CN112784261A - Method for program execution and corresponding system, computer device and medium - Google Patents

Publication number: CN112784261A (granted as CN112784261B)
Application number: CN202110004771.8A
Authority: CN (China)
Original language: Chinese (zh)
Inventors: 马永清, 韩勇桥, 王英彬
Assignee (original and current): Beijing Lanjun Wangan Technology Development Co ltd
Legal status: Granted; active
Events: priority to CN202110004771.8A; publication of CN112784261A; application granted and publication of CN112784261B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
Abstract

Methods and corresponding systems, computer devices and media for program execution are provided. The method comprises the following steps: whenever a program is about to execute a function call instruction, the predetermined return address from the called function is encrypted and stored both in the buffer and in a dynamic address translation table; before the function return instruction is executed, the data at the corresponding buffer location is read and decrypted, and the buffer is updated as follows: if the decrypted data is a legal address, it is written back to the buffer; if it is an illegal address, the corresponding encrypted return address is read from the dynamic address translation table, decrypted and written to the corresponding buffer location; the updated data is then read from the buffer as the target return address and the function return instruction is executed so that the program jumps to that address. The invention achieves dynamic detection and handling of buffer overflow while mitigating the protection failure that occurs when the backup return address is modified at the same time as the original.

Description

Method for program execution and corresponding system, computer device and medium
Technical Field
The present invention relates to program execution, and more particularly, to a method for program execution for buffer overflow and corresponding system, computer device and computer readable storage medium.
Background
Buffer overflow is a very common problem, widely present in operating systems and application software. Depending on the situation, a buffer overflow can cause the program to fail, the system to hang or restart, and the like. More seriously, an attacker can use a buffer overflow to execute unauthorized instructions and even obtain system privileges, and then carry out various illegal operations.
Some solutions have been proposed in the prior art for the problem of buffer overflow. For example, static detection schemes scan the syntax, structure and semantics of the source code without running the program and complete buffer overflow detection before it runs; such schemes cannot detect buffer overflow in programs without source code and cannot prevent undetected or newly discovered bugs. Dynamic detection schemes insert boundary-check code and recompile the program (for example with BoundsChecker, SafeBound or a compiler switch), terminating the program if an overflow is detected while it runs. Another prior-art approach uses CPU or operating-system protection mechanisms to restrict write/execute permissions on the buffer, such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR); such schemes require the CPU or operating system to support particular features and consume additional CPU or operating-system resources. Finally, the known shadow stack technique backs up stack contents and restores them after the function call completes and before the called function returns; however, the shadow stack technique does not solve the problem of the backup return address being overwritten at the same time.
Disclosure of Invention
It is an object of the present invention to provide an improved solution to buffer overflow, which is able to address or alleviate at least some of the above mentioned problems of the prior art while handling buffer overflow.
Specifically, according to a first aspect of the present invention, there is provided a method for program execution, comprising:
encrypting a predetermined return address returned from a called function whenever the program is to execute a function call instruction to call the function, and storing the encrypted predetermined return address in a predetermined buffer location of a buffer for the program to run and a predetermined translation table location of a dynamic address translation table stored in a memory in which the buffer is located;
before the program executes a function return instruction returned from the called function,
-reading data stored at the predetermined buffer position of the buffer and decrypting the read data; and
-updating the data stored at the predetermined buffer location of the buffer in the following manner: if the decrypted data is a legal address, writing the decrypted data into the predetermined buffer location of the buffer; if the decrypted data is an illegal address, executing an exception handling step, wherein the exception handling step comprises the following exception updating step: reading the encrypted predetermined return address from the predetermined translation table location of the dynamic address translation table, decrypting it and writing the decrypted predetermined return address into the predetermined buffer location of the buffer;
and
reading the updated data from the predetermined buffer location of the buffer as a target return address, executing the function return instruction based on the target return address to cause the program to jump to the target return address.
According to a second aspect of the present invention, there is provided a system for program execution, comprising:
a memory comprising a buffer for the program to run in; and
a processor adapted to communicate with the memory and configured to:
encrypting a predetermined return address returned from a called function whenever the program is to execute a function call instruction to call a function, and storing the encrypted predetermined return address in a predetermined buffer location of a buffer for the program to run and a predetermined translation table location of a dynamic address translation table stored in the memory;
before the program executes a function return instruction returned from the called function,
-reading data stored at the predetermined buffer position of the buffer and decrypting the read data; and
-updating the data stored at the predetermined buffer location of the buffer in the following manner: if the decrypted data is a legal address, writing the decrypted data into the predetermined buffer location of the buffer; if the decrypted data is an illegal address, executing an exception handling step, wherein the exception handling step comprises the following exception updating step: reading the encrypted predetermined return address from the predetermined translation table location of the dynamic address translation table, decrypting it and writing the decrypted predetermined return address into the predetermined buffer location of the buffer;
and
reading the updated data from the predetermined buffer location of the buffer as a target return address, executing the function return instruction based on the target return address to cause the program to jump to the target return address.
According to a third aspect of the invention, there is provided a computer device comprising a memory and a processor, the memory having stored thereon computer instructions which, when executed by the processor, cause the method described above to be performed.
According to a fourth aspect of the invention, there is provided a non-transitory computer readable storage medium having stored thereon computer instructions which, when executed by a processor, cause the method described above to be performed.
With the scheme of the invention, buffer overflow can be detected and handled dynamically while the program runs, whether or not the program's source code is available and without depending on particular operating-system or CPU features. Related benefits follow: there is no need to wait for a program patch to be released, program maintenance is simplified, and the consumption of operating-system or CPU resources is reduced. In addition, the scheme of the invention solves or mitigates the protection failure caused by the backup return address being modified at the same time as the original.
Drawings
Non-limiting and non-exhaustive embodiments of the present invention are described by way of example with reference to the following drawings,
wherein:
FIG. 1 is a diagram of an example memory region allocated for an application;
FIG. 2 is a schematic diagram illustrating a flow chart of a method according to an embodiment of the invention;
FIG. 3 is a schematic diagram illustrating a flow diagram of an exception handling process according to one embodiment of the invention;
FIG. 4 is a diagram illustrating correlation processing according to an embodiment of the invention;
FIG. 5 is a schematic diagram illustrating a system according to an embodiment of the invention.
Detailed Description
In order to make the above and other features and advantages of the present invention more apparent, the present invention is further described below with reference to the accompanying drawings. It is understood that the specific embodiments described herein are for purposes of illustration only and are not intended to be limiting.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention. However, it will be apparent to one of ordinary skill in the art that the specific details need not be employed to practice the present invention. In other instances, well-known steps or operations are not described in detail to avoid obscuring the invention.
A "buffer" is a contiguous memory region, i.e. the memory space used while a program is running. FIG. 1 is a diagram of an example memory region allocated for an application; the region includes, from bottom to top: a code segment storing the program code; a data segment storing global variables, static variables and the like; a stack storing local variables, function parameter values and any other information related to functions or function calls, such as the return addresses required to execute function return instructions; and a heap, i.e. a dynamic memory allocation region that lets the program request memory of a given size at runtime. The difference between local and global variables is that a local variable is defined inside a particular function and can only be accessed there, whereas a global variable may be defined inside the main function or outside any function and can be accessed anywhere. The memory area for program execution may include more or fewer segments as needed; for example, it may include an environment/parameter segment storing a copy of the system environment variables the process may need at runtime.
Among buffer overflows, stack overflow is the most dangerous, because an intruder can exploit it to change the return address used when a function returns, making the program jump to an arbitrary address. The consequences are serious: in one case the program crashes, causing a denial of service; in another the program jumps to and executes a piece of malicious code, for example to obtain a shell, which is what the attacker is after.
The present invention proposes a solution for buffer overflow, in particular stack overflow. The general idea is to monitor all function call (call) and function return (ret) instructions of a program by dynamically tracking its execution, as follows: whenever a function call instruction is executed, the corresponding predetermined return address is encrypted and stored at a predetermined buffer location of the buffer and at a predetermined translation table location of a dynamic address translation table; after the called function completes and before the corresponding function return instruction executes, the data at the predetermined buffer location is decrypted; if the decrypted data is a legitimate address it is written back to the predetermined buffer location to update the data stored there, and if it is an illegitimate address the data at that location is updated by an exception handling step that includes at least the following exception updating step: reading the encrypted predetermined return address from the predetermined translation table location of the dynamic address translation table, decrypting it and writing the decrypted predetermined return address to the predetermined buffer location; finally the function return instruction is executed with the updated data at the predetermined buffer location as the target return address, and the program continues running. Herein, a "program" should be interpreted broadly as any instruction or code segment that can be executed to implement one or more functions, and may be a main program or a subprogram.
Decrypting the data at the predetermined buffer location to an illegal address (e.g. garbage) may correspond to different situations. One possible scenario is that the predetermined return address stored on the stack when the function call instruction executed is illegally overwritten or tampered with before the called function finishes, for example by a malicious attack; another is that the predetermined return address stored on the stack was modified legitimately, for example by the program's author, or for other possible reasons.
Optionally, the present invention may correspondingly execute different exception handling steps for different situations based on a pre-established exception address information table. Here, the exception address information table includes at least a legally modified return address associated with each of one or more specific function call instructions of the program, wherein for each of the specific function call instructions the legally modified return address associated therewith is different from a predetermined return address originally returned from the called function called thereby. In one embodiment, in the case where the decrypted data is an illegal address, the performing an exception handling step includes: judging whether a pre-established abnormal address information table comprises address information which is the same as or consistent with the illegal address; if the determination result is positive, writing the decrypted data into the predetermined buffer location of the buffer to update the data stored therein, and if the determination result is negative, performing the above-described exception updating step of reading the encrypted predetermined return address from the predetermined translation table location of the dynamic address translation table, decrypting it, and writing the decrypted predetermined return address into the predetermined buffer location of the buffer to update the data stored therein. Therefore, the condition that the predetermined return address originally returned from the corresponding called function and stored in the stack before the function return instruction is executed is legally modified can be identified and considered, the normal operation of the program under the condition is ensured, and the software compatibility with the self-modifying instruction is realized.
The dynamic address translation table may be created in various possible ways. For example, it may be built dynamically during program execution by monitoring the function call instructions the running program executes. In one embodiment, a dynamic address translation table is generated for each running program; for each function call instruction executed by the program it holds the predetermined return address returned from the function called by that instruction, and it may optionally hold other information associated with the function call instruction, such as context information of the call, which may include, for example and without limitation, the instruction pointer (EIP) value at the time the function call instruction is executed, i.e. the address of the function call instruction itself. The return address stored in the dynamic address translation table may be encrypted; the other information stored there may be encrypted or unencrypted. For example, each time the program executes a function call instruction, or each time it executes a given function call instruction for the first time, the return address just pushed is encrypted, the unencrypted return address on the stack is replaced with the encrypted one, and the encrypted return address together with optional context information of the call is saved in a newly created or existing table, thereby creating or updating the dynamic address translation table for the program.
If a function call instruction is executed more than once during program execution, the operation of saving the corresponding return address and optionally the associated context information in the dynamic address translation table may be performed only when the function call instruction is executed for the first time, or may be performed each time the function call instruction is executed. Saving context information associated with the function call in the dynamic address translation table facilitates subsequent lookup of the corresponding encrypted predetermined return address in the dynamic address translation table. The dynamic address translation table may be stored in the memory, in particular in a region of the memory other than a buffer for program execution. After the program has been executed, the dynamic address translation tables created for it may be purged from memory.
The exception address information table may be created in various possible ways. For example, a corresponding exception address information table may be created for each program; alternatively, one exception address information table may cover two or more programs, with a portion or set of entries specific to each program. In one embodiment, for a targeted program, the exception address information table is established by training in advance, analysing and recording the return addresses that are modified abnormally while the program runs. For example, auxiliary tools, automated scripts and/or human-assisted operation may be used to simulate the data and usage flows of the program under various normal operating conditions, in particular the data and program instructions (e.g. copyright verification, identification, critical data access, etc.) that may involve buffer modification; meanwhile the program's internal function calls are monitored, the abnormally modified return addresses and optional related information such as the context of the function call are collected and recorded, and the recorded return addresses and optional related information are encrypted to form the exception address information table. For example, the program author may deliberately modify the return address corresponding to a function call instruction for some purpose, producing a modified return address that can be stored in the exception address information table for matching in the exception handling step.
Depending on the situation, an established exception address information table can be updated by adding, deleting or changing the return address and possible related information associated with one or more function call instructions of the program; this can be done, for example, by further simulating, monitoring and analysing program runs and recording data/information. Generally, the more data and the wider the range of conditions simulated for a program, the more comprehensive and accurate the resulting exception address information table. Advantageously, the return addresses stored in the exception address information table are encrypted; other information stored in the table may be encrypted or unencrypted. Context information associated with the function call, stored in the exception address information table, may help determine whether the illegal address under consideration corresponds to the particular situation, reflected by the relevant entry of the table, in which the return address was legitimately modified. The exception address information table may be stored in another storage device, such as an external memory distinct from the memory, when not in use, and loaded into the memory when used. It may be retained for a period of time or permanently, as desired.
The addresses referred to herein may be absolute addresses or relative addresses. For example, the return address in the dynamic address translation table may preferably be an absolute address, and the return address in the exception address information table may preferably be a relative address with respect to the program entry address. In case the stored addresses are relative addresses, the corresponding absolute addresses may be determined, for example, based on the program entry address and an offset of the relative address with respect thereto.
Fig. 2 schematically shows a flow diagram 200 of a method according to an embodiment of the invention. Method 200 may include step 201, step 202, step 203, step 204, step 205, and step 206.
The method starts in step 201. In step 201, whenever a program executes a function call instruction to call a function, a predetermined return address returned from the called function is encrypted, and the encrypted predetermined return address is stored in a predetermined buffer location of a buffer for program execution and a predetermined translation table location of a dynamic address translation table.
At step 202, after the called function is executed and before a function return instruction returned from the called function is executed, data stored in a predetermined buffer position of the buffer is read and the read data is decrypted.
In step 203, it is determined whether the decrypted data obtained in step 202 is a valid address.
If the determination at step 203 is positive, the method proceeds to step 204. At step 204, the decrypted data is written to a predetermined buffer location of the buffer to update the data therein.
If the determination at step 203 is negative, the method proceeds to step 205. At step 205, an exception handling step is performed to update the data stored at the predetermined buffer location of the buffer. In one embodiment, the exception handling step comprises the following exception updating step: the encrypted predetermined return address is read from the predetermined translation table location of the dynamic address translation table, decrypted and written to the predetermined buffer location of the buffer. In another embodiment, the exception handling step comprises the exception handling process shown in FIG. 3, which is described later.
At step 206, the updated data is read from the predetermined buffer location of the buffer as the target return address, and the function return instruction is executed based on the target return address to cause the program to jump to the target return address to continue running.
As shown in fig. 3, the exception handling process may include a step 3051, a step 3052 and a step 3053.
The exception handling process may be triggered by decrypted data from the stack being an illegal address. At step 3051, it is judged whether the illegal address is included in an abnormal address information table established in advance.
If the determination at step 3051 is positive, the process proceeds to step 3052. At step 3052, the decrypted data is written to a predetermined buffer location of the buffer to update the data therein.
If the determination at step 3051 is negative, the process proceeds to step 3053. At step 3053, the data stored at the predetermined buffer location of the buffer is updated from the encrypted return address held in the dynamic address translation table, i.e. the exception updating step is executed: the encrypted predetermined return address is read from the predetermined translation table location of the dynamic address translation table, decrypted, and the decrypted predetermined return address is written to the predetermined buffer location of the buffer.
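The call/return flow of steps 201 to 206, the exception process of steps 3051 to 3053 and the training of the exception address information table described earlier, as an added Python simulation; it is not part of the patent and not the assignee's code. Everything in it is an assumption: integer addresses stand in for real memory, a dict models the stack, the legality test is "the address lies in the code segment", XOR with a per-run secret stands in for the patent's unspecified encryption algorithm, and the call-site addresses, the overflow payload and the legitimate redirection into a runtime-generated code region are constructed.

```python
"""Constructed simulation of the encrypted-return-address scheme (not the patent's code)."""
from __future__ import annotations
import secrets

CODE_START, CODE_END = 0x401000, 0x402000   # constructed code-segment range
ENTRY = CODE_START                          # base for relative addresses in the exception table


def encrypt(addr: int, key: int) -> int:
    """Stand-in for the patent's encryption: XOR with a per-run secret (assumption)."""
    return addr ^ key


def decrypt(word: int, key: int) -> int:
    return word ^ key


def is_legal_address(addr: int) -> bool:
    """Legality test (assumption): a return target must lie inside the code segment."""
    return CODE_START <= addr < CODE_END


class Monitor:
    """Tracks the call and ret instructions of one program run."""

    def __init__(self, key=None, exception_table=None):
        self.key = secrets.randbits(32) if key is None else key
        self.stack = {}              # slot address -> stored word (constructed stack model)
        self.translation = {}        # call-site EIP -> encrypted predetermined return address
        # exception address information table: {(call_site - ENTRY, modified_target - ENTRY)}
        self.exception_table = set(exception_table or ())

    def on_call(self, eip: int, slot: int, ret_addr: int) -> None:
        """Step 201: encrypt the return address and store it in the stack slot and,
        on the first execution of this call site, in the dynamic address translation table."""
        word = encrypt(ret_addr, self.key)
        self.stack[slot] = word
        self.translation.setdefault(eip, word)

    def on_modify_return(self, slot: int, new_target: int) -> None:
        """Deliberate redirection by the program itself (e.g. into runtime-generated code).
        It goes through the monitor, so the slot stays encrypted (assumption)."""
        self.stack[slot] = encrypt(new_target, self.key)

    def on_return(self, eip: int, slot: int) -> tuple[int, str]:
        """Steps 202-206: decrypt the slot, validate, repair if needed; return (target, outcome)."""
        decrypted = decrypt(self.stack[slot], self.key)           # step 202
        if is_legal_address(decrypted):                           # step 203 -> 204
            self.stack[slot] = decrypted
            return decrypted, "ok"
        # step 205 / fig. 3: exception handling
        if (eip - ENTRY, decrypted - ENTRY) in self.exception_table:   # 3051 -> 3052
            self.stack[slot] = decrypted
            return decrypted, "legit-modified"
        restored = decrypt(self.translation[eip], self.key)       # step 3053
        self.stack[slot] = restored
        return restored, "restored"

    def record_for_training(self, eip: int, slot: int):
        """Training pass over a trusted run: record an illegal-but-intended return
        target as a relative entry of the exception address information table."""
        decrypted = decrypt(self.stack[slot], self.key)
        if is_legal_address(decrypted):
            return None
        entry = (eip - ENTRY, decrypted - ENTRY)
        self.exception_table.add(entry)
        return entry


def demo(key: int = 0x5A5A1234) -> dict:
    """Four constructed scenarios; returns the outcome of each."""
    slot = 0x7FFE_0000
    results = {}
    m = Monitor(key)
    # 1. ordinary call and return
    m.on_call(0x401100, slot, 0x401105)
    results["normal"] = m.on_return(0x401100, slot)
    # 2. a stack overflow overwrites the slot with attacker-chosen plaintext bytes ('AAAA')
    m.on_call(0x401100, slot, 0x401105)
    m.stack[slot] = 0x41414141
    results["overflow"] = m.on_return(0x401100, slot)
    # 3. training run: the program itself redirects the return into generated code
    m.on_call(0x401120, slot, 0x401125)
    m.on_modify_return(slot, 0x600010)
    results["trained"] = m.record_for_training(0x401120, slot)
    # 4. production run with the trained table: the same redirection is accepted
    p = Monitor(key, m.exception_table)
    p.on_call(0x401120, slot, 0x401125)
    p.on_modify_return(slot, 0x600010)
    results["legit"] = p.on_return(0x401120, slot)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:9s} -> {outcome}")
```

Scenario 2 shows why the dynamic address translation table must live outside the buffer: the overflow reaches the stack slot but not the table, so the monitor still has an intact copy to restore from. Scenario 4 shows the self-modification case: the redirected target fails the range check but matches the trained relative entry, so it is accepted instead of being rolled back.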
The present invention is further described with reference to FIG. 4 in conjunction with an exemplary code segment, stack, dynamic address translation table, and exception address information table. As shown in fig. 4, the code segment of the buffer for program execution stores program code, and the instruction pointer EIP indicates that a function call instruction is to be executed by the program, and at this time, the corresponding return address is encrypted and stored in both the stack and the dynamic address translation table — as indicated by a solid line between the code segment and the stack and a solid line between the code segment and the dynamic address translation table. After the called function is executed and before the corresponding return instruction is executed: if the data of the position in the stack, where the encrypted return address is originally stored, is decrypted to be a legal address, the legal address is stored in the position so as to update the data in the position; if the decrypted data is an illegal address, the illegal address is matched with a modified address in a pre-established abnormal address information table to determine whether the decrypted data or the corresponding saved address in the dynamic address translation table is used for updating the data stored at the position of the stack. The need to use a dynamic address translation table and an exception address information table in the case where the decrypted data from the stack indicates an incorrect return address is schematically illustrated in figure 4 by dashed lines. In addition to the return address, the stack in FIG. 4 is also shown holding data such as temporary data, held EIP, parameters, etc.
The present invention may be implemented as a system for program execution that may include a memory and a processor adapted to communicate with the memory and configured to execute computer instructions to perform some or all of the steps of the method for program execution of the present invention.
Fig. 5 schematically illustrates a system 500 according to an embodiment of the invention. System 500 includes memory 501, external memory 502 and processor 503. Both memory 501 and external memory 502 are communicatively coupled to processor 503, and memory 501 and external memory 502 are also communicatively coupled to each other. Herein, "memory" denotes internal (main) memory and "external memory" denotes external storage.
Memory 501 may include a memory area, i.e. a buffer, for program execution, and additional memory areas, e.g. an address table area holding the dynamic address translation table and possibly the exception address information table loaded from external memory 502. External memory 502 may take various forms, such as, but not limited to, hard disks, floppy disks, optical disks and USB flash drives. The exception address information table may be kept in external memory 502 when not in use. Processor 503 may be configured to control execution of program code loaded into memory 501 and to load the exception address information table from external memory 502 into memory 501 when needed. Processor 503 may be configured to execute computer instructions to perform some or all of the steps of the method for program execution of the invention.
The invention can also be implemented as a system comprising an information extraction module, an encryption/decryption module, a monitoring module and an exception handling module. The monitoring module monitors the running program, tracks its function call and function return instructions and processes the data on the stack; the information extraction module, aided by the monitoring module, records and extracts information about the program's internal function calls and returns while it runs, in order to generate the dynamic address translation table and the exception address information table; the encryption/decryption module encrypts and decrypts data such as return addresses according to predetermined encryption and decryption algorithms; and the exception handling module intervenes, when the decrypted address obtained from the stack is illegal, to recover the target return address.
It will be appreciated by those of ordinary skill in the art that the schematic diagram shown in fig. 5 is merely an illustration of some of the structures associated with aspects of the present invention and does not constitute a limitation of the computer devices, processors or computer program instructions embodying aspects of the present invention. Particular computer apparatus, processors, or computer program instructions may include more or fewer components or modules than shown, or may combine or split certain components or modules, or may have different arrangements of components or modules.
It will be understood that the specific features, operations and details described herein above with respect to the method of the present invention may also be similarly applied to the system of the present invention, or vice versa. In addition, each step of the method of the present invention described above may be performed by a respective component or unit of the system of the present invention.
It should be understood that the various modules/units of the system of the present invention may be implemented in whole or in part by software, hardware, firmware, or a combination thereof. The modules/units may be embedded in the processor of the computer device in the form of hardware or firmware or independent from the processor, or may be stored in the memory of the computer device in the form of software for being called by the processor to execute the operations of the modules/units. Each of the modules/units may be implemented as a separate component or module, or two or more modules/units may be implemented as a single component or module.
In one embodiment, a computer device is provided comprising a memory and a processor, the memory having stored thereon computer instructions executable by the processor, the computer instructions, when executed by the processor, instructing the processor to perform the steps of the method of the invention. The computer device may broadly be a server, a terminal, or any other electronic device having the necessary computing and/or processing capabilities. In one embodiment, the computer device may include a processor, memory, a network interface, a communication interface, etc., connected by a system bus. The processor of the computer device may be used to provide the necessary computing, processing and/or control capabilities. The memory of the computer device may include non-volatile storage media and internal memory. An operating system, a computer program, and the like may be stored in or on the non-volatile storage medium. The internal memory may provide an environment for the operating system and the computer programs in the non-volatile storage medium to run. The network interface and the communication interface of the computer device may be used to connect and communicate with an external device through a network. The computer program, when being executed by a processor, performs the steps of the method for program execution of the invention.
The present invention may be embodied as a computer readable storage medium having stored thereon computer instructions which, when executed by a processor, cause the steps of the method of the present invention to be performed. In one embodiment, the computer instructions are distributed across a plurality of computer devices or processors coupled by a network such that the computer instructions are stored, accessed, and executed by one or more computer devices or processors in a distributed fashion. A single method step/operation, or two or more method steps/operations, may be performed by a single computer device or processor or by two or more computer devices or processors. One or more method steps/operations may be performed by one or more computer devices or processors, and one or more other method steps/operations may be performed by one or more other computer devices or processors. One or more computer devices or processors may perform a single method step/operation, or perform two or more method steps/operations.
It will be understood by those of ordinary skill in the art that all or a portion of the steps for program execution of the present invention may be performed by associated hardware, such as a computer device or processor, under the direction of computer instructions, which may be stored in a non-transitory computer readable storage medium and which, when executed, cause the steps for program execution of the present invention to be performed. Any reference herein to memory, storage, databases, or other media may include non-volatile and/or volatile memory, as appropriate. Examples of non-volatile memory include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), flash memory, magnetic tape, floppy disk, magneto-optical data storage device, hard disk, solid state disk, and the like. Examples of volatile memory include random access memory (RAM), external cache memory, and the like.
The respective technical features described above may be arbitrarily combined. Although not all possible combinations of features are described, any combination of features should be considered to be covered by the present specification as long as there is no contradiction between such combinations.
While the present invention has been described in connection with the embodiments, it is to be understood by those skilled in the art that the foregoing description and drawings are merely illustrative and not restrictive of the broad invention, and that this invention is not limited to the disclosed embodiments. Various modifications and variations are possible without departing from the spirit of the invention.

Claims (12)

1. A method for program execution, comprising:
encrypting a predetermined return address to which a called function is to return whenever the program is to execute a function call instruction to call the function, and storing the encrypted predetermined return address both at a predetermined buffer location of a buffer in which the program runs and at a predetermined translation table location of a dynamic address translation table stored in a memory in which the buffer is located;
before the program executes a function return instruction for returning from the called function,
- reading the data stored at the predetermined buffer location of the buffer and decrypting the read data; and
- updating the data stored at said predetermined buffer location of said buffer as follows: if the decrypted data is a legal address, writing the decrypted data into said predetermined buffer location of said buffer; if the decrypted data is an illegal address, executing an exception handling step, wherein the exception handling step comprises the following exception updating step: reading said encrypted predetermined return address from said predetermined translation table location of said dynamic address translation table, decrypting it, and writing the decrypted predetermined return address into said predetermined buffer location of said buffer;
and
reading the updated data from the predetermined buffer location of the buffer as a target return address, and executing the function return instruction based on the target return address so that the program jumps to the target return address.
2. The method of claim 1, wherein the exception handling step further comprises:
judging whether address information that is the same as or consistent with the illegal address is included in a pre-established exception address information table, wherein the exception address information table comprises legally modified return addresses, each associated with one of one or more specific function call instructions; and
if the judgment result is positive, writing the decrypted data into the predetermined buffer location of the buffer,
wherein the exception updating step is executed only if the judgment result is negative.
3. The method of claim 2, wherein the exception address information table further comprises context information associated with each of the one or more particular function call instructions.
4. The method of claim 2, wherein the exception address information table is stored in an external memory of a system in which the memory resides.
5. The method of any of claims 1 to 4, wherein the dynamic address translation table is stored in a region of the memory other than the buffer.
6. A system for program execution, comprising:
a memory comprising a buffer in which the program runs; and
a processor adapted to communicate with the memory and configured to:
encrypting a predetermined return address to which a called function is to return whenever the program is to execute a function call instruction to call the function, and storing the encrypted predetermined return address both at a predetermined buffer location of the buffer and at a predetermined translation table location of a dynamic address translation table stored in the memory;
before the program executes a function return instruction for returning from the called function,
- reading the data stored at the predetermined buffer location of the buffer and decrypting the read data; and
- updating the data stored at said predetermined buffer location of said buffer as follows: if the decrypted data is a legal address, writing the decrypted data into said predetermined buffer location of said buffer; if the decrypted data is an illegal address, executing an exception handling step, wherein the exception handling step comprises the following exception updating step: reading said encrypted predetermined return address from said predetermined translation table location of said dynamic address translation table, decrypting it, and writing the decrypted predetermined return address into said predetermined buffer location of said buffer;
and
reading the updated data from the predetermined buffer location of the buffer as a target return address, and executing the function return instruction based on the target return address so that the program jumps to the target return address.
7. The system of claim 6, wherein the exception handling step further comprises:
judging whether address information that is the same as or consistent with the illegal address is included in a pre-established exception address information table, wherein the exception address information table comprises legally modified return addresses, each associated with one of one or more specific function call instructions; and
if the judgment result is positive, writing the decrypted data into the predetermined buffer location of the buffer,
wherein the exception updating step is executed only if the judgment result is negative.
8. The system of claim 7, wherein the exception address information table further comprises context information associated with each of the one or more particular function call instructions.
9. The system of claim 7, further comprising an external memory, wherein the processor is further adapted to communicate with the external memory, the exception address information table being stored in the external memory.
10. The system of any of claims 6 to 9, wherein the dynamic address translation table is stored in a region of the memory other than the buffer.
11. A computer device comprising a memory and a processor, the memory having stored thereon computer instructions that, when executed by the processor, cause the method of any of claims 1-5 to be performed.
12. A non-transitory computer readable storage medium having stored thereon computer instructions which, when executed by a processor, cause the method according to any one of claims 1 to 5 to be performed.
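The call and return flow of claims 1 and 2, together with the module description given for Fig. 5, as an added user-space simulation; this is not code from the patent or from the applicant. A plain array stands in for the stack ("buffer"), a second array for the dynamic address translation table kept outside the buffer (claim 5), and a small constant table for the exception address information table (claims 2 and 3). The address ranges, the key, the XOR-based stand-in for the predetermined encryption algorithm, the call sites and the table entries are all constructed values chosen for the demonstration; the function names (on_call, on_return, overwrite_top_slot) are likewise assumptions of this example.

```c
/* Added example, not code from the patent: a user-space simulation of the
 * call/return flow of claims 1 and 2. Arrays replace the stack ("buffer"),
 * the dynamic address translation table (claim 5) and the exception address
 * information table (claims 2 and 3). All values are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_FRAMES 16

/* Constructed code range; decrypted addresses inside it count as legal. */
#define TEXT_START 0x401000u
#define TEXT_END   0x402000u

/* Constructed per-process key. The patent leaves the predetermined
 * encryption/decryption algorithm open; XOR with a secret stands in for it
 * here only to keep the example short. */
static const uint32_t KEY = 0x5A3C9E71u;

static uint32_t buffer[MAX_FRAMES];      /* simulated stack slots */
static uint32_t xlat_table[MAX_FRAMES];  /* dynamic address translation table */
static uint32_t call_sites[MAX_FRAMES];  /* call instruction per frame (claim 2) */
static size_t depth;

/* Exception address information table: legally modified return addresses,
 * each tied to one specific call instruction. Constructed entry. */
struct exc_entry { uint32_t call_site; uint32_t legal_target; };
static const struct exc_entry exc_table[] = {
    { 0x401230u, 0x601000u },  /* a known trampoline outside the text range */
};

enum ret_source { RET_EMPTY, RET_LEGAL, RET_EXCEPTION_TABLE, RET_RESTORED };

static uint32_t encrypt_addr(uint32_t a) { return a ^ KEY; }
static uint32_t decrypt_addr(uint32_t c) { return c ^ KEY; }
static bool is_legal(uint32_t a) { return a >= TEXT_START && a < TEXT_END; }

static bool in_exception_table(uint32_t call_site, uint32_t a)
{
    for (size_t i = 0; i < sizeof exc_table / sizeof exc_table[0]; i++)
        if (exc_table[i].call_site == call_site && exc_table[i].legal_target == a)
            return true;
    return false;
}

/* On a function call instruction: encrypt the predetermined return address
 * and store it at both the buffer slot and the translation-table slot. */
bool on_call(uint32_t call_site, uint32_t ret_addr)
{
    if (depth >= MAX_FRAMES) return false;
    buffer[depth] = xlat_table[depth] = encrypt_addr(ret_addr);
    call_sites[depth] = call_site;
    depth++;
    return true;
}

/* Test hook: write a raw value into the top slot. Used both for a legitimate
 * in-program rewrite of the return address and to stand in for a corrupted
 * slot, so that every branch of the update step can be exercised. */
void overwrite_top_slot(uint32_t raw)
{
    if (depth > 0) buffer[depth - 1] = raw;
}

/* Before the function return instruction: decrypt the slot, update it as in
 * claim 1 (legal -> keep; illegal -> accept only if listed for this call
 * site, otherwise restore from the translation table), then read the updated
 * slot back as the target return address. */
uint32_t on_return(enum ret_source *src)
{
    if (depth == 0) { *src = RET_EMPTY; return 0; }
    size_t i = depth - 1;
    uint32_t dec = decrypt_addr(buffer[i]);

    if (is_legal(dec)) {
        buffer[i] = dec;
        *src = RET_LEGAL;
    } else if (in_exception_table(call_sites[i], dec)) {
        buffer[i] = dec;                          /* legally modified address */
        *src = RET_EXCEPTION_TABLE;
    } else {
        buffer[i] = decrypt_addr(xlat_table[i]);  /* exception updating step */
        *src = RET_RESTORED;
    }
    uint32_t target = buffer[i];
    depth--;
    return target;
}

int main(void)
{
    enum ret_source src;
    on_call(0x401100u, 0x401105u);
    overwrite_top_slot(0x41414141u);              /* simulated corruption */
    uint32_t t = on_return(&src);
    printf("target 0x%x, source %d\n", (unsigned)t, (int)src);  /* 0x401105, 3 */
    return 0;
}
```

The point of the three branches is the order of the checks: a legal decrypted address is used as-is, an illegal one is accepted only when the exception table lists that exact address for the frame's own call site (the same target at a different call site is rejected), and anything else is replaced by the copy kept in the translation table, which an overflow of the buffer cannot reach.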
CN202110004771.8A 2021-01-04 2021-01-04 Method for program operation and corresponding system, computer device and medium Active CN112784261B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110004771.8A CN112784261B (en) 2021-01-04 2021-01-04 Method for program operation and corresponding system, computer device and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110004771.8A CN112784261B (en) 2021-01-04 2021-01-04 Method for program operation and corresponding system, computer device and medium

Publications (2)

Publication Number Publication Date
CN112784261A true CN112784261A (en) 2021-05-11
CN112784261B CN112784261B (en) 2023-10-27

Family

ID=75754005

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110004771.8A Active CN112784261B (en) 2021-01-04 2021-01-04 Method for program operation and corresponding system, computer device and medium

Country Status (1)

Country Link
CN (1) CN112784261B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113312088A (en) * 2021-06-29 2021-08-27 北京熵核科技有限公司 Method and device for executing program instruction

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4047161A (en) * 1976-04-30 1977-09-06 International Business Machines Corporation Task management apparatus
CN1447244A (en) * 2003-04-03 2003-10-08 杭州中天微系统有限公司 Method designed in CPU for detecting buffer area overflow
US20050120242A1 (en) * 2000-05-28 2005-06-02 Yaron Mayer System and method for comprehensive general electric protection for computers against malicious programs that may steal information and/or cause damages
CN1886728A (en) * 2003-09-04 2006-12-27 科学园株式会社 False code prevention method and prevention program and the program recording medium
CN103514405A (en) * 2013-07-08 2014-01-15 北京深思数盾科技有限公司 Method and system for detecting buffer overflow
CN104766015A (en) * 2015-04-10 2015-07-08 北京理工大学 Function call based dynamic detection method for buffer overflow vulnerability
CN105184169A (en) * 2015-09-14 2015-12-23 电子科技大学 Method for vulnerability detection in Windows operating environment based on instrumentation tool
CN105426752A (en) * 2015-11-24 2016-03-23 无锡江南计算技术研究所 Buffer region overflow protection method
CN109409086A (en) * 2018-09-21 2019-03-01 中国科学院信息工程研究所 The device that return address is tampered in detection storehouse based on newly-increased instruction
CN109635562A (en) * 2018-12-11 2019-04-16 哈尔滨工程大学 A kind of instruction modification virtual platform execution method towards the defence of kernel stack overflow
CN109840410A (en) * 2017-12-28 2019-06-04 中国科学院计算技术研究所 The method and system of data isolation and protection in a kind of process

Also Published As

Publication number Publication date
CN112784261B (en) 2023-10-27

Similar Documents

Publication Publication Date Title
US8364973B2 (en) Dynamic generation of integrity manifest for run-time verification of software program
US9530001B2 (en) System and method for below-operating system trapping and securing loading of code into memory
US8601273B2 (en) Signed manifest for run-time verification of software program identity and integrity
EP3779745B1 (en) Code pointer authentication for hardware flow control
US9392016B2 (en) System and method for below-operating system regulation and control of self-modifying code
US8925089B2 (en) System and method for below-operating system modification of malicious code on an electronic device
US8234638B2 (en) Creating a relatively unique environment for computing platforms
US10089498B2 (en) Memory integrity checking
CN109446799A (en) Internal storage data guard method, security component and computer equipment and storage medium
CN114186239A (en) Program white list method and device based on path information
CN112784261B (en) Method for program operation and corresponding system, computer device and medium
CN110348180B (en) Application program starting control method and device
CN117272286A (en) TEE-based process dynamic integrity measurement method and system
US20220407695A1 (en) Electronic device and control method thereof
JP4643201B2 (en) Buffer overflow vulnerability analysis method, data processing device, analysis information providing device, analysis information extraction processing program, and analysis information provision processing program
CN116737526A (en) Code segment dynamic measurement method and device and electronic equipment
CN108292260B (en) Apparatus and method for software self-test
CN116910768B (en) Attack defending method, system, device and medium
CN116842505B (en) Method, device and storage medium for constructing process trusted domain based on windows operating system
US11354407B2 (en) Techniques for library behavior verification
US20220092171A1 (en) Malicious code protection for computer systems based on system call table modification and runtime application patching
CN118673474A (en) Link method, equipment and medium for preventing dynamic link library hijacking
CN117786658A (en) Unauthorized application determination method, electronic device, and computer-readable medium
WO2012005565A1 (en) A method for rootkit resistance based on a trusted chip

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant