CN115525890A - Program protection method, detector, electronic device, and storage medium - Google Patents

Program protection method, detector, electronic device, and storage medium Download PDF

Info

Publication number
CN115525890A
CN115525890A CN202110711467.7A CN202110711467A CN115525890A CN 115525890 A CN115525890 A CN 115525890A CN 202110711467 A CN202110711467 A CN 202110711467A CN 115525890 A CN115525890 A CN 115525890A
Authority
CN
China
Prior art keywords
instruction
legal
instructions
detector
target
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110711467.7A
Other languages
Chinese (zh)
Inventor
张吉良
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hunan University
Tencent Technology Shenzhen Co Ltd
Original Assignee
Hunan University
Tencent Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hunan University, Tencent Technology Shenzhen Co Ltd filed Critical Hunan University
Priority to CN202110711467.7A priority Critical patent/CN115525890A/en
Publication of CN115525890A publication Critical patent/CN115525890A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/54Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by adding security routines or objects to programs
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90Details of database functions independent of the retrieved data types
    • G06F16/901Indexing; Data structures therefor; Storage structures
    • G06F16/9024Graphs; Linked lists
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90Details of database functions independent of the retrieved data types
    • G06F16/903Querying
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/554Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00Arrangements for software engineering
    • G06F8/30Creation or generation of source code
    • G06F8/36Software reuse

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Computer Hardware Design (AREA)
  • Computational Linguistics (AREA)
  • Storage Device Security (AREA)

Abstract

The application provides a program protection method, a detector, an electronic device and a computer readable storage medium; the method comprises the following steps: loading a plurality of instructions to be executed of a program from a memory, identifying non-branch instructions and branch instructions from the plurality of instructions, and acquiring addresses carried by the branch instructions; reading the address prerecorded by aiming at the branch instruction from an index table in the detector, and comparing the address with the address carried by the branch instruction; taking the non-branch instruction and the branch instruction which is consistent in comparison as legal instructions, and storing the legal instructions into a waiting linked list in a detector; and connecting the legal instructions in the waiting linked list according to the corresponding execution sequence, and sending the legal instructions to the processor for execution. By the method and the device, code attack aiming at the program can be effectively prevented on the basis of reducing implementation cost.

Description

Program protection method, detector, electronic device, and storage medium
Technical Field
The present application relates to the field of computer security technologies, and in particular, to a program protection method, a detector, an electronic device, and a computer-readable storage medium.
Background
The electronic device may suffer from code reuse attacks during program execution. The code multiplexing attack achieves the purpose of malice by hijacking the control flow executed by the program, and brings great threat to the safety of the electronic equipment.
Related technologies are roughly divided into a hardware-based defense technology and a software-based defense technology, but the two related technologies can only defend a rather limited code multiplexing attack and both have respective limitations, for example, software-based defense methods both need to modify a program compiler, have high performance overhead and have high cost of being deployed on actual electronic equipment; the defense method based on hardware usually needs to expand an instruction set architecture and modify a compiler, so that the complexity of implementation is increased, and the stability is poor. Therefore, the technical scheme for preventing the code reuse attack is high in implementation cost and low in efficiency and stability.
Disclosure of Invention
Embodiments of the present application provide a method for protecting a program, a detector, an electronic device, and a computer-readable storage medium, which can effectively protect against various code attacks during program execution on the basis of reducing implementation cost.
The technical scheme of the embodiment of the application is realized as follows:
the embodiment of the application provides a program protection method, which is applied to a detector, wherein the detector is electrically connected with a memory and a processor, and the method comprises the following steps:
loading a plurality of instructions to be executed of the program from the memory, identifying non-branch instructions and branch instructions from the plurality of instructions, and acquiring addresses carried by the branch instructions;
reading the address prerecorded by aiming at the branch instruction from an index table in the detector, and comparing the address with the address carried by the branch instruction;
taking the non-branch instruction and the branch instruction which is consistent in comparison as a legal instruction, and storing the legal instruction into a waiting linked list in the detector;
and connecting the legal instructions in the waiting linked list according to the corresponding execution sequence, and sending the legal instructions to a processor for execution.
The embodiment of the application provides a detector, wherein the detector is electrically connected with a memory and a processor; the detector comprises:
the index table module is used for loading a plurality of instructions to be executed of a program from a memory, identifying non-branch instructions and branch instructions from the plurality of instructions, and acquiring addresses carried by the branch instructions; reading the address prerecorded by aiming at the branch instruction from an index table in a detector, and comparing the address with the address carried by the branch instruction; taking the non-branch instruction and the branch instruction which is consistent in comparison as legal instructions, and storing the legal instructions into a waiting linked list in the detector;
and the waiting linked list module is used for connecting the legal instructions in the waiting linked list according to the corresponding execution sequence and sending the legal instructions to the processor for execution.
An embodiment of the present application provides an electronic device, including:
a processor, a memory, and a detector; wherein,
the detector is electrically connected with the memory and the processor, and is used for realizing the protection method of the program provided by the embodiment of the application.
The embodiment of the application provides a computer-readable storage medium, which stores executable instructions and is used for realizing the protection method of the program provided by the embodiment of the application when being executed.
The embodiment of the application has the following beneficial effects:
the detector detects the validity of the branch instruction through the index table of the detector, thereby efficiently preventing the execution of various illegal instructions such as code multiplexing attacks without modifying the compiler and the instruction set of the operating electronic equipment; the waiting linked list of the detector stores the legal instructions and connects the legal instructions according to the execution sequence, thereby providing buffer time, reducing the risk of program execution errors and improving the stability of program execution.
Drawings
Fig. 1 is a schematic architecture diagram of an electronic device according to an embodiment of the present application;
FIG. 2 is a schematic diagram of another architecture of an electronic device according to an embodiment of the present application;
FIG. 3 is a flowchart illustrating a method for protecting a program according to an embodiment of the present application;
FIGS. 4A-4B are diagrams of index table styles provided by embodiments of the present application;
FIG. 5 is a flowchart illustrating a branch instruction address matching method according to an embodiment of the present disclosure;
FIG. 6 is a diagram illustrating a structure of a wait list according to an embodiment of the present application;
FIG. 7 is a diagram illustrating a state change of store instructions for each chain of a wait list according to an embodiment of the present application;
fig. 8 is a flowchart illustrating a manner of creating an index table according to an embodiment of the present application;
FIG. 9 is a flowchart illustrating a branch instruction writing to an index table according to an embodiment of the present application;
fig. 10 is a schematic flowchart of a group capacity setting manner provided by an embodiment of the present application;
FIG. 11 is a schematic diagram of a group number setting provided by an embodiment of the present application;
FIG. 12 is a flowchart illustrating a method for protecting a program according to an embodiment of the present application;
FIG. 13 is a block diagram of a detector according to an embodiment of the present disclosure;
FIG. 14 is a diagram of a wait list according to an embodiment of the present application;
fig. 15 is a schematic diagram of a code multiplexing attack detection experimental apparatus provided in an embodiment of the present application;
fig. 16 is a schematic diagram illustrating a time overhead result of the detector provided in the embodiment of the present application.
Detailed Description
In order to make the objectives, technical solutions and advantages of the present application clearer, the present application will be described in further detail with reference to the attached drawings, the described embodiments should not be considered as limiting the present application, and all other embodiments obtained by a person of ordinary skill in the art without creative efforts shall fall within the protection scope of the present application.
In the following description, reference is made to "some embodiments" which describe a subset of all possible embodiments, but it is understood that "some embodiments" may be the same subset or different subsets of all possible embodiments, and may be combined with each other without conflict.
Where similar language of "first/second" appears in the specification, the following description is added, and where reference is made to the term "first \ second \ third" merely for distinguishing between similar items and not for indicating a particular ordering of items, it is to be understood that "first \ second \ third" may be interchanged both in particular order or sequence as appropriate, so that embodiments of the application described herein may be practiced in other than the order illustrated or described herein.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used herein is for the purpose of describing embodiments of the present application only and is not intended to be limiting of the application.
Before further detailed description of the embodiments of the present application, terms and expressions referred to in the embodiments of the present application will be described, and the terms and expressions referred to in the embodiments of the present application will be used for the following explanation.
1) Code Reuse Attack (CRA, code Reuse attach): the attack technology of the malicious target is realized by utilizing the existing code fragments of the program and reordering the fragments into a chain with a specific function.
2) Control Flow Integrity (CFI): by limiting control transfer in program operation, the operation of the instruction of the program is always within the range limited by the control flow graph of the original design of the program.
3) Instruction Set Architecture (ISA): also known as an instruction set or instruction set architecture, is the part of the computer architecture that is relevant to programming, including basic data types, instruction sets, registers, addressing modes, storage hierarchy, interrupts, exception handling, and external Input/Output (I/O). The instruction set architecture includes a series of operation codes (opcodes) and basic commands that are executed by a particular processor.
4) Instruction (Instruction): is a command that instructs a computer to perform an operation, and the instructions are stored in memory in binary code, i.e., the instructions are a fixed length 01 sequence. An instruction is typically composed of two parts: an opcode and an address code, wherein the opcode is used to specify the type or nature of the operation to be performed by the instruction, such as fetch, add, or output data; the address code is used to indicate the content of the operation object or the address of the storage unit (such as a memory) where the operation object is located.
Additionally, due to the sequential execution of the instructions, execution of the program will be completed. To illustrate the execution of an instruction, the instruction is first fetched and analyzed. According to the order prescribed by the program, the currently executed instruction is fetched from the memory and sent to the instruction register of the processor, and the fetched instruction is analyzed, namely the operation is determined according to the operation code in the instruction. The second is to execute the instruction. Based on the instruction analysis, a series of control potentials are sent by the processor to perform the operation, so as to direct the relevant components of the electronic device to perform the operation, and to provide for the removal of an instruction.
5) Field-Programmable Gate Array (FPGA): the semi-custom circuit belongs to a semi-custom circuit in an application-specific integrated circuit, is a programmable logic array, and can effectively solve the problem that the number of gate circuits of the original device is small. The basic structure of the FPGA comprises a programmable input/output unit, a configurable logic block, a digital clock management module, an embedded block Random Access Memory (RAM), a wiring resource, an embedded special hard core and a bottom layer embedded functional unit.
In the related art, the protection of the program is realized by adopting a software-assisted mode and a hardware-assisted mode. In the software-assisted program protection method, code reuse attack is prevented by modifying program source codes, so that the method usually brings high performance overhead and high deployment cost. While the program protection method based on hardware assistance can effectively reduce performance overhead, the instruction set architecture still needs to be expanded and a compiler needs to be modified, and the stability is poor. In addition, most related program protection methods (or code multiplexing attack protection methods) have a common problem that only certain types of code multiplexing attacks can be protected.
Based on this, embodiments of the present application provide a method for protecting a program, a detector, an electronic device, and a computer-readable storage medium, which can monitor a branch instruction through an index table in the detector, and ensure that a processor of the electronic device can only execute a legal instruction, thereby preventing execution of various types of attack instructions and effectively protecting against program attacks.
First, an electronic device provided in an embodiment of the present application is described, referring to fig. 1, fig. 1 is a schematic structural diagram of the electronic device provided in the embodiment of the present application, an electronic device 100 includes a memory 200, a detector 300 and a processor 400, and the detector 300 is electrically connected to the memory 200 and the processor 400.
In some embodiments, the processor may be various general purpose processors such as a central processing unit CPU, a Microprocessor (MCU); the memory can be various Random Access Memories (RAMs), such as DRAMs, SRAMs, etc.; the detector may be implemented using a dedicated processor, such as an ASIC, DSP, programmable Logic Device (PLD), complex Programmable Logic Device (CPLD), FPGA.
In some embodiments, the detector may use various Read Only Memories (ROM), RAM or a combination of both to store necessary data such as a Wait chain list (DWL), an index table, the ROM or RAM may be integrated into the detector, or may be a Memory separate from the detector and integrated with the detector on the same on-chip electronic device (SOC), such as FLASH Memory (FLASH). Wherein, the ROM is adopted to store the index table, so that the power-off storage can be maintained.
In some embodiments, the electronic device may be a terminal device or a server. The terminal device may be, but is not limited to, a laptop computer, a tablet computer, a desktop computer, a smart phone, a dedicated messaging device, a portable game device, a smart speaker, a smart watch, and the like. The server may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as cloud service, a cloud database, cloud computing, a cloud function, cloud storage, network service, cloud communication, middleware service, domain name service, security service, content Delivery Network (CDN), big data and an artificial intelligence platform.
The memory 200 is used for receiving a request for a load instruction sent from the processor 400 and is also used for storing a plurality of instructions of a program to be executed.
A detector 300, configured to load a plurality of instructions to be executed of a program from the memory 200, identify a non-branch instruction and a branch instruction from the plurality of instructions, and obtain an address carried by the branch instruction; reading the address prerecorded by the branch instruction from the index table of the detector, and comparing the address with the address carried by the branch instruction; taking the non-branch instruction and the branch instruction which is consistent in comparison as legal instructions, and storing the legal instructions into a waiting linked list in a detector; and connecting the legal instructions in the waiting chain table according to the corresponding execution sequence, and sending the legal instructions to the processor 400 for execution.
And a processor 400, configured to receive the legal instruction sent by the detector 300 through the wait chain table, and execute the legal instruction obtained from the detector according to a normal program execution order.
The detector 300 is further configured to interrupt program execution and send an interrupt request to the processor 400 when detecting that an illegal instruction exists in a plurality of instructions to be executed in the program loaded from the memory 200.
Taking an electronic device as an example, continuing to describe the electronic device provided in the embodiment of the present application, referring to fig. 2, based on fig. 1, fig. 2 is another schematic diagram of an architecture of the electronic device provided in the embodiment of the present application, and on the basis of the electronic device 100 shown in fig. 1, the electronic device may further include: at least one processor 400, a memory 200, a detector 300, at least one network interface 500, and a user interface 600. The various components in electronic device 100 are coupled together by a bus 700. It is understood that the bus system 700 is used to enable connected communication between these components. The bus system 700 includes a power bus, a control bus, and a status signal bus in addition to a data bus. For clarity of illustration, however, the various buses are labeled as bus system 700 in fig. 2.
The Processor 400 may be an integrated circuit chip having Signal processing capabilities, such as a general purpose Processor, a Digital Signal Processor (DSP), or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like, wherein the general purpose Processor may be a microprocessor or any conventional Processor, or the like.
The user interface 600 includes one or more output devices 601, including one or more speakers and/or one or more visual display screens, that enable the presentation of media content. The user interface 600 also includes one or more input devices 602 including user interface components to facilitate user input, such as a keyboard, mouse, microphone, touch screen display screen, camera, other input buttons and controls.
The memory 200 may be removable, non-removable, or a combination thereof. Exemplary hardware devices include solid state memory, hard disk drives, optical disk drives, and the like. Memory 200 optionally includes one or more storage devices physically located remote from processor 400.
The memory 200 includes both volatile and nonvolatile memory, and may also include both volatile and nonvolatile memory. The non-volatile memory may be a read only memory ROM and the volatile memory may be a random access memory RAM. The memory 200 described in embodiments herein is intended to comprise any suitable type of memory.
In some embodiments, memory 200 is capable of storing data to support various operations, examples of which include programs, modules, and data structures, or subsets or supersets thereof, as exemplified below.
An operating system 201 including system programs for processing various basic system services and performing hardware-related tasks, such as a framework layer, a core library layer, a driver layer, and the like, for implementing various basic services and processing hardware-based tasks;
a network communication module 202 for reaching other computing devices via one or more (wired or wireless) network interfaces 500, an exemplary network interface 500 comprising: bluetooth, wireless compatibility authentication (WiFi), and Universal Serial Bus (USB), etc.;
a presentation module 203 for enabling presentation of information (e.g., a user interface for operating peripherals and displaying content and information) via one or more output devices 601 (e.g., display screens, speakers, etc.) associated with the user interface 600;
an input processing module 204 for detecting one or more user inputs or interactions from one of the one or more input devices 602 and translating the detected inputs or interactions.
The detector 300 may be removable. In some embodiments, the detector is capable of performing a validity check on the branch instruction, and is also capable of storing data. The system comprises the following modules: the index table module 301 and the waiting linked list module 302 may be different logically divided logical function modules, or different hardware function modules divided from a hardware layer, and therefore may be arbitrarily combined or further split according to the realized functions. The functions of the respective modules will be explained below.
Next, a method for protecting a program provided in an embodiment of the present application will be described. In some embodiments, the method for protecting a program provided by the embodiments of the present application is implemented by a detector in an electronic device. Referring to fig. 3, fig. 3 is a schematic flowchart of a protection method for a program according to an embodiment of the present application, and is described with reference to the steps shown in fig. 3.
In step 101, the detector loads a plurality of instructions to be executed of the program from the memory, identifies a non-branch instruction and a branch instruction from the plurality of instructions, and obtains an address carried by the branch instruction.
For example, a branch instruction may alter the execution flow of a program or call a subroutine, the branch instruction allowing a program to use the structure and loops of the subroutine, if-then-else. Wherein the change in execution flow forces a program counter in the processor to point to a new address. Common branch instruction types include jump (jump), call (call), or return (return), among others.
In actual implementation, the program is compiled into an executable file before being executed by the processor, and the executable file includes a series of sets of instructions and data. When the program is started, the processor loads the instructions in the executable file to the memory. Then, the detector loads a plurality of instructions to be executed of the program from the memory, identifies branch instructions and non-branch instructions, continues to execute subsequent detection operations based on address information carried by the branch instructions, sends the detected instructions to the processor as legal instructions to be executed, for example, sends the legal instructions to a processor cache, and reads and executes the legal instructions from the cache by the processor.
The pattern of the instruction loaded from the memory by the detector is explained, and based on the protection method of the program provided by the embodiment of the application, the pattern of the instruction loaded from the memory by the detector is related to the pattern of the index table in the detector. In some embodiments, when the index table in the detector does not include a group number, the instruction loaded from memory is an initial instruction after the program is compiled. In some embodiments, when the group number is included in the index table, the detector detects a plurality of instructions to be executed of the program loaded from the memory, which are not initial instructions after the program is compiled, but are instructions after the detector updates, all branch instructions in the instructions carry the group number, and the group number carried by the branch instructions is added in the creation stage of the index table. The specific process of creating the index table will be described in detail in the subsequent steps.
In step 102, the address prerecorded for the branch instruction is read from the index table in the detector and compared with the address carried by the branch instruction.
For example, the index table in the detector is generated in advance, the index table stores addresses prerecorded for the branch instruction, and the index table records the addresses included by the branch instruction, wherein the types of the addresses include a storage address and a target address.
An Index table, also called a Branch Instruction Index (BID) table, is illustrated, and is a two-dimensional Index table. Fig. 4A-4B are schematic diagrams of index table styles provided by embodiments of the present application. Referring to fig. 4A, the index table includes a plurality of rows, each row including a Target Address (Target Address) of a branch instruction and at least one memory Address (Current Address), which is also referred to as a Current Address. The first column of the index table is used for storing a target address corresponding to the branch instruction, which may be denoted as ADDR Ti Wherein i is the index of the row where the target address is located, and when i is 1, ADDR Ti In particular ADDR T1 And indicates the target address of line 1. The other columns of the row where each target address is located are used to store the memory address corresponding to the branch instruction, which may be denoted as ADDR Ti-Cj Wherein j is an integer, and j is 1, ADDR Ti-Cj In particular ADDR T1-C1 And indicates the first memory address corresponding to the target address of row 1.
In some embodiments, referring to the style of the index table illustrated in fig. 4B, the style of the index table is different from the index table in fig. 4A in that the index table is divided into a plurality of groups, each group including a plurality of rows. Thus, when the detector detects the branch instruction carrying the group number through the index table, the group number carried by the branch instruction is used as an index, and the group where the branch instruction is located is searched in the index table. The mode of searching in the index table through the group number can effectively reduce the time overhead in the checking process.
Illustratively, in fig. 4B, the index table of the detector is divided into n groups (n is an integer greater than or equal to 1), each group includes i rows (i is an integer greater than or equal to 1), i is also referred to as a group capacity, the first group includes rows 1 to i, the second group includes rows i +1 to 2i, and so on, and the nth group is rows n + i +1 to (n + 1) × i. The setting manner of the group capacity i will be described in detail below.
In some embodiments, the manner of comparing addresses is described based on the index table style shown in fig. 4A, the detector obtains target addresses carried by the branch instruction as indexes, compares the target addresses with target addresses included in each row in the index table, that is, compares the target addresses with target addresses in a first column of each row, obtains a row where the target address is located if the target addresses are consistent with the target addresses included in each row, and then continues to compare the storage address carried by the branch instruction with the storage address in the row where the target address is located. For example, the types of addresses include a memory address and a target address, the index table includes a plurality of rows, each row including the target address prerecorded for one branch instruction in the program and at least one memory address; taking a target address carried by the branch instruction as an index, comparing the target address with a target address included in each row in an index table, and taking a row where the target address carried by the branch instruction is located obtained through comparison as a target row; and comparing the storage address carried by the branch instruction with each storage address in the target row.
In other embodiments, the manner of address alignment is illustrated based on the index table pattern shown in FIG. 4B. At this time, the index table of the detector is divided into a plurality of groups, each group including a plurality of lines (the number of lines is a group capacity), and each group has a corresponding group number. When the detector detects the branch instruction loaded from the memory and carrying the group number, the group number carried by the branch instruction is used as an index, the group where the branch instruction is located is searched in the index table, and then the row where the branch instruction is located is searched according to the target address carried by the branch instruction.
For example, referring to fig. 5, fig. 5 is a schematic flowchart of a branch instruction address matching method according to an embodiment of the present disclosure, and is described with reference to the steps shown in fig. 5.
At step 1021, the detector obtains the group number carried by the branch instruction.
For example, the group number carried by the branch instruction is typically located in the instruction header (position of the header), and the length of the group number is related to the instruction set architecture of the current electronic device. The specific description of the group number will be described in the creation stage of the index table.
In step 1022, the detector determines the group corresponding to the group number from the index table of the detector according to the group number, and takes the group corresponding to the group number as the target group.
For example, the group number may be used as an index, and the group number may be compared with each group number in the index table, and when the comparison matches, the group corresponding to the group number may be determined.
In step 1023, the detector reads the target address prerecorded for the branch instruction from the target group, and compares the target address with the target address carried by the branch instruction, and the line of the target address carried by the branch instruction in the target group obtained by comparison is used as the target line.
For example, based on the target group determined in step 1022, a lookup is performed on the rows in the target group to determine the target row, indexed by the target address of the branch instruction.
Step 1024, the detector compares the storage address carried by the branch instruction with at least one storage address in the target row.
For example, the storage address carried by the branch instruction is compared with the storage addresses in other columns in the target row except the first column, and the validity of the branch instruction is determined according to the comparison result. When the comparison result is consistent, the related address information of the currently detected branch instruction exists in the index table, and the detector determines that the current branch instruction is a legal instruction.
The loop is repeated from step 1021 to step 1024 until all branch instructions carrying the group number have been detected. In the process of loop execution, when any branch instruction carrying the group number is detected to be illegal, the execution process is immediately ended.
It should be noted that the detector uses the group number carried by the branch instruction as the index, and performs the lookup in the index table shown in fig. 4B, so as to effectively reduce the time overhead in the checking process and improve the branch instruction detection efficiency.
Explaining how the group number-based lookup reduces the time overhead in the checking process from the time complexity level, the checking process of the branch instruction by the detector can be regarded as two lookups, the first lookup is to find the target address of the branch instruction in the index table, and the second lookup is to find the current address of the branch instruction. The purpose of adding the group number is to optimize the first search process, assuming that the index table has N target addresses in total, if the target address of the branch instruction is directly searched, N times of search are needed, N/2 times of search are averaged, and the complexity is O (N); dividing N target addresses into u (group number) × v (number in group) = N by adopting a grouping scheme, wherein u and v are integers which are more than or equal to 1; in this case, average search (u + v)/2 times is required, and the complexity is
Figure BDA0003133939970000061
Therefore, the index table of the detector is divided into a plurality of groups, the branch instruction carrying the group number is obtained through the index table of the detector, and then the detector searches in the index table by taking the group number carried by the branch instruction as an index, so that the time overhead in the checking process can be effectively reduced.
In some embodiments, the address carried by the branch instruction in the program is processed through the address comparison in step 102 to obtain the comparison result. And when the comparison result is inconsistent, namely when the detector does not find the address information consistent with the current branch instruction in the address prerecorded for the branch instruction in the index table, determining the current branch instruction as an illegal instruction (or attack instruction). For example, the inconsistency of the alignment includes two cases, one is inconsistency of the alignment of the target address; the other condition is that the target address is consistent in comparison and the storage address is inconsistent in comparison. It should be noted that, when the detector detects an illegal command, the execution of the program is directly interrupted for the safety of the electronic device. For example, when the comparison is inconsistent, the branch instruction inconsistent with the comparison is determined as an illegal instruction, and the execution of the program is interrupted.
It should be noted that the attack instruction is an instruction generated by reordering and recompiling the existing code segments of the currently executed program, has a specific function, and can implement a malicious attack on the electronic device. The regenerated instructions can cover legal instructions, and once the processor executes the attack instructions, the program execution flow is redirected to the address wanted by an attacker, so that the safety of the electronic device is greatly threatened. The index table provided by the embodiment of the application detects the branch instruction by a comparison method, and the branch instruction to be detected is a legal instruction only when the pre-recorded information exists in the index table, and accordingly, the attack instruction cannot find the corresponding pre-recorded information in the index table, and is different from the information in the index table necessarily, and cannot pass the verification of the index table. Thus, various attacks can be detected through the index table of the detector.
In step 103, the non-branch instruction and the compared and consistent branch instruction are taken as legal instructions, and the legal instructions are stored in the waiting linked list in the detector.
For example, the legitimate instructions include non-branch instructions in the program-executable instructions, as well as branch instructions that pass through detected by step 102.
Firstly, explaining the structure of a waiting linked list, wherein the waiting linked list comprises at least one chain, each chain comprises at least one block, and the at least one block is used for storing a plurality of legal instructions with continuous sequence numbers in a one-to-one correspondence manner. Referring to fig. 6, fig. 6 is a schematic structural diagram of a wait linked list according to an embodiment of the present disclosure, in some embodiments, the wait linked list may be a two-dimensional bidirectional linked list matrix composed of a plurality of bidirectional chains (called chains for short), where the wait linked list includes p (p is an integer greater than or equal to 1) chains, each chain has q blocks (that is, the chain capacity is q, and q is an integer greater than or equal to 1), and each block in each chain is used to store a legal instruction. These chains work independently of each other to help reduce time overhead.
In order to cope with different instruction loading modes (such as parallel loading and serial loading), the detector can carry out different preprocessing on the legal instruction when the legal instruction is stored in the waiting linked list. In some embodiments, when the hardware configuration of the electronic device is capable of satisfying the condition of instruction parallel loading, in order to reduce the time overhead of detecting the branch instruction, in step 101, the detector may load the instruction from the memory into the memory of the detector in a parallel loading manner. Since the detection of branch instructions is a time-consuming process, there may be a case where non-branch instructions in the later execution order are stored in the waiting list of the detector earlier than branch instructions in the earlier execution order, which may destroy the normal execution order of the program. In order to ensure the normal execution sequence of the program control flow, the detector performs preprocessing operation on the legal instructions, wherein the main preprocessing operation comprises adding sequence numbers to the legal instructions, wherein the sequence numbers are used for representing the execution sequence of the legal instructions in the program. For example, adding a sequence number used for representing the execution sequence of the legal instruction in the program to the legal instruction; and storing the legal instruction into a waiting linked list in the detector according to the corresponding sequence number.
In actual implementation, when the detector loads program instructions in parallel, the detector adds a sequence number to each instruction (no distinction is made between branch and non-branch instructions). The length setting of the sequence number is related to the instruction set architecture and the actual situation of the operating system run by the electronic device.
Illustratively, the current instruction set architecture for X86-64 (64-bit operating system) uses only 48 bits (48 out of 64 bits) as data storage, with 16 bits available for the header. In the case where the instruction header does not include other information, the maximum length of the sequence number cannot exceed 16 bits; when the instruction header comprises other information, the length of all information of the instruction header is ensured not to exceed 16 bits.
In other embodiments, when the hardware configuration of the electronic device cannot satisfy the parallel loading of the instructions, the detector may load the instructions from the memory into the memory of the detector in a serial loading manner, and a loading order of the instructions is consistent with an actual execution order.
The instruction loading mode is continuously explained as a mode of preprocessing the legal instruction based on the waiting linked list (i.e. a mode of adding a sequence number to the legal instruction) in the scene of parallel loading. In some embodiments, when the branch instruction loaded from the memory by the detector carries a group number, the group number is used to characterize the order of the group in which the branch instruction is located in the plurality of groups included in the index table. Note that, in this case, referring to fig. 4B, the form of the index table is divided into a plurality of groups. When the legal instruction is a branch instruction carrying a group number, and when the detector stores the branch instruction in the waiting linked list, in order to ensure that the total length of the instruction does not exceed the specified standard length in the instruction set architecture of the operating system, the detector deletes the group number carried by the branch instruction and adds a corresponding sequence number to the branch instruction. When the legal instruction is a non-branch instruction which does not carry a group number, the detector directly adds a sequence number to the legal instruction. For example, when the legal instruction is a branch instruction loaded into the memory, the detector deletes the group number carried by the legal instruction, and adds a sequence number used for representing the execution sequence of the branch instruction in the program in the legal instruction; when the legal instruction is a non-branch instruction loaded to the memory, the detector adds a sequence number in the non-branch instruction for characterizing the execution sequence of the non-branch instruction in the program.
It should be noted that, when the standard length specified in the instruction set architecture of the operating system of the current electronic device is capable of storing the group number and the serial number at the same time, the detector may not perform the group number deletion operation when storing the legal instruction in the wait chain table until the detector sends the legal instruction stored in the wait chain table to the CPU, and then the detector performs the deletion operation on the group number and the serial number carried by the branch instruction. Therefore, the calculation amount can be reduced, and the efficiency can be improved.
The specific implementation of storing the legal instructions into the waiting linked list by the detector is explained, in some embodiments, when all the links of the waiting linked list are empty links, the detector sequentially writes the legal instructions according to the order of the links; under other conditions, the detector selects a chain with chain capacity not reaching the preset chain capacity from each chain in the waiting chain table as a candidate chain, and then selects a corresponding block in a proper chain from the candidate chain according to the relation between the sequence number carried by the current legal instruction and the sequence number carried by each legal instruction stored in the candidate chain. For example, the detector performs the following for each legal instruction to be stored to the wait chain table as the first legal instruction: and selecting a chain which does not reach the preset chain capacity from the waiting chain table as a candidate chain, and aiming at a second legal instruction stored in any block of any candidate chain, when a first sequence number of the first legal instruction is continuous with a second sequence number of the second legal instruction, storing the first legal instruction in a block adjacent to any block, wherein the second legal instruction is any legal instruction stored in any block.
For example, referring to the waiting linked list shown in fig. 6, assuming that the capacity q =20 of the chain, the number of instructions currently stored in the chain 1 is 17, and the number of instructions stored in the chain 2 is 1, that is, both the chain 1 and the chain 2 are not full (that is, the preset chain capacity is not reached), when the detector is required to store a legal instruction with a sequence number of 3 into the waiting linked list, the implementation process is as follows: the method comprises the steps of obtaining a chain with the chain capacity not reaching 20 in a waiting chain table, such as a chain 1, a chain 2 and the like, taking the chain 1 and the chain 2 as candidate chains, obtaining sequence numbers of legal instructions stored in blocks in the chain 1 and the chain 2 as second sequence numbers, comparing the second sequence numbers with a first sequence number (sequence number 3) carried by the instruction to be stored respectively, and enabling a comparison result to show that a second sequence number (sequence number 2 and sequence number 4) continuous with the sequence number 3 exists in the chain 1, so that the detector can directly store the legal instruction to be stored with the sequence number 3 to an adjacent block of the block where the legal instruction corresponding to the sequence number 2 is located.
In some embodiments, when a serial number continuous with a serial number carried by a legal instruction to be stored does not exist in a selected target chain, a block corresponding to the legal instruction to be stored is determined according to the serial number of the current legal instruction to be stored. For example, for each legal instruction of the wait chain table to be stored in the detector as the first legal instruction, the following processing is performed: selecting a chain which does not reach the preset chain capacity from a waiting chain table of a detector as a candidate chain, aiming at a second legal instruction stored in any block of any candidate chain, determining a sequence number interval of each candidate chain when a second sequence number of the second legal instruction is discontinuous with a first sequence number, taking the sequence number interval in which the first sequence number of the first legal instruction is positioned as a target sequence number interval, and taking the candidate chain corresponding to the target sequence number interval as a target chain; and determining a third legal instruction and a fourth legal instruction in the target chain, wherein the first sequence number of the first legal instruction is between the third sequence number of the third legal instruction and the fourth sequence number of the fourth legal instruction, and the block between the block for storing the third legal instruction and the block between the block for storing the fourth legal instruction in the target chain is an empty block.
In actual implementation, referring to FIG. 6, the wait-for-linked list includes p chains, each chain having q blocks. The sequence number interval corresponding to each chain can be determined, for example, the sequence number interval of chain 1 is [1, q ], the sequence number interval of chain 2 is [ q +1,2q ], the sequence number interval of chain 3 is [2q +1,3q ], and so on, and the sequence number interval corresponding to each chain is obtained. And determining a sequence number interval corresponding to the sequence number carried by the current legal instruction in the waiting linked list based on the sequence number interval of each chain, and further determining a target chain which should be stored by the current legal instruction. And selecting a legal instruction corresponding to a serial number with a serial number difference being the smallest and a serial number with a serial number being smaller than the serial number carried by the legal instruction to be stored from the target chain, and a legal instruction corresponding to a serial number with a serial number difference being the smallest and a serial number with a serial number being larger than the serial number carried by the legal instruction to be stored from the target chain.
Illustratively, assuming the wait-for-linked list includes 3 chains, each of which includes 6 blocks, the sequence number interval for chain 1 is [1,6], the sequence number interval for chain 2 is [7, 12], and the sequence number interval for chain 3 is [13, 18]. The sequence number of the legal instruction to be stored currently is 10, at this time, the corresponding sequence number interval of the legal instruction can be determined to be [7, 12], and the legal instruction storage target chain is determined to be chain 2. The sequence numbers corresponding to the stored legal instructions of the blocks in the chain 2 are 7, 11 and 12, the legal instruction corresponding to the sequence number 11 with the sequence number larger than 10 in the chain 2 and the legal instruction corresponding to the sequence number 7 with the sequence number smaller than 10 in the chain 2 are obtained, and the block between the legal instruction block storing the sequence number 7 and the legal instruction block storing the sequence number 12 is an empty block. The target block of the legal instruction is determined based on the storage condition of each block in the chain 2.
In some embodiments, the sequence number of the instruction to be stored is determined as a first sequence number, and a third legal instruction and a fourth legal instruction are determined in the target chain, wherein the first sequence number is between a third sequence number of the third legal instruction and a fourth sequence number of the fourth legal instruction, then a difference e (e is an integer greater than or equal to 1) between the first sequence number and the third sequence number, and a difference f (f is an integer greater than or equal to 1) between the first sequence number and the fourth sequence number are obtained, and the two obtained differences e and f are compared. When e is smaller than f, the third sequence number of the third combination instruction is closer to the first sequence number, namely the target block is an empty block adjacent to the block for storing the third instruction; when e is greater than f, it means that the fourth sequence number of the fourth legal instruction is closer to the first sequence, i.e. the target block is an empty block adjacent to the block storing the fourth instruction. For example, a first difference between the first sequence number and the third sequence number and a second difference between the first sequence number and the fourth sequence number are determined; when the first difference is smaller than the second difference, storing the first legal instruction into a first empty block, wherein the first empty block is positioned between the block for storing the third legal instruction and the block for storing the fourth legal instruction and is adjacent to the block for storing the third legal instruction; and when the first difference is larger than the second difference, storing the first legal instruction into a second empty block, wherein the second empty block is positioned between the block for storing the third legal instruction and the block for storing the fourth legal instruction and is adjacent to the block for storing the fourth legal instruction.
For example, referring to the waiting linked list shown in fig. 6, assuming that the number of chains is 3 and the chain capacity is 20, the sequence number interval of the chain 1 is [1, 20], the detector sends a legal instruction to be stored with the sequence number 13 to the waiting linked list, determines that the sequence number 13 falls into the sequence number interval [1, 20], determines that the chain 1 is a target storage chain (target chain) to be stored with a legal instruction, and determines that there is no sequence number consecutive to the sequence number 13 in the chain 1, obtains two sequence numbers with the smallest difference from the sequence number 13 in the chain 1, and the sequence number 13 is located between the two sequence numbers, and that the chain 1 satisfies the conditions of the sequence number 10 and the sequence number 15, and selects an empty block between the block storing the legal instruction with the sequence number 10 and the block storing the legal instruction with the sequence number 15, and closest to the block storing the legal instruction with the sequence number 15, as a target block of the legal instruction to be stored.
In some embodiments, it may be determined whether to create an empty block that is consistent with a sequence number of the instruction to be stored as the target block of the instruction to be stored and whether to create an empty block that corresponds to an adjacent sequence number of the sequence number carried by the instruction to be stored, according to a condition of the legal instruction stored in each chain of the current waiting chain table, for example, the detector takes the legal instruction of each waiting chain table to be stored to the detector as the first legal instruction, and performs the following processing: selecting a chain which does not reach the preset chain capacity from a waiting chain table of a detector as a candidate chain, and searching a target block consistent with a first sequence number of a first legal instruction in any candidate chain; when the target block exists, storing the first legal instruction to the target block; and when the target block does not exist and the adjacent sequence number of the first sequence number does not have the corresponding empty block, creating the target block corresponding to the first sequence number and the empty block corresponding to the adjacent sequence number, and storing the first legal instruction to the target block.
Exemplarily, referring to fig. 7, fig. 7 is a schematic diagram of a state change of each chain storage instruction of a wait chain table provided in the embodiment of the present application, where the state change of a chain 1 (a first chain) is taken as an example, an initial state of the chain 1 is only one piece of header information, when a sequence number of an instruction to be stored is 1 (when storing an instruction No. 1), a detector needs to create a null block with sequence number 1 and a null block with sequence number 2, and use the null block with sequence number 1 as a target block for storing the instruction No. 1, where at least one current null block is a null block with sequence number 2; then, when the serial number of the instruction to be stored is 2 (when the instruction No. 2 is stored), the detector originally needs to create an empty block with the serial number 1, an empty block with the serial number 2 and an empty block with the serial number 3, but because the empty block with the serial number 1 and the empty block No. 2 with the serial number consistent with the serial number of the instruction No. 2 (the instruction to be stored with the serial number 2) already exist in the chain 1, only the empty block with the serial number 3 needs to be created at this time, and the instruction No. 2 is stored in the empty block with the serial number 2, and at least one empty block at present is the empty block with the serial number 3; then, when the sequence number of the instruction to be stored is 5 (when the instruction No. 5 is stored), the sequence number of the existing empty block is 3 and the sequence number 5 of the instruction to be stored are not matched, the detector can create an empty block with the sequence number of 4, an empty block with the sequence number of 5 and an empty block with the sequence number of 6, the empty block with the sequence number of 5 is used as a target block for storing the instruction with the sequence number of 5, and at least one empty block at present is an empty block with the sequence numbers of 3, 4 and 6; then, when the sequence number of the instruction to be stored is 10 (when the instruction number 10 is stored), because the sequence numbers (3, 4 and 6) of at least one current empty block are not matched with the sequence number 10, the detector creates an empty block with the sequence number 10 for storing the instruction number 10, an empty block with the sequence number 9 and an empty block with the sequence number 11, and at least one current empty block is the sequence numbers 3, 4, 6, 9 and 11; then, when the sequence number of the instruction to be stored is 16 (when the instruction number 16 is stored), because the sequence numbers (3, 4, 6, 9 and 11) of the current at least one empty block are not matched with the sequence number 16, the detector creates an empty block with the sequence number 16 for storing the instruction number 16, an empty block with the sequence number 15 and an empty block with the sequence number 17, and the current at least one empty block is the sequence numbers 3, 4, 6, 9, 11, 15 and 17.
In step 104, the legal instructions in the waiting list are linked according to the corresponding execution sequence and sent to the processor for execution.
For example, the execution order refers to a normal execution order corresponding to the program control flow.
In some embodiments, when a branch instruction loaded from the memory by the detector carries a group number, a specific implementation manner that the detector connects legal instructions in the waiting chain table according to a corresponding execution sequence is described, and when a full chain exists in the waiting chain table, that is, the number of the legal instructions stored in the chain reaches a preset chain capacity, the detector sequentially connects the legal instructions in the full chain according to the carried sequence number, and determines the corresponding execution sequence. For example, the following is performed for each chain in the wait linked list: when the number of the legal instructions stored in the chain reaches the preset chain capacity, the detector deletes the serial numbers carried by the legal instructions, and sequentially connects the legal instructions stored in each block in the chain according to the serial numbers carried by the legal instructions.
It should be noted that the detector sends a legal instruction of a chain whose chain capacity reaches a preset chain capacity in the waiting chain table to the processor. This approach, in which the detector sends instructions to the processor only when the capacity of a chain in the linked list reaches a predetermined chain capacity, may provide some buffering time to reduce the risk of program execution errors. The detector is helpful to reorder the instructions in the waiting list according to the normal execution order of the program control flow to prevent the program from executing errors.
In some embodiments, referring to fig. 8, fig. 8 is a schematic flowchart of a creating manner of an index table provided in an embodiment of the present application. Based on fig. 3, before step 101, a creation operation of the index table by the detector may also be performed, and the creation process of the index table is described with reference to the steps shown in fig. 8.
In step 201, the detector obtains an address carried by the branch instruction, where the type of the address includes a storage address and a target address.
For example, the type of branch instruction includes jump (jump), call (call), or return (return). Accordingly, the target address may be understood as an address to which the branch instruction is redirected after being executed, such as an address to which a jump instruction needs to jump, an address to which a call instruction needs to call, an address to which a return instruction is to return, and the like.
In step 202, the detector writes the target address carried by the branch instruction into the first column of the index table.
For example, when the index table is an empty table, the detector directly writes the target address carried by the first branch instruction into the first row and the first column of the index table. When the index table is not an empty table, the detector needs to look up whether the target address carried by the current branch instruction is included in the first column in the index table before writing the target address of the branch instruction into the index table. When the target address carried by the current branch instruction does not exist, the target address is written into the first column of the index table. For example, step 202 may be implemented by steps 2021 to 2022, and the target address carried by the branch instruction is written into the first column in the index table.
At step 2021, the detector compares the target address carried by the branch instruction with each target address stored in the first column of the index table.
At step 2022, when the comparison is inconsistent, the detector adds the target address carried by the branch instruction to the first column.
In step 203, the detector writes the memory address carried by the branch instruction into the row where the target address is located.
For example, the store address (current address) of the branch instruction is written to a column other than the first column in the same row of the target address.
And circularly executing the steps 201 to 203 until the detector writes the target addresses and the storage addresses included by all the branch instructions in the plurality of instructions to be executed in the program into the index table, and ending the creation process of the index table.
In some embodiments, in order to increase the efficiency of the instruction detection stages from step 101 to step 104, in the creation stage of the index table, the detector generally groups the index table according to the group capacity (that is, the index table includes a plurality of groups, each group includes a plurality of rows), and adds a group number to the branch instruction prerecorded in each index table, so that in the branch instruction detection stage, the group number carried by the branch instruction can be used as an index to perform fast lookup in the index table, thereby increasing the lookup speed in the index table. For example, referring to fig. 9, fig. 9 is a flowchart illustrating a branch instruction writing index table according to an embodiment of the present application, which is described with reference to the steps shown in fig. 9.
Step 301, the detector compares the target address carried by the branch instruction with each target address stored in the first column of the index table, and takes the row corresponding to the target address carried by the branch instruction obtained by comparison as the target row.
For example, a target address carried by the branch instruction is used as an index, and the existing target address in the index table is searched to determine a row corresponding to the target address.
Step 302, the detector determines a group corresponding to the target row according to the target row and the group capacity, and takes the group corresponding to the target row as a target group.
For example, the group size is used to characterize the maximum number of target addresses that each group can store in the index table, and it is also understood that each group includes the number of rows.
For example, the setting of the group capacity is described first, the setting of the group capacity is closely related to the time overhead of the hardware resources and the execution program, and in some embodiments, the group capacity may be set based on the time overhead and the hardware resources. For example, referring to fig. 10, fig. 10 is a schematic flowchart of a group capacity setting manner provided in an embodiment of the present application, and the setting manner of the group capacity is described with reference to the steps shown in fig. 10.
Step 401, the detector determines a first value range corresponding to the group capacity of each group in the index table according to the hardware resources allocated to the detector.
For example, the minimum value of the group capacity is determined according to the amount of the hardware resources (at this time, the minimum amount of the hardware resources) when the electronic device is guaranteed to normally operate and the instruction is detected in a serial manner, the maximum value of the group capacity is determined according to the amount of the hardware resources (at this time, the maximum amount of the hardware resources) when the electronic device is guaranteed to normally operate and the instruction is detected in a parallel manner, and the amount of the hardware resources is positively correlated with the group capacity. And determining a first value interval corresponding to the group capacity according to the minimum value and the maximum value of the group capacity.
Step 402, the detector determines a second value range corresponding to the group capacity of each group in the index table according to the time overhead of executing the program.
For example, the group size is determined according to the time overhead of executing the program. When the group capacity is the maximum value, that is, the index table includes the minimum groups, when there is only one group, it is equivalent to perform a full-table lookup on the index table, and the larger the time overhead for locating the target row is, the larger the time overhead for executing the program is. When the group capacity is the minimum value, the more groups the index table comprises, the fewer rows each group comprises, the target group is directly positioned according to the group number, then the target row is positioned, the time overhead is greatly reduced, and the time overhead for executing the program is smaller.
In step 403, the detector determines an intersection interval between the first value interval and the second value interval, and selects a group capacity in the intersection value interval.
By the above-described steps 401 to 403, the group capacity satisfying both the hardware performance and the time overhead of executing the program can be set.
Step 303, the detector adds the group number corresponding to the target group to the branch instruction to obtain the branch instruction carrying the group number.
The group number characterizes the order of the groups in the groups included in the index table, the group number is usually set at the corresponding header position of the branch instruction, the length of the group number is related to the architecture of the instruction set where the current detector is located, different instruction set architectures can be used for the header (instruction header) with different lengths, illustratively, the length of each instruction of the current instruction set of X86-64 (64-bit operating system) is 64 bits, wherein only 48 bits are used as data storage, therefore, 16 bits are available for the header, i.e. the maximum length of the header cannot operate 16.
In step 304, the detector replaces the corresponding branch instruction not carrying the group number in the memory based on the branch instruction carrying the group number.
For example, the detector sends back the branch instruction carrying the group number to the memory again, and waits for the instruction detection operations of steps 101 to 104 to be performed. It should be noted that, at this time, the instruction stored in the memory is not the initial instruction after the program is compiled, but the instruction after the processing by the detector, and the main difference is that the branch instruction in the memory carries the corresponding group number at this time.
For example, referring to fig. 11, fig. 11 is a schematic diagram illustrating a group number setting provided by an embodiment of the present application, in stage (1), a detector loads an instruction from a memory into an index table, where the loaded instruction is at least 8 instructions stored in the memory shown on the left side in the figure, and then pre-records information of a branch instruction (the instruction corresponding to 0, 2, 4, 6, and 7 is set as the branch instruction) in the index table, where a style of the index table at this time includes a plurality of groups as shown in fig. 4B. In the stage (2), the detector sends back the branch instruction carrying the group number to the memory again, the detector records the branch instructions (branch instructions corresponding to 0, 2, 4, 6, and 7) in the first group of the index table according to a preset group capacity (10 lines are set for each group), the group number corresponding to the first group is set to 011, the detector adds the corresponding group number 011 to the branch instruction pre-recorded in the index table, and sends back the branch instruction carrying the group number to the memory again, at this time, the instruction pattern stored in the memory is the memory shown in the right side of the figure, that is, each branch instruction (branch instruction corresponding to 0, 2, 4, 6, and 7) carries the group number 011.
In order to increase the calculation speed, a nonvolatile storage medium such as a ROM may be used in the detector, and by virtue of the characteristic that the ROM is not powered down, the index table for the same program may be generated only once, so that multiple times of regeneration of the index table for the same program is avoided, and thus the detection efficiency during repeated operation of the program is improved.
By the above-mentioned instruction detection method in step 101 to step 104, when any branch instruction of the instructions to be executed of the program is detected as an illegal instruction, the execution of the program is directly interrupted. If the program can be normally executed, it is indicated that all branch instructions in the instructions to be executed of the program are legal instructions, so that the electronic equipment can be ensured to execute only the legal instructions, the execution of illegal instructions is prevented, and the safety performance of the electronic equipment is improved.
In some embodiments, a detailed process of the protection method of the program provided in the embodiments of the present application is described with reference to the above steps. Referring to fig. 12, fig. 12 is a schematic flowchart of a program protection method provided in an embodiment of the present application, and is described with reference to the steps shown in fig. 12.
In step 501, the detector loads a plurality of instructions to be executed of the program from the memory.
For example, a plurality of instructions are fetched, and the detector performs the following steps 502 to 514 for each instruction.
Step 502, determine whether the instruction is a branch instruction, if yes, perform step 503, and if not, perform step 510.
Step 503, the storage address and the target address carried by the branch instruction are obtained.
Step 504, the target address carried by the branch instruction is used as an index, and the target address included in each row in the index table is compared.
Step 505, determining the comparison result, if the comparison result is consistent, executing step 506, and if the comparison result is inconsistent, executing step 514.
Step 506, the line where the target address carried by the compared branch instruction is located is taken as a target line.
Step 507, comparing the storage address carried by the branch instruction with each storage address in the target row.
Step 508, determining the comparison result, if the comparison result is consistent, executing step 509, and if the comparison result is inconsistent, executing step 514.
At step 509, the branch instruction is determined to be a valid instruction.
Step 510, determine that the non-branch instruction is a legal instruction.
In step 511, a sequence number used for characterizing the execution sequence of the branch instruction in the program is added to the legal instruction.
For example, the legal instructions include a legal branch instruction, as determined in step 509, and a non-branch instruction, as determined in step 510.
And step 512, storing the legal instruction into a waiting linked list in the detector according to the corresponding sequence number.
And 513, connecting the legal instructions in the waiting linked list according to the corresponding execution sequence, and sending the legal instructions to the processor for execution.
Step 514, determine the branch instruction with inconsistent comparison as an illegal instruction, and interrupt the execution of the program.
The method and the device have the advantages that the detector is arranged between the memory and the processor of the electronic equipment in an electrically connected mode, then the plurality of instructions to be executed of the program are loaded from the memory through the detector, the non-branch instructions and the branch instructions are identified from the plurality of instructions, and the addresses carried by the branch instructions are further obtained, so that the condition that an index table in the detector only detects the branch instructions can be guaranteed, and the hardware overhead of the electronic equipment can be effectively reduced; reading the address prerecorded by the branch instruction from an index table in the detector, and comparing the address with the address carried by the branch instruction; the branch instruction with consistent comparison is determined as a legal instruction, and the legal instruction is stored in a waiting linked list in the detector, so that the condition that only the address carried by the branch instruction is compared with the address in the index table can be ensured, and the condition that the instructions stored in the waiting linked list are legal instructions can be ensured; and finally, connecting the legal instructions in the waiting linked list according to the corresponding execution sequence, and sending the legal instructions to the processor for execution. Therefore, only a legal instruction can be executed, so that the execution of an illegal instruction is prevented, and the attack to the program is effectively protected.
In the following, an exemplary application of the embodiments of the present application in an application scenario of actual code reuse attack detection will be described. Wherein, a detector is deployed on the FPGA to realize the detection of the branch instruction.
Based on the aforementioned limitations in the related art, the protection method for a program (also referred to as a code multiplexing attack defense method) provided by the embodiment of the present application can implement code multiplexing attack detection based on a hardware instruction level, and can effectively combine methods of multiple disciplines such as software security, circuit design, computer architecture, and the like. The problems mainly solved by the embodiment of the application include:
1) The data structure for expressing the program control flow diagram is realized on hardware efficiently, the current address of the instruction and the legal jump address can be stored efficiently, and the optimization is carried out to the greatest extent so as to improve the searching speed;
2) The method can be suitable for various different types of code multiplexing attacks such as return-oriented programming, jump-oriented programming and the like, and has reasonable performance overhead.
In addition, applicants have discovered that a common feature of instruction level code reuse attacks is that they hijack the control flow of an executing program by modifying the target address of a branch instruction. Thus, if the control flow of a program is monitored during its execution, potential modification of branch instructions may be detected, eliminating code reuse attacks. Based on this, the embodiment of the present application proposes to monitor the program control flow in real time by using an index table in a detector, where the detector records the current address and the target address of all branch instructions before the program is executed. During program execution, each branch instruction is examined against this index table. In this way, the electronic device can be guaranteed to execute only legal branch instructions, thereby preventing the execution of code multiplexing attack instructions. In addition, the index table can be stored in a trusted memory which cannot be accessed by an operating system of the electronic equipment, so that the safety is enhanced.
In practical implementation, the detector is installed on an electronic device (terminal or server) to be protected in the form of FPGA (i.e. in an FPGA hardware-assisted manner), a processor in the electronic device serves as a main controller for receiving and sending required information, including compiled instructions and interrupt (break) commands, and all functions involved in the detector run completely on the FPGA. After the corresponding driver is installed, the device corresponding to the detector can provide protection for the host against possible code reuse attacks.
Referring to fig. 13, fig. 13 is a schematic diagram of an architecture of a detector provided in an embodiment of the present application, which is described in detail with reference to fig. 13, and the detector bridges communication between a CPU cache and a memory. Briefly, the main operations of the detector include: (1) loading instructions from a memory; (2) verifying the address of the branch instruction; (3) and sending the legal instruction to a CPU cache for execution. To implement the proposed functionality, the detector provided in the embodiments of the present application consists of two main components, a two-dimensional index table of branch instruction indices (i.e., the index table above) and a two-dimensional double-stranded waitlist (i.e., the waitlist list above). The code multiplexing attack detection mode provided by the embodiment of the application is realized based on the index table and the waiting linked list, and mainly comprises two stages, namely an index table construction stage and a detection stage carried out by a detector based on the index table.
Firstly, before a program is executed by a CPU, a detector loads a corresponding instruction obtained after the program is compiled from a memory, constructs an index table of all branch instructions according to an operation code and an address code included in the instruction, and then stores the index table in a storage device for verifying the instruction in the program. As mentioned above, the storage device may be integrated in the detector, or integrated in the same system-on-chip with the detector, and may be a RAM, a ROM, or a combination of the two. For example, the ROM is used to store an index table of high-frequency programs (i.e., programs whose operating frequency exceeds a frequency threshold), thereby saving the time and hardware resource overhead of repetitive generation.
Secondly, during the program execution, the instruction is loaded into a detector for detection. The instruction is stored to the wait list for execution only if it passes the detection of the detector (i.e., the detection passes are one of not a branch instruction, and integrity is detected by the index table), and is stored to the wait list for execution (either a branch instruction or the wait list is stored directly). Otherwise, for security reasons, the detector will interrupt program execution and send a warning to the user that the currently executing program has been attacked. In order to adapt to the pipeline structure of program execution in the CPU, the whole design of the detector adopts a pipeline mode of waiting for a linked list so as to ensure that the integrity of a control flow is not damaged by an index table and provide buffering time.
The knowledge about the index table, which is a two-dimensional index table including the target addresses and the current addresses of all branch instructions, is explained in detail below. Specifically, as shown in FIG. 4A, ADDR T The first column represents the Target Address of the branch instruction (Target Address), and ADDR T-C The remaining columns represent the current address of the branch instruction. By the same row address pair ADDR T2 And ADDR T2-Cj For example, assume that the branch instruction is a jump instruction whose assembly code is jmp ADDR T2 With the current memory address being ADDR T2-Cj . Compared with the mode of directly recording all address pairs, the design only records once for the same target address, can reduce the times of repeatedly recording the target address, and further greatly reduces the required storage space. For example, the manner in which all address pairs are directly recorded is exemplified, as is the address pair<ADDR T ,ADDR C1 >、<ADDR T ,ADDR C2 >、……、<ADDR T ,ADDR Cj >Etc. wherein ADDR T As a destination address, ADDR C1 ,ADDR C2 ,……,ADDR Cj Represents the Current address, T represents Target, and C represents Current.
To reduce the traversal time of the inspection process, the index table may typically be further divided into different groups. In each group, the maximum number k of storable target addresses (defined as the group capacity, k being an integer of 1 or more) is adjustable.
Reducing the group size k helps to reduce the time overhead, but also increases the number of groups, which in turn increases the hardware overhead. Thus, the parameter set capacity determines the trade-off between hardware overhead and time overhead. In a practical implementation, the group capacity k may be adjusted to suit the needs and high performance requirements of the electronic device.
Next, a process of generating an index table provided in an embodiment of the present application is described, and pseudo codes of the process of generating an index table provided in the embodiment of the present application are as follows:
Figure BDA0003133939970000141
in some embodiments, after the detector loads the instruction to be detected from memory, it first checks whether it is a branch instruction based on the opcode of the instruction. When the instruction to be detected is not a branch instruction (i.e. a non-branch instruction), the detector sends the instruction directly back to the memory (when the index table is generated, if the instruction is not a branch instruction, relevant information is not recorded in the index table), and then the next instruction continues to be loaded from the memory. When the instruction to be detected is a branch instruction (e.g., a jump, call, or return instruction), the detector will read the target address recorded in the branch instruction address code and check whether the target address is included in the first column of the index table.
When the target address of the branch instruction to be detected does not exist in the first column of the index table, the detector writes this new target address under the last element of the current group. If the current group is full, it is written to the first element in the new group. Exemplarily, see the figures4B, if the last element of set 1 is ADDR T2 Then the new target address will be written to ADDR T3 Of the position of (a). If the last element of group 1 is ADDR Ti Then the new target address will be written to the ADDR of group 2 Ti+1 Location. The current address of the instruction will then be written to the same row as the target address. The destination address being ADDR T2 Will write to ADDR in the order in which they occurred T2-Cj
When the target address of the branch instruction to be detected exists in the first column of the index table, the current address of the branch instruction to be detected is directly written after the target address of the same row.
In order to reduce the time overhead in the checking process, i.e. to speed up the instruction lookup, a 12-bit group number (header) is added to each branch instruction (the group numbers of branch instructions belonging to the same group are the same) according to the target address stored in the index table. For example, the instruction header (group number) stored in group 7 is 1110000000000000, and the instruction header stored in group 44 is 001101000000. Note that the current architecture for X86-64 uses only 48 bits (out of 64 bits) as data storage, and therefore, there are 16 bits available for the header.
Finally, the checked instruction is written back to the memory by the detector, and then the next undetected instruction is loaded. The detector will repeat this loop until all instructions are loaded and the generation index table is complete.
Next, a detection process provided in the embodiment of the present application is described, and pseudo codes of the code reuse attack detection process provided in the embodiment of the present application are as follows:
Figure BDA0003133939970000142
Figure BDA0003133939970000151
it should be noted that the checking process of a branch instruction is much more complicated than the checking process of a non-branch instruction. Thus, when checking instructions, checking for branch instructions consumes a greater period of time than checking for non-branch instructions. It should be noted that the checking process is very challenging, and when the detector loads instructions from the memory in a parallel loading manner, there may be a case where non-branch instructions loaded later are preferentially stored in the wait list while the branch instructions loaded earlier are still being checked.
Thus, there are situations where the order of instructions in the wait-for-chain table is different from the order of instructions loaded in the detector. This will destroy the integrity of the instruction stream and cause execution errors or loss of program performance. In order to solve the above problem, the following operations are performed in the detection process: the detector adds a new 12-bit sequence number to each instruction loaded from memory, which represents the order in which the instructions were loaded. It is understood that all instructions are preprocessed (i.e. sequence numbers are added) in order to obtain the correct instruction execution order according to the sequence numbers in the wait chain table. After adding the sequence number, the detector checks whether the loaded instruction is a branch instruction, such as a jump (jump), call (call), or return (return) instruction.
If the detector identifies that the current instruction is not a branch instruction (i.e., a non-branch instruction), the instruction is stored directly to the wait linked list.
If the detector identifies that the current instruction is a branch instruction, the detector will read the group number, target address, memory address (current address) of the branch instruction, checking if there is a valid address pair in the particular group. For example, whether the target address is in the BID is verified, and when the target address exists in the BID, the verification is continued, and whether the current address exists in the row where the current target address exists. At the same time, the detector will delete the 12-bit group number carried by the instruction to ensure that the total length of the header does not exceed 16 bits.
Explaining two different headers (sequence numbers and group numbers) used in a detector, wherein the sequence numbers are added to all instructions, the detector adds the sequence number to each instruction in the instruction detection process, and then deletes the sequence number used for recording the sequence of the instruction entering the detector when storing a legal instruction into a waiting linked list; and the group number is only added to the branch instruction, the detector pre-records the address information of the branch instruction in the index table at the generation stage of the index table, and adds the group number to each branch instruction.
When the instruction to be detected is a non-legal instruction (illegal or attack instruction), the execution of the instruction to be detected will be rejected and the detector will interrupt the whole program.
And when the instruction to be detected is a legal instruction, the detector stores the checked instruction into the waiting linked list, reorders the instruction by adopting further operation in the waiting linked list, and loads a new instruction when the CPU cache sends a next request.
Then, the above operations are repeatedly executed until all the branch instructions are detected by the detector, and the detection process is ended. On the basis of this checking procedure, any modification to the instructions will be detected by the detector, so that code multiplexing attacks can be eliminated.
For explaining the waiting linked list, referring to fig. 14, fig. 14 is a schematic diagram of the waiting linked list provided in the embodiment of the present application, where a main component of the waiting linked list is a two-dimensional doubly linked list matrix composed of a plurality of doubly linked lists. Each chain has q blocks (the number of blocks is defined as the chain capacity) and the chains work independently of each other to help reduce the time overhead. In a single chain, each block will store one examined legal instruction. Similar to the group capacity discussed later, reducing the chain capacity q also helps to save traversal time in a single chain, thereby reducing time overhead.
If the sequence numbers of two legal instructions are consecutive, the detector will directly connect the two legal instructions in the chain in the wait chain table. For any two legal instructions with discontinuous serial numbers, the detector searches for the serial numbers corresponding to the blocks of each chain in the waiting chain table, and records the serial number closest to the serial numbers of the two instructions as an edge (edge).
For example, in fig. 14, taking the example of storing an instruction in chain 1, when storing an instruction with sequence number 3, the detector originally needs to create an empty block with sequence number 2 and an empty block with sequence number 3 because sequence numbers 2 and 4 adjacent to sequence number 3 are present in chain 1, but since a block with sequence number 2 and a block with sequence number 4 are already present in chain 1, the instruction with sequence number 3 can be directly stored in a block with sequence number 3 between the block with sequence number 2 and the block with sequence number 4. Then, when storing the instruction with sequence number 4, because the block with sequence number 3 and the block with sequence number 7 exist in the chain 1, but the block with sequence number 7 is not adjacent to the block with sequence number 4, the detection table will create an empty block with sequence number 5, and store the instruction with sequence number 4 in the block with sequence number 4; similarly, when storing the instruction with sequence number 5, it is necessary to create an empty block with sequence number 4 and an empty block with sequence number 6 originally, and the existing block with sequence number 7 is not adjacent to the block with sequence number 5, and the detection table creates an empty block with sequence number 6 and stores the instruction with sequence number 5 in the block with sequence number 5. Similarly, when storing the instruction with sequence number 8, the chain 1 has a block with sequence number 7 and no block with sequence number 9, the block with sequence number 11 is not adjacent to the block with sequence number 8, the detector creates an empty block with sequence number 9 and stores the instruction with sequence number 8 in the block with sequence number 8, and the process of storing other legal instructions in the waiting chain table is similar to the above process, which is not described in detail in the embodiments of the present application.
After the instruction passes the verification of the detector, the instruction is indicated to be a legal instruction, the detector deletes the serial number of the legal instruction, and compares the instruction part of the legal instruction with all the existing edges in the chain.
If the sequence number carried by the instruction to be stored is matched with the recorded edge in the waiting linked list (namely the sequence number continuous with the sequence number of the legal instruction with two discontinuous sequence numbers which are stored), the instruction to be stored is directly connected to the chain. For example, referring to fig. 14, when an instruction with sequence number 2 is stored in chain 1, since there is a block with sequence number 2 in chain 1 (that is, the sequence number of the instruction to be stored matches the sequence number of the block successfully) and sequence number 2 is recorded as an edge, the instruction to be stored is directly stored in the empty block corresponding to sequence number 2 in chain 1.
If the sequence number carried by the instruction to be stored does not match the recorded edge in the waiting linked list (i.e. the sequence number corresponding to the established block in each chain), the instruction will be stored in the empty block between the blocks corresponding to the two nearest sequence numbers of the instruction sequence number. The detector deletes the sequence number of the block corresponding to the instruction to be stored in the wait chain table, because the wait chain table provided in the embodiment of the present application deletes the original sequence number of the block and the sequence number carried by the instruction to be stored after the instruction to be stored is stored in the block with the same sequence number as the wait chain table, and in addition, judges whether an empty block corresponding to the sequence number adjacent to the sequence number of the instruction to be stored is required to be added. For example, if an instruction with sequence number 5 arrives at the first chain in fig. 14, the detector originally needs to create a block with sequence number 4 and a block with sequence number 6 in chain 1, and at this time, assuming that the block with sequence number 4, the block with sequence number 6, and the block with sequence number 5 already exist in the chain, the detector directly stores the instruction into the block with sequence number 5 and connects with the block with sequence number 4, and it is no longer necessary to create the block with sequence number 4 and the block with sequence number 6. For another example, another instruction with sequence number 13 (i.e., instruction number 13) arrives at the first chain in FIG. 14, at which point it is assumed that the edge with sequence number 13 is not recorded for chain 1, but there is a block with sequence number 12 and a block with sequence number 14. The detector need only create a null block with sequence number 13 between the block with sequence number 12 and the block with sequence number 14 for storing the instruction number 13, without re-recording the edges with sequence numbers 12 and 14.
And repeating the storage process of the legal instruction until the first chain reaches the preset chain capacity (namely the chain is full), and sending the legal instruction of the chain (full chain) with the chain capacity reaching the preset chain capacity in the waiting chain table to the CPU by the detector. This rule (requiring the detector to send the legal instructions in a full chain to the processor while waiting for the capacity of the chain in the linked list to reach the preset chain capacity) may provide some buffering time to reduce the risk of program execution errors. In this manner, the wait-for-linked list facilitates reordering of instructions in the normal execution order of program control flow to prevent program execution errors.
Based on the above detailed description of the implementation process of code reuse attack detection, in practical implementation, a hardware-assisted CRA detector, i.e., CRAlert, is provided. CRAlert may detect different CRAs without modifying the compiler and instruction set. The experimental results of the FPGA implementation prove the feasibility of CRAllert and lower performance overhead.
To verify the feasibility and performance of the proposed scheme, the CRAllert framework can be prototyped using the ML605 FPGA evaluation toolkit, which uses a Virtex-6 FPGA. As a proof of concept, the Intel Core i7-9700 processor is controlled and communicated using the PCIe interface on the FPGA board. And bridges the FPGA and the PC host by driving RIFFA with PCIe from an open source.
Referring to fig. 15, fig. 15 is a schematic view of a code multiplexing attack detection experimental apparatus provided in the embodiment of the present application. In fig. 15, 11 benchmark tests are used to verify the time overhead of using CRAlert, and the obtained experimental result can be seen in fig. 16, and fig. 16 is a schematic diagram of the time overhead result of the detector provided in the embodiment of the present application.
As can be seen from the information of fig. 16, the average time overhead (performance loss) is 0.363%. Compared with four defense methods in the prior art, the protection method of the program provided by the embodiment of the application can defend against jump Programming (JOP) attack and Return Programming (ROP) attack, and further improves the design performance. Meanwhile, the protection architecture of the program provided by the embodiment of the application can detect more types of CRAs with the lowest time overhead.
The detection method based on hardware-assisted code multiplexing attack provided by the embodiment of the application can be realized on an FPGA (field programmable gate array) board, can also be realized on a system on a chip or integrated on a coprocessor of RICS-V (Rich Internet protocol-virtual) and can fundamentally alleviate the code multiplexing attack. Fine-grained CRA detection of program execution is realized through a comprehensive instruction index table. In addition, it can be compatible with current SoftWare/HardWare (SW/HW, softWare/HardWare) environments without modifying existing instruction set architectures and compilers.
Continuing with the exemplary structure of the detector 300 provided by the embodiments of the present application, in some embodiments, as shown in fig. 2, the modules of the detector 300 may include: the index table module 301 is configured to load a plurality of instructions to be executed of the program from a memory, identify a branch instruction in the plurality of instructions, and obtain an address carried by the branch instruction; reading the address prerecorded by aiming at the branch instruction from an index table in a detector, and comparing the address with the address carried by the branch instruction; determining the branch instructions which are consistent in comparison as legal instructions, and storing the legal instructions into a waiting linked list in the detector; a waiting linked list module 302, configured to connect the legal instructions in the waiting linked list according to a corresponding execution order, and send the legal instructions to the processor for execution.
In some embodiments, the types of addresses include a memory address and a target address, the index table includes a plurality of rows, each row including a target address prerecorded for one branch instruction in the program and at least one memory address; the index table module is further configured to compare a target address included in each row in the index table with a target address included in each row in the index table by using the target address carried by the branch instruction as an index, and use a row where the target address carried by the branch instruction obtained by the comparison is located as a target row; and comparing the storage address carried by the branch instruction with each storage address in the target row.
In some embodiments, the branch instruction loaded from the memory carries a group number, where the group number characterizes an order of a group in which the branch instruction is located in a plurality of groups included in the index table, each of the groups includes a plurality of rows, each of the rows includes an address of one of the branch instructions in the program, and the address includes a target address corresponding to the branch instruction and at least one storage address; the index table module is further configured to obtain a group number carried by the branch instruction; determining a group corresponding to the group number from an index table in the detector according to the group number, and taking the group corresponding to the group number as a target group; reading a target address prerecorded by aiming at the branch instruction from the target group, comparing the target address with a target address carried by the branch instruction, and taking a line of the target address carried by the branch instruction in the target group obtained by comparison as a target line; and comparing the storage address carried by the branch instruction with the at least one storage address in the target row.
In some embodiments, the index table module is configured to determine, when the comparison is inconsistent, the branch instruction with inconsistent comparison as an illegal instruction, and interrupt execution of the program.
In some embodiments, the index table module is further configured to add, to the legal instruction, a sequence number used for characterizing an execution sequence of the legal instruction in the program; and storing the legal instructions into a waiting linked list in the detector according to the corresponding sequence numbers, wherein the waiting linked list comprises at least one chain, each chain comprises at least one block, and the at least one block is used for storing a plurality of legal instructions with continuous sequence numbers in a one-to-one correspondence manner.
In some embodiments, the branch instruction loaded from the memory carries a group number, where the group number represents a sequence of a group in which the branch instruction is located in a plurality of groups included in the index table, and the index table module is further configured to delete the group number carried by the legal instruction when the legal instruction is the branch instruction loaded to the memory, and add a sequence number used for representing an execution sequence of the branch instruction in the program to the legal instruction; when the legal instruction is the non-branch instruction loaded to the memory, adding a sequence number used for representing the execution sequence of the non-branch instruction in the program in the non-branch instruction.
In some embodiments, the wait linked list module is further configured to, for each chain in the wait linked list: and when the number of the legal instructions stored in the chain reaches the preset chain capacity, deleting the serial numbers carried by a plurality of the legal instructions, and sequentially connecting the legal instructions stored in each block in the chain according to the serial numbers carried by the legal instructions.
In some embodiments, the wait chain table module is further configured to, for each legal instruction of the wait chain table to be stored in the detector as a first legal instruction, perform the following: and selecting a chain which does not reach the capacity of a preset chain from a waiting chain table of the detector as a candidate chain, and aiming at a second legal instruction stored in any block of the candidate chain, when a first sequence number of the first legal instruction is continuous with a second sequence number of the second legal instruction, storing the first legal instruction in a block adjacent to the any block, wherein the second legal instruction is any legal instruction stored in the any block.
In some embodiments, the wait linked list module is further configured to, for each legal instruction of the wait linked list to be stored in the detector as a first legal instruction, perform the following: selecting a chain which does not reach the preset chain capacity from the waiting chain table of the detector as a candidate chain, aiming at a second legal instruction stored in any block of any candidate chain, determining a sequence number interval of each candidate chain when a second sequence number of the second legal instruction is discontinuous with the first sequence number, taking the sequence number interval in which the first sequence number of the first legal instruction is positioned as a target sequence number interval, and taking the candidate chain corresponding to the target sequence number interval as a target chain; determining a third legal instruction and a fourth legal instruction in the target chain, wherein a first sequence number of the first legal instruction is between a third sequence number of the third legal instruction and a fourth sequence number of the fourth legal instruction, and a block between a block for storing the third legal instruction and a block between blocks for storing the fourth legal instruction in the target chain are empty blocks; storing the first legal instruction to an empty block between a block for storing a third legal instruction and a block for storing a fourth legal instruction.
In some embodiments, the wait chain table module is further configured to determine a first difference between the first sequence number and the third sequence number and a second difference between the first sequence number and the fourth sequence number; when the first difference is smaller than the second difference, storing the first legal instruction to a first empty block, wherein the first empty block is located between a block for storing the third legal instruction and a block for storing the fourth legal instruction and is adjacent to the block for storing the third legal instruction; and when the first difference is larger than the second difference, storing the first legal instruction into a second empty block, wherein the second empty block is positioned between the block for storing the third legal instruction and the block for storing the fourth legal instruction and is adjacent to the block for storing the fourth legal instruction.
In some embodiments, the wait chain table module is further configured to take the legal instruction of each wait chain table to be stored in the detector as a first legal instruction, and perform the following processing: selecting a chain which does not reach the preset chain capacity from the waiting chain table of the detector as a candidate chain; when a target block corresponding to a first sequence number of the first legal instruction is found in any candidate chain, storing the first legal instruction to the target block; when the target block corresponding to the first sequence number of the first legal instruction is not found in any candidate chain and no empty block corresponding to the adjacent sequence number of the first sequence number exists, creating the target block corresponding to the first sequence number and an empty block corresponding to the adjacent sequence number, and storing the first legal instruction in the target block.
In some embodiments, the index table module is to create the index table by: identifying a branch instruction of a plurality of instructions of the program to be executed; for each of the branch instructions, performing the following: acquiring an address carried by the branch instruction, wherein the type of the address comprises a storage address and a target address; and writing the target address carried by the branch instruction into a first column of the index table, and writing the storage address carried by the branch instruction into a row where the target address is located.
In some embodiments, the index table module is further configured to compare a target address carried by the branch instruction with each target address stored in a first column of the index table; and when the comparison is inconsistent, adding the target address carried by the branch instruction to the first row.
In some embodiments, the index table includes a plurality of groups, each of the groups includes a plurality of rows, and the index table module is further configured to compare a target address carried by the branch instruction with each target address stored in a first column of the index table, and use a row corresponding to the target address carried by the branch instruction obtained by the comparison as a target row; determining a group corresponding to the target row according to the target row and the group capacity, and taking the group corresponding to the target row as a target group; wherein the group capacity is used for characterizing the maximum number of target addresses which can be stored in each group in the index table; adding the group number corresponding to the target group to the branch instruction to obtain the branch instruction carrying the group number; and replacing the corresponding branch instruction which does not carry the group number in the memory based on the branch instruction carrying the group number.
In some embodiments, the index table module is further configured to determine the group capacity by: determining a first value interval corresponding to the group capacity of each group in the index table according to the hardware resources allocated to the detector; determining a second value interval corresponding to the group capacity of each group in the index table according to the time overhead of executing the program; and determining an intersection interval of the first value interval and the second value interval, and selecting the group capacity in the intersection value interval.
The embodiment of the present application provides a computer-readable storage medium storing executable instructions, which, when executed by a detector, perform a protection method of a program provided by the embodiment of the present application, for example, a protection method of a program as shown in fig. 3.
In some embodiments, the computer-readable storage medium may be memory such as FRAM, ROM, PROM, EPROM, EEP ROM, flash memory, magnetic surface memory, optical disk, or CD-ROM; or may be various devices including one or any combination of the above memories.
In some embodiments, executable instructions may be written in any form of programming language (including compiled or interpreted languages), in the form of programs, software modules, scripts or code, and may be deployed in any form, including as a stand-alone program or as a module, component, subroutine, or other unit suitable for use in a computing environment.
By way of example, executable instructions may correspond, but do not necessarily have to correspond, to files in a file system, and may be stored in a portion of a file that holds other programs or data, such as in one or more scripts in a hypertext Markup Language (HTML) document, in a single file dedicated to the program in question, or in multiple coordinated files (e.g., files that store one or more modules, sub-programs, or portions of code).
By way of example, executable instructions may be deployed to be executed on one computing device or on multiple computing devices at one site or distributed across multiple sites and interconnected by a communication network.
In summary, according to the program protection method based on hardware assistance provided in the embodiment of the present application, the index table is used to monitor the program execution instruction in real time, so as to effectively detect an illegal instruction, ensure that the system only executes a legal instruction according to a normal sequence, prevent the execution of the illegal instruction, and effectively avoid the occurrence of an execution error in the program. In addition, the method and the device do not need to modify the existing instruction set architecture and compiler, can be suitable for code reuse attack defense on each instruction set architecture platform, have low performance overhead, and are easy to deploy in an actual environment.
The above description is only an example of the present application, and is not intended to limit the scope of the present application. Any modification, equivalent replacement, and improvement made within the spirit and scope of the present application are included in the protection scope of the present application.

Claims (15)

1. A method for protecting a program, the method being applied to a detector electrically connected to both a memory and a processor, the method comprising:
loading a plurality of instructions to be executed of the program from the memory, identifying non-branch instructions and branch instructions from the plurality of instructions, and acquiring addresses carried by the branch instructions;
reading the address prerecorded by aiming at the branch instruction from the index table of the detector, and comparing the address with the address carried by the branch instruction;
taking the non-branch instruction and the branch instruction which is consistent in comparison as a legal instruction, and storing the legal instruction into a waiting linked list in the detector;
and connecting the legal instructions in the waiting linked list according to the corresponding execution sequence, and sending the legal instructions to a processor for execution.
2. The method of claim 1,
the types of addresses include a storage address and a target address, the index table includes a plurality of rows, each row including a target address prerecorded for one branch instruction in the program and at least one storage address;
reading the address prerecorded by the branch instruction from the index table in the detector, and comparing the address with the address carried by the branch instruction, wherein the method comprises the following steps:
taking the target address carried by the branch instruction as an index, comparing the target address with the target address included in each line in the index table, and taking the line where the target address carried by the branch instruction is located obtained through comparison as a target line;
and comparing the storage address carried by the branch instruction with each storage address in the target row.
3. The method of claim 1,
a branch instruction loaded from the memory carries a group number, where the group number represents an order of a group in which the branch instruction is located in a plurality of groups included in the index table, each of the groups includes a plurality of rows, each of the rows includes an address of one of the branch instructions in the program, and the address includes a target address corresponding to the branch instruction and at least one storage address;
reading the address prerecorded by the branch instruction from the index table in the detector, and comparing the address with the address carried by the branch instruction, wherein the method comprises the following steps:
acquiring a group number carried by the branch instruction;
determining a group corresponding to the group number from the index table in the detector according to the group number, and taking the group corresponding to the group number as a target group;
reading a target address prerecorded by aiming at the branch instruction from the target group, comparing the target address with a target address carried by the branch instruction, and taking a line of the target address carried by the branch instruction in the target group obtained by comparison as a target line;
and comparing the storage address carried by the branch instruction with the at least one storage address in the target row.
4. The method of claim 1, further comprising:
and when the comparison is inconsistent, determining the branch instruction with inconsistent comparison as an illegal instruction, and interrupting the execution of the program.
5. The method of claim 1, wherein storing the legal instruction in a wait linked list in the detector comprises:
adding a sequence number used for representing the execution sequence of the legal instruction in the program in the legal instruction;
and storing the legal instructions into a waiting linked list in the detector according to the corresponding sequence numbers, wherein the waiting linked list comprises at least one chain, each chain comprises at least one block, and the at least one block is used for storing a plurality of legal instructions with continuous sequence numbers in a one-to-one correspondence manner.
6. The method of claim 5, wherein the branch instruction loaded from the memory carries a group number, the group number characterizing an order of a group in which the branch instruction is located among a plurality of groups included in the index table;
the adding a sequence number used for representing the execution sequence of the legal instruction in the program in the legal instruction comprises:
when the legal instruction is the branch instruction loaded to the memory, deleting a group number carried by the legal instruction, and adding a sequence number used for representing the execution sequence of the branch instruction in the program into the legal instruction;
when the legal instruction is the non-branch instruction loaded to the memory, adding a sequence number used for representing the execution sequence of the non-branch instruction in the program in the non-branch instruction.
7. The method of claim 6, wherein the concatenating the legal instructions in the wait chain table in the corresponding execution order comprises:
performing the following for each chain in the wait chain table:
and when the number of the legal instructions stored in the chain reaches the preset chain capacity, deleting the serial numbers carried by a plurality of the legal instructions, and sequentially connecting the legal instructions stored in each block in the chain according to the serial numbers carried by the legal instructions.
8. The method of claim 1, wherein storing the legal instruction in a wait linked list in the detector comprises:
for each legal instruction of the wait chain table to be stored in the detector as a first legal instruction, performing the following:
selecting a chain which does not reach the preset chain capacity from the waiting chain table of the detector as a candidate chain, aiming at a second legal instruction stored in any block of any candidate chain, determining a sequence number interval of each candidate chain when a second sequence number of the second legal instruction is discontinuous with the first sequence number, taking the sequence number interval in which the first sequence number of the first legal instruction is positioned as a target sequence number interval, and taking the candidate chain corresponding to the target sequence number interval as a target chain;
determining a third legal instruction and a fourth legal instruction in the target chain, wherein a first sequence number of the first legal instruction is between a third sequence number of the third legal instruction and a fourth sequence number of the fourth legal instruction, and a block between a block for storing the third legal instruction and a block between blocks for storing the fourth legal instruction in the target chain are empty blocks;
storing the first legal instruction to an empty block between a block for storing a third legal instruction and a block for storing a fourth legal instruction.
9. The method of claim 1, wherein storing the legal instruction in a wait linked list in the detector comprises:
taking the legal instruction of each waiting linked list to be stored in the detector as a first legal instruction, and executing the following processing:
selecting a chain which does not reach the preset chain capacity from the waiting chain table of the detector as a candidate chain;
when a target block corresponding to a first sequence number of the first legal instruction is found in any candidate chain, storing the first legal instruction to the target block;
and when the target block corresponding to the first sequence number of the first legal instruction is not found in any candidate chain and no empty block corresponding to the adjacent sequence number of the first sequence number exists, creating the target block corresponding to the first sequence number and an empty block corresponding to the adjacent sequence number, and storing the first legal instruction in the target block.
10. The method of claim 1, wherein prior to loading the plurality of instructions of the program to be executed from the memory, the method further comprises:
creating the index table by:
identifying a branch instruction of a plurality of instructions of the program to be executed;
for each of the branch instructions, performing the following:
acquiring an address carried by the branch instruction, wherein the type of the address comprises a storage address and a target address;
and writing a target address carried by the branch instruction into a first column of the index table, and writing a storage address carried by the branch instruction into a row where the target address is located.
11. The method as claimed in claim 10, wherein said writing a target address carried by each of said branch instructions into a first column of said index table comprises:
comparing the target address carried by the branch instruction with each target address stored in the first column of the index table respectively;
and when the comparison is inconsistent, adding the target address carried by the branch instruction to the first row.
12. The method of claim 10, wherein the index table comprises a plurality of groups, each of the groups comprising a plurality of rows, the method further comprising:
comparing the target address carried by the branch instruction with each target address stored in a first column of the index table respectively, and taking a row corresponding to the target address carried by the branch instruction obtained by comparison as a target row;
determining a group corresponding to the target row according to the target row and the group capacity, and taking the group corresponding to the target row as a target group, wherein the group capacity is used for representing the maximum number of target addresses which can be stored in each group in the index table;
adding the group number corresponding to the target group to the branch instruction to obtain the branch instruction carrying the group number;
and replacing the corresponding branch instruction which does not carry the group number in the memory based on the branch instruction carrying the group number.
13. A detector, characterized in that the detector comprises:
the index table module is used for loading a plurality of instructions to be executed of a program from a memory, identifying non-branch instructions and branch instructions from the plurality of instructions, and acquiring addresses carried by the branch instructions; reading the address prerecorded by aiming at the branch instruction from an index table in a detector, and comparing the address with the address carried by the branch instruction; taking the non-branch instruction and the branch instruction which is consistent in comparison as a legal instruction, and storing the legal instruction into a waiting linked list in the detector;
and the waiting linked list module is used for connecting the legal instructions in the waiting linked list according to the corresponding execution sequence and sending the legal instructions to the processor for execution.
14. An electronic device, comprising:
a processor, a memory, and a detector; wherein,
there is an electrical connection between the detector and both the memory and the processor for implementing the method of protecting a program as claimed in any one of claims 1 to 12.
15. A computer-readable storage medium storing executable instructions for implementing, when executed, the method of protecting a program according to any one of claims 1 to 12.
CN202110711467.7A 2021-06-25 2021-06-25 Program protection method, detector, electronic device, and storage medium Pending CN115525890A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110711467.7A CN115525890A (en) 2021-06-25 2021-06-25 Program protection method, detector, electronic device, and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110711467.7A CN115525890A (en) 2021-06-25 2021-06-25 Program protection method, detector, electronic device, and storage medium

Publications (1)

Publication Number Publication Date
CN115525890A true CN115525890A (en) 2022-12-27

Family

ID=84694993

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110711467.7A Pending CN115525890A (en) 2021-06-25 2021-06-25 Program protection method, detector, electronic device, and storage medium

Country Status (1)

Country Link
CN (1) CN115525890A (en)

Similar Documents

Publication Publication Date Title
KR100942795B1 (en) A method and a device for malware detection
US11687645B2 (en) Security control method and computer system
US20090113550A1 (en) Automatic Filter Generation and Generalization
US8060812B2 (en) Methods, systems, and computer program products for class verification
KR20160119140A (en) Region identifying operation for identifying region of a memory attribute unit corresponding to a target memory address
US20130138934A1 (en) Loading configuration information
JP4766487B2 (en) Program alteration detection device
CN103226499A (en) Method and device for restoring abnormal data in internal memory
US9250919B1 (en) Multiple firmware image support in a single memory device
US20100115004A1 (en) Backup system that stores boot data file of embedded system in different strorage sections and method thereof
US11868465B2 (en) Binary image stack cookie protection
US10275595B2 (en) System and method for characterizing malware
US10929536B2 (en) Detecting malware based on address ranges
CN111857882B (en) Extensible SSD card opening firmware loading method and device, computer equipment and storage medium
EP3759606B1 (en) An apparatus and method for accessing metadata when debugging a device
CN111625296A (en) Method for protecting program by constructing code copy
CN115525890A (en) Program protection method, detector, electronic device, and storage medium
CN111061591B (en) System and method for implementing data integrity check based on memory integrity check controller
US20170132025A1 (en) Target process injection prior to execution of marker libraries
CN113139190A (en) Program file detection method and device, electronic equipment and storage medium
US20240004991A1 (en) Execution protection using data colouring
JP5270271B2 (en) Information processing apparatus, information processing method, program, and recording medium
CN117931608B (en) Method and device for counting file cache occupation in vmcore and storage medium
CN116305006A (en) Derived function preprocessing method, derived function preprocessing device, computer equipment and storage medium
JP2015115052A (en) Microprocessor, computer, method of coping with abnormality, and abnormality countermeasure program

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination