CN112199669A - Method and device for detecting ROP attack - Google Patents

Method and device for detecting ROP attack Download PDF

Info

Publication number
CN112199669A
CN112199669A CN202011022208.5A CN202011022208A CN112199669A CN 112199669 A CN112199669 A CN 112199669A CN 202011022208 A CN202011022208 A CN 202011022208A CN 112199669 A CN112199669 A CN 112199669A
Authority
CN
China
Prior art keywords
target
indirect jump
tracking data
baseline
physical memory
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202011022208.5A
Other languages
Chinese (zh)
Other versions
CN112199669B (en
Inventor
陈曦
范渊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Dbappsecurity Technology Co Ltd
Original Assignee
Hangzhou Dbappsecurity Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou Dbappsecurity Technology Co Ltd filed Critical Hangzhou Dbappsecurity Technology Co Ltd
Priority to CN202011022208.5A priority Critical patent/CN112199669B/en
Publication of CN112199669A publication Critical patent/CN112199669A/en
Application granted granted Critical
Publication of CN112199669B publication Critical patent/CN112199669B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/554Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/30Monitoring
    • G06F11/3003Monitoring arrangements specially adapted to the computing system or computing system component being monitored
    • G06F11/302Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a software system
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/30Monitoring
    • G06F11/3051Monitoring arrangements for monitoring the configuration of the computing system or of the computing system component, e.g. monitoring the presence of processing resources, peripherals, I/O links, software programs
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46Multiprogramming arrangements
    • G06F9/50Allocation of resources, e.g. of the central processing unit [CPU]
    • G06F9/5005Allocation of resources, e.g. of the central processing unit [CPU] to service a request
    • G06F9/5011Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resources being hardware resources other than CPUs, Servers and Terminals
    • G06F9/5016Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resources being hardware resources other than CPUs, Servers and Terminals the resource being the memory

Abstract

The application discloses a method, a device, computer equipment and a computer readable storage medium for detecting ROP attack, wherein the method acquires information of a target process, and then tracks the target process by utilizing an IPT mechanism to acquire indirect jump data; establishing a baseline by using the obtained indirect jump data; after a base line is established, a new indirect jump sequence table is established through newly obtained indirect jump tracking data; and then, detecting whether the target process is a process generated by ROP attack or not by comparing the relationship between the indirect jump sequence and the base line. According to the method and the device, the problem of large system loss in the process of detecting the ROP attack in the related technology can be solved without modifying the original binary file and only depending on the functions provided by the chip and the CPU, and the system can be kept at high performance in the process of detecting the ROP attack.

Description

Method and device for detecting ROP attack
Technical Field
The present application relates to the field of information security, and in particular, to a method, an apparatus, a computer device, and a computer-readable storage medium for detecting an ROP attack.
Background
DEP (Data Execution protection) is a security mechanism implemented by a Central Processing Unit (CPU), but since the concept of ROP (Return Oriented Programming), an attack based on ROP can easily bypass DEP, and DEP cannot meet the security requirement of people.
In the prior art, the purpose of detecting or defending ROP attack is usually achieved by the following means, firstly, plug-in modification GCC (GNU Compiler Collection) achieves the purpose of making ROP difficult to construct, but the means is not mature and is easy to cause performance problems; secondly, indirect jump of function tails is eliminated in the compiling period by modifying the binary file, so that the purpose of making ROP difficult to construct is achieved, but the mode belongs to intrusive modification, and the function of software is easy to fail after the binary file is modified. Therefore, the above-mentioned methods for detecting or defending against ROP attacks have a problem of large loss to the system during operation.
At present, no effective solution is provided for the problem of large loss of the system in the process of detecting ROP attack in the related technology.
Disclosure of Invention
The embodiment of the application provides a method, a device, computer equipment and a computer readable storage medium for detecting ROP attack, so as to at least solve the problem of large loss to a system in the process of detecting ROP attack in the related art.
In a first aspect, an embodiment of the present application provides a method for detecting an ROP attack, where the method includes:
acquiring information of a target process;
tracking the target process by using an IPT (Intel Processor Tracing) mechanism and acquiring indirect jump tracking data;
according to the information of the target process, pre-allocating a physical memory for the indirect jump tracking data;
when the indirect jump tracking data fully writes the pre-allocated physical memory, triggering performance monitoring interruption, and recording the times of triggering the performance monitoring interruption;
when the number of times of triggering the performance monitoring interruption reaches a preset triggering number, establishing a baseline according to the indirect jump tracking data before the preset triggering number is reached;
after the baseline is constructed, when the performance monitoring interruption is triggered again, constructing an indirect jump sequence table according to the newly generated indirect jump tracking data;
and when the target process enters a system call, comparing the indirect jump sequence table with the baseline, and detecting whether the target process is a process generated by ROP attack or not according to a comparison result.
In some embodiments, the pre-allocating a physical memory for the indirect jump tracking data according to the information of the target process includes:
acquiring a kernel process description structure of the target process according to the information of the target process;
and pre-allocating a physical memory for the indirect jump tracking data according to the kernel process description structure.
In some embodiments, the pre-allocating a physical memory for the indirect jump tracking data according to the kernel process description structure includes:
acquiring a page directory address of the target process according to the kernel process description structure;
and pre-allocating a physical memory for the indirect jump tracking data according to the page directory address.
In some embodiments, the comparing the indirect jump sequence table with the baseline when the target process enters a system call, and detecting whether the target process is a process generated by an ROP attack according to a comparison result includes:
if the indirect jump sequence list is the substring of the baseline, judging that the target process is not a process generated by ROP attack;
and if the indirect jump sequence list is not the substring of the baseline, judging that the target process is a process generated by ROP attack.
In a second aspect, an embodiment of the present application provides an apparatus for detecting an ROP attack, where the apparatus includes an obtaining module, a tracking module, a physical memory allocation module, a performance monitoring interrupt module, a first building module, a second building module, and a comparison module;
the acquisition module is used for acquiring the information of the target process;
the tracking module is used for tracking the target process by utilizing an IPT mechanism and acquiring indirect jump tracking data;
the physical memory allocation module is used for allocating physical memory for the indirect jump tracking data in advance according to the information of the target process;
the performance monitoring interrupt module is used for triggering performance monitoring interrupt when the indirect jump tracking data fully writes the pre-allocated physical memory, and recording the times of triggering the performance monitoring interrupt;
the first construction module is used for constructing a baseline according to the indirect jump tracking data before the performance monitoring interruption is triggered after the number of times of triggering the performance monitoring interruption reaches a preset triggering number;
the second construction module is used for constructing an indirect jump sequence table according to the newly generated indirect jump tracking data when the performance monitoring interruption is triggered again after the baseline is constructed;
and the comparison module is used for detecting whether the target process is a process generated by ROP attack or not according to a comparison result when the target process enters a system call.
In some embodiments, the physical memory allocation module includes an acquisition unit and an allocation unit;
the acquiring unit is used for acquiring a kernel process description structure of the target process according to the information of the target process;
and the allocation unit is used for allocating a physical memory in advance for the indirect jump tracking data according to the kernel process description structure.
In some of these embodiments, the acquisition unit includes an acquisition subunit and an allocation subunit;
the acquiring subunit is configured to acquire a page directory address of the target process according to the kernel process description structure;
and the allocation subunit is used for allocating a physical memory in advance for the indirect jump tracking data according to the page directory address.
In some of these embodiments, the contrast module comprises a first contrast unit and a second contrast unit;
the first comparison unit is used for judging that the target process is not a process generated by ROP attack if the indirect jump sequence table is a substring of the baseline;
and the second comparison unit is used for judging that the target process is a process generated by ROP attack if the indirect jump sequence table is not a substring of the baseline.
In a third aspect, an embodiment of the present application provides a computer device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor, when executing the computer program, implements a method for detecting an ROP attack as described in the first aspect.
In a fourth aspect, the present application provides a computer-readable storage medium, on which a computer program is stored, which when executed by a processor implements a method for detecting an ROP attack as described in the first aspect above.
Compared with the related art, the method, the device, the computer equipment and the computer readable storage medium for detecting the ROP attack provided by the embodiment of the application acquire the information of the target process, further track the target process by utilizing an IPT mechanism and acquire indirect jump data; establishing a baseline by using the obtained indirect jump data; after a base line is established, a new indirect jump sequence table is established through newly obtained indirect jump tracking data; and then, detecting whether the target process is a process generated by ROP attack or not by comparing the relationship between the indirect jump sequence and the base line. According to the method and the device, the problem of large system loss in the process of detecting the ROP attack in the related technology can be solved without modifying the original binary file and only depending on the functions provided by the chip and the CPU, and the system can be kept at high performance in the process of detecting the ROP attack.
The details of one or more embodiments of the application are set forth in the accompanying drawings and the description below to provide a more thorough understanding of the application.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a flow chart of a method of detecting an ROP attack according to an embodiment of the present application;
fig. 2 is a block diagram of an apparatus for detecting an ROP attack according to an embodiment of the present application;
fig. 3 is a schematic structural diagram of a computer device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be described and illustrated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments provided in the present application without any inventive step are within the scope of protection of the present application.
It is obvious that the drawings in the following description are only examples or embodiments of the present application, and that it is also possible for a person skilled in the art to apply the present application to other similar contexts on the basis of these drawings without inventive effort. Moreover, it should be appreciated that in the development of any such actual implementation, as in any engineering or design project, numerous implementation-specific decisions must be made to achieve the developers' specific goals, such as compliance with system-related and business-related constraints, which may vary from one implementation to another.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the specification. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of ordinary skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments without conflict.
Unless defined otherwise, technical or scientific terms referred to herein shall have the ordinary meaning as understood by those of ordinary skill in the art to which this application belongs. Reference to "a," "an," "the," and similar words throughout this application are not to be construed as limiting in number, and may refer to the singular or the plural. The present application is directed to the use of the terms "including," "comprising," "having," and any variations thereof, which are intended to cover non-exclusive inclusions; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to the listed steps or elements, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. Reference to "connected," "coupled," and the like in this application is not intended to be limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. The term "plurality" as referred to herein means two or more. "and/or" describes an association relationship of associated objects, meaning that three relationships may exist, for example, "A and/or B" may mean: a exists alone, A and B exist simultaneously, and B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. Reference herein to the terms "first," "second," "third," and the like, are merely to distinguish similar objects and do not denote a particular ordering for the objects.
The invention can be used on any chip providing an IPT mechanism and is used for detecting ROP attack.
The IPT mentioned in the present application is an execution tracking mechanism implemented in an Intel processor, and is implemented completely by a hardware mechanism, and can track and record software codes executed in each hardware thread, and reconstruct an execution flow of software according to the recorded data.
The ROP mentioned in the application is a commonly used method for buffer overflow attack, and is characterized in that a plurality of code segments are connected together through jump by using elaborately arranged call stack data and a large number of data storage and return instructions at the tail of functions existing in attacked software, and finally the attack is realized in a system with or capable of executing memory protection.
Among them, DEP (Data Execution protection) is a mechanism depending on the CPU implementation. The page identification of the data is set to be non-executable, when a program has a bug and is attacked by remote code execution, the program can try to execute instructions on an attack load, the attack load is sent remotely, most of the attack load exists in the data page, and the CPU throws an exception instead of executing a malicious instruction.
The present embodiment provides a method for detecting an ROP attack, which may be used to detect an ROP attack, and fig. 1 is a flowchart of a method for detecting an ROP attack according to an embodiment of the present application, and as shown in fig. 1, the method includes:
step S101, information of the target process is obtained.
The above target process refers to a process that checks or defends against an attack using a Control Flow Integrity (CFI) which is a security mechanism, wherein the Control Flow is a sequence composed of a code fragment and a transfer (jump) specification.
Since the method needs to track the target process next to obtain the indirect jump tracking data, before obtaining the information of the target process, it is also necessary to check whether the CPU chip supports Processor tracking (Processor tracking). As an implementable way, it can be checked whether the CPU chip supports processor tracing by:
the EAX register value will be set to 0x7 and the cpu id instruction will be executed.
It is checked whether the EBX register bit25 is set, and if set, it indicates that the CPU chip supports Processor Tracing (Processor Tracing).
After determining that the CPU chip supports Processor Tracing (Processor Tracing), checking whether the Processor Tracing (Processor Tracing) supports the Tracing characteristics necessary for the method requires setting and confirming the following:
setting the EAX register value to 0x14, the cpu id instruction is executed.
The EBX register bit0 is asserted to be 1, and if 1, this indicates support for CR3 page directory register tracking.
The EBX register bit2 is confirmed to be 1, and if it is 1, it indicates that IP register filtering is supported.
The ECX register bit0 is confirmed to be 1, and if it is 1, it indicates that a Physical address output buffer (Table of Physical Addresses) is supported.
And step S102, tracking the target process by utilizing an IPT mechanism and acquiring indirect jump tracking data. The indirect jump tracking data includes data of whether to branch (token Not-token, TNT for short) and Target instruction address data (Target IP, TIP for short).
And step S103, pre-allocating a physical memory for the indirect jump tracking data according to the information of the target process. After allocating physical memory for the indirect jump trace data, the physical memory may also be mapped to virtual memory.
And step S104, when the indirect jump tracking data fully writes the pre-allocated physical memory, triggering performance monitoring interruption, and recording the times of triggering the performance monitoring interruption.
In the Intel platform, when the Counter overflows, the Performance Monitor Interrupt (PMI) is generated. The physical memory allocated for constructing the indirect jump tracking data of the baseline is larger than the physical memory for constructing the indirect jump sequence list.
And step S105, when the number of times of triggering the performance monitoring interruption reaches a preset triggering number, establishing a baseline according to the indirect jump tracking data before the preset triggering number is reached.
The above baseline is also an indirect jump tracking sequence table in nature, and the acquired indirect jump tracking data needs to be decoded before the baseline is constructed using the indirect jump tracking data. The preset triggering times are determined according to the performance of the system and the safety requirements of users.
And step S106, after the baseline is constructed, when the performance monitoring interruption is triggered again, constructing an indirect jump sequence table according to the newly generated indirect jump tracking data.
Before the indirect jump tracking data is used for constructing the indirect jump sequence table, the acquired indirect jump tracking data needs to be decoded.
And S107, when the target process enters a system call, comparing the indirect jump sequence table with the baseline, and detecting whether the target process is a process generated by ROP attack or not according to a comparison result.
As one implementable manner, when the target process enters a system call, the target process is trapped in an interrupt handler in the virtual machine monitor by triggering a debug interrupt. And the interrupt processing program compares the indirect jump sequence table with the baseline and detects whether the target process is a process generated by ROP attack according to a comparison result.
As an application scenario, when a target process needs to enter Kernel Space from User Space, debugging interruption is triggered, and the target process is trapped in an interrupt handler in a virtual machine monitor.
Because the jump address sequence table generated by the ROP attack is greatly different from the jump address sequence table generated by normal program operation, the method and the device judge whether the target process is the process generated by the ROP attack by comparing the baseline generated by the normal program operation with the indirect jump address sequence table generated subsequently.
In the steps from S101 to S107, the target process is tracked by utilizing an IPT mechanism provided by the chip to obtain indirect jump data; establishing a baseline by adopting indirect jump data generated by normal program operation; after a base line is established, a new indirect jump sequence table is established through newly obtained indirect jump tracking data; and then, detecting whether the target process is a process generated by ROP attack or not by comparing the relationship between the indirect jump sequence and the base line. The method can solve the problem of large system loss in the process of detecting the ROP attack in the related technology without modifying the original binary file and only depending on the functions provided by the chip and the CPU, and realizes that the system keeps high performance in the process of detecting the ROP attack.
In an alternative embodiment, the step S103 may be further implemented by:
step S201, according to the information of the target process, obtaining the kernel process description structure of the target process. The process description structure refers to a process data structure used by a process scheduler of a kernel, the kernel process description structure of a Windows operating system is different from that of a Linux operating system, the Windows operating system uses ZwCreateSection + ZwMapViewOfSection, and the Linux operating system uses mmap.
Step S202, according to the kernel process description structure, a physical memory is pre-allocated to the indirect jump tracking data. The physical memory allocated for constructing the indirect jump tracking data of the baseline is larger than the physical memory for constructing the indirect jump sequence list.
Further, in an optional embodiment, the step S202 may be implemented by:
step S301, obtaining the page directory address of the target process according to the kernel process description structure. The page directory address is the target process runtime CR3 register value.
Step S302, according to the page directory address, a physical memory is pre-allocated to the indirect jump tracking data.
In an alternative embodiment, the step S107 can be implemented by the following steps:
step S401, if the indirect jump sequence list is the substring of the baseline, it is determined that the target process is not the process generated by ROP attack.
And S402, if the indirect jump sequence table is not the substring of the baseline, judging that the target process is a process generated by ROP attack.
The baseline is also essentially an indirect jump sequence table. In general, the difference between an indirect jump sequence table generated by an ROP attack process and an indirect jump sequence table generated by a common process is large, so that the application judges whether the target process is the process generated by the ROP attack by comparing whether the indirect jump sequence table is a substring of a baseline. According to the method and the device, the problem of large system loss in the process of detecting the ROP attack in the related technology can be solved without modifying the original binary file and only depending on the functions provided by the chip and the CPU, and the system can keep high performance in the process of detecting the ROP attack.
In this embodiment, a device for detecting an ROP attack is provided, and the device is used to implement the foregoing embodiments and preferred embodiments, which have already been described and are not described again. As used hereinafter, the terms "module," "unit," "subunit," and the like may implement a combination of software and/or hardware for a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or a combination of software and hardware is also possible and contemplated.
Fig. 2 is a structural diagram of an apparatus for detecting an ROP attack according to an embodiment of the present disclosure, and as shown in fig. 2, the apparatus includes an obtaining module 21, a tracking module 22, a physical memory allocation module 23, a performance monitoring interrupt module 24, a first constructing module 25, a second constructing module 26, and a comparison module 27.
The obtaining module 21 is configured to obtain information of a target process.
The tracking module 22 is configured to track the target process by using an IPT mechanism, and obtain indirect jump tracking data.
And the physical memory allocation module 23 is configured to pre-allocate a physical memory for the indirect jump tracking data according to the information of the target process.
The performance monitoring interrupt module 24 is configured to trigger a performance monitoring interrupt when the indirect jump trace data fully writes the pre-allocated physical memory, and record the number of times the performance monitoring interrupt is triggered.
The first constructing module 25 is configured to, after the number of times of triggering the performance monitoring interrupt reaches a preset number of times of triggering, construct a baseline according to the indirect jump tracking data before the preset number of times of triggering.
The second constructing module 26 is configured to construct an indirect jump sequence table according to the newly generated indirect jump tracking data when the performance monitoring interruption is triggered again after the baseline is constructed.
The comparing module 27 is configured to, when the target process enters a system call, compare the indirect adjustment sequence table with the baseline, and detect whether the target process is a process generated by an ROP attack according to a comparison result.
Further, in an optional embodiment, the physical memory allocation module 23 includes an obtaining unit and an allocating unit.
The obtaining unit is configured to obtain a kernel process description structure of the target process according to the information of the target process.
And the allocation unit is used for allocating a physical memory in advance for the indirect jump tracking data according to the kernel process description structure.
Further, in an optional embodiment, the obtaining unit includes a obtaining subunit and an allocating subunit;
the acquiring subunit is configured to acquire a page directory address of the target process according to the kernel process description structure;
and the allocation subunit is used for allocating a physical memory in advance for the indirect jump tracking data according to the page directory address.
Further, in an optional embodiment, the comparison module 27 includes a first comparison unit and a second comparison unit;
the first comparison unit is used for judging that the target process is not a process generated by ROP attack if the indirect adjustment sequence table is a substring of the baseline;
and the second comparison unit is used for judging that the target process is a process generated by ROP attack if the indirect adjustment sequence table is not a substring of the baseline.
In an embodiment, a computer device is provided, and fig. 3 is a schematic structural diagram of a computer device according to a method for detecting an ROP attack in an embodiment of the present invention, where the computer device may be a server, and an internal structural diagram of the computer device may be as shown in fig. 3. The computer device includes a processor, a memory, a network interface, and a database connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The database of the computer device is used for storing blockchain transaction query data. The network interface of the computer device is used for communicating with an external terminal through a network connection. When the processor executes the computer program, a method for detecting ROP attack is realized, and the method comprises the following steps:
and S1, acquiring the information of the target process.
And S2, tracking the target process by using an IPT mechanism and acquiring indirect jump tracking data.
And S3, pre-allocating physical memory for the indirect jump tracking data according to the information of the target process.
S4, when the indirect jump trace data fully writes the pre-allocated physical memory, triggering a performance monitoring interrupt, and recording the times of triggering the performance monitoring interrupt.
And S5, when the number of times of triggering the performance monitoring interruption reaches a preset triggering number, establishing a baseline according to the indirect jump tracking data before the preset triggering number is reached.
S6, after the baseline is constructed, when the performance monitoring interruption is triggered again, constructing an indirect jump sequence list according to the newly generated indirect jump tracking data.
S7, when the target process enters the system call, comparing the indirect jump sequence table with the base line, and detecting whether the target process is the process generated by the ROP attack according to the comparison result.
As an implementation manner, in step S3, pre-allocating physical memory for the indirect jump tracking data according to the information of the target process, includes:
acquiring a kernel process description structure of the target process according to the information of the target process;
and pre-allocating a physical memory for the indirect jump tracking data according to the kernel process description structure.
Further, a page directory address of the target process can be acquired according to the kernel process description structure; and then, according to the page directory address, pre-allocating a physical memory for the indirect jump tracking data.
As an implementation manner, the step S7, when the target process enters a system call, comparing the indirect jump sequence table with the baseline, and detecting whether the target process is a process generated by an ROP attack according to a comparison result, includes:
if the indirect jump sequence list is the substring of the baseline, judging that the target process is not a process generated by ROP attack;
and if the indirect jump sequence list is not the substring of the baseline, judging that the target process is a process generated by ROP attack.
Those skilled in the art will appreciate that the architecture shown in fig. 3 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as particular computing devices may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, a computer-readable storage medium is provided, having stored thereon a computer program which, when executed by a processor, implements a method of detecting an ROP attack, comprising the steps of:
and S1, acquiring the information of the target process.
And S2, tracking the target process by using an IPT mechanism and acquiring indirect jump tracking data.
And S3, pre-allocating physical memory for the indirect jump tracking data according to the information of the target process.
S4, when the indirect jump trace data fully writes the pre-allocated physical memory, triggering a performance monitoring interrupt, and recording the times of triggering the performance monitoring interrupt.
And S5, when the number of times of triggering the performance monitoring interruption reaches a preset triggering number, establishing a baseline according to the indirect jump tracking data before the preset triggering number is reached.
S6, after the baseline is constructed, when the performance monitoring interruption is triggered again, constructing an indirect jump sequence list according to the newly generated indirect jump tracking data.
S7, when the target process enters the system call, comparing the indirect jump sequence table with the base line, and detecting whether the target process is the process generated by the ROP attack according to the comparison result.
As an implementation manner, in step S3, pre-allocating physical memory for the indirect jump tracking data according to the information of the target process, includes:
and acquiring a kernel process description structure of the target process according to the information of the target process.
And pre-allocating a physical memory for the indirect jump tracking data according to the kernel process description structure.
Further, a page directory address of the target process can be acquired according to the kernel process description structure; and then, according to the page directory address, pre-allocating a physical memory for the indirect jump tracking data.
As an implementation manner, the step S7, when the target process enters a system call, comparing the indirect jump sequence table with the baseline, and detecting whether the target process is a process generated by an ROP attack according to a comparison result, includes:
and if the indirect jump sequence list is the substring of the baseline, judging that the target process is not the process generated by the ROP attack.
And if the indirect jump sequence list is not the substring of the baseline, judging that the target process is a process generated by ROP attack.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by hardware instructions of a computer program, which can be stored in a non-volatile computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, storage, database, or other medium used in the embodiments provided herein may include non-volatile and/or volatile memory, among others. Non-volatile memory can include read-only memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDRSDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), Rambus Direct RAM (RDRAM), direct bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM).
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. A method of detecting an ROP attack, comprising:
acquiring information of a target process;
tracking the target process by using an IPT mechanism and acquiring indirect jump tracking data;
according to the information of the target process, pre-allocating a physical memory for the indirect jump tracking data;
when the indirect jump tracking data fully writes the pre-allocated physical memory, triggering performance monitoring interruption, and recording the times of triggering the performance monitoring interruption;
when the number of times of triggering the performance monitoring interruption reaches a preset triggering number, establishing a baseline according to the indirect jump tracking data before the preset triggering number is reached;
after the baseline is constructed, when the performance monitoring interruption is triggered again, constructing an indirect jump sequence table according to the newly generated indirect jump tracking data;
and when the target process enters a system call, comparing the indirect jump sequence table with the baseline, and detecting whether the target process is a process generated by ROP attack or not according to a comparison result.
2. The method as claimed in claim 1, wherein said pre-allocating physical memory for said indirect jump trace data according to information of said target process comprises:
acquiring a kernel process description structure of the target process according to the information of the target process;
and pre-allocating a physical memory for the indirect jump tracking data according to the kernel process description structure.
3. The method according to claim 2, wherein said pre-allocating physical memory for the indirect jump tracking data according to the kernel process description structure comprises:
acquiring a page directory address of the target process according to the kernel process description structure;
and pre-allocating a physical memory for the indirect jump tracking data according to the page directory address.
4. The method as claimed in any one of claims 1 to 3, wherein the comparing the indirect jump sequence table with the baseline when the target process enters the system call, and detecting whether the target process is a process generated by the ROP attack according to the comparison result comprises:
if the indirect jump sequence list is the substring of the baseline, judging that the target process is not a process generated by ROP attack;
and if the indirect jump sequence list is not the substring of the baseline, judging that the target process is a process generated by ROP attack.
5. A device for detecting ROP attack is characterized by comprising an acquisition module, a tracking module, a physical memory allocation module, a performance monitoring interruption module, a first construction module, a second construction module and a comparison module;
the acquisition module is used for acquiring the information of the target process;
the tracking module is used for tracking the target process by utilizing an IPT mechanism and acquiring indirect jump tracking data;
the physical memory allocation module is used for allocating physical memory for the indirect jump tracking data in advance according to the information of the target process;
the performance monitoring interrupt module is used for triggering performance monitoring interrupt when the indirect jump tracking data fully writes the pre-allocated physical memory, and recording the times of triggering the performance monitoring interrupt;
the first construction module is used for constructing a baseline according to the indirect jump tracking data before the performance monitoring interruption is triggered after the number of times of triggering the performance monitoring interruption reaches a preset triggering number;
the second construction module is used for constructing an indirect jump sequence table according to the newly generated indirect jump tracking data when the performance monitoring interruption is triggered again after the baseline is constructed;
and the comparison module is used for comparing the indirect jump sequence table with the baseline when the target process enters a system call, and detecting whether the target process is a process generated by ROP attack or not according to a comparison result.
6. The apparatus of claim 5, wherein the physical memory allocation module comprises an acquisition unit and an allocation unit;
the acquiring unit is used for acquiring a kernel process description structure of the target process according to the information of the target process;
and the allocation unit is used for allocating a physical memory in advance for the indirect jump tracking data according to the kernel process description structure.
7. The apparatus of claim 6, wherein the obtaining unit comprises an obtaining subunit and an assigning subunit;
the acquiring subunit is configured to acquire a page directory address of the target process according to the kernel process description structure;
and the allocation subunit is used for allocating a physical memory in advance for the indirect jump tracking data according to the page directory address.
8. The apparatus of any one of claims 5 to 7, wherein the comparison module comprises a first comparison unit and a second comparison unit;
the first comparison unit is used for judging that the target process is not a process generated by ROP attack if the indirect jump sequence table is a substring of the baseline;
and the second comparison unit is used for judging that the target process is a process generated by ROP attack if the indirect jump sequence table is not a substring of the baseline.
9. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements a method of detecting an ROP attack as claimed in any one of claims 1 to 4 when executing the computer program.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out a method of detecting an ROP attack as claimed in any one of the claims 1 to 4.
CN202011022208.5A 2020-09-25 2020-09-25 Method and device for detecting ROP attack Active CN112199669B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011022208.5A CN112199669B (en) 2020-09-25 2020-09-25 Method and device for detecting ROP attack

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011022208.5A CN112199669B (en) 2020-09-25 2020-09-25 Method and device for detecting ROP attack

Publications (2)

Publication Number Publication Date
CN112199669A true CN112199669A (en) 2021-01-08
CN112199669B CN112199669B (en) 2022-05-17

Family

ID=74007316

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011022208.5A Active CN112199669B (en) 2020-09-25 2020-09-25 Method and device for detecting ROP attack

Country Status (1)

Country Link
CN (1) CN112199669B (en)

Citations (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1241272A (en) * 1996-09-26 2000-01-12 全斯美达有限公司 Method and apparatus for aliasing memory data in advanced microprocessor
CN1242087A (en) * 1996-12-23 2000-01-19 全斯美达有限公司 A gated store buffer for an advanced microprocessor
CN1516838A (en) * 2001-05-10 2004-07-28 �����ɷ� Mobile communication device having prioritized interrupt controller
CN102663312A (en) * 2012-03-20 2012-09-12 中国科学院信息工程研究所 ROP attack detection method and system based on virtual machine
CN102662830A (en) * 2012-03-20 2012-09-12 湖南大学 Code reuse attack detection system based on dynamic binary translation framework
CN105488397A (en) * 2015-12-02 2016-04-13 国网智能电网研究院 Situation-based ROP attack detection system and method
US20160283714A1 (en) * 2015-03-27 2016-09-29 Michael LeMay Technologies for control flow exploit mitigation using processor trace
WO2016200045A1 (en) * 2015-06-12 2016-12-15 서울대학교 산학협력단 Hardware-based kernel code insertion attack detecting device and method therefor
CN107330323A (en) * 2017-07-10 2017-11-07 电子科技大学 A kind of dynamic testing method of ROP and its mutation attacks based on Pin instruments
US20180096147A1 (en) * 2016-09-30 2018-04-05 Intel Corporation System, apparatus and method for performing on-demand binary analysis for detecting code reuse attacks
US20180211046A1 (en) * 2017-01-26 2018-07-26 Intel Corporation Analysis and control of code flow and data flow
US20190042730A1 (en) * 2018-03-28 2019-02-07 Intel Corporation Systems, Methods, And Apparatus For Detecting Control Flow Attacks
CN109508536A (en) * 2017-09-15 2019-03-22 华为技术有限公司 A kind of detection method and device alterring program stream attack
US10284592B1 (en) * 2015-12-17 2019-05-07 Architecture Technology Corporation Application randomization mechanism
CN109992455A (en) * 2017-12-29 2019-07-09 英特尔公司 For suspending processor tracking to carry out the device and method of efficient analysis
CN110059477A (en) * 2019-03-14 2019-07-26 成都亚信网络安全产业技术研究院有限公司 A kind of attack detection method and device
CN110188540A (en) * 2019-04-17 2019-08-30 中国科学院软件研究所 A kind of ROP attack detection method based on state of a control tracking
CN110268411A (en) * 2017-02-06 2019-09-20 华为技术有限公司 Control stream integrality in computer system based on processor tracking implementing

Patent Citations (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1241272A (en) * 1996-09-26 2000-01-12 全斯美达有限公司 Method and apparatus for aliasing memory data in advanced microprocessor
CN1242087A (en) * 1996-12-23 2000-01-19 全斯美达有限公司 A gated store buffer for an advanced microprocessor
CN1516838A (en) * 2001-05-10 2004-07-28 �����ɷ� Mobile communication device having prioritized interrupt controller
CN102663312A (en) * 2012-03-20 2012-09-12 中国科学院信息工程研究所 ROP attack detection method and system based on virtual machine
CN102662830A (en) * 2012-03-20 2012-09-12 湖南大学 Code reuse attack detection system based on dynamic binary translation framework
US20160283714A1 (en) * 2015-03-27 2016-09-29 Michael LeMay Technologies for control flow exploit mitigation using processor trace
WO2016200045A1 (en) * 2015-06-12 2016-12-15 서울대학교 산학협력단 Hardware-based kernel code insertion attack detecting device and method therefor
CN105488397A (en) * 2015-12-02 2016-04-13 国网智能电网研究院 Situation-based ROP attack detection system and method
US10284592B1 (en) * 2015-12-17 2019-05-07 Architecture Technology Corporation Application randomization mechanism
US20180096147A1 (en) * 2016-09-30 2018-04-05 Intel Corporation System, apparatus and method for performing on-demand binary analysis for detecting code reuse attacks
US20180211046A1 (en) * 2017-01-26 2018-07-26 Intel Corporation Analysis and control of code flow and data flow
CN110268411A (en) * 2017-02-06 2019-09-20 华为技术有限公司 Control stream integrality in computer system based on processor tracking implementing
CN107330323A (en) * 2017-07-10 2017-11-07 电子科技大学 A kind of dynamic testing method of ROP and its mutation attacks based on Pin instruments
CN109508536A (en) * 2017-09-15 2019-03-22 华为技术有限公司 A kind of detection method and device alterring program stream attack
CN109992455A (en) * 2017-12-29 2019-07-09 英特尔公司 For suspending processor tracking to carry out the device and method of efficient analysis
US20190042730A1 (en) * 2018-03-28 2019-02-07 Intel Corporation Systems, Methods, And Apparatus For Detecting Control Flow Attacks
CN110059477A (en) * 2019-03-14 2019-07-26 成都亚信网络安全产业技术研究院有限公司 A kind of attack detection method and device
CN110188540A (en) * 2019-04-17 2019-08-30 中国科学院软件研究所 A kind of ROP attack detection method based on state of a control tracking

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
JINKU LI: "Fine-CFI: Fine-Grained Control-Flow Integrity for Operating System Kernels", 《IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY》 *
张军等: "基于硬件的代码复用攻击防御机制综述", 《高技术通讯》 *
李等: "一个基于硬件虚拟化的内核完整性监控方法", 《计算机科学》 *
王心然等: "基于IPT硬件的内核模块ROP透明保护机制", 《软件学报》 *

Also Published As

Publication number Publication date
CN112199669B (en) 2022-05-17

Similar Documents

Publication Publication Date Title
Niu et al. Per-input control-flow integrity
US8819352B2 (en) Hybrid Transactional Memory (HybridTM)
US7543186B2 (en) System and method for implementing software breakpoints
Chen et al. Safestack: Automatically patching stack-based buffer overflow vulnerabilities
CN107357666B (en) Multi-core parallel system processing method based on hardware protection
CN104217139A (en) Processing system
US9864629B2 (en) Real-time code and data protection via CPU transactional memory suppport
CN105095763B (en) Loophole defence method and device, electronic equipment
US7330979B1 (en) Method for protecting the processing of sensitive information in a monolithic security module, and associate security module
CN109086193B (en) Monitoring method, device and system
US10331513B2 (en) Zero overhead code coverage analysis
CN112199669B (en) Method and device for detecting ROP attack
EP1967950A2 (en) Multiprocessor system for continuing program execution upon detection of abnormality
WO2011089478A1 (en) Debugger system, method and computer program product for debugging instructions
CN103617396A (en) Detection method and system of vulnerability exploitation
CN106997313B (en) Signal processing method and system of application program and terminal equipment
US9898420B2 (en) Electronic device, operating system and access control method for protection of a register through an application programming interface
CN110941528B (en) Log buried point setting method, device and system based on fault
CN105653948B (en) Method and device for preventing malicious operation
CN108830078B (en) Malicious code discovery method for industrial control equipment
Sim et al. A Fast and Secure Pipelined Barrel Processor for Safety-Critical Applications for Real-Time Operating Systems
CN107239415B (en) Method and device for executing critical section operation
JP5737290B2 (en) Data processing apparatus and method, and processor unit thereof
RU2216770C2 (en) Input address protection methods
CN112199678A (en) Online evidence obtaining method and device, computer equipment and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant