CN110059454B - Method and device for reinforcing safety of CPU program - Google Patents

Info

Publication number: CN110059454B (application publication: CN110059454A)
Application number: CN201910251029.XA
Authority: CN (China)
Legal status: Active (as listed by Google Patents; the listed status is an assumption, not a legal conclusion)
Inventor: not disclosed (不公告发明人)
Current assignee: Wangyu Safety Technology Shenzhen Co ltd
Original assignee: Wangyu Safety Technology Shenzhen Co ltd
Original language: Chinese (zh)
Prior art keywords: instruction, address, cpu, program, instruction address

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F 21/12 Protecting executable software
    • G06F 21/14 Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation

Abstract

The invention relates to a method and a device for security hardening of a CPU program. The method comprises the following steps: acquiring the output data of the instruction address register in the CPU and temporarily storing it, as the previous instruction address, in a previous instruction address register; comparing the previous instruction address in that register with the current instruction address in the CPU's instruction address register and judging whether the current instruction address is non-increasing relative to the previous one; if so, judging whether the current instruction address exists in a preset address set, and if not, determining that the CPU program has run away. The address set comprises the entry addresses of all sequential instruction segments in the CPU program, the interrupt entry address, and the entry addresses of all sequential instruction segments in the interrupt service program. By implementing the technical scheme of the invention, the coverage and completeness of program jump detection can be improved, and the response speed of program runaway detection is greatly improved.

Description

Method and device for reinforcing safety of CPU program
Technical Field
The invention relates to the field of computers, in particular to a method and a device for security hardening of a CPU program.
Background
During CPU operation, interference from the external environment (e.g. electromagnetic or voltage disturbances) or a malicious attacker deliberately applying a laser or electromagnetic fault-injection attack to the CPU chip can make the program executed by the CPU deviate from its predetermined path, jump to a location outside the normal program address space, and perform unintended operations; this is called program runaway. Runaway caused by the environment disrupts the normal functions of the CPU, and an attacker who induces runaway deliberately can cause malicious code to begin executing from the abnormal jump target. Adding program runaway protection to the CPU design is therefore of significant value for security hardening of the CPU.
The CPU implements its functions by executing a program; reading, interpreting and executing the instructions along the intended path is the basis for correct execution of that program. Expanding the program structure, as shown in fig. 1, it consists of several sequential instruction segments that are executed in turn or reached by jumps. The address of the first instruction of a sequential instruction segment is the entry address of that segment and is also the target address of the jump instruction that reaches it. Taking the sequential instruction segment Ci in the figure as an example, its entry address Addr-i is also the branch target address of the jump instruction Ji. Consequently, checking the target address of each jump instruction makes it possible to tell whether the program has run away.
At present a software method is usually used to check whether a jump instruction executed correctly: a hash computation is inserted at each jump instruction, and the computed hash value is compared with an expected value to decide whether the program has run away. This software approach has the following drawbacks:
1. Only known jump conditions can be detected, namely the jump instructions in the program at which a program-trace hash computation was inserted; unpredictable transfers such as hardware interrupts cannot be detected. If an attacker uses laser or electromagnetic attack methods to modify the content of the instruction address register in the CPU so that the program jumps to the address space where malicious software resides, and the malicious software jumps back to the instruction following the original insertion point once it has finished, the software detection scheme cannot detect that the malicious software was executed. The coverage of program jump detection is therefore small;
2. Checking for program runaway depends on computing a hash value at each detection point and comparing it with the expected value; both the hash computation and the comparison take several instructions to execute, and this overhead works against a fast runaway-detection response;
3. The ability to repair program runaway is very limited: after the program runs away the system often enters an endless loop and must be reset to restore operation.
Disclosure of Invention
The technical problem to be solved by the present invention is to provide a method and an apparatus for security hardening of a CPU program, addressing the defects of the prior art, namely the small coverage of program jump detection and the slow detection response.
The technical scheme adopted by the invention to solve this problem is as follows. A security hardening method for a CPU program is provided, comprising the following steps:
s10, acquiring output data of an instruction address register in the CPU, and temporarily storing the output data serving as a previous instruction address into the previous instruction address register;
s20, comparing the previous instruction address in the previous instruction address register with the current instruction address in the instruction address register in the CPU, judging whether the relation between the current instruction address and the previous instruction address is non-increasing, and if so, executing S30;
and S30, judging whether the current instruction address in the instruction address register in the CPU exists in a preset address set, and if not, determining that the CPU program has run away, wherein the address set comprises the entry addresses of all sequential instruction segments in the CPU program, the interrupt entry address, and the entry addresses of all sequential instruction segments in the interrupt service program.
Preferably, the step S10 further includes:
acquiring an instruction sequential-execution flag from the CPU, temporarily storing it in an instruction sequential-execution flag register, and acquiring an interrupt enable signal from the interrupt priority judgment circuit;
and the step S30 includes:
when the instruction sequential-execution flag is true and the interrupt enable signal is false, determining that the CPU program has run away;
and when the instruction sequential-execution flag is false, or the flag is true and the interrupt enable signal is true, judging whether the current instruction address in the instruction address register in the CPU exists in the preset address set, and if not, determining that the CPU program has run away.
Preferably, after the step S30, the method further includes:
S40, when the CPU program is determined to have run away, restoring the execution context of the CPU program by backtracking to the entry of the current sequential instruction segment or of one of the preceding sequential instruction segments.
Preferably, in the step S30, if the current instruction address exists in a preset address set, the current instruction address is written into a jump address register;
the step S40 includes:
and when the CPU program is determined to run away, triggering the CPU program to generate an interrupt so that the instruction address register in the CPU reads data from the jump address register.
Preferably, in the step S30, if the current instruction address exists in the preset address set, writing data of the ith jump address register into the (i + 1) th jump address register, and writing the current instruction address into the ith jump address register, where i is 1, 2, …, N-1, and N is the number of jump address registers;
the step S40 includes:
when the CPU program is determined to have run away, triggering the CPU program to generate an interrupt, determining one jump address register from among the N jump address registers, and having the instruction address register in the CPU read its data from the determined jump address register.
The present invention also provides a security hardening apparatus for a CPU program, including:
the instruction execution state judging module is used for acquiring output data of an instruction address register in the CPU, temporarily storing the output data serving as a previous instruction address into the previous instruction address register, comparing the previous instruction address in the previous instruction address register with a current instruction address in the instruction address register in the CPU, and judging whether the relationship between the current instruction address and the previous instruction address is non-increasing or not;
the jump address judging module is used for judging whether the current instruction address in the instruction address register in the CPU exists in a preset address set when the relationship between the current instruction address and the last instruction address is non-increasing, wherein the address set comprises entry addresses of all sequential instruction segments in a CPU program, an interrupt entry address and entry addresses of all sequential instruction segments in an interrupt service program;
and the program runaway determining module, used for determining that the CPU program has run away when the current instruction address does not exist in the preset address set.
Preferably, the instruction execution state judgment module is further configured to acquire an instruction sequential-execution flag from the CPU, temporarily store it in an instruction sequential-execution flag register, and acquire an interrupt enable signal from the interrupt priority judgment circuit;
and the program runaway determining module is configured to determine that the CPU program has run away when the instruction sequential-execution flag is true and the interrupt enable signal is false, and is further configured, when the flag is false or when the flag is true and the interrupt enable signal is true, to determine that the CPU program has run away if the current instruction address does not exist in the preset address set.
Preferably, the apparatus further includes:
a program repair module, used for restoring the execution context of the CPU program, when the CPU program is determined to have run away, by backtracking to the entry of the current sequential instruction segment or of one of the preceding sequential instruction segments.
Preferably, the program repair module is configured to write the current instruction address into a jump address register when the current instruction address exists in a preset address set; and when determining that the CPU program is running away, triggering the CPU program to generate an interrupt so as to enable the instruction address register in the CPU to read data from the jump address register.
Preferably, the program repair module is configured, when the current instruction address exists in the preset address set, to write the data of the i-th jump address register into the (i + 1)-th jump address register and to write the current instruction address into the i-th jump address register, where i is 1, 2, …, N-1 and N is the number of jump address registers; and is further configured, when the CPU program is determined to have run away, to trigger the CPU program to generate an interrupt, to determine one jump address register from among the N jump address registers, and to have the instruction address register in the CPU read its data from the determined jump address register.
The technical scheme of the invention has the following beneficial effects:
1. Because the preset address set contains not only the jump targets of the jump instructions in the CPU program but also the interrupt entry address and the jump targets of the jump instructions in the interrupt service program, the target addresses of all normal functional paths are covered, and an address that is not in the set can be judged with confidence to be program runaway. The coverage and completeness of program jump detection are thereby improved;
2. The address comparison starts as soon as a new instruction is executed; the detection time depends on the size of the pre-stored address set and completes within a few clock cycles, so the response speed of program runaway detection is greatly improved.
Drawings
In order to illustrate the embodiments of the invention more clearly, the drawings that are needed in the description of the embodiments will be briefly described below, it being apparent that the drawings in the following description are only some embodiments of the invention, and that other drawings may be derived from those drawings by a person skilled in the art without inventive effort. In the drawings:
FIG. 1 is a block diagram of a CPU program;
FIG. 2 is a flowchart of a first embodiment of the security hardening method for a CPU program according to the present invention;
FIG. 3 is a flowchart of a second embodiment of the security hardening method for a CPU program according to the present invention;
FIG. 4 is a logical structure diagram of a first embodiment of the security hardening apparatus for a CPU program according to the present invention;
FIG. 5 is a logical structure diagram of a second embodiment of the security hardening apparatus for a CPU program according to the present invention;
FIG. 6 is a logical structure diagram of a third embodiment of the security hardening apparatus for a CPU program according to the present invention.
Detailed Description
The following detailed description of embodiments of the invention refers to the accompanying drawings.
The embodiments/examples described herein are specific embodiments of the present invention, are intended to be illustrative of the concepts of the present invention, are intended to be illustrative and exemplary, and should not be construed as limiting the embodiments and scope of the invention. In addition to the embodiments described herein, those skilled in the art will be able to employ other technical solutions which are obvious based on the disclosure of the claims and the specification of the present application, and these technical solutions include those which make any obvious replacement or modification of the embodiments described herein, and all of which are within the scope of the present invention.
It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
Fig. 2 is a flowchart of a first embodiment of the security hardening method for a CPU program according to the present invention; the security hardening method of this embodiment includes:
s10, acquiring output data of an instruction address register in the CPU, and temporarily storing the output data serving as a previous instruction address into the previous instruction address register;
in this step, the content in the instruction address register in the CPU is the address of the current instruction, and the register (previous instruction address register) is set and used to temporarily store the output data of the instruction address register in the CPU, so that the content in the register is the address of the previous instruction.
S20, comparing the previous instruction address in the previous instruction address register with the current instruction address in the instruction address register in the CPU, judging whether the relation between the current instruction address and the previous instruction address is non-increasing, and if so, executing S30;
in this step, the relation between the current instruction address and the previous instruction address can be judged by comparing the content in the previous instruction address register with the content in the instruction address register PC in the CPU, for example, the relation is increased or not increased, if the relation is increased, the execution state of the current instruction is sequential execution; if not, the execution state of the current instruction is a jump operation.
And S30, judging whether the current instruction address in the instruction address register in the CPU exists in a preset address set, if not, determining that the CPU program flies, wherein the address set comprises the entry addresses of all sequential instruction segments in the CPU program, the interrupt entry address and the entry addresses of all sequential instruction segments in the interrupt service program.
In this step, when determining the jump operation, it is necessary to judge the validity of the jump address (current instruction address). Specifically, an address set including entry addresses of all sequential instruction segments in the CPU program, an interrupt entry address, and entry addresses of all sequential instruction segments in the interrupt service program may be set in advance, so that the integrity of the detected jump address may be ensured. When the judgment is carried out, the current instruction address (the jump address written into the instruction address register at present) is compared with the address value in the address set, if the current instruction address exists in the address set, the current program jump operation is legal, otherwise, the program jump operation is illegal, namely, the CPU program is determined to run away.
Compared with the software detection mode in the prior art, the technical scheme of the embodiment has the following beneficial effects:
1. because the preset address set not only contains the jump address of the jump instruction in the CPU program, but also contains the jump address of the jump instruction in the interrupt entry address and the interrupt service program, the detection addresses under all normal function conditions are covered, and if the address which is not in the set appears, the program runaway can be accurately judged. Therefore, compared with the existing software method which only checks the integrity and the legality of the control flow path of the program and cannot detect the integrity and the legality of the execution flow related to the interrupt event, the technical scheme of the embodiment can improve the coverage and the completeness of the jump detection of the program;
2. when a new instruction is executed, the address comparison operation is started, the detection speed is related to the size of the pre-stored address set, and the operation can be finished within a plurality of clock beats.
Fig. 3 is a flowchart of a second embodiment of the security hardening method for a CPU program of the present invention; this embodiment differs from the embodiment shown in fig. 2 only in that:
step S10 further includes: acquiring an instruction sequential-execution flag from the CPU, temporarily storing it in an instruction sequential-execution flag register, and acquiring an interrupt enable signal from the interrupt priority judgment circuit;
step S30 includes:
when the instruction sequential-execution flag is true and the interrupt enable signal is false, determining that the CPU program has run away;
and when the instruction sequential-execution flag is false, or the flag is true and the interrupt enable signal is true, judging whether the current instruction address in the instruction address register in the CPU exists in the preset address set, and if not, determining that the CPU program has run away.
In this embodiment, a register (the instruction sequential-execution flag register) is provided to latch the PC+1 select signal of the CPU; when this signal is true, the previous instruction and the current instruction are in a sequential execution relationship. The interrupt enable signal comes from the CPU's interrupt priority judgment circuit; when it is true, the execution state of the current instruction is an interrupt service jump. When determining the execution state of the current instruction, this embodiment therefore combines the instruction sequential-execution flag and the interrupt enable signal with the result of comparing the previous and current instruction addresses. Specifically, given that the current instruction address is non-increasing relative to the previous one: if the instruction sequential-execution flag is false, the current instruction is a normal jump operation; if the flag is true and the interrupt enable signal is true, the current instruction is an interrupt service jump; if the flag is true and the interrupt enable signal is false, the CPU selected the next sequential address yet the address did not advance, which indicates that the content of the instruction address register in the CPU has been tampered with by a malicious attack or by the external execution environment. For a normal jump operation and for an interrupt service jump, whether the CPU program has run away is still determined by judging whether the current instruction address exists in the preset address set.
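As an added illustration (not code from the patent, which describes a hardware circuit), the following Python model of the monitor implements steps S10 to S30 together with the sequential-execution flag and interrupt enable signal of this second embodiment, and runs it over constructed instruction-address traces, including the detour-and-return case described in the Background. The address layout, the signal names `pc_plus_1` and `int_enable`, the verdict strings and the `use_flags` switch (which turns the second embodiment's extra check off to model the first embodiment) are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed program layout (word addresses), assumed for this example only:
# the reset vector at 0x000 jumps to the main program, the interrupt entry
# sits at 0x004 with the interrupt service program's segments at 0x004 and
# 0x008, and the main program consists of sequential instruction segments
# entered at 0x010, 0x020 and 0x030.
MAIN_SEGMENT_ENTRIES = {0x010, 0x020, 0x030}
INTERRUPT_ENTRY = 0x004
ISR_SEGMENT_ENTRIES = {0x004, 0x008}
ADDRESS_SET = frozenset(MAIN_SEGMENT_ENTRIES | {INTERRUPT_ENTRY} | ISR_SEGMENT_ENTRIES)


@dataclass(frozen=True)
class Cycle:
    """Signals sampled from the CPU in one instruction cycle (assumed names)."""
    pc: int           # content of the instruction address register (PC)
    pc_plus_1: bool   # the page's "PC+1 select signal": CPU chose PC+1 as next address
    int_enable: bool  # interrupt enable from the interrupt priority judgment circuit


class RunawayMonitor:
    """One instance of the monitor; call step() once per instruction cycle."""

    def __init__(self, address_set, reset_pc=0x000, use_flags=True):
        self.address_set = frozenset(address_set)
        self.prev_pc = reset_pc     # previous instruction address register
        self.use_flags = use_flags  # True: second embodiment, False: first embodiment

    def step(self, c: Cycle) -> str:
        prev = self.prev_pc
        self.prev_pc = c.pc         # S10: latch the PC output as the previous address
        # S20: an increasing address is taken as sequential execution and is not
        # checked further. A forward jump, legitimate or not, therefore never
        # reaches S30 in the scheme as described.
        if c.pc > prev:
            return "sequential"
        # Second embodiment: the CPU selected PC+1 but the address did not advance
        # and no interrupt is being taken, so the PC register itself was altered.
        if self.use_flags and c.pc_plus_1 and not c.int_enable:
            return "runaway:pc-tampered"
        # S30: a non-increasing address must be a known entry address.
        if c.pc in self.address_set:
            return "interrupt" if (self.use_flags and c.int_enable) else "jump"
        return "runaway:bad-target"


def run_trace(trace, address_set=ADDRESS_SET, reset_pc=0x000, use_flags=True):
    """Return the monitor's verdict for every cycle of a trace."""
    mon = RunawayMonitor(address_set, reset_pc, use_flags)
    return [mon.step(c) for c in trace]


def first_runaway(verdicts):
    """Index of the first cycle flagged as runaway, or None if none was."""
    for i, v in enumerate(verdicts):
        if v.startswith("runaway"):
            return i
    return None


# Constructed traces.
# 1. Normal execution: a loop back-edge to a segment entry, then an interrupt.
NORMAL = [
    Cycle(0x010, False, False),  # reset vector jumps forward into the main program
    Cycle(0x011, True, False),
    Cycle(0x012, True, False),
    Cycle(0x010, False, False),  # backward branch to the segment entry: legal jump
    Cycle(0x011, True, False),
    Cycle(0x004, True, True),    # interrupt taken while PC+1 was selected: legal
    Cycle(0x005, True, False),
]
# 2. PC register tampered (fault injection): the CPU selected PC+1 and no
#    interrupt is pending, yet the PC reads an earlier address that happens
#    to be a segment entry. Only the second embodiment catches this.
TAMPERED = [
    Cycle(0x020, False, False),
    Cycle(0x021, True, False),
    Cycle(0x010, True, False),
]
# 3. The Background's detour: the PC is forced into foreign code at a higher
#    address, which then jumps back to the instruction after the insertion point.
DETOUR = [
    Cycle(0x020, False, False),
    Cycle(0x021, True, False),
    Cycle(0x300, True, False),   # forward: passes S20 unexamined
    Cycle(0x301, True, False),
    Cycle(0x022, False, False),  # back to mid-segment: not an entry address
]

if __name__ == "__main__":
    for name, trace in (("normal", NORMAL), ("tampered", TAMPERED), ("detour", DETOUR)):
        print(name, run_trace(trace))
```

Two points the traces make visible. The tampered trace is accepted by the first embodiment (`use_flags=False` returns `jump`, because 0x010 is a legitimate entry address) and is rejected only when the PC+1 select signal is consulted, which is exactly what this embodiment adds. In the detour trace the forward transfer into foreign code at 0x300 is classified as sequential, because S20 only sends non-increasing addresses on to S30; detection fires on the return to 0x022, which is not an entry address. Forward jumps, whatever their target, are not examined by the scheme as described, so a deployment that needs them checked has to extend S20 rather than the address set.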
The security hardening method for a CPU program of the present invention further includes, after step S30:
S40, when the program is determined to have run away, restoring the execution context of the CPU program by backtracking to the entry of the current sequential instruction segment or of one of the preceding sequential instruction segments.
In this embodiment, by backtracking to the last sequential instruction segment that was executed successfully, or to the current sequential instruction segment in which the runaway occurred, the program's execution context can be recovered and the cause of the runaway investigated, so that normal execution of the program can be restored.
In an optional embodiment, in step S30, if the current instruction address exists in the preset address set, the current instruction address is written into the jump address register;
the step S40 includes:
and when the CPU program is determined to run away, triggering the CPU program to generate an interrupt so that the instruction address register in the CPU reads data from the jump address register.
In this embodiment, a register (the jump address register) is provided to hold the entry address of the sequential instruction segment currently being executed, i.e. the segment in which a runaway would occur. Specifically, each time the check determines that the program has not run away, the current instruction address (the validated entry address) is written into this register, so that its content is always the entry address of the currently executing sequential instruction segment. When program runaway is detected, the CPU program is triggered to generate an interrupt so that the instruction address register in the CPU reads its data from the jump address register; the content of the instruction address register then becomes the entry address of the sequential instruction segment in which the runaway occurred.
In another alternative embodiment, in step S30, if the current instruction address exists in the preset address set, writing the data of the ith jump address register into the (i + 1) th jump address register, and writing the current instruction address into the ith register, where i is 1, 2, …, N-1;
the step S40 includes:
when the CPU program is determined to have run away, triggering the CPU program to generate an interrupt, determining one jump address register from among the N jump address registers, and having the instruction address register in the CPU read its data from the determined jump address register.
In this embodiment, N registers (jump address registers) are provided to hold the entry address of the sequential instruction segment currently being executed, i.e. the one in which a runaway would occur, together with the entry addresses of the sequential instruction segments executed successfully before it. Specifically, each time the check determines that the program has not run away, the registers are shifted by one position and the current instruction address is written into the first register, so that the registers hold the entry address of the currently executing sequential instruction segment followed by the entry addresses of the previously executed ones. When program runaway is detected, the CPU program is triggered to generate an interrupt, one jump address register is selected from the N jump address registers according to the needs of the application, and the instruction address register in the CPU reads its data from the selected register; the content of the instruction address register then becomes the entry address of the sequential instruction segment in which the runaway occurred or of one of the successfully executed segments before it.
Because a conventional CPU circuit has no register equivalent in function to the jump address register, it cannot locate a fault and resume execution at the granularity of a sequential instruction segment when the CPU program runs away. This embodiment can restore the program's execution context and allow the cause of the runaway to be found, thereby restoring normal execution of the program.
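The following Python model of the repair path is an added example, not code from the patent: it implements the N jump address registers of this embodiment (the single-register embodiment above is the case N = 1) with the shift on every accepted jump and the reload of the instruction address register on a runaway verdict. Which register to recover from is given as a depth parameter, since the text leaves that choice to the application; the class names, the event format and the depth policy are assumptions made for the example.

```python
# Constructed event sequence: three segment entries accepted by S30 in turn,
# then a runaway verdict from the monitor.
EVENTS = [("jump", 0x010), ("jump", 0x020), ("jump", 0x030), ("runaway",)]


class JumpAddressRegisters:
    """N jump address registers. Register 1 (index 0) holds the entry address
    of the segment now executing; register i+1 holds what register i held
    before the most recent legal jump."""

    def __init__(self, n: int):
        if n < 1:
            raise ValueError("at least one jump address register is required")
        self.regs = [None] * n

    def on_legal_jump(self, entry_address: int) -> None:
        # Shift register i into register i+1 for i = 1 .. N-1, then write the
        # validated entry address into register 1 (the oldest value falls off).
        self.regs = [entry_address] + self.regs[:-1]

    def select(self, depth: int):
        """depth 0: current segment; depth k: the k-th segment entered before it."""
        if not 0 <= depth < len(self.regs):
            raise IndexError("recovery depth exceeds the number of registers")
        return self.regs[depth]


class RepairUnit:
    """Couples the register bank to the CPU's instruction address register."""

    def __init__(self, n: int, recovery_depth: int = 0):
        self.bank = JumpAddressRegisters(n)
        self.depth = recovery_depth   # selection policy, assumed fixed here
        self.pc = None                # model of the instruction address register
        self.interrupts = 0           # repair interrupts raised so far

    def legal_jump(self, entry_address: int) -> None:
        # Called when S30 accepted the current instruction address.
        self.bank.on_legal_jump(entry_address)
        self.pc = entry_address

    def runaway(self) -> int:
        # S40: trigger the repair interrupt and reload the PC from the chosen
        # register. Re-entering a recorded segment does not shift the bank.
        self.interrupts += 1
        target = self.bank.select(self.depth)
        if target is None:
            raise RuntimeError("no entry address recorded at the requested depth")
        self.pc = target
        return target


def simulate(events, n: int, recovery_depth: int = 0):
    """Replay ("jump", entry) / ("runaway",) events through a RepairUnit with
    n registers. Returns the PC values restored at each runaway and the
    final register contents."""
    unit = RepairUnit(n, recovery_depth)
    restored = []
    for ev in events:
        if ev[0] == "jump":
            unit.legal_jump(ev[1])
        elif ev[0] == "runaway":
            restored.append(unit.runaway())
        else:
            raise ValueError(f"unknown event {ev!r}")
    return restored, unit.bank.regs


if __name__ == "__main__":
    for n, depth in ((1, 0), (3, 0), (3, 1), (3, 2)):
        print(f"N={n} depth={depth}:", simulate(EVENTS, n, depth))
```

Depth 0 restarts the segment in which the runaway was detected and depth 1 the last segment entered before it, which are the two recovery targets named in step S40. A depth beyond N-1, or a register that has not been written since reset, raises an error instead of reloading the PC with an undefined value; that guard is worth keeping in any implementation that wires the selected register straight into the instruction address register.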
Fig. 4 is a logical structure diagram of a first embodiment of the security hardening apparatus for a CPU program according to the present invention. The apparatus of this embodiment includes an instruction execution state judgment module 10, a jump address judgment module 20, and a program runaway determining module 30. The instruction execution state judgment module 10 is configured to acquire the output data of the instruction address register in the CPU, temporarily store it as the previous instruction address in the previous instruction address register, compare the previous instruction address in that register with the current instruction address in the instruction address register in the CPU, and judge whether the current instruction address is non-increasing relative to the previous one. The jump address judgment module 20 is configured to judge, when the current instruction address is non-increasing relative to the previous one, whether the current instruction address in the instruction address register in the CPU exists in a preset address set, where the address set includes the entry addresses of all sequential instruction segments in the CPU program, the interrupt entry address, and the entry addresses of all sequential instruction segments in the interrupt service program. The program runaway determining module 30 is configured to determine that the CPU program has run away when the current instruction address does not exist in the preset address set.
Further, the instruction execution state judgment module 10 is also configured to acquire an instruction sequential-execution flag from the CPU, temporarily store it in the instruction sequential-execution flag register, and acquire an interrupt enable signal from the interrupt priority judgment circuit; and the program runaway determining module 30 is configured to determine that the CPU program has run away when the instruction sequential-execution flag is true and the interrupt enable signal is false, and is further configured, when the flag is false or when the flag is true and the interrupt enable signal is true, to determine that the CPU program has run away if the current instruction address does not exist in the preset address set.
Fig. 5 is a logical structure diagram of a second embodiment of the security hardening apparatus for a CPU program according to the present invention, which differs from the embodiment shown in fig. 4 only in that it further includes a program repair module 40, used for restoring the execution context of the CPU program, when the CPU program is determined to have run away, by backtracking to the entry of the current sequential instruction segment or of one of the preceding sequential instruction segments.
In an optional embodiment, program repair module 40 is configured to write the current instruction address into the jump address register when the current instruction address exists in a preset address set; and when determining that the CPU program is running away, triggering the CPU program to generate an interrupt so as to enable the instruction address register in the CPU to read data from the jump address register.
In another optional embodiment, the program repair module 40 is configured to, when the current instruction address exists in the preset address set, write data of an i-th jump address register into an i + 1-th jump address register, and write the current instruction address into the i-th jump address register, where i is 1, 2, …, N-1, and N is the number of jump address registers; and the CPU is also used for triggering the CPU program to generate interrupt when the CPU program is determined to run away, determining a jump address register from the N jump address registers, and enabling the instruction address register in the CPU to read data from the determined jump address register.
Fig. 6 is a logical structure diagram of a third embodiment of the security reinforcing apparatus for a CPU program according to the present invention. The apparatus of this embodiment includes an instruction execution state judgment module 10, a jump address judgment module 20, a program runaway determining module (not shown), and a program repair module 40. The logic circuit design of these modules may be implemented as source code such as RTL, or as hardware circuits such as an ASIC or FPGA integrated into the CPU core. The working process of each module is described as follows:
The core of the instruction execution state judgment module 10 is two registers. One register (the previous instruction address register) temporarily stores the output of the instruction address register PC of the CPU and thus holds the address of the previous instruction; the other register (the instruction sequential execution flag register) latches the PC+1 select signal, and if this signal is true, it indicates a sequential execution relationship between the previous instruction and the current instruction addressed by the PC register.
The judgment of normal and abnormal execution conditions by the instruction execution state judgment module 10 covers the following cases:
1. If the content of the previous instruction address register and the content of the instruction address register PC of the CPU are in an increasing relationship and the instruction sequential execution flag is true, the execution state of the current instruction is sequential execution.
2. If the content of the previous instruction address register and the content of the instruction address register PC of the CPU are not in an increasing relationship and the instruction sequential execution flag is false, the execution state of the current instruction is a jump operation, and the legitimacy of the jump address must be judged by the jump address judgment module 20.
3. If the content of the previous instruction address register and the content of the instruction address register PC of the CPU are not in an increasing relationship, the instruction sequential execution flag is true, and the interrupt enable signal from the CPU interrupt priority judging circuit is also true, the execution state of the current instruction is an interrupt service jump operation, and the legitimacy of the jump address must be judged by the jump address judgment module 20.
4. If the content of the previous instruction address register and the content of the instruction address register PC of the CPU are not in an increasing relationship, the instruction sequential execution flag is true, and the interrupt enable signal from the CPU interrupt priority judging circuit is false, then the CPU has been attacked maliciously or disturbed by its external execution environment, the content of the instruction address register in the CPU has been tampered with, and the program is in a runaway condition.
The core of the jump address judgment module 20 is a comparator and a pre-stored set of jump addresses, in which all entry addresses of the sequential instruction segments of the program, the interrupt entry address, and all entry addresses of the sequential instruction segments of the interrupt service program code are stored, so as to ensure the completeness of the jump address check.
The comparator compares the jump address written into the instruction address register of the CPU with the address values in the pre-stored address set. If the jump address currently written into the instruction address register is in the set, the current program jump operation is proved legal, and the address value is written into the current jump address register in the program repair module 40 for storage; otherwise, if the jump address currently written into the instruction address register is not in the pre-stored address set, the program has run away, and the address value is not written into the current jump address register in the program repair module 40.
The core of the program repair module 40 is the current jump address register and the last jump address register. When a runaway is determined to have occurred, that is, when the jump address currently written into the instruction address register of the CPU is not in the pre-stored address set, the entry address of the currently executing sequential instruction segment in which the runaway occurred is held in the current jump address register, and the entry address of the successfully executed sequential instruction segment that called the current sequential instruction segment is held in the last jump address register. By backtracking to the last successfully executed sequential instruction segment or to the current sequential instruction segment in which the runaway occurred, the program execution scene can be recovered and the cause of the runaway can be searched for, thereby restoring normal execution of the program.
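To make the three modules concrete, the following is a cycle-level software model of the monitor, added here as an example; it is not the patent's own code or RTL. It implements the four cases above together with the shift-register repair of claim 4 (N = 1 reduces to claim 3), and applies the non-increasing gate of step S20 exactly as claimed, so a forward jump is never examined. The register count N_JUMP_REGS, the address layout, the entry-address set and the instruction trace are constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define N_JUMP_REGS 4  /* N jump address registers of claim 4 (N = 1 gives claim 3); constructed */
/* Outcome of one monitor step, mirroring cases 1-4 of the state judgment module. */
enum pc_state {
    PC_SEQUENTIAL,        /* case 1: PC increasing; step S20 never enters S30 for such a PC */
    PC_LEGAL_JUMP,        /* case 2/3: jump or interrupt entry found in the preset set */
    PC_RUNAWAY_TAMPERED,  /* case 4: PC+1 flag true, no interrupt, yet the PC went backwards */
    PC_RUNAWAY_BAD_TARGET /* case 2/3: jump or interrupt target not in the preset set */
};

struct monitor {
    uint32_t prev_pc;                /* previous instruction address register */
    const uint32_t *addr_set;        /* pre-stored entry addresses (program, ISR, vector) */
    size_t addr_set_len;
    uint32_t jump_reg[N_JUMP_REGS];  /* [0] = current jump register, [i] = i-th previous */
    size_t jump_reg_valid;           /* how many jump registers hold a legal address */
};

static bool in_addr_set(const struct monitor *m, uint32_t pc) {
    for (size_t i = 0; i < m->addr_set_len; i++) if (m->addr_set[i] == pc) return true;
    return false;
}

/* One clock step: cur_pc is the value now in the CPU's PC, seq_flag the PC+1
 * select signal, irq_en the interrupt enable from the interrupt priority circuit. */
enum pc_state monitor_step(struct monitor *m, uint32_t cur_pc, bool seq_flag, bool irq_en) {
    bool increasing = cur_pc > m->prev_pc;
    m->prev_pc = cur_pc;                          /* latch for the next comparison */
    if (increasing) return PC_SEQUENTIAL;         /* S20: only a non-increasing PC reaches S30 */
    if (seq_flag && !irq_en) return PC_RUNAWAY_TAMPERED;        /* S30: CPU says PC+1, PC went back */
    if (!in_addr_set(m, cur_pc)) return PC_RUNAWAY_BAD_TARGET;  /* S30: target outside the set */
    /* Legal jump or interrupt entry: copy register i into i+1, store the entry in register 1. */
    memmove(&m->jump_reg[1], &m->jump_reg[0], (N_JUMP_REGS - 1) * sizeof m->jump_reg[0]);
    m->jump_reg[0] = cur_pc;
    if (m->jump_reg_valid < N_JUMP_REGS) m->jump_reg_valid++;
    return PC_LEGAL_JUMP;
}

/* S40 repair: address to reload into the PC; depth 0 = entry of the segment running at the
 * runaway, depth 1 = the legal jump target before that, and so on up to N-1. */
bool monitor_repair_target(const struct monitor *m, size_t depth, uint32_t *target) {
    if (depth >= m->jump_reg_valid) return false;
    *target = m->jump_reg[depth];
    return true;
}

/* Constructed layout: main at 0x200, helper at 0x100, interrupt vector 0x008, ISR at 0x400.
 * Return addresses (0x108, 0x20C) begin new sequential segments, so they are entries too. */
static const uint32_t demo_addr_set[] = { 0x200, 0x100, 0x108, 0x20C, 0x008, 0x400 };
enum pc_state classify_one(uint32_t prev_pc, uint32_t cur_pc, bool seq_flag, bool irq_en) {
    struct monitor m = { .prev_pc = prev_pc, .addr_set = demo_addr_set, .addr_set_len = 6 };
    return monitor_step(&m, cur_pc, seq_flag, irq_en);
}
struct demo_result { int runaway_step; enum pc_state kind; uint32_t restart, previous; };
/* Constructed trace: main calls the helper, an interrupt fires inside it, the ISR returns,
 * then at step 9 the PC is overwritten with 0x0F0 while the CPU still asserts PC+1. */
struct demo_result run_demo(void) {
    struct monitor m = { .prev_pc = 0x200, .addr_set = demo_addr_set, .addr_set_len = 6 };
    const struct { uint32_t pc; bool seq, irq; } trace[] = {
        {0x204,1,0}, {0x208,1,0}, {0x100,0,0}, {0x104,1,0}, {0x008,1,1},
        {0x400,0,0}, {0x404,1,0}, {0x108,0,0}, {0x0F0,1,0} };
    struct demo_result r = { 0, PC_SEQUENTIAL, 0, 0 };
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++) {
        enum pc_state st = monitor_step(&m, trace[i].pc, trace[i].seq, trace[i].irq);
        if (st != PC_RUNAWAY_TAMPERED && st != PC_RUNAWAY_BAD_TARGET) continue;
        r.runaway_step = (int)i + 1; r.kind = st;
        monitor_repair_target(&m, 0, &r.restart);   /* entry of the running segment */
        monitor_repair_target(&m, 1, &r.previous);  /* legal jump target before that */
        break;
    }
    return r;
}
```

In the constructed trace the tampered PC is caught on the very step it appears, and the repair registers still hold the entry of the helper segment (0x108) and the interrupt entry before it (0x008), which is the backtracking material the program repair module relies on.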
Compared with the software-based schemes currently in use, the detection and repair solution for program runaway of the invention uses hardware circuits both to detect program runaway quickly and to repair the runaway state quickly, achieving the following technical effects:
1. Complete coverage of program jump detection
The pre-stored address set of the jump address judgment module in the hardware detection scheme contains not only the jump addresses of the jump instructions in the program, but also the interrupt entry addresses and the jump addresses of the jump instructions in the interrupt program, so the detection addresses under all normal function conditions are covered, and if an address that is not in the set appears, program runaway can be judged accurately.
2. Improved response speed of program runaway detection
The address comparison operation starts at the same time as the PC+1 select signal is latched in the instruction execution state judgment module of the hardware detection scheme. The detection speed depends on the size of the pre-stored jump address set; with a reasonable cache hardware design the detection can be completed within a few clock cycles, which greatly improves the response speed of program runaway detection compared with a software detection method.
3. Improved repair speed after program runaway
When the hardware repair scheme detects a runaway, the entry address of the currently executing sequential instruction segment is held in the current jump address register of the program repair module, and the entry address of the successfully executed sequential instruction segment that called the current sequential instruction segment is held in the last jump address register. By backtracking to the last successfully executed sequential instruction segment or to the current sequential instruction segment in which the runaway occurred, the program execution scene can be recovered and the cause of the runaway can be searched for, so that the program is repaired and returned to normal execution.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the scope of the claims of the present invention.

Claims (8)

1. A security reinforcing method for a CPU program, characterized by comprising the following steps:
S10, obtaining the output data of an instruction address register in a CPU, temporarily storing the output data as a previous instruction address into a previous instruction address register, obtaining an instruction sequential execution flag from the CPU, temporarily storing the instruction sequential execution flag into an instruction sequential execution flag register, and obtaining an interrupt enable signal from an interrupt priority judging circuit;
S20, comparing the previous instruction address in the previous instruction address register with the current instruction address in the instruction address register in the CPU, judging whether the relationship between the current instruction address and the previous instruction address is non-increasing, and if so, executing S30;
S30, when the instruction sequential execution flag is true and the interrupt enable signal is false, determining that the CPU program has run away; when the instruction sequential execution flag is false, or the instruction sequential execution flag is true and the interrupt enable signal is true, judging whether the current instruction address in the instruction address register in the CPU exists in a preset address set, and if not, determining that the CPU program has run away, wherein the address set comprises the entry addresses of all sequential instruction segments in the CPU program, the interrupt entry addresses, and the entry addresses of all sequential instruction segments in the interrupt service program.
2. The method for security hardening of a CPU program according to claim 1, further comprising, after the step S30:
S40, when it is determined that the CPU program has run away, restoring the execution scene of the CPU program by backtracking to the current sequential instruction segment or to one of the previous sequential instruction segments.
3. The method for security hardening of a CPU program according to claim 2, wherein in step S30, if the current instruction address exists in the preset address set, the current instruction address is written into a jump address register; and step S40 comprises: when it is determined that the CPU program has run away, triggering the CPU program to generate an interrupt so that the instruction address register in the CPU reads data from the jump address register.
4. The method for security hardening of a CPU program according to claim 2, wherein in step S30, if the current instruction address exists in the preset address set, the data of an i-th jump address register is written into an (i+1)-th jump address register and the current instruction address is written into the i-th jump address register, where i = 1, 2, …, N-1 and N is the number of jump address registers; and step S40 comprises: when it is determined that the CPU program has run away, triggering the CPU program to generate an interrupt, determining one jump address register from the N jump address registers, and having the instruction address register in the CPU read data from the determined jump address register.
5. A security reinforcing apparatus of a CPU program, comprising:
an instruction execution state judging module, configured to obtain an instruction sequential execution flag from the CPU, temporarily store the instruction sequential execution flag into an instruction sequential execution flag register, and obtain an interrupt enable signal from the interrupt priority judging circuit; and to obtain the output data of an instruction address register in the CPU, temporarily store the output data as a previous instruction address into a previous instruction address register, compare the previous instruction address in the previous instruction address register with the current instruction address in the instruction address register in the CPU, and judge whether the relationship between the current instruction address and the previous instruction address is non-increasing;
a jump address judging module, configured to judge whether the current instruction address in the instruction address register in the CPU exists in a preset address set when the relationship between the current instruction address and the previous instruction address is non-increasing, wherein the address set comprises the entry addresses of all sequential instruction segments in the CPU program, an interrupt entry address, and the entry addresses of all sequential instruction segments in the interrupt service program;
a program runaway determining module, configured to determine that the CPU program has run away when the instruction sequential execution flag is true and the interrupt enable signal is false; and further configured, when the instruction sequential execution flag is false, or the instruction sequential execution flag is true and the interrupt enable signal is true, to determine that the CPU program has run away if the current instruction address does not exist in the preset address set.
6. The security reinforcing apparatus of a CPU program according to claim 5, further comprising: a program repair module, configured to restore the execution scene of the CPU program by backtracking to the current sequential instruction segment or to one of the previous sequential instruction segments when it is determined that the CPU program has run away.
7. The apparatus for security hardening of a CPU program according to claim 6, wherein the program repair module is configured to write the current instruction address into a jump address register when the current instruction address exists in the preset address set; and, when it is determined that the CPU program has run away, to trigger the CPU program to generate an interrupt so that the instruction address register in the CPU reads data from the jump address register.
8. The apparatus for security hardening of a CPU program according to claim 6, wherein the program repair module is configured, when the current instruction address exists in the preset address set, to write the data of an i-th jump address register into an (i+1)-th jump address register and to write the current instruction address into the i-th jump address register, where i = 1, 2, …, N-1 and N is the number of jump address registers; and is further configured, when it is determined that the CPU program has run away, to trigger the CPU program to generate an interrupt, to determine one jump address register from the N jump address registers, and to have the instruction address register in the CPU read data from the determined jump address register.
CN201910251029.XA 2019-03-29 2019-03-29 Method and device for reinforcing safety of CPU program Active CN110059454B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910251029.XA CN110059454B (en) 2019-03-29 2019-03-29 Method and device for reinforcing safety of CPU program


Publications (2)

Publication Number Publication Date
CN110059454A CN110059454A (en) 2019-07-26
CN110059454B true CN110059454B (en) 2020-08-18

Family

ID=67317987

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910251029.XA Active CN110059454B (en) 2019-03-29 2019-03-29 Method and device for reinforcing safety of CPU program

Country Status (1)

Country Link
CN (1) CN110059454B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113127273B (en) * 2019-12-31 2023-07-14 华润微集成电路(无锡)有限公司 Singlechip detection circuit and corresponding detection method

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1677363A (en) * 2005-04-13 2005-10-05 柴钰 Designing method for computer CPU anti-interference
CN101034369A (en) * 2006-03-10 2007-09-12 北京佳讯飞鸿电气有限责任公司 Software anti-interference method and device
CN101599042A (en) * 2008-06-02 2009-12-09 松下电器产业株式会社 Program fleet detection method and equipment thereof
CN102567774A (en) * 2010-12-27 2012-07-11 北京中电华大电子设计有限责任公司 Smart card safety protection circuit and smart card safety protection method
CN105700427A (en) * 2016-01-13 2016-06-22 武汉合康动力技术有限公司 Correction method of single chip microcomputer program fleet

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7934073B2 (en) * 2007-03-14 2011-04-26 Andes Technology Corporation Method for performing jump and translation state change at the same time


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Self-recovery design of an MCS-51 single-chip microcomputer controlled industrial furnace system; 陈寿元 et al.; Journal of Shandong University of Technology; 1990-12-31; Vol. 20, No. 4; pp. 83-86 *


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant