CN117951685A - Method and device for executing function code, electronic equipment and storage medium - Google Patents

Info

Publication number: CN117951685A
Application number: CN202311745477.8A
Authority: CN (China)
Prior art keywords: function code, return address, code, target, register
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 朱志权, 刘志诚, 徐俊, 吴疆, 王正涵
Current assignee: Hillstone Networks Co Ltd
Original assignee: Hillstone Networks Co Ltd
Application filed by Hillstone Networks Co Ltd; priority to CN202311745477.8A

Landscapes

  • Storage Device Security (AREA)
Abstract

The application discloses a method and a device for executing function code, an electronic device and a storage medium. The method comprises the following steps: before executing the target function code, saving the return address of the target function code in a register, where the return address is the address to which control returns when the return operation of the target function code is performed; after execution of the target function code is completed, reading the return address from the register; and executing the function code that follows the target function code according to that return address. The method and device address the technical problem in the prior art that function code is exposed to security vulnerability risks while running because the return address of the running function code can be modified.

Description

Method and device for executing function code, electronic equipment and storage medium
Technical Field
The present application relates to the field of information security, the field of software development and related technical fields, and in particular to a method and apparatus for executing function code, an electronic device, and a storage medium.
Background
The development of software programs traces back to the early days of computer science and information technology. With the continued development and spread of computer technology, software programs have become increasingly important and are now part of the infrastructure of modern society. As software develops rapidly, the security challenges facing software programs also grow; among them, stack overflow is a serious and commonly encountered problem.
The stack is a common data structure with last-in, first-out behaviour: the element that entered the stack last is popped (destroyed) first. While a software program runs, the stack is used to store and manipulate data such as local variables, function parameters and return values. Stack overflow is a common software error that typically occurs when a program attempts to access stack space beyond what was allocated to it. Stack overflow can cause program crashes, deadlocks, data corruption and even remote arbitrary command execution, so technical measures are needed to prevent it.
In the prior art, an attacker can mount information security attacks such as stack overflow by rewriting the return address of function code while that function code is running, creating security vulnerability risks for the software program.
No effective solution to the above problems has been proposed so far.
Disclosure of Invention
The application provides a method, a device, an electronic device and a storage medium for executing function code, which at least solve the technical problem in the prior art that function code is exposed to security vulnerability risks while running because the return address of the running function code can be modified.
According to one aspect of the present application, a method of executing function code is provided, comprising: before executing the target function code, saving the return address of the target function code in a register, where the return address is the address to which control returns when the return operation of the target function code is performed; after execution of the target function code is completed, reading the return address from the register; and executing the function code that follows the target function code according to that return address.
Optionally, the method further includes: inserting a first code at a location before the target function code, where the first code points to the storage path of the return address of the target function code; and inserting a second code at a location after the target function code, where the second code points to the restore path of the return address of the target function code.
Optionally, the method further includes: before executing the target function code, storing the return address of the target function code at a target location in the register by running the first code, where the target location in the register is used to store a random value of a preset number of bytes, and the target location is the storage path of the return address.
Optionally, the method further includes: after execution of the target function code is completed, reading the return address of the target function code from the register by running the second code and restoring the return address to the target register, where the target register is used to hold the currently executing instruction.
Optionally, the method further includes: after the return address has been read from the register, running the target function code with the first code and the second code disabled and determining the to-be-confirmed return address that the target function code uses during that run; detecting whether the to-be-confirmed return address is the same as the return address read from the register; if they are the same, determining that the return address of the target function code was not tampered with during the run; and if they differ, determining that the return address of the target function code was tampered with during the run.
Optionally, the method further includes: before the target function code is executed, inserting a target value into the stack frame of the target function code, where that stack frame stores the return address and the local variables of the target function code, and the target value is positioned in the stack frame between the return address and the local variables.
Optionally, the method further includes: after inserting the target value into the stack frame, detecting whether the target value in the stack frame changes during execution of the target function code; if the target value changes, determining that a program error occurred while the target function code was running; and if the target value is unchanged, determining that the target function code ran normally.
According to another aspect of the present application, an apparatus for executing function code is provided, comprising: a processing unit configured to store the return address of the target function code in a register before the target function code is executed, where the return address is the address to which control returns when the return operation of the target function code is performed; a reading unit for reading the return address from the register after execution of the target function code is completed; and an execution unit for executing the function code that follows the target function code according to that return address.
According to another aspect of the present application, a computer-readable storage medium storing a computer program is provided, where, when the computer program is run, the computer-readable storage medium is controlled to execute the method of executing function code according to any of the above.
According to another aspect of the present application, an electronic device is provided, comprising one or more processors and a memory storing one or more programs, where the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of executing function code according to any of the above.
In the present application, the return address of the target function code is saved in a register before the target function code is executed, where the return address is the address to which control returns when the return operation of the target function code is performed. Then, after execution of the target function code is completed, the return address is read from the register, and the function code that follows the target function code is executed according to that return address.
As can be seen from the foregoing, by saving the return address of the target function code in the register before the target function code executes and reading it back from the register after execution completes, the present application prevents the prior-art problem that function code is exposed to security vulnerability risks while running because its return address can be modified: the untampered return address is already in the register before the target function code executes, and the subsequent read operation fetches that untampered return address directly from the register.
The technical solution of the application therefore ensures that the untampered return address is always the one used while the function code runs, which improves the running security of the function code and solves the prior-art technical problem that function code is exposed to security vulnerability risks while running because the return address of the running function code can be modified.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute a limitation on the application. In the drawings:
FIG. 1 is a flow chart of an alternative method of execution of function code according to an embodiment of the application;
FIG. 2 is a schematic diagram of an alternative execution device of function code according to an embodiment of the present application.
Detailed Description
So that those skilled in the art may better understand the present application, the technical solution in the embodiments of the present application is described clearly and completely below with reference to the accompanying drawings. The described embodiments are only some of the embodiments of the present application, not all of them. All other embodiments that those skilled in the art can derive from the embodiments of the present application without inventive effort fall within the scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present application and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the application described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be noted that the information and data involved in the present application (including but not limited to data for presentation and data for analysis) are information and data authorized by the user or sufficiently authorized by all parties. For example, an interface is provided between the system and the relevant user or institution; before acquiring the relevant information, the system sends an acquisition request to the user or institution through the interface and acquires the information only after receiving the consent fed back by the user or institution.
The application is further illustrated below in conjunction with the examples.
Example 1
According to an embodiment of the present application, an embodiment of a method of executing function code is provided. It should be noted that the steps shown in the flowcharts of the figures may be executed in a computer system, for example as a set of computer-executable instructions, and although a logical order is shown in the flowcharts, in some cases the steps shown or described may be executed in an order different from the one shown or described here.
It should be noted that a code execution system may act as the executing entity of the method of executing function code according to the embodiment of the present application. The code execution system may be a software program, for example one that includes at least one function code. The code execution system may also be an embedded system combining software and hardware; in that case, the software program included in the code execution system contains at least one function code.
FIG. 1 is a flowchart of an alternative method of executing function code according to an embodiment of the application. As shown in FIG. 1, the method comprises the following steps:
Step S101: before executing the target function code, save the return address of the target function code in a register.
In step S101, the return address is the address to which control returns when the return operation of the target function code is performed.
The target function code may be any one of the at least one function code included in the code execution system, or the function code that the code execution system is currently about to execute.
The target function code may implement any functional logic; the specific operation logic of the function code itself is not limited in the present application.
Optionally, the function code is called through a pointer to the function code that points at its address, and the function code returns to the position pointed to by the return address.
Alternatively, the register holding the return address of the target function code may be any register capable of storing data in a specified area. For example, the FS register (File Segment Register) may be used to hold the return address of the target function code.
The FS register is a register in x86 architecture processors used to store the file segment descriptor of the current process; when the processor performs a file access operation, the FS register is used to determine the file segment to use. By setting the value of the FS register, a software program can directly access the data structure or file buffer associated with the file, improving the efficiency and speed of file reads and writes.
Note that, in the FS register, an 8-byte random value is stored at the 40th byte position.
It should be noted that a stack overflow attack usually tampers with the return address of the function code while the function code is running (because the return address is exposed at that time). Since the return address of the target function code stored in the register by the present application is acquired before the target function code executes, the return address stored in the register is necessarily the correct, untampered return address. In other words, according to the technical solution of the present application, the code execution system protects the return address of the target function code in the register in advance, before the target function code executes.
Step S102: after execution of the target function code is completed, read the return address from the register.
Optionally, after execution of the target function code is completed, the code execution system needs to continue executing subsequent code based on the return address of the target function code, and therefore reads the return address from the register.
Since the return address stored in the register was obtained before the target function code executed and has not been tampered with, the return address read from the register after execution completes is also untampered. In other words, even if the externally exposed return address of the target function code is tampered with during its execution, correct execution of the subsequent code is not affected, because the subsequent code executes according to the correct, untampered return address in the register rather than the tampered one.
Step S103: execute the function code that follows the target function code according to the return address.
Optionally, three application scenarios of the method of executing function code in the embodiment of the present application follow:
Example 1: operating systems, which are often among the most exposed targets of security vulnerabilities. By adopting the method of executing function code, which amounts to providing a stack overflow protection technique, an operating system can perform boundary checks and stack protection on input data, preventing malicious programs or attackers from using stack overflow vulnerabilities to tamper with system memory or execute arbitrary code.
Example 2: web applications, including but not limited to data management applications running on web servers and database servers, which are vulnerable to stack overflow attacks because they often handle input from users on the network. Using the stack overflow protection technique of the application, these programs can perform reasonable boundary checking and length verification on their input so that stack overflow vulnerabilities cannot be exploited.
Example 3: browsers, which are frequent targets of malware and network attacks because they record users' browsing information. Using the stack overflow protection technique provided by the application, a browser can monitor and protect the execution of JavaScript code or plug-ins and prevent malicious scripts from using stack overflow vulnerabilities to execute malicious code.
As can be seen from the above, implementing the method of executing function code in the embodiment of the present application improves the security, stability and reliability of a software program when it runs function code, so that the software program is effectively protected from malicious attacks and the possibility of intrusion by an attacker is avoided.
The technical solution of the application has at least the following technical effects:
(1) The security of the software program is improved. Stack overflow is a common security vulnerability through which an attacker can execute malicious code by modifying data in the stack; adopting the method of executing function code in the embodiment of the application effectively reduces the threat posed by stack overflow attacks and improves the overall security of the software program.
(2) Because stack overflow attacks can be used to execute malicious code remotely, the method of executing function code in the embodiment of the application effectively prevents remote code execution attacks and protects the software program from remote attack.
(3) The stability of the software program is enhanced. A stack overflow vulnerability can cause the software program to crash or terminate abnormally; the method of executing function code in the embodiment of the application can detect and prevent such conditions, enhancing the stability and reliability of the software program.
(4) The risk of network attack is reduced. Because stack overflow attacks are one of the main means of many network attacks, deploying the function code execution scheme of the embodiment of the application greatly reduces the software program's risk of suffering network attacks.
In summary, the present application saves the return address of the target function code in the register before the target function code executes and reads the return address from the register after execution completes. Even if the return address of the target function code is tampered with while it runs, the untampered return address was already saved in the register beforehand and the subsequent read fetches that untampered value directly from the register, so the program always performs the return of the target function code with the untampered return address, avoiding the prior-art problem that function code is exposed to security vulnerability risks while running because the return address of the running function code can be modified.
In an alternative embodiment, before executing the target function code, the code execution system may insert the first code at a location before the target function code, where the first code points to the storage path of the return address of the target function code.
Alternatively, the first code may be a piece of assembly code whose function is to save the return address of the target function code into a specified area of the register; for example, when the register is the FS register, the first code saves the return address of the target function code into the storage area at byte 40 of the FS register.
In an alternative embodiment, the code execution system also inserts the second code at a location after the target function code, where the second code points to the restore path of the return address of the target function code.
Alternatively, the second code may be a piece of assembly code different from the first code, whose function is to read the value out of the specified area of the register and transfer it to the register that holds the currently executing instruction. For example, when the register is the FS register, the second code reads the value from the storage area at byte 40 of the FS register and transfers it to the register holding the currently executing instruction.
In an alternative embodiment, before the target function code executes, the return address of the target function code is stored at a target location in the register by running the first code, where the target location in the register is used to store a random value of a preset number of bytes and is the storage path of the return address.
Optionally, a piece of assembly code (the first code) is inserted before the target function code runs; its function is to save the return address of the target function code into the byte-40 area of the FS register (the target location in the register). When the code execution system reaches this piece of assembly code, it saves the return address of the target function code into the byte-40 area of the FS register.
In an alternative embodiment, after execution of the target function code is completed, the return address of the target function code is read from the register by running the second code and transferred into the target register, where the target register holds the instruction currently being executed.
Optionally, a piece of assembly code (the second code) is inserted at the end of the target function code; its function is to assign the value at byte 40 of the FS register to the instruction register (the target register). When the target function code has finished executing and must return according to the return address, the return is performed through the return address transferred into the target register, so that even if a stack overflow overwrite attack occurs, the target function code returns to the previously saved, untampered return address to execute the next operation.
In an alternative embodiment, after reading the return address from the register, the code execution system may also run the target function code with execution of the first code and the second code disabled and determine the to-be-confirmed return address that the target function code uses during that run. The code execution system then checks whether the to-be-confirmed return address is the same as the return address read from the register: if they are the same, it determines that the return address of the target function code was not tampered with during the run; if they differ, it determines that the return address of the target function code was tampered with during the run.
Alternatively, the above operations may be performed from time to time to detect whether the target function code is subject to stack overflow attacks. It is easy to see that, with execution of the first code and the second code disabled, if the target function code suffers a stack overflow attack that modifies its return address, the to-be-confirmed return address used during execution will differ from the return address read from the register; the code execution system can then determine that the target function code has suffered a stack overflow attack, carried out by tampering with its return address.
Alternatively, if the to-be-confirmed return address is the same as the return address read from the register, the code execution system may determine that the return address of the target function code was not tampered with during execution and that the target function code was not subject to a stack overflow attack.
In this way, whether the target function code has been attacked by stack overflow is detected, and the attacked function can be located promptly. For example, if a software program suspected of suffering a stack overflow attack needs to be examined but contains a large number of function codes, each function code can be examined one by one with the method of the application to locate quickly and accurately which function code was attacked; the examination is simple and efficient, since it only requires turning on or off the first code and the second code corresponding to each function code.
In an alternative embodiment, before the target function code executes, the code execution system may further insert a target value into the stack frame of the target function code, where that stack frame stores the return address and the local variables of the target function code, and the target value is positioned in the stack frame between the return address and the local variables.
Alternatively, the target value may be a special random value inserted into the stack frame of the target function code between the local variables and the return address. The target value is stored in the stack frame by pushing it onto the stack.
In an alternative embodiment, during execution of the target function code the code execution system may further detect whether the target value in the stack frame changes; if it changes, the code execution system determines that a program error occurred while the target function code was running, and if it is unchanged, the code execution system determines that the target function code ran normally.
Optionally, during execution of the target function code (including when it is about to return), the code execution system monitors whether the target value in the stack frame changes (for example, is modified). If a change is detected, the code execution system determines that a program error occurred while the target function code was running; the target function code is immediately and forcibly stopped, and the program containing it also stops running. This design greatly increases the difficulty of modifying the stack for an attacker, so common stack overflow attacks such as buffer overflow and stack corruption can be effectively prevented.
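The following C model, added here and not the applicant's code, makes the two mechanisms above concrete on a single simulated stack frame laid out as the description states (locals, then the guard value, then the return address): the first code copies the return address into a protected slot before the body runs, the second code writes it back afterwards, the guard check reports a frame whose guard changed, and the audit mode runs with both codes disabled and compares the frame's return address against the saved one. The protected slot is an ordinary variable standing in for the FS register area, the sample inputs and addresses are constructed, and the function names (first_code, second_code, body and so on) are this model's own.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One stack frame as the description lays it out: local variables, then the
 * guard ("target value") pushed between them and the saved return address.
 * With these field widths the struct has no padding and is 32 bytes long. */
typedef struct {
    unsigned char locals[16];
    uint64_t      guard;
    uint64_t      return_address;
} frame_t;

/* Stand-in for the protected register area (the byte-40 slot of FS in the
 * text). Assumption of this model: a plain variable the body never writes. */
static uint64_t register_slot;

/* Constructed sample values: the correct return address and the guard. */
#define RET_ADDR  0x0000555555551234ULL
#define GUARD_VAL 0x1c3a5f7e9bd02468ULL

/* Constructed inputs: 8 bytes fit in the locals; 32 bytes run past them
 * across the guard and the return address. */
static const unsigned char BENIGN_INPUT[8]    = "hello!!";
static const unsigned char OVERLONG_INPUT[32] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

/* "First code": before the body runs, copy the still-correct return
 * address from the frame into the protected slot. */
static void first_code(const frame_t *f) { register_slot = f->return_address; }

/* "Second code": after the body, write the saved value back over the
 * frame's return slot so the return uses it whatever the body did. */
static void second_code(frame_t *f) { f->return_address = register_slot; }

/* Model of the function body: copies its input into the local buffer. The
 * copy is clamped to the frame so the simulation itself stays in bounds,
 * but input longer than the locals spills into the guard and the return
 * address, which is the effect a stack overflow has on a real frame. */
static void body(frame_t *f, const unsigned char *input, size_t len) {
    if (len > sizeof *f) len = sizeof *f;
    memcpy((unsigned char *)f + offsetof(frame_t, locals), input, len);
}

/* Protected run: first code, body, second code. Returns the address the
 * function would actually return to. */
static uint64_t protected_return(const unsigned char *input, size_t len) {
    frame_t f = { {0}, GUARD_VAL, RET_ADDR };
    first_code(&f);
    body(&f, input, len);
    second_code(&f);
    return f.return_address;
}

/* Guard check from the description: true when the guard survived the body. */
static bool guard_intact(const unsigned char *input, size_t len) {
    frame_t f = { {0}, GUARD_VAL, RET_ADDR };
    body(&f, input, len);
    return f.guard == GUARD_VAL;
}

/* Audit mode from the description: run with first and second code disabled
 * and compare the return address the body left in the frame against the
 * value read from the register. Returns true when tampering is detected. */
static bool audit_detects_tamper(const unsigned char *input, size_t len) {
    frame_t f = { {0}, GUARD_VAL, RET_ADDR };
    register_slot = RET_ADDR;   /* value saved by an earlier protected run */
    body(&f, input, len);       /* first/second code deliberately not run */
    return f.return_address != register_slot;
}

static void report(const char *name, const unsigned char *in, size_t len) {
    printf("%-9s return %#" PRIx64 ", guard %s, audit: %s\n", name,
           protected_return(in, len),
           guard_intact(in, len) ? "intact" : "corrupted",
           audit_detects_tamper(in, len) ? "tamper detected" : "clean");
}

int main(void) {
    report("benign:", BENIGN_INPUT, sizeof BENIGN_INPUT);
    report("overlong:", OVERLONG_INPUT, sizeof OVERLONG_INPUT);
    return 0;
}
```

The overlong input overwrites both the guard and the frame's return slot, yet the protected run still returns to RET_ADDR because the second code restores it from the slot; the guard check and the audit each flag that run, while the benign input passes all three.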
From the foregoing, it can be seen that, by the technical solution of the embodiments of the present application, at least the following objects can be achieved:
1. The confidentiality of critical data is protected. Since critical data such as function parameters, local variables and return addresses are usually stored on the stack, a stack overflow attack can cause this data to be tampered with or leaked. By adopting the stack overflow protection technology provided by the application, the integrity and confidentiality of key data can be protected and abuse by an attacker prevented.
2. The security of the software system is improved. Stack overflow is a common security hole through which an attacker can execute malicious code or obtain system privileges. Implementing the stack overflow protection technology provided by the application therefore effectively reduces the potential harm of such vulnerabilities and improves the security of the software system.
3. Remote code execution attacks are prevented. A stack overflow can allow an attacker to inject malicious code into the program's stack and execute it at a location the attacker controls. The stack overflow protection technology provided by the application can prevent remote code execution attacks and ensure that the program only executes code at the expected locations.
4. Temporary buffer overflow is prevented. A stack overflow may also lead to the overflow of temporary buffers, such as string buffer overflow. By adopting the stack overflow protection technology provided by the application, the writing of data can be controlled, overflow of temporary buffers avoided, and the stability and reliability of the software system improved.
As can be seen from the foregoing, the present application saves the return address of the target function code in the register before the target function code is executed and reads the return address from the register after execution is completed. Because the untampered return address is already saved in the register before the target function code runs, and the subsequent read operation fetches that untampered return address directly from the register, the prior-art problem of a security hole risk arising from modification of the return address of a running function code is prevented.
Therefore, the technical scheme of the application achieves the aim of ensuring that the correct return address is always called in the running process of the function code, thereby realizing the technical effect of improving the running safety of the function code, and further solving the technical problem that the security vulnerability risk exists in the running process of the function code caused by modifying the return address of the running function code in the prior art.
Example 2
According to an embodiment of the present application, an embodiment of an execution apparatus of function code is provided. FIG. 2 is a schematic diagram of an alternative execution device of function codes according to an embodiment of the present application, and as shown in FIG. 2, the execution device of function codes includes: a processing unit 201, a reading unit 202 and an executing unit 203.
Wherein the processing unit 201 is configured to store, before executing the target function code, a return address of the target function code in a register, where the return address characterizes an address to which a return operation of the target function code is directed when the return operation is executed; a reading unit 202 for reading the return address from the register after the execution of the target function code is completed; and an execution unit 203 for executing the function code after the target function code according to the return address.
Alternatively, the target function code may be any one of the function codes included in the software program, or it may be the function code currently to be executed by the code execution system. The target function code may implement any functional logic; the specific operation logic of the function code itself is not limited in the present application.
Optionally, the function code is called through a pointer to its address, and on return the function code returns to the position pointed to by the return address.
Alternatively, the register for holding the return address of the objective function code may be a register capable of storing data in a specified area. For example, FS (File Segment Register) registers may be used to hold the return address of the object function code.
Wherein the FS register is a register in the x86 architecture processor that is used to store a file segment descriptor of the current process, and when the processor performs an access file operation, the FS register is used to determine the file segment to be used. By setting the value of the FS register, the software program may directly access the data structure or file buffer associated with the file, thereby improving the efficiency and speed of file reading and writing.
Note that an 8-byte random value is stored at byte position 40 relative to the FS register.
It should be noted that a stack overflow attack generally works by tampering with the return address of the function code while the function code is running (because the return address is exposed to the outside at that time). Since the return address of the target function code held in the register of the present application is acquired before the target function code is executed, the return address held in the register must be the correct, untampered return address. In other words, according to the technical solution of the present application, the code execution system protects the return address of the target function code in the register in advance, before executing the target function code.
It should also be noted that, because the return address stored in the register was acquired before the target function code executed and has not been tampered with, the return address read from the register after execution completes is likewise untampered. In other words, even if the externally exposed return address of the target function code is tampered with during execution, the correct execution of the subsequent code is not affected, since the subsequent code relies on the correct, untampered return address in the register rather than on a tampered one.
Optionally, the following are three application scenario examples of the execution method of the function code in the embodiment of the present application:
Example 1: application to operating systems, which are often one of the most vulnerable targets to security vulnerabilities. By adopting the execution method of the function code, which is equivalent to providing a stack overflow protection technology, an operating system can carry out boundary inspection and stack protection on input data, thereby preventing malicious programs or attackers from tampering with a system memory or executing any code by utilizing stack overflow loopholes.
Example 2: applications are found in web applications, including but not limited to data management applications running on web servers, database servers, etc., which are vulnerable to stack overflow attacks because they often handle input information from users on the network. By using the stack overflow protection technology of the application, the application programs can perform reasonable boundary checking and length verification on the input so as to avoid stack overflow loopholes from being utilized.
Example 3: in the application to a browser, the browser is often a target of malware and network attack because the browser records browsing information of a user. By using the stack overflow protection technology provided by the application, the browser can monitor and protect the execution process of the JavaScript code or the plug-in, and prevent the malicious script from executing the malicious code by using the stack overflow loophole.
As can be seen from the above, by implementing the method for executing the function code in the embodiment of the present application, the security, stability and reliability of the software program when running the function code can be improved, so that the software program is effectively protected from being threatened by malicious attacks, and the possibility of being invaded by an attacker is avoided. The technical scheme of the application at least has the following technical effects:
(1) The security of the software program is improved. Stack overflow is a common security hole through which an attacker can execute malicious code by modifying data on the stack; adopting the function code execution method of the embodiment therefore effectively reduces the threat of stack overflow attacks and improves the overall security of the software program.
(2) Remote code execution attacks are prevented. Because a stack overflow attack can be used to execute malicious code remotely, the method for executing the function code in the embodiment of the application protects the software program from such remote attacks.
(3) The stability of the software program is enhanced. A stack overflow vulnerability can cause the software program to crash or terminate abnormally; the function code execution method in the embodiment of the application can detect and prevent these conditions, enhancing the stability and reliability of the software program.
(4) The risk of network attack is reduced. Because stack overflow attacks are one of the main means of many network attacks, deploying the function code execution scheme of the embodiment greatly reduces the risk that the software program suffers a network attack.
In summary, the present application saves the return address of the target function code in the register before the target function code is executed and reads the return address from the register after execution is completed. Even if the return address of the target function code is tampered with while it runs, the untampered return address was already saved in the register beforehand, and the subsequent read operation fetches that untampered return address directly from the register. The program can therefore always carry out the return of the target function code with an untampered return address, which avoids the prior-art problem of a security hole risk arising from modification of the return address of a running function code.
Optionally, the executing device of the function code further includes: a first code insertion unit and a second code insertion unit. A first code insertion unit, configured to insert a first code at a location located before the target function code, where the first code is used for pointing to a storage path of a return address of the target function code; and a second code insertion unit for inserting a second code at a position located after the target function code, wherein the second code is used for pointing to a dump path of a return address of the target function code.
Alternatively, the second code may be a piece of assembly code different from the first code. The first code reads the value from the specified region of the register and transfers it to the register that holds the currently executing instruction; for example, where the register is an FS register, the first code reads the value from the memory region at byte 40 of the FS register and transfers it to the register that holds the currently executing instruction.
Optionally, a piece of assembly code (the first code) is inserted before the target function code runs; its function is to save the return address of the target function code to the region at byte 40 of the FS register (the target position of the register). When the code execution system reaches this piece of assembly code, it saves the return address of the target function code to that region of the FS register.
Optionally, the processing unit 201 includes: and the storage subunit is used for storing the return address of the target function code to a target position in a register by running the first code before executing the target function code, wherein the target position in the register is used for storing a random value of a preset byte number, and the target position represents a storage path of the return address.
Optionally, the reading unit 202 includes: and the reading subunit is used for reading the return address of the target function code from the register by running the second code after the execution of the target function code is completed, and saving the return address into the target register, wherein the target register is used for storing the currently executing instruction.
Optionally, the executing device of the function code further includes: the device comprises a first determining unit, a detecting unit, a second determining unit and a third determining unit. The first determining unit is used for determining a to-be-confirmed return address used in the running process of the objective function code by running the objective function code under the condition that the first code and the second code are forbidden to run; a detection unit for detecting whether the return address to be confirmed is the same as the return address read from the register; a second determining unit for determining that the return address of the objective function code is not tampered in the running process, in the case that the return address to be confirmed is the same as the return address read from the register; and a third determining unit for determining that the return address of the objective function code is tampered in the running process when the return address to be confirmed is different from the return address read from the register.
It is easy to understand that, when execution of the first code and the second code is prohibited, if the target function code suffers a stack overflow attack that modifies its return address, the return address to be confirmed that the target function code uses during execution will differ from the return address read from the register. From this it can be deduced that the target function code is under a stack overflow attack carried out by tampering with its return address.
Alternatively, if the return address to be confirmed is the same as the return address read from the register, it can be determined that the return address of the target function code has not been tampered with during execution and that the target function code has not suffered a stack overflow attack.
In this way, whether the target function code has suffered a stack overflow attack can be detected and the affected function examined in time. For example, if a software program suspected of suffering a stack overflow attack needs to be examined but contains a large number of function codes, the method of the application can be applied to each function code one by one to accurately and quickly locate the function code that suffered the attack. The examination is simple and efficient: only the first code and second code corresponding to each function code need to be turned on or off.
Optionally, the executing device of the function code further includes: and the target value inserting unit is used for inserting a target value into a stack frame corresponding to the target function code before the target function code is executed, wherein the stack frame corresponding to the target function code is used for storing the return address and the local variable of the target function code, and the position of the target value in the stack frame is positioned between the return address and the local variable of the target function code.
Optionally, the executing device of the function code further includes: a first detection unit, a fourth determination unit and a fifth determination unit. The first detection unit is used for detecting whether the target value in the stack frame changes or not during the execution of the target function code; a fourth determining unit, configured to determine that a program error occurs in the objective function code during the operation process when the objective numerical value changes; and the fifth determining unit is used for determining that the objective function code operates normally under the condition that the objective value is not changed.
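As an added illustration (not the patent's code, nor code from Hillstone Networks), the following C program models the three mechanisms described in the method and apparatus embodiments: the protected copy of the return address saved by the "first code" and read back by the "second code", the comparison of the in-frame return address with that copy (the detection performed by the detecting and determining units), and the random "target value" pushed between the local variables and the return address. The stack frame is modelled as a flat byte array, the register slot as an ordinary struct that the function body never writes, and the canary seed, return address and frame offsets are constructed values, not any real ABI's layout. A real system draws the seed randomly at start-up; on x86-64 Linux, for instance, the compiler's stack protector reads its 8-byte guard from offset 40 of the FS-based thread block, which matches the byte position mentioned above.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Frame layout, lowest offset first: local buffer, then the "target value"
 * (canary), then the return address the call pushed. Offsets are constructed
 * for this model; they are not a real ABI's layout. */
#define LOCALS_SIZE 16
#define CANARY_OFF  LOCALS_SIZE
#define RET_OFF     (CANARY_OFF + 8)
#define FRAME_SIZE  (RET_OFF + 8)

/* Constructed values: a real system draws the canary seed randomly at
 * start-up, and the return address is whatever the call instruction pushed. */
#define CANARY_SEED 0x5a17c3e9d0b4f621ULL
#define RET_ADDR    0x401136ULL

typedef struct { uint8_t mem[FRAME_SIZE]; } frame_t;

/* Stand-in for the register slot the patent uses (an 8-byte "target position"
 * in a segment register). Modelled as a plain struct the body never writes. */
typedef struct { uint64_t saved_ret; uint64_t canary_seed; } reg_t;

static uint64_t load64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }
static void store64(uint8_t *p, uint64_t v) { memcpy(p, &v, 8); }

/* "First code": runs before the body. Copies the pushed return address into
 * the protected register slot and pushes the canary between locals and it. */
static void prologue(frame_t *f, reg_t *reg, uint64_t ret_addr) {
    memset(f->mem, 0, FRAME_SIZE);
    store64(f->mem + RET_OFF, ret_addr);
    reg->saved_ret = ret_addr;
    store64(f->mem + CANARY_OFF, reg->canary_seed);
}

/* Function body: an unchecked copy of caller-supplied bytes into the local
 * buffer. The copy is clipped to the frame so the model itself stays
 * memory-safe, but anything longer than LOCALS_SIZE runs over the canary
 * and then the return slot, which is exactly what the checks must catch. */
static void body_copy_input(frame_t *f, const uint8_t *in, size_t len) {
    if (len > FRAME_SIZE) len = FRAME_SIZE;
    memcpy(f->mem, in, len);
}

/* Detection step: the in-frame canary is compared with the seed, and the
 * in-frame return address with the protected copy in the register. */
static int canary_intact(const frame_t *f, const reg_t *reg) {
    return load64(f->mem + CANARY_OFF) == reg->canary_seed;
}
static int return_address_intact(const frame_t *f, const reg_t *reg) {
    return load64(f->mem + RET_OFF) == reg->saved_ret;
}

/* "Second code": execution resumes at the protected copy, never at the
 * in-frame slot, so a rewritten return address cannot redirect control. */
static uint64_t epilogue_resume_address(const reg_t *reg) { return reg->saved_ret; }

typedef struct { int canary_changed; int ret_tampered; uint64_t resume; } result_t;

/* Simulate one call whose body copies `len` bytes of 'A' into the frame. */
static result_t run_case(size_t len) {
    uint8_t in[FRAME_SIZE];
    reg_t reg = { 0, CANARY_SEED };
    frame_t f;
    result_t r;
    memset(in, 'A', sizeof in);
    prologue(&f, &reg, RET_ADDR);
    body_copy_input(&f, in, len);
    r.canary_changed = !canary_intact(&f, &reg);
    r.ret_tampered   = !return_address_intact(&f, &reg);
    r.resume         = epilogue_resume_address(&reg);
    return r;
}

int main(void) {
    size_t lens[] = { 8, 24, 32 };
    for (size_t i = 0; i < 3; i++) {
        result_t r = run_case(lens[i]);
        printf("copy of %2zu bytes: canary %s, in-frame return address %s, resume at 0x%llx\n",
               lens[i], r.canary_changed ? "changed" : "intact",
               r.ret_tampered ? "tampered" : "intact", (unsigned long long)r.resume);
    }
    return 0;
}
```

The three cases correspond to the page's reasoning: a copy that fits in the locals leaves both checks intact; a copy that reaches the canary is flagged by the target-value check before the return address is touched; a copy that reaches the return slot is flagged by both checks, yet the address execution resumes at is still the protected copy from the register, which is the property the method relies on.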
The specific manner in which the respective units perform the operations has been described in detail in relation to the embodiments of the method with respect to the execution means of the function code in the above embodiments, and will not be described in detail here.
Example 3
According to another aspect of the embodiments of the present application, there is also provided a computer readable storage medium including a stored computer program, where the computer program, when executed, controls the device in which the computer readable storage medium is located to execute the method for executing the function code of any one of the foregoing embodiment 1.
Example 4
According to another aspect of the embodiments of the present application, there is also provided an electronic device, including: a processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to execute the method for executing the function code of any one of the above-described embodiment 1 by running the executable instructions.
The foregoing embodiment numbers of the present application are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
In the foregoing embodiments of the present application, the descriptions of the embodiments are emphasized, and for a portion of this disclosure that is not described in detail in this embodiment, reference is made to the related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed technology may be implemented in other manners. The above-described embodiments of the apparatus are merely exemplary, and the division of units may be a logic function division, and there may be another division manner in actual implementation, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some interfaces, units or modules, or may be in electrical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be embodied in essence or a part contributing to the prior art or all or part of the technical solution in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server or a network device, etc.) to perform all or part of the steps of the method of the various embodiments of the present application. And the aforementioned storage medium includes: a usb disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a removable hard disk, a magnetic disk, or an optical disk, or other various media capable of storing program codes.
The foregoing is merely a preferred embodiment of the present application and it should be noted that modifications and adaptations to those skilled in the art may be made without departing from the principles of the present application, which are intended to be comprehended within the scope of the present application.

Claims (10)

1. A method for executing function code, comprising:
storing a return address of an object function code in a register prior to executing the object function code, wherein the return address characterizes an address to which a return operation of the object function code is directed when executing the return operation;
reading the return address from the register after the execution of the object function code is completed;
and executing the function codes after the target function codes according to the return address.
2. The method of executing function code according to claim 1, wherein before executing the object function code, the method of executing function code further comprises:
Inserting a first code at a location preceding the object function code, wherein the first code is for a storage path pointing to a return address of the object function code;
And inserting a second code at a position behind the target function code, wherein the second code is used for pointing to a dump path of a return address of the target function code.
3. The method of executing function code according to claim 2, wherein storing the return address of the object function code in a register before executing the object function code comprises:
Before executing the target function code, storing a return address of the target function code to a target position in the register by running the first code, wherein the target position in the register is used for storing a random value of a preset byte number, and the target position represents a storage path of the return address.
4. The method of executing function code according to claim 2, wherein reading the return address from the register after the execution of the object function code is completed, comprises:
after the execution of the target function code is completed, the return address of the target function code is read from the register by running the second code, and the return address is transferred to a target register, wherein the target register is used for storing an instruction which is currently being executed.
5. The method of executing function code according to claim 2, wherein after reading the return address from the register, the method of executing function code further comprises:
Determining a return address to be confirmed used by the objective function code in the running process by running the objective function code under the condition that the first code and the second code are forbidden to run;
Detecting whether the return address to be confirmed is the same as the return address read from the register;
Determining that the return address of the objective function code is not tampered in the running process under the condition that the return address to be confirmed is the same as the return address read from the register;
And determining that the return address of the target function code is tampered in the running process when the return address to be confirmed is different from the return address read from the register.
6. The method of executing function code according to claim 1, wherein the method of executing function code further comprises:
Before the target function code is executed, a target value is inserted into a stack frame corresponding to the target function code, wherein the stack frame corresponding to the target function code is used for storing a return address and a local variable of the target function code, and the position of the target value in the stack frame is located between the return address and the local variable of the target function code.
7. The method for executing function code according to claim 6, wherein after inserting the target value in the stack frame corresponding to the target function code, the method for executing function code further comprises:
Detecting whether a target value in the stack frame changes during execution of the target function code;
under the condition that the target value changes, determining that the program error occurs in the running process of the target function code;
and under the condition that the target value is not changed, determining that the target function code operates normally.
8. An execution device of function code, comprising:
A processing unit configured to store, before execution of an object function code, a return address of the object function code in a register, wherein the return address characterizes an address to which regression is directed when a return operation of the object function code is executed;
a reading unit configured to read the return address from the register after execution of the objective function code is completed;
and the execution unit is used for executing the function codes after the target function codes according to the return address.
9. A computer readable storage medium, wherein a computer program is stored in the computer readable storage medium, and wherein the computer program when run controls a device in which the computer readable storage medium is located to execute the method of executing the function code according to any one of claims 1 to 7.
10. An electronic device comprising one or more processors and a memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of executing the function code of any of claims 1-7.
Priority application: CN202311745477.8A, priority date 2023-12-18, filing date 2023-12-18, "Method and device for executing function code, electronic equipment and storage medium" (pending).

Publication: CN117951685A, published 2024-04-30.

Family ID: 90795087. Country: CN.

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination