KR20150078806A - Method and system for indirectness branch monitoring of program - Google Patents

Abstract

The present invention relates to a method and a system for monitoring an indirect branch of a program, which comprises following steps. A learning unit generates an address pair table showing a control flow of a program to learn the control flow of the program to be monitored. A verification unit receives a source address and a designation address for an indirect branch instruction within the program in operation and determines whether the received source address and designation address for the indirect branch instruction are present in the address pair table to verify the control flow of the program. Accordingly, the method and the system for monitoring an indirect branch of a program of the present invention determines whether a program is being driven according to a preset control flow when an indirect branch occurs within the program to be executed, prevents modified program codes by a hacker from being executed to ensure the accurate driving of the program according to the preset control flow.

Description

[0001] The present invention relates to a method and system for indirect branch monitoring of a program,

The present invention relates to a method and system for indirect branch monitoring of a program, and more particularly, to a method and system for indirect branch monitoring of a program that can detect in advance that a program to be executed is out of a preset control flow and modulation occurs.

As the technology related to software is developed, a variety of modulated codes have been inserted into networks for programs used in various fields such as security, finance, and the like, and an attacking method for causing the program to malfunction has rapidly emerged.

Such an attack method is a method in which, when an attack occurs during execution of a program, the attack flow code is executed by executing attack code injected by an attacker (code injection attack) (Return-to-libc, ROP).

However, there is a problem that it is difficult to confirm whether a running program is attacked by an external attacker and becomes a predetermined normal control flow.

KR 10-2000-0070127 (METHOD FOR MONITORING PROVIDED IMPLEMENTATION OF SOFTWARE PROGRAM, Siemens Aktiengesellschaft).

In order to solve the problems of the prior art as described above, the present invention provides an indirect branch monitoring method of a program that grasps that a part of a program to be executed is modulated by an external attacker, And systems.

According to another aspect of the present invention, there is provided a method for monitoring an indirect branch of a program, the method comprising: learning a control flow of the program to generate and monitor an address pair table representing a control flow of a learning part program; And verifying the control flow of the program by comparing the source address and the destination address of the indirect branch instruction in the program in which the verification unit is operated and comparing whether the source address and the destination address of the input indirect branch instruction exist in the address pair table, ; ≪ / RTI >

Particularly, it may include learning a control flow of a learning part program for collecting source address and destination address pairs of an indirect branch instruction indicating a control flow in the program to generate an address pair table.

In particular, it may include an address pair table comprising a hash table.

More preferably, when there is no address pair of a source address and a destination address generated in the indirect branching of the program in the address pair table, the verification unit verifies the control flow of the verification unit program that determines that there is a modulation in the control flow in the program Step < / RTI >

More preferably, the step of stopping or terminating the execution of the program when the processing unit does not exist in the address pair table of the source address and the destination address of the input indirect branch instruction.

According to another aspect of the present invention, there is provided an indirect branch monitoring system for a program, comprising: a learning unit for learning a control flow of the program to generate and monitor an address pair table representing a control flow of the program; A verification unit for receiving a source address and a destination address for an indirect branch instruction in an operating program and verifying a control flow of the program by comparing whether a source address and a destination address for the input indirect branch instruction exist in the address pair table; ; And a processor for stopping or terminating the execution of the program when the source address and the destination address of the input indirect branch instruction do not exist in the address pair table.

The indirect branch monitoring method and system of the program of the present invention can detect whether or not a program is driven according to a preset control flow when an indirect branch occurs in a program to be executed and recognize that the program code modulated by the attacker is executed So that the program can be accurately driven according to a preset control flow.

1 is a schematic diagram of an indirect branch monitoring system of a program according to an embodiment of the present invention.
2 is a diagram illustrating a structure of an address pair hash table.
3 is a graph showing the ratio of a bucket chain having a chain length of 1 to the number of bits.
FIG. 4 is a table showing the ratio of verifying whether or not the branch address pair can be verified by comparison according to the number of bits.
5 is a graph for predicting the monitoring execution time of the indirect branch.
FIG. 6 is a table showing the dynamic ratio of the indirect branch instruction to the entire instruction.
FIG. 7 is a table summarizing defense experiments of indirect branch monitoring.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT Hereinafter, the present invention will be described in detail with reference to preferred embodiments and accompanying drawings, which will be easily understood by those skilled in the art. The present invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein.

First, the control flow verification will be briefly described before describing the present invention. Control flow verification refers to the operation of extracting the control flow graph through static or dynamic analysis and confirming that only the control movement corresponding to the trunk occurs. If the source address of the branch instruction, which is the starting point of the trunk, and the destination address of the branch, which is the destination of the trunk, belong to the control flow graph, it can be judged as a normal control shift. If you check both the starting and ending points of the trunk, you can use commands already included in the program without any malicious code injection, such as return oriented programming (ROP) or jump oriented programming (JOP) It can detect.

This verification of the control flow is cost-effective if it is performed based on the indirect branch instruction. The attacker changes the control flow of the program by changing the value of the data involved in the control flow. The data related to the control flow is stored in the general variables and referenced by the conditional branch instruction, or stored in the code pointer and referenced by the indirect branch instruction. In particular, the conditional branch instruction branches according to the condition for the value stored in the variable or proceeds to the next instruction immediately. Therefore, for an attack to be successful, you need to know the meaning of the program in advance, know the conditions that can change the control flow as intended, and change the related variable values to satisfy it. However, since the indirect branch instruction branches to the value of the referenced code pointer, it is highly likely that the attack will succeed if the address stored in the code pointer is changed to the address desired by the attacker even though the program does not know the meaning. For this reason, most program attacks target code pointers that contain the address of a command.

In this way, the control flow of the program can be analyzed through static or dynamic analysis.

Control flow analysis by static analysis is performed on the source program or intermediate representation during program compilation or conversion. The analyzed control flow information is represented by a control flow graph, and the graph truncation represents a possible control flow. If you want to use a control flow graph even after conversion to a lower level representation or assembly language in the intermediate representation, you must map the configured control flow graph to the address space of the next step, as appropriate. In particular, most compilers no longer need control flow information in the process of converting to machine language programs, and do not map the control flow to the address space of the machine language program.

This static control flow analysis generally proceeds on a function basis, and a global control flow such as a function call and a feedback should be performed after the connection process. In this stage, the control flow analysis is not easy because the program is in a state of a machine language program. The biggest factor for this is the indirect branch instruction. An indirect branch instruction is a memory or register whose operand is referenced to the value stored in the operand, and then branches to the address after adjusting the program counter value. At this time, the operand value of the indirect branch instruction can not be accurately predicted by static analysis. The same difficulty exists in trying to extract the control flow graph from a running program in a reverse engineering manner in the absence of a source program. Finally, the shared library that is linked to the runtime must have the control flow analysis completed beforehand, and the control flow must be able to be displayed in a position-independent manner.

Or static analysis, it is possible to include a control flow that does not actually occur when all possible control flows are included in the results. From the point of view of the control flow verification of program security objectives, problems that can not be detected can occur. This problem is caused by the limitation of static analysis, but it is a control flow that is included in the control flow but does not actually occur, and may act as a security weakness at the same time.

On the other hand, if the control flow includes only a control flow that can be surely generated or a control flow that can not be analyzed accurately, there may be a problem of false detection.

In addition to the above-mentioned static analysis, a control flow graph can be constructed through a dynamic analysis method. The advantage of this method is that it can handle the control flow between functions and the control flow within the function from the same point of view because it carries out the whole executable program. In particular, analysis of pre-installed executables, such as functions defined in other files or shared libraries, can be bound without bounds. However, the greatest weakness of the control flow by this dynamic analysis is that there are many control flow paths that can not be analyzed. In other words, it depends on the input data to be used, and it is not satisfactory, although studies are under way to analyze which input data can be effectively used.

Hereinafter, an indirect branch monitoring system for a program according to an embodiment of the present invention will be described in detail with reference to FIG.

1 is a schematic diagram of an indirect branch monitoring system of a program according to an embodiment of the present invention.

1, an indirect branch monitoring system 100 of a program according to the present invention includes a learning unit 120, a verification unit 140, and a processing unit 160. As shown in FIG.

The learning unit 120 generates an address pair table indicating a control flow of the program, stores it in the address pair table DB 180, and learns the control flow of the program to be monitored.

The verification unit 140 receives the source address and the destination address of the indirect branch instruction in the program to be operated and compares the source address and the destination address of the input indirect branch instruction in the address pair table, Verify the flow.

The processing unit 160 stops or terminates the execution of the program when the source address and the destination address of the input indirect branch instruction are not present in the address pair table.

Hereinafter, an indirect branch monitoring method of a program according to another embodiment of the present invention will be described in more detail.

In the indirect branch monitoring method for a program according to another embodiment of the present invention, the learning unit 120 generates an address pair table indicating a control flow of the program, stores the address pair table in the address pair table DB 180, Learn the control flow of the program. The learning unit 120 may generate the address pair table by collecting the source address and destination address pairs of the indirect branch instruction by performing the profiling in advance in a safe environment before the program to be monitored is operated. That is, source address and destination address are checked immediately before the indirect branch instruction such as jmp *, call *, return is executed within the target process to be monitored. At this time, the address pair table may be a hash table, and the value of the table corresponds to a part of the indirect branch of the trunk of the control flow. When source address and destination address pairs of the same indirect branch instruction exist in the address pair table, they are not inserted in the address pair table in duplicate. This address pair table is stored in the address pair table DB 180. [

Then, the verification unit 140 operates the program to be monitored and checks whether the control flow belongs to a predetermined normal control flow graph. That is, the source address and the destination address of the indirect branch instruction in the program operated by the verification unit 140 are received, and whenever the indirect branch instruction is generated, whether the corresponding source address and destination address exist in the address pair table To verify the control flow of the program. The verifying unit 140 may determine that there is a modulation in the control flow in the program if there is no address pair of the source address and the destination address generated in the indirect branching of the program in the address pair table. That is, it can be determined that a code pointer has been modulated due to an attack or a control flow is valid, but the learning unit 120 can not detect it.

Thereafter, if the source address and the destination address of the indirect branch instruction input by the processing unit 160 do not exist in the address pair table, the execution of the program is stopped or terminated.

As described above, when the source address and the destination address of the indirect branch instruction are collected by the execution time profiling, a branch instruction that can not be detected according to the input data used in the experiment may exist, and a legitimate branch instruction When executed, false detection occurs.

To prevent this, a control flow graph based on static analysis can be constructed. However, for the static analysis of the executable file, disassembly is necessary, but disassembly for a microprocessor whose length is not constant like x86 can not be performed completely. In addition, indirect branching can not predict the exact destination by static analysis because it reads the address data from memory at runtime to determine the branch destination. In addition, if the address in the virtual memory is different for each process like the shared library, the result of the static analysis must be converted to the execution time virtual memory address. In other words, it is not easy to construct an address pair table that can be used immediately by all processors sharing the library once analysis of the library program.

Dynamic analysis has a legitimate branch that is missing, but a program that performs a simple task, such as a web server, repeats a certain control flow, so that if the address pair table corresponding to a typical control flow is constructed, it can have sufficient practical defense. In addition, since the control flow captured in the dynamic analysis is not a possibility of control movement but is actually a control flow, the dynamic analysis can give more accurate flow information than the static analysis.

Particularly, in order for the verifier to quickly determine whether the control flow is modulated, a data structure having an excellent search performance is needed. The hash table is constructed as a set of indirect branch instruction address s and destination address t pair <s, t> occurring at execution time. The search performance is determined by the hash function for obtaining the key value of the address pair table and the collision processing method of the hash value.

The hash address for accessing the address pair table uses the 2m bits extracted from the lower m bits of each address.

Equation (1) below represents a hash function h _m that receives the lower m bits of the command address s and the destination address t as input values.

[Equation 1]

(1)

(One)

The lower m bits are extracted from each of the instruction address s and the destination address t, and one bit value is shifted to the upper bit by the left shift operation by the length m, and the two bit values are added by the bit sum operation.

In the present invention, the instruction address s is configured to be a higher bit. Since the lower m bits of the address are the most frequent part of the change in value, it is more effective to use the bits of the parts with different probability of collision of hash addresses.

2 is a diagram illustrating a structure of an address pair hash table.

의 각 레코드는 주소 쌍 풀 P 의 인덱스 값과 버킷 체인의 길이를 저장한다. As shown in FIG. 2, in a table structure of a bucket chaining type, all address pairs are stored in the address pair pool P, and the address pairs causing the collision are formed into a bucket chain using a circular link list structure using the chain index table C do. Bucket header table

Stores the index value of the address pair pool P and the length of the bucket chain.

에 저장된 색인이 찾고 있는 주소 쌍이 아니면, 주소 쌍을 찾을 때까지 혹은 체인 길이만큼 원형 체인을 검사한다. 체인 내에서 주소 쌍이 확인되면 버킷 헤더에 저장된 체인 시작 인덱스를 검색된 주소 쌍의 풀 인덱스로 갱신한다. 이에 따라, 버킷 체인의 헤더는 항상 최근에 검색한 주소 쌍 인덱스를 갖고 있게 되어 캐싱 효과를 볼 수 있다. 반복문 안에서 발생하는 간접 분기는 동일한 목적지로 제어 흐름을 이동할 가능성이 높기 때문에 P 의 동일 주소 쌍을 반복해서 검색하게 되는데, 두 번째 검색부터는 한 번의 검색으로 제어 흐름을 검증할 수 있게 된다. When searching for an address pair

If the stored index is not the address pair you are looking for, check the circular chain until you find the address pair or by the chain length. If an address pair is found in the chain, the chain start index stored in the bucket header is updated with the full index of the retrieved address pair. Thus, the header of the bucket chain always has the address pair index searched recently, so that the caching effect can be seen. Since the indirect branching in the loop is likely to move the control flow to the same destination, the same address pair of P is repeatedly searched. From the second search, the control flow can be verified by one search.

3 is a graph showing the ratio of a bucket chain having a chain length of 1 to the number of bits.

As shown in FIG. 3, SPECint 2006 represents the ratio of the chain length of 1 to the number of bits per each benchmark, m, of the bucket chain. This indicator indirectly shows how likely the hash address collision is given by the hash function h _m . For all benchmarks, the greater the m, the greater the percentage of bucket chains with length 1. If m = 10, the ratio of 1 in length is 99% maximum and 97% average.

FIG. 4 is a table showing the ratio of verifying whether or not the branch address pair can be verified by comparison according to the number of bits.

As shown in FIG. 4, this index shows the caching effect when the chain is composed of circular linked lists. The leftmost column in FIG. 4 represents the benchmark name, and the right column represents the ratio of the number of bits extracted from the indirect branch instruction address and destination address m. It can be seen that the ratio increases as m increases for all benchmarks. If m = 8 or more, it can be confirmed that the search can be completed with an average of 1.01 times of comparison in the case of a normal indirect branch instruction. This phenomenon is compared with FIG. 3, and it is shown that even if the chain ratio of the address pair having the length 1 in the hash table is low because the number of bits is small, the performance can be improved by the cache effect of the circular chain structure.

In the present invention, it has been confirmed through experiments that the range of the lower address bit that is actively changing is about m = 16. Especially, when m ≥ 16, there is no significant effect on performance. This phenomenon indicates that most indirect branches move within the 64 KB range.

Hereinafter, the control flow information is stored in the hash table described above, and the indirect costs incurred when the control flow monitoring code is injected into the execution program are predicted through simulation.

Using the dynamic binary metering tool Pin, address-pair traces are generated and stored in a file, allowing the address-pair traces to be shared through processes and files that run the control flow verification program. When the trace reaches the shared file size, it stops tracing and executes the control flow verification program. If all the address pairs in the file are consumed, the verification process enters the execution abort state and the monitored program again generates the address pair trace and stores it in the shared file. When the monitoring target program is repeatedly executed at the end of execution in this manner, a hash table indicating the indirect branch control flow is constructed.

The benchmark program is operated in the verification department in the same experimental environment as the above-mentioned simulation. The verification unit reads the address pair table constructed by the learning unit and transfers the address pair trace to the verification process through the shared file in the same manner as the learning unit. In order to estimate the indirect cost for the control flow, only the address pair search time excluding the input / output time is accumulated.

The experimental environment consisted of a Fedora Core 14 Linux (kernel version 2.6.35.14-106) system with a network with Intel Core 2 Quad Q6600 2.40GHz x86 processor and 4GB memory. Pin (version 2.11 (49303)) was used as a dynamic measurement tool, SPECint 2006 (version 112 (v1.1)) benchmark was used as a target program, and gcc (version 4.6.3) was used as a compiler. In the experiment, data structure composed of hash function h _m was used.

5 is a graph for predicting the monitoring execution time of the indirect branch.

As shown in FIG. 5, the ratio of the indirect branch instruction verification time to the measured execution time in the case of execution without the monitoring function is shown. As the number of bits m used in the hash address increases, search performance improves and execution time decreases. When m ≥ 8, the ratio of indirect cost decreases slowly.

Also, when m = 10, the execution time was increased by 22.3% for C language benchmarks and 131.6% for C ++ benchmarks due to indirect branch monitoring. The cost of indirect branch monitoring differs depending on the programming language used. The last three of the benchmarks were C ++ programs, which were observed to have higher monitoring costs than C programs. The reason for this is that since the member variables are accessed through member functions, the number of return instructions has increased, and indirect function calls have increased due to C ++ virtual function pointers. In order to confirm this, the execution time mixing ratio of the indirect branch instruction is measured, and the result is shown in FIG.

FIG. 6 is a table showing the dynamic ratio of the indirect branch instruction to the entire instruction.

As shown in FIG. 6, the rate at which the indirect branch instruction is executed at the execution time has the largest return, followed by jmp *, call *. The average for the sum of the dynamic ratios is 0.007418 for the C benchmark and 0.029932 for the C ++ benchmark, which is about four times as large as the C ++ language side program.

In addition, attack experiments were performed to reproduce actual attack cases in order to confirm whether the indirect branch monitoring method has program attack detection capability. We also tested the protection against various types of buffer overflow attacks on C programs using the RIPE benchmark. Since the attack detection test of the indirect branch monitoring is an experiment independent of the performance, the experimental environment is implemented using the dynamic measurement tool. The programs used for attacking are proftpd-1.2.7, samba-2.2, and snort-2.4.2.

There is a fatal error in proftpd-1.2.7 that can get administrator privileges using newline characters in ASCII file transfer. The following are the ways to exploit this vulnerability, CVE-2003-0831. When uploading a malicious file to an FTP server and downloading the same file as an ASCII file, it prevents the newline character from being correctly scanned, causing a buffer overflow in the heap. As a result, the address of the function pointer stored in the heap is changed through a buffer overflow, which induces the attacker to execute the desired attack code. We used proftpd-not-pro-enough by Solar Eclipse to exploit this vulnerability. If this attack is executed on the original FTP server, the administrator shell will be launched when the attack is successful. However, when the control flow verification using the indirect branch monitoring method of the program according to the present invention is performed, it is confirmed that the address of the function pointer is changed, so that the attack is confirmed to fail.

There is a fatal bug in samba-2.2.1a that causes a buffer overflow by copying excessive strings to the buffer during the execution of certain functions, and getting administrator privileges. The following are the ways to exploit this vulnerability, CVE-2003-0201.

A remote attacker passes a string of more than 1024 bytes to a variable, causing a buffer overflow. At this time, the return address stored in the stack is changed, and upon return, the attack code is executed and the administrator authority is obtained. We use trans2root.pl written by H D Moore to simulate vulnerability attacks of samba. This attack attempts a random assignment attack to track the return address of the modulated stack. In the original Samba, if the attack succeeds, the screen stops and only the cursor blinks.

At this time, you can acquire administrator privilege through? Hoami 'command. An attack is detected when a control flow verification using indirect branch monitoring is performed. This is because, as in the FTP server, it can be verified that the return address has been changed through comparison with the indirect branch address in the search phase.

The Back Orifice preprocessor in snort-2.4.2 has a buffer overflow vulnerability that could allow arbitrary code to be executed remotely on a vulnerable system. The following are the ways to exploit this vulnerability, CVE-2005-3252. The Back Orifice preprocessor decrypts packets to determine if there is a ping message in the back Orifice. At this time, the ping detection code does not limit the amount of data read from the packet but stores it in a fixed size buffer. This vulnerability handles UDP packets that traverse ports on Back Orifice, and attackers can execute arbitrary code to gain administrative privileges by sending manipulated UDP packets to the host or network.

We also used THCsnortbo.c, written by rd, to recreate snort vulnerability attacks. This attack manipulates variable values in snort's vulnerable code and sends an excessive amount of data containing arbitrary code to the packet, causing a stack buffer overflow, so that it can remotely connect to perform administrative privileges. Returns a specific port. Using NetCat, connect to the IP address and the specific port and confirm that you obtained the administrator privilege by executing 'whoami' command. At this time, if the control flow verification using indirect branch monitoring is performed, the attack fails and the snort is terminated immediately. In the search phase, it can be confirmed that the control flow is changed to an abnormal address by comparing with the indirect branch address.

Finally, we experimented with attacks and defenses against RIPE developed by Wilander and Kamkar in order to test the effectiveness of various types of buffer overflow attacks against C programs. This benchmark, extended by adding format string attacks to the existing 18 programs, allows an attacker to execute shell code by choosing direct attack methods. When performing benchmarks with indirect branch monitoring, all attacks were detected. As a result of this experiment, we can confirm that indirect branch monitoring is effective for various attack methods.

FIG. 7 is a table summarizing defense experiments of indirect branch monitoring.

As shown in FIG. 7, from the left column, a weak software name, a defensive attack type, a defended memory area, and a defensive target can be confirmed.

As described above, the method and system for indirect branch monitoring of a program according to the present invention performs branch address pair verification through comparison with a control flow data structure during execution time in order to protect the control flow. We can find the number of bits of the address pair that optimizes the hash function through the efficiency verification experiment of the address pair table. In addition, we have implemented simulations to measure the performance of the latest processors by applying them, and predicted levels of indirect costs can be expected to be enough for the user to tolerate. In addition, we confirmed that the program can be used safely and practically by effectively defending various attacks by attackers.

Also, an indirect branch monitoring method and system for such a program may be stored in a computer-readable recording medium on which a program for execution by a computer is recorded. At this time, the computer-readable recording medium includes all kinds of recording apparatuses in which data that can be read by a computer system is stored. Examples of the computer readable recording medium include ROM, RAM, CD-ROM, DVD 占 ROM, DVD-RAM, magnetic tape, floppy disk, hard disk, optical data storage, and the like. In addition, the computer-readable recording medium may be distributed to network-connected computer devices so that computer-readable codes can be stored and executed in a distributed manner.

The indirect branch monitoring method and system of the program of the present invention can detect whether or not a program is driven according to a preset control flow when an indirect branch occurs in a program to be executed and recognize that the program code modulated by the attacker is executed So that the program can be accurately driven according to a preset control flow.

While the present invention has been described in connection with what is presently considered to be practical exemplary embodiments, it is to be understood that the invention is not limited to the disclosed embodiments, but, on the contrary, Do.

120: learning unit 140: verification unit
160: processor 180: address pair table DB

Claims (7)

Learning a control flow of the program to be monitored by generating an address pair table indicating a control flow of the learning part program; And
A source address and a destination address of an indirect branch instruction in the program in which the verification unit is operated, and verifies the control flow of the program by comparing source address and destination address of the input indirect branch instruction in the address pair table step;
A method for monitoring an indirect branch of a program.
The method according to claim 1,
The step of learning the control flow of the learning part program
Wherein the address pair table is generated by collecting source address and destination address pairs of an indirect branch instruction indicating a control flow in the program.
3. The method of claim 2,
The address pair table
A hash table, and a hash table.
The method according to claim 1,
The step of verifying the control flow of the verifying part program
Wherein if there is no address pair of a source address and a destination address generated in indirect branching of the program in the address pair table, it is determined that there is a modulation in the control flow in the program.
The method according to claim 1,
Stopping or terminating the execution of the program if the source address and the destination address of the indirect branch instruction are not present in the address pair table;
Further comprising the steps of:
A computer-readable recording medium on which a program for executing a method according to any one of claims 1 to 5 is recorded.
A learning unit for learning a control flow of the program to be monitored by generating an address pair table indicating a control flow of the program;
A verification unit for receiving a source address and a destination address for an indirect branch instruction in an operating program and verifying a control flow of the program by comparing whether a source address and a destination address for the input indirect branch instruction exist in the address pair table; ; And
A processing unit for stopping or terminating the execution of the program when the source address and the destination address for the input indirect branch instruction do not exist in the address pair table;
The program comprising:

Images