CN111027059A - LLVM-based system and method for resisting memory leakage - Google Patents
LLVM-based system and method for resisting memory leakage Download PDFInfo
- Publication number
- CN111027059A CN111027059A CN201911198838.5A CN201911198838A CN111027059A CN 111027059 A CN111027059 A CN 111027059A CN 201911198838 A CN201911198838 A CN 201911198838A CN 111027059 A CN111027059 A CN 111027059A
- Authority
- CN
- China
- Prior art keywords
- honeypot
- code
- instruction
- instructions
- function
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Debugging And Monitoring (AREA)
Abstract
The invention provides a system and a method for resisting memory leakage based on LLVM, the system comprises a code honeypot device and a data honeypot device, the code honeypot device is used for resisting memory leakage attack based on a code pointer, the method comprises the steps of identifying a cross-function transfer instruction in a code after an LLVM source file is compiled into an IR layer code, inserting a condition judgment instruction, pointing a real end to the jump instruction, creating a copy of a function or a code segment pointed by the jump instruction, creating a honeypot jump instruction pointing to the copy at a condition judgment false end, and finally transferring the copy to a monitored or unexecutable honeypot area; the data honeypot device is used for identifying instructions which are easy to cause code position leakage, and comprises a return address instruction of a program, a function pointer generation instruction, a virtual function pointer generation instruction and an exception handling pointer generation instruction, and inserting corresponding honeypot functions or code generation instructions. The invention can resist the memory leakage attack based on the pointer leakage of the code and the data.
Description
Technical Field
The invention belongs to the field of computer software security, and relates to a technical scheme for resisting memory leakage based on LLVM.
Background
The attack and defense of code multiplexing attack is one of the important research directions of software security. Code reuse attacks accomplish the attack by reusing code already in the program, by hijacking the control flow to the target reuse code. The current randomization method increases the entropy value of the target program, and an attacker cannot directly construct an attack according to the target segment position obtained by offline analysis. Therefore, an attacker obtains the real code position after randomization by adopting memory leakage, thereby correcting the position of the segment or directly searching the segment in the memory.
Some classical approaches locate gadget assisted code reuse attacks through memory leaks. The JIT-ROP searches information positioning code pages such as partial program return addresses in a stack through memory information leakage loopholes. Then it locates the new code page by reading the content in the code page according to the cross-page function call and other control flow transfer instructions. Finally, the codes in the code pages are used for constructing the code multiplexing attack. The blinrop bypasses the protection schemes such as ASLR, DEP, canary and the like by utilizing the characteristic that some service threads can be automatically restarted when crashed, and can more covertly perform memory leakage.
The scheme of the memory leakage auxiliary code reuse attack is improved day by day, and scholars put forward a plurality of defense methods to the scheme. XnR (Excute-no-Read) mechanism stores programs in non-executable code segments, and if online memory information leaks and accesses to the non-executable locations, a page access error occurs and an exception is caused. Readactor + + uses XnR mechanism to put virtual function table into unreadable area, and inserts a large amount of false virtual function pointers in the virtual function table as honey bait to attract attackers. Once the attacker executes the locations pointed to by these false pointers, they fall into traps. Codermor teaches misplacing code segments and replacing the original locations with attractive gadgets to attract attackers whose execution triggers an alert to be captured by the defender. Both methods can relieve memory leak attacks based on execution to a certain extent, but most of the methods cannot be used in an actual industrialized scene because of the problems of high cost, inconvenience in deployment and the like.
Disclosure of Invention
Aiming at the problems in the prior defense technology, the invention provides a system and a method for resisting memory leakage based on LLVM. The method aims to induce attackers to use the codes to complete attacks through the codes and the data honeypots, and achieve the effect of actively defending memory leakage.
The technical scheme adopted by the invention is that the LLVM-based system for resisting memory leakage comprises a code honey pot device and a data honey pot device,
the code honeypot device is used for resisting memory leakage attacks based on code pointers, and comprises the steps of identifying jump instructions across functions after LLVM source files are compiled into IR layer codes, inserting condition judgment instructions in front of the instructions, enabling a real end to point to the jump instructions, then creating copies of the functions or code segments pointed by the jump instructions, creating honeypot jump instructions pointing to the copies at a condition judgment false end, and finally transferring the copies to honeypot areas which are monitored or can not be executed;
the data honeypot device is used for identifying instructions which are easy to cause code position leakage, and comprises a return address instruction of a program, a function pointer generation instruction, a virtual function pointer generation instruction and an exception handling pointer generation instruction, and corresponding honeypot functions or code generation instructions are inserted in front of and behind the instructions.
Furthermore, the code honeypot apparatus includes the following modules,
the sensitive point identification module is used for identifying a jump instruction of a cross-function and recording the instruction after the LLVM source file is compiled into an IR layer code;
the honeypot condition judgment module is used for inserting a condition judgment statement in front of each sensitive point according to the result obtained by the sensitive point identification module, pointing the real end of the judgment statement to the sensitive point, and using the false end to construct a honeypot trap;
the honeypot trap module is used for creating a copy for the function or the code segment pointed by the sensitive point according to the result obtained by the honeypot condition judgment module and storing the false end of the judgment module into a code pointer pointed to the copy;
and the honeypot storage module is used for transferring all the copy functions or code judgments to the monitored or unexecutable area according to the result obtained by the honeypot trap module.
Furthermore, the data honeypot apparatus includes the following modules,
the honeypot return address module is used for identifying a function call instruction of a program and pushing a destination address of the corresponding honeypot function call instruction generated by the code honeypot device into a stack in front of the instruction;
the honeypot function pointer module is used for identifying a program generation function pointer instruction and generating a corresponding honeypot function pointer generated by the code honeypot device nearby the instruction in the same way;
the honeypot virtual function pointer module is used for identifying a virtual function table generation instruction of a program and generating a corresponding honeypot virtual function pointer generated by the code honeypot device nearby the instruction in the same way;
and the honeypot exception handling pointer module is used for identifying an exception handling function generation instruction of the program and generating a corresponding honeypot exception handling function generated by the code honeypot device nearby the instruction in the same way.
The invention also provides a method for resisting memory leakage based on LLVM, which comprises a code honeypot step and a data honeypot step,
the code honeypot step is used for relieving code pointer leakage in memory leakage, and comprises the steps of identifying a jump instruction crossing functions after a source file is compiled into an IR layer code by an LLVM (Linear logic memory), inserting a condition judgment instruction in front of the instruction, pointing a real end to the jump instruction, then creating a copy of the function or code segment pointed by the jump instruction, creating a honeypot jump instruction pointing to the copy at a condition judgment false end, and finally transferring the copy to a honeypot area which is monitored or not executable;
and the data honeypot step is used for relieving the data pointer leakage in the memory leakage, and comprises the steps of identifying instructions which are easy to cause code position leakage after the code honeypot step, wherein the instructions comprise a return address instruction of a program, a function pointer generation instruction, a virtual function pointer generation instruction and an exception handling pointer generation instruction, and inserting corresponding honeypot functions or code generation instructions in front of and behind the instructions.
Furthermore, the code honeypot step includes the substeps of,
step 1, taking a source code to be protected as an input of the LLVM, and compiling the source code into an IR layer code of the LLVM;
step 2, identifying IR layer codes and marking jump instructions of cross-functions;
step 3, inserting a condition judgment instruction before the cross-function jump instruction, wherein the real end points to the jump instruction;
step 4, making a copy of a target function or a code segment of the jump instruction, and inserting the judgment instruction false end into the jump instruction pointing to the copy;
and 5, storing the copy into a monitored or unexecutable honeypot area.
Furthermore, the data honeypot step includes the substeps of,
step 1, after the code honeypot method is completed, identifying a return address instruction, a function pointer generation instruction, a virtual function pointer generation instruction and an exception handling pointer generation instruction of a program, and marking a position;
step 2, extracting a target code or a segment of the instruction at the marked position, and searching a corresponding honeypot copy;
and 3, creating instructions pointing to the honeypot copy in a similar mode according to the types of the marks, and inserting the instructions before and after the mark positions.
Compared with the prior art, the technical scheme of the invention has the following beneficial effects: 1. an LLVM open source compiler is used as a compiling engine, source codes are used as input, modification is carried out on an IR layer, and the problem of inaccurate code identification is avoided; 2. the honeypot idea is completely used, system level modification is not required to be contacted, and compatibility is stronger; 3. the honeypot trapping is carried out from the data and the code, and the trapping probability is higher.
The invention can effectively increase the difficulty of the memory layout analysis of the attacker, and induce the attacker to use honeypot codes and data so as to fall into the trap. Tests show that the invention has low software overhead and can resist memory leak attacks based on pointer leakage of codes and data.
Drawings
Fig. 1 is a schematic diagram of an apparatus of a LLVM-based code honeypot method according to an embodiment of the present invention.
Fig. 2 is a schematic diagram of an apparatus of a data honeypot method based on LLVM according to an embodiment of the present invention.
Fig. 3 is an application flowchart of a method for resisting memory leakage based on LLVM in the embodiment of the present invention.
Detailed Description
In order to facilitate the understanding and implementation of the present invention for a person of ordinary skill in the art, the present invention is further described in detail below with reference to the accompanying drawings and examples. It is to be understood that the embodiments described herein are for purposes of illustration and explanation only and are not intended to be limiting.
The technical scheme of the invention provides that the memory leakage attack is relieved by a code honeypot method based on the LLVM and a data honeypot method based on the LLVM. By means of the code and data honeypot insertion during compiling, memory leakage attacks based on code and data pointers are resisted. LLVM is a framework system that constructs a compiler (compiler). The present invention may be implemented in a computer.
The embodiment of the invention provides a method for resisting memory leakage based on an LLVM (Linear virtual memory), which comprises the following steps:
code honeypot step: the method is used for relieving code pointer leakage in memory leakage, and specifically comprises the steps of after a source file is compiled into IR layer codes by an LLVM, identifying jump instructions across functions, inserting a condition judgment instruction in front of the instructions, pointing a real end to the jump instructions, then creating copies of the functions or code segments pointed by the jump instructions, creating honeypot jump instructions pointing to the copies at a condition judgment false end, and finally transferring the copies to monitored or unexecutable honeypot regions.
The code honeypot step specifically comprises the following substeps:
step 1: taking a source code to be protected as an input of the LLVM, and compiling the source code to be protected into an IR layer code of the LLVM;
step 2: identifying IR layer codes and marking jump instructions of cross functions;
and step 3: inserting a condition judgment instruction before a cross-function jump instruction, wherein a real end points to the jump instruction;
and 4, step 4: making a target function or code segment copy of the jump instruction, and inserting a judgment instruction false end into the jump instruction pointing to the copy;
and 5: the copy is deposited into a honeypot area that is monitored or not executable.
Data honeypot step: the method is used for relieving data pointer leakage in memory leakage, and particularly comprises the steps of identifying instructions which are easy to cause code position leakage, such as a return address instruction, a function pointer generation instruction, a virtual function pointer generation instruction, an exception handling pointer generation instruction and the like of a program after a code honeypot step, and inserting corresponding honeypot functions or code generation instructions in front of and behind the instructions.
The data honeypot step specifically comprises the following substeps:
step 1: after the code honeypot method is completed, identifying a return address instruction, a function pointer generation instruction, a virtual function pointer generation instruction and an exception handling pointer generation instruction of a program, and marking the position;
step 2: extracting the target code or the segment of the instruction at the marked position, and searching a corresponding honeypot copy;
and step 3: instructions pointing to the honeypot copy are created in a similar manner according to the category of the tag, inserted before and after the tag location.
In specific implementation, a system for resisting memory leakage based on LLVM may also be implemented in a device manner, and correspondingly includes:
the code honeypot device is used for resisting memory leakage attacks based on code pointers, and particularly after an LLVM source file is compiled into an IR layer code, a jump instruction crossing a function is identified, a condition judgment instruction is inserted in front of the instruction, a real end points to the jump instruction, then a copy of the function or code segment pointed by the jump instruction is created, a honeypot jump instruction pointing to the copy is created at a condition judgment false end, and finally the copy is transferred to a monitored or unexecutable honeypot area. After the cross-function transfer instruction in the code is identified, a honeypot transfer instruction is inserted into a parallel position of the cross-function transfer instruction, the honeypot transfer instruction points to a honeypot copy of an original instruction pointing to a target function or a basic block, and the honeypot copy is stored in a monitored and unexecutable area.
The data honeypot device is used for resisting memory leak attacks based on data pointers, and particularly identifies instructions which are easy to cause code position leakage, such as a return address instruction, a function pointer generation instruction, a virtual function pointer generation instruction, an exception handling pointer generation instruction and the like of a program after an LLVM source file is compiled into an IR layer code, and inserts corresponding honeypot functions or code generation instructions in front of and behind the instructions. Namely, exception handling, function return instruction and data, virtual function table pointers are searched in a program, and corresponding honeypot data pointers are inserted near the program or at the starting position of the section where the program is located.
The code honeypot device of the embodiment of the invention comprises the following modules: the honeypot fault diagnosis system comprises a sensitive point identification module, a honeypot condition judgment module, a honeypot trap module and a honeypot storage module, which are shown in figure 1.
The sensitive point identification module is used for identifying the IR layer code and marking a jump instruction of a cross-function after the source code to be protected is used as the input of the LLVM and compiled into the IR layer code of the LLVM: after the LLVM source file is compiled into IR layer codes, jump instructions of cross functions are recognized by the sensitive point recognition module and recorded, wherein the instructions comprise call instructions, indirect jump instructions and the like.
The honeypot condition judgment module is used for inserting a condition judgment instruction before the cross-function jump instruction, and the real end points to the jump instruction: after the sensitive point identification module, the honeypot condition judgment module inserts a condition judgment statement in front of each sensitive point, the real end of the judgment statement points to the sensitive point, and the false end is used for constructing a honeypot trap. The insertion judgment instruction can be completed by using a split BaiscBlock instruction, and a judgment condition confusion constraint solver operated by inserting floating point numbers can be used.
The honeypot trap module is used for making a copy of a target function or a code segment of the jump instruction, and inserting the judgment instruction false end into the jump instruction pointing to the copy: after the honeypot condition judgment module, a copy is created for the function or the code segment pointed by the sensitive point, and the false end of the judgment module is stored in a code pointer pointing to the copy. The create copy function may be implemented private with the cliceFunction API.
The honeypot storage module is used for storing the copy into a honeypot area which is monitored or not executable: after the honeypot trap module, all replica functions or code decisions are transferred to the monitored or non-executable regions. In specific implementation, the LLVM back-end generation code needs to be modified, a new section is created, and an Attribute Attribute is added to the copy.
Wherein, the Chinese meaning of the related symbols is as follows:
IR intermediate representation
Call
splitting basic blocks for split BaiscBlock
cloneFunctionAPI cloning function interface
Attribute feature
The data honeypot device of the embodiment of the invention needs to construct the following modules: the honeypot exception handling module comprises a honeypot return address module, a honeypot function pointer module, a honeypot virtual function pointer module and a honeypot exception handling pointer module, which are shown in fig. 2.
The honeypot return address module is used for identifying a return address instruction, a function pointer generation instruction, a virtual function pointer generation instruction and an exception handling pointer generation instruction of a program after the code honeypot device finishes processing, and marking the position; the other modules will be used to extract the object code or fragments of the instructions at the marked locations, find the corresponding honeypot replicas, create instructions pointing to the honeypot replicas in a similar way according to the marked categories, insert before and after the marked locations: after the code honeypot device, identifying a function call instruction of a program, and pushing a destination address of a corresponding honeypot function call instruction generated by the code honeypot device into a stack before the instruction. Push instructions may use push or mov, or create local variables near the return address storage location.
Honeypot function pointer module: after code honeypot, the recognition program generates a function pointer instruction and generates a corresponding honeypot function pointer generated by the code honeypot device in the same manner in the vicinity of the instruction. The basic block that generates the function pointer is here copied in the form of cloneBasicBlock and the generation position therein is replaced.
Honeypot virtual function pointer module: after the code honeypot device, virtual function table generation instructions of the program are identified, and corresponding honeypot virtual function pointers generated by the code honeypot device are generated nearby the instructions in the same way. Here in the same way as the honey pot function pointer module implementation.
Honeypot exception handling pointer module: after the code honeypot device, an exception handling function generation instruction of the program is identified, and a corresponding honeypot exception handling function generated by the code honeypot device is generated nearby the instruction in the same way. Here in the same way as the honey pot function pointer module implementation.
In specific implementation, the invention can be realized in a cross-platform manner and can be used in Windows environment, Linux environment, Unix environment and MacOS environment. In this example, Ubuntu is taken as an example to illustrate the installation and use of the device.
First, under Ubuntu, the/lib/transformations folder of the LLVM downloaded through the official website is opened, in which a folder is newly created that modifies the source file of the LLVM. Storing the source file needed by the device, creating CMakeLists. Txt file, modified/lib/Transforms/cmakelist, with device folder name added. And after modification, compiling according to a standard LLVM compiling mode.
The defense example of the invention is shown in fig. 3, wherein, Gadget refers to a small attack segment, pop rdi, ret, call mprtect and the like which are all examples of small segments, honeypot call refers to honeypot call, the shadow in the cylinder indicates that the inserted pointer points to the pointer category stored in the honeypot area, the shadow square represents the code of the specific honeypot area, the honeypot of the function M is copied with the function M ', the honeypot of the function N is copied with the functions N ' and N ', the honeypot of the function P is copied with the functions P ' and P ', the honeypot of the function Q is copied with the functions Q ' and Q ', the corresponding function addresses are ① and ⑤ …, the normal paths have 1, and the possible honeypot paths have 15.
The technology of the invention is mainly used for increasing the difficulty of memory leakage of an attacker by inserting code and data pointer honeypots. Through the code honeypot, the leakage of the indirect function is obfuscated; and reinforcing the initial position of memory leakage through a data honeypot. The device can effectively relieve code multiplexing attack caused by memory leakage and improve the security of codes.
It should be understood that parts of the specification not set forth in detail are well within the prior art. It should be understood that the above description of the preferred embodiments is given for clarity and not for any purpose of limitation, and that various changes, substitutions and alterations can be made herein without departing from the spirit and scope of the invention as defined by the appended claims.
Claims (6)
1. A system for resisting memory leakage based on LLVM, comprising: comprises a code honey pot device and a data honey pot device,
the code honeypot device is used for resisting memory leakage attacks based on code pointers, and comprises the steps of identifying jump instructions across functions after LLVM source files are compiled into IR layer codes, inserting condition judgment instructions in front of the instructions, enabling a real end to point to the jump instructions, then creating copies of the functions or code segments pointed by the jump instructions, creating honeypot jump instructions pointing to the copies at a condition judgment false end, and finally transferring the copies to honeypot areas which are monitored or can not be executed;
the data honeypot device is used for identifying instructions which are easy to cause code position leakage, and comprises a return address instruction of a program, a function pointer generation instruction, a virtual function pointer generation instruction and an exception handling pointer generation instruction, and corresponding honeypot functions or code generation instructions are inserted in front of and behind the instructions.
2. The LLVM-based system for resisting memory leaks of claim 1, wherein: the code honeypot apparatus includes the following modules,
the sensitive point identification module is used for identifying a jump instruction of a cross-function and recording the instruction after the LLVM source file is compiled into an IR layer code;
the honeypot condition judgment module is used for inserting a condition judgment statement in front of each sensitive point according to the result obtained by the sensitive point identification module, pointing the real end of the judgment statement to the sensitive point, and using the false end to construct a honeypot trap;
the honeypot trap module is used for creating a copy for the function or the code segment pointed by the sensitive point according to the result obtained by the honeypot condition judgment module and storing the false end of the judgment module into a code pointer pointed to the copy;
and the honeypot storage module is used for transferring all the copy functions or code judgments to the monitored or unexecutable area according to the result obtained by the honeypot trap module.
3. The LLVM-based system for resisting memory leaks of claim 1, wherein: the data honeypot apparatus includes the following modules,
the honeypot return address module is used for identifying a function call instruction of a program and pushing a destination address of the corresponding honeypot function call instruction generated by the code honeypot device into a stack in front of the instruction;
the honeypot function pointer module is used for identifying a program generation function pointer instruction and generating a corresponding honeypot function pointer generated by the code honeypot device nearby the instruction in the same way;
the honeypot virtual function pointer module is used for identifying a virtual function table generation instruction of a program and generating a corresponding honeypot virtual function pointer generated by the code honeypot device nearby the instruction in the same way;
and the honeypot exception handling pointer module is used for identifying an exception handling function generation instruction of the program and generating a corresponding honeypot exception handling function generated by the code honeypot device nearby the instruction in the same way.
4. A method for resisting memory leakage based on LLVM, comprising: comprises a code honeypot step and a data honeypot step,
the code honeypot step is used for relieving code pointer leakage in memory leakage, and comprises the steps of identifying a jump instruction crossing functions after a source file is compiled into an IR layer code by an LLVM (Linear logic memory), inserting a condition judgment instruction in front of the instruction, pointing a real end to the jump instruction, then creating a copy of the function or code segment pointed by the jump instruction, creating a honeypot jump instruction pointing to the copy at a condition judgment false end, and finally transferring the copy to a honeypot area which is monitored or not executable;
and the data honeypot step is used for relieving the data pointer leakage in the memory leakage, and comprises the steps of identifying instructions which are easy to cause code position leakage after the code honeypot step, wherein the instructions comprise a return address instruction of a program, a function pointer generation instruction, a virtual function pointer generation instruction and an exception handling pointer generation instruction, and inserting corresponding honeypot functions or code generation instructions in front of and behind the instructions.
5. The LLVM-based method for defending against memory leaks of claim 4, wherein: the code honeypot step includes the sub-steps of,
step 1, taking a source code to be protected as an input of the LLVM, and compiling the source code into an IR layer code of the LLVM;
step 2, identifying IR layer codes and marking jump instructions of cross-functions;
step 3, inserting a condition judgment instruction before the cross-function jump instruction, wherein the real end points to the jump instruction;
step 4, making a copy of a target function or a code segment of the jump instruction, and inserting the judgment instruction false end into the jump instruction pointing to the copy;
and 5, storing the copy into a monitored or unexecutable honeypot area.
6. The LLVM-based method for defending against memory leaks of claim 4, wherein: the data honeypot step includes the sub-steps of,
step 1, after the code honeypot method is completed, identifying a return address instruction, a function pointer generation instruction, a virtual function pointer generation instruction and an exception handling pointer generation instruction of a program, and marking a position;
step 2, extracting a target code or a segment of the instruction at the marked position, and searching a corresponding honeypot copy;
and 3, creating instructions pointing to the honeypot copy in a similar mode according to the types of the marks, and inserting the instructions before and after the mark positions.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911198838.5A CN111027059B (en) | 2019-11-29 | 2019-11-29 | LLVM-based system and method for resisting memory leakage |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911198838.5A CN111027059B (en) | 2019-11-29 | 2019-11-29 | LLVM-based system and method for resisting memory leakage |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111027059A true CN111027059A (en) | 2020-04-17 |
CN111027059B CN111027059B (en) | 2022-07-19 |
Family
ID=70207091
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201911198838.5A Active CN111027059B (en) | 2019-11-29 | 2019-11-29 | LLVM-based system and method for resisting memory leakage |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111027059B (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111797388A (en) * | 2020-06-12 | 2020-10-20 | 武汉大学 | JavaScript engine memory information leakage defense method and system based on runtime randomization |
CN113553590A (en) * | 2021-08-12 | 2021-10-26 | 广州锦行网络科技有限公司 | Method for preventing attackers from escaping from honeypots |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101185063A (en) * | 2005-04-18 | 2008-05-21 | 纽约市哥伦比亚大学理事会 | Systems and methods for detecting and inhibiting attacks using honeypots |
CN108090346A (en) * | 2017-12-04 | 2018-05-29 | 华中科技大学 | A kind of code reuse attack defense method and system based on data stream monitoring |
CN108446557A (en) * | 2018-03-12 | 2018-08-24 | 江苏中天科技软件技术有限公司 | Security threat active perception method based on defence honey jar |
US10133871B1 (en) * | 2017-12-13 | 2018-11-20 | Booz Allen Hamilton Inc. | Method and system for identifying functional attributes that change the intended operation of a compiled binary extracted from a target system |
CN109918903A (en) * | 2019-03-06 | 2019-06-21 | 西安电子科技大学 | A kind of program non-control attack guarding method based on LLVM compiler |
-
2019
- 2019-11-29 CN CN201911198838.5A patent/CN111027059B/en active Active
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101185063A (en) * | 2005-04-18 | 2008-05-21 | 纽约市哥伦比亚大学理事会 | Systems and methods for detecting and inhibiting attacks using honeypots |
CN108090346A (en) * | 2017-12-04 | 2018-05-29 | 华中科技大学 | A kind of code reuse attack defense method and system based on data stream monitoring |
US10133871B1 (en) * | 2017-12-13 | 2018-11-20 | Booz Allen Hamilton Inc. | Method and system for identifying functional attributes that change the intended operation of a compiled binary extracted from a target system |
CN108446557A (en) * | 2018-03-12 | 2018-08-24 | 江苏中天科技软件技术有限公司 | Security threat active perception method based on defence honey jar |
CN109918903A (en) * | 2019-03-06 | 2019-06-21 | 西安电子科技大学 | A kind of program non-control attack guarding method based on LLVM compiler |
Non-Patent Citations (1)
Title |
---|
马越等: "基于蜜罐技术的主动式校园网安全模型研究", 《上饶师范学院学报》 * |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111797388A (en) * | 2020-06-12 | 2020-10-20 | 武汉大学 | JavaScript engine memory information leakage defense method and system based on runtime randomization |
CN113553590A (en) * | 2021-08-12 | 2021-10-26 | 广州锦行网络科技有限公司 | Method for preventing attackers from escaping from honeypots |
CN113553590B (en) * | 2021-08-12 | 2022-03-29 | 广州锦行网络科技有限公司 | Method for preventing attackers from escaping from honeypots |
Also Published As
Publication number | Publication date |
---|---|
CN111027059B (en) | 2022-07-19 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109643343B (en) | Kernel-based detection of target application functions using virtual address mapping | |
CN108090346B (en) | Code multiplexing attack defense method and system based on data flow monitoring | |
US9147070B2 (en) | Binary translation and randomization system for application security | |
Bhatkar et al. | Address obfuscation: An efficient approach to combat a broad range of memory error exploits | |
US20160065613A1 (en) | System and method for detecting malicious code based on web | |
US7640583B1 (en) | Method and system for protecting anti-malware programs | |
CN105184118B (en) | A kind of Android application program shell adding guard methods and device based on code fragmentation | |
CN111027059B (en) | LLVM-based system and method for resisting memory leakage | |
CN103473501B (en) | A kind of Malware method for tracing based on cloud security | |
CN104881610B (en) | A kind of defence method for virtual table hijack attack | |
CN107577925B (en) | Based on the virtual Android application program guard method of dual ARM instruction | |
CN106874758B (en) | Method and device for identifying document code | |
CN105653906A (en) | Anti-kernel-hook method based on address randomization | |
US11556639B2 (en) | Method for automatic creation of malware detection signature | |
Stancill et al. | Check my profile: Leveraging static analysis for fast and accurate detection of rop gadgets | |
CN106951799A (en) | A kind of Android Double Datas subregion construction method | |
CN108009427B (en) | Rapid retrieval method for database vulnerability rules | |
Krasov et al. | Methods for building a trusted environment in Unix operating systems based on the implementation of a digital watermark | |
CN106126225A (en) | A kind of object code reverse engineering approach based on program evolution model | |
Kilic et al. | Blind format string attacks | |
Zeng et al. | Software Watermarking Through Obfuscated Interpretation: Implementation and Analysis. | |
CN107545174B (en) | System and method for resisting control flow hijacking based on LLVM | |
CN106127054A (en) | A kind of system-level safety protecting method towards smart machine control instruction | |
CN102737203A (en) | Virus defense method and system based on program father-son gene relation | |
Flatem | An Analysis of Return-oriented Programming |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |