CN115795486A - Fault injection protection method based on binary system rewriting - Google Patents
Fault injection protection method based on binary system rewriting Download PDFInfo
- Publication number
- CN115795486A CN115795486A CN202310069973.XA CN202310069973A CN115795486A CN 115795486 A CN115795486 A CN 115795486A CN 202310069973 A CN202310069973 A CN 202310069973A CN 115795486 A CN115795486 A CN 115795486A
- Authority
- CN
- China
- Prior art keywords
- fault
- binary
- binary file
- protection method
- fault injection
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D10/00—Energy efficient computing, e.g. low power processors, power management or thermal management
Abstract
The invention belongs to the technical field of code conversion, and particularly relates to a fault injection protection method based on binary system rewriting. The fault injection protection method based on binary system rewriting comprises the following steps: step 1, simulating the fault of a target binary file under a fault model in a fault injection mode, and generating a list which is vulnerable to attack; step 2, repairing the vulnerable instruction in the fault list by using a local protection strategy to obtain a repaired binary file; and 3, repeating the operations of the step 1 and the step 2 on the repaired binary file until no new fault occurs. According to the fault injection protection method based on binary rewriting, a strategy is injected at an assembly code level in a disassembling mode through reassembly; and an iteration and simulation driven framework is provided, which only inserts countermeasures for the vulnerable part of the program, so that the binary file can be repaired in a targeted manner.
Description
Technical Field
The invention belongs to the technical field of code conversion, and particularly relates to a fault injection protection method based on binary rewriting.
Background
Fault injection attacks, also called fault attacks, are becoming more and more common, and a successful fault attack may result in information leakage or authority promotion, and even cause a crash of the whole system. For example, the secure boot of ARM may be affected by voltage faults, enabling an attacker to load controlled values in a Program Counter (PC); the safe boot loader on the Android smartphone can be bypassed by using laser injection faults. For such attacks, firstly, protection is performed from a hardware level, and secondly, at a software level, most of the protection countermeasures for the software level at present need to access the source code of the program, which is impractical in some cases.
Binary re-writing has many important applications in software security and systems, such as program hardening, auto-repair, instrumentation, optimization, bounds checking, and so on. The advantages of binary rewriting are: it can be applied even in the case where the source code of the software is not available, thereby achieving the purpose of protecting the software. The goal of binary rewriting is to add, delete, and replace instructions in the binary code. There are currently two main types of binary rewrite techniques: static and dynamic. In static binary overwriting, a binary file is overwritten on a disk prior to program execution. There are three main types of static binary rewrite schemes, the first being an assembly-level based bypass policy (throttling), which works through hook out underlying instructions, but this approach results in high performance degradation and additional code overhead. The second is a reconfigurable disassembling mode (readable disassembly system), the method uses a rule that the disassembling code can be relocated to disassemble an executable file, and the generated code can be assembled back to a working binary file without manual operation, which is a disassembling-reassembling process overall. The third is a full translation scheme that uses a compiler-based front-end to translate low-level machine code into a high-level Intermediate Representation (IR) for architecture-independent binary rewriting.
Disclosure of Invention
Aiming at the defects and shortcomings of protection measures of fault injection in the prior art, such as unknown source codes, high operation cost, high performance loss and the like, the invention provides a fault injection protection method based on binary rewriting.
The technical scheme adopted by the invention for solving the technical problems is as follows: the fault injection protection method based on binary rewriting comprises the following steps:
step 1, simulating the fault of a target binary file under a fault model in a fault injection mode, and generating a list which is vulnerable to attack;
step 2, repairing the vulnerable instruction in the fault list by using a local protection strategy to obtain a repaired binary file;
and 3, repeating the operations of the step 1 and the step 2 on the repaired binary file until no new fault occurs.
Further, the step 2 is realized by the following steps: pointer analysis is performed on the target binary file by adopting a Ddisasm tool, an intermediate representation is generated in the form of intermediate representation (GTIRB) of the GrammaTech binary file, and then the intermediate representation is operated through a Python GTIRB library and is recompiled into an executable binary file.
Further, the local protection policy is to locally insert protected instruction code, and includes: a protect mov instruction or a protect cmp instruction.
Further, the protection mov instruction is specifically: after the execution of the mov operation, the results of the two memory locations are compared and in case the two memory locations do not coincide, a fault handler is invoked.
Further, the protection cmp instruction is specifically: and executing two comparisons, comparing whether the results of the two comparisons are equal, and if not, calling a fault processing program.
Compared with the prior art, the invention has the following advantages and beneficial effects:
1. a static binary rewriting scheme is adopted to inject protection countermeasures, and the protection mode does not need to know the source code of a program, so that the method is suitable for most commercial software;
2. protection strategies are injected at the assembly code level by reassembling the disassembled form, so that the binary file can be repaired in a targeted manner;
3. the running overhead is small, copying each instruction means an overhead of at least 300% in code size for classical copy schemes, since for each instruction it will add another copy of the instruction and a comparison process between their results. The method proposed by the invention only aims at vulnerable points, so that the method can be better executed than a simple replication scheme.
Drawings
FIG. 1 is an overall flowchart of the binary-rewrite-based fault injection protection method of the present invention;
FIG. 2 is a flow diagram of a local protection mode of mov operation;
FIG. 3 is a flow diagram of a local protection mode of cmp operation.
Detailed Description
The technical solutions in the embodiments of the present invention will be described clearly and completely in the following description with reference to the embodiments of the present invention and the accompanying drawings. The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the invention, its application, or uses. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Embodiment 1 provides a fault injection protection method based on binary rewriting, which reduces fault injection vulnerabilities in a binary file by using an iteration method driven by fault simulation, and repairs the binary file by continuously iterating until no fault injection vulnerabilities occur.
The method in this embodiment is mainly implemented by using a system as shown in fig. 1, and the system is composed of two main components: one fault and one patch. The fault engine simulates the fault in a certain fault model in the target binary file and generates a list of vulnerabilities, which means that the fault is triggered in the target binary file. The stitcher uses the list generated by the faulting program to patch the binary. The patcher will patch each bug as locally as possible without affecting the code around it. The patched binary file is then run through the bug and patcher again, repeating the iteration process until no more bugs occur or can be repaired. The method specifically comprises the following steps:
1. fault simulation
First, an error model, such as a single-bit flip error model, a byte error model, etc., is selected that is intended to protect the target binary file from damage. The fault machine accepts a target binary and two inputs: one "good" input and one "bad" input. For example, a "good" entry is the correct password, while a "bad" entry is any value other than the correct password. First, the inputs of "good" and "bad" are performed to see the difference in execution trajectory between them. When the target binary file is run with "bad" input, the trace of all executed instructions can be effectively recorded. Then, for each offset in the trace, taking the single-bit flip error model as an example, the binary is run until that offset in the trace, one bit in the instruction is flipped at the offset, and then execution continues, with the target binary either crashing, or executing as an incorrect input, or behaving differently (as a correct input). If it appears as a correct input, this is a successful failure, the track offset and the error that caused it are recorded, in which case the bit offset in the command at the track offset is recorded, resulting in a failure list in which all successful failures are recorded.
2. Fault (leak) repair
The "successful failure list" from the failed machine is addressed locally in the patcher. The patcher replaces the vulnerable instructions with a known reinforcement pattern. For example, consider the operation of a fault under an "instruction skip" fault model, which identifies a fault in which the skipping of the mov instruction is successful at timestamp 40. The local countermeasures are to execute the mov twice or to add a compare instruction to verify that the mov has been executed before. Note that these countermeasures can lead to repeated reads, but redundancy is key to reducing fault injection attacks.
The invention realizes a concept verification patching program based on a GrammaTech Ddisasm tool and a Python binary operation library, and the method specifically comprises the following steps: the Ddisasm tool executes pointer analysis on the target binary file, generates an Intermediate Representation (IR) in the form of a GrammaTech binary file intermediate representation (GTIRB), then can operate the intermediate representation through a Python GTIRB library, and recompiles the intermediate representation into an executable file, wherein the recompiled executable file is the repaired binary file, namely the patched binary file.
In the method for repairing the fault, the invention adopts a local protection strategy and inserts protected codes in a local part. The following are two local protection strategies:
(1) Protecting mov instructions
To protect the mov operation from fault attacks, after the execution of the mov operation, the results of the two memory locations are compared and in case of inconsistency, a fault handler is invoked: the running of the software is stopped, or the program is crashed firstly, so that the target file is prevented from being attacked, and the protection effect is achieved. The specific flow is shown in fig. 2.
(2) Protection cmp instructions
The cmp instructions are protected from error attacks by performing two comparisons and comparing their result flags, and when the two comparisons are not equal, a fault handler is invoked, and the specific flow is shown in fig. 3. To this end, the present invention uses the pushfq instruction in the x86-64 ISA, which requires a valid stack pointer (rsp).
3. Iteration
After a fault simulation (fault) and a patch (patcher) are run, a patched binary is obtained. Running a bug on a patched binary may discover that a new bug has been added due to the addition of patch code and changing the distance between instructions. These new bugs can then be resolved by iteratively running the entire program until a fixed point is reached and no new failures occur.
The fault injection protection method based on binary rewriting provided by the invention can keep the structure of the original binary file by decomposing the binary file and inserting a strategy. And an iteration and simulation driven framework is provided, and the framework only inserts countermeasures for the vulnerable part of the program, so that the binary file can be repaired in a targeted mode.
Claims (5)
1. The fault injection protection method based on binary rewriting is characterized by comprising the following steps:
step 1, simulating the fault of a target binary file under the fault model in a fault injection mode, and generating a vulnerable list;
step 2, repairing the vulnerable instruction in the fault list by using a local protection strategy to obtain a repaired binary file;
and 3, repeating the operations of the step 1 and the step 2 on the repaired binary file until no new fault occurs.
2. The binary overwrite based fault injection protection method of claim 1, wherein the step 2 is implemented by: and performing pointer analysis on the target binary file by adopting a Ddisasm tool, generating an intermediate representation in the form of an intermediate representation of the GrammaTech binary file, operating the intermediate representation through a Python GTIRB library, and recompiling the intermediate representation into an executable binary file.
3. The binary overwrite based fault injection protection method of claim 1 or 2, wherein: the local protection strategy is to insert protected instruction codes locally, and comprises the following steps: a protect mov instruction or a protect cmp instruction.
4. The binary-rewrite-based fault injection protection method according to claim 3, wherein the protection mov instruction is specifically: after the execution of the mov operation, the results of the two memory locations are compared and in case the two memory locations do not coincide, a fault handler is invoked.
5. The binary rewrite-based fault injection protection method of claim 3, wherein the protection cmp instruction is specifically: and executing two comparisons, comparing whether the results of the two comparisons are equal, and calling a fault processing program if the results are not equal.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310069973.XA CN115795486B (en) | 2023-02-07 | 2023-02-07 | Fault injection protection method based on binary system rewriting |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310069973.XA CN115795486B (en) | 2023-02-07 | 2023-02-07 | Fault injection protection method based on binary system rewriting |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN115795486A true CN115795486A (en) | 2023-03-14 |
| CN115795486B CN115795486B (en) | 2023-04-18 |
Family
ID=85430115
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310069973.XA Active CN115795486B (en) | 2023-02-07 | 2023-02-07 | Fault injection protection method based on binary system rewriting |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115795486B (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117215811A (en) * | 2023-11-09 | 2023-12-12 | 山东大学 | System call hooking method, device and medium based on binary overwrite |
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104657247A (en) * | 2015-02-10 | 2015-05-27 | 上海创景计算机系统有限公司 | System and method for realizing universal type fault injection based on JTAG (Joint Test Action Group) debug mode |
| US20190370473A1 (en) * | 2018-05-30 | 2019-12-05 | Nvidia Corporation | Detecting vulnerabilities to fault injection in computer code using machine learning |
| US20210150028A1 (en) * | 2019-11-15 | 2021-05-20 | Kwangwoon University Industry-Academic Collaboration Foundation | Method of defending against memory sharing-based side-channel attacks by embedding random value in binaries |
| CN113206734A (en) * | 2021-04-30 | 2021-08-03 | 桂林电子科技大学 | Method for detecting and resisting differential fault attack |
| CN114637988A (en) * | 2022-03-10 | 2022-06-17 | 中国人民解放军国防科技大学 | Binary-oriented function level software randomization method |
| CN114880665A (en) * | 2022-05-12 | 2022-08-09 | 电子科技大学 | Intelligent detection method and device for return programming attack |
| CN115168131A (en) * | 2022-08-01 | 2022-10-11 | 鹏城实验室 | Fault injection CPU abnormal function verification method |
-
2023
- 2023-02-07 CN CN202310069973.XA patent/CN115795486B/en active Active
Patent Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104657247A (en) * | 2015-02-10 | 2015-05-27 | 上海创景计算机系统有限公司 | System and method for realizing universal type fault injection based on JTAG (Joint Test Action Group) debug mode |
| US20190370473A1 (en) * | 2018-05-30 | 2019-12-05 | Nvidia Corporation | Detecting vulnerabilities to fault injection in computer code using machine learning |
| US20210150028A1 (en) * | 2019-11-15 | 2021-05-20 | Kwangwoon University Industry-Academic Collaboration Foundation | Method of defending against memory sharing-based side-channel attacks by embedding random value in binaries |
| CN113206734A (en) * | 2021-04-30 | 2021-08-03 | 桂林电子科技大学 | Method for detecting and resisting differential fault attack |
| CN114637988A (en) * | 2022-03-10 | 2022-06-17 | 中国人民解放军国防科技大学 | Binary-oriented function level software randomization method |
| CN114880665A (en) * | 2022-05-12 | 2022-08-09 | 电子科技大学 | Intelligent detection method and device for return programming attack |
| CN115168131A (en) * | 2022-08-01 | 2022-10-11 | 鹏城实验室 | Fault injection CPU abnormal function verification method |
Non-Patent Citations (2)
| Title |
|---|
| YANHENG REN等: "Fault Detection and Isolation Based on Artificial Immune System for Injection Molding Machine" * |
| 徐松;刘强;: "集成电路故障注入攻击仿真方法" * |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117215811A (en) * | 2023-11-09 | 2023-12-12 | 山东大学 | System call hooking method, device and medium based on binary overwrite |
Also Published As
| Publication number | Publication date |
|---|---|
| CN115795486B (en) | 2023-04-18 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN107193731B (en) | Fuzzy test coverage improvement method using control variation | |
| Griesmayer et al. | Repair of boolean programs with an application to C | |
| Kiaei et al. | Rewrite to reinforce: Rewriting the binary to apply countermeasures against fault injection | |
| CN115795486B (en) | Fault injection protection method based on binary system rewriting | |
| Given-Wilson et al. | An automated formal process for detecting fault injection vulnerabilities in binaries and case study on present | |
| Zubair et al. | PEM: Remote forensic acquisition of PLC memory in industrial control systems | |
| Hoffmann et al. | ARMORY: fully automated and exhaustive fault simulation on ARM-M binaries | |
| JP4754635B2 (en) | Control flow protection mechanism | |
| WO2022111262A1 (en) | Hotfix generation method and apparatus, server, and machine readable storage medium | |
| Boespflug et al. | Countermeasures optimization in multiple fault-injection context | |
| CN110647748A (en) | Code multiplexing attack detection system and method based on hardware characteristics | |
| Given-Wilson et al. | Formalising fault injection and countermeasures | |
| Liu et al. | Pangr: a behavior-based automatic vulnerability detection and exploitation framework | |
| Ducousso et al. | Adversarial Reachability for Program-level Security Analysis. | |
| Alshaer et al. | Microarchitecture-aware fault models: Experimental evidence and cross-layer inference methodology | |
| Friedman et al. | Automatically repairing stripped executables with cfg microsurgery | |
| Salls et al. | Piston: Uncooperative remote runtime patching | |
| Cheng et al. | Automatic fix for C integer errors by precision improvement | |
| Pescosta et al. | Bounded model checking of speculative non-interference | |
| CN109858252B (en) | Vulnerability analysis and repair method for homemade system | |
| Cao | Parity Shadow Stack: Dynamic Instrumentation based Control Flow Security for IoT Devices | |
| Wang et al. | DOPdefender: An approach to thwarting data-oriented programming attacks based on a data-aware automaton | |
| Gangolli et al. | A machine learning approach to predict system-level threats from hardware-based fault injection attacks on iot software | |
| Grechko et al. | Secure software developing recommendations | |
| Elwan | Automatic generation of control, flow hijacking exploits for software vulnerabilities |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |