JP2020027512A - Converter, conversion program, and program conversion method - Google Patents

Abstract

To detect the falsification of a return address by an attack taking advantage of software vulnerability and prevent improper program execution.SOLUTION: The present invention inserts, between a function call instruction and the next instruction included in a conversion target program, an identification label for specifying a place to which to be returned after the processing of a function called by the function call instruction is terminated. The conversion target program is converted so as to calculate the absolute address of the identification label at execution time and hold it. Furthermore, the conversion target program is converted so as to jump to the identification label when the address indicated as a return destination by a return instruction at execution time is found, by determination a match, to match the address to which to be returned (absolute address of the identification label at conversion target program execution time is calculated and held), and to terminate the program when said address does not match, thereby detecting the falsification of the return address and prevent wrongful program execution in advance.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a technique for detecting return address tampering due to an attack using software vulnerability to prevent execution of an unauthorized program.

  Information leakage due to execution of an unauthorized program on a computer has become a problem. These malicious programs often use software vulnerabilities.

  A typical example is a buffer overflow attack. When a function is called in the operation of a program on a computer, the return address is stored in a register or a stack area in memory to enable the function to return to the caller of the function. An attack that overwrites a return address on the stack area with an invalid address by using a URL is well known.

  Patent Literature 1 discloses a conversion device that converts a program so as to prevent occurrence of a buffer overflow.

  Patent Literature 2 discloses a processor including means for preventing execution of an unauthorized program due to a buffer overflow.

Japanese Patent No. 5820754 Japanese Patent No. 5777843

  However, in addition to the buffer overflow attack, there is an attack that rewrites a return address to an illegal address by using a software vulnerability. For example, if the shared library is coded in a position-independent manner, the absolute address of the executable file is resolved by dynamic link at the time of execution of the executable file. Since it is assumed that all the absolute addresses indicating the program called in the main processing are known before the execution of the main processing, it is impossible to cope with the case where the return address is rewritten to an incorrect address.

  Means for saving the return address in a register may be considered, but there is a limit in hardware resources, and a software solution is required.

  SUMMARY OF THE INVENTION The present invention has been made in view of such circumstances, and solves the above-described problem, detects return address falsification due to an attack using a software vulnerability, and prevents execution of an unauthorized program. It is an object to provide a conversion device, a conversion program, and a program conversion method.

  A conversion device, a conversion program, and a program conversion method using a computer according to the present invention solve the above-described problem by converting a conversion target program so as to realize the following mechanism.

(Mechanism)
According to the present invention, an identification label for specifying a place to return to after the processing of the function called by the function call instruction is completed is inserted between the function call instruction included in the conversion target program and the next instruction. At the time of execution, an absolute address of the identification label is calculated, and the conversion target program is converted so as to be held. Further, when it is determined whether the address indicated by the return instruction as the return destination at the time of execution matches the address to be returned (the absolute address of the identification label at the time of execution of the conversion target program that is calculated and held) and matches. Is returned (jump to the identification label) as it is, and if they do not match, the conversion target program is converted so as to terminate the program.

  In order to solve the problem by realizing the above-described mechanism, the present invention provides an executable object file which constitutes a conversion target program, a directory where a source file exists, an object file which constitutes a source file, and a symbol name. Are generated based on the memory map, indicating that the relationship information indicates the relationship between the two.

  In order to solve the problem by realizing the above-described mechanism, the present invention calculates a start address of a conversion target program and a start address of a shared library linked to the conversion target program based on a memory map, and issues an instruction to hold the instruction. Immediately after the execution of the conversion target program, the instruction is inserted into the conversion target program so that the instruction can be called from the conversion target program. Note that, in the present specification, the “instruction for calculating and holding the start address of the conversion target program and the start address of the shared library linked to the conversion target program based on the memory map” is referred to as a “load address calculation instruction”. . The same applies to the following.

  In order to solve the problem by realizing the above-described mechanism, the present invention detects a function call instruction included in a conversion target program and specifies a place to return after processing of the function called by the function call instruction is completed And generating an identification label between the detected function call instruction and the next instruction.

  In order to solve the problem by realizing the above-described mechanism, the present invention detects a return instruction included in a conversion target program, and detects the detected return instruction when an address indicated by the return instruction as a return destination when the conversion target program is executed. It is characterized in that it is determined whether or not it matches the absolute address to be returned calculated from the address of the identification label, and if it does not match, the instruction is rewritten to an instruction for branching to a return address check instruction for terminating the program to be converted. Note that, in the present document, it is determined that the address indicated by the return instruction at the time of execution of the conversion target program matches with the address to be returned calculated from the identification label address. The instruction to be terminated is described as a "return address check instruction." The same applies to the following.

  In order to realize the above-described mechanism and solve the problem, the present invention is characterized in that a return address check instruction is generated and inserted into a conversion target program.

  In order to realize the above-described mechanism and solve the problem, the present invention is characterized in that an address of an identification label is acquired, and the acquired address is associated with the identification label and held as an identification label address.

  In order to solve the problem by realizing the above-described mechanism, the present invention determines whether the conversion target program starts normally, terminates the program conversion if it starts normally, and if it does not start normally Is characterized by performing a process of instructing re-acquisition of an identification label address, instructing an update of a return address check instruction, and determining whether to normally start again.

  As described above, according to the present invention, it is possible to solve the above-described problem and detect the falsification of the return address due to the attack using the vulnerability of the software, thereby preventing the execution of the unauthorized program.

FIG. 3 is a block diagram illustrating a configuration example of a conversion device. It is a hardware configuration of a conversion device. 6 is a flowchart illustrating an operation of the conversion device. FIG. 5 is a diagram schematically illustrating an example of relation information. It is an example of a memory map. It is a flowchart of a symbol name search. 9 is a flowchart illustrating load address calculation instruction insertion processing. It is a processing flow performed by a load address calculation instruction. FIG. 9 is a diagram illustrating an outline of an operation of a conversion target program after conversion. It is a flowchart which shows an identification label generation insertion process and a return instruction rewriting process. It is a flowchart which shows an identification label output process. 9 is a flowchart illustrating a return address check instruction generation and insertion process. It is a flowchart explaining generation | occurrence | production of a return address check instruction. It is a flowchart which shows an identification label address acquisition process. It is a flowchart which shows a return address check command update process. It is a flowchart which shows the detail about a return address update. It is a flowchart which shows the identification label production | generation insertion processing in 2nd Embodiment. It is a flowchart shown about standard library function identification label output. 9 is a flowchart illustrating a return address check instruction generation and insertion process according to the second embodiment. It is a flowchart which shows a standard function call part generation output process.

  An embodiment of the present invention will be described with reference to the drawings. In each of the drawings, the same or corresponding portions are denoted by the same reference characters, and redundant description will be omitted.

(1st Embodiment)
The conversion device according to the present embodiment is a conversion device that converts a program so as to stop and detect alteration of a return address due to an attack using software vulnerability.

  FIG. 1 is a block diagram illustrating a configuration of a conversion device 10 according to the present embodiment. As shown in FIG. 1, the conversion apparatus 10 includes a relation information generation unit 100, a load address calculation instruction insertion unit 110, a compiler 120, an identification label generation and insertion unit 130, a return instruction rewriting unit 140, an identification label address acquisition unit 150, a return An address check instruction generation / insertion unit 160 and a return address check instruction update unit 170 are provided.

  The relation information generation unit 100 is configured to execute a relation information indicating a relation in which a directory in which a source file exists, an object file forming the source file, and a symbol name are linked to each other with respect to an executable object file forming the conversion target program. Is generated based on the memory map.

  The load address calculation instruction insertion unit 110 has a function of inserting a load address calculation instruction into the conversion target program so that the instruction can be called from the conversion target program immediately after the execution of the conversion target program starts. .

  The compiler 120 converts the source program of the conversion target program into an object file such as an executable file and a shared library or an assembly program.

  The identification label generation / insertion unit 130 detects a function call instruction included in the conversion target program, and generates an identification label for specifying a place to return to after the processing of the function called by the function call instruction is completed. A function of inserting an identification label between the function call instruction and the next instruction.

  The return instruction rewriting unit 140 has a function of detecting a return instruction included in the conversion target program and rewriting the detected return instruction into an instruction that branches to a return address check instruction.

  The return address check instruction generation / insertion unit 160 has a function of generating and inserting a return address check instruction in the conversion target program.

  The identification label address acquisition unit 150 has a function of acquiring the address of the identification label from the object file, linking the acquired address with the identification label, and holding the acquired address as the identification label address.

  The return address check instruction updating unit 170 determines whether the conversion target program starts normally, terminates the conversion of the program if it starts normally, and reacquires the identification label address if it does not start normally. It has a function to issue a command, update a return address check command, and determine whether or not to normally start again.

  The conversion device 10 shown in FIG. 1 has the hardware configuration 20 shown in FIG. As shown in FIG. 2, the conversion device 10 physically includes a central processing unit (CPU) 210, an input device 220, an output device 230, a main storage device (RAM / ROM) 240, an auxiliary storage device 250, and the like. It is configured as a computer system. Further, the CPU has a plurality of registers 260 as a temporary storage circuit.

  Each function of the conversion device 10 is controlled by controlling the central processing unit (CPU) 210 by reading predetermined computer software into a central processing unit (CPU) 210, a main storage device (RAM / ROM) 240, or the like shown in FIG. , The input device 220 and the output device 230 are operated, and data is read from and written to the main storage device (RAM / ROM) 240 and the auxiliary storage device 250.

  Next, the operation of the conversion device 10 according to the present embodiment will be described. FIG. 3 is a flowchart illustrating the operation of the conversion device 10 according to the present embodiment. As shown in FIG. 3, the processing performed by the conversion device 10 is roughly divided into three blocks: an information acquisition processing block B10, an instruction generation insertion processing block B20, and a check processing block B30. In consideration of the ease of explanation, Linux (registered trademark) is used as an operation system, C language is used as a programming language, GNU compiler collection (hereinafter, GCC) is used as a compiler, and file formats generated by the compiler are used below. Although the description will be made assuming that the ELF is used, the same applies to an environment in which a computer behaves in a similar manner.

  The conversion device 10 starts the operation illustrated in FIG. 3 by, for example, explicitly instructing the start of the operation after loading the conversion target program and the program linked to the conversion target program into the process space.

  The operation of the conversion device 10 according to the present embodiment will be described with reference to the flowchart shown in FIG.

  When the operation of the conversion device 10 is started, a conversion target program is designated for the conversion device 10. The conversion program started by the conversion apparatus 10 is specified by giving, as arguments, a directory full path of all executable files which are conversion target programs and a directory full path of source files of all executable files which are conversion target programs. Similarly, the full path of the object file and the full path of the source file are given as arguments for all the shared libraries that are linked to the executable file and are the conversion target programs. The reason for providing the arguments in this way is to prevent shortage of return address check instructions for functions in the shared library because the same shared library may be linked with multiple executable files. .

  As shown in S301 of FIG. 3, the conversion device 10 performs a sequential conversion process on all the executable files that are the conversion target programs specified as described above. The following processing is performed by inheriting the directory full path information in which the executable file of the conversion target program, which is provided at the start of the operation of the conversion apparatus 10 and exists. First, the processing of the information acquisition processing block B10 will be described.

  The relation information generation unit 100 performs a relation information generation process (S303). The relation information generation process (S303) includes, for an object file such as an executable file or a shared library that constitutes the conversion target program, a directory in which the source file exists, and an object file corresponding to each source file (hereinafter, a configuration object file This is a process of generating relationship information indicating a relationship between the symbol name and the symbol name based on the memory map.

  FIG. 4 is a diagram schematically illustrating an example of the related information generated by the related information generating unit 100 performing the related information generating process (S303) in order to facilitate understanding of the following description. The relation information generation processing (S303) will be described using the relation information shown in FIG. 4 as an example.

  The relation information generation unit 100 acquires a memory map. The memory map is a file in which information of a data structure indicating a state of a process is mapped in a kernel of the operating system. The exact starting address of each region of the process space can be obtained by the memory map. For example, in Linux (registered trademark), each process ID exists under the / proc directory. The process ID can be obtained by a getpid function in the C language.

  FIG. 5 shows an example of the memory map. Reference numeral a indicates the start address, reference numeral b indicates the end address, reference numeral c indicates the access authority, and reference numeral d indicates the full path. Both the executable file (code e) and the shared library (code f) can be identified from the fact that the access authority (code c) is r-xp (readable, write-inhibited, executable).

  The relation information generation unit 100 extracts the full path (code d) from the acquired memory map for the object file whose access authority (code c) is r-xp, and generates the object file array shown in FIG. Note that even if the access right (code c) is r-xp, an object file such as a loader that does not need to be checked may be excluded from the extraction target in order to increase the processing efficiency.

  The relation information generation unit 100 links the generated object file array 40 to the directory full path of the executable file which is the conversion target program given as an argument, the directory full path of the source file, and the executable file. Using the full path of the object file directory and the full path of the source file for the shared library that is the target program, a process of associating with the source file directory is performed. Thus, the object file array 40 and the source file directory 41 shown in FIG.

  Next, the relation information generation unit 100 performs a symbol name check to generate the relation information shown in FIG. The relation information generation unit 100 sequentially performs a symbol name check shown in the flowchart of FIG. 6 on the source file directory 41 shown in FIG. The process is executed on the source file directory 41 until there are no more elements in the directory (S601).

  In the process of S603, it is determined whether the element is a directory. If the element is a directory, it is necessary to check the symbol name also in the directory, so the symbol name checking process (S605) is performed for the directory. If the element is not a directory, the flow shifts to determination processing in S607.

  In the process of S607, it is determined whether the element is an object file. The file name extension is. If it is o, it is determined to be an object file. If it is determined that the element is an object file, the element is associated with the source file directory 41 as the constituent object file 42 as shown in FIG. After that, the processing shifts to S609. If it is determined that the element is not an object file, the process moves to the next element in the directory.

  In the process of S609, a symbol is obtained. In Linux (registered trademark), a symbol can be obtained by an nm command. A process (S611) for associating the acquired symbol name 43 with the configuration object file 42 as shown in FIG. 4 is performed.

  When there are no more elements in the directory, the process ends.

  When the related information generating process (S303) by the related information generating unit 100 is completed, the related information illustrated in FIG. 4 is generated.

  Next, the load address calculation instruction insertion unit 110 performs load address calculation instruction insertion processing (S305). The load address calculation instruction insertion process (S305) is a process of inserting a code into the conversion target program so that the load target calculation instruction can be called from the conversion target program immediately after the execution of the conversion target program starts.

  The address of a shared library that is position-independently coded cannot be determined unless it is loaded. For this reason, the load address calculation instruction insertion unit 110 inserts a code into the conversion target program so that the load address calculation instruction can be called from the conversion target program immediately after the execution of the conversion target program is started. Enable to get start address.

  FIG. 7 is a flowchart showing the load address calculation instruction insertion processing. The load address calculation instruction insertion processing will be described with reference to the flowchart shown in FIG.

  In the process of S701, a source file directory corresponding to the first element of the object file array shown in FIG. 4 is obtained. In the memory map, since the executable file is always the first element, the first element of the object file array always corresponds to the executable file. When the processing in S701 ends, the flow shifts to the processing in S703.

  In the process of S703, the source file directory corresponding to the first element of the obtained object file array is sequentially processed until there are no more elements in the directory.

  In the process of S705, it is determined whether the element is a directory. If the element is a directory, the load address calculation instruction insertion processing needs to be performed also in the directory, so the load address calculation instruction insertion processing for the directory (S707) is executed. If the element is not a directory, the flow shifts to determination processing in S709.

  In the process of S709, it is determined whether the element is a source file. For example, a source file written in the C language is a file having an extension “.C”. If the element is not a source file, move to the next element. If the element is a source file, the file is opened and the process proceeds to S711.

  In the processing of S711, the main function is sequentially read to the end of the source file to find a main function (S713). If the main function is found, the code for calling the load address calculation instruction is described at the beginning of the main function (line immediately after the main function of the source file is described) (S715). Thus, when the main function is called during execution of the converted program, the load address calculation instruction is called first.

  In the process of S715, a code for calling the load address calculation instruction in the main function is newly described. In the process of S717, the Makefile is rewritten because it is necessary to compile and link with the source file including the substance of the newly called load address calculation instruction. The above is the processing of the information acquisition processing block B10.

  When the load address calculation instruction insertion processing (S305) by the load address calculation instruction insertion unit 110 is completed, the conversion device 10 compiles (S307) using the rewritten Makefile by the compiler 120 to create an executable file. At this time, the conversion device 10 outputs an assembly file to the source files in all the source file directories 41 of FIG. 4 as an assembly file used in the subsequent instruction generation / insertion processing block B20.

  Here, apart from the processing flow of FIG. 3, the operation of the load address calculation instruction at the time of executing the converted program will be described. The load address calculation instruction calculates the start address of the program to be converted and the start address of the program linked to the program to be converted, concatenates them into one character string in ascending order of address, and outputs the result to a file. The character string that has been read is stored as a new memory area in the process space as readable and unwritable, and the start address of this memory area is stored in a static variable.

  FIG. 8 is a processing flow executed by the load address calculation instruction. Since the code for calling the load address calculation instruction is described immediately after the main function, the processing flow shown in FIG. 8 is executed by the load address calculation instruction immediately after execution of the converted program.

  In the process of S801, the process ID of the started process is acquired. The process ID can be obtained by a getpid function in the C language. When the processing in S801 ends, the flow shifts to the processing in S803.

  In the process of S803, a memory map of the obtained process ID is obtained. A memory map exists for each process ID under the / proc directory. When the processing in S803 ends, the flow shifts to the processing in S805.

  In the process of S805, the acquired memory map is acquired in order from the first line, and it is determined whether the access right is r-xp (readable, writable, executable) (S807). And extract the shared library.

  In the processing of S809, the start address of the r-xp row (see reference symbol a in FIG. 5) is obtained, and a character string in which the obtained start addresses are concatenated is generated. The number of bytes of each start address is unified so that the start address can be restored from a character string generated in a later process. For example, with regard to the number of bytes, the address is corrected to 16 bytes by filling in 0s. Since the byte order (endian) differs depending on the processor and platform, a character string is generated according to the environment. Information about the type of endian is described in the ELF header. When the processing in S809 ends for all r-xp rows in the memory map, the processing shifts to S811.

  In the process of S811, the character string combined with the start address is read-only written to the memory area using the mmap function so as not to be falsified. One static variable is defined as a start address storage variable, and the start address of a memory area in which a character string is written to the static variable in a read-only manner is stored.

  Since the start address of each object is described every 16 bytes from the beginning of the character string written read-only in the memory area specified by the start address storage variable, reading the character string from the target position Can be obtained.

  In this way, the load address calculation instruction calculates and holds the start address of the conversion target program and the start address of the shared library linked to the conversion target program based on the memory map.

  Next, before proceeding to the description of the processing of the instruction generation / insertion processing block B20 shown in FIG. 3, the operation of the conversion target program after conversion by the conversion device 10 is described in consideration of the following description. The relationship between the instruction generation and insertion processing block B20 and the processing from S309 to S313 will be briefly described.

  FIG. 9 is a diagram for explaining an outline of the operation of the conversion target program after the conversion. FIG. 9 illustrates a case where the function myfunc is called.

  An outline of the operation of the conversion target program after the conversion will be described with reference to FIG. When the function myfunc is called by the call myfunc in the source code described in the caller's assembly language (hereinafter, referred to as assembly code), the processing shifts to the function myfunc in the callee assembly file. In the callee assembly file, the ret instruction for returning to the caller after the processing of the function myfunc is completed has been rewritten to the jump instruction (903) to the return address check instruction. Therefore, when the processing of the function myfunc ends, the processing shifts to the return address check instruction (905) described in the same callee assembly file. In the return address check instruction, it is determined whether the return destination is correct based on the check logic. If the return destination is not correct, the process is terminated. If it is determined that the return destination is correct, the process is executed next to the call instruction in the caller assembly file. Jump to the identification label described in the line.

  The outline of the relationship between the operation of the conversion target program after the conversion and the processing of S309 to S313 of the instruction generation and insertion processing block B20 will be described with reference to FIG. In the processing of the instruction generation / insertion processing block B20, the program is converted by rewriting the assembly code of the conversion target program so as to perform the operation shown in FIG. The identification label generation / insertion processing (S309) detects a function call instruction from the caller assembly file and adds an identification label (901) for specifying a place to return to after the processing of the function called by the function call instruction is completed. The identification label (901) is inserted between the generated and detected function call instruction and the next instruction. The return instruction rewriting process (S311) detects a return instruction from the callee assembly file, and rewrites the detected return instruction into an instruction (903) that branches to a return address check instruction. The return address check instruction generation / insertion processing (S313) generates a return address check instruction (905) and inserts it into the callee assembly file.

  As described above, in the present embodiment, it is possible to determine whether the return destination is correct by describing the return address check instruction in the callee assembly file. However, when the function to be called is a standard function, the standard function is provided in binary, so that the return address check instruction cannot be directly described in the assembly file. Therefore, in the first embodiment, the standard functions used by the conversion target program are directly assembled by arranging a self-made standard function that performs the same operation as a new shared library with reference to the published source code. Enables you to write a return address check instruction in a file. According to this method, falsification of the return address can be completely prevented. An embodiment in which a standard function provided in binary is used as it is will be described later as a second embodiment.

  Returning to FIG. 3, the processing of the instruction generation / insertion processing block B20 will be described. The identification label generation and insertion unit 130 performs an identification label generation and insertion process (S309). The identification label generation / insertion process (S309) detects a function call instruction included in the conversion target program, and generates an identification label for specifying a place to return to after the processing of the function called by the function call instruction is completed. This is a process of inserting an identification label between the detected function call instruction and the next instruction.

  FIG. 10 is a flowchart showing the identification label generation and insertion processing (S309) and the return instruction rewriting processing (S311). The assembly code is read, and the assembly code is rewritten according to the processing shown in the flowchart of FIG. First, the identification label generation and insertion processing (S309) will be described with reference to FIG.

  The identification label generation and insertion unit 130 performs an identification label generation and insertion process (S309). The identification label generation and insertion processing (S309) is executed for each assembly file. In the processing of S1001, the following processing is sequentially performed from the first line to the end of the assembly file.

  The process of S1003 is a process of finding a call instruction to detect a function call instruction included in the conversion target program. If a call instruction is found, the flow shifts to the process of S1005.

  In the processing of S1005, an identification label for specifying a place to return to after the processing of the call instruction found in the processing of S1003 and the function called on the line following the call instruction is completed is generated and output as an assembly code. .

  FIG. 11 is a flowchart showing the identification label output processing (S1005). The rewriting process is performed by generating the assembly code. In FIG. 11, a case where the function print_msg shown in FIG. 4 is called by a call instruction will be described as an example. In FIG. 4, the function print_msg is composed of a symbol name print_msg, a configuration object file sample_1. o and exists in the source directory / usr / local / src / sample_1 /.

  In the process of S1101, a return source identification label is generated. The rules for naming the identification labels are not limited as long as they can be identified. Here, as an example, a common character string “.ATTC_RET_LB” indicating a return source identification label, a character string “35xqh754” obtained by hashing an existing source directory / usr / local / src / sample_1 /, a source file name The identification label is generated by combining "sample_1" and the serial number "$ 2". The same function may be called multiple times in the same assembly code. However, since the return source is different even for the same function, processing is performed so that the identification label name is not duplicated. In the example of FIG. 11, serial numbers are assigned to the identification labels so that the identification label names do not overlap. When the processing in S1101 ends, the flow shifts to the processing in S1103.

  In the processing of S1103 and S1105, an identification label insertion processing is performed. The identification label generated in the process of S1101 is inserted between the call instruction for calling the function and the next instruction. When the processing in S1105 ends, the flow shifts to the processing in S1107.

  In the process of S1107, a return source identification label file is generated, and the function name (1109), the identification label name (1111), and the address value (1113) are written and stored. Each line of the return source identification label file is sorted by function name (S1107). In the processing stage of S1107, 0000000000000000 is uniformly written as the initial value in the address value (1113). This value is updated when the address of the identification label is acquired in the identification label address acquisition processing (S315) described later. As a result, the address value (1113) is held in the return source identification label file.

  Next, the return instruction rewriting process (S311) will be described with reference to FIG. The return instruction rewriting unit 140 performs a return instruction rewriting process (S311). The return instruction rewriting process (S311) is executed for each assembly file. In the processing of S1001, the processing is sequentially performed from the first line to the end of the assembly file.

  The process of S1007 is a process of finding a ret instruction to detect a return instruction included in the conversion target program. If a ret instruction is found, the flow shifts to the processing of S1009.

  The process of S1009 rewrites the detected return instruction to an instruction that branches to a return address check instruction. Specifically, as shown in FIG. 9, the ret instruction is rewritten to a jmp instruction that jumps to the label of the return address check instruction described in the same source file.

  The return address check instruction exists independently for each function to be called, and describes a check logic for each return source identification label to be checked. For this reason, the label name of the return address check instruction needs to be assigned so as not to be duplicated for each called function. In this embodiment, a character string obtained by combining the identification label name (1111) excluding the serial number of the return source identification label file shown in FIG. 11 and the function name (1109) is given as the label name of the return address check instruction. . Specifically, the label name of the return address check instruction corresponding to the function print_msg in FIG. 11 is ATTC_RET_LB_35xqh754_sample_1 @ print_msg.

  In the process of S1011, a line that is neither the call instruction nor the ret instruction in the assembly code is output as it is. The processing is performed up to the end of the assembly file, and the identification label generation and insertion processing (S309) and the return instruction rewriting processing (S311) are completed.

  The return address check instruction generation / insertion unit 150 performs a return address check instruction generation / insertion process (S313). The return address check instruction generation and insertion processing (S313) performs processing of generating and inserting a return address check instruction in the conversion target program.

  FIG. 12 is a flowchart showing the return address check instruction generation and insertion processing (S313). Based on the relation information generated by the relation information generation unit 100 (see FIG. 4), for all the source file directories 41 (S1201), the symbols included in the assembly file corresponding to the related configuration object file 42 (S1203) With the name 43 as an argument (S1205), a return address check instruction for a function corresponding to the symbol name as an argument is generated and output to an assembly file including the function (see FIG. 9).

  FIG. 13 is a flowchart illustrating in detail the generation of the return address check instruction, which is the process of S1207. The return address check instruction is generated for each function corresponding to the symbol name in the assembly file. However, since there are a plurality of return sources, a determination is made for each identification label in the return source identification label file (see FIG. 11). Consists of check logic. More specifically, the return address check instruction, when executing the converted program, stores the address indicated by the return instruction as the return destination in the register A, and the address to be returned in the register B (the calculated and held conversion target program). The falsification of the return address is detected by determining whether the absolute address of the identification label at the time of execution is the same as the register A and the register B, respectively.

  The generation of the return address check instruction will be described with reference to FIG. As described above, the return address check instruction generation and insertion processing (S313) has as an argument the symbol name included in the assembly file based on the relation information generated by the relation information generation unit 100. Here, the description proceeds with the symbol name of the argument being print_msg. In the process of S1301, the following processes are sequentially performed on the elements of the return source identification label file (see FIG. 11) generated by the identification label generation / insertion unit 130 up to the end.

  In the process of S1303, it is determined whether the function name 1109 described in the return source identification file matches the function name given as a symbol name as an argument. If they do not match, the process moves to the next line in the return source identification file and repeats the process. If they match, the process moves to S1305.

  In the process of S1305, it is determined whether or not the function name given by the symbol name as the argument is the first line that appears as the function name described in the return source identification file. Since the return source identification label file is sorted by the function name, by sequentially reading the file, it can be determined whether the function name appears first. In the return source identification file shown in FIG. 11, the function name print_msg is described over four lines, but since the function names have been sorted, the second line of the element of the return source identification file appears first in the function name print_msg. Line. If it is determined in step S1305 that the function name given as a symbol name as an argument is the first line that appears as the function name described in the return source identification file, the process advances to step S1307.

  The process of S1307 outputs a label indicating that the instruction is a return address check instruction of a function described in the return source identification file. As described above, the label name of the return address check instruction corresponding to the function print_msg of FIG. 11 is ATTC_RET_LB_35xqh754_sample_1 @ print_msg. In the processing from S1309, a check logic for each return source identification label is described for the function after this label. When the processing in S1307 ends, the flow shifts to the processing in S1309.

  The process of S1309 outputs an instruction to save the stack to the register A. When the converted program is started, the return address is stored in the register A because the stack pointer points to the return address when the return address check instruction is called. When the processing in S1309 ends, the flow shifts to the processing in S1311.

  The processing from S1311 to S1325 is performed when the post-conversion program is executed, the return address to be compared with the return address stored in the register A (the absolute address of the calculated and held identification label at the time of execution of the conversion target program). ) Is output to the register B. As a preparatory process, the conversion device 10 inquires and acquires the address of the identification label in the return source identification file using the nm command. At this time, if the value described in the entry point of the ELF header of the file in which the identification label is described is a relative address, the address that can be obtained is a position-independent coded file, and the address is a relative address (offset value). Becomes Therefore, the check logic is generated so that the converted program obtains the absolute address by the calculation at the check timing when the converted program is executed.

The process of S1311 determines whether the object file in which the identification label is described is position-independent coded. Specifically, it is determined whether the entry point is a relative address by referring to the ELF header of the executable file or the shared library in which the identification label is described. Whether the address is a relative address can be determined based on whether the entry point is smaller than 4,000,000 in hexadecimal. If it is determined in step S1311 that the object file in which the identification label is described is encoded in position-independent manner, the process proceeds to step S1313.

  The processing from S1313 to S1319 is processing when the identification label exists in the position-independent coded object file. In this case, the address of the identification label is an offset value. Therefore, the absolute address of the identification label is obtained by adding the offset value of the identification label in the return source identification file to the start address of the loaded object file in which the identification label is described.

  The processing from S1313 to S1319 will be described in detail. The processing from S1313 to S1317 outputs an instruction to calculate the absolute address of the start address of the object file in which the identification label is described and store the absolute address in the register B.

  At the time of executing the converted program, immediately after the execution, the load address calculation instruction (FIG. 8) obtains the start address of the conversion target program and the start address of the shared library linked to the conversion target program based on the memory map. A character string obtained by concatenating the start addresses is written to the memory area in a read-only manner. Then, the start address of this memory area is held in the start address storage variable. When the address of the identification label is an offset value, the return address check instruction generation / insertion unit 150 generates an instruction for checking the return address using the address acquired and held by the load address calculation instruction (FIG. 8). And insert.

  The process of S1313 outputs an instruction to transfer to the register B the reference address of the start address storage variable (the start address of the memory area in which the character string in which the start address of the loaded object file is linked) is written.

  The processing in S1315 is performed by adding the element number of the object array (the number in the loading order starting from 0) to the head address of the memory area in which the character string concatenated with the start address of the loaded object file acquired in the processing in S1313 ), The start address of the object file is described by adding the distance from the head of the character string written in the memory area to the target position where the start address of the object file is described in the register B. The instruction for calculating the address of the target position is transferred.

  The process of S1317 outputs an instruction to transfer to the register B the reference destination (start address of the object file) of the address at the target position where the start address of the object file is described.

  In the process of S1319, an instruction to add the address value 1113 corresponding to the identification label 1111 described in the return source identification label file to the register B is output. When the program after the conversion is executed, the address of the identification label acquired by the nm command is described in the address value 1113 by the identification label address acquisition processing (S315) performed by the identification label address acquisition unit 160 described later. As determined in the processing, the address value 1113 of the identification label takes an offset value. The process of S1319 generates an instruction for calculating the absolute address of the identification label by adding the start address of the loaded object file and the address value (offset) of the identification label.

  If it is determined in step S1311 that the object file in which the identification label is described is not coded in a position independent manner, the process proceeds to step S1321. In this case, the address of the identification label is an absolute address. In the process of S1321, it is determined whether the assembly file is a self-made so source.

  The case where the assembly file is a self-made so source corresponds to a case where a function of a self-made shared library is called in an executable file. Since the address value 1113 corresponding to the identification label 1111 described in the return source identification label file exists in the executable file, it becomes an absolute address, and outputs an instruction to be transferred to the register B as it is (S1323).

  The case where the assembly file is not a self-made so source corresponds to a case where a function in the executable file is called in the executable file. At the time of execution, an instruction for acquiring the address of the identification label and transferring it to the register B is output (S1325). As an example, leaq. ATTC_RET_LB_35xqh754_sample_1-1 (% rip),% r11. In this embodiment, the exemplified functions are used.

  The process of S1327 outputs an instruction to compare registers A and B. The process of S1329 outputs an instruction to jump to an OK label if the result of the comparison is a match. The instruction to jump to the return address stored in the register A is described in the OK label destination of the jump destination. The above processing is repeated for the function (S1331). In the function print_msg shown in FIG. 11, the number of appearances (four times) of the function print_msg is processed, check logic is output, and described in the callee assembly file.

  When the processing for the function is completed to the end (S1331), an instruction to jump to the NG label is output (S1335). At the NG label destination of the jump destination, an instruction to end the process is described. The above is the processing of the instruction generation / insertion processing block B20.

    Returning to FIG. 3, the processing of the check processing block B30 will be described. The check processing block B30 acquires the address of the identification label, associates the acquired address with the identification label, and holds the acquired address as the identification label address (S315), and determines whether the conversion target program starts normally. If it starts normally, it ends the program conversion.If it does not start normally, it instructs re-acquisition of the identification label address, instructs the update of the return address check instruction, and restarts normally. It consists of a return address check instruction update process (S317) for performing the determination process.

  When the processing shifts to the check processing block B30, first, an executable file and a shared library are created once. The check processing block B30 is for confirming that the program rewritten in the processing of the instruction generation / insertion processing block B20 starts normally.

  FIG. 14 is a flowchart showing the identification label address acquisition processing (S315). The identification label address acquisition unit 160 executes an identification label address acquisition process (S315). Based on the relationship information (see FIG. 4) generated by the relationship information generation unit 100, the corresponding object files 40 are obtained for all the source file directories 41 (S1401) (S1403). The symbol name and the address after the executable file is created for the symbol are acquired from each object file by the nm command (S1405). The address value 1113 of the return source identification file is rewritten for a symbol whose name matches that of the symbol name (S1409). Through this series of processing, the address value 1113 of the return source identification file becomes the address value at the time of execution, and is associated with the identification label.

  FIG. 15 is a flowchart showing the return address check instruction update processing (S317). The return address check instruction update processing section 170 executes the return address check instruction update processing (S317). By executing the return address check command generation (FIG. 13) again to reflect the rewritten address value 1113 of the return source identification file to the address value acquired in the identification label address acquisition process (S315), the return source identification file A return address check instruction in which the address value at the time of execution is embedded as the address value 1113 of the instruction is generated. Also, when the return address check instruction is inserted into the assembly file by the return address check instruction generation / insertion processing (S313), the file size becomes larger than the initial size, so that the address value of the inserted identification label changes. In this case, the return address takes a value different from the originally assumed value, it is determined that the return address has been falsified, and the process ends abnormally. Therefore, in order to cope with such a situation, create an executable file and a shared library and check whether it operates normally.If it starts normally, terminate the program conversion.If it does not start normally, , An instruction to re-acquire the identification label address, an instruction to update the return address check instruction, and a process to determine whether or not to normally start again.

  The return address check instruction update processing (S317) will be described with reference to FIG. Based on the relation information generated by the relation information generation unit 100 (see FIG. 4), the assembly file names corresponding to the related configuration object files 42 (S1503) are used as arguments for all the source file directories 41 (S1501). Then, the return address check logic described in the assembly file as the argument is updated (S1505). Thereafter, an executable file and a shared library are created (S1507), and the executable file is activated (S1509). A determination is made as to whether or not normal startup has been performed (S1511). If it does not start normally, the process returns to the identification label address acquisition process (S315) and continues the execution.

  FIG. 16 is a flowchart showing details of the return address check logic update (S1505). The update of the return address check logic (S1505) will be described with reference to FIG. In the process of S1601, the assembly file specified by the argument is opened, and rewriting is performed sequentially from the first line to the end. In the process of S1603, it is determined whether or not the part describes the check logic. If it is not the description part of the check logic, the line is output as it is (S1605) and the process proceeds to the next line (S1613). If it is the description part of the check logic, it is determined whether or not it is a return address check label described for each function (S1607). If the label is not a return address check label, the process moves to the next line (S1613). If the label is a return address check label, a function name is obtained from the label (S1609), and a return address check instruction is generated (FIG. 13) using the obtained function name as an argument (S1611).

  The above is the processing of the check processing block B30. When the processing of the check processing block B30 is completed, returning to FIG. 3, the processing shifts to the conversion processing of the next conversion target program specified by the argument (S301). When the conversion process is completed for all the conversion target programs, the conversion of the conversion target program by the conversion device 10 is completed.

(2nd Embodiment)
The conversion device according to the present embodiment is a conversion device that converts a program so that, in addition to the functions of the conversion device according to the first embodiment, the address of the identification label is acquired at the time of execution for a standard function and stored in a register. .

  If the function to be called is a standard function, the standard function is provided in binary, so the return address check instruction cannot be described directly in the source file. On the other hand, since the standard function is not coded in a position-independent manner, when the address is obtained, it becomes an absolute address. The conversion device of the second embodiment converts the conversion target program so that the address of the identification label is acquired at the time of execution and stored in the register for the standard function. Compared to the first embodiment, it is versatile because it is not necessary to arrange a self-made standard function that performs the same operation based on the published source code as a new shared library, while as described below, Since the register is repeatedly saved and restored on the stack by a function call or the like, the risk of tampering is higher than in the first embodiment.

  In the second embodiment, the identification label generation and insertion processing (S309) and the return address check instruction generation and insertion processing (S313) are different from the first embodiment. In each case, processing when the function to be called is a standard function is added. The following description focuses on the processing added in the second embodiment.

  FIG. 17 is a flowchart illustrating an identification label generation and insertion process according to the second embodiment. Unlike the identification label generation and insertion processing (FIG. 10) in the first embodiment, after detecting the call instruction (S1003), it is determined whether the called function is a standard function (S1713). If it is not a standard function, the same processing as in the first embodiment is performed. In the case of the standard function, the flow shifts to standard library function identification label output (S1715). The processing in S1717 generates a list of standard functions used for each assembly file. This is because, even if the same standard function (for example, printf) is written in a different assembly file, the address of the return source after processing of the standard function is different.

  FIG. 18 is a flowchart showing the standard library function identification label output (S1715). Rewrite the call instruction that calls the standard function. An instruction (S1805) for acquiring an address of an identification label for specifying a place to return to after execution of the standard function called by the call instruction and storing the address in a register, and generating a label for calling the standard function Then, an instruction to jump to the label (S1807) is output. After the processing of the standard function called by the call instruction following the jump instruction, an identification label for specifying a place to return to is output (S1809).

  FIG. 19 is a flowchart showing (S313) the return address check instruction generation and insertion processing in the second embodiment. A standard function call part generation and output process (S1909) is added to the process flow (FIG. 12) in the first embodiment.

  FIG. 20 is a flowchart showing the standard function call process generation and output process (S1909). The standard function call process is a process of executing the standard function when jumping to the label for calling the standard function generated in the process of S1807 and returning to an appropriate address previously stored in the register after the process of the standard function is completed. It is.

  In the processing of S2003, standard function call processing is sequentially generated for standard functions that are elements of the list of standard functions for each assembly file generated in the processing of S1717. In the process of S2005, the label for calling the standard function generated in the process of S1807 is output. In the process of S2007, an instruction to call the function is output. In the process of S2009, an instruction to jump to the standard function call common process is output. As shown in FIG. 20, in the standard function call common process at the jump destination, the process jumps to the address of the identification label for specifying the place to return, which is obtained at the time of execution in the process of S1805 and stored in the register.

(Third embodiment)
The present embodiment is a conversion program for causing a computer system to function as the conversion device 10. The configuration of the computer system is as shown in FIG.

  The conversion program includes a main module, an input module, an output module, and an arithmetic processing module. The main module is a part that comprehensively controls the conversion process. The input module operates the computer system to input a program to be converted and the output module to output the converted program. The arithmetic processing module includes a relation information generation module, a load address calculation instruction insertion module, a compiler, an identification label generation and insertion module, a return instruction rewriting module, an identification label address acquisition module, a return address check instruction generation and insertion module, and a return address check instruction update module. Is provided. The functions realized by executing the main module, the input module, the output module, and the arithmetic processing module include a relation information generation unit 100, a load address calculation instruction insertion unit 110, a compiler 120, and an identification label generation and insertion unit 130 of the conversion device 10. , Return instruction rewriting unit 140, return address check instruction generation and insertion unit 150, identification label address acquisition unit 160, and return address check instruction update unit 170, respectively.

REFERENCE SIGNS LIST 10 conversion device 100 relational information generation unit 110 load address calculation instruction insertion unit 120 compiler 130 identification label generation and insertion unit 140 return instruction rewriting unit 150 return address check instruction generation and insertion unit 160 identification label address acquisition unit 170 return address check instruction update unit 20 Hardware configuration 210 Central processing unit (CPU)
220 input device 230 output device 240 main storage device (RAM / ROM)
250 Auxiliary storage device 260 Multiple registers B10 Information acquisition processing block B20 Instruction generation and insertion processing block B30 Check processing block

Claims (5)

A conversion device that converts a program so as to stop when the return address is tampered with,
Based on the memory map, for the executable object files that make up the conversion target program, the relationship information that indicates the relationship between the directory where the source files exist, the object files that make up the source files, and the symbol names is generated based on the memory map A relational information generator,
The start address of the conversion target program and the start address of the shared library linked to the conversion target program are calculated based on the memory map, and an instruction to be held is obtained from the conversion target program immediately after the execution of the conversion target program is started. A start address calculation instruction insertion unit to be inserted into the conversion target program so that the instruction can be called;
The function call instruction included in the conversion target program is detected, and an identification label for specifying a place to return after the processing of the function called by the function call instruction is completed is generated. Inserting the identification label between the next instruction, an identification label generation insertion unit,
A return instruction included in the conversion target program is detected, and the detected return instruction is matched with the absolute address to be returned calculated from the address of the identification label when the address indicated by the return instruction as the return destination when the conversion target program is executed. A return instruction rewriting unit for rewriting to an instruction for branching to a return address check instruction for terminating the program to be converted when it is determined that they do not match,
A return address check instruction generation and insertion unit that generates and inserts the return address check instruction in the conversion target program;
Acquiring the address of the identification label, holding the acquired address as the identification label address in association with the identification label, an identification label address acquisition unit,
It is determined whether the conversion target program starts normally.If the program starts normally, the program conversion is terminated.If the program does not start normally, the identification label address acquisition unit reacquires the identification label address. A return address check instruction update unit, which instructs the return address check instruction generation / insertion unit to update the return address check instruction, and performs a process of determining whether to normally start again.
Conversion device characterized by comprising: The return address check instruction generated by the return address check instruction generation / insertion section describes an identification label for specifying a place to return to after the processing of the function called by the function call instruction is completed when the conversion target program is executed. If the obtained file is position-independent coded, by obtaining and adding the offset value of the identification label to the start address of the file in which the identification label is described, if the position-independent coding is not performed, Calculates the address to return by obtaining the address of the identification label,
The conversion device according to claim 1, wherein: When the function called by the detected function call instruction is a standard function, the identification label generation / insertion unit specifies the instruction to call the standard function by specifying a place to return after the processing of the standard function is completed. Processing for obtaining the address of the identification label at the time of execution and storing it in a register and an instruction branching to the standard function, and inserting the identification label between the instruction branching to the standard function and the next instruction To
The return address check instruction generation and insertion unit generates an instruction to return to the address stored in the register by the identification label generation and insertion unit after the processing of the standard function is completed, and inserts the instruction into the conversion target program.
The conversion device according to claim 1 or 2, further comprising: On the computer,
A conversion program for executing a program conversion so as to detect and stop return address tampering,
Based on the memory map, for the executable object files that make up the conversion target program, the relationship information that indicates the relationship between the directory where the source files exist, the object files that make up the source files, and the symbol names is generated based on the memory map A relation information generation processing step;
The start address of the conversion target program and the start address of the shared library linked to the conversion target program are calculated based on the memory map, and an instruction to be held is obtained from the conversion target program immediately after the execution of the conversion target program is started. Inserting a start address calculation instruction into the conversion target program so that the instruction can be called;
The function call instruction included in the conversion target program is detected, and an identification label for specifying a place to return after the processing of the function called by the function call instruction is completed is generated. Inserting the identification label between the next instruction, identification label generation insertion processing step,
A return instruction included in the conversion target program is detected, and the detected return instruction is matched with the absolute address to be returned calculated from the address of the identification label when the address indicated by the return instruction as the return destination when the conversion target program is executed. A return instruction rewriting processing step of rewriting the instruction to branch to a return address check instruction for terminating the program to be converted when it is determined that they do not match,
A return address check instruction generation / insertion processing step of generating and inserting the return address check instruction in the conversion target program;
Acquiring the address of the identification label, holding the acquired address as the identification label address in association with the identification label, an identification label address acquisition processing step,
It is determined whether the conversion target program starts normally.If the program starts normally, the program conversion is terminated.If the program does not start normally, the identification label address acquisition unit reacquires the identification label address. A return address check instruction update processing step of instructing the return address check instruction generation / insertion unit to update the return address check instruction, and performing a process of determining whether to normally start again.
Conversion program to execute A program conversion method for converting a program to detect return address tampering and stop,
A conversion program for executing a program conversion so as to detect and stop return address tampering,
Based on the memory map, for the executable object files that make up the conversion target program, the relationship information that indicates the relationship between the directory where the source files exist, the object files that make up the source files, and the symbol names is generated based on the memory map A relation information generation processing step;
The start address of the conversion target program and the start address of the shared library linked to the conversion target program are calculated based on the memory map, and an instruction to be held is obtained from the conversion target program immediately after the execution of the conversion target program is started. Inserting a start address calculation instruction into the conversion target program so that the instruction can be called;
A function call instruction included in the conversion target program is detected, and an identification label for specifying a place to return to after the processing of the function called by the function call instruction is completed is generated. Inserting the identification label between the next instruction, identification label generation insertion processing step,
A return instruction included in the conversion target program is detected, and the detected return instruction is matched with the absolute address to be returned calculated from the address of the identification label when the address indicated as the return destination by the return instruction when executing the conversion target program. A return instruction rewriting processing step of rewriting the instruction to branch to a return address check instruction for terminating the program to be converted if it is determined that the two do not match, and
A return address check instruction generation and insertion processing step of generating and inserting the return address check instruction in the conversion target program;
Acquiring the address of the identification label, holding the acquired address as the identification label address in association with the identification label, an identification label address acquisition processing step,
It is determined whether the conversion target program starts normally.If the program starts normally, the conversion of the program ends.If the program does not start normally, the identification label address acquisition unit reacquires the identification label address. A return address check instruction update processing step of instructing the return address check instruction generation / insertion unit to update the return address check instruction, and performing a process of determining whether to normally start again.
Conversion method of computer-executed program