WO2019237862A1 - Procédé d'agencement pour espace d'adresse linéaire, et dispositif informatique - Google Patents
Procédé d'agencement pour espace d'adresse linéaire, et dispositif informatique Download PDFInfo
- Publication number
- WO2019237862A1 WO2019237862A1 PCT/CN2019/086492 CN2019086492W WO2019237862A1 WO 2019237862 A1 WO2019237862 A1 WO 2019237862A1 CN 2019086492 W CN2019086492 W CN 2019086492W WO 2019237862 A1 WO2019237862 A1 WO 2019237862A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- kernel
- page management
- management structure
- register
- address
- Prior art date
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F12/00—Accessing, addressing or allocating within memory systems or architectures
- G06F12/02—Addressing or allocation; Relocation
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/46—Multiprogramming arrangements
- G06F9/54—Interprogram communication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/46—Multiprogramming arrangements
- G06F9/54—Interprogram communication
- G06F9/545—Interprogram communication where tasks reside in different layers, e.g. user- and kernel-space
Definitions
- the present application relates to the field of information technology, and in particular, to a method and a computing device for establishing an exclusive and fully linear address space for a kernel and a process.
- the memory layout of existing operating systems and applications usually uses a linear address space shared by kernel mode and user mode.
- the kernel occupies part of the address segment, and user mode programs occupy another part of the address segment. This pattern provides an opportunity for the attacker to prepare the attack program in the user mode code area in advance.
- the execution order jumps from the kernel mode to the user mode attack program.
- the user mode program has the kernel mode. Privilege level with great attack power.
- the invention discloses a method for establishing an exclusive and fully linear address space for the kernel and process to ensure the attacker It cannot directly use its attack program prepared in the user mode in advance, nor can it transfer the data obtained from the attack back to the address segment occupied by the user mode program without converting the linear address space. Further, a related redesigned interrupt and other instructions related to privilege level switching are needed, so that when the privilege level switching instruction is executed, the hardware automatically switches the value of the page management structure base address register at the same time.
- the page management structure base address register refers to a page directory base address register or a first-level page table base address register, such as a CR3 register in the INTEL system.
- the present invention discloses a method for laying out a linear address space.
- the method includes: a process and a kernel share a complete linear address space exclusively. If there are other privileged program forms in addition to the process, each privileged program form has an independent linear address space. For the management form, see process.
- the kernel's instruction pointer (for example, eip) cannot in any case directly jump to the user-mode linear address space of the process.
- eip instruction pointer
- the page management structure and page table of the process are managed by the kernel, and there is no kernel code and data in the linear address space of the process, nor any data segment with 0 privilege level and Snippet.
- Each process has its own user stack when in user mode. During the duration of the process, the process always uses its own user stack. When switching between processes, the user stack also switches accordingly;
- the kernel also allocates a kernel stack for each process in the linear address space of the kernel. When the process initiates a system call to enter the kernel, the kernel uses this stack.
- a kernel stack dedicated to an interrupt service program is set in the kernel, and when an interrupt occurs, it is directly switched to the interrupted kernel stack without using the kernel stack of any process.
- a process when a process initiates a system call, it includes the following steps:
- S1 The process pushes parameters into the process stack in a fixed format, and provides the type, number, and length of the parameters;
- the value of the page management structure base address register switches to the physical address of the page management structure of the specified process; when the process switches to the kernel, the page management structure base address The value of the register switches to the physical address of the kernel's page management structure; a process is not allowed to switch directly to another process.
- the page management structure refers to a page directory table or a first-level page table.
- the kernel page management structure base address register and the target process page management structure base address register which are respectively used to store kernel page management
- the value of the process page management structure base address register is set in the kernel as the physical address of the page management structure of a specific process.
- set the page management structure base address register to the value of the kernel page management structure base address register; when you need to switch to the process, set the page management structure base address register to the process page management structure base address register. value.
- the page management structure base register is the register accessed by the CPU when it is addressed.
- the CPU when an interrupt occurs, the CPU first assigns the value of the kernel page management structure base address register to the page management structure base address register before performing other actions.
- the specific way to perform the privilege level check can refer to the way of the existing CPU; under the Intel system, the page management structure base address register refers to the CR3 register; under the Intel system, the interrupt return instruction refers to the iret instruction .
- the CPU judges whether the user program or the kernel program is currently executing according to the privilege level of the code segment register (such as the CS register under the Intel system). If the user program is executing, the page management structure base address register is determined. Assign the value of the kernel page management structure base address register. The remaining actions (such as finding the IDT table, privilege level processing, etc.) are similar to the prior art, and then push the key register values into the kernel stack and save the values of other registers. In tss, save tss in the process management information; if you are executing the kernel program, you do not need to switch the page management structure base address register, and other actions are the same.
- the privilege level of the code segment register such as the CS register under the Intel system.
- the key register includes a code segment register, a data segment register, a stack segment register, an instruction pointer, a stack register, and the like; for example, under the Intel system, the key register may include CS, DS, SS, IP, SP.
- the kernel first calculates the actual physical address corresponding to this address according to the linear address provided by the process and the page management structure of the process stored in memory;
- the kernel reads and writes data through temporary linear addresses
- the kernel After reading and writing, the kernel releases the temporary mapping relationship to the physical address.
- a computing device is characterized in that two registers are added, a kernel page management structure base address register and a target process page management structure base address register, which are respectively used to store the physical address of the kernel's page management structure and the process's page management structure. Physical address.
- the page management structure base address register is set to the value of the kernel page management structure base register; when switching to the process, the page management structure base address register is set to the value of the process page management structure base address register; page management The structure base register is the register accessed by the CPU when it is addressed.
- a page management structure base address register is added for each privilege level to store the page management structure base address of the linear address space corresponding to the privilege level.
- Figure 1 Schematic diagram of the prior art linear address space layout
- Figure 2 Schematic diagram of the linear address space layout of the present invention
- Figure 1 is a schematic diagram of the linear address space layout in the prior art.
- the concept of a kernel in the strict sense does not exist.
- the process In each linear address space, only processes User mode and the kernel mode of the process. When the process is in user mode, it only has access to the access range of user mode code in the linear address space.
- the range of kernel mode code can access the entire linear address space.
- the user mode program of process A can only access the user mode code access range in the linear address space in the figure; when entering the process A kernel mode through a system call, the process A kernel mode program has access to the kernel mode code access range.
- attack execution order branch will be formed.
- the accessible range of the code in the system privilege level covers the entire linear address space including the user-mode linear address space, so once it jumps to the attacked
- the modified position is in the user-mode linear address space, and the attacker prepares the attack code or the attack code disguised as data at the position. Since the attack code is at the system privilege level, the above attack code will be at the system privilege level. Be executed. These codes are carefully prepared by the attacker, which can implement all the functions the attacker wants to have, and the attack power is very strong.
- the present invention establishes a complete linear address space for the user mode of each process, and there is no part of the kernel mode. Create an independent, complete linear address space for the kernel. Achieve linear isolation between kernel and process.
- the layout of the linear address space in the present invention is shown in FIG. 2, and both the process and the kernel share a complete linear address space.
- the process and the kernel share a linear address space, which means that the physical address corresponding to a linear address in user mode still corresponds to the original physical address after entering kernel mode.
- the switch from user mode to kernel mode is essentially a privilege level switch.
- kernel mode in theory, you can directly jump to any code in the current linear address space and directly access any data in this space. At this point, the process and the kernel are not isolated.
- each process enjoys a complete linear space exclusively.
- the page management structure of a process is managed by the kernel.
- the improvement mainly includes the following aspects:
- the starting position of the cs, ds, and ss segments used by the process is 0, the segment length is the maximum addressing space of the CPU, and the privilege level is 3.
- Each process has a kernel-independent page management structure.
- a process can be arbitrarily addressed from 0 to the maximum addressing space. If a page fault occurs, the kernel allocates pages by causing a page fault interrupt. The physical page corresponding to the entire linear space is in the page management structure and the page table. The flags are all 1. A complete linear space is no longer cut into kernel-accessible space and user-process accessible space. When currently in user mode, the entire linear address space belongs to the process.
- Kernel has independent linear address space
- the starting position of the cs, ds, and ss segments used by the kernel is 0, the segment length is the maximum addressing space of the CPU, and the privilege level is 0.
- the kernel has a page management structure that is independent of all processes.
- the kernel can also be arbitrarily addressed from 0 to the maximum addressing space. If a page fault occurs, the kernel allocates pages by causing a page fault interrupt. The U / S flag bit of the physical page corresponding to the entire linear space in the page management structure. Both are 0. The kernel manages the page management structure of all processes.
- Each process has its own user stack in user mode.
- the pages of the stack are allocated by the kernel and belong to the user mode. They are in the linear address space of the process. During the lifetime of a process, the process always uses its own user stack. When switching between processes, the user stack also switches.
- the kernel allocates a kernel stack for the process.
- the kernel uses this stack.
- kernel stack of the process there is also a kernel stack for interrupt service routines. When an interrupt occurs, switch to the interrupted kernel stack without using the kernel stack of any process.
- Each independent thread in the kernel also has its own kernel stack and is not mixed with other kernel stacks.
- the user stack and the kernel stack of the process are recorded in the tss structure of the process, respectively, and the CPU can automatically find the corresponding stack segment, stack top pointer, and stack bottom pointer when switching, to achieve switching.
- the process pushes parameters into the process stack in a fixed format and provides the type, number, and length of the parameters.
- the kernel copies the parameters in the process stack to the kernel stack of the process. Then execute the system call function.
- the kernel When the kernel needs to return data to the user mode, it first writes the data to be copied into the user mode stack of the process, and then switches to the process.
- the process target to be switched is selected, and then the tss and various registers are switched.
- the value of the page management structure base address register is switched from the physical address of the page management structure of one process to the physical address of the page management structure of another process; while in the present invention, the target is The physical address of the page management structure of the process is assigned to the value of the process page management structure base register, and then the value of the process page management structure base register is assigned to the page management structure base register.
- the process and the kernel are in different linear address spaces.
- the CPU When an interrupt occurs while the process is running, the CPU must automatically switch the privilege level and switch the linear address space from the user's linear address space to the kernel's linear address space.
- the IDTR register of the CPU records the address of the interrupt descriptor table (IDT). This address is a linear address and is a linear address in the kernel space. Therefore, before accessing the code address in front of the IDT table, the CPU must first record the value of the page management structure base address register register as the physical address of the kernel page management structure, so that the CPU can access the IDT normally.
- the CPU adds two registers: the kernel page management structure base address register, which stores the physical address of the kernel's page management structure; the target process page management structure base address register, which stores the physical address of the page management structure of the process to be executed.
- the kernel code assigns the physical address of the page management structure to the kernel page management structure base address register. The value of the register is no longer modified until the system exits.
- the kernel code assigns the physical address of the process's page management structure to the target process's page management structure base address register, which is automatically cleared to 0 after the switch is completed.
- the CPU When an interrupt signal (including hardware interrupt, software interrupt, exception) occurs, the CPU first assigns the value of the kernel page management structure base address register to the page management structure base address register before performing other actions, so as to switch the current linear address space to The linear address space of the kernel.
- interrupt signal including hardware interrupt, software interrupt, exception
- the corresponding privilege level check is performed first. This part is the same as the existing CPU. After the return address in the stack is popped, the CPU automatically assigns the value of the process page management structure base register to Page management structure base register. If the value of the process page management structure base register is 0, an exception occurs.
- a process When a process initiates a system call, it enters the kernel through soft interrupts or fast system call instructions. In the existing system, this only brings about the switching of the privilege level and the switching of the stack. In the present invention, it also brings about the switching of the base address register of the page management structure.
- CR3 is the first address of the page management structure of the process
- the value of the kernel page management structure base address register is the first address of the kernel page management structure.
- the process page management structure base address register is first set. The value is assigned to CR3.
- the value of CR3 (the first address of the page management structure of the process) is assigned to the SYSENTER_CR_MSR register.
- SYSEXIT instruction Before EIP jump, read the value of SYSENTER_CR_MSR register and assign it to CR3.
- Soft interrupts are also a type of interrupt.
- the method is basically the same as the interrupt that caused the switch to the kernel.
- the difference is that after entering the kernel through the soft interrupt, the kernel uses the kernel stack of the process that initiated the system call.
- the kernel stack information is obtained from the process. tss.
- the kernel may need to read and write data in the user's linear space. For example, when a file is read or written, a new linear address is temporarily mapped in the kernel's linear space for the address. After the reading and writing is completed, the mapping relationship is released.
- the kernel must calculate the actual physical address based on the process's page management structure, page table, and specific linear address, and then derive the linear address in the kernel from the actual physical address, and then read and write according to the linear address in the kernel.
- the kernel first calculates the actual physical address of this memory according to the linear address provided by the process and the page management structure of the process stored in memory; temporarily maps a new linear address in the kernel for the physical address, and reads and writes.
- the kernel-state eip cannot directly jump to the user-mode linear address space in any case, and the possibility of an attacker preparing the attack code in the user-mode linear address space in advance is completely eliminated.
- the attack program can change the kernel execution order, it can only make the changed kernel execution order jump to other instructions in the kernel itself, or jump to a Meaningful address. If it jumps to a meaningless address, the kernel will immediately or various execution exceptions occur; if it jumps to the kernel's inherent instructions, the attack effect can be very limited. Compared with the execution code arranged by the kernel to the user program, the consequences of these two situations are much weaker, which can effectively curb the effect of the attack.
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Memory System Of A Hierarchy Structure (AREA)
- Storage Device Security (AREA)
Abstract
L'invention concerne un procédé d'agencement pour un espace d'adresse linéaire, ainsi qu'un dispositif informatique, qui se rapportent au domaine de la sécurité de l'information. Un processus et un noyau possèdent indépendamment un espace d'adresse linéaire complet ; un registre de liste de répertoire de pages de noyau et un registre de liste de répertoire de pages de processus cible sont ajoutés dans le dispositif informatique permettant de stocker respectivement l'adresse physique d'une liste de répertoires de pages du noyau ainsi que l'adresse physique d'une liste de répertoires de pages du processus. Selon le procédé et le dispositif informatique, un attaquant est incapable d'utiliser directement un programme d'attaque préparé à l'avance dans un état utilisateur et incapable de transférer les données obtenues par l'attaque à un champ d'adresse occupé par un programme d'état utilisateur sans convertir un espace d'adresse linéaire.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810605380.XA CN110597641A (zh) | 2018-06-12 | 2018-06-12 | 一种线性地址空间的布局方法及计算装置 |
CN201810605380.X | 2018-06-12 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2019237862A1 true WO2019237862A1 (fr) | 2019-12-19 |
Family
ID=68841922
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2019/086492 WO2019237862A1 (fr) | 2018-06-12 | 2019-05-11 | Procédé d'agencement pour espace d'adresse linéaire, et dispositif informatique |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN110597641A (fr) |
WO (1) | WO2019237862A1 (fr) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112131019A (zh) * | 2020-09-17 | 2020-12-25 | 国网宁夏电力有限公司营销服务中心(国网宁夏电力有限公司计量中心) | 微内核操作系统进程间快速通信方法 |
CN112579514B (zh) * | 2020-12-10 | 2022-07-26 | 海光信息技术股份有限公司 | 多核处理器堆栈初始化的方法及装置 |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20090249019A1 (en) * | 2008-03-28 | 2009-10-01 | Inventec Corporation | Method of allocating physical memory in specified address range under linux system platform |
CN102819497A (zh) * | 2012-05-31 | 2012-12-12 | 华为技术有限公司 | 一种内存分配方法、装置及系统 |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103955438B (zh) * | 2014-05-21 | 2016-11-23 | 南京大学 | 基于硬件辅助虚拟化技术的进程内存保护方法 |
US10157268B2 (en) * | 2016-09-27 | 2018-12-18 | Microsoft Technology Licensing, Llc | Return flow guard using control stack identified by processor register |
-
2018
- 2018-06-12 CN CN201810605380.XA patent/CN110597641A/zh active Pending
-
2019
- 2019-05-11 WO PCT/CN2019/086492 patent/WO2019237862A1/fr active Application Filing
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20090249019A1 (en) * | 2008-03-28 | 2009-10-01 | Inventec Corporation | Method of allocating physical memory in specified address range under linux system platform |
CN102819497A (zh) * | 2012-05-31 | 2012-12-12 | 华为技术有限公司 | 一种内存分配方法、装置及系统 |
Non-Patent Citations (2)
Title |
---|
CLUMSY ROOKIE: "Full Analysis of Memory Management in Linux Kernel", LINUX, 8 November 2016 (2016-11-08), pages 1, Retrieved from the Internet <URL:https://www.cnblogs.com/zengyiwen/p/5fd4435a0f2f98a8fd9d4551c42d49f6.html> * |
ISLAMWORSHIP: "Non-official translation: Process Address Space as well as Kernel Stack and User Mode Stack Thereof", 9 June 2011 (2011-06-09), pages 3, 4 - 6-9, Retrieved from the Internet <URL:http://www.docin.com/p-217990541.html> * |
Also Published As
Publication number | Publication date |
---|---|
CN110597641A (zh) | 2019-12-20 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
RU2602793C2 (ru) | Способ модификации разрешений на доступ к памяти в защищенной процессорной среде | |
EP1966706B1 (fr) | Identificateur associe a des emplacements de memoire permettant de gerer des acces memoire | |
US8086822B2 (en) | In-place shadow tables for virtualization | |
US8352694B2 (en) | Method of controlling memory access | |
JP5571201B2 (ja) | ハードウェアモードおよびセキュリティフラグに基づく、読み出される命令用のメモリエリアの制限 | |
KR20180033467A (ko) | 진보된 오퍼레이팅 시스템 지원을 갖는 프로세서 | |
RU2580016C1 (ru) | Способ передачи управления между областями памяти | |
WO2020057394A1 (fr) | Procédé et dispositif de surveillance du comportement d'accès mémoire d'un processus d'échantillonnage | |
WO2019237862A1 (fr) | Procédé d'agencement pour espace d'adresse linéaire, et dispositif informatique | |
JP3454854B2 (ja) | メモリ管理装置及び方法 | |
KR100791815B1 (ko) | 컴퓨터 시스템 및 컴퓨터 시스템에서 인스트럭션을 실행하는 방법 | |
WO2019237865A1 (fr) | Procédé de protection de données et dispositif informatique | |
US11200175B2 (en) | Memory accessor invailidation | |
JP2001175486A (ja) | 計算機システム | |
WO2017044124A1 (fr) | Procédé de commutation d'espaces d'adresses virtuels | |
CN114090273B (zh) | 一种进程间通信的方法、装置及计算机存储介质 | |
US20240289151A1 (en) | Address-space-identifier-based security of data transfer requests | |
RU2623883C1 (ru) | Способ выполнения инструкций в системной памяти | |
CN118503959A (zh) | 一种基于硬件虚拟化技术的Windows操作系统下的内存监控方法 | |
Early | ESPRIT LTR 21917 (Pegasus II) Deliverable 2.1. 2 Pentium Port Report | |
JPS6354647A (ja) | 仮想計算機制御方式 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 19818780 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 19818780 Country of ref document: EP Kind code of ref document: A1 |