WO2019237866A1 - Runtime access control method and computing device - Google Patents
- Publication number
- WO2019237866A1 (PCT/CN2019/086498)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- msu
- information
- data
- instruction
- instructions
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/563—Static detection by source code analysis
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
- G06F21/60—Protecting data
- G06F21/604—Tools and structures for managing or administering access control systems
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/034—Test or assess a computer or a system
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Definitions
- the present application relates to the field of information technology, and in particular, to a runtime isolation method, a runtime access control method, and a computing device.
- checking the syntax can only ensure that the source code does not contain illegal access that the syntax forbids, but at runtime an attacker may change the program's execution order or data access object by some means, thereby breaking the encapsulation that the syntax rules provide. For example, the C++ language stipulates that private members of a class cannot be accessed by objects of other classes, but if the program is attacked and the attacker changes a function's jump target at runtime, this protection can be broken.
- the above-mentioned defects of the prior art actually cause the kernel space to be flat.
- by exploiting design flaws in how kernel-mode code handles transmitted data, an attacker can use prepared data to modify the kernel data and code almost arbitrarily, and then launch an attack.
- once the attacker has completed the above actions, and because the inspection mechanism in the existing operating system is extremely limited, the attacker essentially obtains arbitrary access to the computer.
- the present invention discloses a runtime access control method and its corresponding computing device.
- the present invention discloses a memory system device.
- a specific unit in the memory system device may be referred to as a memory system unit, abbreviated as MSU, and the memory system device is a collection of specific access controls and the access areas they control.
- the abbreviation MSU in the present invention corresponds to a memory system unit.
- the area includes a CPU-addressable storage space surrounded by a set of boundaries.
- the area must be identified by an access control set.
- the identification refers to recording the information of the area in the MSU information.
- the access control set includes: MSU information, a permission mechanism for accessing the area, and / or a mechanism for prohibiting access to the area.
- the addressable storage space may store data and / or instructions.
- the data and codes of all software are put into designated MSUs separately according to design requirements, that is, no codes and data are placed outside the MSU.
- the CPU refers to a central processing unit.
- the area is composed of one or more continuous storage areas in the same linear address space, and each continuous storage area is defined by the address identifiers at both ends, and the set of all the foregoing address identifiers constitutes the boundary of the area.
- a preferred solution for an area composed of multiple consecutive storage areas is that the consecutive storage areas in the area are disjoint from each other.
- the storage areas where data and code are stored are called data area and instruction area, respectively. Regions of different MSUs do not intersect each other.
- the MSU information includes: MSU boundary information, MSU port information, and MSU attribute information.
- as an optional implementation manner, an empty port MSU may be set.
- the MSU port information of the empty port MSU is empty and still has MSU boundary information and MSU attribute information.
- the MSU information further includes: MSU user information.
- the permission mechanism includes: allowing non-branch instructions, interrupt instructions, and branch instructions whose targets stay within the current area to execute in the area, and allowing instructions in the area to access data in the current area. Further, the permission mechanism includes: allowing data to be passed between regions, whether from inside the region to outside or from outside the region to inside, by passing parameters; allowing regions to pass data by sharing physical memory, with large amounts of data preferably passed by sharing physical memory. The permission mechanism for access between regions, that is, leaving or entering a region, further includes: MSUs must execute port transfer instructions through ports, and the attribute information and port information must match.
- the prohibition mechanism includes prohibiting execution of instructions in a data area in the area. Apart from what the permission mechanism allows, all cross-region instruction execution (including non-transfer instructions, branch instructions, and mismatches), whether from within the region to outside the region or from outside the region into the region, and all cross-region operations to access data will generate exceptions.
- a shared data MSU is characterized by containing only data shared by other MSUs and no instructions; other MSUs are allowed to manipulate the data through agreed instructions.
- the kernel stack and / or the user stack are placed in the shared data MSU, and the MSU to which the stack belongs must be the shared data MSU, and other MSUs operate the data in the stack by a predetermined instruction.
- the MSU boundary information includes: a set of boundary information of all continuous storage areas in an area identified by an access control set.
- the data structure storing the above information is referred to as boundary data, and the address of the boundary data is associated with and identifiable in the memory system device.
- the device can find the data structure according to the address of the boundary data, and then all the boundary information can be obtained.
- the MSU port information includes an entrance and / or an exit. Specify a limited number of instruction addresses as entrances or exits in the instruction address area within the area identified by the access control set, where each instruction address is an entrance or exit.
- the optional entry is: the destination address of the inter-MSU branch instruction in the area; the optional exit is: the address of the inter-MSU branch instruction.
- the MSU attribute information includes: MSU identification information and MSU type information.
- the MSU identification information refers to a unique identification that is different from other MSUs.
- the type information of the MSU may be one of an ordinary MSU and a shared data MSU.
- the MSU attribute information may further include: user type information to which the MSU belongs, and user identification information to which the MSU belongs.
- the type information of the user to which the MSU belongs refers to the type of the user to which the MSU belongs.
- the user type is the user role.
- the user identification information to which the MSU belongs refers to the unique identifier of the user to which the MSU belongs.
- the aforementioned boundary information and / or attribute information and / or MSU port information can be synthesized into a more convenient and complete data structure.
- the matching of the MSU port information and the matching of the MSU attribute information means that in the program initialization phase, the exit, entrance, boundary, identification information, and type information of the MSU required for execution of the transfer instruction are recorded in the MSU descriptor table.
- the information contained in the transfer instruction is compared with the port information and attribute information in the MSU descriptor table. If the results match, it is regarded as legitimate and the transfer instruction is allowed to execute. Otherwise, it is considered illegal and an exception is reported.
- a check MSU is added to the MSU type information.
- An MSU whose type information is marked "Check MSU" is considered a check MSU.
- a non-check MSU is not allowed to directly call another non-check MSU.
- the source MSU must first call the check MSU, and then the check MSU calls the target MSU. When the target MSU returns, it returns to the check MSU first.
- the check MSU returns to the source MSU.
- the non-check MSU refers to any type of MSU other than the check MSU.
- terminal MSU is added to the MSU type information.
- An MSU whose type information is marked as "terminal MSU" can only be called by other MSUs, and cannot call other MSUs.
- an empty port MSU is added to the MSU type information.
- the MSU whose type information is marked as "empty port MSU" has no port.
- Other MSUs can call any function of the empty port MSU through the port, but cannot directly access the data of the empty port MSU.
- An empty port MSU calling another MSU must enter the MSU through its port. Function calls can be made between different empty port MSUs, but data cannot be accessed. When the terminal MSU exists, the empty port MSU cannot call the terminal MSU.
- a safe MSU is added to the MSU type information.
- This type of MSU is not allowed to contain instruction areas. Only certain operations that need to save status information can access the MSU.
- the status information may be a return address, an interruption scene, and the like.
- an IO instruction MSU is added to the MSU type information.
- when the device contains an IO instruction MSU, special instructions related to IO operations are allowed to be executed only within this type of MSU.
- the attribute matching check rules of this type of MSU are the same as those of the terminal MSU.
- the device may omit support for one or more of the check MSU, terminal MSU, empty port MSU, safe MSU, and IO instruction MSU.
- the manufacturing of the memory system device includes: manufacturing an MSU information recording unit and an MSU access control mechanism unit.
- the information recording unit refers to recording and identifying MSU information in the memory system device;
- the access control unit controls access to the area according to the permission mechanism and the prohibition mechanism, based on the specific runtime information and the MSU information in the information recording unit.
- the memory system device information includes MSU area information, MSU attribute information, MSU port information, and MSU user information;
- the permission mechanism includes: allowing MSUs to transfer through ports that meet the matching specification; allowing other MSUs to access the data of the shared data MSU through specific instructions;
- the prohibition mechanism includes: prohibiting all instructions that directly cross the boundary without passing through the port, prohibiting mutual access between MSUs that do not meet the matching specifications through the port, and prohibiting MSU from accessing data of other MSUs except itself and the shared MSU;
- the controlling the access to the MSU includes: passing those that comply with the permission mechanism, and reporting exceptions that belong to the prohibition mechanism.
- the access control application method based on the manufacturing method of the memory system device includes: adding grammar rules and / or using existing grammar rules and / or using configuration information to write source code that complies with MSU rules.
- Extract and record the MSU information, generate the corresponding instructions for MSU access actions, allocate the page layout and determine the addressing methods according to the characteristics of the memory system device, generate an executable program according to the requirements of the memory system device, load the program, load the MSU information into the information recording unit in the memory system device, and execute the program.
- the specific format of the MSU information extracted and recorded depends on the characteristics of the information recording unit of the memory system device.
- the universal manufacturing method of the memory system device includes:
- A1. Manufacturing of memory system devices including:
- Making an MSU information recording unit further including:
- the aforementioned MSU information is saved as an MSU control comparison table.
- the memory system device can find the MSU control lookup table.
- the bottom position of the stack accessible by the current MSU is recorded.
- the stack bottom position of the current MSU is: the stack bottom position value of the entire stack area, or the top position of the stack of the MSU calling it before passing parameters.
- Making MSU access control mechanism unit further including:
- the access control mechanism unit is generated according to an access control rule of the MSU
- the access control rule includes:
- next instruction address of the non-transfer instruction, the target address of the transfer instruction within the MSU, and the target address of the data access instruction are allowed to execute as long as they do not exceed the MSU boundary, otherwise an exception is reported;
- the target of the call instruction in the MSU area must be the entrance; further, the location of the call and return instructions between the MSUs must be the exit; further, the correspondence between the exit and the entrance must be specified in advance, and the call between the MSUs must meet the preset correspondence;
- a special case is that when the target is an empty port MSU, there is no need to match the entry; when the calling party is an empty port MSU, there is no need to match the exit;
- Instructions in the MSU can access the data in the MSU. Among them, specific instructions can access the data in the shared data MSU;
- each MSU is allotted its own stack space, specifically from the stack bottom position of the MSU to the top position of the entire stack space, where the stack bottom position of the MSU is either the stack top position of the MSU calling it before the parameters are passed, or the bottom position of the entire stack area;
- a certain MSU is not allowed to access the stack space of other MSUs.
- Figure 1 shows that during the operation, with the MSU call, the area in the stack that can be accessed by the current MSU is also changing:
- the current MSU is set to A, and A can access the entire stack range;
- A calls MSU B, and A marks the top position of the stack before passing the actual parameters to B.
- when B executes, the accessible stack range of B runs from the marked position to the stack-top-direction boundary of the entire stack interval;
- B also calls MSU C, and B also marks the current top position of the stack before passing the actual parameters.
- the accessible stack interval of C runs from the position just marked to the stack-top-direction boundary of the entire stack interval; when C returns to B, the stack interval accessible by B is the same as before C was called.
- the access control rules of the calls between MSUs are:
- the rules are: only ordinary MSUs are allowed to execute call instructions and return instructions;
- the calling and returning access control rules of the IO instruction MSU are the same as those of the terminal MSU.
- the information carried in the instruction is compared with the MSU information recorded in the data structure. If the comparison result meets the MSU access rules, it is released, otherwise it is intercepted.
- the access control method based on the manufacturing method of the memory system device includes:
- Compile the source program containing MSU including:
- Extract MSU information including:
- the programming stage can fully and accurately express and retain the MSU information in the program design, further including:
- the compiler records the extracted information in the form of a syntax tree
- the compiler saves the MSU information as a structure conforming to the MSU control lookup table in the memory system device.
- the compiler analyzes the information recorded in the syntax tree and does not generate executable programs for code that does not comply with MSU access rules.
- the MSU access rule includes:
- functions can call each other and can access global data belonging to the MSU; between MSUs, only MSU functions are allowed to call the port functions of other MSUs; calls through function pointers are not allowed; further, only MSU port functions are allowed to call other MSU port functions; further, only the IO instruction MSU is allowed to use specific IO instructions, such as the in and out instructions on Intel systems; MSU code cannot access the data of other MSUs, except the shared data MSU; as a special case, other types of MSU are allowed to call arbitrary functions of the empty port MSU.
- MSUs with different attributes and the syntax rules for calling and returning between MSUs can be further limited, including:
- when only ordinary MSUs are included, the syntax rule is: only calls and returns between ordinary MSUs are allowed;
- the calling and returning rules of the IO instruction MSU are the same as those of the terminal MSU.
- Extract information that can only be confirmed at runtime (such as stack area boundary information, heap area boundary information, user information, etc.) and save it in the MSU control comparison table;
- a stack is created for each privilege level, and the area of the privileged stack is set as the area of the shared data MSU so that different MSUs can access the data in the stack;
- the corresponding information is modified in the MSU control comparison table.
- a method for manufacturing a memory system device in a software manner includes: using a software instruction to perform MSU information access under the existing system and performing access control according to the MSU information.
- a method for manufacturing a memory system device using a segment mechanism, which includes describing an MSU with segments under an Intel 32-bit system, relying on the segment boundary access control mechanism to implement the MSU's boundary access control mechanism, and relying on software instructions to implement the attribute and port checks and judgments.
- a method for manufacturing a memory system device by adding a hardware mechanism including: adding part of hardware according to the requirements of MSU information reading and access control, relying on the added hardware to complete reading of MSU information, and according to the MSU information Access control.
- the method is implemented on the basis of the foregoing general manufacturing method of the memory system device, and further includes:
- C-A1 the production of memory system devices, including:
- the specific information includes: MSU boundary information, attribute information, port information, validity/invalidity, and MSU ID number; preferably, it also includes the type information of the user to which the MSU belongs and the identification information of the user to which the MSU belongs.
- the control lookup table is set in the data area of the MSU to which it belongs.
- the boundary information of all MSUs are logical addresses, and the function addresses in the port information are logical addresses.
- the first address of its lookup table is stored in the data area of each MSU, so that the instructions of this MSU can access its lookup table.
- MSU access control logic is controlled by software instructions, including:
- a judgment instruction is added in front of it to judge whether the transfer destination address belongs to the current MSU instruction area. If it does not, it enters the exception processing flow. If it belongs, the transfer instruction can be executed normally;
- a preferred solution is to identify the locations where these instructions need to be added when compiling, generate these instructions by the compiler, and save them to the executable program.
- the MSU access control logic is implemented by executing instructions for the MSU access control logic in the executable program. For specific instructions, see "Generating MSU Access Control Logic" in this method.
- Access control application methods for manufacturing methods of such memory system devices include:
- This method is implemented on the basis of the aforementioned universal access control application mode of the memory system device, and further includes:
- C-B1 compile the source program containing MSU, including:
- Extract MSU information including:
- the information to be extracted includes: MSU boundary information, attribute information, port information, validity / invalidation, MSU ID number. Preferably, it also includes user type information of the MSU and user identification information of the MSU.
- the control lookup table is set in the data area of the MSU to which it belongs.
- a data pointer is designed in each MSU to point to the control comparison table.
- the call / return instructions between MSUs are the same as the call / return instructions in MSU. Between MSUs, indirect transfers by calling instructions are not allowed.
- the instructions for accessing global MSU and heap data are consistent with the instructions for accessing stack data.
- the user identification information of the MSU and the user type information of the MSU are set in the MSU attributes.
- the method is implemented on the basis of the foregoing general manufacturing method of the memory system device, and further includes:
- D-A1 the production of memory system devices, including:
- Segments are used to describe the independent storage area of the MSU, and the boundary information of the independent storage area is finally stored in the GDT table in the form of segment descriptors;
- the specific information includes: MSU attribute information, port information, validity/invalidity, MSU ID number, and the mapping table between the MSU and the segment descriptors belonging to it.
- User type information and user identification information to which the MSU belongs.
- the function address in the MSU port information is a logical address.
- the first address of its lookup table is stored in the data area of each MSU, so that the instructions of this MSU can access its lookup table.
- MSU access control logic is controlled by a combination of software instructions and segment mechanisms, including:
- a preferred solution is to identify the locations where these instructions need to be added when compiling, generate these instructions by the compiler, and save them to the executable program.
- the region boundary control of the segment is used to implement the region boundary control of the MSU.
- Access control to the MSU is implemented by executing the attribute and port matching check instructions in the executable program.
- Access control application methods for manufacturing methods of such memory system devices include:
- This method is implemented on the basis of the aforementioned universal access control application mode of the memory system device, and further includes:
- D-B1 compile the source program containing MSU, including:
- D-B1-1 Extract MSU information, including:
- the method further includes:
- the specific information includes: MSU attribute information, port information, validity/invalidity, MSU ID number, and the mapping table between the MSU and the segment descriptors belonging to it.
- User type information and user identification information to which the MSU belongs.
- All MSUs are in the same linear address space, and the instruction area and data area of each MSU are individually addressed. Its base address is written into the segment base address of the corresponding segment, and its length is written into the segment limit length of the corresponding segment;
- Data pointer types are divided into global data area pointers, heap area pointers, and stack area pointers. All pointer operations must specify their pointer types.
- D-B1-3 Generate instructions related to MSU access, including:
- Inter-MSU call / return instructions use inter-segment call / return instructions. Between MSUs, indirect transfers by calling instructions are not allowed.
- the call / return instruction in the MSU uses the call / return instruction in the segment.
- the instruction to access the global data, heap data, and stack data of this MSU must specify its corresponding segment selector.
- the user identification information of the MSU and the user type information of the MSU are set in the MSU attributes.
- E-A1 the production of memory system devices, including:
- the specific information includes: MSU boundary information, MSU attribute information, port information, validation / invalidation, MSU ID number. Preferably, it also includes user type information of the MSU and user identification information of the MSU. Set the control comparison table in the data area of the MSU to which it belongs;
- the boundary information of the MSU is a linear address; the function address in the port information is a logical address.
- the memory system device can automatically read the control comparison table.
- MSU access control logic is controlled by hardware, including:
- Add new hardware for MSU access control: a register for recording the location of the MSU descriptor table and a register for recording the current MSU descriptor;
- when the CPU needs MSU information for access control, it finds the current MSU descriptor and performs MSU boundary, attribute, and port checks based on the register used to record the location of the MSU descriptor table and the register used to record the current MSU descriptor.
- the values in the "MSU user identification information" and "MSU user type information" in the target MSU descriptor table are automatically used to set the current user and current role.
- the hardware performs MSU boundary, attribute, and port checks by comparing the MSU information carried in the instruction with the information in the MSU descriptor to implement access control on the MSU.
- This method is implemented on the basis of the aforementioned universal access control application mode of the memory system device, and further includes:
- E-B1 compile the source program containing MSU, including:
- Extract MSU information including:
- the method further includes:
- the table includes the descriptor of each MSU.
- the specific information includes: MSU boundary information, attribute information, port information, validity/invalidity, and MSU ID number, and preferably the type information and identification information of the user to which the MSU belongs.
- Data pointer types are divided into global data area pointers, heap area pointers, and stack area pointers. All pointer operations must specify their pointer types.
- E-B1-3 Generate instructions related to MSU access, including:
- the call / return between MSUs uses the call / return instruction between MSUs. Between MSUs, indirect transfers by calling instructions are not allowed.
- the call / return in MSU uses the call / return instruction in MSU.
- a preferred solution is to use a call / return instruction under the existing system.
- Accessing shared data MSU uses shared data MSU access instructions.
- the user identification information of the MSU and the user type information of the MSU in the MSU attribute in the MSU descriptor table are set.
- the current MSU is automatically switched to the MSU where the interrupt response function is located.
- when the context is saved on an interrupt, the ID of the MSU at that time must also be saved.
- when the context is restored, execution switches back to the MSU that was current at that time.
- the newly added hardware mode may be a continuous storage area or a page as an access control unit.
- an MSU manufacturing method using a continuous storage area as an access control unit:
- This method is implemented on the basis of the foregoing method for manufacturing a memory system device in a new hardware manner, and further includes:
- F-A1 the production of memory system devices, including:
- the description unit of the boundary information of the MSU is an address boundary value of a continuous storage unit.
- the MSU access control mechanism is controlled by hardware, including:
- the access control judgment is performed according to the type of the instruction.
- When the instruction is executed, the hardware performs MSU boundary, attribute, and port checks by comparing the MSU information contained in the instruction with the information in the MSU descriptor to implement access control on the MSU.
- the MSU information is searched through two registers, which are a register for recording the position of the MSU descriptor table and a register for recording the current MSU descriptor.
- Access control application methods for manufacturing methods of such memory system devices include:
- This method is implemented on the basis of the aforementioned universal access control application mode of the memory system device, and further includes:
- F-B1 compile the source program containing MSU, including:
- F-B1-1 Extract MSU information, including:
- F-B1-3 Generate instructions related to MSU access, including:
- an MSU manufacturing method using a page as an access control unit:
- This method is implemented on the basis of the foregoing method for manufacturing a memory system device in a new hardware manner, and further includes:
- G-A1 the production of memory system devices, including:
- a data structure corresponding to the existing page table is established, each entry corresponds to a linear page, and the ID of the MSU to which the corresponding page belongs is recorded in the entry.
- the page on which the data structure is located is closely aligned with the page on which the page table is located. After finding the first address of the page on which the page table is located, offset one page away from the high address end to find the first address of the page on which the data structure is located.
- the MSU access control mechanism is controlled by hardware, including:
- a page (here page refers to a linear page) can only belong to one MSU;
- When cross-page access occurs, the hardware implements MSU access control by comparing the MSU information contained in the instruction with the information in the corresponding MSU description table of the page, and performing MSU boundary, attribute, and port checks.
- Access control application methods for manufacturing methods of such memory system devices include:
- This method is implemented on the basis of the aforementioned universal access control application mode of the memory system device, and further includes:
- G-B1 compile the source program containing MSU, including:
- G-B1-1 Extract MSU information, including:
- G-B1-3 Generate instructions related to MSU access, including:
- data structure information corresponding to the page table needs to be filled. That is, when the content in the MSU is loaded, the page on which the content is located needs to be mapped into the linear address space through the page table.
- a data structure corresponding to the page table is added to save the ID number of the MSU to which the page belongs. For this page number, the corresponding MSU boundary can be found from the mapped linear address value, the MSU to which the page belongs is then determined, and its ID number is written into this data structure. This ID number is the item number of the MSU descriptor in the MSU descriptor table.
- a method for using a memory system device includes: using a memory system device to prevent an attack from taking effect because authorization information is directly modified.
- a method for using a memory system device includes: using a memory system device to prevent an attack execution order branch from being generated due to a modified return address.
- the ordinary MSU is used to protect the return address and related information.
- call the port function A in the ordinary MSU, and the function stores the data to be saved in the ordinary MSU; when it needs to be retrieved, the port function B in the ordinary MSU is called, and this function retrieves the data from the ordinary MSU.
- each process state information management structure including the value of each register used to record the running state of the process, in particular, including the target address value needed to switch to the process execution
- the process switching program, including only the program that saves the current process status information and sets each register with the target process status information
- the protection feature of the safe MSU is used to save the function return address and interrupt scene information (including the interrupt return address) in the safe MSU, and when the function returns and interrupt returns, it is taken out for use.
- the calling information stack in step A is only used to store data related to the protection of the transfer site; in terms of function or space, this MSU is independent of the stack that has been allocated for storing code, global data, and stack data.
- When the CPU needs to save the current state information, it includes a function call or when an interrupt occurs; when the CPU needs to fetch the saved data, it includes a function call or an interrupt return.
- the call information stack is used to store a return address, and is set in a stack manner in the memory, one for each privilege level.
- the original stack is called the data stack and is used to store parameters and local variables.
- Add an ass register and an aesp register, which are used to save the segment selector of the call information stack and the top pointer of the call information stack, respectively.
- the step B further includes: when writing the data to be saved into the call information stack, the value of the aesp register is automatically decremented, and the decrement value is the total length of the written data;
- the step C further includes: when data is taken from the call information stack, the value of the aesp register is automatically accumulated, and the accumulated value is the sum of the length of the popped data;
- pushadr and popadr instructions are added, where the pushadr instruction is used to push an address into the call information stack, and aesp automatically points to the top of the new stack; the popadr instruction is used to pop an address from the call information stack, and aesp automatically points to the top of the new stack.
- the call instruction is modified.
- the modified call instruction pushes the return address into the call information stack, and the parameters and local variables are stored in the data stack.
- the modified call instruction pushes the return address into the call information stack, and the parameters, local variables, and return address are stored on the data stack.
- the ret instruction is modified, and the modified ret instruction pops a return address from the call information stack and modifies the value of aesp.
- the steps of writing the data to be saved into the call information stack include:
- Step B1.1 further includes:
- the processor obtains the segment selector and stack pointer of the data stack and call information stack from the tss of the current task.
- the data stack of the interrupt routine and the stack segment selector and call pointer of the call information stack are pushed into the new call information stack, namely ss0, esp0 and ass0, aesp0;
- the processor then saves the current values of the EFLAGS register, CS register, and EIP register into the new call information stack;
- Step B1.2 further includes:
- the processor saves the current EFLAGS register, CS register and EIP register values in the current call information stack;
- the step of fetching data from the call information stack includes:
- step C1 is performed in step C, which specifically includes:
- step C2 is performed in step C, which specifically includes:
- a new MSU attribute is set for saving the call information stack. Only the call instruction, mcall instruction, pushadr instruction, popadr instruction, and information to be saved when executing the interrupt gate can be written to the MSU, and other instructions cannot access the MSU.
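The separation of the call information stack from the data stack, as an added example that is not part of the patent text: a toy machine model in C showing that an unchecked copy into a local buffer changes the return target when the return address sits on the data stack, but not when the modified call/ret use the call information stack. The memory layout, sizes, the 0x00401000 return address and all function names are constructed assumptions; only esp, aesp, pushadr and popadr are names from the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model (constructed): one flat memory holding the data stack and,
 * in a separate protected region, the call information stack. */
#define DATA_TOP 256u          /* data stack occupies [0, 256), grows down   */
#define CIS_BASE 256u          /* call information stack occupies [256, 512) */
#define CIS_TOP  512u
#define RET_OK   0x00401000u   /* constructed legitimate return address      */

enum insn { INSN_STORE, INSN_CALL, INSN_PUSHADR };

typedef struct {
    uint8_t  mem[CIS_TOP];
    uint32_t esp;    /* top of the data stack             */
    uint32_t aesp;   /* top of the call information stack */
    int      fault;  /* set when an access is rejected    */
} cpu_t;

static void cpu_init(cpu_t *c) {
    memset(c, 0, sizeof *c);
    c->esp = DATA_TOP;
    c->aesp = CIS_TOP;
}

/* Every write goes through here. The call information stack region accepts
 * writes issued by call or pushadr only; an ordinary store faults. */
static void mem_write(cpu_t *c, uint32_t addr, const void *src, uint32_t len,
                      enum insn by) {
    if (c->fault) return;
    if (addr > CIS_TOP || len > CIS_TOP - addr) { c->fault = 1; return; }
    if (addr + len > CIS_BASE && by == INSN_STORE) { c->fault = 1; return; }
    memcpy(&c->mem[addr], src, len);
}

static void push_data(cpu_t *c, uint32_t v, enum insn by) {
    if (c->esp < 4) { c->fault = 1; return; }
    c->esp -= 4;
    mem_write(c, c->esp, &v, 4, by);
}

static uint32_t pop_data(cpu_t *c) {
    uint32_t v = 0;
    if (c->fault || c->esp + 4 > DATA_TOP) { c->fault = 1; return 0; }
    memcpy(&v, &c->mem[c->esp], 4);
    c->esp += 4;
    return v;
}

/* pushadr: aesp is decremented by the length written and points at the new top. */
static void pushadr(cpu_t *c, uint32_t addr, enum insn by) {
    if (c->aesp < CIS_BASE + 4) { c->fault = 1; return; }
    c->aesp -= 4;
    mem_write(c, c->aesp, &addr, 4, by);
}

/* popadr: aesp is incremented by the length popped. */
static uint32_t popadr(cpu_t *c) {
    uint32_t v = 0;
    if (c->fault || c->aesp + 4 > CIS_TOP) { c->fault = 1; return 0; }
    memcpy(&v, &c->mem[c->aesp], 4);
    c->aesp += 4;
    return v;
}

/* Runs one call/return. split=0: return address on the data stack.
 * split=1: modified call/ret use the call information stack.
 * The callee copies copy_len bytes of 0x41 into a 16-byte local buffer.
 * Returns the address ret transfers control to, or 0 if an access faulted. */
uint32_t run_victim(int split, uint32_t copy_len) {
    cpu_t c;
    uint8_t fill = 0x41;
    uint32_t buf, i, target;

    cpu_init(&c);
    push_data(&c, 1, INSN_STORE);               /* caller pushes two parameters */
    push_data(&c, 2, INSN_STORE);
    if (split) pushadr(&c, RET_OK, INSN_CALL);  /* modified call */
    else       push_data(&c, RET_OK, INSN_CALL);
    c.esp -= 16;                                /* callee reserves its buffer */
    buf = c.esp;
    for (i = 0; i < copy_len; i++)              /* unchecked copy, ordinary stores */
        mem_write(&c, buf + i, &fill, 1, INSN_STORE);
    c.esp += 16;
    target = split ? popadr(&c) : pop_data(&c); /* ret */
    return c.fault ? 0 : target;
}

/* An ordinary store aimed straight at the saved return address is rejected. */
int direct_store_faults(void) {
    cpu_t c;
    uint32_t v = 0x41414141u;
    cpu_init(&c);
    pushadr(&c, RET_OK, INSN_CALL);
    mem_write(&c, c.aesp, &v, 4, INSN_STORE);
    return c.fault;
}

int main(void) {
    printf("data stack only, 20-byte copy: ret -> 0x%08x\n", (unsigned)run_victim(0, 20));
    printf("call info stack, 20-byte copy: ret -> 0x%08x\n", (unsigned)run_victim(1, 20));
    printf("ordinary store to call info stack faults: %d\n", direct_store_faults());
    return 0;
}
```
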
- a method for using a memory system device includes: using a memory system device to prevent an attack execution order branch due to a function pointer being modified.
- the program for checking, the aforementioned data structure, and the program for calling the hook function need to be packaged in an MSU.
- An implementation method for preventing an attack execution order branch from being generated due to modification of condition selection data includes: performing a consistency comparison between a current system call number and an executed function, determining whether the execution order is legal, and making corresponding processing.
- a method for using a memory system device includes: preventing an attacker from directly modifying an attacked person's code through the memory system device, thereby generating an execution order that is favorable to the attack.
- the attacker does not have the ability to change the read-only attribute of the page, and thus has no ability to rewrite the code of the attacked.
- a method for using a memory system device includes: using a memory system device to prevent an attacker from arbitrarily specifying an executable area, and having the opportunity to introduce an execution order that is beneficial to the attack.
- a method for dynamically loading a program for running in a memory system device when the program is running.
- dynamically loaded programs and MSU information may be stored in memory or in files, such as dynamic link library files.
- a method for loading an executable program for running in a memory system device includes: storing MSU information in the executable program; when loading, the loader reads the MSU information therein and loads the program's data and code into memory space according to the boundary information it specifies.
- the method further includes: the executable program contains the MSU description information of the program, and after the kernel loader reads the information, it loads the code and data of the program according to its designated MSU boundary, and writes the MSU information into the MSU descriptor table.
- the kernel allocates stack space for the process, sets the MSU corresponding to the stack space to a shared MSU, and sets its boundary information according to the boundary value of the actual stack.
- a method of using a memory system device includes: using a memory system device to prevent an attacker from initiating an attack by directly executing attack code prepared in a process space.
- a method for using a memory system device includes isolating programs in the same privileged memory through the memory system device to make unevenness.
- the method further includes: storing the programs in the same privilege level in multiple MSUs, and controlling the access of the MSUs according to the access control rules of the MSUs.
- the programs in the same privilege level are encapsulated in different MSUs, so that the programs in each MSU can only complete a specific function.
- a method for using a memory system device includes checking access between MSUs through the memory system device.
- a method for using a memory system device includes: preventing an attacker from directly operating user data in a peripheral device to make an attack effective through the memory system device.
- the program for mapping the register port in the peripheral to the data area of the MSU, in particular the program including the I/O instruction, is encapsulated in an MSU. This guarantees that only the program in this MSU can map the register port and the memory data area.
- the program that interacts with the peripherals, in particular the program that issues the interactive instructions to the peripherals, is encapsulated in the terminal MSU, ensuring that the programs in the I/O instruction MSU map the register ports in the peripherals only to the data area of this class of terminal MSU. In this way, only this MSU can interact with peripherals.
- the program functions in the I / O instruction MSU and the terminal MSU are single and there are no loopholes.
- a method for using a memory system device includes: preventing an attacker from directly manipulating user data in a memory to make the attack effective through the memory system device.
- a method for using a memory system device includes: transmitting data between MSUs.
- the method further includes: sharing a physical page between MSUs, and transmitting data through the shared physical page.
- a method for using a memory system device includes: specifying an MSU stack bottom address value.
- a computing device is characterized in that it includes an MSU descriptor, and the MSU descriptor is recorded in the MSU descriptor table.
- the information recorded in the MSU descriptor includes: MSU identification information, MSU boundary information, MSU attribute information, and MSU port information.
- a reserved bit is set in the MSU descriptor. Further, the validity / invalidation information of the MSU and / or the user ID and user type information of the MSU may be set in the MSU descriptor.
- the MSU boundary information includes: boundary address information of all linear address segments in the MSU, where all the address information is a linear address.
- the address in the port information is preferably a logical address.
- the MSU attribute information may be one of ordinary MSU, inspection MSU, terminal MSU, shared data MSU, empty port MSU, and safe MSU.
- the MSU port information includes: entry information and / or exit information and / or port matching information; the entry information includes: entry number, entry address, and ID of the MSU to which it belongs; the exit information includes: exit number, exit address, ID of the MSU to which it belongs; the port matching information refers to: one exit information and one entry information.
- A register for the system call number and an instruction for setting it are added. This instruction can only be executed at privilege level 0.
- the computing device further includes an MSU-based access control function, and the access control includes:
- the processor intercepts it; if the inter-MSU transfer instruction is used to perform the inter-MSU transfer, the attribute and port matching check is performed. If the check passes, the processor supports transfer, otherwise the processor reports an exception.
- the attribute and port matching check rule is based on the rule described in the aforementioned "a general manufacturing method of a memory system device".
- a computing device is characterized in that a register is added to load status information, and the status information is dedicated to provide a basis for currently selecting a correct branch direction.
- the status information is a calling number of a current system call, and a specific instruction is added to set the register.
- a computing device is characterized by adding a register or a register group for loading an address of a data structure containing MSU information.
- the data structure containing MSU information is an MSU descriptor table.
- a computing device is characterized in that a register or a register group is added to load an address of a data structure containing MSU information currently being executed.
- a computing device is characterized in that: a register is added to carry the value of the bottom address of the stack that contains the currently executing MSU in the stack.
- the present invention also establishes an access control mechanism, which is characterized by using MSU.
- a secure operating system is characterized by using MSU.
- a code and data isolation technology which is characterized by using MSU to isolate code and data.
- the MSU refers to a collection of codes and data. One MSU cannot access the data of another MSU.
- MSU internal functions are divided into ordinary functions and port functions. Functions of one MSU cannot directly call ordinary functions of another MSU. MSU has special port functions, which can call port functions of other MSUs, and can also be called by other MSU port functions. MSU's normal functions cannot call other MSU functions, nor can they be called by other MSU functions.
- the data exchange between MSUs is performed through the port functions of the MSU.
- the functions and data of a program must belong to a certain MSU. A function or a data can only belong to one MSU.
- a code and data isolation technology which is characterized by: further including implementing cross-MSU access control at runtime, and preventing illegal access when illegal cross-MSU access occurs;
- the cross-MSU access control at runtime refers to judging whether the access to a data exceeds the boundary of the MSU at runtime, and determining whether an execution order jump illegally crossed the boundary of the MSU.
- the basis of the authorization check is power information, not data in the functional process. Power information is not derived from data in the functional process. This prevents external logic from interfering with or overwriting the basis of the check and causing the check to fail.
- When there is a mechanism for checking MSU, it can ensure that calls between MSUs must go through the checking MSU, so that developers cannot forget or intentionally skip the checking MSU.
- the checking MSU can check and monitor the overall execution sequence during the calling process.
- a task related to power is completed by at least one MSU, ensuring that there is at least one MSU call and at least one inspection of the MSU.
- MSUs can only be called through matching ports, ensuring that even if the execution order is illegally changed, it is impossible to jump directly from one MSU to another MSU, so that it is difficult for an attacker to jump to the execution order the attacker expects.
- the target that can be jumped can only be in this MSU.
- the single function of the MSU ensures that even if the execution order is changed in this MSU, a complete attack target cannot be completed.
- FIG. 1: Schematic diagram of MSU accessible stack space
- FIG. 2: Schematic diagram of the data structure corresponding to MSU information
- Add an MSU descriptor table, which includes boundary information, attribute information, and port information of all MSUs; add special registers to record the location of MSU descriptors, and the processor identifies MSUs through the registers.
- a special transfer instruction for access between MSUs has been added.
- the processor intercepts any cross-MSU actions during execution of other instructions. When this instruction is executed, if the attribute and port match, it will be allowed to execute, otherwise it will be intercepted.
- MSU access control is not restricted by privilege levels.
- S-C-A1 the production of the memory system device includes:
- S-C-A1-1 make MSU information recording unit:
- the information of the MSU control comparison table includes all MSU information, and specifically includes: MSU ID number, MSU boundary information, attribute information, port information, and validity / invalidation information. Preferably, it also includes information about the type of user to which the MSU belongs, and user identification information to which the MSU belongs.
- the MSU boundary information includes: instruction area boundary information, global data area boundary information, and heap area boundary information.
- the MSU port information includes: MSU exit information and MSU entry information;
- the exit information of the MSU includes the ID, exit number, and exit address value of the MSU to which it belongs;
- the entry information of the MSU includes the ID, entry number, and entry address value of the MSU to which it belongs;
- the port matching table includes a pair of exits and entries having a calling relationship between MSUs.
- In the data area of each MSU, set: a pointer variable pointing to the MSU control comparison table; a pointer variable pointing to the port matching table; a variable that records the address value of the bottom of the MSU stack.
- a space is reserved in a page-aligned manner, and the space size is an integer multiple of the page size.
- the control lookup table is set therein, and other data is not stored therein.
- MSU access control logic is controlled by software instructions, which specifically include:
- the logic of the added instructions is: before the parameter transfer instruction of a call between MSUs, obtain the top address of the stack and push this address value into the stack; this address value is used as the MSU stack bottom address value. At the beginning of its instructions, the above address value passed in the stack is obtained and saved to a variable used to record the current address value of the bottom of the MSU stack.
- Because accesses to non-pointer variables can be determined explicitly at the compilation stage, a preferred solution is to no longer perform boundary judgment on them at runtime, and to perform a boundary check only on data pointers.
- the specific method is to add judgment logic before the instruction that accesses data through the corresponding data pointer, to check the boundary of the access, including:
- Step S-C-A1-2-A1 If the final destination address accessed is in the global data area of the current MSU, or in the heap area, or in the area corresponding to the current MSU in the stack area, skip to step 2, otherwise skip to step 3;
- Step S-C-A1-2-A2 execute the data access instruction, and go to step 4;
- Step S-C-A1-2-A3 Enter the exception processing flow
- Step S-C-A1-2-A4 Execute the next instruction
- Step S-C-A1-2-B1 If the final destination address of the access is in the instruction area of the current MSU, skip to step 2; otherwise, skip to step 3;
- Step S-C-A1-2-B2 execute the indirect transfer instruction in the MSU, and go to step 4;
- Step S-C-A1-2-B3 Enter the exception processing flow
- Step S-C-A1-2-B4 Execute the next instruction
- the address information and target address information of the call instructions between MSUs are recorded and reflected in the check instructions.
- the purpose of the port check is to check whether the current MSU call and return are consistent with the expected inter-MSU call and return to prevent changing the execution order between MSUs.
- the specific method is: 1. Before calling between MSUs, check whether the address value of the current calling instruction and the target address are recorded in the port matching table. 2. When returning between MSUs, one return instruction may correspond to multiple legal return addresses, and performing the entry and exit match check may reduce execution efficiency. A preferred solution is, when returning, to check only whether the return instruction is a legal exit.
- For non-branch instructions, it can be determined at compile time that they are within the MSU area.
- the target address can also be ensured to be within the MSU area during the compilation phase.
- By setting the page where the instruction area is located to read-only, it can be guaranteed that the instruction will not be changed at runtime.
- a preferred solution is to rely on the compilation stage to ensure its correctness, and to no longer check it at runtime.
- This operation is required whether the IO instructions are generated from high-level code or are directly embedded assembly, to ensure that every IO instruction in the executable program is preceded by this check logic.
- the IO instruction is a special instruction that directly reads and writes to peripheral devices.
- the IO instructions of CPUs in different systems are different, and the actual conditions prevail, such as the in and out instructions under the INTEL system.
- the MSU access control logic is implemented by executing instructions for the MSU access control logic in the executable program. For specific instructions, refer to “Making a Memory System Device” in this embodiment.
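The software-inserted checks described above (data-pointer boundary check, indirect transfer check inside an MSU, and port check for calls and returns between MSUs), as an added example that is not code from the patent. The struct layouts, function names and every address are constructed assumptions, and the current MSU's stack area is assumed to be the range from the current stack top up to the recorded MSU stack bottom address.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical layout of the tables named on the page; all addresses are
 * constructed sample values. */
typedef struct { uint32_t lo, hi; } range_t;            /* [lo, hi) */

typedef struct {
    uint32_t id;
    int      valid;              /* validity / invalidation: 1 valid, 0 invalid */
    range_t  code, data, heap;   /* instruction, global data, heap boundaries   */
} msu_entry_t;

typedef struct { uint32_t exit_addr, entry_addr; } port_pair_t;

/* MSU control comparison table (constructed): MSU 1 has no heap yet. */
static const msu_entry_t msu_table[] = {
    { 1, 1, {0x1000, 0x2000}, {0x8000, 0x9000}, {0, 0} },
    { 2, 1, {0x2000, 0x3000}, {0x9000, 0xA000}, {0x20000, 0x21000} },
};

/* Port matching table (constructed): call in MSU 1 -> port function in MSU 2,
 * and the ret in MSU 2 -> the instruction after that call. */
static const port_pair_t port_table[] = {
    { 0x1040, 0x2000 },
    { 0x20F0, 0x1045 },
};

/* True only if the whole access [addr, addr+len) lies inside r. */
static int in_range(range_t r, uint32_t addr, uint32_t len) {
    return len != 0 && addr >= r.lo && addr < r.hi && len <= r.hi - addr;
}

static const msu_entry_t *find_msu(uint32_t id) {
    size_t i;
    for (i = 0; i < sizeof msu_table / sizeof msu_table[0]; i++)
        if (msu_table[i].id == id && msu_table[i].valid)
            return &msu_table[i];
    return NULL;
}

/* Check placed before a data-pointer access: allowed only in the current
 * MSU's global data area, its heap area, or its part of the stack.
 * Returns 1 to execute the access, 0 to enter exception processing. */
int check_data_access(uint32_t cur_msu, uint32_t addr, uint32_t len,
                      uint32_t stack_top, uint32_t msu_stack_bottom) {
    const msu_entry_t *m = find_msu(cur_msu);
    range_t stack = { stack_top, msu_stack_bottom };
    if (!m) return 0;
    return in_range(m->data, addr, len) || in_range(m->heap, addr, len) ||
           in_range(stack, addr, len);
}

/* Check placed before an indirect transfer inside an MSU: the target must
 * be in the current MSU's instruction area. */
int check_indirect_transfer(uint32_t cur_msu, uint32_t target) {
    const msu_entry_t *m = find_msu(cur_msu);
    return m != NULL && in_range(m->code, target, 1);
}

/* Port check before a call between MSUs: the (call instruction address,
 * target address) pair must be recorded in the port matching table. */
int check_inter_msu_call(uint32_t call_insn_addr, uint32_t target) {
    size_t i;
    for (i = 0; i < sizeof port_table / sizeof port_table[0]; i++)
        if (port_table[i].exit_addr == call_insn_addr &&
            port_table[i].entry_addr == target)
            return 1;
    return 0;
}

/* Preferred return check: only verify the return instruction is a recorded exit. */
int check_inter_msu_return(uint32_t ret_insn_addr) {
    size_t i;
    for (i = 0; i < sizeof port_table / sizeof port_table[0]; i++)
        if (port_table[i].exit_addr == ret_insn_addr)
            return 1;
    return 0;
}

int main(void) {
    printf("MSU 1 reads own data:        %d\n", check_data_access(1, 0x8010, 4, 0x7FF00, 0x7FF40));
    printf("MSU 1 reads MSU 2 data:      %d\n", check_data_access(1, 0x9010, 4, 0x7FF00, 0x7FF40));
    printf("call to non-port target:     %d\n", check_inter_msu_call(0x1040, 0x2010));
    return 0;
}
```
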
- Access control application methods for manufacturing methods of such memory system devices include:
- S-C-B1 compiles the source program containing MSU, including:
- Extract MSU information including:
- S-C-B1-1-1 Write and compile source programs containing MSU information:
- this rule adds the following grammar rules based on the C language:
- the MSU type represents the attributes of MSU: common_msu represents ordinary MSU, check_msu represents check MSU, terminal_msu represents terminal MSU, nothing_msu represents empty port MSU, and share_msu represents shared data MSU.
- the MSU name represents the identification information of the MSU; the data and functions in a pair of { } belong to the same MSU.
- the function identified by the inner access identifier is the MSU empty port function
- the function identified by the port access identifier is an MSU port function
- Validation / deactivation bit which records whether the MSU is available. 1 means valid, 0 means invalid.
- Pointer area type: the pointer identified by data is the global data area pointer; the pointer identified by stack is the pointer of the stack area; the pointer identified by heap is the pointer of the heap area; if the pointer area type identifier is not added before the pointer definition, the default pointer is the global data area pointer.
- a case program implemented by adding grammatical rules is:
- the compiler recognizes the MSU information retained in the program by adding syntax rules and saves the information in the syntax tree for subsequent steps.
- When the compiler performs parsing, it must analyze not only the program file, but also the configuration file.
- the configuration information is used to identify the information related to the MSU in the program file.
- the processing rules of MSU information are consistent, and a syntax tree can be generated for subsequent steps.
- the additional configuration information rules are:
- the role of each keyword is consistent with the role of keywords in the previously added grammar rule in this case.
- stack * p1; // p1 is a global pointer variable that points to the stack data area
- stack add1 * p1; // p1 is a local pointer variable in the function add, which points to the stack data area
- a specific function nomenclature is used to identify this function as an MSU empty port function or port function.
- a function whose first 5 characters are _PORT is a port function
- a function whose first 6 characters are _INNER is an empty port function
- the first 5 characters of the pointer name are pointers to the global data area
- a pointer whose name has _stack as its first 6 characters is a pointer to the stack area
- the first 5 characters of the pointer name are pointers to the stack area
- a pointer of _heap is a pointer to the heap area
- When the compiler performs syntax analysis, the above three rules can be used to identify the information related to the MSU in the program, and finally generate a syntax tree and save the MSU information.
- the compiling technology of the remaining syntax is the same as the existing technology.
- S-C-B1-1-2 Memory layout and addressing method
- Instructions and data belonging to the same MSU are page-aligned and closely linked separately. Instructions are stored in the instruction area and data are stored in the data area. All MSUs are uniformly addressed with the same base address in the same linear address space.
- the ID of the current MSU stores the ID value of the currently running MSU, and is used to find information of the currently running MSU in the MSU control comparison table.
- the information of the MSU control comparison table includes all MSU information, and specifically includes: MSU ID number, MSU boundary information, attribute information, port information, and validity / invalidation information. Preferably, it also includes information about the type of user to which the MSU belongs, and user identification information to which the MSU belongs.
- the MSU ID number is generated by different MSU names stored in the syntax tree
- the MSU boundary information includes: instruction area boundary information, global data area boundary information, and heap area boundary information.
- the instruction area boundary information and global data area boundary information can be determined by statistically compiling the generated instructions and the global data footprint.
- For heap area boundary information, because the size of the heap area that needs to be established cannot be determined at compile time, an entry can be reserved in the comparison table and the information added temporarily when the heap area is needed at runtime;
- the MSU attribute information may be set according to the MSU type information recorded in the syntax tree;
- the MSU port information includes: MSU exit information and MSU entry information;
- the exit information of the MSU includes the ID, exit number, and exit address value of the MSU to which it belongs; where the exit number is a unique number for each exit, and the exit address value is the address value where the MSU call / return instruction is located;
- the MSU entry information includes the ID, entry number, and entry address value of the MSU to which it belongs; where the entry number is a unique number for each entry, and the entry address value is the next instruction address value of the call instruction between MSUs, and the address value of the first instruction of the port function;
- the validity / invalidation information is set by the validity / invalidation flag recorded in the syntax tree node.
- the port matching table is a set of call relationships for the MSU to call other MSUs.
- One of the entries includes a pair of exits and entries that have a call relationship between MSUs.
- the pointer variable pointing to the MSU control comparison table is used to access the MSU control comparison table in the inspection instruction.
- the pointer variable pointing to the port matching table is used to access the port matching table in a check instruction.
- the variable used to record the address value of the bottom of the MSU stack is used to control the access boundary of the stack area of the current MSU in the check instruction.
- the initial value of this variable is the stack bottom address value of the corresponding privileged stack.
- In each MSU data area, a piece of space is reserved in page alignment.
- the size of the space is an integer multiple of the page size.
- the control table is set in it, and other data cannot be stored in it. Within the execution file.
- the compiler analyzes the information recorded in the syntax tree, and does not generate executable programs for code that does not comply with the MSU access rules. If it does, it enters the subsequent process of generating assembly code and linking.
- S-C-B1-3 generates instructions related to MSU access:
- the inter-MSU call access transfer instruction is: call target address value.
- indirect transfer by call instruction is not allowed.
- the inter-MSU return access transfer instruction is: ret.
- the instructions for accessing global MSU and heap data are consistent with the instructions for accessing stack data.
- the operating system allocates a stack area for the process.
- a preferred solution is to set the size of the stack to the actual applicable size, rather than the size of the entire linear address space.
- the boundary of the shared data MSU representing the stack is set to the same boundary as the stack.
- when the program in the MSU is executed, if it needs to request / release heap space, it enters the kernel through a dedicated system call, the dedicated program in the kernel requests / releases heap space for it, and the heap area boundary value in the MSU control comparison table is modified accordingly.
- An MSU making method using the segment mechanism for access control:
- S-D-A1-1 make MSU information recording unit:
- the following data is created for each MSU and stored in the data area of the MSU: the current MSU ID; the MSU control comparison table; the port matching table; the pointer variable to the MSU control comparison table; the pointer variable to the port matching table; the variable used to record the address value of the bottom of the MSU stack.
- the information of the MSU control comparison table includes: MSU information of all MSUs.
- the information of each MSU includes: the ID number of the MSU, a mapping table of the MSU and its segment descriptors, attribute information, port information, and validity / invalidation information.
- the mapping table between the MSU and a segment descriptor belonging to the MSU includes: a correspondence between the MSU and the corresponding segment descriptor in the GDT table.
- the content involved in the MSU ID number, the MSU attribute information, the MSU port information, and the validation / invalidation information is consistent with the corresponding content in Embodiment 2.
- MSU boundary access control is controlled by the segment mechanism.
- Other access controls include:
- the logic of adding instructions is consistent with the corresponding content in the second embodiment.
- the region boundary control of the segment is used to implement the region boundary control of the MSU.
- Access control to the MSU is implemented by executing the attribute and port matching check instructions in the executable program.
- Access control application methods for manufacturing methods of such memory system devices include:
- S-D-B1 compiles the source program containing MSU, including:
- S-D-B1-1-1 Write and compile source programs containing MSU information:
- An important feature of this embodiment is that a segment is used to describe the continuous storage area of the MSU, and the boundary information of the continuous storage area is finally stored in the GDT table in the form of a segment descriptor.
- instructions and data belonging to the same MSU are page-aligned and closely linked separately. Instructions are stored in the instruction area and data are stored in the data area.
- all MSUs are in the same linear address space, and each continuous storage area of each MSU is individually addressed. Its base address is written into the segment base address of the corresponding segment, and its length is written into the segment limit length of the corresponding segment.
- the instruction area boundary information and global data area boundary information of the GDT table can be determined by totalling the size of the instructions generated by the compilation and the size of the space occupied by global data.
- For heap area boundary information, since the size of the heap area that needs to be established cannot be determined at compile time, an entry can be reserved in the comparison table, and information is temporarily added when the heap area is needed at runtime.
- the compiler analyzes the information recorded in the syntax tree and does not generate an executable program for code that does not comply with the MSU access rules. Code that does comply enters the subsequent process of generating assembly code and linking.
- S-D-B1-3 generates instructions related to MSU access, including:
- the inter-MSU call access transfer instruction is a call instruction whose operands are the target segment selector and the target address value.
- indirect transfer by call instruction is not allowed.
- the operating system collects MSU boundary information from the information table required by the GDT and loads the GDT table.
- each MSU descriptor is recorded in the MSU descriptor table. See Table 1 for the format of an MSU descriptor.
- N in the table represents a natural number, and its value ultimately depends on the maximum space required to store the content.
- the MSU ID number is the entry number of the MSU descriptor in the MSU descriptor table.
- FIG. 2 shows a specific implementation manner, in which the MSDTR register points to the first address of the MSU descriptor table, and the CMSDTR register stores the current MSU ID, which represents the serial number of the current MSU in the MSU descriptor table.
- Each MSU descriptor contains information such as MSU attributes, code area boundaries, and global data area boundaries.
- the exit descriptor table can be found by the first address of the exit descriptor table and the entry descriptor table.
- Each exit descriptor in the exit descriptor table includes an exit address, a target MSU number, a target entry number, a target entry address, and a return address.
- the instruction area boundary information and global data area boundary information of the MSU descriptor table may be determined by totalling the size of the instructions generated by the compilation and the size of the space occupied by global data. For heap area boundary information, since the size of the heap area that needs to be established cannot be determined at compile time, an entry can be reserved in the comparison table, and information is temporarily added when the heap area is needed at runtime.
- registers and instructions include:
- Add an MSDTR register load instruction, LOAD MSDTR address value, used to store the first address of the MSU descriptor table into MSDTR. This instruction is privileged and can only be executed at privilege level 0;
- This instruction is privileged and can only be executed at privilege level 0.
- a special register is set to store the stack bottom address value of the current MSU: a CMSEBP register is added to record the current MSU stack bottom address value.
- a register is set up to hold the ID number of the shared data MSU corresponding to the stack: an SMSUR register is added to record the ID number of the shared data MSU corresponding to the stack.
- the current MSU descriptor is found in the MSU descriptor table through the MSDTR and CMSDTR registers, and the boundary information is obtained from it.
- the target address of the data access is from the bottom of the stack of the MSU to the top of the entire stack space.
- the bottom of the stack of the MSU is obtained from the CMSEBP register and the top of the stack.
- the location of the MSU descriptor table is pointed by the MSDTR register.
- when the MSU data access instruction is executed, it is determined whether the target address of the data access exceeds the boundary of the data area of the MSU.
- the boundary of the data area of the MSU is known by the CMSDTR and the MSU descriptor table.
- the position of the MSU descriptor table is pointed to by the MSDTR register.
- the mcall instruction is a call instruction between MSUs; the mret instruction is a return instruction between MSUs.
- when the mcall instruction and mret instruction are executed, the processor first checks the validity of the call / return according to the MSU access rules. If the MSU access rules are met, the instruction is allowed to execute further; otherwise, an exception is reported.
- Figure 4 shows a specific way for the MCALL instruction to obtain MSU attributes.
- the processor obtains the attribute information from the attribute fields in the current MSU descriptor and the target MSU descriptor, and performs an attribute matching check between MSUs. If the attributes comply with the MSU attribute matching rules recorded in the content of the invention, the port matching check is performed; otherwise, an exception is reported.
- Figure 5-7 shows a specific way for the MCALL instruction to obtain the exit address, the target MSU number, and the target entry number.
- when accessing the shared data MSU, the shared data MSU access instruction must be used; otherwise, an exception is reported. If the shared data MSU access instruction accesses a non-shared data MSU, an exception is reported.
- Specific methods include:
- if the MSU number specified in the mmov instruction is the MSU number of the MSU where the stack is located, determine whether the target address is less than the current MSU stack bottom value recorded in the CMSEBP register. If it is less, execution is allowed; otherwise an exception is reported. If the MSU number is not the MSU number of the MSU where the stack is located, an exception is reported.
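The checks described above for mcall, ordinary data access and mmov can be modelled in software. This is an added example, not code from the patent: the field widths, the entry descriptor layout, the order of the checks and the rule that CMSEBP takes the value of esp at the call are assumptions, and the attribute matching step is left out because its rules are not given in this part of the description.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { MSU_OK, MSU_FAULT_PORT, MSU_FAULT_TARGET, MSU_FAULT_BOUNDS } msu_result;

/* Exit descriptor: the five fields the description lists. Widths are assumed. */
typedef struct {
    uint32_t exit_addr;          /* address of the mcall instruction       */
    uint16_t target_msu;         /* target MSU number                      */
    uint16_t target_entry;       /* target entry number                    */
    uint32_t target_entry_addr;  /* first instruction of the port function */
    uint32_t return_addr;        /* instruction following the mcall        */
} exit_desc;

typedef struct { uint32_t entry_addr; } entry_desc;    /* assumed layout */

typedef struct {
    bool valid;                          /* validity / invalidation flag   */
    uint32_t data_base, data_limit;      /* global data area [base, limit) */
    const exit_desc *exits;    size_t n_exits;
    const entry_desc *entries; size_t n_entries;
} msu_desc;

typedef struct {
    const msu_desc *msdtr; size_t n_msu; /* MSDTR: MSU descriptor table      */
    uint16_t cmsdtr;                     /* CMSDTR: current MSU ID           */
    uint32_t cmsebp;                     /* CMSEBP: current MSU stack bottom */
    uint16_t smsur;                      /* SMSUR: MSU ID of the stack       */
    uint32_t eip, esp;
} cpu_state;

/* Port matching check performed before an inter-MSU call takes effect. */
msu_result mcall(cpu_state *c, size_t exit_no)
{
    const msu_desc *cur = &c->msdtr[c->cmsdtr];
    if (exit_no >= cur->n_exits) return MSU_FAULT_PORT;
    const exit_desc *x = &cur->exits[exit_no];
    if (x->exit_addr != c->eip) return MSU_FAULT_PORT;     /* not a registered exit */
    if (x->target_msu >= c->n_msu || !c->msdtr[x->target_msu].valid)
        return MSU_FAULT_TARGET;
    const msu_desc *tgt = &c->msdtr[x->target_msu];
    if (x->target_entry >= tgt->n_entries ||
        tgt->entries[x->target_entry].entry_addr != x->target_entry_addr)
        return MSU_FAULT_PORT;                             /* exit/entry pair mismatch */
    /* State changes only after every check has passed. */
    c->cmsdtr = x->target_msu;
    c->cmsebp = c->esp;      /* assumption: callee's stack bottom is esp at the call */
    c->eip = x->target_entry_addr;
    return MSU_OK;
}

/* Ordinary data access: must stay inside the current MSU's data area. */
msu_result msu_data_access(const cpu_state *c, uint32_t addr)
{
    const msu_desc *cur = &c->msdtr[c->cmsdtr];
    return (addr >= cur->data_base && addr < cur->data_limit) ? MSU_OK : MSU_FAULT_BOUNDS;
}

/* mmov: only the stack's MSU, and only below the current MSU's stack bottom. */
msu_result mmov(const cpu_state *c, uint16_t msu_no, uint32_t addr)
{
    if (msu_no != c->smsur) return MSU_FAULT_TARGET;
    return addr < c->cmsebp ? MSU_OK : MSU_FAULT_BOUNDS;
}

/* Constructed sample tables: MSU 0 calls port 0 of MSU 1; MSU 2 holds the stack. */
static const exit_desc  msu0_exits[]   = { { 0x1010, 1, 0, 0x2000, 0x1015 } };
static const entry_desc msu1_entries[] = { { 0x2000 } };
static const msu_desc   table[] = {
    { true, 0x8000, 0x9000, msu0_exits, 1, NULL, 0 },
    { true, 0xA000, 0xB000, NULL, 0, msu1_entries, 1 },
    { true, 0xE000, 0xF000, NULL, 0, NULL, 0 },
};

cpu_state sample_cpu(uint32_t eip)
{
    cpu_state c = { table, 3, 0, 0xF000, 2, eip, 0xEFC0 };
    return c;
}

int main(void)
{
    cpu_state ok = sample_cpu(0x1010), bad = sample_cpu(0x1234);
    printf("mcall at registered exit: %d\n", mcall(&ok, 0));
    printf("mcall from elsewhere:     %d\n", mcall(&bad, 0));
    printf("mmov into caller frame:   %d\n", mmov(&ok, 2, 0xEFD0));
    return 0;
}
```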
- Access control application methods for manufacturing methods of such memory system devices include:
- instructions and data belonging to the same MSU are page-aligned and closely linked separately. Instructions are stored in the instruction area and data are stored in the data area.
- all MSUs are in the same linear address space, and each continuous storage area of each MSU is individually addressed, and its base address and length are written into the corresponding MSU descriptor.
- one MSU descriptor table is established for all MSUs, and the MSU descriptor tables in various types of memory system devices are as described above.
- the instruction area boundary information and global data area boundary information are determined by totalling the size of the generated instructions and the size of the space occupied by global data. For heap area boundary information, since the size of the heap area that needs to be established cannot be determined at compile time, an entry can be reserved in the comparison table, and information is temporarily added when the heap area is needed at runtime.
- the compiler analyzes the information recorded in the syntax tree and does not generate an executable program for code that does not comply with the MSU access rules. Code that does comply enters the subsequent process of generating assembly code and linking.
- the instructions for accessing the global and heap data of this MSU are consistent with the existing system.
- when the process is loaded, the MSU user ID information and MSU user type information in the MSU attribute are set according to the user ID and user role type of the process.
- the operating system applies for a separate page; the loader finds the MSU descriptor table at the agreed location of the executable file, together with the exit and entry descriptor tables corresponding to each descriptor, loads them, and records the first address of the MSU descriptor table in the MSDTR register with the instruction LOAD MSDTR address value.
- the instruction LOAD CMSDTR with the ID number of the MSU is used to set the current MSU entry number in the MSU descriptor table.
- the operating system allocates a stack area for the process.
- a preferred solution is that the size of the stack is set to a practically applicable size, rather than the size of the entire linear address space.
- when a program in the MSU is executed, if it needs to request / release heap space, it enters the kernel through a dedicated system call, the dedicated program in the kernel requests / releases heap space for it, and the heap area boundary value in the MSU descriptor table is modified accordingly.
- when the program in the MSU is executed, if it is necessary to add / remove an MSU, it enters the kernel through a dedicated system call, and the dedicated program in the kernel adds / removes the MSU for it and modifies the MSU descriptor table.
- the contents of the interrupt scene are saved, and the current MSU ID number recorded in the CMSDTR register and the current MSU stack bottom address value recorded in the CMSUR are also included.
- for the interrupt response function, the ID number of the MSU corresponding to the interrupt response function in the IDT table is used to set the CMSDTR register.
- when the interrupt returns, the contents of the scene are restored, including setting the CMSDTR register with the MSU ID number saved when the interrupt occurred, and setting the CMSUR register with the saved address value of the bottom of the MSU.
- a page (here page refers to a linear page) can only belong to one MSU.
- a corresponding data structure is established, each of which corresponds to a page table entry, and the structure records the ID number of the MSU to which the page table entry corresponds.
- the processor finds the corresponding entry in the MSU descriptor table by the ID number of the MSU to which the page belongs, and each entry corresponds to an MSU descriptor.
- This structure is reflected in the TLB of the processor.
- the added new hardware is the same as the added hardware in Embodiment 4 except that the CMSDTR register and the corresponding load instruction described in Embodiment 4 are no longer added.
- the processor checks the call access according to the MSU access rules. If the access rules are met, execution is allowed, otherwise, an exception is reported.
- the specific inspection method is based on the inspection method in Embodiment 4, with two changes: "the current MSU descriptor is found in the MSU descriptor table through the MSDTR and CMSDTR registers" is changed to "the current MSU descriptor is found in the MSU descriptor table through the MSDTR register and the ID number of the MSU to which the page of the current instruction belongs"; and the action of setting the CMSDTR register is deleted from the execution effect of the mcall and mret instructions.
- the control method when accessing the shared data MSU is the same as the method for accessing the shared data MSU in the fourth embodiment.
- the control method for the interruption is consistent with the control method for the interruption in the fourth embodiment.
- the attribute checking method of the MSU to which the IO instruction belongs is consistent with the attribute checking method of the IO instruction in Embodiment 4.
- the method of setting the current MSU stack bottom address value is consistent with the method of setting the current MSU stack bottom address value after a call between MSUs in Embodiment 4.
- Access control application methods for manufacturing methods of such memory system devices include:
- S-G-B1 compile the source program containing MSU, including:
- Extract MSU information including:
- the implementation method is consistent with the method of writing and compiling a source program containing MSU information in Embodiment 2.
- Instructions and data belonging to the same MSU are page-aligned and closely linked separately. Instructions are stored in the instruction area and data are stored in the data area. All MSUs are uniformly addressed in the same linear address space with linear address 0 as the base address.
- the instruction area boundary information and global data area boundary information of the MSU descriptor table may be determined by totalling the size of the instructions generated by the compilation and the size of the space occupied by global data. For heap area boundary information, since the size of the heap area that needs to be established cannot be determined at compile time, an entry can be reserved in the comparison table, and information is temporarily added when the heap area is needed at runtime.
- the compiler analyzes the information recorded in the syntax tree and does not generate an executable program for code that does not comply with the MSU access rules. Code that does comply enters the subsequent process of generating assembly code and linking.
- when the process is loaded, the user identification information of the MSU and the user type information of the MSU in the MSU attribute are set according to the user ID and user role type of the process.
- the operating system applies for a separate page, and the loader finds the MSU descriptor table at the agreed-upon location of the executable file, as well as the exit and entry descriptor tables corresponding to each descriptor, loads them into the page, and uses the instruction LOAD MSDTR address value to record the first address of the MSU descriptor table in the MSDTR register.
- the page where the content is located needs to be mapped into the linear address space through the page table.
- a data structure corresponding to the page table is added to save the ID number of the MSU to which the page belongs. For this page number, you can find the corresponding MSU boundary by mapping the linear address value, and then determine the MSU to which it belongs, and write its ID number into this data structure.
- This ID number is the item number of the MSU descriptor in the MSU descriptor table.
- the linear address of this page is fixedly allocated after the corresponding page table so that the CPU can find it through the page table. Its page table entry setting is consistent with the corresponding page table. After the corresponding page table entry is found, the address of the page table entry is shifted backward by one page, and the MSU information item corresponding to the page table entry can be found.
- the operating system allocates a stack area for the process.
- a preferred solution is that the size of the stack is set to a practically applicable size, rather than the size of the entire linear address space.
- when the program in the MSU is executed, if it needs to request / release heap space, it enters the kernel through a dedicated system call, the dedicated program in the kernel requests / releases heap space for it, and the MSU ID number is added to / deleted from the data structure that corresponds to the page table of the corresponding page.
- when the program in the MSU is executed, if it is necessary to add / remove an MSU, it enters the kernel through a dedicated system call, and the dedicated program in the kernel adds / removes the MSU for it and modifies the MSU descriptor table.
- the content of the interruption site is saved, and the ID number of the MSU to which the current page belongs (obtained from the data structure corresponding to the page table one-to-one), and the current stack address value recorded in the CMSUR are also recorded.
- for the interrupt response function, the ID number of the MSU corresponding to the interrupt response function in the IDT table is used to set the CMSDTR register.
- when the interrupt returns, the contents of the scene are restored. This also includes taking the bottom address of the MSU saved when the interrupt occurred and setting the CMSUR register with it.
- the authorization information includes direct authorization information, such as the range of files that users can access, and includes indirect authorization information, such as page table information. Further, this method can also protect other important data, such as the interrupt descriptor table.
- a method that utilizes the protection features of MSU to prevent the call instruction return address and / or the field information (including the interrupt return address) from being modified when an interrupt occurs including:
- a dedicated state information saving function is set to save the state information; a dedicated state information reading function is set to read the saved state information.
- a preferred state information access method is: the status information is accessed in the form of a stack. A special data variable is set in the MSU to record the top position of the stack. When status information is stored, the top position value is decremented by the size of the space occupied by the stored status information. When status information is read, the stack top position value is increased by the size of the space occupied by the read status information.
- when the CPU wants to save the current state information, in particular the return address set after a function call is generated (including function calls within an MSU and port function calls between MSUs) and / or the field information (including the interrupt return address) after an interrupt is generated, it saves it to the dedicated MSU. The specific way is to call the port function of the dedicated MSU and pass the information to be saved to the dedicated MSU in the form of parameters; the function in the dedicated MSU that is responsible for saving state information then stores the information in the dedicated MSU.
- when the CPU wants to retrieve the saved status information, in particular before a function returns and / or an interrupt returns, it first calls the port function of the dedicated MSU to enter the dedicated MSU; the function responsible for reading the status information then takes out the return address and / or the scene information, and the function return is performed and / or the interrupted scene is resumed according to the information taken out.
- An implementation manner of preventing, through the memory system device, the execution branch of an attack caused by a modified return address is:
- An implementation method that uses the features of the secure MSU to protect function return addresses and interrupt scene information (including the interrupt return address) is:
- a data protection method comprising:
- A new stack independent of the existing stack, hereinafter called the call information stack.
- the calling information stack in step A is only used to store data related to the protection of the transfer site; in terms of function or space, this MSU is independent of the stack that has been allocated for storing code, global data, and stack data.
- the cases in which the CPU needs to save the current state information include a function call and the occurrence of an interrupt; the cases in which the CPU needs to fetch the saved state information include a function return and an interrupt return.
- the call information stack is used to store the return address, and is set in a stack manner in the memory. One is set for each privilege level when the process is created.
- the original stack is called the data stack and is used to store parameters and local variables.
- Add an ass register and an aesp register, which are used to save the segment selector of the call information stack and the top pointer of the call information stack, respectively.
- the step C further includes: when data is taken from the call information stack, the value of the aesp register is automatically accumulated, and the accumulated value is the sum of the length of the popped data;
- the ret instruction is modified, and the modified ret instruction pops a return address from the call information stack and modifies the value of aesp.
- the modified mret instruction pops up "CMSEBP" from the call information stack, pops up the "current exit number in the mcall instruction", calculates the return address and assigns it to eip, pops CMSDTR, and modifies the value of aesp.
- the steps of writing the data to be saved into the call information stack include:
- Step B1.1 further includes:
- Step B1.2 further includes:
- the processor saves the current EFLAGS register, CS register and EIP register values in the current call information stack;
- the step of fetching data from the call information stack includes:
- step C2 is performed in step C, which specifically includes:
- a new MSU attribute is set for the MSU that saves the call information stack. It can be accessed only by the call instruction, mcall instruction, pushadr instruction, popadr instruction, ret instruction, mret instruction and iret instruction, and when an interrupt gate is executed. Other instructions cannot access the MSU.
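A software model of the call information stack described above, added here as an illustration and not taken from the patent: it compares a single-stack layout with the split layout when a callee copies too much data into a local buffer, and models the MSU attribute that refuses ordinary instructions. The 64-byte stack size, the frame layout and all sample values are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_BYTES 64u
#define WORD sizeof(uint32_t)

typedef enum { I_CALL, I_MCALL, I_PUSHADR, I_POPADR, I_RET, I_MRET, I_IRET,
               I_INT_GATE, I_MOV /* any ordinary data instruction */ } insn_kind;

typedef struct {
    uint8_t  data[STACK_BYTES];  /* data stack: parameters and local variables */
    uint32_t esp;                /* data stack top, as a byte offset           */
    uint8_t  cis[STACK_BYTES];   /* call information stack: return addresses   */
    uint32_t aesp;               /* aesp: top of the call information stack    */
} machine;

void machine_init(machine *m)
{
    memset(m, 0, sizeof *m);
    m->esp = m->aesp = STACK_BYTES;
}

/* MSU attribute of the call information stack: ordinary instructions are refused. */
bool cis_access_allowed(insn_kind k) { return k != I_MOV; }

bool cis_push(machine *m, insn_kind k, uint32_t v)
{
    if (!cis_access_allowed(k) || m->aesp < WORD) return false;   /* exception */
    m->aesp -= WORD;                         /* decrement by the size stored */
    memcpy(&m->cis[m->aesp], &v, WORD);
    return true;
}

bool cis_pop(machine *m, insn_kind k, uint32_t *v)
{
    if (!cis_access_allowed(k) || m->aesp + WORD > STACK_BYTES) return false;
    memcpy(v, &m->cis[m->aesp], WORD);
    m->aesp += WORD;                         /* accumulate by the size popped */
    return true;
}

/* The callee's bug: n is not checked against its 8-byte buffer. The clamp only
 * keeps the simulation inside the simulated stack. */
static void callee_copy(machine *m, const uint8_t *in, size_t n)
{
    if (n > STACK_BYTES - m->esp) n = STACK_BYTES - m->esp;
    memcpy(&m->data[m->esp], in, n);
}

/* Existing layout: call pushes the return address onto the data stack. */
uint32_t run_single_stack(const uint8_t *in, size_t n, uint32_t ret_addr)
{
    machine m; uint32_t target;
    machine_init(&m);
    m.esp -= WORD;                                            /* caller's local */
    m.esp -= WORD; memcpy(&m.data[m.esp], &ret_addr, WORD);   /* call           */
    m.esp -= 8;                                               /* callee buffer  */
    callee_copy(&m, in, n);
    m.esp += 8;
    memcpy(&target, &m.data[m.esp], WORD);                    /* ret            */
    return target;
}

/* Split layout: the modified call / ret use the call information stack. */
uint32_t run_split_stack(const uint8_t *in, size_t n, uint32_t ret_addr,
                         uint32_t *caller_local)
{
    machine m; uint32_t target = 0;
    machine_init(&m);
    m.esp -= WORD;                           /* caller's local, initially zero */
    cis_push(&m, I_CALL, ret_addr);
    m.esp -= 8;
    callee_copy(&m, in, n);
    m.esp += 8;
    cis_pop(&m, I_RET, &target);
    memcpy(caller_local, &m.data[m.esp], WORD);
    return target;
}

/* An ordinary store aimed at the call information stack is refused. */
bool ordinary_store_is_refused(void)
{
    machine m; uint32_t top = 0;
    machine_init(&m);
    cis_push(&m, I_CALL, 0x401000u);
    bool refused = !cis_push(&m, I_MOV, 0xDEADBEEFu);
    cis_pop(&m, I_RET, &top);
    return refused && top == 0x401000u;
}

int main(void)
{
    uint8_t in[12]; uint32_t bogus = 0x0BADF00Du, local = 0;
    memset(in, 'A', 8); memcpy(in + 8, &bogus, WORD);   /* constructed input */
    printf("single: 0x%08x\n", (unsigned)run_single_stack(in, sizeof in, 0x401000u));
    printf("split:  0x%08x\n", (unsigned)run_split_stack(in, sizeof in, 0x401000u, &local));
    return 0;
}
```

In the split layout the over-long copy still overwrites the caller's local variable on the data stack; only the return address is out of its reach.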
- An implementation manner of preventing, through the memory system device, the execution branch of an attack caused by a modified function pointer is:
- Maliciously modifying the address value of a hook is a common means of attack. By ensuring that the use of the hook is in accordance with the original intention of the software system designer, you can defend against attacks against the hook.
- Our defense method is divided into two steps. The first step is to determine whether the called hook value is among the addresses of all hook functions corresponding to this hook. (This step can intercept function address values beyond those this hook may call, but it cannot distinguish which hook function should specifically be called.) The second step is to determine whether the called hook function meets the design intent.
- when a hook corresponds to two or more hook functions that may be called, it actually constitutes an execution order branch determined by the hook value.
- the specific method of the second step is to establish a dedicated data structure (a preferred solution is to set a dedicated register), store the condition data in a specified position in the data structure, record the condition information input by the program in the specified position, add a judgment instruction at the execution entrance of each hook function corresponding to this hook, and determine whether it should be executed according to the condition information recorded in the specified position of the data structure.
- For read and write file operations, register-setting instructions are added at the entry of the read and write system calls. If a read system call is performed, an instruction is added at the entry of the read system call to record the information of the read operation at the specified location of the register (for example, set the first bit to 0). If a write system call is performed, an instruction is added at the entry of the write system call to record the information of the write operation at the specified location of the register (for example, set the first bit to 1). An instruction is added at the entry of the hook function of the read operation to judge: if the specified position (first bit) of the register is 0, execution is allowed; otherwise an exception is reported. The write operation is handled in the same way.
- the saving and switching of the design intent information register is synchronized with the saving and switching of process site information.
- the function body of the hook function cannot be placed in this MSU.
- One method of processing is to place the content of the function body of the hook function in another, regular MSU.
- the biggest advantage of this method is that it prevents the attacker from maliciously modifying the hook, while retaining the flexibility of using the hook completely.
- the current system call number is recorded through a special register, and compared at a specific position in the program execution sequence. If the execution sequence matches the value in the register, execution is allowed; otherwise, the exception processing flow is entered.
- the specific position refers to a position where a branch is generated.
- Method 1: for example, in the DirtyCow case, most of the code of the sys_write system call and the sys_read system call coincides. The do_read_fault function is executed from the sys_read system call, and the do_cow_fault function is executed from the sys_write system call. The function is matched against the system call, and if a mismatch is found, the exception processing flow is entered and the wrong execution order is not continued. The comparison logic can be added after the if statements that precede the calls to the do_read_fault function and the do_cow_fault function, including: the current system call number is obtained from the SCG register.
- if the call number corresponds to sys_read: if the do_read_fault function branch is entered, the function matches the system call and execution is allowed; if the do_cow_fault function branch is entered, the function and the system call do not match, and the exception processing flow is entered. If the call number corresponds to sys_write: if the do_cow_fault function branch is entered, the function matches the system call and execution is allowed; if the do_read_fault function branch is entered, the function and the system call do not match, and the exception processing flow is entered.
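The two-step hook check and the system-call-number comparison at the do_read_fault / do_cow_fault branch, shown together as an added example (not code from the patent or from any kernel). The variable intent_reg stands in for the dedicated register; the hook function names, the syscall numbers and the passing of the hook value as a parameter are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef enum { H_OK, H_FAULT_NOT_HOOK_FN, H_FAULT_INTENT } hook_result;
typedef enum { SYS_READ_NO, SYS_WRITE_NO } syscall_no;      /* constructed numbers */
typedef enum { BR_READ_FAULT, BR_COW_FAULT } fault_branch;  /* do_read_fault / do_cow_fault */
typedef hook_result (*hook_fn)(void);

/* Models the dedicated register. Bit 0: 0 = read system call, 1 = write system call. */
static unsigned intent_reg;

/* Step 2 sits at the entry of every hook function: compare with the recorded intent. */
hook_result file_read_impl(void)  { return (intent_reg & 1u) == 0u ? H_OK : H_FAULT_INTENT; }
hook_result file_write_impl(void) { return (intent_reg & 1u) == 1u ? H_OK : H_FAULT_INTENT; }

/* A function that exists in the program but was never registered for this hook. */
hook_result unrelated_fn(void) { return H_OK; }

/* All hook functions that the file-operation hook may legitimately hold. */
static const hook_fn file_hook_set[] = { file_read_impl, file_write_impl };

/* Step 1: the hook value must be one of the hook's own functions; only then call it. */
hook_result call_file_hook(hook_fn hook)
{
    bool member = false;
    for (size_t i = 0; i < sizeof file_hook_set / sizeof file_hook_set[0]; i++)
        if (file_hook_set[i] == hook) member = true;
    if (!member) return H_FAULT_NOT_HOOK_FN;
    return hook();
}

/* System call entries record the intent before any hook is used. The parameter
 * models the hook value found in memory at call time. */
hook_result sys_read(hook_fn hook)
{
    intent_reg &= ~1u;
    return call_file_hook(hook);
}

hook_result sys_write(hook_fn hook)
{
    intent_reg |= 1u;
    return call_file_hook(hook);
}

/* Comparison added at the point where the shared fault path branches: the branch
 * taken must be the one that belongs to the system call number in SCG. */
bool branch_matches_syscall(syscall_no scg, fault_branch taken)
{
    switch (scg) {
    case SYS_READ_NO:  return taken == BR_READ_FAULT;
    case SYS_WRITE_NO: return taken == BR_COW_FAULT;
    }
    return false;
}

int main(void)
{
    printf("read via read hook:       %d\n", sys_read(file_read_impl));
    printf("read via write hook:      %d\n", sys_read(file_write_impl));
    printf("read via unrelated fn:    %d\n", sys_read(unrelated_fn));
    printf("read reaching cow branch: %d\n", branch_matches_syscall(SYS_READ_NO, BR_COW_FAULT));
    return 0;
}
```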
- An implementation manner of preventing an attacker from directly modifying an attacked person's code through a memory system device is:
- the data includes: page directory table and page table related data;
- the code includes: port functions to set the page table and page directory table. The page table entries corresponding to the pages where other MSUs' code is located are set as read-only; other MSUs cannot directly modify the read-only setting of the page table entries in this MSU, and therefore cannot modify the code of the attacked party.
- An implementation manner that prevents an attacker from arbitrarily specifying an executable area through a memory system device and has an opportunity to introduce an execution order conducive to the attack is:
- Function parameters: the number of MSUs to be added; a pointer to the MSU information array to be added.
- the information of each MSU is a data structure, such as:
- the kernel obtains the MSU information to be allocated and the instructions and data that each MSU needs to store according to the MSU information list. It allocates a linear address space area for the new MSU based on that information, backfills the information in the MSU that needs to be relocated, such as the function addresses, global variable addresses, port list, and function address values in the port matching list, and fills the actual information of the MSU into the MSU descriptor table in the operating system.
- This system call can add the new execution order and data to the existing process according to the agreed MSU format.
- the newly added execution sequence is isolated and protected from the existing execution sequence and data.
- the new MSU and the original MSU must visit each other in accordance with the rules for access between MSUs.
- when the kernel allocates such memory pages, it adds an attribute to the page table indicating that the page is used to store the above MSU information and content.
- the kernel will determine whether the parameter pointer in the above system call for adding a new MSU points to the page that is specifically used to save the information and content of the MSU. If so, a new MSU can be created normally. If not, an error is returned.
- the attack program can be given an arbitrary memory address and store the MSU information and content, and the content stored in the address can be changed into a new MSU.
- An implementation manner of loading a dynamic link library according to an access control rule of a memory system device is:
- the program needs to be dynamically loaded, such as loading the dynamic link library.
- a method is provided for loading the dynamic link library under the MSU mechanism, so that the newly added instructions and data are stored in the MSU area and are subject to the MSU access control rules:
- the file format of the dynamic link library must be in an agreed form with the operating system.
- the library file must contain the MSU information table of the dynamic link library.
- the MSU information table is read out, and the code and data in it are loaded according to the MSU attribute rules agreed in the information table. All loaded MSUs are new MSUs.
- the operating system actually allocates a reasonable MSU linear address area for the dynamic link library according to the memory allocation of the existing process, and performs address relocation on the functions and global data in it.
- the operating system rewrites its MSU information description table, port list, and port matching table to add new MSU information.
- the new MSU contained in the dynamic link library can be added to the linear address space of the existing process. It interacts with the original MSUs in the process according to the MSU access rules, which isolates and protects the original process and the newly added library from each other.
- An implementation manner of loading an executable program for running on a memory system device is:
- the MSU information is stored in the executable program.
- the kernel's loader reads the information, loads the program's code and data according to the MSU boundaries it designates, and writes the MSU information into the MSU descriptor table.
- the kernel allocates stack space for the process, sets the MSU corresponding to the stack space to a shared MSU, and sets its boundary information according to the boundary value of the actual stack.
- An implementation that uses the memory system device to prevent execution from jumping directly to attack code the attacker has prepared in the process space is:
- the in-process program is encapsulated in MSUs, and access between MSUs must go through ports. As a result, even if the execution order is changed in the kernel so that it jumps into the process space, the target address in the process space and the location where the jump is executed are not a legal, matching entry and exit, so the jump is illegal and is intercepted.
- the data and operation procedures related to user rights in the database are stored in MSU-A, and the operation procedures for querying user data and related data are stored in MSU-B.
- the program in MSU-B responds to the user request and queries the data for the user. Suppose an attack occurs during execution: the return address of a function is modified to the first address of a function in MSU-A. By the properties of the MSU, the target address of a transfer instruction within an MSU must not cross the MSU boundary. The function's return instruction therefore raises an exception and enters the exception processing flow, which ensures that the permission data in MSU-A is not changed and that the impact of the attack is limited to MSU-B.
- An implementation manner of checking access between MSUs through a memory system device is:
- the check MSU can also check other data the designer considers important and handle it accordingly.
- the program that maps register ports of a peripheral into the data area of an MSU, in particular including the I/O instructions, is encapsulated in this MSU. This guarantees that only the program in this MSU can map register ports to a memory data area.
- the program that interacts with the peripheral, in particular the program that issues interaction commands to the peripheral, is encapsulated in a terminal MSU, and the program in the I/O instruction MSU maps the peripheral's register ports only into the data area of this kind of terminal MSU. In this way, only this MSU can interact with the peripheral.
- the programs in the I/O instruction MSU and the terminal MSU have a single function and no vulnerabilities.
- a specific implementation manner of establishing a terminal MSU for user data interaction between the buffer and the process space is:
- This terminal MSU contains only the program by which the buffer interacts with the process space. Using parameters such as the physical page number corresponding to the user-space address where the data is stored, the offset of the copy target address within the page, the physical page number corresponding to the buffer block, and the number of bytes to copy, it determines the location of the data to be exchanged, selects a temporary address in the terminal MSU, maps the two physical pages to the selected address, and then copies the data. After the copy is complete, the temporary mapping is released. If other MSUs in the kernel need to exchange data with the process space, they call the terminal MSU through a port function, which ensures that other MSUs in the kernel can interact with user space only through the terminal MSU.
- MSU-A needs to write data to the page corresponding to MSU-B.
- the physical page corresponding to the linear address specified in MSU-B is temporarily mapped to the page frame of MSU-A, the data is written to the page, and then the temporary mapping relationship is released. So MSU-B can get this data.
- MSU-A locks this page when operating this page, so that when the program in MSU-A operates this page, MSU-B has no chance to operate this page.
- An implementation of specifying the stack-bottom address value of an MSU, so as to set the private stack space of each MSU, is:
- the MSU descriptor table records the descriptor of each MSU. See Table 4 for a preferred format of the MSU descriptor.
- N in the table represents a natural number, and its value ultimately depends on the maximum space required to store the content.
- the MSU ID number is the entry number of the MSU descriptor in the MSU descriptor table.
- Each MSU descriptor is provided with an exit descriptor table and an entry descriptor table.
- the exit descriptor table is used to record the exit information of each MSU and the matching information between the exit and other MSU entries. It consists of exit descriptors.
- Each MSU descriptor corresponds to an exit descriptor table, and the exit number of each exit represents the entry number of the exit descriptor in the exit descriptor table.
- the entry descriptor table is used to record the entry information of each MSU.
- the entry descriptor table consists of entry descriptors. Each MSU descriptor corresponds to an entry descriptor table.
- the entry number of each entry represents the entry number of the entry descriptor in the entry descriptor table.
- Add an MSDTR register load instruction, LOAD MSDTR address value, used to store the first address of the MSU descriptor table into MSDTR. This is a privileged instruction and can only be executed at privilege level 0.
- This is a privileged instruction and can only be executed at privilege level 0.
- a register is set up to hold the ID of the shared data MSU corresponding to the stack:
- Add the current role ID register CPR, and add a special instruction to set CPR: LOAD CPR role ID number. This is a privileged instruction and can only be executed at privilege level 0.
- the function is: using the current exit number, the target MSU ID number and the target MSU entry number in the mcall instruction, the processor finds the destination address in the exit descriptor table corresponding to the current MSU descriptor, first pushes the current MSU ID number and the current exit number onto the stack, and then jumps to the target address.
- the function is: using the original MSU ID number and the original exit number stored in the call stack, the processor finds the original MSU descriptor and its corresponding exit in the MSU descriptor table, finds the return address corresponding to that exit, and jumps to the return address.
- the current exit number is used for matching checks.
- the instructions for accessing the global and heap data of this MSU are consistent with the existing system.
- a continuous storage area is used as an access control unit to implement access control.
- the MSU access rules on which access control is based include:
- When the instruction is executed, the processor first checks the validity of the call/return according to the MSU access rules. If the MSU access rules are met, the instruction is allowed to execute further; otherwise an exception is reported.
- the specific contents of the check include: MSU descriptor validation / invalidation check, MSU attribute matching check, and MSU port matching check.
- the ID number of the target MSU is obtained from the operand carried in the mcall instruction; when the mret instruction is executed, the ID number of the target MSU is obtained from the information saved on the top of the stack when the mcall was executed in the original MSU.
- the processor obtains the attribute information from the attribute fields in the current MSU descriptor and the target MSU descriptor and performs the attribute matching check between MSUs. If the attributes satisfy the MSU attribute matching rules recorded in the Summary of the Invention, the port matching check is performed; otherwise an exception is reported.
- the exit descriptor table is found based on the first address of the exit descriptor table stored in the current MSU descriptor.
- the current exit number obtained in mcall is used to find the corresponding entry in the exit descriptor table to determine the exit descriptor.
- three pairs of items are compared: the address of the mcall instruction against the exit address in the exit descriptor; the target MSU ID number carried in the mcall instruction against the target MSU ID number recorded in the exit descriptor; and the target MSU entry number carried in the mcall instruction against the target MSU entry number recorded in the exit descriptor. If any item is inconsistent, an exception is reported; if all items match, the mcall instruction is executed further.
- When the mret instruction is executed, the processor performs a port matching check:
- the exit descriptor table is found from the first address of the exit descriptor table stored in the current MSU descriptor, and the current exit number obtained in mret is used to find the corresponding entry in the exit descriptor table to determine the exit descriptor. If the address of the mret instruction is inconsistent with the above exit address, an exception is reported; otherwise, the mret instruction is further executed.
- When accessing the shared data MSU, the shared data MSU access instruction must be used; otherwise an exception is reported. If the shared data MSU access instruction accesses a non-shared data MSU, an exception is reported.
- Specific methods include:
- if the MSU number specified in the mmov instruction is the MSU number of the MSU where the stack is located, determine whether the target address is less than the current MSU stack address value recorded in the CMSEBP register; if it is less, execution is allowed, otherwise an exception is reported. If the MSU number specified in the mmov instruction is not the MSU number of the MSU where the stack is located, an exception is reported.
- the CUR and CPR registers are automatically set using the ID values of the "user the MSU belongs to" and "role the MSU belongs to" fields in the descriptor table of the target MSU. On this basis, the user and role to which the target MSU belongs are identified as the current user and current role.
- a page (here page refers to a linear page) can only belong to one MSU.
- a corresponding data structure is established.
- the page holding the data structure is placed immediately adjacent to the page holding the page table. Once the first address of the page holding the page table is found, offsetting by one page toward the high-address end gives the first address of the page holding the data structure.
- Each entry in the data structure corresponds to an entry in the page table, and each entry records the ID number of the MSU to which the page of the corresponding page table entry belongs.
- the processor finds the corresponding entry in the MSU descriptor table by the ID number of the MSU to which the page belongs, and each entry corresponds to an MSU descriptor.
- This structure is reflected in the TLB of the processor.
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- General Health & Medical Sciences (AREA)
- Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- General Physics & Mathematics (AREA)
- Bioethics (AREA)
- Virology (AREA)
- Automation & Control Theory (AREA)
- Databases & Information Systems (AREA)
- Storage Device Security (AREA)
Abstract
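The present invention discloses a runtime access control method and a computing device, implemented by means of a memory system device, a specific unit of which may be called a memory system unit (MSU). The memory system device refers to a set of specific access controls and the access region it controls. The region includes a CPU-addressable storage space enclosed by a set of boundaries; the region must be recognized by the access control set, where recognition means recording the region's information in the MSU information. The access control set includes: MSU information, an allow mechanism for access to the region, and/or a prohibit mechanism for access to the region. The scheme provided by the invention effectively achieves runtime access control isolation and prevents attacks.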
Description
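This application relates to the field of information technology, and in particular to a runtime isolation method, and to a runtime access control method and computing device.
In the prior art, particularly in existing operating system and CPU architecture technology, the design of memory and its use has mostly prioritized compactness, convenience and efficiency. As a result, the code of the various functions is intricately interconnected, and data has almost no encapsulation, or only limited encapsulation at the syntax-compilation stage of a high-level language, while at runtime it can in fact be accessed freely without any checks.
Specifically, syntax checking can only guarantee that the source code contains no illegal accesses forbidden by the syntax. At runtime, however, an attacker may by some means change the program's execution sequence or the object of a data access, breaking the encapsulation imposed by the syntax rules. For example, the C++ language specifies that private members of a class cannot be accessed by objects of other classes, but if the program is attacked and the attacker changes a function's jump target at runtime, this protection can be broken.
For the operating system kernel in particular, this defect of the prior art means that the kernel space is essentially flat. Once an attacker, by way of the data transfer between user mode and kernel mode, exploits design flaws in how kernel-mode code transfers and processes data, the attacker can use prepared data to modify kernel data and code almost arbitrarily, and then launch an attack.
The most dangerous outcome is an attack that leads to exceeding authorization, for example:
1. Reading user data (including data in memory and on peripherals) beyond authorization.
2. Writing (including tampering with or deleting) user data beyond authorization.
3. Executing system calls beyond authorization.
4. Executing applications beyond authorization.
Once an attacker has completed the above actions, and because existing operating systems have only extremely limited checking mechanisms, the attacker has in effect gained the ability to access the computer arbitrarily.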
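Summary of the Invention
To address the prior art's inability to effectively control access behavior at runtime, and in particular its inability to apply runtime control to access behavior that may exceed authorization, the present invention discloses a runtime access control method and a corresponding computing device.
To achieve the above purpose, the present invention discloses a memory system device. A specific unit in the memory system device may be called a memory system unit (Memory System Unit), referred to as an MSU. The memory system device refers to a set of specific access controls and the access region it controls.
Unless otherwise specified, the abbreviation MSU in the present invention stands for memory system unit (Memory System Unit).
The region includes a CPU-addressable storage space enclosed by a set of boundaries. The region must be recognized by the access control set; recognition means recording the region's information in the MSU information. The access control set includes: MSU information, an allow mechanism for access to the region, and/or a prohibit mechanism for access to the region. The addressable storage space can hold data and/or instructions. Preferably, all of the software's data and code are placed in designated MSUs as the design requires, that is, no code or data is placed outside an MSU.
The CPU refers to the central processing unit.
Further, a region consists of one or more contiguous storage areas in the same linear address space. Each contiguous storage area is delimited by the address markers at its two ends, and the set of all these address markers constitutes the region's boundary. For a region composed of several contiguous storage areas, the preferred scheme is that the contiguous storage areas in the region do not intersect one another. Storage areas holding data and code are called data areas and instruction areas respectively. The regions of different MSUs do not intersect.
Further, the MSU information includes: MSU boundary information, MSU port information and MSU attribute information. As an optional implementation, a null-port MSU may be provided; its MSU port information is empty, but it still has MSU boundary information and MSU attribute information.
Preferably, the MSU information further includes MSU user information.
Further, the allow mechanism includes: allowing execution of non-transfer instructions, interrupt instructions, and transfer instructions whose target address lies within the current region (does not go beyond it); and allowing instructions in the region to access data in the current region. Further, the allow mechanism includes: allowing data to be passed between regions, whether from inside a region to outside or from outside to inside, by parameter passing; and allowing data to be passed between regions through shared physical memory, which is preferred when passing large amounts of data. The allow mechanism for access between regions, that is, leaving or entering the current region, further includes: transfer instructions between MSUs must execute through ports, and the attribute information and port information must match.
The prohibit mechanism includes prohibiting execution of instructions in a region's data area. Apart from what the allow mechanism permits, every cross-region instruction execution, from inside a region to outside or from outside to inside (including non-transfer instructions, transfer instructions and mismatch cases), and every cross-region data access raises an exception.
A special case is the shared-data MSU, characterized in that it contains only data shared by other MSUs and no instructions; other MSUs are allowed to operate on the data through agreed instructions.
In one specific implementation of the invention, the kernel stack and/or user stack is placed in a shared-data MSU. The MSU to which a stack belongs must be a shared-data MSU, and other MSUs operate on the data in the stack through agreed instructions.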
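The MSU boundary information includes the set formed by the boundary information of all contiguous storage areas in the region recognized by the access control set. The data structure storing this information is called the boundary data for short. The address of the boundary data is associated with the memory system device and is recognizable by it. When a region's boundary needs to be looked up, the device can find the data structure from the address of the boundary data and thereby obtain all the boundary information.
The MSU port information includes entries and/or exits. Within the instruction address area of the region recognized by the access control set, a finite number of instruction addresses are designated as entries or exits, each instruction address being one entry or exit. An optional entry is the target address, within the region, of an inter-MSU transfer instruction; an optional exit is the address at which an inter-MSU transfer instruction is located.
The MSU attribute information includes MSU identification information and MSU type information. The MSU identification information is a unique identifier distinguishing the MSU from other MSUs. The MSU type information may be one of ordinary MSU or shared-data MSU.
Preferably, the MSU attribute information may also include the type information of the user to which the MSU belongs and the identification information of the user to which the MSU belongs. The former is the type of the user that owns the MSU (in some application scenarios the user type is the user role); the latter is the unique identifier of the user that owns the MSU.
Preferably, the aforementioned boundary information and/or attribute information and/or MSU port information can be combined into a single complete data structure that is more convenient to use.
MSU port information matching and MSU attribute information matching mean the following: during program initialization, the exits, entries, boundaries, identification information and type information of the MSUs needed for executing transfer instructions are recorded in the MSU descriptor table. At runtime, the information contained in a transfer instruction is compared with the port information and attribute information in the MSU descriptor table. If the result matches, the transfer is considered legal and the instruction is allowed to execute; otherwise it is considered illegal and an exception is raised.
Further, a check MSU is added to the MSU type information. An MSU whose type information is marked "check MSU" is treated as a check MSU. When the device contains a check MSU, a non-check MSU is not allowed to call another non-check MSU directly: the source MSU must first call the check MSU, which then calls the target MSU. When the target MSU returns, it first returns to the check MSU, which then returns to the source MSU. A non-check MSU is any type of MSU other than a check MSU.
Further, a terminal MSU is added to the MSU type information. An MSU whose type information is marked "terminal MSU" can only be called by other MSUs and cannot call other MSUs.
Further, a null-port MSU is added to the MSU type information. An MSU whose type information is marked "null-port MSU" has no ports. Other MSUs can, through a port, call any function of a null-port MSU, but cannot directly access the null-port MSU's data. When a null-port MSU calls another MSU, it must enter that MSU through that MSU's port. Different null-port MSUs can call each other's functions freely but cannot access each other's data. When a terminal MSU exists, a null-port MSU cannot call the terminal MSU.
Further, a safe-box MSU is added to the MSU type information. This kind of MSU is not allowed to contain an instruction area. Only certain operations that need to save state information may access it. Preferably, the state information may be return addresses, interrupt contexts and the like.
Further, an I/O instruction MSU is added to the MSU type information. When the device contains an I/O instruction MSU, special instructions related to I/O operations may be executed only inside MSUs of this kind. The attribute matching check rules for this kind of MSU are the same as for the terminal MSU.
A device may support none of the check MSU, terminal MSU, null-port MSU, safe-box MSU and I/O instruction MSU, or may support one or several of them.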
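A method of making a memory system device, and an access control method based on that method of making:
Making the memory system device includes making an MSU information recording unit and an MSU access control mechanism unit. The information recording unit records and identifies MSU information in the memory system device. The access control unit controls access to regions according to concrete runtime information and the MSU information in the information recording unit, following the allow mechanism and the prohibit mechanism.
The memory system device information includes MSU region information, MSU attribute information, MSU port information and MSU user information;
The allow mechanism includes: allowing transfers between MSUs through ports that satisfy the matching specification; and allowing other MSUs to access the data of a shared-data MSU through specific instructions;
The prohibit mechanism includes: prohibiting all instructions that cross a boundary directly without passing through a port; prohibiting mutual access between MSUs that goes through a port but does not satisfy the matching specification; and prohibiting an MSU from accessing the data of any MSU other than itself and shared MSUs;
Controlling access to an MSU includes: access that satisfies the allow mechanism passes; access that falls under the prohibit mechanism raises an exception.
The way of applying access control based on this method of making the memory system device includes: adding syntax rules and/or using existing syntax rules and/or using configuration information to write source code that conforms to the MSU rules; extracting and recording MSU information during compilation and linking; generating the corresponding instructions for MSU access actions; allocating the page layout and determining the addressing scheme according to the characteristics of the memory system device; generating an executable program as the memory system device requires; and, when the program is loaded, loading the MSU information into the information recording unit of the memory system device and executing the program. The specific format of the extracted and recorded MSU information depends on the characteristics of the information recording unit of the memory system device.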
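In one specific implementation of the invention, the general method of making the memory system device includes:
A1. Making the memory system device, specifically including:
A1-1. Making the MSU information recording unit, further including:
Saving the aforementioned MSU information as an MSU control reference table, and enabling the memory system device to find that table.
Saving the current MSU's identification information so that the memory system device knows the current MSU.
Preferably, recording the stack-bottom position accessible to the current MSU. Preferably, the current MSU's stack-bottom position is either the stack-bottom position value of the whole stack area, or the stack-top position of the calling MSU before it passed parameters.
A1-2. Making the MSU access control mechanism unit, further including:
The access control mechanism unit is generated according to the MSU access control rules;
As one specific implementation, the access control rules include:
For MSU access control: the address of the instruction following a non-transfer instruction, the target address of an intra-MSU transfer instruction, and the target address of a data access instruction are always allowed as long as they do not go beyond the MSU boundary; otherwise an exception is raised;
The target of a call instruction between MSU regions must be an entry; further, the location of an inter-MSU call or return instruction must be an exit; further, the correspondence between exits and entries must be specified in advance, and inter-MSU calls must conform to the preset correspondence;
As special cases, when the target is a null-port MSU the entry need not be matched, and when the caller is a null-port MSU the exit need not be matched;
Instructions in an MSU can access the data in that MSU, and specific instructions can access the data of a shared-data MSU;
Further, within the stack area each MSU is given a space belonging only to itself, namely from this MSU's stack-bottom position to the stack-top position of the whole stack space. This MSU's stack-bottom position is the stack-top position of the calling MSU before it passed parameters, or the stack-bottom position value of the whole stack area;
Further, an MSU is not allowed to access the stack space of other MSUs.
Figure 1 shows that, during execution, the area of the stack accessible to the current MSU changes as MSUs are called:
At system start, let the current MSU be A; A can access the entire stack range. A calls MSU B; before passing the actual arguments to B, A marks the stack-top position, and while B executes, B's accessible stack range runs from the marked position to the stack-top-direction boundary of the entire stack range. B in turn calls MSU C, likewise marking the current stack-top position before passing the actual arguments, and C's accessible stack range runs from that newly marked position to the stack-top-direction boundary of the entire stack range. When C returns to B, B's accessible stack range is the same as before C was called.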
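The moving per-MSU stack window described for Figure 1 can be modelled in a few lines of C. This is an added example, not code from the patent; it assumes a downward-growing stack, and the structure, function names and addresses are hypothetical.

```c
/* Added illustration: the per-MSU accessible stack window of Figure 1.
 * Assumes a downward-growing stack; all names and addresses are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_DEPTH 8

struct stack_window {
    uintptr_t limit;              /* stack-top-direction boundary (lowest address) */
    uintptr_t sp;                 /* current stack top */
    uintptr_t bottom[MAX_DEPTH];  /* stack bottom of each MSU on the call chain */
    size_t depth;                 /* index of the current MSU in bottom[] */
};

void sw_init(struct stack_window *s, uintptr_t limit, uintptr_t base) {
    s->limit = limit;
    s->sp = base;
    s->depth = 0;
    s->bottom[0] = base;          /* the first MSU may use the whole stack area */
}

/* Stack-bottom address of the MSU that is currently executing. */
uintptr_t sw_bottom(const struct stack_window *s) { return s->bottom[s->depth]; }

/* The current MSU may touch [addr, addr+len) only between the stack-top
 * boundary and its own stack bottom. Returns 1 if allowed, 0 if not. */
int sw_access_ok(const struct stack_window *s, uintptr_t addr, size_t len) {
    uintptr_t bottom = sw_bottom(s);
    return addr >= s->limit && addr <= bottom && len <= bottom - addr;
}

/* The current MSU reserves n bytes of locals. */
int sw_alloc_locals(struct stack_window *s, size_t n) {
    if (n > s->sp - s->limit) return -1;
    s->sp -= n;
    return 0;
}

/* Inter-MSU call: the caller's stack top, marked before the arguments are
 * pushed, becomes the callee's stack bottom, so the callee sees the
 * arguments but none of the caller's frame. */
int sw_mcall(struct stack_window *s, size_t arg_bytes) {
    if (s->depth + 1 >= MAX_DEPTH || arg_bytes > s->sp - s->limit) return -1;
    s->bottom[++s->depth] = s->sp;
    s->sp -= arg_bytes;
    return 0;
}

/* Inter-MSU return: drop the callee's frame; the caller's window is restored. */
int sw_mret(struct stack_window *s) {
    if (s->depth == 0) return -1;
    s->sp = s->bottom[s->depth--];
    return 0;
}

int main(void) {
    struct stack_window s;
    sw_init(&s, 0x7000, 0x8000);          /* constructed stack area */
    sw_alloc_locals(&s, 0x100);           /* A's locals occupy 0x7f00..0x8000 */
    sw_mcall(&s, 16);                     /* A calls B with 16 bytes of arguments */
    printf("B reads its arguments: %d\n", sw_access_ok(&s, 0x7ef0, 16));
    printf("B reads A's locals:    %d\n", sw_access_ok(&s, 0x7f80, 8));
    sw_mret(&s);
    printf("A reads its locals:    %d\n", sw_access_ok(&s, 0x7f80, 8));
    return 0;
}
```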
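The access control rules for calls between MSUs are:
Excluding shared-data MSUs:
When only ordinary MSUs are present, the access control rule is: call and return instructions are allowed only between ordinary MSUs;
When only ordinary MSUs and check MSUs are present: call and return instructions are allowed only between an ordinary MSU and a check MSU;
When only ordinary MSUs and terminal MSUs are present, the only things allowed are: calls and returns between ordinary MSUs; a call instruction from an ordinary MSU to a terminal MSU; a return instruction from a terminal MSU to an ordinary MSU;
When only ordinary MSUs, check MSUs and terminal MSUs are present, the only things allowed are: call and return instructions between an ordinary MSU and a check MSU; a call instruction from a check MSU to a terminal MSU; a return instruction from a terminal MSU to a check MSU;
When only ordinary MSUs and null-port MSUs are present, the only things allowed are: call and return instructions between ordinary MSUs; call and return instructions between null-port MSUs; call and return instructions between an ordinary MSU and a null-port MSU;
When only ordinary MSUs, check MSUs and null-port MSUs are present, the only things allowed are: call and return instructions between an ordinary MSU and a check MSU; call and return instructions between a null-port MSU and a check MSU;
When only ordinary MSUs, terminal MSUs and null-port MSUs are present, the only things allowed are: call and return instructions between ordinary MSUs; call and return instructions between null-port MSUs; call and return instructions between an ordinary MSU and a null-port MSU; a call instruction from an ordinary MSU to a terminal MSU; a return instruction from a terminal MSU to an ordinary MSU;
When only ordinary MSUs, check MSUs, terminal MSUs and null-port MSUs are present, the only things allowed are: call and return instructions between an ordinary MSU and a check MSU; call and return instructions between a null-port MSU and a check MSU; a call instruction from a check MSU to a terminal MSU; a return instruction from a terminal MSU to a check MSU;
The call and return access control rules for an I/O instruction MSU are the same as for a terminal MSU.
A2. Comparison of MSU information at the runtime stage
The information carried in the instruction is compared with the MSU information recorded in the data structure. If the comparison result conforms to the MSU access rules, the access is let through; otherwise it is intercepted.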
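As an added illustration (not code from the patent), the C sketch below models in software the comparison made in A2 for a configuration with ordinary, check and terminal MSUs: descriptor validity, then attribute matching, then exit/entry port matching, together with the intra-MSU boundary rule. The descriptor layout, the names and the sample addresses are assumptions.

```c
/* Added illustration: software model of the inter-MSU call check.
 * Type names, field names and addresses are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum msu_type { MSU_ORDINARY, MSU_CHECK, MSU_TERMINAL, MSU_SHARED_DATA };
enum verdict  { ALLOW, EXC_INVALID, EXC_BOUNDARY, EXC_ATTRIBUTE, EXC_PORT };

struct exit_desc {              /* one exit and the entry it is paired with */
    uintptr_t exit_addr;        /* address of the inter-MSU call instruction */
    unsigned  target_msu;       /* ID of the MSU this exit may transfer to */
    unsigned  target_entry;     /* entry number inside that MSU */
};

struct msu_desc {
    int valid;                                /* enabled/disabled flag */
    enum msu_type type;
    uintptr_t lo, hi;                         /* one contiguous area [lo, hi) */
    const struct exit_desc *exits; size_t n_exits;
    const uintptr_t *entries;      size_t n_entries;  /* entry addresses */
};

/* Constructed sample: MSU 0 ordinary, MSU 1 check, MSU 2 terminal. */
static const struct exit_desc exits0[] = { { 0x1040, 1, 0 } };
static const struct exit_desc exits1[] = { { 0x2080, 2, 0 } };
static const uintptr_t entries0[] = { 0x1000 };
static const uintptr_t entries1[] = { 0x2000 };
static const uintptr_t entries2[] = { 0x3000 };
const struct msu_desc msu_table[] = {
    { 1, MSU_ORDINARY, 0x1000, 0x2000, exits0, 1, entries0, 1 },
    { 1, MSU_CHECK,    0x2000, 0x3000, exits1, 1, entries1, 1 },
    { 1, MSU_TERMINAL, 0x3000, 0x4000, NULL,   0, entries2, 1 },
};
#define N_MSU (sizeof msu_table / sizeof msu_table[0])

/* Call rule for ordinary + check + terminal MSUs: ordinary and check MSUs
 * call each other, and only a check MSU may call a terminal MSU. */
static int attr_call_ok(enum msu_type src, enum msu_type dst) {
    if (src == MSU_ORDINARY) return dst == MSU_CHECK;
    if (src == MSU_CHECK)    return dst == MSU_ORDINARY || dst == MSU_TERMINAL;
    return 0;   /* terminal MSUs never call out; shared-data MSUs hold no code */
}

/* Intra-MSU transfer: the target must stay inside the current MSU. */
enum verdict local_jump_check(const struct msu_desc *m, uintptr_t target) {
    return (target >= m->lo && target < m->hi) ? ALLOW : EXC_BOUNDARY;
}

/* Inter-MSU call issued at insn_addr inside MSU `cur`. On ALLOW the entry
 * address to jump to is stored in *target. */
enum verdict mcall_check(const struct msu_desc *tbl, size_t n, unsigned cur,
                         uintptr_t insn_addr, unsigned exit_no,
                         unsigned dst, unsigned entry_no, uintptr_t *target) {
    if (cur >= n || dst >= n || !tbl[cur].valid || !tbl[dst].valid)
        return EXC_INVALID;
    if (!attr_call_ok(tbl[cur].type, tbl[dst].type))
        return EXC_ATTRIBUTE;
    if (exit_no >= tbl[cur].n_exits || entry_no >= tbl[dst].n_entries)
        return EXC_PORT;
    const struct exit_desc *e = &tbl[cur].exits[exit_no];
    /* All three items carried by the instruction must equal the record. */
    if (e->exit_addr != insn_addr || e->target_msu != dst ||
        e->target_entry != entry_no)
        return EXC_PORT;
    *target = tbl[dst].entries[entry_no];
    return ALLOW;
}

int main(void) {
    uintptr_t t = 0;
    printf("ordinary -> check via exit 0:  %d\n",
           mcall_check(msu_table, N_MSU, 0, 0x1040, 0, 1, 0, &t));
    printf("ordinary -> terminal directly: %d\n",
           mcall_check(msu_table, N_MSU, 0, 0x1040, 0, 2, 0, &t));
    printf("call from an unregistered address: %d\n",
           mcall_check(msu_table, N_MSU, 0, 0x1100, 0, 1, 0, &t));
    printf("plain jump out of MSU 0: %d\n",
           local_jump_check(&msu_table[0], 0x3000));
    return 0;
}
```

A corrupted return address or function pointer that points into another MSU fails `local_jump_check`, and a forged inter-MSU call fails one of the three port comparisons unless it is issued from a registered exit toward that exit's paired entry.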
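The access control method based on this method of making the memory system device includes:
B1. Compiling a source program that contains MSUs, specifically including:
B1-1. Extracting MSU information, specifically including:
With the support of new syntax rules, existing syntax rules or configuration information, the programming stage can completely and accurately express and preserve the MSU information of the program design. This further includes:
Using new syntax rules, existing syntax rules or configuration information to specify: the MSU to which each function and data item belongs; the type and identifier of each MSU; which functions are MSU-internal functions and which are port functions; and which port functions have calling relationships with one another;
The compiler records the extracted information in the form of a syntax tree;
Based on the information in the syntax tree, the program's memory layout is established, instructions and data are assigned addresses, and the addresses of the boundary information and port information are extracted;
Based on the information in the syntax tree, the attribute information, the MSU enabled/disabled state and the MSU ID number are extracted;
The compiler saves the MSU information in a structure conforming to the MSU control reference table of the memory system device.
B1-2. Restricting the MSU syntax access rules:
The compiler analyzes the information recorded in the syntax tree and does not generate an executable program for code that violates the MSU access rules.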
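The MSU access rules include:
Inside an MSU, functions can call one another and can access global data belonging to that MSU. Between MSUs, a function of one MSU is only allowed to call port functions of other MSUs; calls through function pointers are not allowed. Further, only port functions of an MSU are allowed to call port functions of other MSUs. Further, only an I/O instruction MSU is allowed to use specific I/O instructions, such as the in and out instructions of the INTEL architecture. An MSU's code cannot access the data of other MSUs, except for shared-data MSUs. As a special case, MSUs of other types are allowed to call any function of a null-port MSU.
Further, the syntax rules for calls and returns between MSUs can be further restricted for MSUs of different attributes, specifically:
Excluding shared-data MSUs:
When only ordinary MSUs are present, the syntax rule is: calls and returns are allowed only between ordinary MSUs;
When only ordinary MSUs and check MSUs are present: calls and returns are allowed only between an ordinary MSU and a check MSU;
When only ordinary MSUs and terminal MSUs are present, the only things allowed are: calls and returns between ordinary MSUs; an ordinary MSU calling a terminal MSU; a terminal MSU returning to an ordinary MSU;
When only ordinary MSUs, check MSUs and terminal MSUs are present, the only things allowed are: calls and returns between an ordinary MSU and a check MSU; a check MSU calling a terminal MSU; a terminal MSU returning to a check MSU;
When only ordinary MSUs and null-port MSUs are present, the only things allowed are: calls and returns between ordinary MSUs; calls and returns between null-port MSUs; calls and returns between an ordinary MSU and a null-port MSU;
When only ordinary MSUs, check MSUs and null-port MSUs are present, the only things allowed are: calls and returns between an ordinary MSU and a check MSU; calls and returns between a null-port MSU and a check MSU;
When only ordinary MSUs, terminal MSUs and null-port MSUs are present, the only things allowed are: calls and returns between ordinary MSUs; calls and returns between null-port MSUs; calls and returns between an ordinary MSU and a null-port MSU; an ordinary MSU calling a terminal MSU; a terminal MSU returning to an ordinary MSU;
When only ordinary MSUs, check MSUs, terminal MSUs and null-port MSUs are present, the only things allowed are: calls and returns between an ordinary MSU and a check MSU; calls and returns between a null-port MSU and a check MSU; a check MSU calling a terminal MSU; a terminal MSU returning to a check MSU;
The call and return rules for an I/O instruction MSU are the same as for a terminal MSU.
B1-3. Generating instructions related to MSU access, specifically including:
Saving the MSU access information as instructions the processor can recognize.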
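B2. Processing of MSU information at the runtime stage
Reading the MSU control reference table from the agreed location in the executable program and loading it into memory;
Extracting the information that can only be determined at runtime (such as stack area boundary information, heap area boundary information and user information) and saving it in the MSU control reference table;
When loading a process, creating one stack for each privilege level and setting the region of that privilege level's stack as the region of the shared-data MSU, so that different MSUs can all access the data in the stack;
When MSU information changes at runtime or a new MSU is added, modifying the corresponding information in the MSU control reference table.
Depending on the characteristics of different hardware architectures, and on the specific MSU information marking and interception approaches, equivalent in effect but differing in form, that a person skilled in the art may adopt on the basis of software and/or hardware, the memory system device can be implemented in many specific ways. To explain the technical solution of the invention more fully, three typical specific ways are described below. It should be noted that the three typical ways described are only some of the possible specific ways, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the implementations disclosed in the present invention without creative effort fall within the scope of protection of the invention. Different ways of applying access control are provided for different methods of making the memory system device.
The typical specific ways include:
A method of making the memory system device in software, including: under the existing architecture, using software instructions to access MSU information and to perform access control according to the MSU information.
A method of making the memory system device using the segment mechanism, including: under the INTEL 32-bit architecture, describing MSUs with segments, relying on the segment boundary access control mechanism to implement the MSU boundary access control mechanism, and relying on software instructions to implement the checking and judging of attributes and ports.
A method of making the memory system device by adding new hardware mechanisms, including: adding some hardware according to the needs of MSU information reading and access control, and relying on the added hardware to read MSU information and to perform access control according to the MSU information.
Each is described below.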
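A method of making the memory system device in software:
This method is implemented on the basis of the aforementioned general method of making the memory system device, and further includes:
C-A1. Making the memory system device, specifically including:
Making the MSU information recording unit:
Creating a control reference table for each MSU, containing: the MSU's boundary information, attribute information, port information, enabled/disabled state and MSU ID number, and preferably also the type information and identification information of the user to which the MSU belongs. The control reference table is placed in the data area of the MSU it belongs to.
The boundary information of all MSUs is expressed as logical addresses, and the function addresses in the port information are logical addresses.
The first address of each MSU's reference table is saved in that MSU's data area, so that the MSU's instructions can access the table.
Making the access control unit
The MSU access control logic is enforced by software instructions, specifically:
For a data access instruction whose target address cannot be determined at compile time, a checking instruction is added before it to determine whether the target address belongs to the current MSU's data area or to the accessible area of the stack. If not, the exception handling flow is entered; if so, the access instruction executes normally;
For an intra-MSU indirect transfer instruction, a checking instruction is added before it to determine whether the transfer target address belongs to the current MSU's instruction area. If not, the exception handling flow is entered; if so, the transfer instruction executes normally;
Before an inter-MSU call/return, attribute and port matching check instructions are added to determine whether the MSU access control rules are satisfied. If not, the exception handling flow is entered; if so, the call/return proceeds normally.
A preferred scheme is for the compiler to identify, at compile time, the locations where these instructions need to be added, generate them, and save them in the executable program.
C-A2. Comparison of MSU information at the runtime stage
Access control over MSUs is achieved by executing the instructions in the executable program that implement the MSU access control logic. For the specific instructions, see "generation of the MSU access control logic" in this method.
The way of applying access control for this method of making the memory system device includes:
This method is implemented on the basis of the aforementioned general way of applying access control for the memory system device, and further includes:
C-B1. Compiling a source program that contains MSUs, specifically including:
C-B1-1. Extracting MSU information, specifically including:
The information to be extracted includes: the MSU's boundary information, attribute information, port information, enabled/disabled state and MSU ID number, and preferably also the type information and identification information of the user to which the MSU belongs. The control reference table is placed in the data area of the MSU it belongs to.
At link time, all MSUs are addressed uniformly in the same linear address space with the same base address.
A data pointer pointing to the above control reference table is provided in each MSU.
C-B1-2. Restricting the MSU syntax access rules:
The same as the aforementioned restriction of the MSU syntax access rules for the memory system device.
C-B1-3. Generating instructions related to MSU access, specifically including:
Inter-MSU call/return instructions are the same as intra-MSU call/return instructions. Between MSUs, indirect transfers via call instructions are not allowed. Instructions that access this MSU's global data and heap data are the same as instructions that access stack data.
C-B2. Processing of MSU information at the runtime stage
When the program is loaded, the identification information and type information of the user to which the MSU belongs, in the MSU attributes, are set according to the process's user ID and user role type.
The MSU's control reference table is saved in separate pages, and the pages are set read-only.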
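A method of making the memory system device using the segment mechanism:
This method is implemented on the basis of the aforementioned general method of making the memory system device, and further includes:
D-A1. Making the memory system device, specifically including:
Making the MSU information recording unit:
Segments are used to describe the MSU's independent storage areas; the boundary information of an independent storage area is ultimately stored in the GDT as a segment descriptor;
Creating a control reference table for each MSU, containing: MSU attribute information, port information, enabled/disabled state, MSU ID number, and a mapping table between the MSU and the segment descriptors belonging to it, and preferably also the type information and identification information of the user to which the MSU belongs. The control reference table is placed in the data area of the MSU it belongs to;
The function addresses in the MSU port information are logical addresses.
The first address of each MSU's reference table is saved in that MSU's data area, so that the MSU's instructions can access the table.
Making the access control unit:
The MSU access control logic is enforced jointly by software instructions and the segment mechanism, specifically:
Using the segment's region boundary control to implement the MSU's region boundary control;
Before an inter-MSU call/return, attribute and port matching check instructions are added to determine whether the MSU access control rules are satisfied. If not, the exception handling flow is entered; if so, the call/return proceeds normally.
A preferred scheme is for the compiler to identify, at compile time, the locations where these instructions need to be added, generate them, and save them in the executable program.
D-A2. Comparison of MSU information at the runtime stage
Based on the MSU boundary information already loaded into the GDT, the segment's region boundary control is used to implement the MSU's region boundary control.
Access control over MSUs is achieved by executing the attribute and port matching check instructions in the executable program.
The way of applying access control for this method of making the memory system device includes:
This method is implemented on the basis of the aforementioned general way of applying access control for the memory system device, and further includes:
D-B1. Compiling a source program that contains MSUs, specifically including:
D-B1-1. Extracting MSU information, specifically including:
On the basis of the aforementioned general method of making the memory system device, further including:
Creating a control reference table for each MSU, containing: MSU attribute information, port information, enabled/disabled state, MSU ID number, and a mapping table between the MSU and the segment descriptors belonging to it, and preferably also the type information and identification information of the user to which the MSU belongs. The control reference table is placed in the data area of the MSU it belongs to;
All MSUs are in the same linear address space. The instruction area and data area of each MSU are addressed separately; the base address of each is written into the segment base of the corresponding segment, and its length into the segment limit of the corresponding segment;
Data pointer types are divided into global data area pointers, heap area pointers and stack area pointers; every pointer operation must specify its pointer type.
D-B1-2. Restricting the MSU syntax access rules:
The same as the aforementioned method of restricting the MSU syntax access rules for the memory system device.
D-B1-3. Generating instructions related to MSU access, specifically including:
Inter-MSU call/return instructions use inter-segment call/return instructions. Between MSUs, indirect transfers via call instructions are not allowed.
Intra-MSU call/return instructions use intra-segment call/return instructions.
Instructions that access this MSU's global data, heap data and stack data must specify the corresponding segment selector.
D-B2. Processing of MSU information at the runtime stage
When the program is loaded, the identification information and type information of the user to which the MSU belongs, in the MSU attributes, are set according to the process's user ID and user role type.
The MSU's control reference table is saved in separate pages, and the pages are set read-only.
The MSU boundary information is loaded into the GDT.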
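A method of making the memory system device by adding new hardware mechanisms:
E-A1. Making the memory system device, specifically including:
Making the MSU information recording unit:
Creating a control reference table containing: MSU boundary information, MSU attribute information, port information, enabled/disabled state and MSU ID number, and preferably also the type information and identification information of the user to which the MSU belongs. The control reference table is placed in the data area of the MSU it belongs to;
The MSU boundary information is expressed as linear addresses; the function addresses in the port information are logical addresses.
Enabling the memory system device to read the above control reference table automatically.
Making the access control unit:
The MSU access control logic is enforced by hardware, specifically:
Adding new hardware for MSU access control: a register recording the location of the MSU descriptor table, and a register recording the current MSU descriptor;
Adding an instruction that assigns the location of the MSU descriptor table to the register recording the MSU descriptor table location; the location is described by a linear address;
Adding an instruction that assigns the identifying information of the current MSU descriptor to the register recording the current MSU descriptor;
When the CPU needs MSU information for access control, it finds the current MSU descriptor using the register recording the MSU descriptor table location and the register recording the current MSU descriptor, and performs the MSU boundary, attribute and port checks.
Adding a hardware mechanism that determines whether the address of the instruction following a non-transfer instruction, or the target address of an intra-MSU transfer instruction, goes beyond the current MSU boundary. If it does, an exception is raised; otherwise execution is allowed.
Adding a hardware mechanism that determines whether the target address in a data access instruction belongs to the current data area or stack area. If it does not, an exception is raised; if it does, the access is allowed.
Adding a hardware mechanism that, on an inter-MSU call/return, first performs the attribute and port matching checks. If the MSU attribute and port matching rules are satisfied, execution is allowed; otherwise an exception is raised.
Adding a hardware mechanism so that a shared-data MSU must be accessed with the shared-data MSU access instruction, otherwise an exception is raised; if a shared-data MSU access instruction accesses a non-shared-data MSU, an exception is raised.
Adding a hardware mechanism by which the MSU containing each interrupt handler is set in the IDT. When the handler executes, the current MSU is automatically switched to the MSU containing the handler. When the interrupt saves the context, the ID of the MSU at that time is also saved, and it is restored together with the context.
To control the current user and current role:
At non-zero privilege levels, when the MSU is switched, the values of the "identification information of the user to which the MSU belongs" and "type information of the user to which the MSU belongs" fields in the target MSU's descriptor table are automatically set as the current user and current role.
E-A2. Comparison of MSU information at the runtime stage
The hardware performs MSU boundary, attribute and port checks by comparing the MSU information carried by the instruction with the information in the MSU descriptor, thereby implementing access control over MSUs.
The way of applying access control for this method of making the memory system device:
This method is implemented on the basis of the aforementioned general way of applying access control for the memory system device, and further includes:
E-B1. Compiling a source program that contains MSUs, specifically including:
E-B1-1. Extracting MSU information, specifically including:
On the basis of the aforementioned general way of applying access control for the memory system device, further including:
Setting up an MSU descriptor table containing the descriptor of each MSU, with: MSU boundary information, attribute information, port information, enabled/disabled state and MSU ID number, and preferably also the type information and identification information of the user to which the MSU belongs.
All MSUs are addressed uniformly in the same linear address space with the same base address;
Data pointer types are divided into global data area pointers, heap area pointers and stack area pointers; every pointer operation must specify its pointer type.
E-B1-2. Restricting the MSU syntax access rules:
The same as the aforementioned restriction of the MSU syntax access rules for the memory system device.
E-B1-3. Generating instructions related to MSU access, specifically including:
Inter-MSU calls/returns use the inter-MSU call/return instructions. Between MSUs, indirect transfers via call instructions are not allowed.
Intra-MSU calls/returns use intra-MSU call/return instructions. For compatibility, a preferred scheme is to use the call/return instructions of the existing architecture.
Accesses to a shared-data MSU use the shared-data MSU access instruction.
E-B2. Processing of MSU information at the runtime stage
When the program is loaded, the identification information and type information of the user to which the MSU belongs, in the MSU attributes of the MSU descriptor table, are set according to the process's user ID and user role type.
The MSU descriptor table is saved in separate pages, and the pages are set read-only.
When an interrupt handler executes, the current MSU is first automatically switched to the MSU containing the handler. When the interrupt saves the context, the ID of the MSU at that time is also saved; when the context is restored, execution switches back to that MSU.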
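Further, the added-hardware approach may use either a contiguous storage area or a page as the access control unit.
As one specific implementation of the invention, a method of making MSUs with the contiguous storage area as the access control unit:
This method is implemented on the basis of the aforementioned added-hardware method of making the memory system device, and further includes:
F-A1. Making the memory system device, specifically including:
Making the MSU information recording unit:
On the basis of the aforementioned added-hardware method of making the memory system device, further, the unit in which MSU boundary information is described is the address boundary values of contiguous storage units.
Making the access control unit:
The MSU access control mechanism is enforced by hardware, specifically:
Using the register recording the MSU descriptor table location and the register recording the current MSU descriptor, MSU information is looked up per MSU;
When an instruction executes, the access control decision is made according to the kind of instruction.
F-A2. Comparison of MSU information at the runtime stage
When an instruction executes, the hardware performs MSU boundary, attribute and port checks by comparing the MSU information contained in the instruction with the information in the MSU descriptor, thereby implementing access control over MSUs. The MSU information is looked up through the two registers, the one recording the MSU descriptor table location and the one recording the current MSU descriptor.
The way of applying access control for this method of making the memory system device includes:
This method is implemented on the basis of the aforementioned general way of applying access control for the memory system device, and further includes:
F-B1. Compiling a source program that contains MSUs, specifically including:
F-B1-1. Extracting MSU information, specifically including:
The same as in the aforementioned added-hardware method of making the memory system device.
F-B1-2. Restricting the MSU syntax access rules:
The same as the method of restricting the MSU syntax access rules in the aforementioned added-hardware approach.
F-B1-3. Generating instructions related to MSU access, specifically including:
The same as in the aforementioned added-hardware method of making the memory system device.
F-B2. Processing of MSU information at the runtime stage
The same as in the aforementioned hardware method of making the memory system device.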
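As one specific implementation of the invention, a method of making MSUs with the page as the access control unit:
This method is implemented on the basis of the aforementioned added-hardware method of making the memory system device, and further includes:
G-A1. Making the memory system device, specifically including:
Making the MSU information recording unit:
Creating a data structure corresponding to the existing page table: each entry corresponds to one linear page and records the ID of the MSU to which that page belongs.
The page holding this data structure is placed immediately adjacent to the page holding the page table: once the first address of the page holding the page table is found, offsetting by one page toward the high-address end gives the first address of the page holding the data structure.
Making the access control unit:
The MSU access control mechanism is enforced by hardware, specifically:
A page (here meaning a linear page) can belong to only one MSU;
Creating the MSU descriptor table and port descriptor tables, whose contents are the same as those of the corresponding tables in the aforementioned method of making MSUs with the contiguous storage area as the access control unit;
Based on the linear address, finding the entry for that address in the page MSU description table, and using the MSU ID recorded in the entry to look up the MSU information in the MSU descriptor table;
When a cross-page access occurs, the access control decision is made according to the kind of instruction being executed.
G-A2. Comparison of MSU information at the runtime stage
When a cross-page access occurs, the hardware performs MSU boundary, attribute and port checks by comparing the MSU information contained in the instruction with the information in the MSU description table corresponding to the page, thereby implementing access control over MSUs.
The way of applying access control for this method of making the memory system device includes:
This method is implemented on the basis of the aforementioned general way of applying access control for the memory system device, and further includes:
G-B1. Compiling a source program that contains MSUs, specifically including:
G-B1-1. Extracting MSU information, specifically including:
The same as in the aforementioned added-hardware method of making the memory system device.
G-B1-2. Restricting the MSU syntax access rules:
The same as the method of restricting the MSU syntax access rules in the aforementioned added-hardware approach.
G-B1-3. Generating instructions related to MSU access, specifically including:
The same as in the aforementioned added-hardware method of making the memory system device.
G-B2. Processing of MSU information at the runtime stage
On the basis of the added-hardware method of making the memory system device, the data structure corresponding to the page table must be filled in. That is, when MSU content is loaded, the pages holding the content must be mapped into the linear address space through the page table; during the mapping, a data structure in one-to-one correspondence with the page table is added to hold the ID number of the MSU to which each page belongs. For a given page number, the mapped linear address value can be used to find the corresponding MSU boundary and thus determine the MSU to which the page belongs, whose ID number is written into this data structure. This ID number is the index of the MSU descriptor in the MSU descriptor table.
Based on any of the above MSUs, a person skilled in the art can use the mechanisms MSUs provide to devise specific uses for specific problems. To explain the technical solution of the invention more fully, several specific uses are described below. It should be noted that all other embodiments obtained by a person of ordinary skill in the art from the technical solutions disclosed in the present invention without creative effort fall within the scope of protection of the invention.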
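A method of using the memory system device, including: using the memory system device to prevent an attack from taking effect through direct modification of authorization information.
Further including: encapsulating the authorization information and its maintenance program in one MSU, so that programs in other MSUs cannot directly modify its data, and ensuring that this MSU contains nothing other than the authorization information and its maintenance program, so that its logic is simple and its function single, and formal verification and exhaustive testing can guarantee that it has no vulnerabilities.
A method of using the memory system device, including: using the memory system device to prevent an attack execution-sequence branch arising from modification of a return address.
Further including: when a return address needs to be saved, saving it in an MSU; when it needs to be used, retrieving it from the MSU. Because data in an MSU cannot be arbitrarily accessed by other MSUs, the return address information is guaranteed not to be altered between being saved and being retrieved, which in turn ensures that no attack execution-sequence branch arises from a modified return address.
Preferably: an ordinary MSU is used to protect return addresses and related information. When a function return address or interrupt context information (including the interrupt return address) needs to be saved, port function A of the ordinary MSU is called, and this function stores the data in the ordinary MSU; when the data needs to be retrieved, port function B of the ordinary MSU is called, and this function retrieves the data from the ordinary MSU.
Preferably: each process state information management structure (including the register values used to record the process's runtime state, and in particular the target address value needed when switching to the process) and the process switching program (comprising only the code that saves the current process's state information and sets the registers from the target process's state information) are kept in a terminal MSU. The final stage of any process switch in the system, namely switching the process state information, must be completed in this MSU.
Preferably: using the protective properties of the safe-box MSU, function return addresses and interrupt context information (including interrupt return addresses) are saved in a safe-box MSU when they need to be saved, and retrieved for use on function return or interrupt return. Specifically:
F1-A. Adding a new stack independent of the existing stack, hereinafter called the call information stack;
F1-B. When the CPU needs to save the current state information, writing the data to be saved to the call information stack;
F1-C. When the CPU needs to retrieve the saved data, retrieving it from the call information stack.
F1-D. Defining a new MSU attribute for holding the call information stack, with dedicated instructions that can access MSUs of this kind.
In step A, the call information stack is used only to store data related to protecting the context of transfers; in function or in space, this MSU is independent of the stack already allocated for storing code, global data and stack data.
The CPU needs to save the current state information on a function call or when an interrupt occurs; the CPU needs to retrieve the saved data when a function call or an interrupt returns.
The call information stack is used to store return addresses, is laid out in memory as a stack, and one is provided for each privilege level. The original stack is called the data stack and is used to hold parameters and local variables. An ass register and an aesp register are added, holding the segment selector of the call information stack and the stack-top pointer of the call information stack respectively.
Step B further includes: when data to be saved is written to the call information stack, the value of the aesp register is automatically decremented by the total length of the data written;
Step C further includes: when data is retrieved from the call information stack, the value of the aesp register is automatically incremented by the total length of the data popped;
Further, pushadr and popadr instructions are added. The pushadr instruction pushes an address onto the call information stack, and aesp automatically points to the new stack top; the popadr instruction pops an address from the call information stack, and aesp automatically points to the new stack top.
Further, the call instruction is modified: the modified call instruction pushes the return address onto the call information stack, while parameters and local variables are kept on the data stack. Preferably, for better compatibility with existing programs, the modified call instruction pushes the return address onto the call information stack, and parameters, local variables and the return address are kept on the data stack.
Further, the ret instruction is modified: the modified ret instruction pops the return address from the call information stack and updates the value of aesp.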
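When the CPU needs to save the current state information because an interrupt has occurred, the steps for writing the data to be saved to the call information stack include:
Comparing the privilege level of the handler routine to be executed with the current privilege level. If the handler routine's privilege level is less than the current privilege level, step B1.1 is performed; if they are the same, step B1.2 is performed;
Step B1.1 further includes:
a. The processor obtains the segment selectors and stack pointers of the data stack and the call information stack from the current task's tss. It pushes the stack segment selectors and stack pointers of the interrupt routine's data stack and call information stack, namely ss0, esp0 and ass0, aesp0, onto the new call information stack in order;
b. The processor then saves the current values of the EFLAGS, CS and EIP registers onto the new call information stack;
c. If the exception also produced an error code, it is pushed onto the data stack.
Step B1.2 further includes:
d. The processor saves the current values of the EFLAGS, CS and EIP registers on the current call information stack;
e. If the exception's error code needs to be saved, it is saved on the current data stack.
When the CPU needs to retrieve the saved data because of an interrupt return, the steps for retrieving data from the call information stack include:
Modifying the iret instruction:
If step B1.1 was chosen when writing to the call information stack, step C1 is performed in step C, specifically:
The values of the EFLAGS, CS and EIP registers saved on the new call information stack are restored to the EFLAGS, CS and EIP registers; the saved ss0 and esp0 values are restored to the ss and esp registers; and the saved ass0 and aesp0 values are restored to the ass and aesp registers;
If step B1.2 was chosen when writing to the call information stack, step C2 is performed in step C, specifically:
The values of the EFLAGS, CS and EIP registers saved on the new call information stack are restored to the EFLAGS, CS and EIP registers.
Further, a new MSU attribute is defined for holding the call information stack. Only the call instruction, the mcall instruction, the pushadr instruction, the popadr instruction, and the writing of the information to be saved when an interrupt gate is executed may write to this MSU; other instructions cannot access it.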
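A method of using the memory system device, including: using the memory system device to prevent an attack execution-sequence branch arising from modification of a function pointer.
Further including: before calling a hook function, checking whether the hook value passed during program execution lies within the range of address values of all hook functions that might be called; if it does not exceed the range, the hook function is called, otherwise the exception handling flow is entered. At the start of the hook function, determining whether the hook function being called matches the design intent; if so, the hook function continues to execute, otherwise the exception handling flow is entered.
Preferably: to ensure the reliability of the hook check itself, the checking program, the aforementioned data structure, and the program that calls the hook function must be encapsulated in one MSU.
An implementation method for preventing an attack execution-sequence branch arising from modification of condition-selection data, including: performing a consistency comparison between the current system call number and the function being executed to decide whether the execution sequence is legal, and handling it accordingly.
A method of using the memory system device, including: using the memory system device to prevent an attacker from directly modifying the victim's code to produce an execution sequence favorable to the attack.
Further including: setting the attribute information of the pages holding the code to read-only, and keeping this attribute information in a specific MSU. The attacker has no ability to change the pages' read-only attribute, and therefore no ability to rewrite the victim's code.
A method of using the memory system device, including: using the memory system device to prevent an attacker from arbitrarily designating an executable area and thereby gaining an opportunity to introduce an execution sequence favorable to the attack.
Further including: the attacker cannot designate an executable area himself, but can only submit a request in the format conforming to the MSU control rules; the kernel designates an executable area for him according to the request and saves the requested content in a newly added MSU.
A method of dynamically loading a program at runtime for it to run in the memory system device.
Further including: when a process needs to load a program dynamically, it passes the relevant information about the required code to the kernel through a specific system call; the kernel creates a new MSU for it and loads the code into the new MSU, thereby isolating the new MSU's content from the process's original content. The new MSU and the process's original MSUs must access each other according to the rules for access between MSUs.
Further including: the dynamically loaded program and MSU information may be held in memory or in a file, such as a dynamic link library file.
A method of loading an executable program for it to run in the memory system device, including: storing the MSU information in the executable program; at load time the loader reads the MSU information and loads the program's data and code into the memory space according to the boundary information it specifies.
Further including: the executable program contains the program's MSU description information. After reading this information, the kernel's loader loads the program's code and data according to the MSU boundaries it specifies and writes the MSU information into the MSU descriptor table. The kernel allocates stack space for the process, sets the MSU corresponding to the stack space as a shared MSU, and sets its boundary information according to the actual stack's boundary values.
A method of using the memory system device, including: using the memory system device to prevent execution, after an attack is launched, from jumping directly to attack code the attacker has prepared in advance in the process space.
Further including: using the property that access between MSUs must go through ports, so that even if the execution sequence is changed in the kernel, when it is changed to jump into the user process space, the target address in user space and the location where the jump is executed are not a legal, matching entry and exit, and the jump is therefore illegal and is intercepted.
A method of using the memory system device, including: using the memory system device to isolate programs in memory at the same privilege from one another, so that the space is no longer flat.
Further including: storing the programs of the same privilege level in multiple MSUs and controlling access to the MSUs according to the MSU access control rules.
Preferably: following the single-function principle, the programs of the same privilege level are encapsulated in different MSUs, so that the program in each MSU can perform only one specific function.
A method of using the memory system device, including: using the memory system device to check accesses between MSUs.
Further including: ensuring that all of the victim's programs are encapsulated in MSUs and, using the properties of the check MSU, requiring that when other MSUs transfer through ports they pass through the check MSU to be checked; if the check passes, the transfer is supported, otherwise it is intercepted.
A method of using the memory system device, including: using the memory system device to prevent an attack from taking effect through the attacker directly operating on user data in a peripheral.
Further including: using the properties of the I/O instruction MSU, the program that maps register ports of a peripheral into the data area of an MSU, in particular including the I/O instructions, is encapsulated in this MSU. This guarantees that only the program in this MSU can map register ports to a memory data area. At the same time, the program that interacts with the peripheral, in particular the program that issues interaction commands to the peripheral, is encapsulated in a terminal MSU, ensuring that the program in the I/O instruction MSU maps the peripheral's register ports only into the data area of this kind of terminal MSU. In this way only this MSU can interact with the peripheral, and formal verification and exhaustive testing ensure that the programs in the I/O instruction MSU and the terminal MSU have a single function and no vulnerabilities.
A method of using the memory system device, including: using the memory system device to prevent an attack from taking effect through the attacker directly operating on user data in memory.
Further including: encapsulating the program by which the kernel exchanges user data with a process in a terminal MSU, and ensuring by program design that other MSUs in the kernel can exchange user data with the process space only through this terminal MSU; and, through formal verification and exhaustive testing, ensuring that the program in this MSU has a single function and no vulnerabilities.
A method of using the memory system device, including: passing data between MSUs.
Further including: having MSUs share physical pages and passing data through the shared physical pages.
A method of using the memory system device, including: specifying the MSU stack-bottom address value.
Further including: on an inter-MSU call, taking the source MSU's stack-top address value before parameter passing as the target MSU's stack-bottom address value.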
一种计算装置,其特征在于:包括MSU描述符,MSU描述符记录在所述MSU描述符表中,所述MSU描述符中记录的信息包括:MSU的标识信息、MSU边界信息、MSU属性信息、MSU端口信息。
进一步的:在MSU描述符中设置预留位。进一步的,可以在MSU描述符中设置MSU的生效/失效信息和/或MSU所属用户ID及用户类型信息。
所述MSU边界信息包括:MSU中所有线性地址段的边界地址信息,其中,所有地址信息均为线性地址。所述端口信息中的地址,优选的,为逻辑地址。
所述MSU属性信息:可以是普通MSU、检查MSU、终端MSU、共享数据MSU、空端口MSU、保险箱MSU中的一种。
所述MSU端口信息包括:入口信息和/或出口信息和/或端口匹配信息;所述入口信息包括:入口号、入口地址、所属MSU的ID;所述出口信息包括:出口号、出口地址、所属MSU的ID;所述端口匹配信息是指:一个出口信息和一个入口信息。
增加一组用以记录MSU描述符所在位置的寄存器以及将它们与MSU描述符位置相关联的指令组,具体包括:
增设MSU描述符表寄存器、当前MSU描述符寄存器、当前栈对应的共享MSU描述符寄存器,并增设操作这些寄存器的指令,用MSU描述符表首地址、当前MSU描述符索引值、当前栈对应的共享MSU描述符索引值分别设置这些寄存器。增设的指令只能在0特权级下执行。
增加系统调用号的寄存器及设置指令。此指令只能在0特权级下执行。
增加一种MSU间转移指令。
增加一种MSU间数据访问指令。
增设记录当前MSU在栈中的栈底地址值寄存器。
所述计算装置还包括基于MSU的访问控制的功能,所述的访问控制包括:
如果不是通过MSU间转移指令或MSU间数据访问指令,进行MSU间转移或对共享数据MSU进行访问,处理器予以拦截;如果通过MSU间转移指令进行MSU间转移,则进行属性、端口匹配检查,如果检查通过,处理器支持转移,反之处理器报异常。
所述属性、端口匹配检查规则,依据前述“一种内存系统装置的通用制作方法”所述规则。
增设页表项,通过页表项中记录信息,找到该页所属MSU的MSU访问控制信息。
一种计算装置,其特征在于:增设寄存器,装载状态信息,所述状态信息专用于为当前选择正确的分支方向提供依据。
所述状态信息是当前系统调用的调用号,且增设特定指令用于设置所述寄存器。
一种计算装置,其特征在于:增设寄存器或寄存器组,用于装载包含MSU信息的数据结构的地址。
优选的,所述的包含MSU信息的数据结构是MSU描述符表。
一种计算装置,其特征在于:增设寄存器或寄存器组,用于装载包含当前正在执行的MSU信息的数据结构的地址。
一种计算装置,其特征在于:增设寄存器,用于承载包含当前正在执行的MSU在栈中的栈底地址值。
进一步的,本发明还建立了一种访问控制机制,其特征在于:使用MSU。
进一步的,一种安全操作系统,其特征在于:使用MSU。
一种代码与数据隔离技术,其特征在于:用MSU隔离代码与数据。
所述MSU是指代码和数据的集合。一个MSU不可访问另一个MSU的数据。
为了解决MSU间数据交互的问题,MSU内部函数分为普通函数和端口函数,一个MSU的函数不可直接调用另一个MSU的普通函数。MSU有专门的端口函数,可以调用其它MSU的端口函数,也可被其他MSU的端口函数调用。MSU的普通函数不可调用其它MSU的函数,也不可被其他MSU的函数调用。MSU之间的数据交互通过MSU的端口函数进行。一个程序的函数和数据必须归属于某一个MSU。一个函数或一个数据,只能属于一个MSU。
一种代码与数据隔离技术,其特征在于:进一步包括在运行时实现跨MSU访问控制,当非法跨MSU访问发生时,阻止该非法访问;
所述运行时跨MSU访问控制是指在运行时判断对一个数据的访问是否超越了本MSU的边界,判断一个执行序的跳转是否非法跨越了MSU的边界。
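The approach above achieves the following technical effects:
1. Splitting the source code into multiple MSUs makes each component of the program single-purpose and isolated from the others. The data of each MSU is protected from modification by unrelated code, and each independent function is, as far as possible, completed inside one MSU.
2. The check MSU is independent of the program's functional MSUs. All external operations and concrete actions directly operate on and affect the functional MSUs, while the check MSU is not under the direct control of external operations, which lowers the likelihood that the check MSU is attacked directly. Authorization checks are based on authority information rather than on data in the functional flow, and the authority information does not originate from data in the functional flow; this prevents external logic from interfering with or overwriting the basis of the check and thereby defeating it.
3. When a check-MSU mechanism is present, calls between MSUs are guaranteed to go through the check MSU, so that a developer cannot forget, or deliberately skip, the check MSU. The check MSU can inspect and monitor the overall execution sequence during the call.
4. A task related to authority is completed cooperatively by more than one MSU, which guarantees at least one inter-MSU call and at least one pass through a check MSU.
5. Dividing a program into cooperating MSUs makes its logic flow simpler, and the resulting effect can be described by its input and output data. The clearer and simpler the program logic, the easier it is to write a clear and simple check MSU that can pass formal verification, ensuring that the check MSU is trustworthy.
6. MSUs can call one another only through matching ports. Even if the execution sequence is illegally altered, a direct jump from one MSU into another cannot succeed, so an attacker can hardly reach the execution sequence they intend: the possible jump targets lie only within the current MSU, and because each MSU is single-purpose, altering the execution sequence inside it is not enough to complete an entire attack objective.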
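To describe the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for that description are briefly introduced below. The drawings described below are obviously only some embodiments of the present invention; a person of ordinary skill in the art can derive other drawings from them without creative effort.
Figure 1: Schematic of the stack space accessible to an MSU
Figure 2: Schematic of the data structures that hold MSU information
Figure 3: Schematic of the MCALL instruction's check of the disable bit
Figure 4: Schematic of the MCALL instruction's attribute matching check
Figure 5: Schematic of the MCALL instruction's exit-address correctness check
Figure 6: Schematic of the MCALL instruction's target-MSU-number correctness check
Figure 7: Schematic of the MCALL instruction's target-entry-number correctness check
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. The described embodiments are obviously only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the present invention.
The technical solution of the present invention is described in detail below through specific embodiments.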
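Embodiment 1
An MSU descriptor table is added; it contains the boundary information, attribute information and port information of all MSUs. A dedicated register is added to record the location of the MSU descriptor, and the processor identifies the MSU through this register.
A dedicated transfer instruction for inter-MSU access is added. If any other instruction produces a cross-MSU action when it executes, the processor intercepts it. When the dedicated instruction executes, it is allowed to proceed if the attributes and ports match; otherwise it is intercepted.
MSU access control is not restricted by privilege level.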
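Embodiment 2:
A method of building MSUs in which access control is performed by software instructions under an existing architecture, and the way access control is applied with that method:
S-C-A1 Building the memory system apparatus, specifically:
S-C-A1-1 Building the MSU information recording unit:
The following data is created:
The ID of the current MSU; the MSU control table; the port matching table; a pointer variable pointing to the MSU control table; a pointer variable pointing to the port matching table; and a variable that records the MSU stack-bottom address.
The MSU control table holds the information of all MSUs, specifically: the MSU ID, the MSU boundary information, attribute information, port information, and enable/disable information. Preferably, it also includes the user type the MSU belongs to and the user identifier the MSU belongs to.
The MSU boundary information includes: the instruction-area boundary information, the global-data-area boundary information, and the heap-area boundary information.
The MSU port information includes the exit information and the entry information of the MSU;
The exit information of an MSU includes: the ID of the MSU it belongs to, the exit number, and the exit address;
The entry information of an MSU includes: the ID of the MSU it belongs to, the entry number, and the entry address;
The port matching table includes: a pair consisting of an exit and an entry that have an inter-MSU call relationship.
In the data area of each MSU, the following are set up: a pointer variable pointing to the MSU control table; a pointer variable pointing to the port matching table; and a variable that records the MSU stack-bottom address.
In the linear address space of each MSU's data area, a page-aligned space whose size is an integer multiple of the page size is reserved; the control table is placed in it, and no other data is stored in it.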
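S-C-A1-2 Building the access control unit
In this method, the MSU access control logic is enforced by software instructions, specifically:
● Obtaining the stack-bottom address of the current MSU:
The logic of the added instructions is: before the parameter-passing instructions of an inter-MSU call, obtain the stack-top address and push it onto the stack; this address serves as the stack-bottom address of the target MSU. After the call enters the target MSU, at the start of its instructions, fetch that address from the stack and save it in the variable that records the current MSU's stack-bottom address.
● Adding check instructions that determine whether a data access exceeds the MSU boundary:
Because the access address of a non-pointer variable can be determined at compile time, a preferred scheme is to perform no run-time boundary check on such variables and to boundary-check only data pointers. Concretely, decision logic is added before each instruction that accesses data through a pointer, as follows:
Step S-C-A1-2-A1: if the final target address of the access lies in the current MSU's global data area, or its heap area, or in the region of the stack area that corresponds to the current MSU, go to step S-C-A1-2-A2; otherwise go to step S-C-A1-2-A3;
Step S-C-A1-2-A2: execute the data access instruction, then go to step S-C-A1-2-A4;
Step S-C-A1-2-A3: enter the exception-handling flow;
Step S-C-A1-2-A4: execute the next instruction.
● Adding check instructions that determine whether the target address of an intra-MSU indirect transfer instruction exceeds the MSU boundary:
Because the target address of a direct transfer instruction inside an MSU can be determined at compile time, a preferred scheme is to perform no run-time boundary check on such instructions and to boundary-check only the target addresses of intra-MSU indirect transfer instructions. Concretely, decision logic is added before each intra-MSU indirect transfer instruction, as follows:
Step S-C-A1-2-B1: if the final target address lies in the instruction area of the current MSU, go to step S-C-A1-2-B2; otherwise go to step S-C-A1-2-B3;
Step S-C-A1-2-B2: execute the intra-MSU indirect transfer instruction, then go to step S-C-A1-2-B4;
Step S-C-A1-2-B3: enter the exception-handling flow;
Step S-C-A1-2-B4: execute the next instruction.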
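The two software checks above (steps S-C-A1-2-A1 to A4 for data pointers, B1 to B4 for indirect transfers), written out in C as an added example that is not code from the patent. The struct layouts, names and sample addresses are constructed, and the stack is assumed to grow downward so that the running MSU's part of the stack lies below its recorded stack-bottom address.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One contiguous region [lo, hi) of the linear address space. */
typedef struct { uintptr_t lo, hi; } region_t;

/* Boundary fields of one MSU control-table entry (constructed layout). */
typedef struct {
    uint32_t id;
    region_t code;   /* instruction area */
    region_t data;   /* global data area */
    region_t heap;   /* lo == hi: no heap has been allocated yet */
} msu_bounds_t;

/* Stack state used by the check. Assumption: the stack grows downward, so the
 * running MSU owns [stack_limit, msu_stack_bottom) and its callers' frames
 * sit at or above msu_stack_bottom. */
typedef struct {
    uintptr_t stack_limit;       /* lowest address of the process stack area   */
    uintptr_t msu_stack_bottom;  /* value recorded on entry to the current MSU */
} stack_view_t;

typedef enum { ACCESS_OK = 0, ACCESS_FAULT = 1 } verdict_t;

/* True only if the whole range [addr, addr + len) lies inside r.
 * Written without computing addr + len, so a huge len cannot wrap around. */
static bool in_region(region_t r, uintptr_t addr, size_t len)
{
    if (len == 0 || r.hi <= r.lo) return false;
    if (addr < r.lo || addr >= r.hi) return false;
    return len <= (size_t)(r.hi - addr);
}

/* Steps A1-A4: inserted before every access made through a data pointer. */
verdict_t check_data_access(const msu_bounds_t *m, const stack_view_t *s,
                            uintptr_t addr, size_t len)
{
    region_t own_stack = { s->stack_limit, s->msu_stack_bottom };
    if (in_region(m->data, addr, len) ||
        in_region(m->heap, addr, len) ||
        in_region(own_stack, addr, len))
        return ACCESS_OK;        /* A2: perform the access */
    return ACCESS_FAULT;         /* A3: exception handling */
}

/* Steps B1-B4: inserted before every indirect transfer inside the MSU. */
verdict_t check_indirect_branch(const msu_bounds_t *m, uintptr_t target)
{
    return in_region(m->code, target, 1) ? ACCESS_OK : ACCESS_FAULT;
}

/* Constructed sample layout for one MSU and its view of the stack. */
static const msu_bounds_t MSU_A = {
    1, { 0x401000u, 0x403000u }, { 0x600000u, 0x602000u }, { 0, 0 }
};
static const stack_view_t STACK_A = { 0x7ff00000u, 0x7ff0f000u };

int main(void)
{
    printf("own global     : %d\n", check_data_access(&MSU_A, &STACK_A, 0x600010u, 4));
    printf("straddles end  : %d\n", check_data_access(&MSU_A, &STACK_A, 0x601ffcu, 8));
    printf("caller's frame : %d\n", check_data_access(&MSU_A, &STACK_A, 0x7ff0f010u, 4));
    printf("branch outside : %d\n", check_indirect_branch(&MSU_A, 0x500000u));
    return 0;
}
```

The length-aware comparison matters: an access that starts inside the global data area but runs past its end is rejected, as is a pointer into a caller's stack frame.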
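● MSU attribute matching check:
Using the compiler and the linker, the address of each inter-MSU call instruction and its target address are recorded and embodied in the check instructions.
The target MSU is determined from the target address of the inter-MSU call instruction and the boundary information of all MSUs. The attribute of the current MSU is then compared with the attribute of the target MSU. If the attribute match conforms to the MSU attribute matching rules set out in the Summary of the Invention, the port matching check follows; otherwise the exception-handling flow is entered.
● MSU port matching check:
The purpose of the port check is to verify that the current inter-MSU call or return is consistent with the expected inter-MSU call or return, preventing the execution sequence between MSUs from being changed. Concretely: 1. before an inter-MSU call, check whether the address of the current call instruction and the target address are recorded in the port matching table; 2. on an inter-MSU return, one return instruction may correspond to several legal return addresses, and matching exits against entries could reduce execution efficiency, so a preferred scheme is to check on return only whether the return instruction is a legal exit.
The logic added before an inter-MSU call instruction is as follows:
Using the address of the inter-MSU call instruction, find the corresponding exit in the port matching table and, through that exit, determine its matching entry. Then determine whether the target address of the inter-MSU call instruction equals the address of that entry. If it does, the inter-MSU call instruction is allowed to execute; otherwise the exception-handling flow is entered.
The logic added before an inter-MSU return instruction is as follows: using the address of the inter-MSU return instruction, look for the corresponding exit in the MSU control table. If it is found, this is a legal exit and the inter-MSU return instruction is allowed to execute; otherwise the exception-handling flow is entered.
● Checking non-transfer instructions and internal direct transfer instructions in an MSU:
For non-transfer instructions, compilation can establish that they lie within the region of the MSU they belong to; for internal direct transfer instructions, the compile stage can likewise ensure that the target address lies within the region of the MSU. Setting the pages that hold the instruction area to read-only guarantees that instructions are not modified at run time. To improve execution efficiency, a preferred scheme is to rely on the compile stage for their correctness and not check them again at run time.
● Checking IO instructions:
When assembly instructions are generated from the syntax tree, decision logic is added before every designated IO instruction: determine whether the type of the current MSU is the IO-instruction MSU type; if so, execution may continue; if not, an exception is raised.
This must be done whether the IO instruction is generated from high-level code or is directly embedded assembly, so that every IO instruction in the executable is preceded by this check logic.
An IO instruction is a special instruction that reads or writes a peripheral directly. IO instructions differ between CPU architectures and the actual architecture governs; examples are the in and out instructions of the INTEL architecture.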
S-C-A1运行时阶段对MSU信息的比对:
通过执行可执行程序中用于MSU访问控制逻辑的指令,来实现对MSU的访问控制。具体指令参见本实施例中“内存系统装置的制作”。
针对该种内存系统装置制作方式的访问控制应用方式,包括:
S-C-B1编译包含MSU的源程序,具体包括:
S-C-B1-1、提取MSU信息,具体包括:
S-C-B1-1-1:编写、编译包含MSU信息的源程序:
● 一种增设语法规则的方式表达MSU信息
增设语法规则,使编程阶段完成准确保留程序设计中MSU信息,为了兼容性,本规则在C语言的基础上,增设如下语法规则:
MSU声明:
MSU类型 MSU名 生效/失效位
{
数据声明
访问标识符:函数声明
};
访问标识符:
inner
port
MSU类型:
common_msu
check_msu
terminal_msu
nothing_msu
share_msu
MSU空端口函数声明:
返回值类型 MSU名 函数名 形式参数类型列表;
MSU空端口函数定义:
返回值类型 MSU名 函数名 形式参数类型列表 复合语句
端口函数声明:
端口标识符 声明表 MSU名 函数名 形式参数类型列表;
端口函数定义:
声明表 MSU名 函数名 形式参数类型列表 复合语句
端口函数调用:
函数名 参数列表
指针区域类型 指针定义
指针区域类型:
data
stack
heap
其中MSU类型代表MSU的属性:common_msu代表普通MSU、check_msu代表检查MSU、terminal_msu代表终端MSU、nothing_msu代表空端口MSU、share_msu代表共享数据MSU。当MSU类型为空端口MSU时,不需要定义函数的访问标识符。
MSU名代表MSU的标识信息;一对{}里面的数据和函数,从属于同一个MSU。
由inner这个访问标识符标识的函数为MSU空端口函数;
由port这个访问标识符标识的函数为MSU端口函数;
生效/失效位,记录着MSU是否可用,1代表生效,0代表失效。
共享数据MSU中只允许定义数据。
指针区域类型:data标识的指针为全局数据区指针;stack标识的指针为栈区指针;heap标识的指针为堆区指针;如果指针定义前不添加指针区域类型标识符,则默认指针为全局数据区指针。
通过增设语法规则实现的一个案例程序是:
编译器通过增设语法规则,识别出程序中保留的MSU信息,把信息保存在语法树上。供后续步骤使用。
● 通过配置信息表达MSU信息
增设配置信息,能够使编程阶段完成准确保留程序设计中MSU信息:
把MSU的信息记录在配置文件中,编译器进行语法分析时,不仅要分析程序文件,还要分析配置文件,通过配置信息来认定程序文件中与MSU相关的信息,最终的信息要符合编译阶段对MSU信息的处理规则,符合,可生成语法树。供后续步骤使用。
增设的配置信息规则是:
MSU类型 MSU名:
数据名
访问标识符:函数名
为源代码中定义的每一个数据指针指定其区域类型,如不指定,默认是MSU的全局数据区指针。
访问标识符:
inner
port
MSU类型:
common_msu
check_msu
terminal_msu
nothing_msu
share_msu
各个关键字作用与本案例前述增设语法规则中关键字作用一致。
用增设配置信息体现MSU信息的一种实施方式是:
MSU类型A:
n;
data*p;//p为一个全局指针变量,指向全局数据区
stack*p1;//p1为一个全局指针变量,指向栈数据区
inner:
add1;
sub1;
port:
SetData1;
GetData1;
stack add1:*p1;//p1为函数add中的局部指针变量,指向栈数据区
MSU类型B:
a;
inner:
add2;
sub2;
port:
SetData2;
● 利用C语言语法规则
利用C语言语法规则,使编程阶段完成准确保留程序设计中MSU信息的方法是:
通过现有语法规则保留MSU信息的一种方法是:
定义在同一个.c文件中的数据、函数,默认属于同一个MSU;
通过特定的函数命名法,来标识此函数是MSU的空端口函数或端口函数,如:函数名字最开始5个字符为_PORT的函数为端口函数;函数名字最开始6个字符为_INNER的函数为空端口函数;指针名字最开始5个字符为_data的指针为指向全局数据区的指针;指针名字最开始6个字符为_stack的指针为指向栈区的指针;指针名字最开始5个字符为_heap的指针为指向堆区的指针;
通过宏定义的方式认定MSU属性;
编译器进行语法分析时,可通过上述三种规则分别认定程序中与MSU相关的信息,最终生成语法树、保存MSU信息,其余语法的编译技术与现有技术相同。
S-C-B1-1-2:内存布局及编址方式
把属于同一MSU的指令和数据,以页对齐的形式,分别密排链接,指令保存在指令区、数据保存在数据区。所有MSU在同一线性地址空间内,以同一个基址进行统一编址。
S-C-B1-1-3:提取并保存MSU信息:
在编译链接阶段,为每个MSU建立以下数据,存储在MSU的数据区:
当前MSU的ID;MSU控制对照表;端口匹配表;指向MSU控制对照表的指针变量;指向端口匹配表的指针变量;用以记录MSU栈底地址值的变量。
所述当前MSU的ID,保存当前MSU正在运行的MSU的ID值,用以在MSU控制对照表中找到当前正在运行的MSU的信息。
所述MSU控制对照表的信息包括:所有MSU的信息,具体包括:MSU的ID号、MSU的边界信息、属性信息、端口信息、生效/失效信息。优选的,还包括MSU所属用户类型信息,MSU所属用户标识信息。表中:
所述MSU的ID号,通过语法树中保存的不同MSU名生成;
所述MSU边界信息,包括:指令区边界信息、全局数据区边界信息、堆区边界信息。对于指令区边界信息、全局数据区边界信息,可以通过统计编译生成的指令和全局数据占用空间大小来确定。对于堆区边界信息,由于编译时无法确定需要建立的堆区大小,可以在对照表中先预留表项,等到运行时需要堆区的时候再临时添加信息;
所述MSU属性信息,可以根据语法树中记录的MSU类型信息来设定;
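The MSU port information includes the exit information and the entry information of the MSU;
The exit information of an MSU includes: the ID of the MSU it belongs to, the exit number, and the exit address; the exit number is the unique number of each exit, and the exit address is the address at which the inter-MSU call/return instruction is located;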
所述MSU的入口信息,包括:其所属的MSU的ID、入口号、入口地址值;其中入口号为每一个入口的唯一编号,入口地址值为MSU间调用指令的下一条指令地址值,以及端口函数的第一条指令的地址值;
所述生效/失效信息,通过语法树节点中记录的生效/失效标记设置。
所述端口匹配表,为本MSU调用其它MSU的调用关系集合。其中一个表项,包括:一对有MSU间调用关系的出口和入口。
所述指向MSU控制对照表的指针变量,用于在检查指令中,访问MSU控制对照表。
所述指向端口匹配表的指针变量,用于在检查指令中,访问端口匹配表。
所述用以记录MSU栈底地址值的变量,用于在检查指令中,控制当前MSU的栈区访问边界。此变量的初始值为对应特权级的栈的栈底地址值。
在每个MSU数据区的线性地址空间中,以页对齐的方式预留一段空间,空间大小为页大小的整数倍,将控制对照表设置于其中,其它数据不可存入其中,并保存到可执行文件内。
S-C-B1-2 限定MSU语法访问规则:
编译器分析语法树中记载的信息,对不符合MSU访问规则的代码不予生成可执行程序,如符合,进入后续的生成汇编代码、链接的流程。
S-C-B1-3 生成与MSU访问相关的指令:
生成的MSU间调用访问转移指令为:call目标地址值。MSU间调用时,不允许通过call指令进行间接转移。
生成的MSU间返回访问转移指令为:ret。
访问本MSU全局数据、堆数据的指令与访问栈数据的指令一致。
S-C-B2 运行时阶段对MSU信息的处理
创建进程时,为每个MSU申请独立的页面,用以加载上述用于边界访问控制的数据,根据进程的用户ID、用户角色类型,设置MSU属性中的MSU所属用户标识信息、MSU所属用户类型信息,页面中不能存在其它内容,为了保证数据的安全,一种优选的方案是:加载后将页面设置为只读,在需要修改这些数据时,关闭只读,修改完成后,再重新设置为只读。
创建进程时,由操作系统为进程分配栈区域,一种优选的方案是:栈的大小被设置为实际适用的大小,而非整个线性地址空间的大小,代表栈的共享数据MSU的边界设置为与栈的边界相同。
如果操作系统加载程序时,MSU的内存分配布局,与编译链接时,确定的用于边界访问控制的数据不同,则需将该数据改为与实际相符。
MSU中程序执行时,如果需要申请/释放堆空间,则通过专用系统调用进入内核,由内核中专用程序为其申请/释放堆空间,并相应修改MSU控制对照表中堆区域边界值。
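While a program in an MSU is executing, if an MSU needs to be added or deleted, the program enters the kernel through a dedicated system call; a dedicated kernel routine adds or deletes the MSU for it and modifies the corresponding data used for boundary access control.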
实施例3:
一种利用段机制进行访问控制的MSU制作方法:
S-D-A1、内存系统装置的制作:
S-D-A1-1制作MSU信息记录单元:
为每个MSU建立以下数据,存储在MSU的数据区:当前MSU的ID;MSU控制对照表;端口匹配表;指向MSU控制对照表的指针变量;指向端口匹配表的指针变量;用以记录MSU栈底地址值的变量。
其中当前MSU的ID、端口匹配表、指向MSU控制对照表的指针变量、指向端口匹配表的指针变量、用以记录MSU栈底地址值的变量所涉及的内容,与实施例2中相应的内容一致。
所述MSU控制对照表的信息包括:所有MSU的MSU信息。
每个MSU的信息包括:MSU的ID号、MSU和属于它的段描述符的映射表、属性信息、端口信息、生效/失效信息。
所述MSU和属于它的段描述符的映射表,包括:MSU与GDT表中与其对应的段描述符的对应关系。
其中MSU的ID号、所述MSU属性信息、所述MSU端口信息、所述生效/失效信息所涉及的内容与实施例2中相应的内容一致。
S-D-A1-2制作访问控制单元
MSU访问控制逻辑的生成:
在本制作方法中:MSU边界访问控制靠段机制进行控制,其它访问控制具体包括:
● 获取当前MSU栈底地址值
添加指令的逻辑与实施例2中相应的内容一致。
● MSU属性匹配检查
添加指令的逻辑与实施例2中相应的内容一致。
● MSU端口匹配检查
添加指令的逻辑与实施例2中相应的内容一致。
● IO指令所在MSU的属性检查
添加指令的逻辑与实施例2中相应的内容一致。
S-D-A2运行时阶段对MSU信息的比对
根据已经载入GDT表的MSU的边界信息,利用段的区域边界控制,来实现MSU的区域边界控制。
通过执行可执行程序中用于属性、端口匹配检查指令,来实现对MSU的访问控制。
针对该种内存系统装置制作方式的访问控制应用方式,包括:
S-D-B1编译包含MSU的源程序,具体包括:
S-D-B1-1、提取MSU信息
S-D-B1-1-1:编写、编译包含MSU信息的源程序:
编写、编译包含MSU信息的源程序的方式与实施例2中的一致。
S-D-B1-1-2、内存布局及编址方式:
本实施例的一个重要特征为:用段来描述MSU的连续存储区,连续存储区的边界信息最终以段描述符的形式存储在GDT表中。
在编译链接阶段,把属于同一MSU的指令和数据,以页对齐的形式,分别密排链接,指令保存在指令区、数据保存在数据区。
在编译链接阶段,所有MSU在同一线性地址空间内,各个MSU的各个连续存储区,各自进行编址,其基址写入对应段的段基址,其长度写入对应段的段限长。
S-D-B1-1-3、提取并保存MSU信息:
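At the compile-and-link stage, a table of the information required by the GDT is built in the format the GDT requires; the boundary information of all MSUs is stored in it and the order of the segment selectors is fixed, for the operating system loader to use when filling the GDT. The segment selectors in the GDT must be filled in the specified selector order.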
在编译链接阶段,为每个MSU建立以下数据,存储在MSU的数据区:当前MSU的ID;MSU控制对照表;端口匹配表;指向MSU控制对照表的指针变量;指向端口匹配表的指针变量;用以记录MSU栈底地址值的变量。
其中当前MSU的ID、端口匹配表、指向MSU控制对照表的指针变量、指向端口匹配表的指针变量、用以记录MSU栈底地址值的变量所涉及的内容,与实施例2中相应的内容一致。
所述MSU控制对照表的信息包括:所有MSU的MSU信息。
每个MSU的信息包括:MSU的ID号、MSU和属于它的段描述符的映射表、属性信息、端口信息、生效/失效信息。
所述MSU和属于它的段描述符的映射表,包括:MSU与GDT表中与其对应的段描述符的对应关系。
其中MSU的ID号、所述MSU属性信息、所述MSU端口信息、所述生效/失效信息所涉及的内容与实施例2中相应的内容一致。
所述GDT表的指令区边界信息、全局数据区边界信息,可以通过统计编译生成的指令和全局数据占用空间大小来确定。对于堆区边界信息,由于编译时无法确定需要建立的堆区大小,可以在对照表中先预留表项,等到运行时需要堆区的时候再临时添加信息。
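In the linear address space of each MSU's data area, a page-aligned space whose size is an integer multiple of the page size is reserved; the data used for boundary access control (other than the GDT-related information) is placed in it, no other data may be stored in it, and it is saved into the executable file.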
GDT表相关信息在整个程序中保留一份即可,与操作系统约定好其在可执行文件中的位置。
S-D-B1-2限定MSU语法访问规则:
编译器分析语法树中记载的信息,对不符合MSU访问规则的代码不予生成可执行程序,如符合,进入后续的生成汇编代码、链接的流程。
S-D-B1-3生成与MSU访问相关的指令,具体包括:
生成的MSU间调用访问转移指令为:call目标段选择子目标地址值。MSU间调用时,不允许通过call指令进行间接转移。
生成的MSU间返回访问转移指令为:retf。
访问本MSU全局数据、堆数据的指令与访问栈数据的指令一致。要求在指令中指定段选择子。
S-D-B2运行时阶段对MSU信息的处理
创建进程时,根据进程的用户ID、用户角色类型,设置MSU属性中的MSU所属用户标识信息、MSU所属用户类型信息,为每个MSU申请独立的页面,用以加载上述用于边界访问控制的数据(除了GDT表),页面中不能存在其它内容,为了保证数据的安全,一种优选的方案是:加载后将页面设置为只读,在需要修改这些数据时,关闭只读,修改完成后,再重新设置为只读。
创建进程时,由操作系统为进程分配栈区域,一种优选的方案是:栈的大小被设置为实际适用的大小,而非整个线性地址空间的大小,按现有方式设置栈段描述符。
如果操作系统加载程序时,实际分配的MSU的内存分配布局与编译链接时确定的布局不同,则需将该数据改为与实际相符。
MSU中程序执行时,如果需要申请/释放堆空间,则通过专用系统调用进入内核,由内核中专用程序为其申请/释放堆空间,并相应修改GDT表中堆区域边界值。
MSU中程序执行时,如果需要添加/删除MSU,则通过专用系统调用进入内核,由内核中专用程序为其添加/删除MSU,并修改相应用于边界访问控制的数据及GDT表。
操作系统从GDT所需信息表中收集MSU边界信息,加载GDT表。
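Embodiment 4:
A method of building memory system units in which hardware is added and access control is performed with the contiguous storage area as the unit of access control:
S-F-A1. Building the memory system apparatus
S-F-A1-1 Building the MSU information recording unit:
An MSU descriptor table is created; it records the descriptor of every MSU. One MSU descriptor format is shown in Table 1.
Table 1: An MSU descriptor format
In the table, N denotes a natural number whose value ultimately depends on the maximum space needed for the stored content. The ID of an MSU is the index of its MSU descriptor in the MSU descriptor table. Each MSU descriptor is paired with an exit descriptor table and an entry descriptor table;
The exit descriptor table records the exit information of each MSU and the matching between its exits and the entries of other MSUs. It consists of exit descriptors; each MSU descriptor corresponds to one exit descriptor table, and the exit number of each exit is the index of its exit descriptor in the exit descriptor table.
A preferred exit descriptor format is shown in Table 2.
Table 2: An exit descriptor format
The entry descriptor table records the entry information of each MSU. It consists of entry descriptors; each MSU descriptor corresponds to one entry descriptor table, and the entry number of each entry is the index of its entry descriptor in the entry descriptor table.
A preferred entry descriptor format is shown in Table 3.
Table 3: An entry descriptor format
Stored content | Bytes | Description |
Entry address | N | The address value of the entry in the MSU |
Figure 2 shows one specific implementation. The MSDTR register points to the base address of the MSU descriptor table. The CMSDTR register holds the current MSU ID, which is the index of the current MSU in the MSU descriptor table and allows the current MSU descriptor to be located in the table. Each MSU descriptor contains the MSU attribute, the code-area boundary, the global-data-area boundary and other information; the exit descriptor table can be found through the exit descriptor table base address, and through the entry descriptor table. Each exit descriptor in the exit descriptor table contains the exit address, the target MSU number, the target entry number, the target entry address and the return address.
The instruction-area and global-data-area boundary information in the MSU descriptor table can be determined by measuring the space occupied by the instructions and global data that compilation produces. For the heap-area boundary information, the size of the heap to be created cannot be determined at compile time, so an entry can be reserved in the table first and the information added when a heap is needed at run time.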
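Added hardware 1:
During access control the processor must be able to locate the data structures above that are used for MSU access control. Registers are added so that the processor can find this data. To ensure that the data can be changed only under controlled conditions, dedicated register-access instructions are provided and restricted to privilege level 0. The processor's accesses to these structures are not limited by the region boundary of the current MSU. The registers and instructions are:
An MSDTR register is added to record the base address of the MSU descriptor table; this address is a linear address;
A load instruction for the MSDTR register is added: LOAD MSDTR address-value. It stores the base address of the MSU descriptor table in MSDTR. This instruction is privileged and can execute only at privilege level 0;
A CMSDTR register is added to record the ID of the current MSU, that is, its index in the MSU descriptor table;
A load instruction for the CMSDTR register is added: LOAD CMSDTR MSU-ID. It stores the index of the current MSU descriptor in the MSDT (that is, the MSU number) in CMSDTR. This instruction is privileged and can execute only at privilege level 0.
To ensure that each MSU can access only its own region of the stack, a register is provided to hold the stack-bottom address of the current MSU: the CMSEBP register is added to record the current MSU's stack-bottom address.
To ensure that the processor can always determine the shared-data MSU that corresponds to the stack, a register is provided to hold the ID of that shared-data MSU: the SMSUR register is added to record the ID of the shared-data MSU corresponding to the stack.
A current-user-ID register, CUR, is added;
A current-role-ID register, CPR, is added;
A current-system-call-number register, SCG, is added;
A dedicated instruction is added to set CUR: LOAD CUR user-ID;
A dedicated instruction is added to set CPR: LOAD CPR role-ID;
A dedicated instruction is added to set SCG: LOAD SCG system-call-number;
These instructions are privileged and can execute only at privilege level 0.
Through the MSDTR and CMSDTR registers, the current MSU descriptor is found in the MSU descriptor table and the boundary information is obtained.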
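S-F-A1-1 Generating the MSU access control logic:
In this method, MSU access control is enforced by hardware mechanisms, specifically:
Determining whether the next address after a non-transfer instruction, and the target address of an intra-MSU transfer instruction, exceed the current MSU boundary
When the instruction counter is incremented for a non-transfer instruction, and when the target address of an intra-MSU transfer is obtained, the processor determines whether that address exceeds the current MSU boundary. If it does, an exception is raised; otherwise execution is allowed.
Determining whether the accessed data exceeds the current MSU boundary or the stack boundary
When a dedicated shared-data-area instruction executes, the processor determines whether the target address of the data access lies between the stack-bottom position of the current MSU and the stack-top position of the whole stack space. The stack-bottom position of the current MSU is obtained from the CMSEBP register; the stack-top position of the whole stack space is derived from SMSUR together with the MSU descriptor table, whose location is given by the MSDTR register.
When an instruction that accesses the current MSU's own data executes, the processor determines whether the target address of the data access exceeds the data-area boundary of the current MSU. That boundary is derived from CMSDTR together with the MSU descriptor table, whose location is given by the MSDTR register.
Added inter-MSU call and return instructions
The mcall instruction is the inter-MSU call instruction; the mret instruction is the inter-MSU return instruction.
When mcall or mret executes, the processor first checks the legality of the call/return against the MSU access rules. If the rules are satisfied, the instruction is allowed to proceed; otherwise an exception is raised.
The checks are: the MSU descriptor enable/disable check, the MSU attribute matching check, and the MSU port matching check, as follows: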
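● MSU descriptor enable/disable check
Figure 3 shows one specific way in which the MCALL instruction obtains the disable-bit information.
First, the current MSU descriptor is found in the MSU descriptor table through the MSDTR and CMSDTR registers; then the target MSU descriptor is found in the table through the ID of the target MSU. If the enable/disable bit of either descriptor is 0, the descriptor is invalid and an exception is raised; if both are 1, the attribute matching check follows.
When mcall executes, the ID of the target MSU is taken from the operands carried in the mcall instruction; when mret executes, the ID of the target MSU is taken from the information that was saved at the top of the stack when mcall executed in the original MSU.
● MSU attribute matching check
Figure 4 shows one specific way in which the MCALL instruction obtains the MSU attributes.
The processor obtains the attribute information from the attribute fields of the current MSU descriptor and the target MSU descriptor and performs the inter-MSU attribute matching check. If the attribute match conforms to the MSU attribute matching rules set out in the Summary of the Invention, the port matching check follows; otherwise an exception is raised.
● How the processor performs the port matching check when mcall executes
Figures 5-7 show one specific way in which the MCALL instruction obtains the exit address, the target MSU number and the target entry number, respectively.
Through the exit descriptor table base address saved in the current MSU descriptor, the exit descriptor table is found; the current exit number obtained from mcall is used to find the corresponding entry in that table, which identifies the exit descriptor. Three comparisons are then made: the address of the mcall instruction against the exit address in the exit descriptor; the target MSU ID carried in the mcall instruction against the target MSU ID in the exit descriptor; and the target MSU entry number carried in the mcall instruction against the corresponding target MSU entry number in the exit descriptor. If any one differs, an exception is raised; if all match, the mcall instruction proceeds.
● How the processor performs the port matching check when mret executes
Through the exit descriptor table base address saved in the current MSU descriptor, the exit descriptor table is found; the current exit number obtained from mret is used to find the corresponding entry in that table, which identifies the exit descriptor. If the address of the mret instruction differs from that exit address, an exception is raised; otherwise the mret instruction proceeds.
● What the mcall instruction does next once the checks pass
The value of the CMSDTR register, the current exit number recorded in the mcall instruction, and the value of the CMSEBP register are pushed onto the stack; the CMSDTR register is set to the MSU ID in the mcall instruction; and the EIP register is set to the target address stored in the exit descriptor.
● What the mret instruction does next once the checks pass
CMSDTR is set to the original MSU's ID that was saved at the top of the stack when mcall executed in the original MSU. Through that MSU ID the original MSU descriptor is found, and with it the corresponding exit descriptor table; the original MSU's exit number saved at the top of the stack when mcall executed is used to find the corresponding exit descriptor in that table, and the EIP register is set to the return address recorded in the descriptor. The CMSEBP register is set to the original MSU's stack-top address value saved at the top of the stack when mcall executed.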
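Access to the shared data area
A shared-data MSU must be accessed with the shared-data MSU access instruction; otherwise an exception is raised. If the shared-data MSU access instruction accesses a non-shared-data MSU, an exception is raised. Specifically:
If the MSU number specified in the mmov instruction is the number of the MSU that holds the stack, the processor determines whether the target address is lower than the current MSU's stack-bottom address recorded in the CMSEBP register; if it is lower, execution is allowed, otherwise an exception is raised. If the MSU number specified in the mmov instruction is not the number of the MSU that holds the stack, an exception is raised.
Execution of IO instructions
When the apparatus supports the IO-instruction MSU attribute, specific IO instructions, such as the in and out instructions of the INTEL architecture, may execute only in MSUs of this kind. When such an instruction executes, the processor determines whether the type of the current MSU is IO-instruction MSU; if not, an exception is raised; if so, execution is allowed.
Switching the current MSU on interrupt response
The ID of the MSU that contains the interrupt response function is set in the IDT. When the response function executes, the current MSU is automatically switched to the MSU that contains it. When the interrupt context is saved, the MSU ID and the MSU stack-bottom address at the time of the interrupt are saved as well, and they are restored together when the context is restored.
To keep the stack-bottom address of the current MSU correct, corresponding handling must be added in software:
After an inter-MSU call, the program must explicitly set the stack-bottom address of the current MSU. The logic of the added instructions is:
Before the parameter-passing instructions of an inter-MSU call, obtain the stack-top address and push it onto the stack; this address serves as the stack-bottom address of the target MSU. After the call enters the target MSU, at the start of its instructions, fetch that address from the stack and save it in the CMSEBP register.
To control the current user and the current role:
At a non-zero privilege level, when the MSU switches, the CUR and CPR registers are set automatically from the ID values in the two fields "user type the MSU belongs to" and "user identifier the MSU belongs to" of the target MSU's descriptor table. The user and role that the target MSU belongs to are thereby treated as the current user and the current role.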
S-F-A2、运行时阶段对MSU信息的比对
通过本实施例前述增设硬件以及增设硬件机制,来实现对MSU的访问控制。
针对该种内存系统装置制作方式的访问控制应用方式,包括:
S-F-B1、编译包含MSU的源程序:
S-F-B1-1、提取MSU信息
S-F-B1-1-1、编写、编译包含MSU信息的源程序:
与实施例2中编写、编译包含MSU信息的源程序的方式一致。
S-F-B1-1-2、内存布局及编址方式:
在编译链接阶段,把属于同一MSU的指令和数据,以页对齐的形式,分别密排链接,指令保存在指令区、数据保存在数据区。
在编译链接阶段,所有MSU在同一线性地址空间内,各个MSU的各个连续存储区,各自进行编址,其基址和长度写入对应的MSU描述符。
S-F-B1-1-3、提取并保存MSU信息:
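At the compile-and-link stage, one MSU descriptor table is built for all MSUs, in the format of the MSU descriptor table of the memory system apparatus described above. The instruction-area and global-data-area boundary information in it is determined by measuring the space occupied by the instructions and global data that compilation produces. For the heap-area boundary information, the size of the heap to be created cannot be determined at compile time, so an entry can be reserved in the table first and the information added when a heap is needed at run time.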
把MSU描述符表保存到可执行文件内,并与操作系统约定在可执行文件中的位置,供加载时使用。
S-F-B1-2、限定MSU语法访问规则
编译器分析语法树中记载的信息,对不符合MSU访问规则的代码不予生成可执行程序,如符合,进入后续的生成汇编代码、链接的流程。
S-F-B1-3、生成与MSU访问相关的指令
为了进行MSU间的调用和返回,增设专用的调用和返回指令。
增设MSU间调用指令,格式是:
mcall 当前出口号 目标MSU的ID号 目标MSU的入口号
增设MSU间返回指令,格式是:
mret 当前出口号
访问本MSU全局数据、堆数据的指令与现有体系一致。
为访问栈数据,增设指令mmov,指令格式为:
mmov 寄存器 MSU号 地址值
mmov 寄存器 MSU号 [地址值]
mmov MSU号 地址值 寄存器
mmov MSU号 [地址值] 寄存器
为了兼容性,除以上特殊指令外,其余指令与现有体系保持一致。
S-F-B2、运行时阶段对MSU信息的处理:
进程加载时,根据进程的用户ID、用户角色类型,设置MSU属性中的MSU所属用户标识信息、MSU所属用户类型信息,操作系统申请独立的页面,通过加载程序在可执行文件约定位置处找到MSU描述符表,以及每个描述符对应的出口、入口描述符表,将其载入,并通过指令LOAD MSDTR地址值,将MSU描述符表首地址记录在MSDTR寄存器中。通过指令LOAD CMSDTR MSU的ID号,设置当前MSU在MSU描述符表中的项号。
创建进程时,由操作系统为进程分配栈区域,一种优选的方案是:栈的大小被设置为实际适用的大小,而非整个线性地址空间的大小。用栈对应的共享数据MSU的ID号,设置SMSUR寄存器。
如果操作系统加载程序时,MSU的内存分配布局,与编译链接时确定的用于边界访问控制的数据不同,则需将该数据改为与实际相符。
MSU中程序执行时,如果需要申请/释放堆空间,则通过专用系统调用进入内核,由内核中专用程序为其申请/释放堆空间,并相应修改MSU描述符表中堆区域边界值。
MSU中程序执行时,如果需要添加/删除MSU,则通过专用系统调用进入内核,由内核中专用程序为其添加/删除MSU,并修改MSU描述符表。
中断产生后,保存中断现场的内容,还要包括CMSDTR寄存器中记录的当前MSU的ID号,CMSUR中记录的当前MSU的栈底地址值。执行中断响应函数时,用IDT表中与中断响应函数对应的MSU的ID号,设置CMSDTR寄存器,中断返回时,恢复现场的内容,还包括用中断产生时保存MSU的ID号,设置CMSDTR寄存器;保存MSU的栈底地址值,设置CMSUR寄存器。
实施例5:
一种增设硬件并以页为访问控制单元来进行访问控制的内存系统单元的制作方法:
S-G-A1、内存系统装置的制作:
S-G-A1-1、制作MSU信息记录单元:
一个页面(此处页面指线性页面)只能属于一个MSU。
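On the basis of the existing page-table structure, a corresponding data structure is built in which each entry corresponds to one page-table entry and records the ID of the MSU that the page of that page-table entry belongs to. Using the ID of the MSU a page belongs to, the processor finds the corresponding entry in the MSU descriptor table; each entry corresponds to one MSU descriptor.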
将此结构体现在处理器的TLB中。
为MSU访问控制增设新硬件1:
增设的新硬件,除了不再增设实施例4中所述CMSDTR寄存器以及相应加载指令,其余与实施例4中增设硬件一致。
S-G-A1-2、制作访问控制单元:
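● Added hardware mechanism 2
When the next address after a non-transfer instruction, or the target address of an intra-MSU transfer instruction, falls outside the current page, the processor determines whether the ID of the MSU that the target page belongs to equals the ID of the MSU that the page containing the instruction belongs to. If they are equal, the current MSU boundary is deemed not to have been exceeded and execution is allowed; otherwise an exception is raised.
● Added hardware mechanism 3
When a data access instruction executes, execution is allowed if the ID of the MSU that owns the page containing the target address of the instruction equals the ID of the MSU that owns the page containing the data access instruction, or equals the ID of the MSU corresponding to the stack; otherwise an exception is raised.
● Added hardware mechanism 4
On an inter-MSU call or return, the processor checks the access against the MSU access rules; if the rules are satisfied, execution is allowed; otherwise an exception is raised.
The specific check is based on the check in Embodiment 4, with this change: instead of finding the current MSU descriptor in the MSU descriptor table through the MSDTR and CMSDTR registers, the current MSU descriptor is found in the MSU descriptor table through the MSDTR register and the ID of the MSU that owns the page containing the current instruction; and the action of setting the CMSDTR register is removed from the effects of the mcall and mret instructions.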
● 增设硬件机制5
访问共享数据MSU时的控制方式,与实施例4中对访问共享数据MSU方式一致。
● 增设硬件机制6
对中断的控制方式,与实施例4中对中断的控制方式一致。
● 增设硬件机制7
对IO指令所属MSU的属性检查方式,与实施例4中对IO指令的属性检查方式一致。
● MSU间调用后,设定当前MSU栈底地址值
MSU间调用后,设定当前MSU栈底地址值设定方式,与实施例4中在MSU间调用后,设定当前MSU栈底地址值的设定方式一致。
● 为实现对当前用户、当前角色的控制:
与实施例4中对当前用户、当前角色的控制方式一致
S-G-A2、运行时阶段对MSU信息的比对
通过本实施例前述增设硬件以及增设硬件机制,来实现对MSU的访问控制。
针对该种内存系统装置制作方式的访问控制应用方式,包括:
S-G-B1、编译包含MSU的源程序,具体包括:
S-G-B1-1、提取MSU信息,具体包括:
S-G-B1-1-1、编写、编译包含MSU信息的源程序:
实现方法与实施例2中编写、编译包含MSU信息的源程序的方法一致。
S-G-B1-1-2、内存布局及编址方式:
把属于同一MSU的指令和数据,以页对齐的形式,分别密排链接,指令保存在指令区、数据保存在数据区。所有MSU在同一线性地址空间内,以线性地址0为基址进行统一编址。
S-G-B1-1-3. Extracting and saving the MSU information:
在编译链接阶段,需要建立的数据是:
为所有的MSU建立一个MSU描述符表,以及为表中每个描述符配一个出口描述符表和入口描述符表,表的格式和实施例4中所述相应内容一致;
所述MSU描述符表的指令区边界信息、全局数据区边界信息,可以通过统计编译生成的指令和全局数据占用空间大小来确定。对于堆区边界信息,由于编译时无法确定需要建立的堆区大小,可以在对照表中先预留表项,等到运行时需要堆区的时候再临时添加信息。
把MSU描述符表保存到可执行文件内,并与操作系统约定在可执行文件中的位置。
S-G-B1-2、限定MSU语法访问规则:
编译器分析语法树中记载的信息,对不符合MSU访问规则的代码不予生成可执行程序,如符合,进入后续的生成汇编代码、链接的流程。
S-G-B1-3、生成与MSU访问相关的指令
生成的指令与实施例4中生成指令一致。
S-G-B2、运行时阶段对MSU信息的处理
进程加载时,根据进程的用户ID、用户角色类型,设置MSU属性中的MSU所属用户标识信息、MSU所属用户类型信息。操作系统申请独立的页面,通过加载程序在可执行文件约定位置处找到MSU描述符表,以及每个描述符对应的出口、入口描述符表,将它们载入页面,并通过指令LOAD MSDTR地址值,将MSU描述符表首地址记录在MSDTR寄存器中。
MSU中内容加载时,需要将内容所在页面,通过页表映射到线性地址空间中,在进行映射的过程中,增设与页表对应的数据结构,用以保存页面所属MSU的ID号。此页面号,可以通过映射的线性地址值,找到其对应的MSU边界,进而确定其所属的MSU,将其ID号写入此数据结构中,此ID号为MSU描述符在MSU描述符表中的项号。此页面的线性地址被固定的分配在对应页表之后,以便CPU通过页表可找到它。它的页表项设置与对应页表一致。找到对应页表项之后,页表项的地址向后偏移一个页面,即可找到该页表项对应的MSU信息项。
创建进程时,由操作系统为进程分配栈区域,一种优选的方案是:栈的大小被设置为实际适用的大小,而非整个线性地址空间的大小。用栈对应的共享数据MSU的ID号,设置SMSUR寄存器。
如果操作系统加载程序时,MSU的内存分配布局,与编译链接时确定的用于边界访问控制的数据不同,则需将该数据改为与实际相符。
MSU中程序执行时,如果需要申请/释放堆空间,则通过专用系统调用进入内核,由内核中专用程序为其申请/释放堆空间,并在相应页面的,与其页表一一对应的数据结构上,增添/删除MSU的ID号。
MSU中程序执行时,如果需要添加/删除MSU,则通过专用系统调用进入内核,由内核中专用程序为其添加/删除MSU,并修改MSU描述符表。
中断产生后,保存中断现场的内容,还要包括当前页面所属MSU的ID号(从与页表一一对应的数据结构中获取),CMSUR中记录的当前MSU的栈底地址值。执行中断响应函数时,用IDT表中与中断响应函数对应的MSU的ID号,设置CMSDTR寄存器,中断返回时,恢复现场的内容,还包括用中断产生时保存MSU的栈底地址值,设置CMSUR寄存器。
实施例6
通过内存系统装置,防止由于授权信息直接被修改而使攻击生效的一种实施方式是:
将授权信息及相应的维护程序,封装在一个终端MSU中,根据MSU间的访问控制规则,其它MSU中程序不能直接修改其数据,同时,确保此终端MSU中除了授权信息及相应的维护程序外,不再包含其它内容,以实现逻辑简单,功能单一,通过形式化验证和穷举测试,保证其没有漏洞,自身执行时不会产生攻击。其中授权信息包括直接的授权信息,如用户可访问的文件范围等;包括间接的授权信息,如页表信息等。进一步的,本方式还可以保护其它的重要数据,如中断描述符表等。
实施例7
通过内存系统装置,防止由于返回地址被修改而产生攻击执行序分支的一种实施方式是:
一种利用MSU的保护特性,防止call指令返回地址和/或中断产生时现场信息(包括中断返回地址)被修改的方法,具体包括:
A.设立专用的MSU;
B.当CPU需要保存当前状态信息时,将其写入专用MSU;
C.当CPU需要取出所述保存的状态信息时,再从专用MSU中取出。
一种优选的实施方式是:
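In the dedicated MSU, a dedicated state-saving function is provided to save state information, and a dedicated state-reading function is provided to read the saved state information. A preferred way of storing and retrieving the state information is as a stack: a dedicated data variable in the MSU records the stack-top position; when state information is stored, the stack-top position is decremented by the size of the space the stored state information occupies, and when state information is read, the stack-top position is incremented by the size of the space the read state information occupies.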
当CPU要保存当前状态信息时,特别的,在函数调用产生后(包括MSU内函数调用和MSU间端口函数调用)把返回地址,和/或,中断产生后,把现场信息(包括中断返回地址),保存进专用MSU,具体方式为调用专用MSU端口函数,并把要保存的信息以参数形式传递给专用MSU,之后由专用MSU中负责保存状态信息的函数,把要保存的信息存储在专用MSU中。
当CPU要取出保存状态信息时,特别的,在函数返回,和/或,中断返回前,先调用专用MSU的端口函数进入专用MSU,再由负责读取状态信息的函数,把返回地址,和/或,现场信息取出,之后根据取出的信息进行函数返回,和/或,恢复中断现场。
实施例8
通过内存系统装置,防止由于返回地址被修改而产生攻击执行序分支的一种实施方式是:
一种通过终端MSU,保护进程切换信息(包括进程地址信息)的方法,具体包括:
将每个进程状态信息管理结构(包括用于记录进程运行时状态的各个寄存器值tss)及进程切换程序(只包括用于保存当前进程状态信息以及用目标进程状态信息设置各个寄存器的相关程序),保存在终端MSU中,系统中任何进程切换的最后阶段,即切换进程状态信息的工作,都要在此MSU中完成,它里面不再包含其它内容,以此保证其逻辑简单且功能单一,通过形式化验证和穷举测试,可以保证其没有漏洞,自身执行时不会破坏进程状态信息;同时,基于MSU的保护特性,其它MSU只能通过指定的端口与此MSU进行交互,无法直接更改进程状态信息,这样就从内外两方面保证了进程状态信息的绝对安全。
实施例9
通过内存系统装置,防止由于返回地址被修改而产生攻击执行序分支的一种实施方式是:
一种利用保险箱MSU的特性,保护函数返回地址、中断现场信息(包括中断返回地址)的实现方式是:
利用保险箱MSU的特性,即其只可被特定的指令访问,用于对返回地址进行保护,防止产生新的执行序。
一种数据保护方法,其特征在于,包括:
A.增设独立于现有栈的新栈,以下称为调用信息栈;
B.当CPU需要保存当前状态信息时,将需要保存的数据写入所述调用信息栈;
C.当CPU需要取出所述保存的状态信息时,从所述调用信息栈中取出。
D.设置新的MSU属性,用于保存调用信息栈,特设可以访问此类MSU的指令。
所述A步骤中调用信息栈仅用于存储与转移现场保护相关的数据;在功能或空间上,此MSU与已经被分配用于存储代码、全局数据、栈数据的栈独立。
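The times at which the CPU needs to save the current state information include function calls and the occurrence of interrupts; the times at which the CPU needs to retrieve the saved state information include function returns and interrupt returns.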
所述调用信息栈用于存储返回地址,在内存中以栈的方式设置,在进程创建时为每个特权级设置一个。原有栈称为数据栈,用于保存参数和局部变量。增设ass寄存器和aesp寄存器,分别用于保存调用信息栈的段选择子和调用信息栈的栈顶指针。
所述步骤B进一步包括:将需要保存的数据写入调用信息栈时,aesp寄存器的值自动递减,递减值为写入数据的长度总和;
所述步骤C进一步包括:从所述调用信息栈中取出数据时,aesp寄存器的值自动累加,累加值为弹出数据的长度总和;
进一步的,增设pushadr和popadr指令,其中pushadr指令用于向调用信息栈内压入一个地址,aesp自动指向新的栈顶;popadr指令用于从调用信息栈内弹出一个地址,aesp自动指向新的栈顶。
进一步的,对call指令进行修改,修改后的call指令将返回地址压入调用信息栈,参数和局部变量保存在数据栈。优选的,为了更好的兼容现有的程序,修改后的call指令将返回地址压入调用信息栈,参数、局部变量和返回地址保存在数据栈。
进一步的,对ret指令进行修改,修改后的ret指令从调用信息栈弹出返回地址,并修改aesp的值。
进一步的,对mcall指令进行修改,修改后的指令将“CMSDTR、mcall指令中的当前出口号、CMSEBP”压入调用信息栈,参数和局部变量保存在数据栈。
进一步的,对mret指令进行修改,修改后的mret指令从调用信息栈弹出“CMSEBP”,弹出“mcall指令中的当前出口号”算出返回地址赋给eip,弹出CMSDTR,修改aesp的值。
当由于发生中断而导致CPU需要保存当前状态信息时,将需要保存的数据写入调用信息栈的步骤包括:
比较将要执行的处理例程特权级与当前特权级,若将要执行的处理例程的特权级小于当前特权级,执行步骤B1.1,若相同,执行步骤B1.2;
步骤B1.1进一步包括:
a.处理器从当前任务的tss中获得数据栈和调用信息栈的段选择子和栈指针。依次把中断例程的数据栈和调用信息栈的栈段选择子和栈指针压入新的调用信息栈,即ss0,esp0和ass0,aesp0;
b.处理器随后把EFLAGS寄存器、CS寄存器、EIP寄存器的当前值保存进新调用信息栈中;
c.如果异常同时产生了一个错误码,则把它压入数据栈中。
步骤B1.2进一步包括:
d.处理器在当前调用信息栈中保存当前EFLAGS寄存器、CS寄存器和EIP寄存器的值;
e.如果异常的错误码需要保存,则把它保存在当前的数据栈中。
当由于中断返回而导致CPU需要取出所述保存的数据时,从所述调用信息栈取出数据的步骤包括:
对iret指令进行修改:
如果在写入调用信息栈时选择执行步骤B1.1,则在步骤C中执行步骤C1,具体包括:
把新调用信息栈中保存的EFLAGS寄存器、CS寄存器、EIP寄存器的值,回传给EFLAGS寄存器、CS寄存器、EIP寄存器,把新调用信息栈中保存的ss0,esp0的值,回传给ss寄存器和esp寄存器,保存的ass0,aesp0的值,回传给ass寄存器和aesp寄存器;
如果在写入调用信息栈时选择执行步骤B1.2,则在步骤C中执行步骤C2,具体包括:
把新调用信息栈中保存的EFLAGS寄存器、CS寄存器、EIP寄存器的值,回传给EFLAGS寄存器、CS寄存器、EIP寄存器。
进一步的,设置一种新的MSU属性用于保存调用信息栈。只有call指令、mcall指令、pushadr指令、popadr指令、ret指令、mret指令、iret指令、执行中断门时可对该MSU进行访问,其他指令不可访问该MSU。
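Embodiment 10
One implementation that uses the memory system apparatus to prevent an attack branch of the execution sequence arising from a modified function pointer is:
Maliciously modifying the address value of a hook is a common attack technique. Ensuring that a hook is used as the designer of the software system originally intended defends against attacks on hooks. Our defence has two steps. Step one determines whether the hook value being called is among the addresses of all hook functions that correspond to this hook (this step intercepts address values outside the set of functions the hook may call, but cannot tell which particular hook function should be called). Step two determines whether the called hook function matches the design intent.
Step one ensures that the hook value passed along during program execution is an address of one of the hook functions that may be called through this hook. A data structure (an array, a linked list, and so on) is created to hold the address values of all hook functions that may be called through this hook, together with routines that add, delete, sort and compare the hook function addresses in the data structure. Before the hook function is called, the comparison routine checks whether the hook value passed down is among the hook function addresses recorded in the data structure; if it is, the hook function is called; otherwise the exception-handling flow is entered.
Step two determines whether the called hook function matches the design intent.
In the more complex case where a hook corresponds to two or more callable hook functions, the hook in effect forms a branch of the execution sequence that is decided by the hook value.
Although functions A and B were both designed by the designer, an attacker can still, under particular conditions, select the one that benefits them. In an operating system, for example, most of the code for reading and writing a file is the same, and only at the final stage does a hook select whether a read or a write is performed. In the code of the write-file system call, an attacker can interfere with the hook value so that the hook function for reading the file is selected, thereby obtaining a pointer to a read-only file and gaining the ability to write to the read-only file.
This is clearly not what the operating system designer intended. The aim is to ensure that the hook function called matches the program designer's original intent.
Because a selection branch takes a definite branch under definite conditions, step two works as follows: a dedicated data structure is created (a preferred scheme is a dedicated register); the condition data is stored at a designated position in the data structure, with the condition information supplied by the program's input recorded at that position; and a check instruction is added at the execution entry of every hook function that corresponds to this hook, which decides from the condition information recorded at the designated position whether the function should execute.
For file read and write operations, this means adding a register-setting instruction at the entry of the read and write system calls. If the read system call is executing, an instruction added at its entry records the read information at the designated position of the register (for example, setting the first bit to 0); if the write system call is executing, an instruction added at its entry records the write information at the designated position of the register (for example, setting the first bit to 1). An instruction added at the entry of the hook function for the read operation checks the designated position of the register (the first bit): if it is 0, execution is allowed; otherwise an exception is raised. The write operation is handled in the same way.
A system call usually uses more than one hook. The solution is to follow the process above: record the condition data of the different hooks at different designated positions in the dedicated data structure, and add check instructions to the corresponding hook functions that decide, from the condition data at the designated position, whether the function should execute.
To ensure that the hook check itself is reliable, the checking routines, the data structure described above, and the code that calls the hook function must be encapsulated in one MSU that contains nothing else. This keeps its logic simple and its function single, so that it does not give rise to an attack when it executes and is not disturbed by the execution of other MSUs.
On a process switch, the register holding the design-intent information is saved and switched in step with the saving and switching of the process context.
In addition, to keep the logic of the hook-dedicated MSU simple and its function single, and in particular to preserve flexibility, the bodies of the hook functions must not be placed in this MSU. One way to handle this is to place the bodies of the hook functions in another, common MSU.
The greatest advantage of this method is that it prevents attack programs from maliciously modifying hooks while fully preserving the flexibility of hook use.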
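The two-step hook check of Embodiment 10, sketched in C as an added example that is not code from the patent. A global variable stands in for the dedicated register, the read/write hook functions and the `sys_*_model` entry points are hypothetical, and an "exception" is modelled as a negative return value.

```c
#include <stddef.h>
#include <stdio.h>

enum { DID_READ = 1, DID_WRITE = 2,
       HOOK_FAULT_RANGE  = -1,   /* step 1 failed: value is not a known hook function  */
       HOOK_FAULT_INTENT = -2 }; /* step 2 failed: function does not fit the syscall   */

typedef int (*file_hook_t)(void);

/* Stand-in for the dedicated register: bit 0 is 0 inside the read system
 * call and 1 inside the write system call, as in the text. */
static unsigned intent_reg;
#define INTENT_BIT 0x1u

/* Step 1 data structure: every function this hook may legitimately call. */
#define MAX_HOOK_FUNCS 8
typedef struct { file_hook_t fn[MAX_HOOK_FUNCS]; size_t n; } hook_set_t;

int hook_set_add(hook_set_t *s, file_hook_t f)
{
    if (f == NULL || s->n == MAX_HOOK_FUNCS) return -1;
    s->fn[s->n++] = f;
    return 0;
}

int hook_set_contains(const hook_set_t *s, file_hook_t f)
{
    for (size_t i = 0; i < s->n; i++)
        if (s->fn[i] == f) return 1;
    return 0;
}

/* Hook function bodies. Each starts with the step 2 check against the register. */
int file_read_hook(void)
{
    if ((intent_reg & INTENT_BIT) != 0u) return HOOK_FAULT_INTENT;
    return DID_READ;
}

int file_write_hook(void)
{
    if ((intent_reg & INTENT_BIT) != 1u) return HOOK_FAULT_INTENT;
    return DID_WRITE;
}

int unrelated_function(void) { return 99; }   /* never registered for this hook */

/* Call site: step 1 runs before the indirect call is made. */
int call_file_hook(const hook_set_t *allowed, file_hook_t hook)
{
    if (!hook_set_contains(allowed, hook)) return HOOK_FAULT_RANGE;
    return hook();
}

/* System call entries record the design intent first. 'hook' is the pointer
 * value as it arrives at the call site, which may have been tampered with. */
int sys_read_model(const hook_set_t *allowed, file_hook_t hook)
{
    intent_reg &= ~INTENT_BIT;
    return call_file_hook(allowed, hook);
}

int sys_write_model(const hook_set_t *allowed, file_hook_t hook)
{
    intent_reg |= INTENT_BIT;
    return call_file_hook(allowed, hook);
}

hook_set_t make_file_hooks(void)
{
    hook_set_t s = { {0}, 0 };
    hook_set_add(&s, file_read_hook);
    hook_set_add(&s, file_write_hook);
    return s;
}

int main(void)
{
    hook_set_t hs = make_file_hooks();
    printf("write -> write hook : %d\n", sys_write_model(&hs, file_write_hook));
    printf("write -> read hook  : %d\n", sys_write_model(&hs, file_read_hook));
    printf("write -> other code : %d\n", sys_write_model(&hs, unrelated_function));
    return 0;
}
```

The second case is the one the text singles out: the swapped pointer is a legitimate hook function, so step 1 passes and only the entry check in step 2 stops it.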
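Embodiment 11
One implementation that prevents an attack branch of the execution sequence arising from modified condition-selection data is:
A dedicated register records the current system call number. At specific positions in the program's execution sequence a comparison is made against it; if the execution sequence matches the value in the register, execution is allowed; otherwise the exception-handling flow is entered.
The specific positions are the positions where branches arise.
A preferred implementation is:
1) Recording the current system call number in the SCG register:
Each system call has a system call number. After a system call is entered, the "LOAD SCG system-call-number" instruction first saves the system call number in the SCG register, marking it as the current system call. On a process switch, the current system call number is saved and the SCG register is set to the system call number of the target process.
2) Consistency check against the current system call
Option 1: In the DirtyCow case, for example, most of the code of the sys_write and sys_read system calls is shared; execution coming from sys_read reaches the do_read_fault function, and execution coming from sys_write reaches the do_cow_fault function. To determine whether the function being executed matches the system call, and to enter the exception-handling flow on a mismatch rather than continue a wrong execution sequence, comparison logic can be added after the if statement that precedes the calls to do_read_fault and do_cow_fault. The logic is: obtain the current system call number from the SCG register. If the number corresponds to sys_read, then entering the do_read_fault branch means the function matches the system call and execution is allowed, while entering the do_cow_fault branch means they do not match and the exception-handling flow is entered. If the number corresponds to sys_write, then entering the do_cow_fault branch means the function matches the system call and execution is allowed, while entering the do_read_fault branch means they do not match and an exception is raised.
Option 2: the comparison logic of option 1 is instead added at the very start of the instructions of the do_read_fault and do_cow_fault functions.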
实施例12
一种通过内存系统装置,防止攻击者直接修改被攻击者代码的实施方式是:
将操作系统中用以页表管理的代码和数据,存储在一个终端MSU中。数据包括:页目录表、页表的相关数据;代码包括:对页表和页目录表进行设置的端口函数,将其它MSU代码所在页面对应的页表项设置为只读,其它MSU不能直接修改此终端MSU中页表项的只读设置,也就无法修改被攻击者的代码。
实施例13
一种通过内存系统装置,防止攻击者通过任意指定可执行区域,有机会引入有利于攻击的执行序的实施方式是:
程序在运行过程中,可执行的指令和数据除了从源文件中获得之外,还有将内存中一段指定的信息设置为可执行的指令及其需要的数据。为了使动态增加的指令和数据也受到MSU的保护和控制,设置一种在MSU机制下将新增的指令和数据按MSU区域保存并接受MSU访问控制规则的方式:
具体方案:
操作系统新增以下系统调用:添加新MSU。该系统调用一次可增加多个MSU,MSU的个数在参数中指定。不支持将新增的执行序添加在一个进程现有的MSU中。
函数参数:增加MSU个数;待增加的MSU的信息数组指针。
函数返回值:当增加成功,返回增加的个数;当增加不成功,返回失败信息
每个MSU的信息为一个数据结构,如:
MSU信息
{
MSU名;
MSU属性;
端口列表;
端口匹配列表;
全局数据存储地址;
全局数据长度;
指令存储地址;
指令存储长度;
MSU重定位表地址
};
功能说明:
内核根据MSU信息列表获得待分配的MSU信息,以及各个MSU需要存储的指令和数据。根据其中的信息为新MSU分配线性地址空间区域,并回填MSU中需要重定位的信息,如函数地址、全局变量地址,端口列表、端口匹配列表中的函数地址值,并根据MSU的实际信息填充在操作系统中的MSU描述符表中的信息。
操作系统完成上述工作之后,返回系统调用。
该系统调用可实现将新增的执行序和数据按照约定的MSU格式添加到现有的进程中。并将新增执行序与现有的执行序和数据进行隔离保护,新增的MSU和原有的MSU必须按照MSU间访问的规则互访。
进一步的,为了避免攻击者将一块自己精心准备好的内存变为可执行,增加以下功能:
增加系统调用,用于向内核申请一块内存,这块内存将用于保存新增MSU的信息和内容,内核在分配这类内存页面时,会在其页表中增添属性,标明该页面用于存储上述MSU信息和内容。当新增MSU时,内核会判断上述添加新MSU的系统调用中,参数指针是否指向上述特别用于保存MSU的信息和内容的页面,如是,可正常新建MSU,如不是,则报错返回。
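These functions guarantee that a user process that wants to dynamically designate the contents of a block of memory as a new MSU must first request a special page from the kernel, and the kernel converts only the contents of such pages into a new MSU. This prevents an attack program from supplying an arbitrary memory address, storing MSU information and contents there, and having the contents at that address turned into a new MSU.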
实施例14
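One implementation that loads a dynamic link library in accordance with the access control rules of the memory system apparatus is:
While running, a program may need to load code dynamically, for example a dynamic link library. So that the instructions and data from the dynamic link library are also protected and controlled by MSUs, a way of loading dynamic link libraries under the MSU mechanism is provided, in which the added instructions and data are stored by MSU region and are subject to the MSU access control rules: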
具体方案:
新增系统调用,完成动态链接库的加载
函数参数:动态链接库的路径
返回值:加载成功\加载失败
动态链接库的文件格式需与操作系统以约定的形式进行,库文件中需包含动态链接库的MSU信息表。
当操作系统加载库文件时,读出MSU信息表,将其中的代码和数据以信息表约定的MSU属性规则进行加载。所有加载的MSU,都为新增MSU。
操作系统根据现有进程的内存分配情况,为动态链接库实际分配合理的MSU线性地址区域,并对其中的函数和全局数据进行地址重定位。
根据MSU的实际加载情况,操作系统改写其保存的MSU信息描述表及端口列表和端口匹配表,以增加新的MSU信息。
通过该系统调用,可实现在现有进程的线性地址空间中增加动态链接库中包含的新MSU。其与进程中原有MSU按照MSU访问规则进行互访,可实现对原有进程与新增库的隔离保护。
实施例15
一种加载可执行程序供其运行在内存系统装置的实施方式是:
将MSU信息存储在可执行程序中,加载时,内核的加载程序读取该信息后,按照其指定的MSU边界为其加载程序的代码和数据,并将MSU信息写入MSU描述符表。内核为进程分配栈空间,并将栈空间对应的MSU设置为共享MSU,根据实际栈的边界值设置其边界信息。
实施例16
一种通过内存系统装置,防止攻击发起后,直接跳转到攻击者在进程空间预先准备好的攻击代码处执行的实施方式是:
将进程中程序封装在MSU中,利用MSU间访问必须通过端口的特性,可以实现,即使在内核中发生了执行序被改变的情况,当执行序被改变为跳转至进程空间时,由于进程空间的目标地址与执行跳转的位置不是合法的、匹配的入口与出口,从而导致该跳转不合法被拦截。
实施例17
一种按照功能单一的原则,将同一特权级中的程序,封装在不同的MSU中,使每个MSU中的程序,只能完成某个特定的功能的实施方式是:
以操作系统为例,将文件操作管理、缓冲区管理、请求项管理、页面管理、进程管理等只能完成特定功能的代码和数据,分别封装在不同的MSU中,其中任何一个MSU中产生攻击,也不会直接影响到其它MSU中的程序。
以应用程序为例,如数据库,将数据库中与用户权力相关的数据及操作程序存储在MSU-A中,将对用户数据查询的操作程序及相关数据存储在MSU-B中。当用户远程访问数据库时,MSU-B中程序响应用户请求,为用户查询数据,如果执行过程中产生了攻击,某函数返回地址值被修改了,而且正好改为MSU-A中函数首地址,根据MSU的特性,MSU内转移指令的目标地址不得跨越MSU边界,这样函数返回指令执行时会产生异常,并进入异常处理流程,从而保证MSU-A中权力数据不被更改,攻击的影响力被限制在MSU-B范围内。
实施例18
一种通过内存系统装置,对在MSU间的访问进行检查的实施方式是:
确保同一特权级内的所有程序都封装在MSU中,利用检查MSU的特性,当其它MSU需要通过端口进行转移时,先转移到检查MSU,并将携带的数据也传递给检查MSU,检查MSU对数据中与权力有关的内容进行检查,如果超出权力许可范围,予以拦截,否则,由检查MSU转移到目标MSU执行。
进一步的,检查MSU除了可以检查与权力有关的数据,还可以检查设计者认为的其它重要数据,并做出相应处理。
实施例19
一种通过内存系统装置,防止攻击者直接操作外设中用户数据而使攻击生效的实施方式是:
利用I/O指令MSU的特性,把用于将外设中寄存器端口映射到MSU的数据区的程序,特别的,包括I/O指令,封装在此MSU中。以此保证,只有此MSU中程序,才能进行寄存器端口和内存数据区的映射。同时,把与外设进行交互的程序,特别的,把给外设下达交互指令的程序,封装在终端MSU中,确保I/O指令MSU中的程序,只把外设中寄存器端口映射到了此类终端MSU的数据区。这样只有此MSU才能与外设进行交互,同时,通过形式化验证和穷举测试,确保I/O指令MSU和终端MSU中程序功能单一,不存在漏洞。
实施例20
一种通过内存系统装置,防止攻击者直接操作内存中用户数据而使攻击生效的实施方式是:
设立一种用于缓冲区与进程空间进行用户数据交互的终端MSU的具体实施方式是:
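This terminal MSU contains only the code used for interaction between the buffer and the process space. Specifically: from parameters such as the physical page number corresponding to the address at which the user space stores the data, the offset of the copy target address within the page, the physical page number corresponding to the buffer block, and the number of bytes to copy, it determines the location of the data to be exchanged; it selects a temporary address inside this terminal MSU, maps the two physical pages at the selected address, performs the data copy, and removes the temporary mapping when the copy is complete. Any other MSU in the kernel that needs to exchange data with the process space calls this terminal MSU through a port function, which guarantees that other kernel MSUs can exchange user data with the process space only through this terminal MSU.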
实施例21
不同MSU之间通过共享物理页面进行数据交互的实施方式是:
假设MSU-A需要往MSU-B对应的页面中写入数据。把MSU-B中指定的线性地址对应的物理页面,临时映射到MSU-A的页框中,把数据写入到页面上,之后再解除临时的映射关系。这样MSU-B就可得到此数据了。MSU-A操作此页面时将此页面加锁,使MSU-A中程序操作此页面时,MSU-B没有机会操作此页面。
实施例22
One implementation that designates the MSU stack-bottom address and thereby sets up a private stack space for each MSU is:
在MSU间调用的参数传递指令前,获取栈顶地址值,并将此地址值压入栈中,此地址值作为目标MSU的栈底地址值;调用进目标MSU后,在其指令的起始位置,添加指令,获取栈中传递的上述地址值,认定它为当前MSU栈底地址值。
实施例23:
MSU描述符表中记录着每个MSU的描述符,一种优选的MSU描述符的格式参见表4。
表4一种优选的MSU描述符格式
表中N代表一个自然数,其取值最终取决于存储内容所需的最大空间。
MSU的ID号为MSU描述符在MSU描述符表中的项号。
为每个MSU描述符配一个出口描述符表和入口描述符表;所述出口描述符表,用以记录每个MSU的出口信息以及出口与其它MSU入口的匹配信息,由出口描述符组成,每个MSU描述符对应一个出口描述符表,每个出口的出口号,代表着该出口描述符在出口描述符表中的项号。
一种优选的出口描述符格式参见表5。
表5一种优选的出口描述符格式
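The entry descriptor table records the entry information of each MSU. It consists of entry descriptors; each MSU descriptor corresponds to one entry descriptor table, and the entry number of each entry is the index of its entry descriptor in the entry descriptor table.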
一种优选的入口描述符格式参见表6。
表6一种优选的入口描述符格式
存储内容 | 字节数 | 描述 |
入口地址 | N | 表示MSU中入口的地址值 |
实施例24:
增设MSDTR寄存器,用以记录MSU描述符表首地址,该地址为线性地址。
增设MSDTR寄存器的加载指令LOAD MSDTR地址值。用以将MSU描述符表首地址存储进MSDTR。此指令为特权执行,只能在0特权级下执行。
增设CMSDTR寄存器,用以记录当前MSU的ID号,即在MSU描述符表中的项号。
增设CMSDTR寄存器的加载指令LOAD CMSDTR MSU的ID号。用以将当前MSU描述符在MSDT中的索引值(即MSU号),存储进CMSDTR。此指令为特权执行,只能在0特权级下执行。
增设CMSEBP寄存器,用以记录当前MSU栈底地址值。
为了保证处理器能够时时确定栈对应的共享数据MSU,特设一个寄存器,保存栈对应的共享数据MSU的ID号:
增设SMSUR寄存器,用以记录栈对应的共享数据MSU的ID号。
增设当前用户ID寄存器CUR;增设专用指令设置CUR:LOAD CUR 用户ID号,此指令为特权执行,只能在0特权级下执行。
增设当前角色ID寄存器CPR;增设专用指令设置CPR:LOAD CPR 角色ID号,此指令为特权执行,只能在0特权级下执行。
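A current-system-call-number register, SCG, is added, together with a dedicated instruction to set SCG: LOAD SCG system-call-number. This instruction is privileged and can execute only at privilege level 0.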
实施例25:
为了进行MSU间的调用和返回,增设专用的调用和返回指令。
增设MSU间调用指令,格式是:
mcall 当前出口号 目标MSU的ID号 目标MSU的入口号
功能为:处理器依据mcall指令中的当前出口号、目标MSU的ID号、目标MSU的入口号,在当前MSU描述符对应的出口描述符表中,找到目标地址,先将当前MSU的ID号和当前出口号压栈,之后跳转到目标地址。
增设MSU间返回指令,格式是:
mret 当前出口号
功能为:处理器依据调用时栈中保存的原MSU的ID号和原出口号,在MSU描述符表中,找到原MSU描述符,及其对应的出口,进而找到出口对应的返回地址,之后跳转到返回地址。当前出口号用于匹配检查。
访问本MSU全局数据、堆数据的指令与现有体系一致。
为访问栈数据,增设指令mmov,指令格式为:
mmov 寄存器 MSU号 地址值
mmov 寄存器 MSU号 [地址值]
mmov MSU号 地址值 寄存器
mmov MSU号 [地址值] 寄存器
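Embodiment 26:
A specific implementation in which hardware is added and access control is performed with the contiguous storage area as the unit of access control.
The MSU access rules on which access control is based are:
Added hardware mechanism 1:
The processor determines whether the next address after a non-transfer instruction, and the target address of an intra-MSU transfer instruction, exceed the current MSU boundary. If the boundary is exceeded, an exception is raised; otherwise execution is allowed.
Added hardware mechanism 2:
The processor determines whether the target address in a data access instruction belongs to the current data area or the stack area; if it does not, an exception is raised; if it does, the access is allowed.
Logic of mcall and mret:
When the instruction executes, the processor first checks the legality of the call/return against the MSU access rules. If the rules are satisfied, the instruction is allowed to proceed; otherwise an exception is raised.
The checks are: the MSU descriptor enable/disable check, the MSU attribute matching check, and the MSU port matching check.
MSU descriptor enable/disable check:
First, the current MSU descriptor is found in the MSU descriptor table through the MSDTR and CMSDTR registers; then the target MSU descriptor is found in the table through the ID of the target MSU. If the enable/disable bit of either descriptor is 0, the descriptor is invalid and an exception is raised; if both are 1, the attribute matching check follows.
When mcall executes, the ID of the target MSU is taken from the operands carried in the mcall instruction; when mret executes, the ID of the target MSU is taken from the information that was saved at the top of the stack when mcall executed in the original MSU.
MSU attribute matching check:
The processor obtains the attribute information from the attribute fields of the current MSU descriptor and the target MSU descriptor and performs the inter-MSU attribute matching check. If the attribute match conforms to the MSU attribute matching rules set out in the Summary of the Invention, the port matching check follows; otherwise an exception is raised.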
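How the processor performs the port matching check when mcall executes:
Through the exit descriptor table base address saved in the current MSU descriptor, the exit descriptor table is found; the current exit number obtained from mcall is used to find the corresponding entry in that table, which identifies the exit descriptor. Three comparisons are then made: the address of the mcall instruction against the exit address in the exit descriptor; the target MSU ID carried in the mcall instruction against the target MSU ID in the exit descriptor; and the target MSU entry number carried in the mcall instruction against the corresponding target MSU entry number in the exit descriptor. If any one differs, an exception is raised; if all match, the mcall instruction proceeds.
How the processor performs the port matching check when mret executes:
Through the exit descriptor table base address saved in the current MSU descriptor, the exit descriptor table is found; the current exit number obtained from mret is used to find the corresponding entry in that table, which identifies the exit descriptor. If the address of the mret instruction differs from that exit address, an exception is raised; otherwise the mret instruction proceeds.
What the mcall instruction does next once the checks pass:
The value of the CMSDTR register, the current exit number recorded in the mcall instruction, and the value of the CMSEBP register are pushed onto the stack; the CMSDTR register is set to the MSU ID in the mcall instruction; and the EIP register is set to the target address stored in the exit descriptor.
What the mret instruction does next once the checks pass:
CMSDTR is set to the original MSU's ID that was saved at the top of the stack when mcall executed in the original MSU. Through that MSU ID the original MSU descriptor is found, and with it the corresponding exit descriptor table; the original MSU's exit number saved at the top of the stack when mcall executed is used to find the corresponding exit descriptor in that table, and the EIP register is set to the return address recorded in the descriptor. The CMSEBP register is set to the original MSU's stack-top address value saved at the top of the stack when mcall executed.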
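The mcall and mret sequences described in Embodiment 4 and again here in Embodiment 26, modelled in C as an added example that is not code from the patent. Field widths, the array-backed stack and the sample addresses are constructed, the index range checks are an assumption, and the attribute-matching step is left out because its rule table is not given in this part of the text.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { MSU_OK, MSU_FAULT_INVALID, MSU_FAULT_PORT, MSU_FAULT_STACK } msu_status_t;

/* Exit descriptor: the fields listed for Figure 2 (widths are assumed). */
typedef struct {
    uint32_t exit_addr;          /* address of the mcall/mret instruction */
    uint32_t target_msu;         /* MSU ID this exit may transfer to      */
    uint32_t target_entry;       /* entry number inside the target MSU    */
    uint32_t target_entry_addr;  /* loaded into EIP by mcall              */
    uint32_t return_addr;        /* loaded into EIP by mret               */
} exit_desc_t;

typedef struct {
    uint8_t valid;               /* enable/disable bit: 1 = enabled */
    uint32_t n_exits;
    const exit_desc_t *exits;    /* exit descriptor table           */
} msu_desc_t;

typedef struct {
    const msu_desc_t *msdtr;     /* MSDTR: base of the MSU descriptor table */
    uint32_t n_msu;
    uint32_t cmsdtr;             /* CMSDTR: ID of the running MSU           */
    uint32_t cmsebp;             /* CMSEBP: stack bottom of the running MSU */
    uint32_t eip;                /* address of the instruction executing    */
    uint32_t stack[12];
    int sp;                      /* number of words on the model stack      */
} cpu_t;

static const exit_desc_t *find_exit(const cpu_t *c, uint32_t msu, uint32_t exit_no)
{
    if (msu >= c->n_msu || exit_no >= c->msdtr[msu].n_exits) return NULL;
    return &c->msdtr[msu].exits[exit_no];
}

static int enabled(const cpu_t *c, uint32_t msu)
{
    return msu < c->n_msu && c->msdtr[msu].valid == 1;
}

/* mcall exit_no target_msu target_entry; on any fault the state is unchanged. */
msu_status_t mcall(cpu_t *c, uint32_t exit_no, uint32_t target_msu, uint32_t target_entry)
{
    if (!enabled(c, c->cmsdtr) || !enabled(c, target_msu)) return MSU_FAULT_INVALID;
    const exit_desc_t *e = find_exit(c, c->cmsdtr, exit_no);
    if (!e || e->exit_addr != c->eip ||            /* 1: instruction sits at the exit */
        e->target_msu != target_msu ||             /* 2: target MSU ID matches        */
        e->target_entry != target_entry)           /* 3: target entry number matches  */
        return MSU_FAULT_PORT;
    if (c->sp + 3 > (int)(sizeof c->stack / sizeof c->stack[0])) return MSU_FAULT_STACK;
    c->stack[c->sp++] = c->cmsdtr;                 /* push CMSDTR, exit no., CMSEBP   */
    c->stack[c->sp++] = exit_no;
    c->stack[c->sp++] = c->cmsebp;
    c->cmsdtr = target_msu;
    c->eip = e->target_entry_addr;
    return MSU_OK;
}

/* mret exit_no: the return target comes from the saved MSU ID and exit number. */
msu_status_t mret(cpu_t *c, uint32_t exit_no)
{
    if (c->sp < 3) return MSU_FAULT_STACK;
    uint32_t src_msu = c->stack[c->sp - 3], src_exit = c->stack[c->sp - 2];
    if (!enabled(c, c->cmsdtr) || !enabled(c, src_msu)) return MSU_FAULT_INVALID;
    const exit_desc_t *here = find_exit(c, c->cmsdtr, exit_no);
    const exit_desc_t *back = find_exit(c, src_msu, src_exit);
    if (!here || here->exit_addr != c->eip || !back) return MSU_FAULT_PORT;
    c->cmsebp = c->stack[c->sp - 1];
    c->sp -= 3;
    c->cmsdtr = src_msu;
    c->eip = back->return_addr;
    return MSU_OK;
}

/* Constructed sample: MSU 0 may call entry 0 of MSU 1; MSU 2 is disabled. */
static const exit_desc_t A_EXITS[] = { { 0x1010, 1, 0, 0x2000, 0x1015 } };
static const exit_desc_t B_EXITS[] = { { 0x2040, 0, 0, 0, 0 } };  /* mret site in MSU 1 */
static const msu_desc_t MSDT[] = { { 1, 1, A_EXITS }, { 1, 1, B_EXITS }, { 0, 0, NULL } };

cpu_t fresh_cpu(void)
{
    cpu_t c = { MSDT, 3, 0, 0x7000, 0x1010, { 0 }, 0 };
    return c;
}

int main(void)
{
    cpu_t c = fresh_cpu();
    printf("mcall at exit     : %d, eip=0x%x\n", mcall(&c, 0, 1, 0), (unsigned)c.eip);
    c.eip = 0x2040;
    printf("mret at exit      : %d, eip=0x%x\n", mret(&c, 0), (unsigned)c.eip);
    c.eip = 0x1030;               /* an mcall reached at an address that is not an exit */
    printf("mcall off the exit: %d\n", mcall(&c, 0, 1, 0));
    return 0;
}
```

Because mret never takes its destination from the instruction operand or from a raw address on the stack, a corrupted return value can at most select another recorded exit of the original MSU.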
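Added hardware mechanism 3:
A shared-data MSU must be accessed with the shared-data MSU access instruction; otherwise an exception is raised. If the shared-data MSU access instruction accesses a non-shared-data MSU, an exception is raised. Specifically:
If the MSU number specified in the mmov instruction is the number of the MSU that holds the stack, the processor determines whether the target address is lower than the current MSU's stack-bottom address recorded in the CMSEBP register; if it is lower, execution is allowed, otherwise an exception is raised. If the MSU number specified in the mmov instruction is not the number of the MSU that holds the stack, an exception is raised.
Added hardware mechanism 4:
The ID of the MSU that contains the interrupt response function is set in the IDT. When the response function executes, the current MSU is automatically switched to the MSU that contains it. When the interrupt context is saved, the MSU ID and the MSU stack-bottom address at the time of the interrupt are saved as well, and they are restored together when the context is restored.
To control the current user and the current role:
At a non-zero privilege level, when the MSU switches, the CUR and CPR registers are set automatically from the ID values in the two fields "user the MSU belongs to" and "role the MSU belongs to" of the target MSU's descriptor table. The user and role that the target MSU belongs to are thereby treated as the current user and the current role.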
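Embodiment 27:
A specific implementation in which hardware is added and access control is enforced at page granularity.
Added hardware mechanism:
A page (here meaning a linear page) can belong to only one MSU.
On top of the existing page-table structure, a corresponding data structure is built. The page holding this data structure is placed immediately next to the page holding the page table: once the start address of the page-table page is found, offsetting by one page toward higher addresses gives the start address of the page holding the data structure.
Each entry in the data structure corresponds to one page-table entry and records the ID of the MSU that owns the page mapped by that page-table entry. Using the ID of the owning MSU, the processor finds the corresponding entry in the MSU descriptor table; each entry corresponds to one MSU descriptor.
This structure is reflected in the processor's TLB.
The above are merely preferred embodiments of the present invention and are not intended to limit its scope of protection. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention falls within its scope of protection.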
Claims (79)
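- A memory system device, characterized in that: a specific unit in the memory system device is called a memory system unit, and the memory system unit is called an MSU; the memory system device refers to a set of specific access controls and the access region it controls; the region comprises CPU-addressable storage space that is recognized by the access control set and enclosed by a set of boundaries; the access control set comprises: MSU information, a permission mechanism for accessing the region, and/or a prohibition mechanism for accessing the region.
- The device according to claim 1, characterized in that: the region consists of one or more contiguous storage areas in the same linear address space; each contiguous storage area is delimited by address identifiers at its two ends, and the set of all the aforesaid address identifiers constitutes the boundary of the region.
- The device according to claim 2, characterized in that: the storage areas that hold data and code are called the data area and the code area respectively; the regions of different MSUs do not intersect.
- The device according to any one of claims 1-3, characterized in that: the MSU information comprises: MSU boundary information, MSU port information and MSU attribute information.
- The device according to claim 4, characterized in that: a null-port MSU is provided, whose MSU port information is empty but which still has MSU boundary information and MSU attribute information.
- The device according to claim 1, characterized in that: the permission mechanism comprises: allowing non-transfer instructions, interrupt instructions, and transfer instructions whose target address is within the current region to execute within the region; allowing instructions within the region to access data within the current region; and allowing data to be passed between regions, whether from inside a region to outside or from outside to inside, by way of parameter passing.
- The device according to claim 6, characterized in that: the permission mechanism for access between regions, that is, leaving or entering this region, further comprises: transfer instructions between MSUs must be executed through ports, and the attribute information and port information must match.
- The device according to claim 1, characterized in that: the prohibition mechanism comprises: prohibiting the execution of instructions in the data area of a region; and, apart from what the permission mechanism allows, raising an exception for every cross-region instruction execution and every cross-region data access, whether from inside a region to outside or from outside to inside.
- The device according to claim 8, characterized in that: the cross-region instruction executions outside the permission mechanism that raise an exception include non-transfer instructions, transfer instructions, and MSU information mismatches.
- The device according to claim 6, characterized in that: the permission mechanism further comprises a shared-data MSU, which contains only data shared by other MSUs and no instructions; other MSUs are allowed to operate on the data in the shared-data MSU through agreed instructions.
- The device according to claim 10, characterized in that: the kernel stack and/or the user stack is placed in a shared-data MSU; the MSU to which a stack belongs must be a shared-data MSU, and other MSUs operate on the data in the stack through agreed instructions.
- The device according to any one of claims 1-11, characterized in that: the MSU boundary information comprises: the set of boundary information of all contiguous storage areas in the region recognized by the access control set; the data structure that stores this information is called boundary data for short; the address of the boundary data is associated with the memory system device and is recognizable by it; when the boundary of a region needs to be looked up, the device can find the data structure from the address of the boundary data and thereby obtain all the boundary information.
- The device according to any one of claims 1-11, characterized in that: the MSU port information comprises entries and/or exits; within the instruction address range of the region recognized by the access control set, a finite number of instruction addresses are designated as entries or exits, each instruction address being one entry or exit.
- The device according to claim 13, characterized in that: the entry is: the target address of an inter-MSU transfer instruction in the region; the exit is: the address at which an inter-MSU transfer instruction is located.
- The device according to any one of claims 1-11, characterized in that: the MSU attribute information comprises: MSU identification information and MSU type information; the MSU identification information is a unique identifier that distinguishes the MSU from other MSUs.
- The device according to claim 15, characterized in that: the MSU attribute information further comprises: type information of the user to which the MSU belongs and identification information of the user to which the MSU belongs; the type information of the user to which the MSU belongs is the type of that user, and the identification information of the user to which the MSU belongs is the unique identifier of that user.
- The device according to any one of claims 1-11, characterized in that: the MSU port information matching and the MSU attribute information matching mean: in the program initialization phase, the exits, entries, boundaries, identification information and type information of the MSUs needed to execute transfer instructions are recorded in the MSU descriptor table; at run time, the information contained in a transfer instruction is compared with the port information and the attribute information in the MSU descriptor table; if the results match, the transfer is deemed legal and the transfer instruction is allowed to execute; otherwise, it is deemed illegal and an exception is raised.
- The device according to claim 15, characterized in that: the MSU type information may be one of ordinary MSU and shared-data MSU.
- The device according to claim 18, characterized in that: the device further comprises a check MSU; an MSU whose type information is marked "check MSU" is regarded as a check MSU; when the device contains a check MSU, an ordinary MSU is not allowed to call another ordinary MSU directly: the source MSU must first call the check MSU, and the check MSU then calls the target MSU; when the target MSU returns, it first returns to the check MSU, and the check MSU then returns to the source MSU.
- The device according to any one of claims 18-19, characterized in that: the device further comprises a terminal MSU; an MSU whose type information is marked "terminal MSU" can only be called by other MSUs and cannot call other MSUs.
- The device according to any one of claims 18-20, characterized in that: the device further comprises a null-port MSU; an MSU whose type information is marked "null-port MSU" has no ports; other MSUs may freely call the functions of a null-port MSU but may not directly access its data; a null-port MSU calling another MSU must enter that MSU through its port; different null-port MSUs may freely call each other's functions but may not access data; when a terminal MSU exists, a null-port MSU may not call the terminal MSU.
- The device according to any one of claims 18-21, characterized in that: a safe-box MSU and/or an IO-instruction MSU is added to the MSU type information; the safe-box MSU is not allowed to contain an instruction area; only certain operations that need to save state information may access this MSU; when the device contains an IO-instruction MSU, special instructions related to IO operations are allowed to execute only within MSUs of this type; the attribute matching check rules for the IO-instruction MSU are the same as for the terminal MSU.
- The device according to any one of claims 1-22, characterized in that: the address of the boundary data is associated with the MSU and is recognizable by the MSU, with the following options: Option 1: the start address of the boundary information data structure in memory is recorded in a dedicated register, and the computing device automatically obtains the boundary information data structure from that dedicated register; the instruction that assigns the start address to the dedicated register is made a special instruction whose use is access-controlled; or Option 2: on the Intel architecture, protected-mode segments are used, or on other architectures a mechanism with a segment-like effect is used, to mark the boundary information of a region; or Option 3: the start address of the boundary information data structure is recorded in dedicated data, the computing device automatically obtains the boundary information data structure from that dedicated data, and the data is obtained in software instructions for use in access control.
- The device according to claim 23, characterized in that: the computing device is a CPU.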
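- A method of making the memory system device according to any one of claims 1-24, and an access control method based on that way of making the memory system device, characterized in that: making the memory system device comprises: making an information recording unit and an access control mechanism unit; the information recording unit refers to recording and identifying MSU information in the memory system device; the access control unit refers to controlling access to regions, according to specific run-time information and the MSU information in the information recording unit, in accordance with the permission mechanism and the prohibition mechanism.
- The method according to claim 25, characterized in that: the memory system device information comprises MSU region information, MSU attribute information, MSU port information and MSU user information.
- The method according to claim 25, characterized in that: the permission mechanism comprises: allowing transfers between MSUs through ports that conform to the matching specification; and allowing other MSUs to access the data of a shared-data MSU through specific instructions; the prohibition mechanism comprises: prohibiting all instructions that cross a boundary directly without going through a port, prohibiting mutual access between MSUs that goes through a port but does not conform to the matching specification, and prohibiting an MSU from accessing the data of any MSU other than itself and shared MSUs.
- The method according to claim 27, characterized in that: controlling access to MSUs comprises: access that conforms to the permission mechanism passes; access that falls under the prohibition mechanism raises an exception.
- The method according to any one of claims 25-28, characterized in that: the access control method based on this way of making comprises: adding syntax rules and/or using existing syntax rules and/or using configuration information to write source code that conforms to the MSU rules; extracting and recording MSU information during compilation and linking; generating the corresponding instructions for MSU access actions; allocating the page layout and determining the addressing scheme according to the characteristics of the memory system device; generating an executable program as the memory system device requires; and, when the program is loaded, loading the MSU information into the information recording unit of the memory system device and executing the program.
- The method according to any one of claims 25-29, characterized in that: making the MSU information recording unit comprises: saving the aforesaid MSU information as an MSU control reference table such that the memory system device can find the MSU control reference table; and saving the current MSU identification information such that the memory system device can know the current MSU.
- The method according to claim 30, characterized in that: the stack-bottom position accessible to the current MSU is further recorded in the MSU information recording unit.
- The method according to any one of claims 25-31, characterized in that: making the MSU access control mechanism unit comprises: the access control mechanism unit is generated according to the access control rules of the MSU.
- The method according to claim 32, characterized in that: instructions in an MSU can access the data in that MSU, and specific instructions can access the data of a shared-data MSU.
- The method according to claim 33, characterized in that: in the stack area, each MSU is allotted a space that belongs only to itself, namely: from this MSU's stack-bottom position to the stack-top position of the whole stack space, where this MSU's stack-bottom position is: the stack-top position of the MSU that called it before parameters were passed, or the stack-bottom position value of the whole stack area; an MSU is not allowed to access the stack space of other MSUs.
- The method according to claim 32, characterized in that: the access control rules for calls between MSUs comprise, shared-data MSUs excepted: where only MSUs with the ordinary MSU attribute are included, the access control rule is: call and return instructions are allowed to execute only between ordinary MSUs; where only ordinary MSUs and check MSUs are included: call and return instructions are allowed to execute only between ordinary MSUs and check MSUs; where only ordinary MSUs and terminal MSUs are included, only the following are allowed: calls and returns between ordinary MSUs; call instructions from an ordinary MSU to a terminal MSU; return instructions from a terminal MSU to an ordinary MSU; where only ordinary MSUs, check MSUs and terminal MSUs are included, only the following are allowed: call and return instructions between ordinary MSUs and check MSUs; call instructions from a check MSU to a terminal MSU; return instructions from a terminal MSU to a check MSU; where only ordinary MSUs and null-port MSUs are included, only the following are allowed: call and return instructions between ordinary MSUs; call and return instructions between null-port MSUs; call and return instructions between ordinary MSUs and null-port MSUs; where only ordinary MSUs, check MSUs and null-port MSUs are included, only the following are allowed: call and return instructions between ordinary MSUs and check MSUs; call and return instructions between null-port MSUs and check MSUs; where only ordinary MSUs, terminal MSUs and null-port MSUs are included, only the following are allowed: call and return instructions between ordinary MSUs; call and return instructions between null-port MSUs; call and return instructions between ordinary MSUs and null-port MSUs; call instructions from an ordinary MSU to a terminal MSU; return instructions from a terminal MSU to an ordinary MSU; where only ordinary MSUs, check MSUs, terminal MSUs and null-port MSUs are included, only the following are allowed: call and return instructions between ordinary MSUs and check MSUs; call and return instructions between null-port MSUs and check MSUs; call instructions from a check MSU to a terminal MSU; return instructions from a terminal MSU to a check MSU; the call and return access control rules for the IO-instruction MSU are the same as for the terminal MSU.
- The method according to any one of claims 25-35, characterized in that: the access control method based on this way of making the memory system device comprises the steps: B1, compiling a source program that contains MSUs, specifically comprising: B1-1, extracting MSU information; B1-2, restricting the MSU syntax access rules; B1-3, generating the instructions related to MSU access; B2, processing MSU information in the run-time phase.
- The method according to claim 36, characterized in that: step B1-1 specifically comprises: with the support of new syntax rules, existing syntax rules or configuration information, enabling the programming phase to express and retain, completely and accurately, the MSU information in the program design, further comprising: specifying, through new syntax rules, existing syntax rules or configuration information, the MSU to which functions and data belong; the type and identifier of each MSU; which functions are MSU-internal functions, which are port functions, and which port functions have calling relationships with one another; the compiler records the extracted information in the form of a syntax tree; based on the information in the syntax tree, the memory layout of the program is established, instructions and data are assigned addresses, and the addresses of the boundary information and port information are extracted; based on the information in the syntax tree, the attribute information, the MSU valid/invalid state and the MSU ID are extracted; the compiler saves the MSU information in a structure that conforms to the MSU control reference table in the memory system device.
- The method according to claim 36, characterized in that: step B1-2 comprises: the compiler analyzes the information recorded in the syntax tree and does not generate an executable program for code that does not conform to the MSU access rules; the MSU access rules comprise: within an MSU, functions may call one another and may access the global data that belongs to that MSU; between MSUs, a function of an MSU is allowed to call only the port functions of other MSUs; calls through function pointers are not allowed; further, only the port functions of an MSU are allowed to call the port functions of other MSUs; further, only IO-instruction MSUs are allowed to use specific IO instructions; the code of an MSU may not access the data of any other MSU except shared-data MSUs; as a special case, MSUs of other types are allowed to call any function of a null-port MSU; further, for MSUs with different attributes, the syntax rules for calls and returns between MSUs may be further restricted, specifically, shared-data MSUs excepted: where only MSUs with the ordinary MSU attribute are included, the syntax rule is: only calls and returns between ordinary MSUs are allowed; where only ordinary MSUs and check MSUs are included: only calls and returns between ordinary MSUs and check MSUs are allowed; where only ordinary MSUs and terminal MSUs are included, only the following are allowed: calls and returns between ordinary MSUs; an ordinary MSU calling a terminal MSU; a terminal MSU returning to an ordinary MSU; where only ordinary MSUs, check MSUs and terminal MSUs are included, only the following are allowed: calls and returns between ordinary MSUs and check MSUs; a check MSU calling a terminal MSU; a terminal MSU returning to a check MSU; where only ordinary MSUs and null-port MSUs are included, only the following are allowed: calls and returns between ordinary MSUs; calls and returns between null-port MSUs; calls and returns between ordinary MSUs and null-port MSUs; where only ordinary MSUs, check MSUs and null-port MSUs are included, only the following are allowed: calls and returns between ordinary MSUs and check MSUs; calls and returns between null-port MSUs and check MSUs; where only ordinary MSUs, terminal MSUs and null-port MSUs are included, only the following are allowed: calls and returns between ordinary MSUs; calls and returns between null-port MSUs; calls and returns between ordinary MSUs and null-port MSUs; an ordinary MSU calling a terminal MSU; a terminal MSU returning to an ordinary MSU; where only ordinary MSUs, check MSUs, terminal MSUs and null-port MSUs are included, only the following are allowed: calls and returns between ordinary MSUs and check MSUs; calls and returns between null-port MSUs and check MSUs; a check MSU calling a terminal MSU; a terminal MSU returning to a check MSU; the call and return rules for the IO-instruction MSU are the same as for the terminal MSU.
- The method according to claim 36, characterized in that: step B2 comprises: reading the MSU control reference table from the agreed location in the executable program and loading it into memory; extracting the information that can only be determined at run time and saving it in the MSU control reference table; when a process is loaded, creating one stack for each privilege level and setting the region of that privilege level's stack as the region of the shared-data MSU, so that different MSUs can all access the data in the stack; when MSU information changes at run time or a new MSU is added, modifying the corresponding information in the MSU control reference table.
- The method according to any one of claims 25-39, characterized in that: it may be implemented by selecting Method 1, Method 2 or Method 3, where: Method 1: under the existing architecture, software instructions are used to access MSU information and to perform access control based on MSU information; Method 2: on the INTEL 32-bit architecture, segments are used to describe MSU boundaries, the segment boundary access control mechanism is relied on to implement the MSU boundary access control mechanism, and software instructions are relied on to implement the checking and judging of attributes and ports; Method 3: according to the needs of MSU information reading and access control, some hardware is added, and the added hardware is relied on to read MSU information and to perform access control based on MSU information; a data structure holding the MSU information is kept, and a hardware mechanism is set to point to that data structure, so that the device can read the MSU data structure automatically.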
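- A method of using the device according to any one of claims 1-24, characterized in that: the memory system device is used to prevent an attack from taking effect through direct modification of authorization information.
- A method of using the device according to any one of claims 1-24, characterized in that: the memory system device is used to prevent an attack execution-sequence branch from arising through modification of a return address.
- A method of using the device according to any one of claims 1-24, characterized in that: the memory system device is used to prevent an attack execution-sequence branch from arising through modification of a function pointer.
- A method of using the device according to any one of claims 1-24, characterized in that: the memory system device is used to prevent an attacker from directly modifying the victim's code and thereby producing an execution sequence favorable to the attack.
- A method of using the device according to any one of claims 1-24, characterized in that: the memory system device is used to prevent an attacker from gaining the opportunity to introduce an execution sequence favorable to the attack by arbitrarily designating executable regions.
- A method of using the device according to any one of claims 1-24, characterized in that: the memory system device is used to prevent, after an attack has been launched, a direct jump to attack code that the attacker has prepared in advance in the process space.
- A method of using the device according to any one of claims 1-24, characterized in that: the memory system device is used to isolate programs in memory of the same privilege from one another, creating non-flatness.
- A method of using the device according to any one of claims 1-24, characterized in that: the memory system device is used to check accesses between MSUs.
- A method of using the device according to any one of claims 1-24, characterized in that: the memory system device is used to prevent an attacker from making an attack take effect by directly manipulating user data in peripherals.
- A method of using the device according to any one of claims 1-24, characterized in that: the memory system device is used to prevent an attacker from making an attack take effect by directly manipulating user data in memory.
- A method of using the device according to any one of claims 1-24, characterized in that: data is passed between MSUs.
- A method of using the device according to any one of claims 1-24, characterized in that: the MSU stack-bottom address value is specified.
- A method of preventing an attack execution-sequence branch from arising through modification of condition-selection data, characterized by comprising: comparing the current system call number with the function being executed for consistency, deciding whether the execution sequence is legal, and handling it accordingly.
- A method of dynamically loading a program at program run time so that it runs on the memory system device according to any one of claims 1-24, characterized by comprising: when a process needs to load a program dynamically, the relevant information about the required code is passed to the kernel through a specific system call; the kernel creates a new MSU for it and loads the code into the new MSU, thereby isolating the contents of the new MSU from the original contents of the process; the new MSU and the original MSUs of the process must access one another in accordance with the rules for access between MSUs.
- A method of loading an executable program so that it runs on the memory system device according to any one of claims 1-24, comprising: storing the MSU information in the executable program; at load time, the loader reads the MSU information in it and loads the data and code of the program into the memory space according to the boundary information it specifies.
- A memory de-flattening method, characterized by: using the device according to any one of claims 1-24.
- An access control mechanism, characterized by: using the device according to any one of claims 1-24.
- A secure operating system, characterized by: using the device according to any one of claims 1-24.
- A method of isolating code and data, characterized by: using the device according to any one of claims 1-24 to isolate code from data.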
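- A computing device, characterized in that: it comprises MSU descriptors, the MSU descriptors being recorded in the MSU descriptor table; the information recorded in an MSU descriptor comprises: MSU identification information, MSU boundary information, MSU attribute information and MSU port information.
- The computing device according to claim 60, characterized in that: valid/invalid information for the MSU and/or the ID and user type information of the user to which the MSU belongs are set in the MSU descriptor.
- The computing device according to claim 60, characterized in that: the MSU boundary information comprises: the boundary address information of all linear address segments in the MSU, where all address information is linear addresses.
- The computing device according to any one of claims 60-62, characterized in that: the MSU attribute information comprises one of: ordinary MSU, check MSU, terminal MSU, shared-data MSU, null-port MSU and safe-box MSU.
- The computing device according to any one of claims 60-63, characterized in that: the MSU port information comprises: entry information and/or exit information and/or port matching information; the entry information comprises: entry number, entry address and the ID of the owning MSU; the exit information comprises: exit number, exit address and the ID of the owning MSU; the port matching information means: one piece of exit information and one piece of entry information.
- The computing device according to any one of claims 60-64, characterized in that: a group of registers for recording the location of MSU descriptors is added, together with a group of instructions that associate them with the MSU descriptor locations, specifically: an MSU descriptor table register, a current MSU descriptor register and a register for the shared MSU descriptor corresponding to the current stack are added, along with instructions that operate on these registers; the registers are set with the start address of the MSU descriptor table, the index value of the current MSU descriptor and the index value of the shared MSU descriptor corresponding to the current stack, respectively.
- The computing device according to any one of claims 60-65, characterized in that: a register for the system call number and an instruction to set it are added.
- The computing device according to any one of claims 60-66, characterized in that: an inter-MSU transfer instruction is added.
- The computing device according to any one of claims 60-67, characterized in that: an inter-MSU data access instruction is added.
- The computing device according to any one of claims 60-68, characterized in that: a register that records the stack-bottom address value of the current MSU in the stack is added.
- The computing device according to any one of claims 60-69, characterized in that: it further comprises an MSU-based access control function, the access control comprising: if an inter-MSU transfer or an access to a shared-data MSU is attempted other than through the inter-MSU transfer instruction or the inter-MSU data access instruction, the processor intercepts it; if an inter-MSU transfer is made through the inter-MSU transfer instruction, the attribute and port matching checks are performed; if the checks pass, the processor supports the transfer, otherwise the processor raises an exception.
- The computing device according to claim 70, characterized in that: the attribute and port matching check rules follow the rules of claim 17.
- The computing device according to claim 70, characterized in that: a page table entry is added, and the MSU access control information of the MSU to which the page belongs is found through the information recorded in the page table entry.
- A computing device, characterized in that: a register is added to hold state information, the state information being dedicated to providing the basis for currently selecting the correct branch direction.
- The computing device according to claim 73, characterized in that: the state information is the call number of the current system call, and a specific instruction is added for setting the register.
- A computing device, characterized in that: a register or register group is added for loading the address of a data structure that contains MSU information.
- The computing device according to claim 75, characterized in that: the data structure that contains MSU information is the MSU descriptor table.
- A computing device, characterized in that: a register or register group is added for loading the address of a data structure that contains information about the currently executing MSU.
- A computing device, characterized in that: a register is added to hold the stack-bottom address value, in the stack, of the currently executing MSU.
- A method of using the device according to any one of claims 1-24, characterized in that: the programs through which the kernel exchanges data with the process space are encapsulated in a terminal MSU, and program design ensures that the other MSUs in the kernel can exchange data with the process space only through this terminal MSU.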
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810599751.8A CN110598405B (zh) | 2018-06-12 | 2018-06-12 | Runtime access control method and computing device |
CN201810599751.8 | 2018-06-12 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2019237866A1 (zh) | 2019-12-19 |
Family
ID=68842779
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2019/086498 WO2019237866A1 (zh) | Runtime access control method and computing device | 2018-06-12 | 2019-05-11 |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN110598405B (zh) |
WO (1) | WO2019237866A1 (zh) |
-
2018
- 2018-06-12 CN CN201810599751.8A patent/CN110598405B/zh active Active
-
2019
- 2019-05-11 WO PCT/CN2019/086498 patent/WO2019237866A1/zh active Application Filing
Also Published As
Publication number | Publication date |
---|---|
CN110598405B (zh) | 2022-05-31 |
CN110598405A (zh) | 2019-12-20 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 19820441 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 19820441 Country of ref document: EP Kind code of ref document: A1 |