CN114707143A - Method and device for monitoring damage attack of memory data - Google Patents
Method and device for monitoring damage attack of memory data Download PDFInfo
- Publication number
- CN114707143A CN114707143A CN202210253761.2A CN202210253761A CN114707143A CN 114707143 A CN114707143 A CN 114707143A CN 202210253761 A CN202210253761 A CN 202210253761A CN 114707143 A CN114707143 A CN 114707143A
- Authority
- CN
- China
- Prior art keywords
- data
- instruction
- memory
- function
- key data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 68
- 238000012544 monitoring process Methods 0.000 title claims abstract description 39
- 230000006378 damage Effects 0.000 title abstract description 25
- 230000006870 function Effects 0.000 claims abstract description 117
- 238000004458 analytical method Methods 0.000 claims abstract description 58
- 230000003068 static effect Effects 0.000 claims abstract description 28
- 238000007689 inspection Methods 0.000 claims abstract description 18
- 238000004590 computer program Methods 0.000 claims description 18
- 238000005206 flow analysis Methods 0.000 claims description 18
- 230000008569 process Effects 0.000 claims description 16
- 238000012806 monitoring device Methods 0.000 claims description 4
- 230000009191 jumping Effects 0.000 claims description 3
- 230000008260 defense mechanism Effects 0.000 abstract description 7
- 238000010586 diagram Methods 0.000 description 7
- 238000004891 communication Methods 0.000 description 5
- 230000007246 mechanism Effects 0.000 description 5
- 238000012545 processing Methods 0.000 description 4
- 239000011800 void material Substances 0.000 description 4
- 230000006399 behavior Effects 0.000 description 3
- 238000013461 design Methods 0.000 description 3
- 238000001514 detection method Methods 0.000 description 3
- 238000012546 transfer Methods 0.000 description 3
- 206010000117 Abnormal behaviour Diseases 0.000 description 2
- 230000007123 defense Effects 0.000 description 2
- 239000012634 fragment Substances 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 238000003491 array Methods 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 238000011156 evaluation Methods 0.000 description 1
- 238000003780 insertion Methods 0.000 description 1
- 230000037431 insertion Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000011160 research Methods 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 230000002123 temporal effect Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/54—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by adding security routines or objects to programs
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/40—Transformation of program code
- G06F8/41—Compilation
- G06F8/42—Syntactic analysis
- G06F8/427—Parsing
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/40—Transformation of program code
- G06F8/41—Compilation
- G06F8/44—Encoding
- G06F8/447—Target code generation
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/70—Software maintenance or management
- G06F8/75—Structural analysis for program understanding
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Debugging And Monitoring (AREA)
Abstract
The invention provides a method and a device for monitoring memory data damage attack, wherein the method comprises the following steps: performing static analysis on the memory data to obtain key data; inserting a tag checking instruction before a memory reading instruction, a function calling instruction and a function returning instruction of the memory data, and inserting a tag setting instruction before a memory writing instruction of the memory data to obtain an executable file of the memory data; and executing the executable file, and performing label inspection according to the label inspection instruction of the memory read instruction, the function call instruction and the function return instruction of the key data. The invention reduces the protection data volume by locking the key data in the memory data, provides a data flow integrity defense mechanism based on the key data, and more efficiently monitors the memory data damage attack when the program runs.
Description
Technical Field
The invention relates to the technical field of computers, in particular to a method and a device for monitoring memory data damage attacks.
Background
Various memory bugs can exist in programs written in C/C + + language. The memory bug refers to a security problem that a programmer may make a behavior violating the design of a program itself due to a temporal or spatial error in the operation of a memory in the process of writing software. Attackers can implement various attacks by triggering the bugs and revealing or modifying the memory data, thereby causing serious harm.
Common attacks include Return-oriented programming (ROP) attacks, Jump-oriented programming (JOP) attacks, and Data-oriented programming (DOP) attacks, among others. The ROP attacker puts the addresses of a series of accessories into a stack, when a CPU runs to Return, the CPU takes out a first address and jumps to the accessory to start executing, when the first accessory is executed, a Return instruction at the end takes out a second address and jumps to a second accessory to start executing, and the steps are circulated, so that any malicious behavior is constructed. A JOP attack uses a jump-ended code fragment as an accessory and a jump as a connection between different accessories. Data on the stack is controlled by stack overflow and then popped into a general purpose register using a pop instruction. The memory data is stored in the general register by modifying the memory data and utilizing a load instruction. The DOP attack modifies data variables participating in operation, such as library function parameters, circulation parameters, conditional branch parameters and the like, through memory bugs, and completes malicious attack without changing control flow.
The key point of these attacks is to damage the memory data during operation and to read and write it arbitrarily. At present, a Data Flow Integrity (DFI) mechanism is often adopted as a main stream technology, and by protecting memory Data at the time of running, abnormal behaviors of a program are discovered, so that the attack is prevented. However, the DFI mechanism employs an over-approximation analysis process to obtain a legal write set of data for protecting all memory data. Redundant information exists, accuracy is difficult to guarantee, and safety is weakened. When a program runs, due to the design of a tag checking mechanism, a great memory overhead and performance loss are brought.
Disclosure of Invention
The invention provides a method for monitoring memory data damage attack, which is used for solving the defects of insufficient safety and huge performance overhead in the prior art and realizing the high-efficiency monitoring of the memory data damage attack.
The invention provides a method for monitoring memory data damage attack, which comprises the following steps:
performing static analysis on the memory data to obtain key data;
inserting a tag checking instruction before a memory reading instruction, a function calling instruction and a function returning instruction of the memory data, and inserting a tag setting instruction before a memory writing instruction of the memory data to obtain an executable file of the memory data;
and executing the executable file, and performing label inspection according to the label inspection instruction of the memory read instruction, the function call instruction and the function return instruction of the key data.
According to the monitoring method for the memory data damage attack provided by the invention, the static analysis is carried out on the memory data to obtain the key data, and the method comprises the following steps:
performing data flow analysis on the memory data to obtain initial key data;
performing control flow analysis and pointer analysis on the initial key data to obtain accurate key data, wherein the accurate key data comprises control flow information and pointer pointing information of the initial key data;
and performing key data propagation analysis according to the data dependency relationship between the initial key data and the accurate key data to obtain the key data.
According to the method for monitoring the memory data damage attack provided by the invention, the initial key data comprises three types, respectively:
the pointer of the over-operation and the parameters of the vulnerable function are carried out;
user input and external data received in the web application;
conditional branch parameters, loop judgment parameters, library function parameters, system call parameters, function pointers, indirect call target addresses, and return addresses.
According to the method for monitoring the memory data damage attack provided by the invention, the control flow analysis and the pointer analysis are carried out on the initial key data to obtain the accurate key data, and the method comprises the following steps:
analyzing the initial key data by a control flow to obtain control flow information, wherein the control flow information comprises an in-process program execution process and an inter-process function jumping process;
analyzing the control flow information by a pointer to obtain the pointer pointing information;
and replacing the pointer in the initial key data with the target set pointed in the pointer pointing information to obtain accurate key data.
According to the method for monitoring the memory data damage attack, the pointer analysis adopts an Anderson pointer analysis algorithm.
According to the monitoring method for the memory data damage attack provided by the invention, the tag inspection is carried out according to the tag inspection instruction of the memory read instruction, and the method comprises the following steps:
if the running label of the key data of the memory read instruction is consistent with the legal label, no attack is found; if not, then an attack is discovered.
The invention also provides a device for monitoring the memory data damage attack, which comprises:
the static analysis module is used for carrying out static analysis on the memory data to obtain key data;
a code instrumentation module, configured to insert a tag check instruction before a memory read instruction, a function call instruction, and a function return instruction of the memory data, and insert a tag setting instruction before a memory write instruction of the memory data, to obtain an executable file of the memory data;
and the tag checking module is used for executing the executable file and checking tags according to the tag checking instruction of the memory reading instruction, the function calling instruction and the function returning instruction of the key data.
The invention also provides an electronic device, which comprises a memory, a processor and a computer program which is stored on the memory and can run on the processor, wherein when the processor executes the program, the monitoring method for the memory data damage attack is realized.
The present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements a method for monitoring memory data corruption attacks as described in any of the above.
The present invention also provides a computer program product, including a computer program, where the computer program, when executed by a processor, implements any of the above methods for monitoring a memory data corruption attack.
According to the method and the device for monitoring the memory data damage attack, the key data are locked in the memory data, the protection data volume is reduced, a data flow integrity defense mechanism based on the key data is provided, and the memory data damage attack is monitored more efficiently when a program runs.
Drawings
In order to more clearly illustrate the technical solutions of the present invention or the prior art, the drawings needed for the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
Fig. 1 is a schematic flow chart of a method for monitoring memory data corruption attack provided by the present invention;
FIG. 2 is a schematic flow diagram of a static analysis provided by the present invention;
FIG. 3 is a flow diagram of control flow analysis and pointer analysis provided by the present invention;
FIG. 4 is a schematic diagram of an attack detection example provided by the present invention
FIG. 5 is a second schematic flowchart of a method for monitoring memory data corruption attack according to the present invention;
FIG. 6 is a schematic structural diagram of a monitoring apparatus for memory data corruption attack according to an embodiment of the present invention;
fig. 7 is a schematic structural diagram of an electronic device provided by the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
ROP: the return-oriented programming uses ret as the end-of-ret code segment as an accessory, combines control over stack space, and uses ret as the connection between different accessories to continuously enable programs to run the accessories. When a program executes a Return, the CPU fetches an address from the current stack and jumps to the code pointed to by this address to begin execution.
DOP: the data-oriented programming attack is to modify data variables participating in operation, such as library function parameters, circulation parameters, conditional branch parameters and the like, through memory bugs, and complete malicious attack without changing control flow.
JOP: jump-oriented programming uses jump-ended code fragments as accessories and jump as connections between different accessories. Data on the stack is controlled by stack overflow and then popped into a general purpose register using a pop instruction. The memory data is stored in the general register by modifying the memory data and utilizing a load instruction.
DFI: and the data flow integrity defense mechanism acquires a legal write set of the data through static analysis, and performs instruction instrumentation on the memory read-write instruction of the data in a code instrumentation mode to obtain an executable file. When the program runs, calculating the label of a memory writing instruction in real time; when the memory read instruction is encountered, performing label check, namely checking whether a label value of the memory write corresponding to the memory read instruction is in a legal write set obtained by static analysis, and if so, continuing to execute; if not, the data is described to be illegally damaged, and an abnormal behavior is generated, and the program execution is terminated.
The fundamental problem with data flow integrity defense mechanisms is that the data being protected is excessive. For memory data corruption attacks, some data is necessary for the attack, and the attack cannot proceed without controlling the data. Therefore, attacks can not be realized only by protecting the data from being controlled. Through the research on the current memory attack and defense, the method and the device clarify the key data related to the memory data damage attack, and can effectively defend the memory data damage attack only by protecting the key data.
The following describes a monitoring method for memory data corruption attack according to the present invention with reference to fig. 1 to 3, where the method includes the following steps:
102, inserting a tag check instruction before a memory read instruction, a function call instruction and a function return instruction of the memory data, and inserting a tag setting instruction before a memory write instruction of the memory data to obtain an executable file of the memory data;
it should be noted that the setting of the tag instruction for the memory write instruction instrumentation is to obtain a runtime tag.
And 103, executing the executable file, and performing label inspection according to the label inspection instruction of the memory read instruction, the function call instruction and the function return instruction of the key data.
Note that, objects for executing the tag check instruction, for example, parameters of a vulnerable function, a pointer for performing an arithmetic operation, conditional branch parameters, and the like.
According to the monitoring method for the memory data damage attack, provided by the embodiment of the invention, the key data is locked in the memory data, the protection data volume is reduced, a data flow integrity defense mechanism based on the key data is provided, and the memory data damage attack is monitored more efficiently when a program runs.
In at least one embodiment of the present invention, the performing tag checking according to the tag checking instruction of the memory read instruction includes:
if the tag of the key data of the memory read instruction is consistent with the legal tag during operation, the attack is not found, and the execution is continued; if not, the attack is found and the execution is stopped.
In at least one embodiment of the present invention, the performing tag checking according to the tag checking instruction of the function return instruction and the function call instruction includes:
for the function return instruction, adding a label at the head of the function to protect a function pointer, adding an instruction for checking the label at the tail of the function, and if the label is consistent with the label for protecting the function pointer when the function return instruction runs, not discovering an attack; if not, then an attack is discovered.
For the function call instruction, if the runtime tag of the function pointer of the indirect call instruction is in the corresponding legal tag, no attack is found; if not, an attack is discovered.
In at least one embodiment of the present invention, the statically analyzing the memory data to obtain the key data includes:
it should be noted that the initial key data is obtained after data stream analysis is performed at an Abstract Syntax Tree (AST) layer of a Clang compiler at the front end of the LLVM. And the LLVM generates a relatively complete abstract syntax tree for the program in the compiling syntax analysis process, marks variables and functions according to types, and analyzes assignment operation to obtain corresponding data stream information. A class Clang Plug in AST Vistor is defined, each node is accessed recursively by inheriting the class Recursive AST Vistor. And processing each Decl node through a VisitDecl function, and processing each Stmt node through a VisitStmt function to acquire variable information and data stream transfer relation.
it should be noted that the execution flow and the inter-process call relationship of each function of the program are determined through control flow analysis, so that the control flow information of the program is obtained. The analysis is carried out by taking basic blocks as units, each basic block is provided with a plurality of instructions, the instructions are continuously executed from the first instruction to the last instruction of the basic block, and the basic block is ended by a jump instruction or a return instruction. And obtaining a target set pointed by the pointer by establishing the address relation between the pointer and the pointed variable, and replacing the pointer in the data stream by the pointed target, wherein the variable pointed by the same pointer obtained in the step uses the same label. .
And 203, performing key data propagation analysis according to the data dependency relationship between the initial key data and the accurate key data to obtain the key data.
It should be noted that, because there is a dependency relationship between data, the critical data is tracked, a possible execution path of the program is detected, and the current operation state is identified. And finding out data influencing the key data and expanding the data to obtain final key data.
Specifically, the extension is performed by means of a LogicBlox simulator.
The existing DFI mechanism does not analyze the dependency relationship between data and the control flow of a program, so that pointer analysis is not accurate. In the embodiment of the invention, because the analysis object is only key data, a more accurate analysis process, such as complete control flow analysis, analysis of the dependency relationship between data and the like, can be adopted on the premise of not introducing higher performance overhead.
In at least one embodiment of the present invention, the initial critical data includes three types, which are:
the pointer of the over-operation and the parameters of the vulnerable function are carried out;
user input and external data received in the web application;
conditional branch parameters, loop judgment parameters, library function parameters, system call parameters, function pointers, indirect call target addresses, and return addresses.
It should be noted that, in the embodiment of the present invention, the key data includes 11 types of 3 types, as shown in table 1:
TABLE 1
In at least one embodiment of the present invention, the performing data flow analysis on the memory data to obtain initial key data, where the performing data flow analysis on each line of source codes includes:
if a pointer variable is the result of the operation, then it is marked as Unsufe data;
judging whether the function is a function in the vulnerable function set or not, and if so, defining the parameter as Unsemace data;
judging whether the function is a function Input by a user or a function used for receiving external data in the network application program, and if so, defining the parameter as Input data;
judging whether the function is a library function or a system call by processing the function call statement, and if so, defining the parameter as the explicit data;
through extracting the left and right subtrees of the assignment statement, the data stream transfer relation is obtained, the read-write relation of variables is obtained, and particularly, assignment operations of pointers, arrays and structural bodies are processed. If the function pointer is the function pointer, the function pointer is the Exploit data;
through the processing of the conditional branch statement, if the branch statement is a sub node of a loop or a judged conditional branch statement, the variable is the explicit data.
In at least one embodiment of the present invention, performing control flow analysis and pointer analysis on the initial critical data to obtain accurate critical data includes:
301, obtaining the control flow information by analyzing the initial key data through a control flow, wherein the control flow information comprises an in-process program execution process and an inter-process function jump process;
it should be noted that, the control flow analysis is adopted to analyze the branch instructions branch, switch, and the jump instructions call, ret, etc. to obtain the control flow information, and further obtain the data transfer process and the function jump process.
it should be noted that, the pointer is analyzed by using pointer analysis, and a relationship between the pointer and the variable address pointed to by the pointer is established, so as to obtain a target set pointed to by the pointer.
And 303, replacing the pointer in the initial key data with the target set pointed in the pointer pointing information to obtain accurate key data.
In at least one embodiment of the present invention, the pointer analysis employs an Anderson pointer analysis algorithm.
It should be noted that, an Andersen (Andersen) pointer analysis algorithm is used to mark and track pointers or references in the code, and find out the set of targets that the pointer in the program may point to, and the variables pointed to by the same pointer use the same label. The analysis object of the Anderson pointer analysis algorithm comprises Unseal data and explicit data for identifying indirect calling target addresses, return addresses and the like.
In at least one embodiment of the present invention, the tag bits of the tag are 3 bits since the tag number is related to the data classification.
It should be noted that the existing DFI uses 16 bits as the tag bits. According to different functions of data in the memory attack, the 3-bit tag bit is designed according to the category of the key data, so that the space overhead is greatly reduced, and the performance loss is reduced during operation.
In at least one embodiment of the invention, since the critical data is classified into three types according to different roles of the data in the memory attack, and the category of each data can be determined by static analysis. An anomaly is generated because malicious behavior of an attacker alters the class of data. It is therefore desirable to design tags according to the category of critical data.
Specifically, the runtime tag and the legal tag are represented by three bits and binary:
001: representing this data as Unsemace data
010: represents this data as the explicit data
100: indicating that the data is Input data
The label value of the final data is the sum of the three. The common variable labels are all denoted by 000.
The embodiment discloses a section of actual code for attack detection:
1:int main(){
2:char*dfibuf;
3:char buffer[1024];
4:socketConnet();
5:read(client_sockfd,buffer,1024);
6:static void(*pfun2)();
7:static void(*pfun1)();
8:static char*tmpfile,aa[16],*tmpfile1;
9:static void(*pfun)();
10:tmpfile=aa;
11:tmpfile1=aa;
12:static char bb[16];
13:static void(*pfun3)();
14:pfun=pPp;
15:memcpy(aa,buffer,32);
16:(*pfun)();
17:}
fig. 4 is a schematic diagram of an attack detection example according to an embodiment of the present invention, and referring to fig. 4 and the above codes, whether aa and pfin are explicit data, aa or unscafe data is obtained through static analysis, and is protected through a mechanism of adding a tag and checking the tag. Both uninitialized static variables and global variables exist in the bss data segment, so both the variable array aa and the function pointer pfun are stored in the bss segment. When the array aa is written in the 15 th row, its tag is set to 011 in the address tag correspondence table. Writing function pointer pfun in 14 rows, setting tag to be 010, checking tag of pfun in the process of reading function pointer in 16 rows, wherein legal tag of pfun is 010, but as array aa overflows to cover the corresponding memory of pfun, tag corresponding to memory address of pfun is 011 at this time, and does not belong to legal tag set, so error is checked, error is prompted, and program operation is terminated.
Fig. 5 is a flowchart of a method for monitoring a memory data corruption attack according to an embodiment of the present invention. First, a source program is acquired. In the static analysis stage, multiple stages of static dataflow analysis are used to identify critical data. In the code instrumentation phase, a specific tag value is calculated for each datum based on the identified key datum. And (3) implementing read-write inspection of the data tag by inserting the source code program, inserting a tag setting instruction before a memory write instruction, and inserting a tag inspection instruction before a memory read instruction. When a function return instruction is encountered, a label is added at the head of the function, a function pointer is protected, and an instruction for checking the label is added at the tail of the function, so that the return address is ensured not to be modified. And for the function call instruction, obtaining information such as a function name, a function parameter and the like. For the function parameter, if the function parameter is a common function call, the peg insertion is carried out on the memory read-write in the function parameter transmission process, and if the function parameter is not the common function call, the operation is not carried out. Particularly, for an indirect call instruction, a pointer pointing set of an indirect call function needs to be obtained according to pointer analysis, a legal tag corresponding to each pointed function pointer is solved, tag check is added before the indirect call instruction, and finally an executable file is obtained.
And running the executable file, and calculating and storing a corresponding running label when encountering a memory writing instruction. When a memory read instruction is encountered, a runtime tag corresponding to key data in the memory read instruction is obtained. Then, carrying out label check, and if the label value is consistent with a legal label value obtained by static analysis, continuing to execute the program; if not, an error is reported to terminate the program execution. When the function return instruction and the function call instruction are encountered, the corresponding label checking operation is also executed.
The following describes the monitoring device for the memory data corruption attack provided by the present invention, and the monitoring device for the memory data corruption attack described below and the monitoring method for the memory data corruption attack described above can be referred to each other correspondingly. As shown in fig. 6, the apparatus for monitoring memory data corruption attack of the present invention includes:
the static analysis module 601 is used for performing static analysis on the memory data to obtain key data;
a code instrumentation module 602, configured to insert a tag check instruction before a memory read instruction, a function call instruction, and a function return instruction of the memory data, and insert a tag setting instruction before a memory write instruction of the memory data, so as to obtain an executable file of the memory data;
the tag checking module 603 is configured to execute the executable file, and perform tag checking according to the tag checking instruction of the memory read instruction, the function call instruction, and the function return instruction of the key data.
According to the monitoring device for the memory data damage attack, provided by the embodiment of the invention, the amount of protected data is reduced by locking the key data in the memory data, a data flow integrity defense mechanism based on the key data is provided, and the memory data damage attack is monitored more efficiently when a program runs.
In at least one embodiment of the present invention, the performing tag checking according to the tag checking instruction of the memory read instruction includes:
if the running label of the key data of the memory read instruction is consistent with the legal label, the attack is not found, and the execution is continued; if not, the attack is found and the execution is stopped.
In at least one embodiment of the present invention, the performing tag checking according to the tag checking instruction of the function call instruction and the function return instruction includes:
for a function return instruction, adding a label at the head of the function to protect a function pointer, adding an instruction for checking the label at the tail of the function, and if the label is consistent with the label for protecting the function pointer when the function return instruction runs, not finding an attack; if not, then an attack is discovered.
For the function call instruction, if the label of the function pointer of the indirect call instruction is in the corresponding legal label, no attack is found; if not, an attack is discovered.
In at least one embodiment of the present invention, the statically analyzing the memory data to obtain the key data includes:
performing data flow analysis on the memory data to obtain initial key data;
performing control flow analysis and pointer analysis on the initial key data to obtain accurate key data, wherein the accurate key data comprises control flow information and pointer pointing information of the initial key data;
and performing key data propagation analysis according to the data dependency relationship between the initial key data and the accurate key data to obtain the key data.
In at least one embodiment of the present invention, the initial critical data includes three types, which are:
the pointer of the over-operation and the parameters of the vulnerable function are carried out;
user input and external data received in the web application;
conditional branch parameters, loop judgment parameters, library function parameters, system call parameters, function pointers, indirect call target addresses, and return addresses.
In at least one embodiment of the present invention, the performing a control flow analysis and a pointer analysis on the initial critical data to obtain accurate critical data includes:
analyzing the initial key data by a control flow to obtain control flow information, wherein the control flow information comprises an in-process program execution process and an inter-process function jumping process;
analyzing the control flow information by a pointer to obtain the pointer pointing information;
and replacing the pointer in the initial key data with the target set pointed in the pointer pointing information to obtain accurate key data.
In at least one embodiment of the present invention, the pointer analysis employs an Anderson pointer analysis algorithm.
Compared with the prior art, the method adopts a more accurate multi-stage static analysis process, so that the analysis result is more accurate, and the redundant information is less. In the embodiment, the RIPE, CVE-2002-.
TABLE 2 RIPE monitoring results
| Defense mechanism | Total number of attacks | Number of successful defenses | Rate of success monitoring |
| DFI | 850 | 663 | 78.00% |
| The invention | 850 | 769 | 90.47% |
Because the protected data set is reduced, the invention is designed to reduce the frequency of runtime checks, thereby reducing the performance overhead during checks. Embodiments of the present invention were tested using SPEC2000, and as shown in Table 3, the overhead was about 10%.
TABLE 3 evaluation results of SPEC2000
Fig. 7 illustrates a physical structure diagram of an electronic device, and as shown in fig. 7, the electronic device may include: a processor (processor)710, a communication Interface (Communications Interface)720, a memory (memory)730, and a communication bus 740, wherein the processor 710, the communication Interface 720, and the memory 730 communicate with each other via the communication bus 740. The processor 710 may call logic instructions in the storage 730 to perform a method for monitoring memory data corruption attacks, the method comprising:
performing static analysis on the memory data to obtain key data;
inserting a tag checking instruction before a memory reading instruction, a function calling instruction and a function returning instruction of the memory data, and inserting a tag setting instruction before a memory writing instruction of the memory data to obtain an executable file of the memory data;
and executing the executable file, and performing label inspection according to the label inspection instruction of the memory read instruction, the function call instruction and the function return instruction of the key data.
In addition, the logic instructions in the memory 730 can be implemented in the form of software functional units and stored in a computer readable storage medium when the software functional units are sold or used as independent products. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
In another aspect, the present invention further provides a computer program product, where the computer program product includes a computer program, the computer program can be stored on a non-transitory computer readable storage medium, and when the computer program is executed by a processor, a computer can execute the method for monitoring the memory data corruption attack provided by the above methods, where the method includes:
inserting a tag checking instruction before a memory reading instruction, a function calling instruction and a function returning instruction of the memory data, and inserting a tag setting instruction before a memory writing instruction of the memory data to obtain an executable file of the memory data;
and executing the executable file, and performing label inspection according to the label inspection instruction of the memory read instruction, the function call instruction and the function return instruction of the key data.
In yet another aspect, the present invention also provides a non-transitory computer-readable storage medium, on which a computer program is stored, the computer program, when executed by a processor, implementing a method for monitoring memory data corruption attacks provided by the above methods, the method comprising:
inserting a tag checking instruction before a memory reading instruction, a function calling instruction and a function returning instruction of the memory data, and inserting a tag setting instruction before a memory writing instruction of the memory data to obtain an executable file of the memory data;
and executing the executable file, and performing label inspection according to the label inspection instruction of the memory read instruction, the function call instruction and the function return instruction of the key data.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. Based on the understanding, the above technical solutions substantially or otherwise contributing to the prior art may be embodied in the form of a software product, which may be stored in a computer-readable storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the various embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.
Claims (10)
1. A monitoring method for memory data corruption attack is characterized by comprising the following steps:
performing static analysis on the memory data to obtain key data;
inserting a tag checking instruction before a memory reading instruction, a function calling instruction and a function returning instruction of the memory data, and inserting a tag setting instruction before a memory writing instruction of the memory data to obtain an executable file of the memory data;
and executing the executable file, and performing label inspection according to the label inspection instruction of the memory read instruction, the function call instruction and the function return instruction of the key data.
2. The method for monitoring the memory data corruption attack according to claim 1, wherein the statically analyzing the memory data to obtain the key data comprises:
performing data flow analysis on the memory data to obtain initial key data;
performing control flow analysis and pointer analysis on the initial key data to obtain accurate key data, wherein the accurate key data comprises control flow information and pointer pointing information of the initial key data;
and performing key data propagation analysis according to the data dependency relationship between the initial key data and the accurate key data to obtain the key data.
3. The method for monitoring memory data corruption attack according to claim 2, wherein the initial critical data comprises three categories, respectively:
the pointer of the over-operation and the parameters of the vulnerable function are carried out;
user input and external data received in the web application;
conditional branch parameters, loop judgment parameters, library function parameters, system call parameters, function pointers, indirect call target addresses, and return addresses.
4. The method for monitoring the memory data corruption attack according to claim 2, wherein the performing control flow analysis and pointer analysis on the initial key data to obtain accurate key data comprises:
analyzing the initial key data by a control flow to obtain control flow information, wherein the control flow information comprises an in-process program execution process and an inter-process function jumping process;
pointer analysis is carried out on the control flow information to obtain pointer pointing information;
and replacing the pointer in the initial key data with the target set pointed in the pointer pointing information to obtain accurate key data.
5. The method for monitoring the memory data corruption attack according to claim 4 wherein said pointer analysis employs an Anderson pointer analysis algorithm.
6. The method for monitoring the memory data corruption attack according to any one of claims 1 to 5, wherein the tag check according to the tag check instruction of the memory read instruction comprises:
if the running label of the key data of the memory read instruction is consistent with the legal label, no attack is found; if not, then an attack is discovered.
7. A monitoring device for memory data corruption attacks, comprising:
the static analysis module is used for carrying out static analysis on the memory data to obtain key data;
a code instrumentation module, configured to insert a tag check instruction before a memory read instruction, a function call instruction, and a function return instruction of the memory data, and insert a tag setting instruction before a memory write instruction of the memory data, to obtain an executable file of the memory data;
and the tag checking module is used for executing the executable file and checking tags according to the tag checking instruction of the memory reading instruction, the function calling instruction and the function returning instruction of the key data.
8. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method for monitoring memory data corruption attacks according to any one of claims 1 to 6 when executing the program.
9. A non-transitory computer readable storage medium having a computer program stored thereon, wherein the computer program, when executed by a processor, implements the method for monitoring memory data corruption attack according to any one of claims 1 to 6.
10. A computer program product comprising a computer program, wherein the computer program, when executed by a processor, implements a method for monitoring memory data corruption attacks according to any of the claims 1 to 6.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210253761.2A CN114707143A (en) | 2022-03-15 | 2022-03-15 | Method and device for monitoring damage attack of memory data |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210253761.2A CN114707143A (en) | 2022-03-15 | 2022-03-15 | Method and device for monitoring damage attack of memory data |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN114707143A true CN114707143A (en) | 2022-07-05 |
Family
ID=82169776
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210253761.2A Pending CN114707143A (en) | 2022-03-15 | 2022-03-15 | Method and device for monitoring damage attack of memory data |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114707143A (en) |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP1870829A1 (en) * | 2006-06-23 | 2007-12-26 | Microsoft Corporation | Securing software by enforcing data flow integrity |
| KR20180039830A (en) * | 2016-10-11 | 2018-04-19 | 서울대학교산학협력단 | Apparatus and method for detecting code reuse attack |
| CN108090346A (en) * | 2017-12-04 | 2018-05-29 | 华中科技大学 | A kind of code reuse attack defense method and system based on data stream monitoring |
| CN112906015A (en) * | 2021-01-26 | 2021-06-04 | 浙江大学 | Memory sensitive data encryption protection system based on hardware tag |
| WO2021248665A1 (en) * | 2020-06-08 | 2021-12-16 | 西安电子科技大学 | Sgx side channel attack defense method and system, and medium, program and application |
-
2022
- 2022-03-15 CN CN202210253761.2A patent/CN114707143A/en active Pending
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP1870829A1 (en) * | 2006-06-23 | 2007-12-26 | Microsoft Corporation | Securing software by enforcing data flow integrity |
| CN101473300A (en) * | 2006-06-23 | 2009-07-01 | 微软公司 | Securing software by enforcing data flow integrity |
| KR20180039830A (en) * | 2016-10-11 | 2018-04-19 | 서울대학교산학협력단 | Apparatus and method for detecting code reuse attack |
| CN108090346A (en) * | 2017-12-04 | 2018-05-29 | 华中科技大学 | A kind of code reuse attack defense method and system based on data stream monitoring |
| WO2021248665A1 (en) * | 2020-06-08 | 2021-12-16 | 西安电子科技大学 | Sgx side channel attack defense method and system, and medium, program and application |
| CN112906015A (en) * | 2021-01-26 | 2021-06-04 | 浙江大学 | Memory sensitive data encryption protection system based on hardware tag |
Non-Patent Citations (2)
| Title |
|---|
| YUN JONGHYEON: "Disk Triboelectric Nanogenerator‐Based Nonvolatile Memory toward Smart Identification System", 《 ADVANCED FUNCTIONAL MATERIALS》, 2 May 2021 (2021-05-02) * |
| 马梦雨: "内存数据污染攻击和防御综述", 《信息安全学报》, 15 October 2017 (2017-10-15), pages 82 - 98 * |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109583200B (en) | Program abnormity analysis method based on dynamic taint propagation | |
| CN109643345B (en) | Techniques for deterministic code stream integrity protection | |
| US8117660B2 (en) | Secure control flows by monitoring control transfers | |
| JP7154365B2 (en) | Methods for securing software code | |
| Kalysch et al. | VMAttack: deobfuscating virtualization-based packed binaries | |
| CN110909358A (en) | Shaping vulnerability detection method based on dynamic and static analysis | |
| CN109101815B (en) | Malicious software detection method and related equipment | |
| US8775826B2 (en) | Counteracting memory tracing on computing systems by code obfuscation | |
| CN111723345B (en) | Callback function-based control flow obfuscation method and system | |
| US20160171213A1 (en) | Apparatus and method for controlling instruction execution to prevent illegal accesses to a computer | |
| US11210402B2 (en) | Gate-level information flow security | |
| CN111881449B (en) | Auxiliary analysis method and device for malicious codes | |
| US11868465B2 (en) | Binary image stack cookie protection | |
| CN114756856A (en) | Code reuse attack defense method based on function dynamic loading | |
| Wang et al. | Tunter: assessing exploitability of vulnerabilities with taint-guided exploitable states exploration | |
| Kim et al. | Polymorphic attacks against sequence-based software birthmarks | |
| US11256786B2 (en) | Method to secure a software code | |
| CN113419960B (en) | Seed generation method and system for kernel fuzzy test of trusted operating system | |
| CN114707143A (en) | Method and device for monitoring damage attack of memory data | |
| CN111898120B (en) | Control flow integrity protection method and device | |
| US20220335135A1 (en) | Vulnerability analysis and reporting for embedded systems | |
| CN114637988A (en) | Binary-oriented function level software randomization method | |
| KR102421394B1 (en) | Apparatus and method for detecting malicious code using tracing based on hardware and software | |
| CN115237748A (en) | Symbol execution method based on feedback increment driving | |
| Ding et al. | Automatic Removal of Buffer Overflow Vulnerabilities in C/C++ Programs. |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |