CN112182515A - NX security protection-based detection method, terminal and storage medium - Google Patents


Info

Publication number
CN112182515A
Authority
CN
China
Prior art keywords
program
elf
protection
detection method
security protection
Prior art date
Legal status
Pending
Application number
CN202011168445.2A
Other languages
Chinese (zh)
Inventor
余少高
严智慧
Current Assignee
Beijing Zhiyou Wang'an Technology Co ltd
Original Assignee
Beijing Zhiyou Wang'an Technology Co ltd
Priority date
2020-10-28
Filing date
2020-10-28
Publication date
2021-01-05
Application filed by Beijing Zhiyou Wang'an Technology Co ltd
Priority to CN202011168445.2A
Publication of CN112182515A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F 21/12 Protecting executable software
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Abstract

The invention discloses a detection method, a terminal and a storage medium based on NX security protection. The method comprises the following steps: acquiring the ELF file of a program, and checking the ELF program header information of the ELF file by analysing the output of a first command run on the ELF file; and judging whether a preset identifier exists in the ELF program header information, and if so, concluding that the program has NX security protection enabled. The method and device judge whether the program has NX security protection enabled and remind the user to enable it when it is not. When NX security protection is enabled, an exception is raised as soon as shellcode is executed, so that the program is protected; without NX security protection a malicious program could be executed. The security of the program is thereby greatly improved.

Description

NX security protection-based detection method, terminal and storage medium
Technical Field
The invention relates to the technical field of computer security, in particular to a detection method based on NX security protection, a terminal and a storage medium.
Background
NX (No-eXecute), also known as DEP (Data Execution Prevention), marks the memory pages holding data as non-executable. When a program overflows and control is successfully transferred into shellcode, the program tries to execute instructions on a data page, and the CPU throws an exception instead of executing the malicious instruction. (Shellcode is a piece of code used to exploit a software bug. It is hexadecimal machine code, named after the shell that an attacker often obtains with it, and is usually written in machine language: after the eip register is overflowed, a piece of shellcode machine code that the CPU can execute is stuffed in, so that the computer executes arbitrary instructions of the attacker.)
If the NX security protection is not opened by the program, the malicious program can be executed, and the security of the program cannot be protected.
Accordingly, the prior art is yet to be improved and developed.
Disclosure of Invention
The invention mainly aims to provide a detection method, a terminal and a storage medium based on NX security protection, and aims to solve the problem that malicious programs can be executed when NX security protection is not started and the security of the programs cannot be protected in the prior art.
In order to achieve the above object, the present invention provides a detection method based on NX security protection, wherein the detection method based on NX security protection comprises the following steps:
acquiring an ELF file of a program, and checking ELF program header information of the ELF file by analyzing a first command of the ELF file;
and judging whether a preset identifier exists in the ELF program header information, if so, indicating that the NX safety protection is opened by the program.
The detecting method based on NX security protection, wherein the determining whether the preset identifier exists in the ELF symbol table information further includes:
and if the preset identifier is judged not to exist in the ELF symbol table information, the program does not start NX safety protection.
The detection method based on NX security protection, wherein the detection method based on NX security protection further comprises:
and if the NX safety protection is not started by the program, prompting a user to start the NX safety protection.
The detection method based on NX security protection is characterized in that the first command is readelf -l.
The detection method based on NX security protection is characterized in that the preset identifier is the GNU_STACK type.
In addition, to achieve the above object, the present invention further provides a terminal, wherein the terminal includes a memory, a processor, and a detection program based on NX security protection that is stored in the memory and executable on the processor; the detection program based on NX security protection implements the steps of the detection method based on NX security protection when executed by the processor.
In addition, in order to achieve the above object, the present invention further provides a storage medium, wherein the storage medium stores a detection program based on NX security protection, and the detection program based on NX security protection implements the steps of the detection method based on NX security protection when being executed by a processor.
The method acquires the ELF file of a program and checks the ELF program header information of the ELF file by analysing the output of a first command run on the ELF file; it then judges whether a preset identifier exists in the ELF program header information, and if so, concludes that the program has NX security protection enabled. The method and device judge whether the program has NX security protection enabled and remind the user to enable it when it is not. When NX security protection is enabled, an exception is raised as soon as shellcode is executed, so that the program is protected; without NX security protection a malicious program could be executed. The security of the program is thereby greatly improved.
Drawings
FIG. 1 is a flow chart of a preferred embodiment of the NX security protection based detection method of the present invention;
fig. 2 is a schematic operating environment of a terminal according to a preferred embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer and clearer, the present invention is further described in detail below with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
As shown in fig. 1, the detection method based on NX security protection according to the preferred embodiment of the present invention includes the following steps:
and step S10, acquiring an ELF file of the program, and checking ELF program header information of the ELF file by analyzing a first command of the ELF file.
In computer science, ELF (Executable and Linkable Format) is a file format used for executable files, object code, shared libraries and core dumps.
Specifically, an ELF file is composed of 4 parts: the ELF header (the file header), the program header table, the sections, and the section header table. In practice a file does not necessarily contain all of these, and they are not necessarily laid out in this order; only the position of the ELF header is fixed, and the positions, sizes and other information of the remaining parts are determined by values in the ELF header.
After the ELF file of the program is acquired, the ELF symbol table information of the ELF file is checked by analysing the output of the first command (the first command is readelf -l) run on the ELF file.
readelf displays information about ELF files; which information is shown is controlled by its command-line options, which makes the command very useful when analysing the format of an ELF file.
Step S20, determining whether a preset identifier exists in the ELF program header information, and if so, indicating that the program has opened NX security protection.
In the computing field, the stack is a concept that cannot be ignored. A stack is a data structure in which data items are arranged in order and can only be inserted and removed at one end (called the top of the stack). In microcontroller applications, the stack is a special storage area whose main function is to temporarily store data and addresses; it is usually used to preserve return addresses and the execution context.
Stacks are important data structures in computer science and are used in many areas of numerical computation. Expression evaluation is a common operation in a compiler; during the evaluation of an arithmetic expression, a stack is needed to hold the intermediate values and operators of the expression, so that access to the results produced during the intermediate steps of the evaluation is managed automatically to some degree. Most compiled programming languages support recursion, which enhances the expressive power of the language and reduces programming difficulty. The recursion depth of a recursive program is usually not known in advance, so the return addresses of subroutine calls must be saved on a stack, a first-in, last-out structure, to ensure that the return addresses are used in the correct order. In functional programming languages, the types and numbers of parameters differ between sub-functions, and the compiler also uses a stack to store the parameters of a subroutine.
The preset identifier is the GNU_STACK type.
To realise hardware stack protection on mainstream machines (such as the NX bit on the amd64 platform), a developer needs to make the correct stack settings in a software package. Stack protection is an issue on all platforms; its purpose is to fix the software package when it fails, and the focus is the GNU_STACK ELF marking. ELF is the abbreviation of Executable and Linkable Format; it is the file format common to all Linux distributions, and an ELF file can be an executable or a library. GNU_STACK is a program header that tells the system how to control the stack when the ELF is loaded into memory. The GNU stack is divided into executable and non-executable stacks. ELF files that end up with an executable stack marking fall into the following three scenarios:
1. Code generated by GCC that uses an executable stack.
2. The object file generated from assembly source code contains a marking that tells the linker an executable stack is needed (i.e. the GNU_STACK notation set to an executable stack).
3. The object file generated from assembly source code has no GNU_STACK notation at all, which is often the case for code intended to be used on a variety of platforms.
GCC generates executable code on the stack when a trampoline for a nested function has to be implemented; removing the executable-stack requirement means rewriting the code, which is sometimes easy and sometimes not.
If assembly source code contains a GNU_STACK marking requesting an executable stack, this is intentional on the part of the designer, and likewise the code must be rewritten to eliminate the requirement.
If assembly source code does not contain a GNU_STACK marking, the system may by default assume that an executable stack is needed; however, when the GNU_STACK marking is absent, it is usually because the author did not add it, not because the code itself actually needs an executable stack.
In the first two cases the executable-stack marking is genuine, and the only way to remove it is to rewrite the code. However, if the upstream author did not indicate whether the object file assembled from the source code needs an executable stack, patching it means adding a GNU_STACK notation to the source code stating that an executable stack is not needed.
Generally, when GCC compiles source code it emits the GNU_STACK notation, and the final object file will not carry an executable stack marking unless one is needed. But when assembly source code is compiled, GCC cannot add the GNU_STACK notation automatically, so the most common source of ELF binaries with an executable stack is a software package containing raw assembly code. Note that this refers not to inline assembly but to pure assembly source files with a capital .S suffix.
In the invention, after the ELF symbol table information is acquired, it is judged whether a GNU_STACK type exists in the ELF symbol table information; if the GNU_STACK type exists, the program has NX security protection enabled.
Further, if it is determined that the GNU_STACK type does not exist in the ELF symbol table information, the program does not have NX security protection enabled. If the program has not enabled NX security protection, the user is prompted to enable it, preventing in advance the program from being attacked by a hacker.
That is, in the present invention, if the NX security protection is activated, an exception is triggered when the shellcode is executed, thereby protecting the program, and if the protection is not activated, the malicious program will be executed.
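As an added example (not the patent's own code), the following Python parses the ELF program header table directly for the PT_GNU_STACK entry that `readelf -l` prints as the GNU_STACK line, and, as a practitioner's refinement of step S20, also reports the entry's flags: a GNU_STACK header without the X (execute) flag is what `readelf -l` shows as RW and what checksec-style tooling reports as NX enabled, while a header with X set (RWE) means an executable stack. The ELF images used as input are constructed inline and are not loadable binaries; the constants are the standard ELF values.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551  # p_type of the GNU_STACK program header
PF_X = 0x1                 # execute permission bit in p_flags
PF_W = 0x2
PF_R = 0x4


def parse_program_headers(data: bytes):
    """Return a list of (p_type, p_flags) for every program header.

    Handles ELF32 and ELF64 in either byte order; only the fields this
    check needs are decoded."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"
    if ei_class == 2:  # ELF64: e_phoff at 0x20 (8 bytes), e_phentsize/e_phnum at 0x36
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
        fmt, flags_idx = end + "IIQQQQQQ", 1   # p_type, p_flags, p_offset, ...
    elif ei_class == 1:  # ELF32: e_phoff at 0x1C (4 bytes), e_phentsize/e_phnum at 0x2A
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
        fmt, flags_idx = end + "IIIIIIII", 6   # p_type, p_offset, ..., p_flags, p_align
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    headers = []
    for i in range(e_phnum):
        fields = struct.unpack_from(fmt, data, e_phoff + i * e_phentsize)
        headers.append((fields[0], fields[flags_idx]))
    return headers


def nx_status(data: bytes) -> str:
    """Step S20 of the patent plus the flag check: locate GNU_STACK and
    classify the binary."""
    for p_type, p_flags in parse_program_headers(data):
        if p_type == PT_GNU_STACK:
            if p_flags & PF_X:
                return "NX disabled (GNU_STACK present but marked RWE)"
            return "NX enabled (GNU_STACK present, stack RW)"
    return "NX disabled (no GNU_STACK header)"


def build_elf64(phdrs):
    """Construct a minimal little-endian x86-64 ELF64 image holding only an
    ELF header and the given (p_type, p_flags) program headers. Constructed
    sample input for the check, not a loadable binary."""
    phnum = len(phdrs)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # 64-bit, LSB, version 1
    ehdr = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        2, 0x3E, 1,        # e_type=EXEC, e_machine=x86-64, e_version
        0, 64, 0, 0,       # e_entry, e_phoff (right after the header), e_shoff, e_flags
        64, 56, phnum,     # e_ehsize, e_phentsize, e_phnum
        64, 0, 0,          # e_shentsize, e_shnum, e_shstrndx
    )
    table = b"".join(
        struct.pack("<IIQQQQQQ", p_type, p_flags, 0, 0, 0, 0, 0, 0x10)
        for p_type, p_flags in phdrs
    )
    return ehdr + table


# Constructed samples: PT_LOAD (type 1) plus a GNU_STACK header that is RW,
# RWE, or missing entirely.
SAMPLES = {
    "nx_on":    build_elf64([(1, PF_R | PF_X), (PT_GNU_STACK, PF_R | PF_W)]),
    "exec_stk": build_elf64([(1, PF_R | PF_X), (PT_GNU_STACK, PF_R | PF_W | PF_X)]),
    "no_stack": build_elf64([(1, PF_R | PF_X)]),
}


if __name__ == "__main__":
    if len(sys.argv) > 1:  # check a real binary: python <this file> /path/to/elf
        with open(sys.argv[1], "rb") as f:
            print(nx_status(f.read()))
    else:
        for name, image in SAMPLES.items():
            print(f"{name}: {nx_status(image)}")
```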
Further, as shown in fig. 2, based on the above detecting method based on NX security protection, the present invention also provides a terminal, which includes a processor 10, a memory 20, and a display 30. Fig. 2 shows only some of the components of the terminal, but it is to be understood that not all of the shown components are required to be implemented, and that more or fewer components may be implemented instead.
The memory 20 may in some embodiments be an internal storage unit of the terminal, such as a hard disk or the main memory of the terminal. In other embodiments the memory 20 may be an external storage device attached to the terminal, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, a flash memory card (Flash Card), and the like. Further, the memory 20 may include both an internal storage unit and an external storage device of the terminal. The memory 20 is used for storing the application software installed on the terminal and various types of data, such as the program code installed on the terminal. The memory 20 may also be used to temporarily store data that has been output or is to be output. In an embodiment, the memory 20 stores an NX security protection based detection program 40, and the NX security protection based detection program 40 can be executed by the processor 10 so as to implement the NX security protection based detection method of the present application.
The processor 10 may in some embodiments be a Central Processing Unit (CPU), a microprocessor or another data processing chip, and is used to run the program code stored in the memory 20 or to process data, for example to execute the detection method based on NX security protection.
The display 30 may be an LED display, a liquid crystal display, a touch-sensitive liquid crystal display, an OLED (Organic Light-Emitting Diode) touch panel, or the like in some embodiments. The display 30 is used for displaying information at the terminal and for displaying a visual user interface. The components 10-30 of the terminal communicate with each other via a system bus.
In one embodiment, when the processor 10 executes the NX security protection based detection program 40 in the memory 20, the following steps are implemented:
acquiring an ELF file of a program, and checking ELF program header information of the ELF file by analyzing a first command of the ELF file;
and judging whether a preset identifier exists in the ELF program header information, if so, indicating that the NX safety protection is opened by the program.
Wherein, the judging whether the preset identifier exists in the ELF symbol table information further includes:
and if the preset identifier is judged not to exist in the ELF symbol table information, the program does not start NX safety protection.
Wherein, the detecting method based on NX safety protection further comprises:
and if the NX safety protection is not started by the program, prompting a user to start the NX safety protection.
Wherein the first command is readelf -l.
Wherein the preset identifier is the GNU_STACK type.
The present invention also provides a storage medium, wherein the storage medium stores a detection program based on NX security protection, and the steps of the detection method based on NX security protection as described above are implemented when the detection program based on NX security protection is executed by a processor.
In summary, the present invention provides a detection method, a terminal and a storage medium based on NX security protection, where the method includes: acquiring the ELF file of a program, and checking the ELF program header information of the ELF file by analysing the output of a first command run on the ELF file; and judging whether a preset identifier exists in the ELF program header information, and if so, concluding that the program has NX security protection enabled. The method and device judge whether the program has NX security protection enabled and remind the user to enable it when it is not. When NX security protection is enabled, an exception is raised as soon as shellcode is executed, so that the program is protected; without NX security protection a malicious program could be executed. The security of the program is thereby greatly improved.
Of course, it will be understood by those skilled in the art that all or part of the processes of the methods of the above embodiments may be implemented by a computer program instructing relevant hardware (such as a processor, a controller, etc.), and the program may be stored in a computer readable storage medium, and when executed, the program may include the processes of the above method embodiments. The storage medium may be a memory, a magnetic disk, an optical disk, etc.
It is to be understood that the invention is not limited to the examples described above, but that modifications and variations may be effected thereto by those of ordinary skill in the art in light of the foregoing description, and that all such modifications and variations are intended to be within the scope of the invention as defined by the appended claims.

Claims (7)

1. A detection method based on NX security protection is characterized in that the detection method based on NX security protection comprises the following steps:
acquiring an ELF file of a program, and checking ELF program header information of the ELF file by analyzing a first command of the ELF file;
and judging whether a preset identifier exists in the ELF program header information, if so, indicating that the NX safety protection is opened by the program.
2. The NX security protection-based detection method of claim 1, wherein the determining whether a preset identifier exists in the ELF symbol table information further comprises:
and if the preset identifier is judged not to exist in the ELF symbol table information, the program does not start NX safety protection.
3. The NX-security-protection-based detection method according to claim 2, further comprising:
and if the NX safety protection is not started by the program, prompting a user to start the NX safety protection.
4. The NX-security-protection-based detection method of claim 1, wherein the first command is readelf -l.
5. The NX-security-protection-based detection method according to claim 1 or 2, wherein the preset identifier is the GNU_STACK type.
6. A terminal, characterized in that the terminal comprises: memory, a processor and an NX security protection based detection program stored on the memory and executable on the processor, the NX security protection based detection program implementing the steps of the NX security protection based detection method as claimed in any one of claims 1 to 5 when executed by the processor.
7. A storage medium, characterized in that the storage medium stores an NX security protection based detection program, which when executed by a processor implements the steps of the NX security protection based detection method according to any one of claims 1 to 5.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011168445.2A CN112182515A (en) 2020-10-28 2020-10-28 NX security protection-based detection method, terminal and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011168445.2A CN112182515A (en) 2020-10-28 2020-10-28 NX security protection-based detection method, terminal and storage medium

Publications (1)

Publication Number Publication Date
CN112182515A true CN112182515A (en) 2021-01-05

Family

ID=73922298

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011168445.2A Pending CN112182515A (en) 2020-10-28 2020-10-28 NX security protection-based detection method, terminal and storage medium

Country Status (1)

Country Link
CN (1) CN112182515A (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109558734A (en) * 2018-11-28 2019-04-02 北京梆梆安全科技有限公司 A kind of detection method and device, the mobile device of storehouse safety
CN109670309A (en) * 2018-12-21 2019-04-23 北京天融信网络安全技术有限公司 A kind of method and device detecting file

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
佚名 (Anonymous): "看看checksec" ("A look at checksec"), https://blog.csdn.net/weixin_34112900/article/details/94313015, page 1 *

Similar Documents

Publication Publication Date Title
US11113384B2 (en) Stack overflow protection by monitoring addresses of a stack of multi-bit protection codes
CN108351770B (en) Method and implementation environment for securely implementing program commands
CA2930424C (en) Improved control flow integrity system and method
CN107526625B (en) Java intelligent contract security detection method based on bytecode inspection
US11507669B1 (en) Characterizing, detecting and healing vulnerabilities in computer code
US7051343B2 (en) Module-by-module verification
US8141035B2 (en) Method for accessing internal states of objects in object oriented programming
Cook et al. Model checking boot code from AWS data centers
JP2001075827A (en) Complete request drive type link accompanying verify processing for every module
CN109271789B (en) Malicious process detection method and device, electronic equipment and storage medium
JP2001043100A (en) Cashing untrusted module for module-by-module verification
KR101875225B1 (en) Process, computer program, and device for security of intermediate code of programming for the execution thereof by a virtual machine
US20240095344A1 (en) Computer implemented method
CN110321674B (en) Anti-debugging method based on script program, intelligent terminal and storage medium
US8843908B2 (en) Compiler validation via program verification
Olesen et al. Coccinelle: tool support for automated cert c secure coding standard certification
CN112182515A (en) NX security protection-based detection method, terminal and storage medium
Kästner et al. Safety-critical software development in c++
EP3336626B1 (en) Memory analysis for industrial controllers
US11055202B1 (en) Compilation scheme for tagged global variables
US20230418950A1 (en) Methods, Devices, and Systems for Control Flow Integrity
CN112182516A (en) Detection method based on RELRO security protection, terminal and storage medium
CN112181751A (en) Detection method based on PIE security protection, terminal and storage medium
Olesen et al. Clang and Coccinelle: Synergising program analysis tools for CERT C Secure Coding Standard certification

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination