CN110717181B - Non-control data attack detection method and device based on novel program dependency graph - Google Patents

Non-control data attack detection method and device based on novel program dependency graph

Info

Publication number: CN110717181B
Authority: CN (China)
Prior art keywords: security, program, control data, sensitive, data
Legal status: Active
Application number: CN201910848694.7A
Other languages: Chinese (zh)
Other versions: CN110717181A (en)
Inventors: 李清宝, 王烨, 曹飞, 杨治国, 张平, 陈志峰, 张贵民
Current assignee: Information Engineering University of PLA Strategic Support Force
Original assignee: Information Engineering University of PLA Strategic Support Force
Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/55 Detecting local intrusion or implementing counter-measures > G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements > G06F21/562 Static detection
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/55 Detecting local intrusion or implementing counter-measures > G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements > G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Abstract

The invention belongs to the technical field of cyberspace security, and particularly relates to a method and a device for detecting non-control data attacks based on a novel program dependency graph. A novel program dependency graph at basic-block granularity, together with the set of security-sensitive non-control data in the program, is constructed through static analysis, and instrumentation is inserted into the program's LLVM intermediate representation; the access and call operations on the security-sensitive non-control data are then verified while the program runs, so as to protect the data flow integrity of that data. The invention combines the control flow and the data flow of the program and, guided by the novel program dependency graph, realizes data flow integrity protection of the security-sensitive non-control data in the target program at run time. The protected non-control data is narrowed to the set of security-sensitive non-control data, and analysis and instrumentation are carried out at basic-block granularity, so the running efficiency of the program is maintained, security and performance overhead are balanced, and universality is good; this provides a new solution for non-control data attack detection.

Description

Non-control data attack detection method and device based on novel program dependency graph
Technical Field
The invention belongs to the technical field of cyberspace security, and particularly relates to a method and a device for detecting non-control data attacks based on a novel program dependency graph, which can be used to detect non-control data attack behaviour present in a target program.
Background
Cyberspace is a network connecting various information technology infrastructures, including the Internet, various computer systems and interpersonal virtual environments. The network is not only a carrier and medium for messages; it also shapes the way people think, and to some extent people are given network and information attributes. The core of cyberspace security can therefore be considered to be information security. Nowadays information technology and its industrial applications have seen unprecedented growth, and cyberspace security issues have become more and more prominent. Depending on the environment and application, network security is divided into the following parts: system security, network security, information dissemination security and information content security. System security is concerned with the security of the information processing and transmission system: it focuses on keeping the system operating normally, on avoiding damage to or loss of the information the system stores, processes and transmits because of a crash or damage to the system, and on avoiding information leakage caused by electromagnetic leakage, interference with others, or interference by others. Despite decades of security research, memory corruption attacks still pose a significant threat to software systems. This is because most high-performance applications are written in memory-unsafe languages such as C and C++, and software developers neglect the importance of software and system security in favour of performance and compatibility. Memory corruption attacks typically exploit memory corruption vulnerabilities in programs to carry out control flow attacks and non-control data attacks.
A control flow attack hijacks the control flow of a program to execute a malicious code sequence and thereby carry out malicious behaviour. As security researchers have studied control flow attack defences ever more deeply, the cost of successfully constructing a control flow attack has risen steadily, so attackers now try to realize malicious behaviour by using the security-sensitive non-control data in the program, bypassing the existing control flow attack defence and protection mechanisms.
Unlike control flow attacks, non-control data attacks alter the benign behaviour of a program by manipulating its security-sensitive non-control data without violating the program's control flow integrity. The attack goals include: 1) information leakage, such as leaking a password or a private key; 2) privilege escalation, such as manipulating user identity data; 3) performance degradation, such as resource-wasting attacks; 4) bypassing security mitigation mechanisms. DOP (Data-Oriented Programming) is an advanced technique for constructing expressive non-control data attacks: by chaining short instruction sequences (data-oriented gadgets) consisting of loads, stores and some arithmetic micro-operations, and executing these carefully designed sequences, an attacker can achieve Turing-complete computation in program memory. Because a non-control data attack does not violate control flow integrity, existing control flow attack detection methods cannot detect it effectively. DFI (Data Flow Integrity) can defend against non-control data attacks, but introduces up to 103% performance overhead, which makes it difficult to deploy and apply in a practical environment.
Disclosure of Invention
Therefore, the invention provides a method and a device for detecting non-control data attacks based on a novel program dependency graph. They combine the control flow and the data flow of a program and, guided by the novel program dependency graph at run time, realize data flow integrity protection of the security-sensitive non-control data in a target program; they ensure the normal execution of non-malicious programs, detect and terminate malicious attacks, have low performance cost and are easier to deploy.
According to the design provided by the invention, the method for detecting non-control data attacks based on the novel program dependency graph comprises the following steps:
identifying and locating the security-sensitive non-control data in the target program through static analysis, obtaining a security-sensitive non-control data table, and generating a traditional program dependency graph of the target program at basic-block granularity;
on the basis of the traditional program dependency graph, adding annotations to its directed edges that contain the security-sensitive non-control data identified and located in the target program, thereby constructing a novel program dependency graph of the target program;
according to the novel program dependency graph, performing code instrumentation in the basic blocks involved in accessing and calling security-sensitive non-control data;
when the target program is executed, performing attack detection on the process by combining the novel program dependency graph with the security-sensitive non-control data table, so as to ensure the data flow integrity of the security-sensitive non-control data in the target program.
In the non-control data attack detection method, the security-sensitive non-control data further comprises the parameters of user-defined functions in the target program, the system call parameters, and the variables that have a dependency relationship with those function parameters and system call parameters.
In the non-control data attack detection method, identifying and locating the security-sensitive non-control data further comprises the following steps:
generating an intermediate language representation of the target program with a compiler, and generating the corresponding program dependency graph at basic-block granularity;
analysing the intermediate language representation of the target program, identifying and locating the security-sensitive non-control data, and constructing the security-sensitive non-control data table of the target program.
In the non-control data attack detection method of the present invention, identifying and locating the security-sensitive non-control data further includes: identifying and locating user-defined functions and system call functions through sensitive function analysis; and identifying and locating the variables that have a dependency relationship with the user-defined function parameters and the system call parameters through data dependency analysis.
In the non-control data attack detection method, the annotations added to the directed edges of the traditional program dependency graph further correspond to the security-sensitive non-control data accessed and called when a basic block executes. This comprises access behaviour, in which the security-sensitive non-control data is operated on as an operand of an arithmetic or logic operation, and call behaviour, in which the security-sensitive non-control data is passed as a function parameter.
In the non-control data attack detection method of the present invention, code instrumentation further comprises the following:
taking a basic block i from the intermediate code of the target program;
according to the novel program dependency graph, judging whether the basic block both accesses and calls the same security-sensitive non-control data; if so, inserting instrumentation code after the corresponding access operation and before the call operation respectively, then judging whether all basic blocks of the target program have been instrumented; if not, proceeding to the next step of code instrumentation;
judging whether basic block i accesses security-sensitive non-control data; if so, inserting instrumentation code at the exit of basic block i; if not, proceeding to the next step of code instrumentation;
judging whether basic block i calls security-sensitive non-control data; if so, inserting instrumentation code at the entry of basic block i; otherwise, judging whether all basic blocks of the target program have been instrumented;
if the target program still has basic blocks waiting to be instrumented, setting i = i + 1 and returning to the first step of code instrumentation; otherwise, the instrumentation of the target program code is complete.
In the non-control data attack detection method of the present invention, attack detection on the running target process further comprises the following:
when the target program executes the instrumentation code, an exception is triggered;
according to the novel program dependency graph, the number of the basic block that triggered the exception is located;
it is judged whether that basic block both accesses and calls the same security-sensitive non-control data; if so, the position in the basic block that triggered the exception is located. When the triggering position is the one that accesses the security-sensitive non-control data, the value of the accessed security-sensitive non-control data is obtained from the memory of the current target process and the corresponding value in the security-sensitive non-control data table is updated; when the triggering position is before the security-sensitive non-control data is called, the data flow integrity of the security-sensitive non-control data about to be called is verified, and the next step of process attack detection is executed;
it is judged whether the basic block accesses security-sensitive non-control data; if so, the value of the accessed security-sensitive non-control data is obtained from the target process memory and the corresponding value in the security-sensitive non-control data table is updated; exception handling then finishes and the target process is notified to continue running. If the basic block does not access security-sensitive non-control data, the next step of process attack detection is executed;
it is judged whether the basic block calls security-sensitive non-control data; if so, the data flow integrity of the security-sensitive non-control data about to be called is verified; if not, the exception triggered by the current target process is judged to be an unexpected exception and the target process is terminated.
In the non-control data attack detection method of the present invention, verifying the data flow integrity of the security-sensitive non-control data further comprises: obtaining the value of the security-sensitive non-control data about to be called from the target process memory, querying the corresponding value in the security-sensitive non-control data table, and verifying that the two are consistent; if verification passes, exception handling finishes and the target process is notified to continue running; otherwise, the non-control data is judged to have been maliciously tampered with before the call, a non-control data attack is considered to exist, and the target process is terminated immediately.
In the non-control data attack detection method, when the target program runs, the exceptions triggered by executing the instrumentation code are handled automatically, and the security-sensitive non-control data table stored in kernel space is updated and recorded, thereby completing non-control data attack detection.
Furthermore, the present invention also provides a device for detecting non-control data attacks based on a novel program dependency graph, comprising a static analysis module, a novel dependency graph construction module, an instrumentation module and a processing module, wherein
the static analysis module is used for identifying and locating the security-sensitive non-control data in the target program through static analysis, and for generating the security-sensitive non-control data table and the traditional program dependency graph of the target program at basic-block granularity;
the novel dependency graph construction module is used for adding annotations that contain the security-sensitive non-control data identified and located in the target program to the directed edges of the traditional program dependency graph, thereby constructing the novel program dependency graph of the target program;
the instrumentation module is used for performing code instrumentation, according to the novel program dependency graph, in the basic blocks involved in accessing and calling security-sensitive non-control data;
and the processing module is used for performing attack detection on the process while the target program executes, by combining the novel program dependency graph with the security-sensitive non-control data table, so as to ensure the data flow integrity of the security-sensitive non-control data in the target program.
The beneficial effects of the invention are:
The invention can be divided into two stages according to its workflow, a static analysis stage and a dynamic protection stage. In the static analysis stage the novel program dependency graph is constructed by static analysis of the target program and a protected executable program is generated; in the dynamic protection stage the security-sensitive non-control data table is updated at run time and the consistency of the security-sensitive non-control data in the target process is verified, ensuring the data flow integrity of the security-sensitive non-control data in the target program, so that non-malicious programs execute normally and malicious attacks are detected and terminated. Compared with existing non-control data attack detection or protection methods, the method has the following advantages: a) universality: existing methods are limited to a specific architecture and platform, whereas the technical scheme of the invention is not tied to a specific hardware environment and is a universal method capable of detecting existing non-control data attacks; b) the technical scheme of the invention narrows the non-control data set to be protected to the security-sensitive non-control data and instruments at basic-block granularity, thereby realizing run-time data flow integrity protection of the security-sensitive non-control data, making up for the high cost of instruction-granularity monitoring, maintaining the program's running efficiency, incurring small performance cost, being easy to deploy and having good application prospects.
Description of the drawings:
FIG. 1 is a flow chart of the attack detection method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of the attack detection workflow in an embodiment of the present invention;
FIG. 3 is a sample novel program dependency graph in an embodiment of the present invention;
FIG. 4 is a schematic diagram of the attack detection device according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of the workflow of the static analysis module according to an embodiment of the present invention;
FIG. 6 is a flow chart of the operation of the instrumentation module of the present invention;
FIG. 7 is a flow chart of the operation of the processing module of the present invention.
The specific embodiments are as follows:
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings and technical solutions.
The existing non-control data attack detection technique, DFI, defends against non-control data attacks by verifying whether each operation on a variable conforms to a Data Flow Graph (DFG). However, DFI needs to perform reachability analysis for every operation on a variable; because that analysis can be redundant and complex for some read operations, DFI may produce false alarms, and protecting the data flow integrity of all variables introduces a large overhead, which makes the method difficult to deploy in a practical environment. The embodiment of the invention, as shown in fig. 1, provides a non-control data attack detection method based on a novel program dependency graph, comprising the following:
s101) identifying and locating the security-sensitive non-control data in the target program through static analysis, obtaining a security-sensitive non-control data table, and generating a traditional program dependency graph of the target program at basic-block granularity;
s102) on the basis of the traditional program dependency graph, adding annotations containing the security-sensitive non-control data identified and located in the target program to its directed edges, thereby constructing a novel program dependency graph of the target program;
s103) according to the novel program dependency graph, performing code instrumentation in the basic blocks involved in accessing and calling security-sensitive non-control data;
s104) when the target program is executed, performing attack detection on the process by combining the novel program dependency graph with the security-sensitive non-control data table, so as to ensure the data flow integrity of the security-sensitive non-control data in the target program.
By defining a novel program dependency graph, corresponding annotations are added to certain directed edges of the program dependency graph; the annotation information is mainly the security-sensitive non-control data that may be accessed or called when a basic block executes. The control flow and the data flow of the program are thereby combined, and data flow integrity protection of the security-sensitive non-control data in the target program is realized at run time according to the novel program dependency graph, so that non-control data attacks can be detected successfully, with lower performance cost than the DFI method and easier deployment.
In the embodiment of the present invention, as shown in fig. 2, the method can be divided into two stages according to its workflow: a static analysis stage and a dynamic protection stage. The static analysis stage is mainly responsible for statically analysing the target program, constructing the corresponding novel program dependency graph and finally instrumenting the source program according to that graph to generate a protected executable program; the dynamic protection stage is mainly responsible for updating the security-sensitive non-control data table at run time and verifying the consistency of the security-sensitive non-control data in the target process, thereby ensuring the data flow integrity of the security-sensitive non-control data in the target program. The static analysis module is responsible for the static analysis of the source program. The static analysis generates a program dependency graph of the source program at basic-block granularity, identifies and locates the security-sensitive non-control data in the program, and divides the program's operations on that non-control data into two behaviours, access and call: the access behaviour is one in which the non-control data is operated on as an operand of an arithmetic or logic operation, and the call behaviour is one in which the non-control data is passed as a function parameter. After the static analysis is complete, the novel program dependency graph corresponding to the target program is constructed. The target source program is then instrumented according to the novel program dependency graph; specifically, instrumentation code is inserted into the basic blocks involved in accessing and calling security-sensitive non-control data.
When a basic block both accesses and calls the same security-sensitive non-control data, instrumentation code is inserted after the access of that non-control data in the block and before the call of that non-control data in the block, so that in the dynamic protection stage the legitimacy of the non-control data the block accesses and operates on can be verified. When a basic block accesses security-sensitive non-control data, instrumentation code is inserted at the exit of the block, so that in the dynamic protection stage, when the block finishes executing, the value of the accessed security-sensitive non-control data in program memory can be obtained and the corresponding entry in the security-sensitive non-control data table updated. When a basic block calls security-sensitive non-control data, instrumentation code is inserted at the entry of the block, so that in the dynamic protection stage the value of the called security-sensitive non-control data in program memory can be obtained before the block starts executing and verified for consistency against the corresponding value in the security-sensitive non-control data table. The compiler is responsible for compiling the instrumented source program into a binary executable; the security-sensitive non-control data table stores the set of security-sensitive non-control data in the target program together with their values, and the table is kept in the system's kernel space to prevent those values from being maliciously tampered with.
The invention adds annotation information to the directed edges of the traditional program dependency graph. Based on the set of security-sensitive non-control data obtained by static analysis, the security-sensitive non-control data that must be accessed and called when a basic block executes is annotated on the corresponding directed edge, combining the control flow and the data flow of the program; the annotated graph can then guide the run-time verification of the data flow integrity of the security-sensitive non-control data in the program. In fig. 3, the upper part is a sample program and the lower part the corresponding novel program dependency graph. The sample graph was constructed by analysing the LLVM intermediate representation of the source program produced by the LLVM compiler; some of the variables are security-sensitive non-control data identified and located during static analysis, and the variables annotated on the directed edges are the security-sensitive non-control data that must be accessed and called when the basic block executes. In the non-control data attack detection method of the embodiment of the invention, the security-sensitive non-control data further comprises the parameters of user-defined functions in the target program, the system call parameters, and the variables that have a dependency relationship with those function parameters and system call parameters. Further, identifying and locating the security-sensitive non-control data comprises: identifying and locating user-defined functions and system call functions through sensitive function analysis; and identifying and locating the variables that have a dependency relationship with the user-defined function parameters and the system call parameters through data dependency analysis.
In the non-control data attack detection method of the present invention, the novel program dependency graph corresponding to a source program is constructed as shown in fig. 5. First, the Clang compiler is used to generate the LLVM intermediate representation of the target program and the traditional program dependency graph of the target program at basic-block level. The data dependency and control dependency relationships in the target program are obtained by analysing the program dependency graph. In the embodiment of the invention, the function parameters, the system call parameters and the variables that have a dependency relationship with these two kinds of non-control data are taken as the security-sensitive non-control data. The static analysis module searches the LLVM intermediate representation of the target program for user-defined functions and system call functions by means of sensitive function analysis, identifies and locates their function parameters and system call parameters, and then uses data dependency analysis to identify and locate the variables that have a dependency relationship with those parameters. Finally, the static analysis module constructs the set of security-sensitive non-control data in the target program and identifies and locates every element of the set. On this basis, annotations are added to the corresponding directed edges of the generated traditional program dependency graph to construct the novel program dependency graph of the target program.
In the non-control data attack detection method of the present invention, referring to fig. 6, instrumentation is performed by writing an LLVM pass over the intermediate representation of the target program, guided by the novel program dependency graph produced by static analysis. First, a basic block i is taken from the intermediate code of the target program, and it is judged from the novel program dependency graph whether the block both accesses and calls the same security-sensitive non-control data. If basic block i does, instrumentation code is inserted after the corresponding access operation and before the call operation respectively, and it is then judged whether all basic blocks of the target program have been instrumented; if basic block i does not access and call the same security-sensitive non-control data, it is judged whether basic block i accesses security-sensitive non-control data. If it does, instrumentation code is inserted at the exit of basic block i; otherwise it is judged whether basic block i calls security-sensitive non-control data. If so, instrumentation code is inserted at the entry of basic block i; otherwise it is judged whether basic block i is the last basic block to be instrumented. The above is the complete instrumentation flow for one basic block: if basic block i is judged not to be the last basic block to be instrumented, the next basic block to be instrumented is taken from the intermediate code; otherwise the instrumentation module has finished instrumenting the target program.
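The static analysis and instrumentation flow described for fig. 5 and fig. 6, as an added example that is not the patent's code: it works on a small constructed intermediate representation rather than real LLVM IR, and the function names (`setuid`, `log_len`), the edge list, the `("probe", position)` instruction used to stand for instrumentation code, and the rule that an assignment to a sensitive variable counts as an access of it are all assumptions made for the illustration. It identifies the security-sensitive non-control data (parameters of user-defined functions and system calls plus the variables they data-depend on), annotates each directed edge with the data its target block accesses and calls, and then places probes exactly by the decision order of the instrumentation flow.

```python
# Added example (not the patent's code): the static analysis stage on a toy IR.
# Identifies security-sensitive non-control data, annotates the directed edges
# of a basic-block-level dependency graph, and places instrumentation by the
# patent's rules. IR format, sample program, function names and edge list are
# constructed for illustration and are assumptions, not the patent's artefacts.

# Toy IR instructions: ("assign", dst, [operands]) is an arithmetic/logic
# operation (an *access* of the sensitive data it touches), ("call", callee,
# [args]) passes args as parameters (a *call* use), "br"/"ret" end a block.
USER_FUNCTIONS = {"log_len"}   # constructed "self-defined" functions
SYSCALLS = {"setuid"}          # constructed system-call functions

IR = {
    "entry":   [("assign", "len", ["req_len", "hdr"]), ("br", "body")],
    "body":    [("assign", "uid", ["uid", "delta"]),
                ("call", "setuid", ["uid"]), ("br", "exit")],
    "exit":    [("call", "log_len", ["len"]), ("br", "cleanup")],
    "cleanup": [("assign", "tmp", ["x", "one"]), ("ret",)],
}
# Directed edges of the traditional basic-block-level dependency graph
# (constructed; "start" is a virtual predecessor of the entry block).
EDGES = [("start", "entry"), ("entry", "body"), ("body", "exit"), ("exit", "cleanup")]


def find_sensitive(ir):
    """Sensitive-function analysis followed by a data-dependency fixed point."""
    sensitive = set()
    for block in ir.values():
        for ins in block:
            if ins[0] == "call" and ins[1] in USER_FUNCTIONS | SYSCALLS:
                sensitive.update(ins[2])        # function / system-call parameters
    changed = True
    while changed:                              # variables the parameters depend on
        changed = False
        for block in ir.values():
            for ins in block:
                if ins[0] == "assign" and ins[1] in sensitive:
                    new = set(ins[2]) - sensitive
                    if new:
                        sensitive |= new
                        changed = True
    return sensitive


def block_uses(block, sensitive):
    """(accessed, called) security-sensitive data of one basic block."""
    accessed, called = set(), set()
    for ins in block:
        if ins[0] == "assign":
            accessed.update(v for v in ins[2] + [ins[1]] if v in sensitive)
        elif ins[0] == "call":
            called.update(v for v in ins[2] if v in sensitive)
    return accessed, called


def annotate_edges(ir, edges, sensitive):
    """Novel PDG: each directed edge u->v is annotated with what v accesses/calls."""
    return {(u, v): block_uses(ir[v], sensitive) for (u, v) in edges}


def instrument(ir, annotated):
    """Insert ("probe", position) instructions following the instrumentation flow."""
    out = {}
    for name, block in ir.items():
        accessed, called = set(), set()
        for (_, v), (acc, cal) in annotated.items():
            if v == name:                        # annotations on edges into this block
                accessed |= acc
                called |= cal
        both = accessed & called
        new = list(block)
        if both:
            # same data accessed and called in one block: probe right after the
            # access and right before the call
            new = []
            for ins in block:
                if ins[0] == "call" and both & set(ins[2]):
                    new.append(("probe", "before_call"))
                new.append(ins)
                if ins[0] == "assign" and both & (set(ins[2]) | {ins[1]}):
                    new.append(("probe", "after_access"))
        elif accessed:
            new.insert(len(new) - 1, ("probe", "exit"))    # before the terminator
        elif called:
            new.insert(0, ("probe", "entry"))
        out[name] = new
    return out


if __name__ == "__main__":
    sens = find_sensitive(IR)
    pdg = annotate_edges(IR, EDGES, sens)
    for blk, code in instrument(IR, pdg).items():
        print(blk, code)
```

The four blocks cover the four outcomes of the flow: `body` accesses and calls `uid` and gets probes around the access and the call; `entry` only accesses sensitive data and gets an exit probe; `exit` only calls sensitive data and gets an entry probe; `cleanup` touches no sensitive data and is left untouched. Because the flow stops at the first matching branch, a block that accesses one sensitive variable and calls a different one receives only the exit probe, which is worth keeping in mind when reading the decision order.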
In the non-control data attack detection method of the present invention, further, as shown in fig. 7, when the target process in user space executes instrumentation code, an exception is triggered and the process traps into kernel space; the processing module then handles the exception according to the novel program dependency graph corresponding to the target process. First, the processing module locates the number of the basic block that triggered the exception. Then it judges whether the same security-sensitive non-control data is both accessed and called in that basic block. If so, the position in the basic block that triggered the exception is located further: if that position follows the access to the security-sensitive non-control data, the current value of the accessed security-sensitive non-control data is read from the memory of the target process and the corresponding entry in the security-sensitive non-control data table is updated; if that position precedes the call that uses the security-sensitive non-control data, the current value of that data is read from the memory of the target process, the corresponding entry in the security-sensitive non-control data table is looked up, and the two values are checked for consistency. If the check passes, exception handling finishes and the target process is notified to continue running; otherwise the non-control data has been maliciously tampered with before being called, a non-control data attack is deemed to exist, and the target process is terminated immediately.
If the same security-sensitive non-control data is not both accessed and called in the basic block, it is further judged whether the basic block accesses security-sensitive non-control data. If so, the value of the accessed security-sensitive non-control data is read from the memory of the target process and the corresponding entry in the security-sensitive non-control data table is updated; exception handling then finishes and the target process is notified to continue running. If the basic block does not access security-sensitive non-control data, it is further judged whether the basic block calls security-sensitive non-control data. If so, the value of the security-sensitive non-control data about to be called is read from the memory of the target process, the corresponding entry in the security-sensitive non-control data table is looked up, and the two values are checked for consistency. If the check passes, exception handling finishes and the target process is notified to continue running; otherwise the non-control data has been maliciously tampered with before being called, a non-control data attack is deemed to exist, and the target process is terminated immediately. If the basic block does not call security-sensitive non-control data either, the exception triggered by the current target process is regarded as an unexpected exception. For security reasons, a suspected malicious behaviour that caused the unexpected exception may still exist, so the processing module still regards this as a non-control data attack and terminates the target process immediately.
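As an added illustration of the instrumentation decision (fig. 6) and the kernel-side exception handler (fig. 7) described above (example code, not the patent's LLVM pass or kernel module), the following Python model derives the probe placement for each basic block from its annotations and then replays trap sequences against a simulated kernel-resident security-sensitive non-control data table. The `BlockInfo` type, the probe position names, the block annotations and the memory snapshots are constructed for this example.

```python
from dataclasses import dataclass

CONTINUE, TERMINATE = "continue", "terminate"

@dataclass(frozen=True)
class BlockInfo:
    """Annotation of the novel PDG for one basic block (constructed)."""
    accessed: frozenset   # SSND read/written by arithmetic-logic operations
    called: frozenset     # SSND passed as function or system-call arguments

def plan_instrumentation(blocks):
    """Fig. 6 decision order: same datum accessed and called -> probes after the
    access and before the call; access only -> block exit; call only -> block
    entry; otherwise the block is left uninstrumented."""
    plan = {}
    for bid, b in blocks.items():
        if b.accessed & b.called:
            plan[bid] = ["after_access", "before_call"]
        elif b.accessed:
            plan[bid] = ["exit"]
        elif b.called:
            plan[bid] = ["entry"]
    return plan

def _record(names, memory, table):
    for v in names:                       # snapshot the legitimate value after access
        table[v] = memory[v]
    return CONTINUE

def _verify(names, memory, table):
    ok = all(v in table and memory.get(v) == table[v] for v in names)
    return CONTINUE if ok else TERMINATE  # mismatch: tampered between access and call

def handle_exception(bid, position, memory, blocks, table):
    """Fig. 7 handler run in the (simulated) kernel when a probe traps.
    memory holds the target process's current values; table is the
    kernel-resident SSND table that user space cannot write."""
    b = blocks[bid]
    if b.accessed & b.called:
        if position == "after_access":
            return _record(b.accessed, memory, table)
        if position == "before_call":
            return _verify(b.called, memory, table)
        return TERMINATE                  # probe at an unexpected spot
    if b.accessed:
        return _record(b.accessed, memory, table)
    if b.called:
        return _verify(b.called, memory, table)
    return TERMINATE                      # unexpected exception: treated as attack

def run_trace(trace, blocks):
    """Feed a sequence of (block, position, memory snapshot) traps to the
    handler, stopping at the first TERMINATE. Returns the list of verdicts."""
    table, verdicts = {}, []
    for bid, pos, mem in trace:
        verdicts.append(handle_exception(bid, pos, mem, blocks, table))
        if verdicts[-1] == TERMINATE:
            break
    return verdicts

# Constructed annotations: B0 computes uid, B1 uses and passes uid to a call,
# B2 passes uid on without touching it, B3 involves no SSND at all.
BLOCKS = {
    0: BlockInfo(frozenset({"uid", "base", "off"}), frozenset()),
    1: BlockInfo(frozenset({"uid"}), frozenset({"uid"})),
    2: BlockInfo(frozenset(), frozenset({"uid"})),
    3: BlockInfo(frozenset(), frozenset()),
}
BENIGN = [
    (0, "exit",         {"uid": 1000, "base": 900, "off": 100}),
    (1, "after_access", {"uid": 1000}),
    (1, "before_call",  {"uid": 1000}),
    (2, "entry",        {"uid": 1000}),
]
# Same path, but uid is overwritten in process memory between the access in
# B1 and the call that consumes it: the before_call probe detects the change.
TAMPERED = BENIGN[:2] + [(1, "before_call", {"uid": 0})]

if __name__ == "__main__":
    print(plan_instrumentation(BLOCKS))
    print("benign  :", run_trace(BENIGN, BLOCKS))
    print("tampered:", run_trace(TAMPERED, BLOCKS))
    print("unexpected trap in B3:", run_trace([(3, "exit", {})], BLOCKS))
```

A trap from an uninstrumented block (B3) is terminated as an unexpected exception, matching the conservative rule in the text.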
Based on the foregoing method, an embodiment of the present invention further provides a device for detecting non-control data attacks based on the novel program dependency graph, as shown in fig. 4, comprising a static analysis module 101, a novel dependency graph construction module 102, an instrumentation module 103, and a processing module 104, wherein
the static analysis module 101 is configured to identify and locate the security-sensitive non-control data in the target program through static analysis and to generate the security-sensitive non-control data table and the traditional program dependency graph of the target program at basic-block granularity;
the novel dependency graph construction module 102 is configured to take the traditional program dependency graph and add, on its directed edges, annotations containing the security-sensitive non-control data identified and located in the target program, thereby constructing the novel program dependency graph of the target program;
the instrumentation module 103 is configured to perform code instrumentation, according to the novel program dependency graph, in the basic blocks that access and call security-sensitive non-control data;
and the processing module 104 is configured to perform attack detection on the process while the target program executes, combining the novel program dependency graph with the security-sensitive non-control data table, so as to ensure the data-flow integrity of the security-sensitive non-control data in the target program.
With reference to fig. 2, in the architecture of the device the static analysis module is responsible for the static analysis of the source program; the instrumentation module is responsible for inserting instrumentation code, which it places in the basic blocks that access and call security-sensitive non-control data according to the novel program dependency graph corresponding to the source program; the compiler is responsible for compiling the instrumented source program into a binary executable; the security-sensitive non-control data table stores the set of security-sensitive non-control data in the target program together with their corresponding values, and is kept in the kernel space of the system to prevent malicious tampering with the values in it; and the processing module is responsible for handling, in kernel space, the exceptions triggered by executing the instrumentation code while the target process runs. Based on the novel program dependency graph of the target process, the processing module can determine which basic block triggered the exception and which security-sensitive non-control data objects that basic block accesses and calls, and then handles the exception so as to ensure the data-flow integrity of the security-sensitive non-control data in the target process. Because the protected non-control data is narrowed to the security-sensitive set and analysis and instrumentation are carried out at basic-block granularity, the running efficiency of the program is preserved, security and performance overhead are balanced, the scheme is broadly applicable, and a new solution for non-control data attack detection is provided.
As described above, the embodiment of the present invention constructs the novel program dependency graph of the target program and, based on it, realizes runtime attack detection on non-control data. Its advantages are: 1. better universality: the implementation is not tied to a specific hardware environment, protection can be applied to application programs on a variety of hardware platforms, and non-control data attacks present in the target program are detected; 2. low performance overhead: only the security-sensitive non-control data in the target program is extracted and given data-flow integrity protection, which addresses the high overhead of traditional DFI methods that protect the data flow of all non-control data; 3. a lightweight and flexible scheme that can be conveniently deployed in a real application environment: the static analysis and source program compilation functions of the static analysis stage are realized by extending the LLVM compiler, and the non-control data attack detection function of the dynamic protection stage is realized by extending the kernel space with the processing module and the security-sensitive non-control data table.
Unless specifically stated otherwise, the relative steps, numerical expressions, and values of the components and steps set forth in these embodiments do not limit the scope of the present invention.
Based on the foregoing method, an embodiment of the present invention further provides a server, including: one or more processors; a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method described above.
Based on the above method, the embodiment of the present invention further provides a computer readable medium, on which a computer program is stored, wherein the program, when executed by a processor, implements the above method.
The device provided by the embodiment of the present invention has the same implementation principle and technical effect as the method embodiments; for brevity, where the device embodiments do not mention something, reference may be made to the corresponding contents of the method embodiments.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the system and the apparatus described above may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In all examples shown and described herein, any particular value should be construed as merely exemplary, and not as a limitation, and thus other examples of example embodiments may have different values.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a non-volatile computer-readable storage medium executable by a processor. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
Finally, it should be noted that the above-mentioned embodiments are only specific embodiments of the present invention, used to illustrate the technical solutions of the present invention and not to limit them, and the protection scope of the present invention is not limited thereto. Although the present invention is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that any person skilled in the art can, within the technical scope of the present disclosure, modify the technical solutions described in the foregoing embodiments, readily conceive of changes to them, or make equivalent substitutions for some of their technical features; such modifications, changes or substitutions do not depart from the spirit and scope of the embodiments of the present invention and should be construed as being included therein. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (9)

1. A non-control data attack detection method based on a novel program dependency graph, characterized by comprising the following steps:
A) identifying and locating the security-sensitive non-control data in the target program through static analysis, obtaining a security-sensitive non-control data table, and generating a traditional program dependency graph of the target program at basic-block granularity;
B) taking the traditional program dependency graph and adding, on its directed edges, annotations containing the security-sensitive non-control data identified and located in the target program, thereby constructing a novel program dependency graph of the target program;
C) according to the novel program dependency graph, performing code instrumentation in the basic blocks that access and call security-sensitive non-control data;
D) while the target program executes, performing attack detection on the process by combining the novel program dependency graph with the security-sensitive non-control data table, so as to ensure the data-flow integrity of the security-sensitive non-control data in the target program;
wherein in D), the attack detection on the process while the target program runs comprises the following:
D1) when the target program executes the instrumentation code, an exception is triggered;
D2) according to the novel program dependency graph, the number of the basic block that triggered the exception is located;
D3) it is judged whether the same security-sensitive non-control data is both accessed and called in that basic block; if so, the position in the basic block that triggered the exception is located, and when that position is the access to the security-sensitive non-control data, the value of the accessed security-sensitive non-control data in the memory of the current target process is obtained and the corresponding value in the security-sensitive non-control data table is updated; when that position precedes the call that uses the security-sensitive non-control data, the data-flow integrity of the security-sensitive non-control data about to be called is verified, and step D4) is executed;
D4) it is judged whether the basic block accesses security-sensitive non-control data; if so, the value of the accessed security-sensitive non-control data in the memory of the target process is obtained and the corresponding value in the security-sensitive non-control data table is updated, after which handling of the exception finishes and the target process is notified to continue running; if the basic block does not access security-sensitive non-control data, step D5) is executed;
D5) it is judged whether the basic block calls security-sensitive non-control data; if so, the data-flow integrity of the security-sensitive non-control data about to be called is checked and verified; if not, the exception triggered by the current target process is judged to be an unexpected exception and the running of the target process is stopped.
2. The non-control data attack detection method based on a novel program dependency graph according to claim 1, wherein the security-sensitive non-control data in A) includes the function parameters of user-defined functions in the target program, system call parameters, and the variables that have a dependency relationship with the function parameters and the system call parameters.
3. The non-control data attack detection method based on a novel program dependency graph according to claim 1, wherein the identification and location of security-sensitive non-control data in A) comprises the following steps:
A1) generating, with a compiler, the intermediate language representation corresponding to the target program, and generating the corresponding program dependency graph at basic-block granularity;
A2) analyzing the intermediate language representation corresponding to the target program, identifying and locating the security-sensitive non-control data, and constructing the security-sensitive non-control data table of the target program.
4. The non-control data attack detection method based on a novel program dependency graph according to claim 3, wherein identifying and locating the security-sensitive non-control data in A2) comprises: identifying user-defined functions and system call functions through sensitive function analysis, and extracting and locating the parameters corresponding to the user-defined functions and the system call functions; and identifying and locating, through data dependency analysis, the variables that have a dependency relationship with the user-defined function parameters and the system call parameters.
5. The non-control data attack detection method based on a novel program dependency graph according to claim 1, wherein in B) the annotations added to the directed edges correspond to the security-sensitive non-control data that is accessed and called when the basic block executes, comprising the access behaviour in which the security-sensitive non-control data is operated on as the object of an arithmetic-logic operation, and the call behaviour in which the security-sensitive non-control data is used as a function parameter.
6. The non-control data attack detection method based on a novel program dependency graph according to claim 1, wherein the code instrumentation in C) comprises the following steps:
C1) taking a basic block i from the intermediate code of the target program;
C2) according to the novel program dependency graph, judging whether the same security-sensitive non-control data is both accessed and called in the basic block; if so, inserting instrumentation code after the corresponding access operation and before the call operation respectively, and judging whether all basic blocks of the target program have been instrumented; if not, entering step C3);
C3) judging whether basic block i accesses security-sensitive non-control data; if so, inserting instrumentation code at the exit of basic block i; if not, entering step C4);
C4) judging whether basic block i calls security-sensitive non-control data; if so, inserting instrumentation code at the entry of basic block i; otherwise judging whether all basic blocks of the target program have been instrumented;
C5) if the target program still has basic blocks awaiting instrumentation, setting i = i + 1 and returning to step C1); otherwise the instrumentation of the target program code is complete.
7. The non-control data attack detection method based on a novel program dependency graph according to claim 1, wherein the verification of the data-flow integrity of the security-sensitive non-control data in D) comprises the following steps: obtaining the value of the security-sensitive non-control data about to be called in the memory of the target process, looking up the corresponding value in the security-sensitive non-control data table, and verifying that the two values are consistent; if the verification passes, finishing the exception handling and notifying the target process to continue running; otherwise judging that the non-control data was maliciously tampered with before the call, regarding a non-control data attack as present, and stopping the running of the target process immediately.
8. The non-control data attack detection method based on a novel program dependency graph according to claim 1, wherein in D), while the target program runs, the exceptions triggered by executing the instrumentation code of the target program are handled automatically and the security-sensitive non-control data table stored in kernel space is updated and recorded, so as to complete the attack detection on non-control data.
9. A non-control data attack detection device based on a novel program dependency graph, realized on the basis of the method of claim 1 and comprising a static analysis module, a novel dependency graph construction module, an instrumentation module and a processing module, wherein
the static analysis module is configured to identify and locate the security-sensitive non-control data in the target program through static analysis and to generate the security-sensitive non-control data table and the traditional program dependency graph of the target program at basic-block granularity;
the novel dependency graph construction module is configured to take the traditional program dependency graph and add, on its directed edges, annotations containing the security-sensitive non-control data identified and located in the target program, thereby constructing the novel program dependency graph of the target program;
the instrumentation module is configured to perform code instrumentation, according to the novel program dependency graph, in the basic blocks that access and call security-sensitive non-control data;
and the processing module is configured to perform attack detection on the process while the target program executes, combining the novel program dependency graph with the security-sensitive non-control data table, so as to ensure the data-flow integrity of the security-sensitive non-control data in the target program.
CN201910848694.7A 2019-09-09 2019-09-09 Non-control data attack detection method and device based on novel program dependency graph Active CN110717181B (en)


Publications (2)

Publication Number Publication Date
CN110717181A CN110717181A (en) 2020-01-21
CN110717181B true CN110717181B (en) 2021-07-02




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant