CN112966258A - Control flow integrity protection method, system and device and readable storage medium - Google Patents

Control flow integrity protection method, system and device and readable storage medium Download PDF

Info

Publication number
CN112966258A
CN112966258A CN202110300061.XA CN202110300061A CN112966258A CN 112966258 A CN112966258 A CN 112966258A CN 202110300061 A CN202110300061 A CN 202110300061A CN 112966258 A CN112966258 A CN 112966258A
Authority
CN
China
Prior art keywords
program
protected
control flow
information
function pointer
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110300061.XA
Other languages
Chinese (zh)
Other versions
CN112966258B (en
Inventor
李金库
李睿
向昊
姚青松
马建峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xidian University
Original Assignee
Xidian University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Xidian University filed Critical Xidian University
Priority to CN202110300061.XA priority Critical patent/CN112966258B/en
Publication of CN112966258A publication Critical patent/CN112966258A/en
Application granted granted Critical
Publication of CN112966258B publication Critical patent/CN112966258B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a control flow integrity protection method, a system, equipment and a readable storage medium, which comprises the steps of obtaining a control flow graph of a program to be protected, wherein position information and source point information of a function pointer are recorded; leading the control flow graph into a program to be protected; acquiring context information of a program in operation by utilizing store instruction instrumentation, and storing the context information in an MPX table; inquiring an MPX table by utilizing indirect call instruction instrumentation to acquire context information and verify the validity of a jump target actually operated by a program; the method records the position information and the source point information of a function pointer by using a control flow graph; verifying the validity of a control flow jump target through store instruction instrumentation; the method is carried out in an intermediate code layer of the program without modifying a program source code; the store instruction instrumentation effectively improves the analysis precision, can process the source point information of the function pointer in the composite type, processes the instruction for indirect jump by using the function pointer in the global variable, and has smaller safety parameter and higher safety performance.

Description

Control flow integrity protection method, system and device and readable storage medium
Technical Field
The invention belongs to the technical field of network space security, relates to protection against malicious attacks, and particularly relates to a control flow integrity protection method, system and device and a readable storage medium.
Background
Control-Flow Integrity protection (CFI) is a technology for defending against Control-Flow hijacking attacks, which generates a Control Flow graph by analyzing a program source code or an intermediate code, so that each indirect Control-Flow transfer instruction or jump instruction (indirect call/indirect jmp/ret) corresponds to an effective target set, and the target validity of each indirect jump instruction is ensured during program operation; therefore, the more accurate the control flow graph is, the better the protection effect of the CFI is; and the accuracy of control flow integrity protection can be effectively improved by adopting the context information.
Currently, researchers in the industry have proposed a wide variety of context-sensitive CFI techniques; for example, PathArmor [ v.van der Veen et al, ACM CCS 2015] records the last executed branches of a program using the lbr (last Branch record) function of the Intel processor; pitttypot [ r.ding et al, usenex Security 2017] records program execution paths using the trace PT function of an Intel processor; the two types of context information recorded by adopting the hardware function of the processor can distinguish the execution paths of the programs; but the effective target of the indirect control flow transfer instruction can be executed only when the effective target is effective on the current execution path; in addition, researchers provide a method for backtracking a return address on a call stack based on context information of the call stack, and construct an execution path (CFI-LB) [ m.khandker et al, EuroS & P2019 ], so that according to the number of return addresses of different numbers on the backtracking call stack, execution paths with different granularities can be constructed to serve as context information, and effective target sets are divided.
The effective target set of each indirect control flow transfer instruction is called an Equivalence Class (EC), and path-sensitive CFIs can reduce the average size of the EC, but have no good effect on processing larger ECs in a program; origin-reactive Control Flow Integrity (OS-CFI) [ m.khandaker et al, useenix Security 2019] uses source point information, which refers to a location where a function pointer is written or updated, as context information; dividing the target set according to the source point information, effectively dividing a larger target set of some indirect jump instructions in a program, and defending a series of virtual functions according to the sequence set by an attacker by utilizing the characteristic of C + + object-oriented programming and utilizing a virtual function table in a tampering class to execute a series of virtual functions to complete attack targets (COOP attacks); however, the OS-CFI records only a simple type of function pointer initialization operation, does not process function pointer source point information in a complex type, and cannot process an instruction for indirect jump using a function pointer in a global variable.
Disclosure of Invention
Aiming at the technical problems in the prior art, the invention provides a control flow integrity protection method, a system, a device and a readable storage medium, which aim to solve the problems that in the prior art, when source point information is used as context information, only simple type function pointer initialization operation is recorded, the source point information of a function pointer in a composite type is not processed, and an instruction for indirect jump by using the function pointer in a global variable cannot be processed.
In order to achieve the purpose, the invention adopts the technical scheme that:
the invention provides a control flow integrity protection method, which comprises the following steps:
acquiring a control flow diagram of a program to be protected; the method comprises the steps that position information of a function pointer and source point information of the function pointer are recorded in a control flow graph of a program to be protected;
leading a control flow graph of a program to be protected into the program to be protected;
acquiring context information of the program to be protected during operation by utilizing store instruction instrumentation, and storing the context information of the program to be protected during operation in an MPX table;
inquiring an MPX table by utilizing indirect call instruction instrumentation to acquire context information; and verifying the validity of the jump target actually run by the program by using the context information.
Further, the process of obtaining the control flow graph of the program to be protected specifically includes:
compiling the source code of the program to be protected by using the LLVM Clang tool modified by the instrumentation by adopting an LLVM compiler to obtain an intermediate code of the program to be protected;
and performing static analysis on the intermediate code of the program to be protected by using the modified SVF tool source code to obtain a control flow diagram of the program to be protected.
Further, by using the modified SVF tool source code, performing static analysis on the intermediate code of the program to be protected, and obtaining a control flow graph of the program to be protected specifically as follows:
analyzing the program to be protected by adopting a function characteristic matching method to obtain an effective target set corresponding to the indirect call instruction;
performing static analysis on the global variable to obtain the position information of the function pointer;
performing static analysis on the store instruction to obtain source point information of the function pointer;
and distinguishing the targets in the effective target set corresponding to the indirect call instruction by using the position information of the function pointer and the source point information of the function pointer to obtain a control flow diagram of the program to be protected.
Further, the expression of the CFG tuple in the control flow graph of the program to be protected is:
(origin/position,ICT,target)
wherein origin is source point information of the function pointer, ICT is position information of the indirect call instruction, target is a specific target, and poison is position information of the function pointer.
Further, the process of importing the control flow graph of the program to be protected into the program to be protected is specifically as follows:
printing data of the cfg _ label segment by using an objdump command, and classifying a control flow graph of a program to be protected according to the data of the cfg _ label segment by using a python script to generate a binary file;
and importing the binary file into the program file to be protected by adopting a PASS tool of the LLVM compiler.
Further, the process of acquiring the context information of the program to be protected during running by using the store instruction instrumentation and storing the context information of the program to be protected during running in the MPX table is specifically as follows:
adding an EmitStoreToMetadata function at store instruction generation by CodeGenfunction. cpp, using the Intel MPX tool, by modifying the Clang/lib/CodeGen file; storing the collected context information into an MPX table; the context information includes location information of the function pointer and source point information of the function pointer.
Further, the process of verifying the target validity of the program running by using the context information specifically includes:
if the source point information exists, whether an (origin, ICT, target) entry is contained or not is searched in the hash table; if yes, allowing operation; if the (origin, ICT, target) entry is not contained, the operation is terminated;
if the source point information does not exist, obtaining position information from each indirect call instruction backtracking to a getelementr instruction, and inquiring an MPX table according to the position information until the position of a function pointer in the global variable is backtracked; searching whether the hash table contains (position, ICT, target) entries or not according to the current target and the position information; if yes, allowing operation; if the (position, ICT, target) item is not contained, the operation is terminated;
and if the source point information and the position information cannot be searched in the MPX table, terminating the operation.
The invention also provides a control flow integrity protection system, which comprises a static analysis module and a pile insertion verification module;
the static analysis module is used for acquiring a control flow graph of a program to be protected; the method comprises the steps that position information of a function pointer and source point information of the function pointer are recorded in a control flow graph of a program to be protected;
the instrumentation verification module is used for guiding the control flow graph of the program to be protected into the program to be protected and operating the program to be protected; acquiring context information of the program to be protected during operation by utilizing store instruction instrumentation, and storing the context information of the program to be protected during operation in an MPX table; inquiring an MPX table by utilizing indirect call instruction instrumentation to acquire context information; and verifying the validity of the jump target actually run by the program by using the context information.
The invention also provides control flow integrity protection equipment, which comprises a memory, a processor and executable instructions which are stored in the memory and can be operated in the processor; the processor, when executing the executable instructions, implements the control flow integrity protection method.
The invention also provides a computer-readable storage medium having stored thereon computer-executable instructions that, when executed by a processor, implement the control flow integrity protection method.
Compared with the prior art, the invention has the beneficial effects that:
the invention provides a control flow integrity protection method and a control flow integrity protection system, wherein a control flow graph of a program to be protected is obtained, and position information of a function pointer and source point information of the function pointer are recorded by utilizing the control flow graph; verifying the legitimacy of a control flow jump target during program operation through store instruction instrumentation; the control flow graph and the store instruction are obtained in an intermediate code layer of the program, and program source codes do not need to be modified; by adopting the store instruction for pile insertion, the analysis precision is effectively improved, and the source point information and the position information of the function pointer are protected; the source point information and the position information of the function pointer in the composite type can be processed, the instruction for indirect jump by using the function pointer in the global variable is processed, the safety parameter is small, and the safety performance is high.
Further, based on the LLVM compiler technology, analyzing the intermediate code by using a modified SVF tool to generate a static analysis graph, and verifying the legality of a control flow transfer target during program operation through store instruction instrumentation; the invention analyzes and performs the pile-inserting operation of the store instruction at the intermediate code layer of the program without modifying the source program code.
Furthermore, the static analysis adds the analysis of the position information and the source point information of the global variable containing the function pointer, and adds the analysis of the composite type variable containing the function pointer at the intermediate code store instruction, so that the accuracy of the static analysis is improved; the verification module uses an Intel MPX technology, records source point information and position information when a program runs, and realizes protection of key data.
The control flow integrity protection method can protect all control data in a program to be protected and non-control data related to the position of the control data, not only can realize the protection of an application program, but also can compile and generate a safety kernel to provide protection for the whole operating system.
Drawings
FIG. 1 is a flow chart of a control flow integrity protection method according to the present invention;
FIG. 2 is a sub-flow diagram of a static analysis module according to the present invention;
FIG. 3 is a verification module stake insertion sub-flow diagram of the present invention;
FIG. 4 is a graph of safety comparisons for each benchmark safety parameter calculated by benchmark testing of SPEC CPU2006 for the example and OS-CFI, respectively.
Detailed Description
In order to make the technical problems, technical solutions and advantageous effects of the present invention more apparent, the following embodiments further describe the present invention in detail. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The invention provides a control flow integrity protection method, which comprises the following steps:
step 1, compiling a source code of a program to be protected by using the LLVM Clang modified by the instrumentation by using an LLVM compiler to obtain an intermediate code of the program to be protected; performing static analysis on the intermediate code of the program to be protected by using the modified SVF tool source code to obtain a control flow diagram of the program to be protected; the method comprises the steps of recording position information of a function pointer in a global variable and source point information of the function pointer in a control flow graph of a program to be protected.
The static analysis is carried out on the intermediate code of the program to be protected by using the modified SVF tool source code, and the process of obtaining the control flow graph of the program to be protected is as follows:
analyzing the program to be protected by the modified SVF tool by adopting a function characteristic matching method to obtain an effective target set corresponding to the indirect call instruction; the expression of the effective template set corresponding to the indirect call instruction is as follows: { targetA, targetB, … }; performing static analysis on the global variable to obtain the position information of the function pointer; the position information of the function pointer is recorded by a map function (target, position); performing static analysis on the store instruction to obtain source point information of the function pointer; wherein, the source point information of the function pointer adopts map function record (target, origin); and distinguishing the targets in the effective target set corresponding to the indirect call instruction by using the position information of the function pointer and the source point information of the function pointer to obtain a control flow diagram of the program to be protected.
In the invention, because each keyword of the map function can only appear once, the source point information can be updated according to the characteristic; if the position information of the function pointers in the global variable is rewritten when the program to be protected runs, origin information replacement position information can be updated, and each function pointer is guaranteed to have a unique identification value; the invention distinguishes the targets in the effective target set corresponding to the indirect call instruction by using the identification information of the function pointer, and generates a context-sensitive control flow diagram.
In the invention, the modified SVF tool source code uses a map function to correspond a store instruction of a write pointer and a call/jmp instruction of a call pointer, finds all source points of each indirect control flow transfer instruction, and writes the source points into a control flow graph; analyzing the global variable containing the function pointer, recording the position of the function pointer in the global variable by using a map function, and writing the position into a control flow diagram; and compiling the modified SVF tool, and generating a context-sensitive control flow graph by using the modified SVF tool.
In the invention, the expression of the tuple in the control flow graph of the program to be protected is as follows:
(origin/position,ICT,target)
wherein origin is source point information of the function pointer, ICT is position information of the indirect call instruction, target is a specific target, and poison is position information of the function pointer.
Step 2, importing a control flow graph of the program to be protected into the program to be protected, and operating the program to be protected; specifically, the objdump command is used for printing data of the cfg _ label segment, and a python script is used for classifying the generated control flow graph according to the data of the cfg _ label segment to generate a binary file; and importing the binary file into the program file to be protected by using a PASS tool of the LLVM compiler.
Step 3, utilizing the store instruction to perform instrumentation, acquiring the context information of the program to be protected during operation, and storing the context information of the program to be protected during operation in an MPX table; the specific process is as follows:
adding an EmitStoreToMetadata function at store instruction generation by CodeGenfunction. cpp, using the Intel MPX tool, by modifying the Clang/lib/CodeGen file; storing the collected context information into an MPX table; the context information includes location information of the function pointer and source point information of the function pointer.
And 4, inquiring the MPX table by utilizing indirect call instruction instrumentation, acquiring the position information of the function pointer and the source point information of the function pointer, and verifying the validity of the jump target actually run by the program by utilizing the position information of the function pointer and the source point information of the function pointer.
In the invention, the process of verifying the target validity of the program in operation by using the position information of the function pointer and the source point information of the function pointer is specifically as follows:
if the source point information exists, searching whether the hash table contains an entry (origin, ICT, target) or not, and if so, allowing operation; if the entry is not included, the run is terminated.
If the source point information does not exist, the target may be a function pointer in the global variable, position information is obtained from each indirect call instruction backtracking to a getelementr instruction, and the MPX table is inquired according to the position information until the position of the function pointer in the global variable is backtracked; searching whether the hash table contains the (position, ICT, target) entry or not according to the current target and the position information, and if so, allowing operation; if the entry is not included, the run is terminated.
If the source point information and the position information cannot be searched in the MPX table, errors occur in metadata collection in CFG tuples in a control flow graph of the protection program, the program to be protected is possibly attacked, and the operation is stopped.
The invention also provides a control flow integrity protection system, which comprises a static analysis module and a pile insertion verification module; the static analysis module is used for acquiring a control flow graph of a program to be protected; the method comprises the steps that position information of a function pointer and source point information of the function pointer are recorded in a control flow graph of a program to be protected; the instrumentation verification module is used for guiding the control flow graph of the program to be protected into the program to be protected; acquiring context information of the program to be protected during operation by utilizing store instruction instrumentation, and storing the context information of the program to be protected during operation in an MPX table; inquiring an MPX table by utilizing indirect call instruction instrumentation to acquire context information; and verifying the validity of the jump target actually run by the program by using the context information.
The invention also provides a control flow integrity protection device comprising a processor, a memory and a computer program stored in the memory and executable on the processor.
When the processor executes the computer program, the following method is realized:
acquiring a control flow diagram of a program to be protected; the method comprises the steps that position information of a function pointer and source point information of the function pointer are recorded in a control flow graph of a program to be protected; leading a control flow graph of a program to be protected into the program to be protected; acquiring context information of the program to be protected during operation by utilizing store instruction instrumentation, and storing the context information of the program to be protected during operation in an MPX table; inquiring an MPX table by utilizing indirect call instruction instrumentation to acquire context information; and verifying the validity of the jump target actually run by the program by using the context information.
Or, when the processor executes the computer program, the processor realizes the functions of each module in the control flow integrity protection system; for example: the static analysis module is used for acquiring a control flow graph of a program to be protected; the method comprises the steps that position information of a function pointer and source point information of the function pointer are recorded in a control flow graph of a program to be protected; the instrumentation verification module is used for guiding the control flow graph of the program to be protected into the program to be protected; acquiring context information of the program to be protected during operation by utilizing store instruction instrumentation, and storing the context information of the program to be protected during operation in an MPX table; inquiring an MPX table by utilizing indirect call instruction instrumentation to acquire context information; and verifying the validity of the jump target actually run by the program by using the context information.
The computer program may be partitioned into one or more modules/units that are stored in the memory and executed by the processor to implement the invention.
The control flow integrity protection device can be a computing device such as a desktop computer, a notebook computer, a palm computer and a cloud server. The control flow integrity protection device may include, but is not limited to, a processor and a memory.
The processor may be a Central Processing Unit (CPU), other general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), an off-the-shelf programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, etc.
The memory may be used to store the computer programs and/or modules, and the processor may implement the various functions of the control flow integrity protection system by running or executing the computer programs and/or modules stored in the memory, as well as invoking data stored in the memory.
The integrated module/unit of the control flow integrity protection system of the present invention may be stored in a computer readable storage medium if it is implemented in the form of a software functional unit and sold or used as an independent product. Based on such understanding, all or part of the flow in the method according to the above embodiments may be implemented by a computer program, which may be stored in a computer readable storage medium and used by a processor to implement the steps of the control flow integrity protection method described above.
Wherein the computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form, etc. The computer-readable medium may include: any entity or device capable of carrying the computer program code, recording medium, usb disk, removable hard disk, magnetic disk, optical disk, computer memory, Read-only memory (ROM), Random Access Memory (RAM), electrical carrier wave signals, telecommunications signals, software distribution medium, etc.
It should be noted that the computer readable medium may contain content that is subject to appropriate increase or decrease as required by legislation and patent practice in jurisdictions, for example, in some jurisdictions, computer readable media does not include electrical carrier signals and telecommunications signals as is required by legislation and patent practice.
Examples
The embodiment belongs to the field of network space security, relates to protection of malicious attacks, and particularly relates to a context-sensitive control flow integrity protection method based on an LLVM compiler, which can be used for protecting the security of system software.
As shown in fig. 1-3, the present embodiment provides a control flow integrity protection method and system, which perform static analysis on an intermediate code of a program to be protected by using an open-source SVF tool based on an LLVM compiler, to obtain a control flow graph of the program to be protected; the method comprises the steps that position information of a function pointer in a global variable and source point information of the function pointer are recorded in a control flow graph of a program to be protected; the method comprises the steps of modifying an LLVM compiler to perform instrumentation modification on a program to be protected, recording context information of the program to be protected during running by using an Intel MPX (Memory Protection eXtensions) function, and verifying whether an actual target of an indirect transfer instruction is legal during running of the program to be protected.
The method specifically comprises the following steps:
step 1, compiling a program source code to be protected into an intermediate code through an LLVM compiler; copying an execution code file to a program source file to compile to generate an intermediate code; the source program is compiled through the LLVM Clang after instrumentation modification to generate an intermediate code, and in the embodiment, static analysis and instrumentation verification are performed in the intermediate code without modifying the source code of the program.
The specific process is as follows:
step 11, modifying a Clang/lib/CodeGen file, adding an EmitStoreToMetadata function to CodeGenfunction.cpp, performing instrumentation to update an instruction of an MPX table, and collecting context information of a program to be protected during running, wherein the context information comprises position information of a function pointer and source point information of the function pointer; the detailed process is as follows:
step 11a, creating a store instruction by using a createStore instruction;
step 11b, judging that the target operand of the store instruction is a simple function pointer or a composite type containing the function pointer, if the target operand is the simple function pointer, executing step 11c, and if the target operand is the composite type containing the function pointer, executing step 11 i;
step 11c, obtaining return address information on a call stack of the store instruction by using a getIntrinsic instruction;
step 11d, generating a hash value for the return address information and the current store instruction by using a hash function, namely creating source point information origin;
step 11e, using the getPrevNode instruction to trace back to two gettelementptr instructions before the store instruction, obtaining position information ptr1_ id and ptr2_ id, wherein ptr1_ id is destination position information, and ptr2_ id is source position information;
step 11f, obtaining the target pointer information ptr of the store instruction by using the getPointer instruction;
step 11g, creating an update _ MPX _ table function by using a createdrunnetfunction function, wherein parameters are function pointer information ptr and source point information origin, writing the (ptr, origin) as a (key, value) pair of the MPX table into the MPX table, and recording source point information during operation for verifying the validity of an actual indirect jump target;
step 11h, using a createdrunnetimefunction to create an update _ mpx _ table2 function, wherein the parameters are position information ptr1_ id and ptr2_ id; writing (ptr1_ id, ptr2_ id) as (key, value) pairs of the MPX table into the MPX table, recording position transfer information during operation, and being used for backtracking function pointer position information of a global variable and source point information of a function pointer, and verifying the validity of an actual indirect jump target;
step 11i, returning to a store instruction;
step 12, modifying an EmitCall function in CGCall.cpp, and verifying whether an actual target of the indirect call instruction is legal or not in runtime: the method comprises the following specific steps:
step 12a, judging whether the current call instruction is an indirect call instruction, if so, executing step 12b, otherwise, executing step 12 d;
step 12b, using a getPrevnode instruction to backtrack to a getletmentptr instruction before a call instruction, and acquiring position information ptr _ id;
step 12c, creating a pcall _ reference _ monitor function by using the createdrunnetfunction, wherein parameters are called caller information and position information ptr _ id, inquiring MPX table source point information according to the caller pointer information, or inquiring the MPX table to trace back to the function pointer position of the global variable according to the position information ptr _ id, and the function is used for verifying the target validity when the program runs;
step 12d, returning an EmitCall instruction;
step 13, modifying the getVirtualFunctionPointer function in Itanium CXXABI. cpp, and verifying whether the virtual call is legal at runtime: creating a vcall _ reference _ monitor function by using a createRuntimeFunction, wherein the parameter is called caller information, inquiring the vtable information of an MPX table according to a virtual function pointer vptr of the caller, and verifying the target validity when a program runs;
step 14, replacing all createStore instructions in the residual files in the Clang/lib/CodeGen folder with EmitStoreToMetadata functions;
step 15, copying the execution code file to the program source file to be protected, and modifying the makefile: the method comprises the following specific steps:
step 15a, the execution code file comprises an Intel MPX operation file which is used for using the function of the Intel MPX and newly adding and defining special instruction operation;
step 15b, the execution code file oscfi.c file defines functions of update _ MPX _ table, reference _ monitor and the like, and is used for realizing the functions of updating MPX table source point information and position information and verifying target validity; and defining functions such as hash _ insert and the like, wherein the functions are used for importing the static analysis graph to generate a safe executable file;
step 15c, modifying the makefile, wherein the execution code file is required to be added at the source instruction;
and step 16, performing make instruction compilation by using the Clang/Clang + + to generate intermediate codes.
In the step 1, the position information and the source point information of a function pointer are recorded by analyzing a global variable; the calculation of the function pointer requires a base address and an offset, and therefore, for the function pointer in the global variable, the address of the sub-element of the composite data structure needs to be recorded. For example, function pointers in a global array are combined with array subscripts corresponding to each function pointer and information of an array where the function pointers are located, and a unique identifier can be allocated to each function pointer by using a hash function; the method using the non-control data can effectively improve the accuracy of CFI protection.
Step 2, modifying the source codes of the SVF tool, and performing static analysis on the intermediate codes of the program to be protected by using the modified SVF tool to obtain a control flow graph of the program to be protected; utilizing an SVF tool to analyze the orientation of the intermediate code to generate a control flow graph; writing the control flow graph into a hash function table in the form of (origin/position, ICT, target); wherein origin is source point information of a function pointer, ICT is a position of an indirect call instruction, target is a specific target, and poison is position information of the function pointer in a global variable.
In step 2, the static analysis is carried out by using the modified SVF tool, and the modified SVF tool analysis intermediate code provides a feature table for pointer analysis; the function pointer is characterized by being an aggregate of information such as function return value types, function parameter numbers and the like; the modified SVF tool converts the LLVM instruction into a graphical representation form PAG; each node PAGNODE represents a pointer; each edge PAGEdge represents a constraint, i.e., an instruction, between two pointers; the user can analyze different types of pointers and instructions to obtain the control flow graph according to requirements.
In the embodiment, the store instruction is mainly analyzed to obtain source point information and position information; the store instruction may write or change a value in the target pointer address. For an indirect call instruction, the source point information is the instruction for updating the function pointer for the last time; and (4) backtracking from the current indirect call instruction to the nearest store instruction by using an SVF tool, and recording the source point information and the position information into the hash function table.
If the indirect call instruction uses a function pointer in the global variable, if the pointer is initialized, the instruction backtracking generally cannot be performed to the store instruction, and the source point information and the position information cannot be obtained; writing the function pointer position information in the step 2 into a hash function table by using function feature matching; the value of the function pointer in the global variable may also be overwritten while the program is running; and if the store instruction rewrites the value of the function pointer in the global variable, updating the source point information and the position information in the hash function table according to the analysis of the store instruction in the step 3.
The specific process is as follows:
step 21, modifying source codes of the SVF tool, using a map function to enable a store instruction of a write pointer and a call/jmp instruction of a call pointer to be in one-to-one correspondence, finding all source point information of each indirect control flow transfer instruction, and writing the source point information into a control flow graph;
step 22, analyzing the global variable containing the function pointer, recording the position of the function pointer in the global variable by using a map function, and writing the position into a control flow graph; the method comprises the following specific steps:
step 22a, traversing all global variables and recording the position information of a function pointer; for example, a global array records the name and subscript of the array where the function pointer is located, and generates an identifier through a hash function;
step 22b, for the control flow graph generated by function type matching, distinguishing each effective target of the ICT by using the hash mark generated in the step 22a, and accurately controlling the flow graph;
step 23, compiling the modified SVF tool, and generating a context-sensitive control flow graph by using the modified SVF tool;
step 3, printing data of the cfg _ label segment by using an objdump command, and classifying the generated control flow graph by using a python script according to the data of the cfg _ label segment to generate a binary file;
step 4, importing the binary system diagram into a program file by using an LLVM PASS tool; in the embodiment, the analyzed and obtained control flow graph uses the difference between the address information of the intermediate code and the pointer address for generating the actual operation of the final binary file; therefore, the IR address and the address at runtime need to be mapped; clang has a label-as-use extension that stores the tag address in an array and assigns the array to a custom section. The LLVM compiler automatically converts the addresses in the labels at runtime; but the array is marked with (__ attribute __ ((_used ())) to avoid compiler optimizations that would delete segments in which data is not written; in this embodiment, the extended function is used, a cfg _ label is inserted after each call instruction, and the LLVM PASS writes the generated control flow graph into an array of cfg _ label segments for verifying the target validity at runtime.
Step 5, repeatedly executing the steps 3 and 4 for adjustment, wherein the generated control flow diagrams have differences due to different compiling optimization degrees;
step 6, generating a final safe executable file; acquiring context information of the program to be protected during operation by utilizing store instruction instrumentation, and storing the context information of the program to be protected during operation in an MPX table; inquiring an MPX table by utilizing indirect call instruction instrumentation to acquire source point information and position information, and verifying the target validity of the program in operation by utilizing the source point information and the position information;
the specific process is as follows:
step 61, obtaining context information of runtime by inserting pile into store instruction
Setting the context information of the function pointer to be (key, value) pair for storage; the key is the address or destination location information of the function pointer, and the value is the source point information or source location information.
Using partial functions of an Intel MPX tool, collecting parameter information to an MPX table and executing protection; MPX is a checking system realized based on hardware functions, and under the support of a compiler, a kernel and the like, MPX can check the overflow of the boundary of a memory to prevent the attack of buffer overflow and the like, but the MPX has limitations on the efficiency and the accuracy of the boundary check of a larger program. The invention only uses MPX table to store protection context information; the MPX boundary table stores context information using pointer address indices. The boundary table directory uses special register access, adds a new instruction set to operate on the MPX table, and thus can provide protection for the data therein.
Adding an emitstoreToMetadata function at the store instruction generation of CodeGenfunction. cpp by modifying the Clang/lib/CodeGen file, the instruction for instrumentation writing to the MPX table collects context information, and the detailed operation is as follows:
step 61a, creating a store instruction by using a createStore instruction;
step 61b, judging that the target operand of the store instruction is a function pointer or a composite type containing the function pointer, if so, executing step 61c, otherwise, executing step 61 i;
step 61c, obtaining return information on a call stack of the store instruction by using a getIntrinsic instruction;
step 61d, generating a hash value for the return information and the current store instruction by using a hash function, namely creating source point information origin;
step 61e, using a getRevNode instruction to backtrack to a gettelementptr instruction before the store, obtaining position information ptr1_ id and ptr2_ id, wherein ptr1_ id is destination position information, and ptr2_ id is source position information; function pointers in the global variables can be converted into function pointers of a specified type through a bitcast instruction, and the pointers of the specified type are used at an indirect call instruction, so that position information needs to be recorded, and the position of the initially initialized function pointer is traced back;
step 61f, obtaining the target pointer information ptr of the store instruction by using the getPointer instruction;
step 61g, creating an update _ MPX _ table function by using a createfruitimefunction function, wherein parameters are function pointer information ptr and source point information origin, writing the (ptr, origin) as a (key, value) pair of the MPX table into the MPX table, and recording source point information during operation for verifying the source point information;
step 61h, creating an update _ MPX _ table2 function by using a createfruimtunction function, wherein the parameters are position information ptr1_ id and ptr2_ id, writing (ptr1_ id and ptr2_ id) into an MPX table as a key (value) pair of the MPX table, and recording position transfer information during running for tracing back to the position information of a function pointer of a global variable;
step 61i, returning to a store instruction;
and step 61j, replacing all createStore instructions in all source codes under the Clang/lib/CodeGen folder with EmitStoreToMetadata functions.
Step 62, indirectly invoking instruction instrumentation verification function
Inquiring an MPX table by using a target function pointer address of a current indirect call instruction to acquire source point information; if the source point information exists, searching whether the hash table contains an entry (origin, ICT, target) or not, and if so, allowing operation; if the entry is not included, the run is terminated.
If the source point information does not exist, the target can be a function pointer in the global variable, the method obtains the position information from each indirect call instruction backtracking to a getelementr instruction, and queries the MPX table according to the position information until the position of the function pointer in the global variable is backtracked. Searching whether the hash table contains the item (position, ICT, target) or not according to the current target and the position information, and if so, allowing operation; if the entry is not included, the run is terminated.
If the source point information and the position information cannot be searched in the MPX table, the metadata collection is wrong, the program is possibly attacked, and the operation is stopped;
in step 62 of this embodiment, the method of modifying EmitCall function in cgcall. cpp is used to verify whether the actual target of the indirect call instruction is legal at runtime: the detailed operation is as follows:
step 62a1, judging whether the current call instruction is an indirect call instruction, if so, executing step 62a2, otherwise, executing step 62a 4;
step 62a2, using getPrevNode instruction to backtrack to getementptor instruction before call instruction, obtaining position information ptr _ id;
step 62a3, create pcall _ reference _ monitor function using createdrunnimefunction, parameters are callee caller information and location information ptr _ id. Inquiring MPX table source point information according to the pointer information of the callee; if the source point information cannot be obtained, the call may be a function pointer in the global variable, and then the MPX table is inquired according to the position information ptr _ id to trace back to the function pointer position of the global variable, so that the validity of the target is verified when the program runs;
step 62a4, returning to an EmitCall function;
step 62b, modify getvirtualfunctional pointer function at itanium cxxabi. cpp for runtime verification whether the dummy call is legal: creating a vcall _ reference _ monitor function by using the createdrunnimefunction, wherein the parameter is called caller information, and inquiring MPX table source point information (vtable) according to the caller pointer information (vptr) for verifying the target validity when the program runs;
the control flow integrity protection method and system provided by the invention are based on the LLVM compiler technology, use the SVF tool to analyze the intermediate code to generate a static analysis graph, and verify the legitimacy of a control flow transfer target during program operation through instruction instrumentation; the invention carries out analysis and instruction instrumentation operation on the intermediate code layer of the program without modifying the source program code; the static analysis adds the position information analysis of the global variable containing the function pointer; the analysis of the composite type variable containing the function pointer is added at the intermediate code store instruction, so that the accuracy of static analysis is improved; the verification module uses an Intel MPX technology, records source point information and position information during operation, and realizes protection on key data; the invention can protect all control data in the program and non-control data related to the position of the control data, not only can realize the protection of the application program, but also can compile and generate a safety kernel to provide protection for the whole operating system.
The embodiment also provides a control flow integrity protection system, which comprises a static analysis module and an instrumentation verification module;
the static analysis module is used for acquiring a control flow graph of a program to be protected; the method comprises the steps that position information of a function pointer and source point information of the function pointer are recorded in a control flow graph of a program to be protected;
the instrumentation verification module is used for guiding the control flow graph of the program to be protected into the program to be protected and operating the program to be protected; acquiring context information of the program to be protected during operation by utilizing store instruction instrumentation, and storing the context information of the program to be protected during operation in an MPX table; inquiring an MPX table by utilizing indirect call instruction instrumentation to acquire context information; and verifying the validity of the jump target actually run by the program by using the context information.
The embodiment also provides a control flow integrity protection device, which is characterized by comprising a memory, a processor and executable instructions stored in the memory and capable of running in the processor; the processor, when executing the executable instructions, implements the method of: acquiring a control flow diagram of a program to be protected; the method comprises the steps that position information of a function pointer and source point information of the function pointer are recorded in a control flow graph of a program to be protected; leading a control flow graph of a program to be protected into the program to be protected, and operating the program to be protected; acquiring context information of the program to be protected during operation by utilizing store instruction instrumentation, and storing the context information of the program to be protected during operation in an MPX table; inquiring an MPX table by utilizing indirect call instruction instrumentation to acquire context information; and verifying the validity of the jump target actually run by the program by using the context information.
Also provided in this embodiment is a computer-readable storage medium having stored thereon computer-executable instructions that, when executed by a processor, implement a method comprising: acquiring a control flow diagram of a program to be protected; the method comprises the steps that position information of a function pointer and source point information of the function pointer are recorded in a control flow graph of a program to be protected; leading a control flow graph of a program to be protected into the program to be protected, and operating the program to be protected; acquiring context information of the program to be protected during operation by utilizing store instruction instrumentation, and storing the context information of the program to be protected during operation in an MPX table; inquiring an MPX table by utilizing indirect call instruction instrumentation to acquire context information; and verifying the validity of the jump target actually run by the program by using the context information.
The computer-readable storage medium in the present embodiment includes: various media capable of storing program codes, such as a U disk, a removable hard disk, a Read Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
For a description of a relevant part in the control flow integrity protection system, the device, and the readable storage medium described in this embodiment, reference may be made to a detailed description of a corresponding part in the control flow integrity protection method described in this embodiment, and details are not repeated here.
The following is further illustrated by specific experiments:
1) conditions of the experiment
The experiment is realized on the basis of an LLVM (Low Level Virtual machine) compiler; the LLVM compiler is compiled in C + + and is used for optimizing compile time, link time, run time and idle time of a program which is compiled in any programming language; the LLVM compiler is kept open for developers and is compatible with the existing scripts; ubuntu20.04 currently has set the LLVM compiler as the default compiler; the function test experiment is based on an Intel skylake processor i5-6500, a memory 16GB, an operating system ubuntu16.04, and a kernel of standard ubuntu 4.4.0-139-general.
2) Content of the experiment
Selecting benchmark test tool SPEC CPU2006 to compare executable files generated by the embodiment and the OS-CFI, and counting the average size AVG of EC of each SPEC testECAnd maximum EC size LC according to equation QSCFI=AVGECX LC calculation of safety parameters, wherein QSCFIThe smaller the value, the better the safety; the test results of this experiment are shown in fig. 4.
3) Analysis of results
As can be seen from fig. 4, the safety parameters of this embodiment are very small, and the safety performance is better, and part of the benchmark tests (445.gobmk, 450.soplex, 453. povray); compared with the prior OS-CFI, the security parameter is greatly improved, and the security is better than the prior OS-CFI.
The control flow integrity protection method and system comprise a static analysis module and a instrumentation verification module based on a compiler, wherein the static analysis mainly comprises position information of a function pointer in a global variable and source point information written into the function pointer; the instrumentation verification module mainly comprises context information of the store instruction instrumentation collecting operation and an instrumentation verification function at the indirect call instruction.
The control flow integrity protection method and the control flow integrity protection system record the mapping information of the virtual function pointer and the virtual function table, and realize the protection of virtual calling; in the C + + program, each class having a virtual function has a virtual function table, and actually, function pointers of all virtual functions in the class, that is, the start positions of the function pointer array, are recorded. When a virtual function is called through the object pointer, the code generated by the compiler acquires the vtable pointer of the object class first, and then calls the corresponding item in the vtable. In the case of calls by object pointers, it is not possible to determine during compilation whether the pointer points to a base class object or a derived class object, or to which derived class object. However, when the calling statement is executed during the running period, it is determined that the compiled calling code can obtain the correct vtable according to the specific object and call the correct virtual function, thereby realizing the polymorphism.
The above-described embodiment is only one of the embodiments that can implement the technical solution of the present invention, and the scope of the present invention is not limited by the embodiment, but includes any variations, substitutions and other embodiments that can be easily conceived by those skilled in the art within the technical scope of the present invention disclosed.

Claims (10)

1. A control flow integrity protection method, comprising the steps of:
acquiring a control flow diagram of a program to be protected; the method comprises the steps that position information of a function pointer and source point information of the function pointer are recorded in a control flow graph of a program to be protected;
leading a control flow graph of a program to be protected into the program to be protected;
acquiring context information of the program to be protected during operation by utilizing store instruction instrumentation, and storing the context information of the program to be protected during operation in an MPX table;
inquiring an MPX table by utilizing indirect call instruction instrumentation to acquire context information; and verifying the validity of the jump target actually run by the program by using the context information.
2. The control flow integrity protection method according to claim 1, wherein the process of obtaining the control flow graph of the program to be protected specifically includes:
compiling the source code of the program to be protected by using the LLVM Clang tool modified by the instrumentation by adopting an LLVM compiler to obtain an intermediate code of the program to be protected;
and performing static analysis on the intermediate code of the program to be protected by using the modified SVF tool source code to obtain a control flow diagram of the program to be protected.
3. The control flow integrity protection method according to claim 2, characterized in that the static analysis is performed on the intermediate code of the program to be protected by using the modified SVF tool source code, and the process of obtaining the control flow graph of the program to be protected is specifically as follows:
analyzing the program to be protected by adopting a function characteristic matching method to obtain an effective target set corresponding to the indirect call instruction;
performing static analysis on the global variable to obtain the position information of the function pointer;
performing static analysis on the store instruction to obtain source point information of the function pointer;
and distinguishing the targets in the effective target set corresponding to the indirect call instruction by using the position information of the function pointer and the source point information of the function pointer to obtain a control flow diagram of the program to be protected.
4. The control flow integrity protection method of claim 1, wherein the expression of the CFG tuple in the control flow graph of the program to be protected is:
(origin/position,ICT,target)
wherein origin is source point information of the function pointer, ICT is position information of the indirect call instruction, target is a specific target, and poison is position information of the function pointer.
5. The method for controlling flow integrity protection according to claim 1, wherein a process of importing the control flow graph of the program to be protected into the program to be protected is specifically as follows:
printing data of the cfg _ label segment by using an objdump command, and classifying a control flow graph of a program to be protected according to the data of the cfg _ label segment by using a python script to generate a binary file;
and importing the binary file into the program file to be protected by adopting a PASS tool of the LLVM compiler.
6. The control flow integrity protection method according to claim 1, characterized in that the process of obtaining the context information of the program to be protected during running by using store instruction instrumentation and storing the context information of the program to be protected during running in the MPX table is specifically as follows:
adding an EmitStoreToMetadata function at store instruction generation by CodeGenfunction. cpp, using the Intel MPX tool, by modifying the Clang/lib/CodeGen file; storing the collected context information into an MPX table; the context information includes location information of the function pointer and source point information of the function pointer.
7. The method for controlling flow complete line protection according to claim 6, wherein the process of verifying the target validity of the program run-time by using the context information is specifically as follows:
if the source point information exists, whether an (origin, ICT, target) entry is contained or not is searched in the hash table; if yes, allowing operation; if the (origin, ICT, target) entry is not contained, the operation is terminated;
if the source point information does not exist, obtaining position information from each indirect call instruction backtracking to a getelementr instruction, and inquiring an MPX table according to the position information until the position of a function pointer in the global variable is backtracked; searching whether the hash table contains (position, ICT, target) entries or not according to the current target and the position information; if yes, allowing operation; if the (position, ICT, target) item is not contained, the operation is terminated;
and if the source point information and the position information cannot be searched in the MPX table, terminating the operation.
8. A control flow integrity protection system is characterized by comprising a static analysis module and a pile insertion verification module;
the static analysis module is used for acquiring a control flow graph of a program to be protected; the method comprises the steps that position information of a function pointer and source point information of the function pointer are recorded in a control flow graph of a program to be protected;
the instrumentation verification module is used for guiding the control flow graph of the program to be protected into the program to be protected and operating the program to be protected; acquiring context information of the program to be protected during operation by utilizing store instruction instrumentation, and storing the context information of the program to be protected during operation in an MPX table; inquiring an MPX table by utilizing indirect call instruction instrumentation to acquire context information; and verifying the validity of the jump target actually run by the program by using the context information.
9. A control flow integrity protection device comprising a memory, a processor, and executable instructions stored in the memory and executable in the processor; the processor, when executing the executable instructions, implements the method of any of claims 1-7.
10. A computer-readable storage medium having stored thereon computer-executable instructions which, when executed by a processor, implement the method of any one of claims 1-7.
CN202110300061.XA 2021-03-22 2021-03-22 Control flow integrity protection method, system and device and readable storage medium Active CN112966258B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110300061.XA CN112966258B (en) 2021-03-22 2021-03-22 Control flow integrity protection method, system and device and readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110300061.XA CN112966258B (en) 2021-03-22 2021-03-22 Control flow integrity protection method, system and device and readable storage medium

Publications (2)

Publication Number Publication Date
CN112966258A true CN112966258A (en) 2021-06-15
CN112966258B CN112966258B (en) 2022-12-30

Family

ID=76277976

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110300061.XA Active CN112966258B (en) 2021-03-22 2021-03-22 Control flow integrity protection method, system and device and readable storage medium

Country Status (1)

Country Link
CN (1) CN112966258B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023019807A1 (en) * 2021-08-17 2023-02-23 中国科学院软件研究所 Risc-v mechanism and o-cfi mechanism-based defense method and apparatus for code reuse attacks

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090282393A1 (en) * 2006-06-23 2009-11-12 Microsoft Corporation Securing Software By Enforcing Data Flow Integrity
US20100192026A1 (en) * 2009-01-27 2010-07-29 Microsoft Corporation Implementations of program runtime checks
US20150370560A1 (en) * 2014-06-09 2015-12-24 Lehigh University Methods for enforcing control flow of a computer program
US20160300060A1 (en) * 2012-10-23 2016-10-13 Galois, Inc. Software security via control flow integrity checking
CN107194252A (en) * 2017-05-09 2017-09-22 华中科技大学 The program control flow completeness protection method and system of a kind of complete context-sensitive
CN109918903A (en) * 2019-03-06 2019-06-21 西安电子科技大学 A kind of program non-control attack guarding method based on LLVM compiler
CN110647748A (en) * 2019-09-10 2020-01-03 北京理工大学 Code multiplexing attack detection system and method based on hardware characteristics
CN111898120A (en) * 2020-06-29 2020-11-06 中国科学院信息工程研究所 Control flow integrity protection method and device

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090282393A1 (en) * 2006-06-23 2009-11-12 Microsoft Corporation Securing Software By Enforcing Data Flow Integrity
US20100192026A1 (en) * 2009-01-27 2010-07-29 Microsoft Corporation Implementations of program runtime checks
US20160300060A1 (en) * 2012-10-23 2016-10-13 Galois, Inc. Software security via control flow integrity checking
US20150370560A1 (en) * 2014-06-09 2015-12-24 Lehigh University Methods for enforcing control flow of a computer program
CN107194252A (en) * 2017-05-09 2017-09-22 华中科技大学 The program control flow completeness protection method and system of a kind of complete context-sensitive
CN109918903A (en) * 2019-03-06 2019-06-21 西安电子科技大学 A kind of program non-control attack guarding method based on LLVM compiler
CN110647748A (en) * 2019-09-10 2020-01-03 北京理工大学 Code multiplexing attack detection system and method based on hardware characteristics
CN111898120A (en) * 2020-06-29 2020-11-06 中国科学院信息工程研究所 Control flow integrity protection method and device

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
M. KHANDAKER等: "《2019 IEEE European Symposium on Security and Privacy (EuroS&P)》", 22 August 2019 *
代伟等: "基于地址完整性检查的函数指针攻击检测", 《计算机应用》 *
沈钦涛等: "上下文敏感的控制流完整性保护的改进方法", 《计算机科学》 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023019807A1 (en) * 2021-08-17 2023-02-23 中国科学院软件研究所 Risc-v mechanism and o-cfi mechanism-based defense method and apparatus for code reuse attacks
GB2617719A (en) * 2021-08-17 2023-10-18 Inst Software Cas RISC-V mechanism and O-CFI mechanism-based defense method and apparatus for code reuse attacks

Also Published As

Publication number Publication date
CN112966258B (en) 2022-12-30

Similar Documents

Publication Publication Date Title
US11157640B2 (en) Protecting sensitive data in software products and in generating core dumps
CN109643343B (en) Kernel-based detection of target application functions using virtual address mapping
Hu et al. Binmatch: A semantics-based hybrid approach on binary code clone analysis
CN104636256A (en) Memory access abnormity detecting method and memory access abnormity detecting device
US20090100410A1 (en) System and method for tracking software changes
Signer Gas cost analysis for ethereum smart contracts
Khandaker et al. Adaptive call-site sensitive control flow integrity
US11568044B2 (en) Method and apparatus for vetting universal serial bus device firmware
Wei et al. State-sensitive points-to analysis for the dynamic behavior of JavaScript objects
US20200143061A1 (en) Method and apparatus for tracking location of input data that causes binary vulnerability
CN104133733A (en) Memory error detection method
US11868465B2 (en) Binary image stack cookie protection
Cloosters et al. {SGXFuzz}: Efficiently synthesizing nested structures for {SGX} enclave fuzzing
CN112966258B (en) Control flow integrity protection method, system and device and readable storage medium
Lehmann et al. Fuzzm: Finding memory bugs through binary-only instrumentation and fuzzing of webassembly
Liu et al. Exploring missed optimizations in webassembly optimizers
US10162629B1 (en) Compiler independent identification of application components
Liao et al. Mobilefindr: Function similarity identification for reversing mobile binaries
Jianming et al. PVDF: An automatic patch-based vulnerability description and fuzzing method
Schüette et al. Practical application-level dynamic taint analysis of Android apps
KR102341137B1 (en) Code converting method based on intermediate language and electronic device including the same
Scherer et al. I/o interaction analysis of binary code
Puhan et al. Program crash analysis based on taint analysis
US11886589B2 (en) Process wrapping method for evading anti-analysis of native codes, recording medium and device for performing the method
Zhang et al. Multi-transaction sequence vulnerability detection for smart contracts based on inter-path data dependency

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant