process of the call instruction and the return instruction, taking the call and return instructions as examples.
The execution process of the normal call and return instructions is introduced first, followed by the execution process of the call and return instructions in the present invention. Fig. 5 illustrates the steps by which the call instruction of the present invention differs from the normal execution process, and Fig. 6 illustrates the steps by which the return instruction differs from the normal execution process.
Execution of the normal call instruction (Call instruction): 1) push the return address onto the stack; 2) store the destination address of the call instruction (Call instruction) in the PC (equivalent to jumping to the destination address).
Execution of the normal return instruction (Return instruction): 1) pop the return address from the stack; 2) store the return address in the PC (equivalent to jumping to the return address).
Execution of the call instruction (Call instruction) of the present invention: 1) push the hash value in the Top register and the return address (the untampered return address of the top frame) onto the stack together; 2) use the pushed data (the hash value and return address from step 1) as the input of the hash function to compute a new hash value (the correct hash value), and store the new hash value in the Top register; 3) store the destination address of the call instruction (Call instruction) in the PC.
Execution of the return instruction (Return instruction) of the embodiment of the present invention: 1) pop the hash value and the return address (the return address to be verified) of the top frame from the stack, and compute the hash of the popped hash value and return address (the hash value to be verified); 2) compare the computed hash value (the hash value to be verified) with the hash value saved in the Top register (the correct hash value). If the two are not equal, an anomaly has occurred; an alarm should be raised and the program interrupted. If the two are equal, execution is normal and continues. 3) Store the popped hash value in the Top register (the popped hash value, not the hash value to be verified). 4) When the hash value to be verified equals the correct hash value, store the return address to be verified in the PC; when the hash value to be verified and the correct hash value are not equal, an anomaly has occurred and the program is interrupted.
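The call and return sequences above, modelled in software as an added example (this is not the patent's own implementation). Each frame holds the hash value that was in the Top register when the call happened plus the pushed return address; the Top register always holds the hash over the newest pair. The hash function (a splitmix64-based mix), the Salt register input, the RAND and Salt values and the addresses are all constructed assumptions for the model.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

#define MAX_FRAMES 64

typedef struct {
    uint64_t hash;   /* Top register value before this call (RAND for frame 1) */
    uint64_t ret;    /* return address pushed by the call */
} frame_t;

typedef struct {
    uint64_t top;    /* Top register: newest hash value, RAND initially */
    uint64_t salt;   /* Salt register: extra hash input, set at process start */
    frame_t frames[MAX_FRAMES];
    size_t depth;
} hc_stack_t;

/* The text allows any hash algorithm; this stand-in uses the splitmix64
 * finalizer (assumption for the model, not the patent's algorithm). */
static uint64_t mix64(uint64_t x) {
    x ^= x >> 30; x *= 0xBF58476D1CE4E5B9ULL;
    x ^= x >> 27; x *= 0x94D049BB133111EBULL;
    return x ^ (x >> 31);
}

static uint64_t chain_hash(uint64_t salt, uint64_t prev_hash, uint64_t ret) {
    return mix64(salt ^ mix64(prev_hash ^ mix64(ret + 0x9E3779B97F4A7C15ULL)));
}

void hc_init(hc_stack_t *s, uint64_t rand_top, uint64_t salt) {
    s->top = rand_top;   /* RAND is the initial value of the Top register */
    s->salt = salt;
    s->depth = 0;
}

/* Call instruction: push (Top, return address) together, then
 * Top = H(Top, return address). The PC update is not modelled. */
bool hc_call(hc_stack_t *s, uint64_t ret) {
    if (s->depth >= MAX_FRAMES) return false;
    uint64_t prev = s->top;
    s->frames[s->depth].hash = prev;
    s->frames[s->depth].ret = ret;
    s->depth++;
    s->top = chain_hash(s->salt, prev, ret);
    return true;
}

/* Return instruction: pop (hash, return address), recompute the hash over
 * the pair and compare with Top. On a match restore Top from the popped
 * hash and hand back the return address in *pc; on a mismatch report the
 * anomaly (the program would be interrupted here). */
bool hc_ret(hc_stack_t *s, uint64_t *pc) {
    if (s->depth == 0) return false;
    frame_t f = s->frames[--s->depth];
    uint64_t to_verify = chain_hash(s->salt, f.hash, f.ret);
    if (to_verify != s->top) return false;   /* return address or hash tampered */
    s->top = f.hash;
    *pc = f.ret;
    return true;
}

/* Honest path main -> f -> g and back. Returns the final address jumped to
 * (main's return point) only if both returns verify and Top is back at RAND. */
uint64_t demo_honest_path(void) {
    hc_stack_t s;
    hc_init(&s, 0x5EEDULL, 0xCAFEULL);   /* constructed RAND and Salt */
    hc_call(&s, 0x401000ULL);            /* main calls f */
    hc_call(&s, 0x402000ULL);            /* f calls g */
    uint64_t pc = 0;
    if (!hc_ret(&s, &pc) || pc != 0x402000ULL) return 0;
    if (!hc_ret(&s, &pc) || s.top != 0x5EEDULL) return 0;
    return pc;
}

/* A stack overflow overwrites only the top frame's return address. */
bool demo_detects_overwrite(void) {
    hc_stack_t s;
    hc_init(&s, 0x5EEDULL, 0xCAFEULL);
    hc_call(&s, 0x401000ULL);
    hc_call(&s, 0x402000ULL);
    s.frames[s.depth - 1].ret = 0x41414141ULL;   /* simulated overwrite */
    uint64_t pc = 0;
    return !hc_ret(&s, &pc);                     /* true: detected */
}

/* Both the stored hash and the return address of the top frame are rewritten
 * with chosen values; the Top register is out of reach, so the pair still
 * fails to verify unless the attacker finds a hash collision. */
bool demo_detects_forged_pair(void) {
    hc_stack_t s;
    hc_init(&s, 0x5EEDULL, 0xCAFEULL);
    hc_call(&s, 0x401000ULL);
    s.frames[0].hash = 0x1234ULL;
    s.frames[0].ret = 0x41414141ULL;
    uint64_t pc = 0;
    return !hc_ret(&s, &pc);
}
```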
In another specific embodiment of the invention, a method for detecting that a return address in a stack has been tampered with is provided, in which the processor executing the method also includes a Top register; the Top register is used to store the correct hash value, and the correct hash value stored in the Top register can only be modified by preset instructions.
In another specific embodiment of the invention, a method for detecting that a return address in a stack has been tampered with is provided, in which the processor executing the method also includes a Salt register, used to store a challenge value that serves as another input of the hash function; the challenge value can only be modified by preset instructions.
To realize the above embodiments, in actual development at least one register must be added to the processor executing the method, including at least the Top register and possibly also the Salt register. The Top register saves the newest hash value; the challenge value stored in the Salt register is another input of the hash function, generally a random value although it may also be another kind of value, and it further increases the difficulty of cracking the hash function.
At the very beginning of a process, the Top register and the Salt register are each set to a random number, or to a non-random number generated in some other way, with a random number being most preferred. The hardware should ensure that the correct hash value stored in the Top register and the challenge value stored in the Salt register can only be modified by preset instructions; otherwise the present invention loses its defensive effect. Protecting a few special registers from modification by an attacker is not difficult to achieve. Even if the attacker has read the Salt register, the present invention still ensures that the attacker cannot easily tamper with the return address and still has high security.
The hardware does not need to guarantee that the Top register cannot be read by an attacker. Whether or not an attacker can read the Top register has no effect on the security of the present invention.
In another specific embodiment of the invention, a method for detecting that a return address in a stack has been tampered with is provided, in which the challenge value stored in the Salt register and the correct hash value stored in the Top register cannot be read except by a designated, preset privileged instruction. The hardware should as far as possible ensure that the Salt register is not read by an attacker, which is also relatively easy to achieve technically. In addition, even if the attacker has read the Salt register, the present invention still ensures that the attacker cannot easily tamper with the return address and still has high security.
In another specific embodiment of the invention, a method for detecting that a return address in a stack has been tampered with is provided, in which the processor executing the method also includes a hash computing module for executing any hash value generating algorithm.
The embodiment of the present invention places no particular requirement on the choice of hash algorithm: any hash algorithm can be used, and even other encryption and decryption algorithms may be used.
In another specific embodiment of the invention, a method for detecting that a return address in a stack has been tampered with is provided, in which any return address in the stack and the hash value corresponding to it are stored separately, at different locations in the same stack frame. As shown in Fig. 7, storing the return address and the hash value separately at different locations is called the non-compressed structure (or normal structure).
In another specific embodiment of the invention, a method for detecting that a return address in a stack has been tampered with is provided, in which, on a 64-bit operating system, any return address is stored normally at any position in the stack, and the hash value corresponding to that return address is stored in the high-bit space of that position.
In particular, in a 64-bit system a return address occupies 64 bits, but the actual return address is not that long, generally only 40-odd bits, so the high bits of the 64 are idle. Therefore the hash value can be saved in the high bits of the 64-bit word. This storage structure is called the compressed structure, as shown in Fig. 7. Compared with the original stack structure, the compressed structure differs only in the value of the return address in the stack (and is completely identical in layout). This yields a most important beneficial effect, compatibility with previous binaries, because most programs follow these rules: (1) call and return instructions are matched; (2) only call and return instructions use the return address, other instructions do not; (3) the other values in the stack are all located by offset, so if the layout is kept, the other data in the stack can be used directly. Correspondingly, the operation needed to reach this target is to replace all (or a matched part of) the call and return instructions in the original program with the call and return instructions of the embodiment, and to use the compressed structure. Meanwhile, using the compressed structure also saves space compared with the non-compressed structure.
Of course, besides the return address, some data may also be kept in the high bits of the 64, such as the random bits of ASLR. In any case, these data do not use up the 64-bit space, and usually 20-odd free bits remain, which is enough to save the hash value.
In another specific embodiment of the invention, a method for detecting that a return address in a stack has been tampered with is provided, which after S2 further includes: interrupting the running of the program, and at the same time storing the hash value corresponding to the return address to be verified in the Top register.
If it is confirmed that the return address to be verified has been tampered with, this indicates that an exception has occurred: an alarm should be raised and the running of the program interrupted.
In another specific embodiment of the invention, a method for detecting that a return address in a stack has been tampered with is provided in which, if the hash value to be verified is identical to the pre-generated correct hash value, it is confirmed that the return address to be verified has not been tampered with.
In another specific embodiment of the invention, a method for detecting that a return address in a stack has been tampered with is provided in which the processor used to execute the method further includes a counter, whose count is incremented by one when the stack executes a call instruction (for example a Call instruction) and decremented by one when the stack executes a return instruction (for example a Return instruction); at the end of the process, if the count of the counter is not 0, or the correct hash value in the Top register has been modified, an error is reported.
Consider the assumption of a very capable attacker with unlimited computing power: such an attacker could forcibly tamper with the return address by way of a hash collision, constructing an identical hash value. For this extreme case the embodiment of the invention still has a way of discovering the attack, namely that the attacker cannot control the value of the Top register, and so cannot guarantee that the value of the Top register after the attack is the same as its initial value; traces of the attack are therefore necessarily left behind.
The embodiment of the invention further adds a Number counter that records the number of executions of call instructions and return instructions, ensuring that the numbers of call and return instructions match. When the process starts, the Number counter is initialised to 0; executing a call instruction adds one to the count; executing a return instruction subtracts one. When the process terminates, Number should be 0; otherwise an error is reported and the program's execution is terminated.
Likewise, when the process terminates and exits, the value of the Top register should equal the initial value the Top register had at the very start of the process; otherwise the process is regarded as having been attacked, an error is reported and execution is terminated.
If it is considered that the process may exit midway, the values of the Top register and the Number register also need to be saved and monitored, to ensure that the values of the Top register and the Number register match at the moment of the midway exit.
As shown in Figure 8, a general framework diagram of a device for detecting that a return address in a stack has been tampered with according to the invention, the device generally comprises:
A hash value computing module A1, configured to obtain a hash value to be verified from the return address to be verified stored in the top frame of the stack and the hash value corresponding to the return address to be verified, based on any hash value generating algorithm;
wherein the i-th frame in the stack stores the i-th return address and a random number; each frame from the (i+1)-th frame to the top frame of the stack stores a return address and the hash value corresponding to that return address, where the hash value corresponding to the return address in any frame is the hash value obtained, based on any hash value generating algorithm, from the return address and the hash value corresponding to the return address stored in the frame preceding that frame in the stack; i ≥ 1 and j > i, where j is the serial number of the top frame of the stack;
A verification module A2, configured to confirm that the return address to be verified has been tampered with if the hash value to be verified differs from the pre-generated correct hash value; wherein the correct hash value is obtained in advance, based on any hash value generating algorithm, from the untampered return address in the top frame of the stack and the untampered hash value corresponding to that return address.
In another specific embodiment of the invention, a device for detecting that a return address in a stack has been tampered with is provided in which the processor used to execute the method further includes a Top register and a Salt register:
wherein the Top register is used to store the correct hash value, and the correct hash value stored in it can only be modified by preset instructions;
the Salt register is used to store a challenge value, which serves as another input of the hash function, and the challenge value can only be modified by preset instructions.
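The chain update on a call, the S1/S2 check on a return, the Top and Salt registers and the Number counter (the method steps above and the device embodiment with its registers), simulated in software as an added example rather than the patent's own implementation. `chain_hash` is a stand-in for "any hash value generating algorithm" and is not a cryptographic hash; the register seeds and the return addresses are constructed values; every name (`cpu_call`, `cpu_ret`, `proc_start`, `proc_exit_ok` and the demo functions) is this example's own.

```c
#include <stdint.h>
#include <string.h>
#define MAX_FRAMES 64

/* Frame (non-compressed layout): return address plus its chain hash, i.e. the hash of the frame below. */
typedef struct { uint64_t ret; uint64_t hash; } frame_t;

/* Simulated processor: the stack, the Top and Salt registers, the Number counter. */
static struct {
    frame_t  frames[MAX_FRAMES];
    int      depth;      /* frames[depth-1] is the top frame */
    uint64_t top;        /* Top register: correct hash for the top frame */
    uint64_t top_init;   /* Top at process start */
    uint64_t salt;       /* Salt register: second hash input */
    long     number;     /* Number counter: calls minus returns */
} cpu;

/* Stand-in for "any hash value generating algorithm": a 64-bit mixer, not a
 * cryptographic hash; a real design would choose one deliberately. */
static uint64_t mix64(uint64_t x) {
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    return x ^ (x >> 31);
}
uint64_t chain_hash(uint64_t ret, uint64_t prev_hash, uint64_t salt) {
    return mix64(ret ^ mix64(prev_hash ^ salt));
}

/* Process start: the OS seeds Top (the "random number" the first frame will
 * hold) and Salt, and clears Number. */
void proc_start(uint64_t top_seed, uint64_t salt) {
    memset(&cpu, 0, sizeof cpu);
    cpu.top = cpu.top_init = top_seed;
    cpu.salt = salt;
}

/* Replaced call: push (ret, Top), then Top = H(ret, Top, Salt), Number++. */
int cpu_call(uint64_t ret) {
    if (cpu.depth >= MAX_FRAMES) return -1;
    frame_t *f = &cpu.frames[cpu.depth++];
    f->ret = ret;
    f->hash = cpu.top;
    cpu.top = chain_hash(ret, f->hash, cpu.salt);
    cpu.number++;
    return 0;
}

/* Replaced return: S1 recomputes the hash of the top frame, S2 compares it with
 * Top. 0 = clean (*target set), 1 = tampered (alarm, stop), -1 = no frame. */
int cpu_ret(uint64_t *target) {
    if (cpu.depth == 0) return -1;
    frame_t *f = &cpu.frames[cpu.depth - 1];
    uint64_t to_verify = chain_hash(f->ret, f->hash, cpu.salt);   /* S1 */
    if (to_verify != cpu.top) return 1;                           /* S2 */
    cpu.top = f->hash;        /* Top falls back to the hash of the frame below */
    cpu.depth--;
    cpu.number--;
    *target = f->ret;
    return 0;
}

/* Process exit: Number must be 0 and Top must equal its initial value. */
int proc_exit_ok(void) {
    return cpu.number == 0 && cpu.top == cpu.top_init;
}

#define SEED_TOP  0x5eed5eed5eed5eedULL   /* constructed register seeds */
#define SEED_SALT 0x5a175a175a175a17ULL
/* Clean run: two nested calls, two returns, exit checks pass -> 1. */
int demo_clean(void) {
    uint64_t t;
    proc_start(SEED_TOP, SEED_SALT);
    if (cpu_call(0x401000) || cpu_call(0x402000)) return 0;
    if (cpu_ret(&t) != 0 || t != 0x402000) return 0;
    if (cpu_ret(&t) != 0 || t != 0x401000) return 0;
    return proc_exit_ok();
}

/* Tampered run: the top frame's return address is overwritten in memory, as a
 * stack overflow would do; the next return reports it -> 1. */
int demo_tampered(void) {
    uint64_t t;
    proc_start(SEED_TOP, SEED_SALT);
    cpu_call(0x401000);
    cpu_call(0x402000);
    cpu.frames[cpu.depth - 1].ret = 0x4badadd0ULL;   /* constructed bogus target */
    return cpu_ret(&t) == 1;
}

/* Unbalanced run: one frame is never returned from (a longjmp out of it, say);
 * Number and Top both expose it at exit -> 1. */
int demo_unbalanced(void) {
    uint64_t t;
    proc_start(SEED_TOP, SEED_SALT);
    cpu_call(0x401000);
    cpu_call(0x402000);
    cpu_ret(&t);
    return !proc_exit_ok() && cpu.number == 1 && cpu.top != cpu.top_init;
}
```

The two exit-time checks are what survive a hash collision on a single frame: a forged hash only satisfies S2 for that one return, while Number and the Top register, which no ordinary instruction can write, still have to come back to their starting values before the process is allowed to exit cleanly.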
For the invention to be truly applied to a real system, support from the compiler, the operating system and other components is also required. The operating system needs to know of the existence of the several designated registers (including the Top register and the Salt register). At the start of each process it initialises the values of these registers to random numbers. On a process switch it saves the values of these registers, ensuring that each process has its own relevant information and that processes do not affect each other. The compiler also needs to know about these designated registers. For the non-compressed structure, the compiler needs to add some code that operates on these registers. For the compressed structure, the compiler needs to know the exact layout of the 64-bit return address, which bits are the return address and which are the hash value, so that it can add the special handling code to the program. If the compiler offers sufficient support, the invention can also be implemented purely by the compiler (without hardware support), but the efficiency achieved is lower than that of a pure hardware implementation, with a performance loss of about 3%.
The invention has very high flexibility and compatibility. For example, a multi-chain structure can be used, with every certain number of return addresses protected by a different chain; or certain addresses can be protected and others not, to increase the difficulty for an attacker of cracking the scheme. The invention does not conflict with other defence methods and can be used in combination with them.
Compared with other techniques, each of the specific embodiments above uses a chaining technique, i.e. linking return addresses and hash values together into a chain, which is the core idea of the invention. The invention protects return addresses by hash computation, which has some exclusive advantages: for example, knowing the final hash value, it is difficult to derive the original value from it. It should be noted, however, that the possibility remains of replacing the hash algorithm with other encryption and decryption algorithms. Chained hashing brings advantages in many respects, such as high security, small performance loss and low design complexity.
Meanwhile the above embodiment of the present invention is better than existing method, from safety, performance, design complexities, compatibility, reality With various aspects such as property.Compared with some particular technique, the present invention is more preferable in some aspects, and other aspect also ensure that it is not poor In the technology.
Firstly, the present invention can strict guarantee return address will not be maliciously tampered, safety is all higher than other methods.Than Such as, the Backup Data that shadow stack not can avoid shadow stack is not modified, and stack protection not can avoid the leakage of protection value.
Secondly, according to experiment, using the performance loss only 0.15% of the invention of hardware supported, lower than existing various Method.
On hardware, the present invention only needs to increase several registers and a Hash operation module, and design complexities are very low, It is easy to accomplish.And other methods may modify page table management mechanism such as shadow stack, complexity is more much higher than the present invention.
Versatility of the present invention is high, can be used for the computer system of any mainstream.Function call and return are most basic journeys Sequence function, all computers are all supported, and the present invention can be used for all computer systems for supporting function call and return.
Compatibility of the invention is high, to the change very little of system, can be good at that existing computer system is added.
In short, the present invention is a very useful technology, can very easily be applied in true system.
In addition, there are also some exclusive advantages by the present invention.Once for example, success attack, existing defence method all can not It was found that.And even if the present invention is really cracked by attacker, but attacker will necessarily leave attack trace, to will necessarily be sent out It is existing.
Finally, the present processes are only preferable embodiment, it is not intended to limit the protection model of the embodiment of the present invention It encloses.With within principle, any modification, equivalent replacement, improvement and so on should be included in all spirit in the embodiment of the present invention Within the protection scope of the embodiment of the present invention.

Claims (10)

1. A method for detecting that a return address in a stack has been tampered with, characterized by comprising:
S1: obtaining a hash value to be verified from the return address to be verified stored in the top frame of the stack and the hash value corresponding to the return address to be verified, based on any hash value generating algorithm;
wherein the i-th frame in the stack stores the i-th return address and a random number; each frame from the (i+1)-th frame to the top frame of the stack stores a return address and the hash value corresponding to that return address; wherein the hash value corresponding to the return address in any frame is the hash value obtained, based on any hash value generating algorithm, from the return address and the hash value corresponding to the return address stored in the frame preceding that frame in the stack; i ≥ 1 and j > i, where j is the serial number of the top frame of the stack;
S2: if the hash value to be verified is different from a pre-generated correct hash value, confirming that the return address to be verified has been tampered with; wherein the correct hash value is obtained in advance, based on any hash value generating algorithm, from the untampered return address in the top frame of the stack and the untampered hash value corresponding to that return address.
2. The method according to claim 1, characterized in that the processor for executing the method for detecting that a return address in a stack has been tampered with further comprises a Top register, the Top register being used to store the correct hash value, and the correct hash value stored in the Top register can only be modified by preset instructions.
3. The method according to claim 2, characterized in that the processor for executing the method for detecting that a return address in a stack has been tampered with further comprises a hash computing module for executing the any hash value generating algorithm.
4. The method according to claim 1, characterized in that any return address in the stack and the hash value corresponding to that return address are stored separately at different locations within the same stack frame of the stack.
5. The method according to claim 1, characterized in that S2 further comprises:
if the hash value to be verified is identical to the pre-generated correct hash value, confirming that the return address to be verified has not been tampered with.
6. A device for detecting that a return address in a stack has been tampered with, characterized by comprising:
a hash value computing module, configured to obtain a hash value to be verified from the return address to be verified stored in the top frame of the stack and the hash value corresponding to the return address to be verified, based on any hash value generating algorithm;
wherein the i-th frame in the stack stores the i-th return address and a random number; each frame from the (i+1)-th frame to the top frame of the stack stores a return address and the hash value corresponding to that return address; wherein the hash value corresponding to the return address in any frame is the hash value obtained, based on any hash value generating algorithm, from the return address and the hash value corresponding to the return address stored in the frame preceding that frame in the stack; i ≥ 1 and j > i, where j is the serial number of the top frame of the stack;
a verification module, configured to confirm that the return address to be verified has been tampered with if it judges that the hash value to be verified is different from a pre-generated correct hash value; wherein the correct hash value is obtained in advance, based on any hash value generating algorithm, from the untampered return address in the top frame of the stack and the untampered hash value corresponding to that return address.
7. The device according to claim 6, characterized by further comprising a Top register, the Top register being used to store the correct hash value, and the correct hash value stored in the Top register can only be modified by preset instructions.
8. The device according to claim 7, characterized by further comprising a hash computing module for executing the any hash value generating algorithm.
9. The device according to claim 6, characterized in that any return address in the stack and the hash value corresponding to that return address are stored separately at different locations within the same stack frame of the stack.
10. The device according to claim 6, characterized in that the verification module is further configured to confirm that the return address to be verified has not been tampered with if it judges that the hash value to be verified is identical to the pre-generated correct hash value.
CN201811109566.2A 2018-09-21 2018-09-21 The method and device that return address is tampered in detection storehouse Pending CN109409082A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201811109566.2A CN109409082A (en) 2018-09-21 2018-09-21 The method and device that return address is tampered in detection storehouse
PCT/CN2019/106686 WO2020057603A1 (en) 2018-09-21 2019-09-19 Method and apparatus for detecting that return address in stack has been tampered with

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811109566.2A CN109409082A (en) 2018-09-21 2018-09-21 The method and device that return address is tampered in detection storehouse

Publications (1)

Publication Number Publication Date
CN109409082A true CN109409082A (en) 2019-03-01

Family

ID=65466234

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811109566.2A Pending CN109409082A (en) 2018-09-21 2018-09-21 The method and device that return address is tampered in detection storehouse

Country Status (2)

Country Link
CN (1) CN109409082A (en)
WO (1) WO2020057603A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110378109A (en) * 2019-06-26 2019-10-25 中国科学院信息工程研究所 Reduce the method and system of chain type Hash stack performance loss
WO2020057603A1 (en) * 2018-09-21 2020-03-26 中国科学院信息工程研究所 Method and apparatus for detecting that return address in stack has been tampered with
CN112463536A (en) * 2020-11-27 2021-03-09 宁波拓普集团股份有限公司 System and method for monitoring illegal tampering of software stack area

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090144309A1 (en) * 2007-11-30 2009-06-04 Cabrera Escandell Marco A Method and apparatus for verifying a suspect return pointer in a stack
US20120236857A1 (en) * 2010-05-18 2012-09-20 Lsi Corporation Multicast address learning in an input/output adapter of a network processor
CN103942152A (en) * 2014-04-28 2014-07-23 中国人民解放军国防科学技术大学 Distributed stacking data storage method supporting SIMD system structure

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101344904B (en) * 2008-09-02 2010-09-01 中国科学院软件研究所 Dynamic measurement method
CN106295322B (en) * 2016-07-26 2018-12-18 北京航空航天大学 A kind of hardware protection device for buffer overflow attack
EP3373178A1 (en) * 2017-03-08 2018-09-12 Secure-IC SAS Comparison of execution context data signatures with references
CN109409082A (en) * 2018-09-21 2019-03-01 中国科学院信息工程研究所 The method and device that return address is tampered in detection storehouse


Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020057603A1 (en) * 2018-09-21 2020-03-26 中国科学院信息工程研究所 Method and apparatus for detecting that return address in stack has been tampered with
CN110378109A (en) * 2019-06-26 2019-10-25 中国科学院信息工程研究所 Reduce the method and system of chain type Hash stack performance loss
CN112463536A (en) * 2020-11-27 2021-03-09 宁波拓普集团股份有限公司 System and method for monitoring illegal tampering of software stack area
CN112463536B (en) * 2020-11-27 2022-08-05 宁波拓普集团股份有限公司 System and method for monitoring illegal tampering of software stack area

Also Published As

Publication number Publication date
WO2020057603A1 (en) 2020-03-26


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190301