CN112784261B - Method for program operation and corresponding system, computer device and medium - Google Patents

Method for program operation and corresponding system, computer device and medium

Info

Publication number: CN112784261B
Authority: CN (China)
Prior art keywords: address, buffer, predetermined, program, memory
Legal status: Active
Application number: CN202110004771.8A
Other languages: Chinese (zh)
Other versions: CN112784261A
Inventors: 马永清, 韩勇桥, 王英彬
Current assignee: Beijing Lanjun Wangan Technology Development Co ltd
Original assignee: Beijing Lanjun Wangan Technology Development Co ltd
Priority claimed from: CN202110004771.8A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
Abstract

Methods for program execution and corresponding systems, computer devices and media are provided. The method comprises the following steps: each time the program is about to execute a function call instruction, the predetermined return address from the called function is encrypted and stored both in a buffer (the stack) and in a dynamic address translation table; before the function return instruction is executed, the data at the corresponding buffer location is read, decrypted and updated as follows: if the decrypted data is a legal address, it is written back into the buffer; if it is an illegal address, the corresponding encrypted return address is read from the dynamic address translation table, decrypted and written into the corresponding buffer location; the updated data is then read from the buffer as the target return address and the function return instruction is executed so that the program jumps to that address. The invention can detect and handle buffer overflow dynamically, and at the same time alleviates the protection failure that occurs when the backup return address is modified together with the original.

Description

Method for program operation and corresponding system, computer device and medium
Technical Field
The present invention relates to program execution and, more particularly, to a method for program execution that handles buffer overflow, together with a corresponding system, computer device and computer-readable storage medium.
Background
Buffer overflow is a very common problem that is widespread across operating systems and applications. Depending on the circumstances, a buffer overflow can lead to program failure, system crashes, restarts and the like. More seriously, an attacker can use a buffer overflow to execute unauthorized instructions, even acquire system privileges, and then perform arbitrary illegal operations.
Several schemes have been proposed in the prior art for the buffer overflow problem. Static detection scans the syntax, structure and semantics of the source code without running the program and completes buffer overflow detection before the program runs; this cannot detect overflows in programs for which no source code is available, nor can it prevent vulnerabilities that have not yet been found. Dynamic detection inserts bounds-checking code and recompiles the program (for example with BoundsChecker, SafeBound or compiler switches), terminating the program if an overflow is detected at run time. Another approach relies on the protection mechanisms of the CPU or operating system to restrict write or execute permissions on buffers, such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR); this requires the CPU or operating system to support the relevant features and consumes additional CPU or operating system resources. Finally, shadow stack schemes back up the stack contents and restore them after the function call completes, before returning from the called function; however, shadow stack technology does not address the case in which the backup return address is overwritten at the same time as the original.
Disclosure of Invention
It is an object of the present invention to provide an improved solution for buffer overflow which is capable of solving or alleviating at least some of the above-mentioned problems of the prior art while handling buffer overflows.
Specifically, according to a first aspect of the present invention, there is provided a method for program execution, comprising:
encrypting a predetermined return address returned from a called function whenever a program is to execute a function call instruction to call a function, and storing the encrypted predetermined return address in a predetermined buffer location of a buffer for running the program and in a predetermined translation table location of a dynamic address translation table stored in a memory in which the buffer is located;
before the program executes a function return instruction returned from the called function,
-reading data stored in said predetermined buffer location of said buffer and decrypting the read data; and
-updating the data stored at the predetermined buffer location of the buffer in the following way: if the decrypted data is a legal address, writing the decrypted data into the predetermined buffer location of the buffer; if the decrypted data is an illegal address, executing an exception handling step which comprises the following exception updating step: reading the encrypted predetermined return address from the predetermined translation table location of the dynamic address translation table, decrypting it, and writing the decrypted predetermined return address to the predetermined buffer location of the buffer;
and
reading updated data from the predetermined buffer location of the buffer as a target return address, executing the function return instruction based on the target return address to cause the program to jump to the target return address.
According to a second aspect of the present invention, there is provided a system for program execution, comprising:
the memory comprises a buffer area for running the program; and
a processor adapted to communicate with the memory and configured to:
encrypting a predetermined return address returned from a called function whenever a program is to execute a function call instruction to call a function, and storing the encrypted predetermined return address in a predetermined buffer location of a buffer for running the program and in a predetermined translation table location of a dynamic address translation table stored in the memory;
before the program executes a function return instruction returned from the called function,
-reading data stored in said predetermined buffer location of said buffer and decrypting the read data; and
-updating the data stored at the predetermined buffer location of the buffer in the following way: if the decrypted data is a legal address, writing the decrypted data into the predetermined buffer location of the buffer; if the decrypted data is an illegal address, executing an exception handling step which comprises the following exception updating step: reading the encrypted predetermined return address from the predetermined translation table location of the dynamic address translation table, decrypting it, and writing the decrypted predetermined return address to the predetermined buffer location of the buffer;
and
reading updated data from the predetermined buffer location of the buffer as a target return address, executing the function return instruction based on the target return address to cause the program to jump to the target return address.
According to a third aspect of the present invention there is provided a computer device comprising a memory and a processor, the memory having stored thereon computer instructions which, when executed by the processor, cause the above-described method to be performed.
According to a fourth aspect of the present invention there is provided a non-transitory computer readable storage medium having stored thereon computer instructions which, when executed by a processor, cause the above-described method to be performed.
With the scheme of the invention, buffer overflow can be detected and handled dynamically while the program runs, whether or not the program's source code is available and without depending on specific operating system or CPU features; further benefits follow, such as not having to wait for a program patch to be released, easier maintenance of the program, and reduced consumption of operating system or CPU resources. In addition, the scheme can solve or alleviate the protection failure caused by the backup return address being modified at the same time as the original.
Drawings
Non-limiting and non-exhaustive embodiments of the present invention are described by way of example with reference to the following drawings,
wherein:
FIG. 1 is a schematic diagram of an example memory region allocated for an application;
FIG. 2 is a schematic diagram illustrating a flow chart of a method according to an embodiment of the invention;
FIG. 3 is a schematic diagram illustrating a flow chart of an exception handling process according to an embodiment of the invention;
FIG. 4 is a schematic diagram illustrating a correlation process according to an embodiment of the present invention;
fig. 5 is a schematic diagram illustrating a system according to an embodiment of the invention.
Detailed Description
To further clarify the above and other features and advantages of the present invention, a further description of the invention will be rendered by reference to the appended drawings. It should be understood that the specific embodiments presented herein are for purposes of explanation to those skilled in the art and are intended to be illustrative only and not limiting.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It will be apparent, however, to one skilled in the art that the specific details need not be employed to practice the present invention. In other instances, well-known steps or operations have not been described in detail in order to avoid obscuring the invention.
A "buffer" is a contiguous memory area, i.e. memory space used during program execution. FIG. 1 is a schematic diagram of an example memory region allocated to an application program, comprising, from bottom to top: a code segment holding the program code; a data segment holding global variables, static variables and the like; a stack holding local variables, function parameters and any other information related to functions or function calls, such as the return address required to execute a function return instruction; and a heap, i.e. the dynamic memory allocation region, from which a program can request memory of a given size at run time. The difference between local and global variables is that a local variable is defined inside a specific function and can only be accessed within that function, whereas a global variable is defined outside any function and can be accessed anywhere. The memory area for program execution may include more or fewer segments as needed; for example, it may include an environment/argument segment holding a copy of the system environment variables the process may need at run time.
Among buffer overflows, the most dangerous is the stack overflow, because an intruder can use it to change the address the program returns to when the function returns to an arbitrary address, with serious consequences: in one case the program crashes, giving a denial of service; in the other the program jumps to and executes a piece of malicious code, for example spawning a shell, after which the attacker can do as they please.
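The stack layout and the shadow-stack limitation described above, as an added example that is not part of the patent: a simulated frame (a 16-byte buffer directly below the saved return address) is overrun by a constructed 20-byte input through an unbounded copy and kept intact by a bounded one, and a plain shadow-stack comparison is shown to reject the overwritten slot only while the backup copy is untouched. The frame layout, the return address 0x00401234 and the attacker input are assumptions made for the example.

```c
/* Added example (not from the patent): the stack-overflow problem and the limit
 * of a plain shadow stack, simulated in ordinary C objects so that nothing
 * undefined happens. Frame layout, addresses and the attacker input are invented. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ORIG_RET 0x00401234u   /* hypothetical legitimate return address */

/* One simulated stack frame: a 16-byte local buffer directly below the saved
 * return address, the layout a stack overflow clobbers. sizeof(struct frame) == 20. */
struct frame {
    char     buf[16];
    uint32_t saved_ret;
};

/* Vulnerable pattern, modelling strcpy()/gets() into buf: the copy length is not
 * bounded by sizeof buf, so input bytes 16..19 land in saved_ret. The destination
 * is the whole frame object (n <= sizeof *f), which keeps the simulation defined. */
static void unbounded_copy(struct frame *f, const unsigned char *in, size_t n) {
    memcpy(f, in, n);
}

/* Hardened form: never copy more than the buffer holds, and keep a NUL terminator. */
static void bounded_copy(struct frame *f, const unsigned char *in, size_t n) {
    size_t max = sizeof f->buf - 1;
    if (n > max) n = max;
    memcpy(f->buf, in, n);
    f->buf[n] = '\0';
}

/* Plain shadow stack (prior art): the saved return address is accepted only while
 * it still equals the backup copy. */
static bool shadow_stack_accept(uint32_t slot, uint32_t backup) { return slot == backup; }

typedef void (*copy_fn)(struct frame *, const unsigned char *, size_t);

/* Fill a fresh frame, feed it 20 bytes of 'A' (constructed attacker input, four more
 * than the buffer holds) through the given copy routine, and report saved_ret. */
static uint32_t saved_ret_after(copy_fn copy) {
    struct frame f = { { 0 }, ORIG_RET };
    unsigned char in[sizeof f];
    memset(in, 'A', sizeof in);
    copy(&f, in, sizeof in);
    return f.saved_ret;
}

/* Shadow-stack outcome after the unbounded copy, when the attacker's write reaches
 * only the stack slot, or the slot and the backup (the case the description says a
 * shadow stack does not cover). Returns the accepted return target, or 0 if rejected. */
static uint32_t shadow_stack_target(bool backup_also_overwritten) {
    uint32_t slot   = saved_ret_after(unbounded_copy);
    uint32_t backup = backup_also_overwritten ? slot : ORIG_RET;
    return shadow_stack_accept(slot, backup) ? slot : 0;
}

int main(void) {
    printf("unbounded copy: saved_ret = 0x%08x\n", saved_ret_after(unbounded_copy));
    printf("bounded copy:   saved_ret = 0x%08x\n", saved_ret_after(bounded_copy));
    printf("shadow stack, slot overwritten:            target = 0x%08x (0 = rejected)\n",
           shadow_stack_target(false));
    printf("shadow stack, slot and backup overwritten: target = 0x%08x\n",
           shadow_stack_target(true));
    return 0;
}
```

The last scenario is the one the description refers to: once an attacker's write reaches both copies, an equality check has nothing to compare against and 0x41414141 is accepted as the return target. Any scheme that keeps the backup in plaintext, in memory the same overflow can reach, inherits this weakness.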
The present invention proposes a solution for buffer overflows, in particular stack overflows. The general idea is to monitor all function call (call) instructions and function return (ret) instructions of a program by dynamically tracking its execution, as follows: when each function call instruction is about to be executed, encrypt the corresponding predetermined return address and store it in a predetermined buffer location of the buffer and in a predetermined table location of a dynamic address translation table; before the called function completes and the corresponding function return instruction is executed, decrypt the data at the predetermined buffer location; if the decrypted data is a legal address, write it back to the predetermined buffer location to update the data stored there, and if it is an illegal address, update the predetermined buffer location by performing an exception handling step which comprises at least the following exception updating step: read the encrypted predetermined return address from the predetermined table location of the dynamic address translation table, decrypt it, and write the decrypted predetermined return address to the predetermined buffer location; then execute the function return instruction using the updated data at the predetermined buffer location as the target return address, so that the program continues running. "Program" is to be understood broadly here as any instruction or code segment that can be executed to implement one or more functions; it may be a main program or a subroutine.
Decrypted data at the predetermined buffer location that is an illegal address (e.g. garbage bytes) may correspond to different situations. One possible case is that the predetermined return address stored on the stack when the function call instruction executed has been overwritten before the called function returns, for example by a malicious attack; another possible case is that the predetermined return address stored on the stack has been legitimately modified, for example intentionally by the program's author, or for other reasons.
Optionally, the present invention may perform different exception handling steps for the different cases above, based on a pre-established exception address information table. The exception address information table includes at least a legitimately modified return address associated with each of one or more particular function call instructions of the program, where for each such function call instruction the associated legitimately modified return address differs from the predetermined return address to which the called function would originally return. In one embodiment, when the decrypted data is an illegal address, performing the exception handling step comprises: determining whether the pre-established exception address information table contains address information that is the same as, or consistent with, the illegal address; if so, writing the decrypted data into the predetermined buffer location of the buffer to update the data stored there, and if not, performing the exception updating step described above (reading the encrypted predetermined return address from the predetermined table location of the dynamic address translation table, decrypting it, and writing the decrypted predetermined return address into the predetermined buffer location to update the data stored there). In this way the case in which the predetermined return address stored on the stack has been legitimately modified before the function return instruction executes can be recognised and accommodated, normal operation of the program in that case is preserved, and compatibility with software that modifies its own instructions is achieved.
The dynamic address translation table may be created in various ways. For example, it may be built dynamically during program execution by monitoring the function call instructions the running program executes. In one embodiment, a dynamic address translation table is generated for each running program which contains, for each function call instruction executed by the program, the predetermined return address returned from the function that instruction calls, and may optionally contain other information associated with the function call instruction, such as context information including, but not limited to, the instruction pointer (EIP) value at the time the function call instruction executes, i.e. the address of the function call instruction itself. The return address stored in the dynamic address translation table may be encrypted; the other information stored in the table may be encrypted or unencrypted. For example, each time a program executes a function call instruction, or each time it executes a given function call instruction for the first time, the return address just pushed onto the stack is encrypted, the unencrypted return address on the stack is replaced with the encrypted one, and the encrypted return address (optionally with the context information associated with the function call instruction) is saved in a newly created or existing table, thereby creating or updating the dynamic address translation table for the program.
If a function call instruction is executed more than once during program execution, the operation of saving the corresponding return address and optionally the associated context information in the dynamic address translation table may be performed only the first time that instruction executes, or every time. Saving the context information associated with the function call in the dynamic address translation table facilitates the subsequent lookup of the corresponding encrypted predetermined return address. The dynamic address translation table may be stored in memory, particularly in an area of memory other than the buffer used for program execution. After the program has finished, the dynamic address translation table created for it may be purged from memory.
The exception address information table may likewise be created in various ways. For example, a separate exception address information table may be created for each program; alternatively, one exception address information table may cover two or more programs, with a portion or a set of entries specific to each program. In one embodiment, the exception address information table for a target program is created by a prior training run that analyses and records the return addresses the program modifies in unusual ways during its operation. For example, the program's data and usage flows under various normal operating conditions, and in particular the execution of data and instructions that may modify the buffer (for example copyright verification, identification or key data access), may be simulated with auxiliary tools, automated scripts and/or manual assistance; meanwhile, by monitoring the program's function calls, the return addresses that are modified in this way, optionally with the context associated with the function call, are collected and recorded, and the recorded return addresses and associated information are encrypted to form the exception address information table. For example, the program author may deliberately modify the return address corresponding to a function call instruction for some purpose, producing a modified return address that can be stored in the exception address information table for matching in the exception handling step.
Depending on the circumstances, the created exception address information table can be updated by adding, deleting or changing the return address (and any related information) associated with one or more function call instructions of the program, for example through further simulation, monitoring, analysis and recording of the program's operation. In general, the more data and the wider the range of conditions simulated for a program, the more comprehensive and accurate the resulting exception address information table. Advantageously, the return addresses stored in the exception address information table are encrypted; the other information stored there may be encrypted or unencrypted. The context information associated with the function call that is stored in the table may be used to help determine whether the illegal address under consideration corresponds to the particular situation, reflected by the relevant entry, in which the return address was legitimately modified. When not in use, the exception address information table may be kept in a storage device other than main memory, such as external storage, and loaded into memory when needed. It may be retained for a period of time or permanently, as desired.
The addresses referred to herein may be absolute or relative addresses. For example, the return address in the dynamic address translation table is preferably an absolute address, while the return address in the exception address information table is preferably a relative address, i.e. an offset from the program entry address. Where a stored address is relative, the corresponding absolute address can be determined from the program entry address and the offset.
Fig. 2 schematically shows a flow chart 200 of a method according to an embodiment of the invention. Method 200 may include step 201, step 202, step 203, step 204, step 205, and step 206.
The method starts at step 201. In step 201, each time the program is about to execute a function call instruction, the predetermined return address returned from the called function is encrypted, and the encrypted predetermined return address is stored in a predetermined buffer location of the buffer used for program execution and in a predetermined table location of the dynamic address translation table.
At step 202, after the called function has executed and before the function return instruction is executed, the data stored in the predetermined buffer location of the buffer is read and decrypted.
In step 203, it is determined whether the decrypted data obtained in step 202 is a legal address.
If the determination at step 203 is affirmative, the method proceeds to step 204. In step 204, the decrypted data is written to a predetermined buffer location of the buffer to update the data therein.
If the determination of step 203 is negative, the method proceeds to step 205. In step 205, an exception handling step is performed to update data stored at a predetermined buffer location of the buffer. In one embodiment, performing the exception handling step includes performing the following exception updating step: the encrypted predetermined return address is read from a predetermined translation table location of the dynamic address translation table, decrypted, and written to a predetermined buffer location of the buffer. In another embodiment, performing the exception handling step may include performing an exception handling process as shown in FIG. 3, which will be described later.
At step 206, the updated data is read from the predetermined buffer location of the buffer as the target return address, and a function return instruction is executed based on the target return address to cause the program to jump to the target return address for continued operation.
As shown in FIG. 3, the exception handling process may include steps 3051, 3052 and 3053.
Exception handling is triggered when the decrypted data from the stack is an illegal address. In step 3051, it is determined whether the illegal address is contained in the pre-established exception address information table.
If the determination at step 3051 is affirmative, the process proceeds to step 3052. At step 3052, the decrypted data is written into the predetermined buffer location of the buffer to update the data there.
If the determination at step 3051 is negative, the process proceeds to step 3053. At step 3053, the data stored in the predetermined buffer location of the buffer is updated from the encrypted return address in the dynamic address translation table, i.e. the exception updating step described above is performed: the encrypted predetermined return address is read from the predetermined table location of the dynamic address translation table, decrypted, and written to the predetermined buffer location of the buffer.
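The complete flow of steps 201 to 206 together with the exception handling of steps 3051 to 3053, as an added example written for this page (it is not the patent's code). The following are assumptions made so that it runs: XOR with a per-process secret stands in for the cipher the description leaves open; a "legal address" means an address inside a hypothetical code segment; the legitimately modified return target lies outside the code segment (a stub at 0x00500010 in the heap) and the program's own retarget passes through the monitor in the same encrypted form; the dynamic address translation table is keyed by the call instruction's EIP and holds absolute addresses, while the exception address information table holds addresses relative to the program entry. Every address, the key and the table contents are invented.

```c
/* Added example (not the patent's code): the call/return monitor of steps 201-206
 * with the exception handling of steps 3051-3053, simulated in ordinary C objects.
 * "Encryption" is XOR with a per-process secret, standing in for the cipher the
 * description leaves open; a "legal address" is taken to mean one inside the code
 * segment. All addresses, the key and the table contents are invented. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define CODE_BASE   0x00400000u   /* hypothetical code segment [CODE_BASE, CODE_LIMIT) */
#define CODE_LIMIT  0x00410000u
#define PROG_ENTRY  0x00401000u   /* hypothetical program entry; base for relative addresses */
#define MAX_ENTRIES 16

/* Assumption: secret chosen at process start and not readable by the attacker. */
static const uint32_t g_key = 0x5A17C3E9u;
static uint32_t mangle(uint32_t a)   { return a ^ g_key; }
static uint32_t demangle(uint32_t e) { return e ^ g_key; }
static bool is_legal_address(uint32_t a) { return a >= CODE_BASE && a < CODE_LIMIT; }

/* Simulated stack frame: 16-byte local buffer directly below the saved return
 * address, which holds the *encrypted* address while the callee runs. */
struct frame { char buf[16]; uint32_t saved_ret; };

/* Dynamic address translation table: encrypted absolute return address per call
 * site, keyed by the address of the call instruction (the EIP value). */
struct dat_entry { uint32_t call_eip; uint32_t enc_ret; };
static struct dat_entry g_dat[MAX_ENTRIES];
static size_t g_dat_len;

/* Exception address information table: encrypted addresses, relative to PROG_ENTRY,
 * of return targets the program is known to set legitimately (recorded by a prior
 * training run; constructed here). */
static uint32_t g_exc[MAX_ENTRIES];
static size_t g_exc_len;

static void reset_tables(void) { g_dat_len = 0; g_exc_len = 0; }

static void exc_table_add(uint32_t abs_target) {
    if (g_exc_len < MAX_ENTRIES) g_exc[g_exc_len++] = mangle(abs_target - PROG_ENTRY);
}

static bool exc_table_contains(uint32_t abs_target) {
    for (size_t i = 0; i < g_exc_len; i++)
        if (demangle(g_exc[i]) + PROG_ENTRY == abs_target) return true;
    return false;
}

static bool dat_lookup(uint32_t call_eip, uint32_t *enc_out) {
    for (size_t i = 0; i < g_dat_len; i++)
        if (g_dat[i].call_eip == call_eip) { *enc_out = g_dat[i].enc_ret; return true; }
    return false;
}

/* Step 201: `call` at call_eip is about to execute; ret is the predetermined return
 * address. Store it encrypted in the frame and in the translation table. */
static void on_call(struct frame *f, uint32_t call_eip, uint32_t ret) {
    uint32_t enc = mangle(ret);
    f->saved_ret = enc;
    for (size_t i = 0; i < g_dat_len; i++)        /* call site seen before: refresh it */
        if (g_dat[i].call_eip == call_eip) { g_dat[i].enc_ret = enc; return; }
    if (g_dat_len < MAX_ENTRIES) g_dat[g_dat_len++] = (struct dat_entry){ call_eip, enc };
}

enum outcome { RET_NORMAL, RET_LEGIT_MODIFIED, RET_RESTORED, RET_UNRECOVERABLE };

/* Steps 202-206, with 3051-3053 for the illegal case: run just before `ret`. Leaves the
 * plaintext target in the frame, returns it via *target, and reports how it was obtained. */
static enum outcome on_return(struct frame *f, uint32_t call_eip, uint32_t *target) {
    uint32_t dec = demangle(f->saved_ret);              /* 202: read and decrypt */
    if (is_legal_address(dec)) {                        /* 203/204: legal, write it back */
        f->saved_ret = dec; *target = dec; return RET_NORMAL;
    }
    if (exc_table_contains(dec)) {                      /* 3051/3052: known legitimate target */
        f->saved_ret = dec; *target = dec; return RET_LEGIT_MODIFIED;
    }
    uint32_t enc;                                       /* 3053: restore from the table */
    if (!dat_lookup(call_eip, &enc)) return RET_UNRECOVERABLE;
    f->saved_ret = demangle(enc); *target = f->saved_ret; return RET_RESTORED;
}

/* Constructed attack: 20 bytes of 'A' written from the start of the buffer run four
 * bytes past it into saved_ret (sizeof(struct frame) == 20, so this stays defined). */
static void overflow_frame(struct frame *f) {
    unsigned char payload[sizeof(struct frame)];
    memset(payload, 'A', sizeof payload);
    memcpy(f, payload, sizeof payload);
}

/* Assumption: a legitimate retarget by the program passes through the monitor and is
 * stored in the same encrypted form as a normal return address. */
static void legit_retarget(struct frame *f, uint32_t new_target) { f->saved_ret = mangle(new_target); }

int main(void) {
    static const char *names[] = { "normal", "legitimately modified", "restored", "unrecoverable" };
    struct frame f; uint32_t t;
    reset_tables();
    exc_table_add(0x00500010u);            /* hypothetical stub in the heap, learnt in training */

    on_call(&f, 0x00401200u, 0x00401234u);
    printf("%-22s -> 0x%08x\n", names[on_return(&f, 0x00401200u, &t)], t);
    on_call(&f, 0x00401200u, 0x00401234u); overflow_frame(&f);
    printf("%-22s -> 0x%08x\n", names[on_return(&f, 0x00401200u, &t)], t);
    on_call(&f, 0x00401200u, 0x00401234u); legit_retarget(&f, 0x00500010u);
    printf("%-22s -> 0x%08x\n", names[on_return(&f, 0x00401200u, &t)], t);
    return 0;
}
```

Three caveats a practitioner would check before relying on such a scheme. First, step 203 as modelled here accepts any code-segment address, so it is an integrity check on the encryption, not on the control flow: an attacker who learns the key (and with XOR, one known return address leaks it) can write an encrypted pointer to any gadget and pass step 203. Second, the recovery in step 3053 is only as good as the isolation of the dynamic address translation table from the same write primitive; if the overflow can reach it, the restored value is attacker-controlled too. Third, matching the exception address information table by value means any listed target is a permitted return destination for every call site unless the table is also keyed by the call-site context the description mentions.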
The present invention is further described with reference to FIG. 4 in connection with an exemplary code segment, stack, dynamic address translation table and exception address information table. As shown in FIG. 4, the code segment of the buffer used for program execution holds the program code, and the instruction pointer EIP indicates that the program is about to execute a function call instruction; at that point the corresponding return address is encrypted and stored in both the stack and the dynamic address translation table, as indicated by the solid lines from the code segment to the stack and to the dynamic address translation table. After the called function has executed and before the corresponding return instruction executes: if the data at the stack position that originally held the encrypted return address decrypts to a legal address, that legal address is stored at the position to update it; if the decrypted data is an illegal address, the illegal address is matched against the modified addresses in the pre-established exception address information table to decide whether the stack position is updated with the decrypted data or with the corresponding saved address from the dynamic address translation table. The use of the dynamic address translation table and the exception address information table when the decrypted stack data indicates an incorrect return address is shown with dashed lines in FIG. 4. In addition to the return address, the stack in FIG. 4 is shown holding data such as temporary data, the saved EIP, parameters and the like.
The present invention may be implemented as a system for program execution, the system may include a memory and a processor adapted to communicate with the memory and configured to execute computer instructions to perform some or all of the steps of the method for program execution of the present invention.
FIG. 5 schematically illustrates a system 500 according to an embodiment of the invention. System 500 includes a memory 501, an external memory 502 and a processor 503. Memory 501 and external memory 502 are both communicatively coupled to processor 503, and to each other. Herein "memory" may also be called "internal memory" (main memory) and "external memory" may also be called "external storage".
Memory 501 may include a memory area for program execution, i.e. the buffer, and additional memory areas, for example for the dynamic address translation table and, when loaded from external memory 502, the exception address information table. External memory 502 may take various forms, such as, but not limited to, a hard disk, floppy disk, optical disc or USB flash drive. The exception address information table may be kept in external memory 502 when not in use. Processor 503 may be configured to control the execution of program code loaded into memory 501 and to load the exception address information table from external memory 502 into memory 501 when needed. Processor 503 may be configured to execute computer instructions to perform some or all of the steps of the method for program execution of the present invention.
The invention may also be implemented as a system comprising an information extraction module, an encryption and decryption module, a monitoring module and an exception handling module. The monitoring module monitors the running program, tracks its function call and function return instructions, and processes the data on the stack; the information extraction module, aided by the monitoring module, records and extracts information about the program's internal function calls and returns while it runs, in order to generate the dynamic address translation table and the exception address information table; the encryption and decryption module encrypts and decrypts data such as the return address, for example according to a preset encryption algorithm and decryption algorithm; and the exception handling module intervenes and performs the corresponding processing to recover the target return address when the decrypted address obtained from the stack is an illegal address.
It will be appreciated by those of ordinary skill in the art that the schematic diagram shown in FIG. 5 is merely illustrative of some of the structures associated with aspects of the present invention and is not intended to limit the computer device, processor or computer program instructions embodying aspects of the present invention. A particular computer device, processor, or computer program instructions may include more or fewer components or modules than those shown in the figures, may combine or split certain components or modules, or may have a different arrangement of components or modules.
It will be appreciated that the specific features, operations and details described herein before in relation to the method of the invention may also be similarly applied to the system of the invention, or vice versa. In addition, each step of the method of the present invention described above may be performed by a corresponding component or unit of the system of the present invention.
It is to be understood that the various modules/units of the system of the present invention may be implemented in whole or in part by software, hardware, firmware, or a combination thereof. The modules/units may each be embedded in a processor of the computer device in hardware or firmware or separate from the processor, or may be stored in a memory of the computer device in software for invocation by the processor to perform the operations of the modules/units. Each of the modules/units may be implemented as a separate component or module, or two or more modules/units may be implemented as a single component or module.
In one embodiment, a computer device is provided that includes a memory and a processor, the memory having stored thereon computer instructions executable by the processor, which when executed by the processor, instruct the processor to perform the steps of the method of the present invention. The computer device may be broadly a server, a terminal, or any other electronic device having the necessary computing and/or processing capabilities. In one embodiment, the computer device may include a processor, memory, network interface, communication interface, etc. connected by a system bus. The processor of the computer device may be used to provide the necessary computing, processing and/or control capabilities. The memory of the computer device may include a non-volatile storage medium and an internal memory. The non-volatile storage medium may have an operating system, computer programs, etc. stored therein or thereon. The internal memory may provide an environment for the operation of the operating system and computer programs in the non-volatile storage medium. The network interface and communication interface of the computer device may be used to connect and communicate with external devices via a network. The computer program, when executed by the processor, performs the steps of the method for program execution of the invention.
The present invention may be embodied as a computer readable storage medium having stored thereon computer instructions which when executed by a processor cause the steps of the method of the present invention to be performed. In one embodiment, the computer instructions are distributed over a plurality of computer devices or processors coupled by a network such that the computer instructions are stored, accessed, and executed by one or more computer devices or processors in a distributed fashion. A single method step/operation, or two or more method steps/operations, may be performed by a single computer device or processor, or by two or more computer devices or processors. One or more method steps/operations may be performed by one or more computer devices or processors, and one or more other method steps/operations may be performed by one or more other computer devices or processors. One or more computer devices or processors may perform a single method step/operation or two or more method steps/operations.
Those skilled in the art will appreciate that all or part of the steps for program execution of the present invention may be performed by computer instructions, stored in a non-transitory computer-readable storage medium, that when executed cause the steps for program execution of the present invention to be performed by associated hardware, such as a computer device or processor. Any reference herein to memory, storage, database, or other medium may include non-volatile and/or volatile memory, as the case may be. Examples of non-volatile memory include Read Only Memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), flash memory, magnetic tape, floppy disk, magneto-optical data storage, hard disk, solid state disk, and the like. Examples of volatile memory include Random Access Memory (RAM), external cache memory, and the like.
The technical features described above may be arbitrarily combined. Although not all possible combinations of features are described, any combination of features should be considered to be covered by the description provided that such combinations are not inconsistent.
While the invention has been described in conjunction with embodiments, it will be understood by those skilled in the art that the foregoing description and drawings are illustrative only and that the invention is not limited to the disclosed embodiments. Various modifications and variations are possible without departing from the spirit of the invention.

Claims (12)

1. A method for program execution, comprising:
encrypting a predetermined return address returned from a called function whenever a program is to execute a function call instruction to call a function, and storing the encrypted predetermined return address in a predetermined buffer location of a buffer for running the program and in a predetermined translation table location of a dynamic address translation table stored in a memory in which the buffer is located;
before the program executes a function return instruction returned from the called function,
-reading data stored in said predetermined buffer location of said buffer and decrypting the read data; and
-updating data stored at the predetermined buffer location of the buffer in the following way: if the decrypted data is a legal address, writing the decrypted data into the predetermined buffer location of the buffer; if the decrypted data is an illegal address, executing an exception handling step, wherein the exception handling step comprises the following exception updating step: reading the encrypted predetermined return address from the predetermined translation table location of the dynamic address translation table, decrypting it, and writing the decrypted predetermined return address to the predetermined buffer location of the buffer;
and
reading updated data from the predetermined buffer location of the buffer as a target return address, executing the function return instruction based on the target return address to cause the program to jump to the target return address.
2. The method of claim 1, wherein the exception handling step further comprises:
determining whether a pre-established exception address information table includes address information identical or consistent with the illegal address, wherein the exception address information table includes a legitimately modified return address associated with each of one or more specific function call instructions; and
if the determination result is affirmative, writing the decrypted data into the predetermined buffer location of the buffer,
wherein the exception updating step is executed only in the case where the determination result is negative.
3. The method of claim 2, wherein the exception address information table further comprises context information associated with each of the one or more particular function call instructions.
4. The method of claim 2, wherein the exception address information table is stored in an external memory of a system in which the memory resides.
5. The method of any of claims 1-4, wherein the dynamic address translation table is stored in an area of the memory other than the buffer.
6. A system for program execution, comprising:
a memory comprising a buffer for running a program; and
a processor adapted to communicate with the memory and configured to:
encrypting a predetermined return address returned from a called function whenever a program is to execute a function call instruction to call a function, and storing the encrypted predetermined return address in a predetermined buffer location of a buffer for running the program and in a predetermined translation table location of a dynamic address translation table stored in the memory;
before the program executes a function return instruction returned from the called function,
-reading data stored in said predetermined buffer location of said buffer and decrypting the read data; and
-updating data stored at the predetermined buffer location of the buffer in the following way: if the decrypted data is a legal address, writing the decrypted data into the predetermined buffer location of the buffer; if the decrypted data is an illegal address, executing an exception handling step, wherein the exception handling step comprises the following exception updating step: reading the encrypted predetermined return address from the predetermined translation table location of the dynamic address translation table, decrypting it, and writing the decrypted predetermined return address to the predetermined buffer location of the buffer;
and
reading updated data from the predetermined buffer location of the buffer as a target return address, executing the function return instruction based on the target return address to cause the program to jump to the target return address.
7. The system of claim 6, wherein the exception handling step further comprises:
determining whether a pre-established exception address information table includes address information identical or consistent with the illegal address, wherein the exception address information table includes a legitimately modified return address associated with each of one or more specific function call instructions; and
if the determination result is affirmative, writing the decrypted data into the predetermined buffer location of the buffer,
wherein the exception updating step is executed only in the case where the determination result is negative.
8. The system of claim 7, wherein the exception address information table further comprises context information associated with each of the one or more particular function call instructions.
9. The system of claim 7, further comprising an external memory, wherein the processor is further adapted to communicate with the external memory, the exception address information table being stored in the external memory.
10. The system of any of claims 6 to 9, wherein the dynamic address translation table is stored in an area of the memory other than the buffer.
11. A computer device comprising a memory and a processor, the memory having stored thereon computer instructions that, when executed by the processor, cause the method of any of claims 1 to 5 to be performed.
12. A non-transitory computer readable storage medium having stored thereon computer instructions which, when executed by a processor, cause the method of any of claims 1 to 5 to be performed.
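The call side and return side of claims 1 to 4, as an added simulation in C that is not code from the patent. It assumes XOR with a constructed key in place of the patent's unspecified cipher, a constructed list of legal return sites, and constructed addresses for the stack slots, call sites and exception address information table.

```c
/* Added example, not code from the patent: a user-space simulation of the
 * return-address scheme in claims 1 to 4. XOR with a fixed key stands in for
 * the patent's unspecified cipher; all addresses, keys and tables are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

typedef uint64_t addr_t;
#define SLOTS 8
static const addr_t KEY = 0x5A5A1234ABCD9876ULL;          /* constructed key */
static addr_t encrypt_addr(addr_t a) { return a ^ KEY; }
static addr_t decrypt_addr(addr_t c) { return c ^ KEY; }

static addr_t stack_slots[SLOTS];     /* the "buffer": return-address slots */
static addr_t xlat_table[SLOTS];      /* dynamic address translation table, kept
                                         outside the buffer (claim 5) */
static addr_t slot_call_site[SLOTS];  /* which call instruction filled each slot */
static bool last_restored;            /* did the exception updating step run? */

/* Constructed list of legitimate return sites, one per call instruction. */
static const addr_t legal_sites[] = { 0x401010, 0x401040, 0x401088 };
/* Exception address information table (claims 2 and 3): a return address that
 * one specific call instruction is allowed to have legitimately changed. */
struct exc_entry { addr_t call_site; addr_t allowed_ret; };
static const struct exc_entry exception_table[] = { { 0x401084, 0x402000 } };

static bool is_legal(addr_t a) {
    for (size_t i = 0; i < sizeof legal_sites / sizeof *legal_sites; i++)
        if (legal_sites[i] == a) return true;
    return false;
}
static bool in_exception_table(addr_t call_site, addr_t a) {
    for (size_t i = 0; i < sizeof exception_table / sizeof *exception_table; i++)
        if (exception_table[i].call_site == call_site &&
            exception_table[i].allowed_ret == a) return true;
    return false;
}

/* Call side of claim 1: the encrypted return address goes to both places. */
void on_call(size_t slot, addr_t call_site, addr_t ret) {
    addr_t c = encrypt_addr(ret);
    stack_slots[slot] = c;
    xlat_table[slot] = c;
    slot_call_site[slot] = call_site;
}
/* Models a stack-slot overwrite by a memory-safety bug in the program. */
void corrupt_slot(size_t slot, addr_t value) { stack_slots[slot] = value; }
/* Models a legitimate in-program rewrite of the slot (claim 2): written in the
 * scheme's encrypted form, and deliberately not mirrored into the table. */
void legit_rewrite(size_t slot, addr_t ret) { stack_slots[slot] = encrypt_addr(ret); }
bool exception_step_ran(void) { return last_restored; }

/* Return side of claims 1 and 2: returns the target return address. */
addr_t on_return(size_t slot) {
    addr_t d = decrypt_addr(stack_slots[slot]);
    last_restored = !(is_legal(d) || in_exception_table(slot_call_site[slot], d));
    /* legal or whitelisted: keep d; otherwise the exception updating step
       restores the return address from the translation table */
    stack_slots[slot] = last_restored ? decrypt_addr(xlat_table[slot]) : d;
    return stack_slots[slot];                  /* updated data = target */
}
```

A plaintext overwrite of a slot decrypts to a value that is neither a legal site nor in the exception table, so the table copy wins; a rewrite to the address whitelisted for that call site is accepted without restoration.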
CN202110004771.8A 2021-01-04 2021-01-04 Method for program operation and corresponding system, computer device and medium Active CN112784261B (en)


Publications (2)

Publication Number Publication Date
CN112784261A CN112784261A (en) 2021-05-11
CN112784261B true CN112784261B (en) 2023-10-27

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant