CN112199681A - Code injection type attack protection method and device based on multi-coding mode CPU - Google Patents

Publication number
CN112199681A
Authority
CN
China
Prior art keywords
code
cpu
instruction
coding mode
coding
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202011141356.9A
Other languages
Chinese (zh)
Other versions
CN112199681B (en)
Inventor
董攀
黄辰林
谭郁松
卢凯
马俊
蹇松雷
王永文
黄春
倪晓强
范小康
丁滟
谭霜
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
National University of Defense Technology
Original Assignee
National University of Defense Technology

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/562 Static detection
    • G06F 21/563 Static detection by source code analysis


Abstract

The invention discloses a code injection attack protection method based on a multi-coding-mode CPU. The operating system loads a software executable that contains code subsections in several instruction coding modes. While the executable runs, the CPU core watches for a specified exception/interrupt; when it is detected, the decoder of the CPU core is switched to a randomly chosen coding mode, and the code subsection of the executable that corresponds to that instruction coding mode is decoded and executed in the switched mode. As a result, if code injected by an attacker is sent to the CPU core for execution, execution fails because the injected code does not match the decoder. By combining software and hardware, the invention achieves high-entropy randomization of the instruction encoding executed by the computer, so that an attacker cannot carry out an intended attack by injecting a pre-designed code sequence, which effectively protects against code injection attacks.

Description

Code injection type attack protection method and device based on multi-coding mode CPU
Technical Field
The invention relates to computer security technology, in particular to a code injection attack protection method and device based on a multi-coding-mode CPU.
Background
In a von Neumann architecture computer, the well-known stored-program principle means that instruction code and data are stored together in the same storage area, such as RAM (Random Access Memory), and the CPU (Central Processing Unit) fetches instructions from RAM and executes them. In this design, data and code cannot be distinguished directly from their binary form in memory, so code contained in user data is given the opportunity to be executed; this is the underlying reason for many vulnerabilities in current computer systems.
Code injection attacks are currently the most common and most destructive class of attack: an attacker injects malicious code into a user process by some means, alters the program's normal control flow through an overflow or similar technique, and causes the program to execute the malicious code to achieve some attack goal. The essence of injection is that user-supplied data is executed as code. Two key conditions are involved: first, the user can control the input; second, the user-supplied data is spliced into the code that the original program needs to execute.
Figure 1 shows an example of a simple code injection attack. The lower part of fig. 1 is a buffer allocated by a function, and the upper part is the function's stack. Because the stack grows towards lower addresses, the pointer to the local array buffer lies below the buffer. When data is copied into the buffer, the part of the data that extends past the buffer into higher addresses "floods" the other stack frame data that was there. The attacker places attack code (shellcode) at the bottom of the buffer and writes, at the stack position that holds the function's original return address, a new address pointing to the start of the injected shellcode. When the function returns, the injected shellcode is therefore executed by the CPU.
The code injection protection methods proposed so far fall into two broad categories. (1) Static solutions eliminate the harm of code injection attacks at the source-code level by using a secure programming language, static checking of the source code, compiler enhancements, special secure function libraries, and so on. (2) Run-time solutions use local or global sandboxes or virtual machines, instruction randomization (RISE) and address space randomization (ASLR); they can effectively block code injection attacks with a very low miss probability without rewriting or recompiling source code. In general, however, these solutions have various limitations: first, the performance loss is large; second, the protected objects are limited and the protection scope is small; third, the protection is incomplete (attacks are missed); fourth, the source code needs to be modified.
Disclosure of Invention
The technical problem to be solved by the invention is as follows: in view of the problems of the prior art, the invention provides a code injection attack protection method based on a multi-coding-mode CPU (Central Processing Unit). The method achieves high-entropy randomization of the instruction encoding executed by the computer by combining software and hardware, so that an attacker cannot carry out an intended attack by injecting a pre-designed code sequence, and code injection attacks are effectively prevented.
To solve the above technical problem, the invention adopts the following technical scheme:
A code injection attack protection method based on a multi-coding-mode CPU comprises the following steps:
1) the operating system loads a software executable containing code subsections in a plurality of instruction coding modes;
2) while the software executable runs, the CPU core watches for the specified exception/interrupt; when it is detected, execution proceeds to the next step;
3) the decoder of the CPU core is switched to a randomly chosen coding mode, and the code subsection of the software executable that corresponds to that instruction coding mode is decoded and executed in the switched mode, so that if code injected by an attacker is sent to the CPU core for execution, execution fails because the injected code does not match the decoder.
Optionally, loading the software executable containing code subsections in multiple instruction coding modes in step 1) includes: preparing, for the code subsections of the software executable in each instruction coding mode, code segment memory copies in the corresponding encoding, and providing mechanism support for run-time switching, so that when the CPU decoding rule is switched, the CPU's operating environment can be switched to the hardware execution environment corresponding to the respective code segment copy; the hardware execution environment comprises the general-purpose registers, the status and control registers, the stack register and the instruction register. At the same time, the operating system uses a single memory copy for the other segments of the kernel or of out-of-kernel processes, including the data segment and the stack segment, so that in most decoding rule switches the data contents of those segments can be used by the switched-to code subsection without modification.
Optionally, providing mechanism support for run-time switching includes a virtual memory overlay management mechanism: the page table entries of the code subsections of the software executable in the multiple instruction coding modes are overlaid on the same page directory entry, so that when the CPU switches the random coding mode the executable only needs to be suspended with its state saved; the value in the page directory entry is then changed to substitute the code subsection of a different instruction coding mode, and the contents of the translation lookaside buffer (TLB) are flushed so that the original virtual address mapping becomes invalid.
Optionally, step 1) is preceded by compiling and generating the software executable containing code subsections in multiple instruction coding modes. During compilation, several corresponding code subsections are generated for the code section of the software executable according to the specified instruction coding mode types; between the code subsections each instruction differs only by a one-to-one replacement of its instruction-set encoding, so that all code subsections have exactly the same address layout, and the register contents and virtual memory addresses accessed by corresponding instructions are exactly the same.
Optionally, the decoder of the CPU core includes a plurality of front-end decoding units with corresponding configuration registers, and each front-end decoding unit performs decoding in a preset random coding mode when the configuration in its configuration register is valid.
Optionally, a code cache, a key register and a conversion operation unit are arranged at the front end of the decoder of the CPU core. The key register holds key codes in one-to-one correspondence with the instruction coding modes, and the conversion operation unit applies a specified reversible operation to the instruction code fetched from the code cache and the key code fetched from the key register for the current instruction coding mode, obtaining the true input code of the decoder.
Optionally, the exception/interrupt specified in step 2) comes from a random trigger. The random trigger includes a random number generator and a timer; the random number produced by the generator is used as the timer's trigger delay from the current time. When the timer fires, it generates the specified exception/interrupt to notify the CPU core and, at the same time, starts the random number generator to produce the random delay for the next timer expiry. When the CPU core receives the specified exception/interrupt and begins switching the random coding mode, it determines the instruction coding mode to switch to by reading the random number generator.
Optionally, the multiple instruction coding modes include a native coding mode, which is the coding mode used for instruction decoding when the CPU is reset and started; step 1) is preceded by operating system initialization:
s1) after power-on, all CPU cores are automatically in the native instruction decoding rule state;
s2) the firmware performs basic initialization, loads the system image from memory or disk, and transfers control to the kernel for execution;
s3) all CPU cores perform master/slave arbitration, a master CPU core and slave CPU cores are determined, and the slave CPU cores go to sleep;
s4) the master CPU core executes the initialization code from the native-coding-mode code subsection of the operating system kernel and initializes the system with essentially the same steps as a conventional operating system, including: initializing the exception handling vector, enabling the cache, establishing the basic page table, enabling virtual address mapping, initializing bus/UI (user interface) devices/storage devices, and waking all slave cores; once woken, each slave core executes the local core initialization code of the native coding mode subsection; the kernel then enters its normal operating state.
In addition, the invention also provides a code injection attack protection device based on a multi-coding-mode CPU, comprising a microprocessor and a memory connected to each other, where the microprocessor is programmed or configured to execute the steps of the above code injection attack protection method, or the memory stores a computer program programmed or configured to execute that method.
In addition, the invention also provides a computer-readable storage medium storing a computer program programmed or configured to execute the code injection attack protection method based on a multi-coding-mode CPU.
Compared with the prior art, the invention has the following advantages. The operating system loads a software executable containing code subsections in a plurality of instruction coding modes; while the executable runs, the CPU core watches for the specified exception/interrupt, and when it is detected the decoder of the CPU core is switched to a randomly chosen coding mode and the code subsection corresponding to that instruction coding mode is decoded and executed in the switched mode, so that if code injected by an attacker is sent to the CPU core for execution, execution fails because the injected code does not match the decoder. By combining software and hardware, the invention achieves high-entropy randomization of the instruction encoding executed by the computer, so that an attacker cannot carry out an intended attack by injecting a pre-designed code sequence, which effectively protects against code injection attacks. The invention can protect against any code injection attack that directly injects a CPU instruction sequence; it is suitable not only for protecting user programs but also for protecting the operating system and kernel programs, and it does not require obtaining or modifying the program source code.
Drawings
Fig. 1 is an example of a code injection type attack in the related art.
FIG. 2 is a schematic diagram of a basic flow of a method according to an embodiment of the present invention.
FIG. 3 is a schematic diagram of the extensions and improvements to an existing computer system in an embodiment of the present invention.
Fig. 4 is a decoder-related structure of a conventional CPU for comparison in an embodiment of the present invention.
Fig. 5 is a modified version of a decoder according to an embodiment of the present invention.
Fig. 6 shows another modified decoder according to an embodiment of the present invention.
Fig. 7 is a schematic structural diagram of a random trigger according to an embodiment of the present invention.
Fig. 8 is a schematic block diagram of an operating system according to an embodiment of the present invention.
FIG. 9 is an example of a software executable including code subsections for two instruction encoding modes according to an embodiment of the present invention.
Fig. 10 is a diagram illustrating an embodiment of virtual memory overlay memory management and switching of code subsections according to the present invention.
Fig. 11 is a flowchart illustrating the implementation of the startup and operation process in the embodiment of the present invention.
Detailed Description
As shown in fig. 2, the code injection attack protection method based on a multi-coding-mode CPU in this embodiment includes:
1) the operating system loads a software executable containing code subsections in a plurality of instruction coding modes;
2) while the software executable runs, the CPU core watches for the specified exception/interrupt; when it is detected, execution proceeds to the next step;
3) the decoder of the CPU core is switched to a randomly chosen coding mode, and the code subsection of the software executable that corresponds to that instruction coding mode is decoded and executed in the switched mode, so that if code injected by an attacker is sent to the CPU core for execution, execution fails because the injected code does not match the decoder.
When carrying out a code injection attack, the code injected by the attacker is generally fixed code that matches the CPU's instruction encoding. The aim of this embodiment is to randomize the encoding of the code sequence fed to the CPU while the computer is running, keeping its semantics unchanged, so that a deterministic code sequence injected by the attacker in advance cannot execute normally. In this embodiment, the method switches the decoding rule of the decoding component of the CPU core at high frequency and at random; the operating system selects, for the current decoding rule, the program binary code encoded under that rule and switches execution to it; and if code injected by an attacker is sent to the CPU core for execution, execution fails because the code does not match the decoder.
As an optional implementation, the method of this embodiment is realized through coordinated improvements to a hardware part and a software part. As shown in fig. 3, these improvements comprise: (1) a CPU multi-mode decoding unit hardware extension; (2) hardware random trigger support; (3) multi-coding-mode program support in the operating system; (4) fast software coding-switch support in the operating system.
(1) CPU multi-mode decoding unit hardware extension.
To let the CPU decode multiple instruction coding modes and switch between them, this embodiment proposes a hardware extension of the CPU's multi-mode decoding unit. It requires that the decoder of a CPU core support multiple encoding rules for the same instruction set; that instruction encodings under different rules have the same length and correspond one to one; that the CPU components outside the decoder remain compatible with a conventional CPU and work and are used in the same way; and that the CPU core have a dedicated register for configuring and indicating its current decoding rule. Realizing this extension means improving the decoder structure of the CPU. Fig. 4 shows a conventional CPU structure, whose main units are a memory control unit, a front-end decoding unit and an execution unit. The instruction execution flow is: the instruction fetch component sends the instruction through the memory control unit to the front-end decoding unit; after decoding, the front-end decoding unit emits control signals, and the execution unit performs data operations, data transfers and other operations.
Fig. 5 shows a modified CPU decoder structure of this embodiment that can decode code in two instruction encodings. Referring to fig. 5, the decoder of the CPU core includes a plurality of front-end decoding units with corresponding configuration registers, and each front-end decoding unit performs decoding in a predetermined random coding mode when the configuration in its configuration register is valid. The modification adds a front-end decoding unit to the conventional CPU structure shown in FIG. 3: front-end decoding unit 1 and front-end decoding unit 2 each decode one of two different instruction encodings, and the encoding to use is selected through a control register. With this change to the composition and design of the CPU, the CPU can decode multiple encodings of the same instruction set, and which encoding is used for decoding can be controlled and switched.
Fig. 6 shows a modified CPU decoder structure of this embodiment that can selectively decode an arbitrary number of encodings of an instruction set. Referring to fig. 6, a code buffer, a key register and a conversion operation unit are arranged at the front end of the decoder of the CPU core. The key register holds key codes in one-to-one correspondence with the instruction coding modes, and the conversion operation unit applies a specified reversible operation to the instruction code fetched from the code buffer and the key code fetched from the key register for the current instruction coding mode, obtaining the true input code of the decoder. This design adds a code conversion stage to the front-end decoding unit: a reversible operation on the fetched instruction code and the key code in the key register yields the decoder's real input code, after which normal decoding and execution proceed.
In summary, the functional improvements to the CPU required for the multi-mode decoding unit hardware extension in this embodiment are: the decoder of the CPU core supports multiple encoding rules for the same instruction set; instruction encodings under different rules have the same length and correspond one to one; the CPU components outside the decoder are compatible with a conventional CPU and work and are used in the same way; and the CPU core has a dedicated register that specifies and indicates the CPU's current decoding rule.
(2) random trigger support of hardware.
Switching of the coding mode can be accomplished through the CPU's interrupt (or exception) mechanism. Every interrupt carries an overhead unrelated to the coding mode switch, so this embodiment recommends (but does not require) that the code subsection be switched on every interrupt associated with switching; otherwise the interrupt only saves and restores context, which is redundant work and wastes CPU resources. From a security perspective, this embodiment requires that such interrupts arrive at random times. With these considerations, this embodiment recommends a configurable hardware approach to generate interrupts at random and thereby trigger coding mode switches at random. Specifically, a dedicated random trigger is recommended that automatically triggers the decoding rule conversion of the instruction set and generates the corresponding exception/interrupt before the conversion, for which the CPU has dedicated support.
During program execution the CPU automatically executes the next instruction through its instruction fetch component, so an external mechanism is needed to make the CPU switch its decoding mode and fetch instructions from the corresponding other code subsection. Such a mechanism is usually implemented by an interrupt or an exception, referred to collectively in this embodiment as an exception/interrupt. Because the method of this embodiment requires high-frequency random switching of the instruction coding mode, the overhead caused by interrupts is very significant; if a related interrupt only makes a decision and causes no actual coding switch, the CPU resources consumed by handling it are entirely wasted. For example, a high-precision timer could generate interrupts at a fixed frequency, and each interrupt handler could draw a random number to decide whether to switch; this also achieves random switching of the coding mode, but the interrupts that do not switch waste a large amount of CPU time. To avoid this waste, this embodiment further requires that the trigger timing of such interrupts be itself random, that the interval between interrupts be random, and that every arriving interrupt necessarily trigger a coding mode switch. Thus the exception/interrupt specified in step 2) of this embodiment comes from a random trigger.
Fig. 7 shows the design of a specific random trigger given in this embodiment. The random trigger includes a random number generator and a timer; the random number produced by the generator is used as the timer's trigger delay from the current time. When the timer fires, it generates the specified exception/interrupt to notify the CPU core and, at the same time, starts the random number generator to produce the random delay for the next timer expiry. When the CPU core receives the specified exception/interrupt and begins switching the random coding mode, it determines the instruction coding mode to switch to by reading the random number generator. In this embodiment the timer is a high-precision timer (its precision is of the same order of magnitude as the CPU clock frequency), which ensures that when the CPU core receives a random interrupt and begins the coding switch, the selection of the coding mode to switch to can be produced by reading the random number generator.
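The following C program is an added example, my own code rather than the patent's or the National University of Defense Technology's design. It models in software the pieces described in sections (1) and (2) above together with the compile step and the page-directory-entry swap from the summary: a decoder whose front end combines each fetched word with the key register entry for the current mode (fig. 6), code subsections produced by one-to-one re-encoding of the same program so that layout and operands are identical, and a random trigger whose timer delay and mode choice both come from the random number generator (fig. 7). Everything concrete in it is an assumption: the 16-bit toy ISA, XOR as the reversible conversion, the key values, and the LCG random number generator. Running it shows that the program computes the same result across random mode switches, while constructed native-encoded words fed to a decoder in a non-native mode hit an illegal opcode.

```c
/* Added example, not the patent's own design or code: a toy model of the
 * multi-coding-mode CPU. The 16-bit ISA, the XOR conversion unit, the key
 * values and the LCG random number generator are all assumptions. */
#include <stdint.h>
#include <stdio.h>

#define NMODES    4   /* instruction coding modes; mode 0 is the native one */
#define PROG_LEN  7
#define INJ_LEN   2
#define MAX_DELAY 6   /* upper bound of the random trigger delay, in cycles */
enum { OP_LDI = 0x1, OP_ADD = 0x2, OP_SUB = 0x3, OP_JNZ = 0x4, OP_HALT = 0xF };
enum { RUN_OK = 0, RUN_HALT = 1, RUN_ILLEGAL = -1, RUN_TIMEOUT = -2 };
/* Key register (fig. 6 analogue): one constructed key per coding mode; the
 * native mode's key is 0, so the conversion unit is transparent for it. */
static const uint16_t key_reg[NMODES] = { 0x0000, 0x8C3A, 0xA5F1, 0xC7E8 };

/* Compile-time step: emit the code subsection for one mode. Each word is
 * remapped one-to-one, so layout, operands and addresses stay identical. */
static void encode_subsection(const uint16_t *native, uint16_t *out, int n, int mode) {
    for (int i = 0; i < n; i++) out[i] = native[i] ^ key_reg[mode];
}

/* Random trigger (fig. 7 analogue): an LCG stands in for the hardware RNG. */
static uint32_t rng_state = 1u;
static uint32_t rng_next(void) {
    rng_state = rng_state * 1103515245u + 12345u;
    return rng_state >> 16;
}

typedef struct {
    uint8_t r[4];              /* general-purpose registers */
    int pc, mode;              /* mode: the decoder configuration register */
    const uint16_t *code_base; /* stands in for the code segment's page directory entry */
    int switches;
} cpu_t;
/* One fetch/decode/execute step: the conversion unit XORs the fetched word with
 * the active mode's key, then the ordinary decoder sees the true word.
 * Word layout: [15:12] opcode, [11:8] rd, [7:4] rs, [7:0] imm8 (signed for JNZ). */
static int step(cpu_t *c) {
    uint16_t ins = c->code_base[c->pc] ^ key_reg[c->mode];
    int op = ins >> 12, rd = (ins >> 8) & 3, rs = (ins >> 4) & 3;
    int8_t imm = (int8_t)(ins & 0xFF);
    c->pc++;                   /* branch offsets are relative to the next word */
    switch (op) {
    case OP_LDI:  c->r[rd] = (uint8_t)imm;    return RUN_OK;
    case OP_ADD:  c->r[rd] += c->r[rs];       return RUN_OK;
    case OP_SUB:  c->r[rd] -= c->r[rs];       return RUN_OK;
    case OP_JNZ:  if (c->r[rd]) c->pc += imm; return RUN_OK;
    case OP_HALT:                             return RUN_HALT;
    default:                                  return RUN_ILLEGAL;
    }
}

/* Constructed native program: r0 = 10 + 9 + ... + 1 = 55, then HALT.
 * LDI r0,0; LDI r1,10; LDI r2,1; ADD r0,r1; SUB r1,r2; JNZ r1,-3; HALT */
static const uint16_t native_prog[PROG_LEN] =
    { 0x1000, 0x110A, 0x1201, 0x2010, 0x3120, 0x41FD, 0xF000 };
/* Constructed stand-in for injected, natively encoded words: LDI r0,0x41; HALT */
static const uint16_t injected[INJ_LEN] = { 0x1041, 0xF000 };
int last_switch_count;     /* random switches seen by the last protected run */

/* Run the program under the random trigger. Each interrupt reads a new mode from
 * the RNG, writes the decoder configuration register, swaps the code base to that
 * mode's copy (the patent's page-directory-entry change plus TLB flush) and
 * schedules the next random delay. Returns r0, or a negative error code. */
int run_protected_sum(uint32_t seed) {
    uint16_t subs[NMODES][PROG_LEN];
    for (int m = 0; m < NMODES; m++)
        encode_subsection(native_prog, subs[m], PROG_LEN, m);
    cpu_t c = { {0}, 0, 0, subs[0], 0 };
    rng_state = seed;
    uint32_t next_fire = 1 + rng_next() % MAX_DELAY;
    for (uint32_t cycle = 0; cycle < 1000; cycle++) {
        if (cycle == next_fire) {                 /* the specified exception/interrupt */
            c.mode = (int)(rng_next() % NMODES);  /* ISR asks the RNG for the new mode */
            c.code_base = subs[c.mode];           /* switch to the matching subsection */
            c.switches++;
            next_fire = cycle + 1 + rng_next() % MAX_DELAY;
        }
        int rc = step(&c);
        if (rc == RUN_HALT) { last_switch_count = c.switches; return c.r[0]; }
        if (rc != RUN_OK)   { last_switch_count = c.switches; return rc; }
    }
    return RUN_TIMEOUT;
}

/* Feed the injected native words to a decoder configured for `mode`. */
int run_injected(int mode) {
    cpu_t c = { {0}, 0, mode, injected, 0 };
    while (c.pc < INJ_LEN) {
        int rc = step(&c);
        if (rc != RUN_OK) return rc == RUN_HALT ? RUN_OK : rc;
    }
    return RUN_TIMEOUT;
}

int main(void) {
    int sum = run_protected_sum(12345u);
    printf("protected run: r0=%d after %d random mode switches\n", sum, last_switch_count);
    for (int m = 0; m < NMODES; m++)
        printf("injected native words, decoder in mode %d: %s\n", m,
               run_injected(m) == RUN_OK ? "executed" : "illegal instruction");
    return 0;
}
```

One caveat the arithmetic makes visible: whether a foreign word faults or decodes as some other valid instruction depends on the key. With the constructed key 0xC7E8, for example, a native SUB word (opcode 0x3) decodes as HALT (0xF) and vice versa, so injected code may execute as unintended instructions rather than trap. It still does not run as the attacker designed it, but anyone relying on the exception as the detection signal, as the description's "generates an exception" wording does, should check the opcode space and key choice for such collisions.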
(3) Multi-coding-mode program support for operating systems.
To fit the switchable CPU decoding rule mechanism, the operating system must prepare code segment memory copies in the corresponding encodings for most of the code that runs on it, and provide mechanism support for run-time switching, so that when the CPU decoding rule is switched, the CPU's operating environment can be switched to the hardware execution environment corresponding to the respective code segment copy. The coding mode of the program executing on the CPU is switched in step with the CPU's decoding rule. The working principle of program coding mode switching is that the system, through a random generation mechanism, triggers the operating system to perform the switch, which redirects instruction fetch to a code subsection in a different coding mode according to a selectable rule. When the granularity of the random switching is fine enough, the code sequence injected by an attacker is necessarily an illegal code sequence that raises an exception when executed, so the attack cannot succeed.
The operating system is responsible for providing the support that programs need to execute on the multi-mode instruction coding CPU and to switch coding form. To fit the switchable CPU encoding rule mechanism, the operating system must prepare code segment memory copies in the corresponding encodings for most of the code that runs on it, and provide mechanism support for run-time switching, so that when the CPU decoding rule is switched, the CPU's operating environment can be switched to the hardware execution environment (including the general-purpose registers, status and control registers, stack registers and instruction registers) corresponding to the respective code segment copy. For data consistency and performance, the operating system uses a single memory copy for the other segments of the kernel or of out-of-kernel processes (data segments, stack segments, and so on); in most decoding rule switches the data content of these segments can be used by the switched-to code without modification.
The working principle of program coding rule switching is: 1) the system, through a random generation mechanism, triggers the operating system to perform the switch, so the operating system suspends the current program's execution; 2) instruction fetch is redirected to a code subsection in a different coding form according to a selectable rule.
When the granularity of the random switching is fine enough, the code sequence injected by an attacker is necessarily an illegal code sequence that raises an exception when executed, so the attack cannot succeed. Switching of program coding rules can include kernel-mode switching and user-process-mode switching, implemented together or only one of them; it consists mainly of switching the instruction encoding, with as little conversion of register or memory content as possible.
The main difference between the operating system structure supporting the random switching during the multi-coding mode operation and the conventional operating system is that: (1) the support of multiple coding modes, namely, a plurality of code sub-section copies are established in the memory space of a program executive body (a kernel, an extranuclear process and the like) of each switchable coding rule; (2) the operating system kernel supports the address space distribution and management functions of multiple copies of the code segment of the operating system kernel and multiple copies of the application code subsegment in the aspect of memory management; (3) the operating system kernel supports an interrupt generation and processing mechanism for switching instruction coding (namely switching among code segment copies) of a currently running program execution body, wherein switching of CPU decoding rules is regarded as a part of a composition mechanism for switching the program execution body among code subsection copies of the program execution body;
In this embodiment, the loading in step 1) of a software execution body containing code subsections in multiple instruction encoding modes comprises: preparing, for each code subsection of the execution body, a code segment memory copy in the corresponding encoding, and providing the mechanism support for switching at run time, so that when the CPU decoding rule is switched the CPU's operating environment can move to the hardware execution environment that corresponds to the new code segment copy, this environment comprising the general-purpose registers, the status and control registers, the stack register and the instruction register; at the same time the operating system keeps a single memory copy of the other sections, including the data section and stack section of the kernel or of the user-space process, so that for most decoding rule switches the contents of those sections can be used by the new code subsection without modification.
The operating structure of the operating system supporting random switching among multiple encoding modes at run time is shown in fig. 8, which highlights the differences from a conventional monolithic-kernel operating system such as Linux. A user-mode composite code segment process is a process created from a software execution body; it contains code subsections in several instruction encoding modes, each corresponding to one instruction encoding rule. The kernel provides the switching mechanism, which, in addition to the conventional kernel function modules of a monolithic kernel such as Linux, comprises:
a composite code segment memory management module, which prepares a code segment memory copy in the corresponding encoding for each code subsection of a software execution body that contains multiple instruction encoding modes;
code switching exception management, which handles errors when a switch raises an exception;
code switching context management, which saves and restores the execution context during a switch;
code switching policy management, which controls how switching is performed.
The distinguishing feature of the operating system supporting random switching among multiple encoding modes at run time is that it runs software execution bodies with composite code segments. A software execution body is a software unit that has its own complete virtual address space, i.e. a user-mode process or the kernel. The operating system extends the code segment of each execution body to support encoding mode switching, so that code segments in multiple encodings, and code segments at multiple addresses, coexist and can be switched and run dynamically on the CPU. Fig. 9 shows a concrete example and design of such a composite code segment. Here, for the two instruction encoding modes provided by the CPU (mode A and mode B), the composite code segment contains two independent code subsections compiled to the two requirements: an A-code subsection and a B-code subsection. A practical system can support more instruction encoding modes, which increases the randomness at run time. As shown in fig. 9, the A-code and B-code subsections are related instruction by instruction: each instruction of one is only a one-to-one re-encoding of the corresponding instruction of the other, and the two use an identical address layout, so that the register contents and the virtual memory addresses accessed by corresponding instructions are identical.
In this embodiment, step 1) also includes compiling and generating the software execution body that contains code subsections in multiple instruction encoding modes. During compilation, several code subsections are generated from the code section of the execution body according to the specified instruction encoding mode types; each instruction in one subsection is only a one-to-one re-encoding of the instruction at the same position in the others, so all subsections share the same address layout and corresponding instructions access the same register contents and the same virtual memory addresses.
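The following is an added example, not code from the patent or its authors, that models the composite code segment described above on a toy CPU. Every instruction is a fixed 3 bytes, so the A and B subsections have byte-identical address layouts; a per-mode key register XORed with each fetched byte stands in for the CPU's mode-dependent decoding (the patent's claims describe a key register and a reversible conversion in front of the decoder, but the XOR, the key value 0x5C, the opcodes and the instruction set here are all assumptions of this example); a single data region is both writable and executable, which is the condition code injection relies on; and an operating-system switch moves the decoder and the active code subsection to the other mode after a chosen number of instructions, without saving or restoring registers. The legitimate program runs unchanged across a switch, while a payload the attacker wrote in the native encoding is decoded under the other rule and faults. One caveat the description glosses over: a mis-decoded byte sequence is illegal only if it lands outside the valid opcode space. This toy uses a very sparse opcode space, so every mis-decoded byte faults; on a dense real ISA some fraction of mis-decoded instructions would still be valid, so the protection is probabilistic, and its strength also depends on the attacker not being able to learn the current mode through an information leak.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Two instruction-encoding modes; the key register holds one key per mode.
 * Mode A is the native encoding (identity), mode B XORs every fetched byte.
 * All values here are assumptions of this example, not the patent's. */
enum { MODE_A = 0, MODE_B = 1, NMODES = 2 };
enum { INSN_LEN = 3, CODE_BYTES = 24, DATA_BYTES = 12, NREGS = 4 };
enum { OP_LDI = 0x01, OP_ADD = 0x02, OP_SYS = 0x05, OP_HALT = 0x0F };
static const uint8_t MODE_KEY[NMODES] = { 0x00, 0x5C };

typedef enum { RUN_CONTINUE, RUN_HALT, RUN_ILLEGAL, RUN_LIMIT } run_result;

typedef struct {
    uint8_t code[CODE_BYTES];  /* active copy of the code subsection (A or B) */
    uint8_t data[DATA_BYTES];  /* single data copy: writable and executable */
    uint8_t mode, pc;
    int32_t r[NREGS];
    int     syscalls;          /* OP_SYS count: the attacker's objective */
} cpu_t;

/* Legitimate program in native (A) encoding: r0 = 2 + 3, then halt.
 * Fixed 3-byte instructions keep the A and B layouts byte-identical. */
static const uint8_t LEGIT_A[CODE_BYTES] = {
    OP_LDI, 0, 2,  OP_LDI, 1, 3,  OP_ADD, 0, 1,  OP_HALT, 0, 0,
};

/* Compiler step: the mode-m subsection is a one-to-one re-encoding of the
 * A subsection at the same offsets. */
static void reencode(const uint8_t *a_code, uint8_t *out, int mode)
{
    for (int i = 0; i < CODE_BYTES; i++)
        out[i] = a_code[i] ^ MODE_KEY[mode];
}

/* OS side of a switch: change the decoder's mode and bring in the matching
 * code subsection copy (stands in for swapping the page directory entry).
 * The data region is left untouched on purpose: only one copy exists. */
static void switch_mode(cpu_t *c, int mode)
{
    c->mode = (uint8_t)mode;
    reencode(LEGIT_A, c->code, mode);
}

/* Conversion unit in front of the decoder: raw fetched byte XOR current key.
 * Out-of-range addresses read as 0x00 before the XOR. */
static uint8_t fetch(const cpu_t *c, unsigned addr)
{
    uint8_t raw = addr < CODE_BYTES ? c->code[addr]
                : addr < CODE_BYTES + DATA_BYTES ? c->data[addr - CODE_BYTES] : 0;
    return raw ^ MODE_KEY[c->mode];
}

static run_result step(cpu_t *c)
{
    uint8_t op = fetch(c, c->pc);
    uint8_t x  = fetch(c, c->pc + 1) & (NREGS - 1);
    uint8_t y  = fetch(c, c->pc + 2);
    c->pc += INSN_LEN;
    switch (op) {
    case OP_LDI:  c->r[x] = (int8_t)y;              return RUN_CONTINUE;
    case OP_ADD:  c->r[x] += c->r[y & (NREGS - 1)]; return RUN_CONTINUE;
    case OP_SYS:  c->syscalls++;                    return RUN_CONTINUE;
    case OP_HALT:                                   return RUN_HALT;
    default:                                        return RUN_ILLEGAL;
    }
}

/* Run until halt or fault. After `switch_after` instructions the OS's
 * random-switch interrupt fires and moves the CPU to `new_mode`
 * (pass -1 for no switch). Registers are neither saved nor restored. */
static run_result run(cpu_t *c, int switch_after, int new_mode)
{
    for (int steps = 0; steps < 64; steps++) {
        if (steps == switch_after) switch_mode(c, new_mode);
        run_result r = step(c);
        if (r != RUN_CONTINUE) return r;
    }
    return RUN_LIMIT;
}

static void init_cpu(cpu_t *c, int mode)
{
    memset(c, 0, sizeof *c);
    switch_mode(c, mode);
}

/* Legitimate run; the final r0 is returned through *r0. */
static run_result legit(int start_mode, int switch_after, int new_mode, int32_t *r0)
{
    cpu_t c;
    init_cpu(&c, start_mode);
    run_result res = run(&c, switch_after, new_mode);
    *r0 = c.r[0];
    return res;
}

/* Attack: a payload written in the native encoding is placed in the data
 * buffer and control flow is hijacked to it (as an overwritten return
 * address would). The attacker does not know the decoder's current mode. */
static run_result attack(int start_mode, int switch_after, int new_mode, int *syscalls)
{
    static const uint8_t PAYLOAD_A[] = { OP_LDI, 0, 1,  OP_SYS, 0, 0,  OP_HALT, 0, 0 };
    cpu_t c;
    init_cpu(&c, start_mode);
    memcpy(c.data, PAYLOAD_A, sizeof PAYLOAD_A);
    c.pc = CODE_BYTES;
    run_result res = run(&c, switch_after, new_mode);
    *syscalls = c.syscalls;
    return res;
}

int main(void)
{
    int32_t r0; int sc; run_result res;
    res = legit(MODE_A, -1, MODE_A, &r0); printf("legit, mode A, no switch:    %d r0=%d\n", res, r0);
    res = legit(MODE_A, 2, MODE_B, &r0);  printf("legit, switch to B after 2:  %d r0=%d\n", res, r0);
    res = attack(MODE_A, -1, MODE_A, &sc); printf("attack, mode A, no switch:   %d syscalls=%d\n", res, sc);
    res = attack(MODE_A, 1, MODE_B, &sc);  printf("attack, switch to B after 1: %d syscalls=%d\n", res, sc);
    return 0;
}
```

The two attack runs are the point: with no switch the payload executes its system call and halts cleanly (the classic code injection outcome), while a switch landing after its first instruction, or a decoder that already happens to be in mode B, turns the next payload byte into an undefined opcode and the run ends in RUN_ILLEGAL with no system call made.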
(4) Fast encoding switch support in the operating system.
The main overhead of an encoding switch in the operating system has two parts: saving and restoring the program context, and semantically converting the interrupted program context for the new encoding. This embodiment provides software and hardware mechanisms that, on the one hand, avoid or minimize the operations needed to save and restore the program context and, on the other hand, add a new virtual memory management mechanism to the operating system so that the semantic conversion of the interrupted context costs little when the encoding mode is switched.
To "cut off" the execution of injected code effectively, the CPU must switch encoding modes frequently, which places high demands on switching speed. The overhead is divided into the two parts above because a conventional process switch consists mainly of saving and restoring the context, whereas the semantic conversion of that context is an extra step introduced by this embodiment. The program context generally means the CPU register state at the moment the program is interrupted. Since this embodiment switches only the encoding mode and not the program itself, the register state is preferably kept unchanged, avoiding save and restore traffic between registers and memory.
How the register save and restore operations are avoided is described first; how the register state is kept unchanged is covered in the memory management section below. In general the CPU relies only on the general-purpose registers and the stack pointer register (which may be one of the general-purpose registers) for computation and function calls. This embodiment requires the CPU to provide an additional set of general-purpose registers and a stack pointer register for the operations performed by the encoding switch itself, so that the register state of the interrupted program is never saved or restored directly. If the hardware provides no additional registers, the embodiment can instead restrict the number of general-purpose registers in use, keeping the set of registers that must be saved and restored to a minimum and so reducing the overhead.
In this embodiment, the mechanism support for switching at run time is a virtual memory overlay management mechanism: the page table entries for the code subsections of all instruction encoding modes of a software execution body are overlaid on the same page directory entry. When the CPU switches the random encoding mode, the execution body only needs to be suspended; the value in the page directory entry is then changed to bring in the code subsection of a different instruction encoding mode, and the translation lookaside buffer (TLB) is flushed so that the original virtual address mappings are invalidated. This overlay mechanism is what keeps the semantic conversion of the interrupted context cheap. Fig. 10 shows the two-mode case: the page table entries of the two code subsections (one per encoding mode) are overlaid on the same page directory entry; when the CPU switches instruction set while keeping the address layout of the code subsections unchanged, only the execution body's context needs to be suspended, the value in the page directory entry is changed to replace the code subsection, and the TLB contents are flushed so the old virtual address mappings are no longer used. Because of this overlay, the code subsections before and after the switch share the same register semantics and the same memory data semantics, which minimizes switching overhead and preserves switching performance.
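An added example, not the patent's code, of the overlay mechanism described above on a toy two-level page table with 8-bit virtual addresses, 16-byte pages and a four-entry TLB; the sizes, frame numbers and the marker bytes used to tell the two code pages apart are assumptions of this example. Both code subsections and both of their page tables are resident from load time, but only one page table is linked into the shared page directory slot; a switch rewrites that one slot. The example also exercises the failure mode the text warns about: if the TLB is not flushed after the page directory entry is rewritten, a cached translation keeps fetching from the old subsection, and on the real system the decoder would then be applying the new rule to bytes in the old encoding, faulting legitimate code exactly as it is meant to fault injected code.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Toy two-level paging: 8-bit virtual addresses, 16-byte pages.
 * VA bits [7:6] index the page directory, [5:4] the page table, [3:0] the offset.
 * Sizes, frame numbers and marker bytes are assumptions of this example. */
enum { PAGE_SHIFT = 4, PAGE_SIZE = 1 << PAGE_SHIFT, NPAGES = 8,
       PD_ENTRIES = 4, TLB_ENTRIES = 4, PTE_NONE = 0xFF };
enum { MODE_A = 0, MODE_B = 1 };
enum { PFN_PT_A = 0, PFN_PT_B = 1, PFN_CODE_A = 2, PFN_CODE_B = 3 };

static uint8_t phys[NPAGES][PAGE_SIZE];  /* physical memory, page tables included */
static int     pde[PD_ENTRIES];          /* page directory: PFN of a page table, or -1 */

typedef struct { int valid; uint8_t vpn, pfn; } tlb_entry;
static tlb_entry tlb[TLB_ENTRIES];
static int tlb_misses;

static void tlb_flush(void) { memset(tlb, 0, sizeof tlb); }

/* Full page walk; returns the PFN, or -1 if unmapped. */
static int walk(uint8_t va)
{
    int di = va >> 6, ti = (va >> 4) & 3;
    if (pde[di] < 0) return -1;
    uint8_t pfn = phys[pde[di]][ti];
    return pfn == PTE_NONE ? -1 : pfn;
}

/* TLB lookup first; on a miss, walk and cache the result (direct-mapped). */
static int translate(uint8_t va)
{
    uint8_t vpn = va >> PAGE_SHIFT;
    for (int i = 0; i < TLB_ENTRIES; i++)
        if (tlb[i].valid && tlb[i].vpn == vpn) return tlb[i].pfn;
    int pfn = walk(va);
    if (pfn < 0) return -1;
    tlb_misses++;
    tlb[vpn % TLB_ENTRIES] = (tlb_entry){ 1, vpn, (uint8_t)pfn };
    return pfn;
}

/* Instruction fetch: the byte at va, or -1 on a translation fault. */
static int fetch(uint8_t va)
{
    int pfn = translate(va);
    return pfn < 0 ? -1 : phys[pfn][va & (PAGE_SIZE - 1)];
}

/* Load time: both code subsections and both page tables are resident, but
 * only the A table is linked into directory slot 0. */
static void mm_init(void)
{
    memset(phys, PTE_NONE, sizeof phys);
    for (int i = 0; i < PAGE_SIZE; i++) {
        phys[PFN_CODE_A][i] = 0xA0 | i;   /* A-code marker bytes */
        phys[PFN_CODE_B][i] = 0xB0 | i;   /* B-code, same virtual layout, other frame */
    }
    phys[PFN_PT_A][0] = PFN_CODE_A;       /* both tables map virtual page 0 ... */
    phys[PFN_PT_B][0] = PFN_CODE_B;       /* ... to different physical frames */
    for (int i = 0; i < PD_ENTRIES; i++) pde[i] = -1;
    pde[0] = PFN_PT_A;
    tlb_flush();
    tlb_misses = 0;
}

/* Memory side of an encoding switch: rewrite the one shared PDE, then flush
 * the TLB so no stale virtual-page-to-frame translation survives. */
static void switch_code_subsection(int mode, int flush)
{
    pde[0] = (mode == MODE_A) ? PFN_PT_A : PFN_PT_B;
    if (flush) tlb_flush();
}

/* Which subsection the code at `va` is really fetched from: 'A', 'B', or '!' on a fault. */
static char subsection_at(uint8_t va)
{
    int b = fetch(va);
    return b < 0 ? '!' : ((b & 0xF0) == 0xA0 ? 'A' : 'B');
}

int main(void)
{
    mm_init();
    printf("after load:                  %c\n", subsection_at(0x04));
    switch_code_subsection(MODE_B, 0);
    printf("switched to B, no TLB flush: %c  (stale translation)\n", subsection_at(0x04));
    switch_code_subsection(MODE_B, 1);
    printf("switched to B, TLB flushed:  %c\n", subsection_at(0x04));
    printf("unmapped virtual page:       %c\n", subsection_at(0x14));
    return 0;
}
```

The rewrite of `pde[0]` is a single store, which is what makes the switch cheap compared with remapping every code page; the TLB flush is the unavoidable cost. On a multicore system the flush has to reach every core currently running the execution body, and a core with a virtually tagged instruction cache must invalidate that cache as well, since it may still hold bytes of the old subsection.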
In this embodiment the multiple instruction encoding modes include a native encoding mode, which is the encoding the CPU decodes when it is reset and started; as shown in sub-diagram (a) of fig. 11, step 1) is preceded by an operating system initialization step:
s1) after power-on, all CPU cores are automatically in the native instruction decoding rule state;
s2) the firmware performs basic initialization, loads the system image from memory or disk, and transfers control to the kernel;
s3) all CPU cores perform master/slave arbitration to determine one master core and the slave cores, and the slave cores go to sleep;
s4) the master core executes the initialization code from the kernel's native-encoding code subsection and initializes the system with essentially the same operations as a conventional operating system: initializing the exception handling vector, enabling caches, building the basic page table, enabling virtual address mapping, initializing bus, user interface and storage devices, and waking all slave cores; each slave core, once woken, executes the per-core initialization code of the native-encoding subsection; the kernel then enters normal operation.
Next, the kernel loads the code subsections of the other encoding modes into memory and builds their virtual memory page table entries, but does not link these page table entries into the page directory of the current page table, so they are not yet in effect. At this point several kernel code subsections are resident in physical memory: a native-encoding subsection, a native-encoding subsection with a heterogeneous address layout, a non-native-encoding subsection, a non-native-encoding subsection with a heterogeneous address layout, and so on. The kernel loads and runs the execution body of each user-mode process in the native encoding and builds virtual memory mappings for each of its code subsections and data subsections. At a suitable time the kernel enables the random-switch interrupt source; whenever a random-switch interrupt arrives, the interrupt handler immediately switches the instruction encoding mode or the address layout. The suitable time may be when kernel initialization completes, or when the user-mode process has been loaded and is running, as shown in sub-diagram (b) of fig. 11. Because of the special role of the exception/interrupt mechanism, its handler code is encoded and executed entirely in the native encoding: the CPU core automatically switches its decoder to the native encoding mode when an interrupt occurs, and switches to the required encoding mode when the kernel or user-mode context is restored after handling completes.
In addition, this embodiment provides a code injection attack protection device based on a multi-encoding-mode CPU, comprising a microprocessor and a memory connected to each other, where the microprocessor is programmed or configured to execute the steps of the code injection attack protection method described above, or the memory stores a computer program programmed or configured to execute that method.
This embodiment also provides a computer-readable storage medium storing a computer program programmed or configured to execute the code injection attack protection method based on a multi-encoding-mode CPU described above.
As those skilled in the art will appreciate, embodiments of the present application may be provided as a method, a system or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-readable storage media (including, but not limited to, disk storage, CD-ROM and optical storage) containing computer-usable program code. The present application is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems) and computer program products according to its embodiments; computer program instructions executed by a processor create means for implementing the functions specified in one or more flowchart flows and/or block diagram blocks. These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flowchart flows and/or block diagram blocks. These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus so that a series of operational steps is performed on it to produce a computer-implemented process, such that the instructions executed on the computer or other programmable apparatus provide steps for implementing the functions specified in one or more flowchart flows and/or block diagram blocks.
The above description is only a preferred embodiment of the present invention, and the protection scope of the present invention is not limited to the above embodiments; all technical solutions falling within the idea of the present invention belong to its protection scope. It should be noted that modifications and refinements that those skilled in the art may make without departing from the principle of the invention are also considered to be within its scope.

Claims (10)

1. A code injection attack protection method based on a multi-encoding-mode CPU, characterized by comprising the following steps:
1) the operating system loads a software execution body containing code subsections in a plurality of instruction encoding modes;
2) during execution of the software execution body, the CPU core monitors for a specified exception/interrupt and, if one is detected, proceeds to the next step;
3) the decoder of the CPU core is controlled to switch its random encoding mode, and the code subsection of the software execution body corresponding to the switched encoding mode is decoded and executed, so that if attack code injected by an attacker is sent to the CPU core for execution, the execution fails because the attack code does not match the decoder.
2. The code injection attack protection method based on a multi-encoding-mode CPU according to claim 1, wherein the loading by the operating system in step 1) of a software execution body containing code subsections in a plurality of instruction encoding modes comprises: preparing, for each code subsection of the execution body, a code segment memory copy in the corresponding encoding, and providing the mechanism support for switching at run time, so that when the CPU decoding rule is switched the CPU's operating environment can move to the hardware execution environment corresponding to the new code segment copy, this environment comprising the general-purpose registers, the status and control registers, the stack register and the instruction register; and at the same time the operating system keeps a single memory copy of the other sections, including the data section and stack section of the kernel or of the user-space process, so that for most decoding rule switches the contents of those sections can be used by the new code subsection without modification.
3. The method according to claim 2, wherein providing the mechanism support for switching at run time comprises a virtual memory overlay management mechanism: the page table entries of the code subsections of the plurality of instruction encoding modes of the software execution body are overlaid on the same page directory entry; when the CPU switches the random encoding mode, the execution body need only be suspended, the value in the page directory entry is changed to bring in the code subsection of a different instruction encoding mode, and the contents of the translation lookaside buffer (TLB) are flushed so that the original virtual address mapping is invalidated.
4. The code injection attack protection method based on a multi-encoding-mode CPU according to claim 1, wherein step 1) is preceded by compiling and generating a software execution body containing code subsections in a plurality of instruction encoding modes; during compilation, a plurality of corresponding code subsections are generated from the code section of the execution body according to the specified instruction encoding mode types, each instruction in one subsection being only a one-to-one re-encoding of the instruction at the same position in the others, so that the plurality of code subsections use an identical address layout and corresponding instructions access identical register contents and identical virtual memory addresses.
5. The method according to claim 1, wherein the decoder of the CPU core comprises a plurality of front-end decoding units and corresponding configuration registers, each front-end decoding unit decoding a predetermined random encoding mode when the configuration in its corresponding configuration register is valid.
6. The method according to claim 1, wherein a code buffer, a key register and a conversion operation unit are arranged at the front end of the decoder of the CPU core, the key register holding key codes corresponding to the plurality of instruction encoding modes, and the conversion operation unit performing a specified reversible operation on the instruction code fetched from the code buffer and the key code fetched from the key register for the current instruction encoding mode, to obtain the actual input code of the decoder.
7. The method according to claim 1, wherein the exception/interrupt specified in step 2) comes from a random trigger comprising a random number generator and a timer; the random number generated by the random number generator is used as the timer's trigger delay from the current time; when the timer fires it generates the specified exception/interrupt to notify the CPU core and restarts the random number generator to produce the random delay for the next timer period; and when the CPU core begins switching the random encoding mode after receiving the specified exception/interrupt, it determines the instruction encoding mode to use by reading the random number generator.
8. The code injection attack protection method based on a multi-encoding-mode CPU according to claim 1, wherein the plurality of instruction encoding modes include a native encoding mode, the native encoding mode being the encoding the CPU decodes when it is reset and started; and step 1) is preceded by an operating system initialization step:
s1) after power-on, all CPU cores are automatically in the native instruction decoding rule state;
s2) the firmware performs basic initialization, loads the system image from memory or disk, and transfers control to the kernel;
s3) all CPU cores perform master/slave arbitration to determine one master core and the slave cores, and the slave cores go to sleep;
s4) the master core executes the initialization code from the kernel's native-encoding code subsection and initializes the system with essentially the same operations as a conventional operating system: initializing the exception handling vector, enabling caches, building the basic page table, enabling virtual address mapping, initializing bus, user interface and storage devices, and waking all slave cores; each slave core, once woken, executes the per-core initialization code of the native-encoding subsection; the kernel then enters normal operation.
9. A code injection attack protection device based on a multi-encoding-mode CPU, comprising a microprocessor and a memory connected to each other, wherein the microprocessor is programmed or configured to execute the steps of the code injection attack protection method based on a multi-encoding-mode CPU according to any one of claims 1 to 8, or the memory stores a computer program programmed or configured to execute the code injection attack protection method based on a multi-encoding-mode CPU according to any one of claims 1 to 8.
10. A computer-readable storage medium storing a computer program programmed or configured to execute the code injection attack protection method based on a multi-encoding-mode CPU according to any one of claims 1 to 8.
CN202011141356.9A 2020-10-22 2020-10-22 Code injection type attack protection method and device based on multi-coding mode CPU Active CN112199681B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011141356.9A CN112199681B (en) 2020-10-22 2020-10-22 Code injection type attack protection method and device based on multi-coding mode CPU

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011141356.9A CN112199681B (en) 2020-10-22 2020-10-22 Code injection type attack protection method and device based on multi-coding mode CPU

Publications (2)

Publication Number Publication Date
CN112199681A true CN112199681A (en) 2021-01-08
CN112199681B CN112199681B (en) 2024-03-26

Family

ID=74012458

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011141356.9A Active CN112199681B (en) 2020-10-22 2020-10-22 Code injection type attack protection method and device based on multi-coding mode CPU

Country Status (1)

Country Link
CN (1) CN112199681B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112905998A (en) * 2021-02-26 2021-06-04 中国人民解放军国防科技大学 Address-oriented attack protection method and device based on code segment random switching
CN116112286A (en) * 2023-04-04 2023-05-12 井芯微电子技术(天津)有限公司 Network anomaly detection and recovery method and device
CN117521061A (en) * 2024-01-05 2024-02-06 南京南自华盾数字技术有限公司 Timing bypass attack safety protection method based on binary converter

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5781750A (en) * 1994-01-11 1998-07-14 Exponential Technology, Inc. Dual-instruction-set architecture CPU with hidden software emulation mode
US20100031360A1 (en) * 2008-07-31 2010-02-04 Arvind Seshadri Systems and methods for preventing unauthorized modification of an operating system
CN107194246A (en) * 2017-05-19 2017-09-22 中国人民解放军信息工程大学 A kind of CPU for being used to realize dynamic instruction sets randomization
CN108090346A (en) * 2017-12-04 2018-05-29 华中科技大学 A kind of code reuse attack defense method and system based on data stream monitoring

Also Published As

Publication number Publication date
CN112199681B (en) 2024-03-26

Similar Documents

Publication Publication Date Title
CN112199681A (en) Code injection type attack protection method and device based on multi-coding mode CPU
US10360162B2 (en) Processing systems and methods for transitioning between privilege states based on an address of a next instruction to be fetched
JP4423206B2 (en) Processor that switches between safe mode and non-safe mode
JP4220476B2 (en) Virtual-physical memory address mapping in systems with secure and non-secure domains
US7529916B2 (en) Data processing apparatus and method for controlling access to registers
KR20050035833A (en) Systems and methods for using synthetic instrictions in a virtual machine
JP2006506752A (en) Exception types in safety processing systems
JP2004171563A (en) Technique for access to memory in data processor
US5617553A (en) Computer system which switches bus protocols and controls the writing of a dirty page bit of an address translation buffer
CN112905998A (en) Address-oriented attack protection method and device based on code segment random switching
EP4336359A1 (en) Method for processing page faults and corresponding apparatus
EP0104840B1 (en) Multiprocessor system including firmware
KR20210110598A (en) Security predictor for speculative execution
JPH0638237B2 (en) Data processing system operating in multi-programming mode
JP6882320B2 (en) Vector instruction processing
JP2004171567A (en) Follow-up of task between multiple operating systems
WO2012086288A1 (en) Exception control method, system, and program
US11995218B2 (en) Processor with a configurable distribution of privileged resources and exceptions between protection rings
KR101961818B1 (en) Method for memory randomization without process stop and computing device performing thereof
JP7444610B2 (en) Context data management
Dolev et al. Stabilization enabling technology
JP2870405B2 (en) Information processing device
KR100870175B1 (en) Method of context switch on ARM7 series
Alexander et al. ARCHITECTED FOR PERFORMANCE--VIRTUALIZATION SUPPORT ON NEHALEM AND WESTMERE PROCESSORS.
CN116700789A (en) Software controlled flags for requiring stack switching during execution

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant