WO2021000847A1 - Processor and return address processing method - Google Patents

Info

Publication number
WO2021000847A1
Authority
WO
WIPO (PCT)
Prior art keywords
return address
conversion
register
processor
output
Application number
PCT/CN2020/099168
Other languages
French (fr)
Chinese (zh)
Inventor
钱雅超
章庆隆
汤倩莹
Original Assignee
华为技术有限公司 (Huawei Technologies Co., Ltd.)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/30 Arrangements for executing machine instructions, e.g. instruction decode
    • G06F9/30098 Register arrangements
    • G06F9/3012 Organisation of register space, e.g. banked or distributed register file
    • G06F9/3013 Organisation of register space, e.g. banked or distributed register file according to data content, e.g. floating-point registers, address registers
    • G06F9/3017 Runtime instruction translation, e.g. macros
    • G06F9/30178 Runtime instruction translation, e.g. macros of compressed or encrypted instructions
    • G06F9/46 Multiprogramming arrangements
    • G06F9/468 Specific access rights for resources, e.g. using capability register

Definitions

  • the embodiments of the present application relate to the field of computer technology, and in particular, to a processor and a method for processing a return address.
  • An attacker tampers with the return address saved for a subroutine, replacing the legitimate return address with a malicious one, so that after the subroutine's code has executed the processor jumps to the code pointed to by the malicious return address, changing the program control flow.
  • The purpose of this is to destroy the control flow integrity (CFI) of the program.
  • In a related technique, the call instruction and the return instruction corresponding to a subroutine are identified at compile time, an encryption instruction is inserted before the call instruction, and a decryption instruction is inserted before the return instruction.
  • the return address of the subroutine is encrypted by the encryption instruction, and the obtained encrypted address is pushed onto the stack.
  • the decryption instruction is used to decrypt the encrypted address that was popped out of the stack to obtain the original return address, so that the processor can continue to execute from the return address.
  • the embodiment of the present application provides a processor and a method for processing a return address to protect the control flow integrity of the program without reducing the running performance of the program.
  • an embodiment of the present application provides a processor, including: a processing core and a conversion circuit;
  • the processing core is used to output a return address
  • the conversion circuit is configured to convert the return address output by the processing core to obtain a converted return address, and to output the converted return address to a stack in the memory;
  • the conversion circuit is further configured, when the processing core needs to use the return address, to perform the same conversion on the converted return address read from the stack to obtain the return address, and to output the return address to the processing core.
  • Before the return address is stored in the memory, the conversion circuit converts it, so only the converted return address is stored in the memory. Because the attacker does not know the conversion performed inside the circuit, the attacker cannot replace the stored value with the converted form of a malicious address, which prevents the attacker from maliciously changing the program control flow. After the converted return address is popped from the memory, the conversion circuit converts it again to obtain the original return address, so the processing core executes subsequent instructions from the original return address and the integrity of the program control flow is preserved.
  • the processor further includes a register
  • the conversion circuit is specifically configured to convert the return address output by the processing core to obtain a converted return address and to output it to the register, so that the converted return address reaches the stack in the memory via the register;
  • the conversion circuit is further specifically configured, when the processing core needs to use the return address, to perform the conversion on the converted return address from the stack to obtain the return address and to output it to the register, so that the return address reaches the processing core via the register.
  • In this implementation a hardware conversion circuit is provided on the write path of the register.
  • The conversion circuit converts every value written to the register: all inputs that are to enter the register pass through the conversion circuit first, and the conversion result is what is written into the register. The return address is thereby handled automatically, without changing the control flow of the processor, which is easy to implement.
  • the processor further includes a register
  • the register is used to hold the return address output by the processing core;
  • the conversion circuit is specifically configured to convert the return address output by the register to obtain a converted return address, and to output the converted return address to a stack in the memory;
  • the register is also used to hold the converted return address output by the stack;
  • the conversion circuit is further specifically configured to perform the conversion on the converted return address output by the register to obtain the return address, and to output the return address to the processing core.
  • In this implementation a hardware conversion circuit is provided on the read-out path of the register, and it converts every value output by the register: all values leaving the register pass through the conversion circuit first. The return address is thereby handled automatically, without changing the control flow of the processor, which is easy to implement.
  • the conversion satisfies the following conditions:
  • A is the return address
  • B is the conversion return address
  • IP() is the conversion model used in the conversion.
  • the conversion circuit is specifically used for:
  • At least one conversion model is used to convert at least one bit of the return address to obtain the converted return address.
  • the at least one bit includes bits in the variable section of the program's code addresses and bits in the invariant section;
  • the code addresses of the program are the instruction addresses of its instructions; the invariant section is the set of bit positions whose value is the same in every instruction address, and the variable section is the set of bit positions whose value differs between instruction addresses.
  • The attacker cannot obtain this sensitive information, which improves the reliability of the control-flow defence; when the conversion circuit converts the return address, converting the variable section and the invariant section together increases the difficulty of brute-force attacks and secures the program control flow.
  • the conversion circuit is specifically used for:
  • group at least one bit of the return address to obtain multiple bit groups;
  • use a conversion model to convert the bits in each bit group to obtain a conversion result for each bit group, where either at least two of the bit groups use different conversion models or all bit groups use the same conversion model;
  • combine the conversion results to obtain the converted return address.
  • the number of bit groups is two, where one bit group consists of the bits at the odd-numbered bit positions of the return address and the other consists of the bits at the even-numbered bit positions.
  • the types of the conversion model include: modular multiplication conversion model and modular addition conversion model.
  • the register is a register for storing the return address.
  • the processor is a processor based on an ARM instruction set, and the register is an LR register.
  • the processor is a processor based on a RISC-V instruction set, and the register is an RA register.
  • an embodiment of the present application provides a method for processing a return address, which is applied to a processor, the processor includes a processing core and a conversion circuit, and the method includes:
  • when the processing core outputs the return address, the conversion circuit converts the return address to obtain a converted return address and outputs the converted return address to a stack in the memory;
  • when the processing core needs to use the return address, the conversion circuit performs the conversion on the converted return address from the stack to obtain the return address and outputs the return address to the processing core.
  • the processor further includes a register, and the conversion of the return address by the conversion circuit to obtain the conversion return address, and outputting the conversion return address to a stack in the memory includes:
  • the performing the conversion on the conversion return address in the stack by the conversion circuit to obtain the return address, and outputting the return address to the processing core includes:
  • the processor further includes a register, the processing core outputs the return address to the register, and the conversion of the return address by the conversion circuit to obtain the converted return address and the output of the converted return address to the stack in the memory includes:
  • the performing the conversion on the conversion return address in the stack by the conversion circuit to obtain the return address, and outputting the return address to the processing core includes:
  • the conversion circuit performs the conversion on the conversion return address output by the register to obtain the return address, and outputs the return address to the processing core.
  • the conversion satisfies the following conditions:
  • A is the return address
  • B is the conversion return address
  • IP() is the conversion model used in the conversion.
  • the converting the return address to obtain the converted return address includes:
  • At least one conversion model is used to convert at least one bit of the return address to obtain the converted return address.
  • the conversion of at least one bit of the return address using at least one conversion model to obtain the conversion return address includes:
  • group at least one bit of the return address to obtain multiple bit groups;
  • use a conversion model to convert the bits in each bit group to obtain a conversion result for each bit group, where either at least two of the bit groups use different conversion models or all bit groups use the same conversion model;
  • combine the conversion results to obtain the converted return address.
  • the number of bit groups is two, where one bit group consists of the bits at the odd-numbered bit positions of the return address and the other consists of the bits at the even-numbered bit positions.
  • the types of the conversion model include: modular multiplication conversion model and modular addition conversion model.
  • the register is a register for storing the return address.
  • the processor is a processor based on an ARM instruction set, and the register is an LR register.
  • the processor is a processor based on a RISC-V instruction set, and the register is an RA register.
  • an embodiment of the present application provides an electronic device, including: the processor according to any one of the first aspect.
  • an embodiment of the present application provides a chip, including the processor according to any one of the first aspect.
  • A hardware conversion circuit is set in the processor. When the return address needs to be saved, the conversion circuit converts it and the resulting converted return address is output to the memory; when the return address needs to be used, the conversion circuit converts the converted return address read from the memory to obtain the return address.
  • Because the attacker does not know the conversion performed inside the conversion circuit, the attacker cannot replace the converted return address in the memory with the converted form of a malicious address, which prevents the attacker from maliciously changing the program control flow.
  • FIG. 1 is a schematic diagram of the structure of an electronic device provided by an embodiment of the application.
  • FIG. 2 is a schematic structural diagram of a processor provided by an embodiment of the application.
  • FIG. 3 is a schematic diagram of the processing process of the return address provided by the embodiment of the application.
  • FIGS. 4A and 4B are schematic diagrams of the conventional return address processing process.
  • FIGS. 5A and 5B are schematic diagrams of the return address processing process provided by an embodiment of the application.
  • FIG. 6 is a schematic diagram of a program running process provided by an embodiment of the application.
  • FIGS. 7A and 7B are schematic diagrams of the processing process of the return address provided by an embodiment of the application.
  • FIG. 8 is a schematic flowchart of a method for processing a return address provided by an embodiment of the application.
  • FIG. 1 is a schematic structural diagram of an electronic device provided by an embodiment of the application.
  • the electronic device 10 includes a processor 100 and a memory (memory) 200.
  • the memory 200 is used to store computer programs and data.
  • Main memory is also called internal memory, or simply memory.
  • Main memory temporarily stores the computer programs and data the processor is working on.
  • Auxiliary storage is also called external storage.
  • External storage holds computer programs and data that are not currently in use by the processor.
  • the processor 100 is configured to execute a computer program stored in the memory 200.
  • the processor is the core device of electronic equipment.
  • the processor usually includes at least one processing core, a cache, and an input and output interface for communicating with other devices of the electronic device.
  • the processing core refers to the processing unit used to perform data processing tasks in the processor.
  • the processing core is the main component responsible for computing in the processor.
  • the processor in this application may be a central processing unit (CPU), a graphics processing unit (GPU), etc.
  • the processor can be used to execute a computer program in an electronic device.
  • the processor can recognize and execute the instructions in the computer program, so that the electronic device can perform a certain function or obtain a certain result.
  • a computer program is a sequence of instructions composed of multiple instructions.
  • the computer program can also call subroutines.
  • Subroutines may also be called subprograms or subfunctions.
  • A subroutine is composed of one or more instructions, is responsible for completing a specific task, and is relatively independent.
  • The program that calls a subroutine is called the main program.
  • "Main program" and "subprogram" are relative terms.
  • For example, program B is called from program A, and program C is called from program B.
  • Relative to program A, program B is a subprogram.
  • Relative to program C, program B is the main program.
  • the normal execution flow of a computer program is called program control flow.
  • the processor executes each instruction according to the program control flow.
  • an attacker may maliciously hijack the program control flow.
  • the purpose of these malicious attacks is usually to change the control flow of the program, thereby destroying the Control Flow Integrity (CFI) of the program.
  • A common attack that destroys the CFI of a program is a return-oriented programming (ROP) attack.
  • Assume that the computer program includes instruction A, instruction B, and instruction C.
  • instruction B is a subroutine call instruction.
  • the address of instruction A is 0x0000
  • the address of instruction B is 0x0004
  • the address of instruction C is 0x0008.
  • the normal program execution flow is to execute instruction A, instruction B, and instruction C in sequence.
  • the normal flow of the processor executing the program is as follows.
  • instruction B is a subroutine call instruction
  • the processor executes instruction B, it will jump to the address of the subroutine corresponding to instruction B.
  • Before executing instruction B, the processor saves the address of instruction C, that is, the processor writes the address of instruction C into the memory.
  • The address of instruction C is called the return address.
  • the processor may write the return address to the stack in the memory.
  • the processor executes instruction B, jumps to the address of the subroutine corresponding to instruction B, and executes the subroutine.
  • In a ROP attack, the attacker tampers with the return address stored in the memory.
  • For example, the attacker uses remote software to overwrite the address of instruction C (0x0008) stored in the memory with a malicious address.
  • After executing the subroutine corresponding to instruction B, the processor reads the malicious address from the memory and jumps to it for execution.
  • The attacker has thereby destroyed the integrity of the program control flow.
  • Exemplarily, the call instruction is a call instruction and the return instruction is a ret instruction.
  • The encryption instruction encrypts the return address using a preset key.
  • The decryption instruction inserted before the return instruction decrypts the encrypted return address using the same key.
  • After such compilation, during the program running stage the processor first executes the encryption instruction before calling the subroutine, encrypting the return address of the subroutine and storing the resulting encrypted address in the memory. After the subroutine has executed, the decryption instruction decrypts the encrypted address read from the memory to obtain the original return address, so that the processor can continue executing from the return address.
  • the specific encryption and decryption method can be to define a special register in the processor, which is specially used for storing the key and cannot be used for other purposes.
  • the original return address is XORed with the key in the special register to obtain the encrypted return address, which is stored in the memory.
  • the encrypted return address read from the memory and the key in the special register are XORed again to get the original return address. That is, both the encryption instruction and the decryption instruction need to perform an exclusive OR operation.
  • The related technique described above has at least the following problems: 1) In the compilation stage the call and return instructions must be identified and multiple additional encryption and decryption instructions inserted into the program, which reduces the program's running performance. 2) Because the key is held in a register and the encryption and decryption are performed by software, the key is exposed to theft by software, so the protection is weak. 3) The exclusive OR operation acts on each bit independently, which lowers the difficulty of brute-force attacks: every attempt makes the program jump somewhere within the code area, which is a security risk. 4) A dedicated register is needed to hold the key, so that register cannot be used for other functions, which limits the application scenarios.
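The XOR scheme just described, modelled as added example code for this page (not code from the patent): KEY stands in for the contents of the special key register and is an assumed value. The second function shows concretely why the text rates per-bit XOR as weak: because XOR acts on each bit independently, retargeting the return needs only the legitimate return address and the desired one, never the key.

```python
"""Model of the compiler-inserted XOR scheme: an encrypt instruction before
the call, a decrypt instruction before the ret, both XORing with the key held
in a dedicated register. Added example, not code from the patent; KEY is an
assumed value standing in for that register."""

MASK = (1 << 32) - 1
KEY = 0x5A5A1234  # assumed contents of the special key register


def encrypt_instruction(return_address):
    """Inserted before the call: XOR the return address with the key."""
    return (return_address ^ KEY) & MASK


def decrypt_instruction(stored):
    """Inserted before the ret: XOR again to recover the return address."""
    return (stored ^ KEY) & MASK


def retarget_without_key(original_return, target):
    """XOR acts on every bit independently, so flipping bit i of the stored
    word flips bit i of the decrypted address. Knowing the legitimate return
    address (the address after the call site, visible in the program image)
    and the desired target is enough: the patch original_return ^ target is
    applied to the stored word without ever touching KEY."""
    stored = encrypt_instruction(original_return)
    patch = original_return ^ target        # computed without KEY
    return decrypt_instruction(stored ^ patch)


def single_bit_flips(original_return):
    """The brute-force point in the text: each single-bit change of the
    stored word decodes to an address exactly one bit away from the original,
    so every guess is a well-formed address rather than a detectable error."""
    stored = encrypt_instruction(original_return)
    return [decrypt_instruction(stored ^ (1 << i)) for i in range(32)]
```

The round trip works as the text describes; the point of the model is that the stored word is malleable bit for bit, which is the property the hardware conversion circuit below is meant to remove.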
  • an embodiment of the present application provides a processor.
  • A hardware conversion circuit is provided in the processor. When the return address needs to be saved, the conversion circuit converts it and outputs the resulting converted return address to the memory; when the return address needs to be used, the conversion circuit converts the converted return address read from the memory to obtain the return address again.
  • Because the attacker does not know the conversion performed inside the conversion circuit, the attacker cannot replace the converted return address in the memory with the converted form of a malicious address, and so cannot maliciously change the program control flow.
  • FIG. 2 is a schematic structural diagram of a processor provided by an embodiment of the application. As shown in FIG. 2, the processor 100 of this embodiment includes: a processing core 110 and a conversion circuit 120.
  • the processing core 110 is used to output the return address.
  • the conversion circuit 120 is configured to convert the return address output by the processing core 110 to obtain the conversion return address, and output the conversion return address to the stack in the memory.
  • the conversion circuit 120 is further configured to perform the conversion on the converted return address in the stack when the processing core 110 needs to use the return address to obtain the return address, and output the return address to the processing core 110.
  • the embodiment of the present application does not specifically limit the type of the processor.
  • the processors in the embodiments of the present application may be, but are not limited to, the following types: processors based on the ARM instruction set and processors based on the RISC-V instruction set.
  • the embodiment of the present application does not specifically limit the bit width of the processor.
  • the processor may be a 32-bit processor or a 64-bit processor, of course, it may also be a processor with other bit widths.
  • the number of processing cores in the processor may be one or more.
  • the processing core refers to the processing unit used to perform data processing tasks in the processor. When the number of processing cores is one, the processor is a single-core processor. When the number of processing cores is multiple, the processor is a multi-core processor.
  • the processing core is used to output the return address. The return address is the address of the next instruction to be executed by the processing core.
  • the processing core is any circuit that needs to store the return address in the memory and obtain the return address from the memory.
  • the processing core is a program counter (Program Counter, PC).
  • PC can also be called instruction counter.
  • PC is used to store the address of the next instruction to be executed by the processor.
  • the processor sends the start address of the program, that is, the address of the first instruction of the program into the PC.
  • the processor will automatically modify the value in the PC, that is, every time an instruction is executed, the value in the PC is increased by an amount so that the value in the PC always points to the address of the next instruction to be executed.
  • the conversion circuit is arranged on the data path between the processing core and the memory.
  • the processing of the return address by the conversion circuit is described below in conjunction with FIG. 3.
  • FIG. 3 is a schematic diagram of the processing process of the return address provided by the embodiment of the application.
  • As shown in FIG. 3, the return address output by the processing core passes through the conversion circuit, which converts it to obtain the converted return address and then outputs the converted return address to the stack in the memory.
  • The converted return address popped from the memory passes through the conversion circuit, which performs the same conversion on it to obtain the original return address and then outputs the original return address to the processing core.
  • the processing core needs to store the return address in the memory, which may mean that the processing core needs to store the return address corresponding to the call instruction in the memory before executing the call instruction.
  • the processing core needs to use the return address, which may mean that when the processing core returns from the subroutine corresponding to the call instruction, it needs to obtain the return address corresponding to the call instruction from the memory.
  • the conversion circuit may adopt one or more conversion models to convert the return address. This embodiment does not specifically limit this. For several possible conversion modes, refer to the detailed description of the subsequent embodiments.
  • Before the return address is stored in the memory, the conversion circuit converts it, so only the converted return address is stored in the memory. Because the attacker does not know the conversion performed inside the circuit, the attacker cannot replace the stored value with the converted form of a malicious address, which prevents the attacker from maliciously changing the program control flow.
  • After the converted return address is popped from the memory, the conversion circuit converts it again to obtain the original return address, so the processing core executes subsequent instructions from the original return address and the integrity of the program control flow is preserved.
  • In one implementation the processor further includes a control circuit that identifies whether an address output by the processing core is a return address; when it recognises a return address, the control circuit routes that address into the conversion circuit.
  • the conversion circuit obtains the conversion return address after converting the return address, and outputs the conversion return address to the stack in the memory.
  • When the control circuit recognises that the processing core needs to use the return address, the converted return address popped from the memory is routed, under the control of the control circuit, into the conversion circuit.
  • the conversion circuit converts the conversion return address to obtain the original return address, and outputs the original return address to the processing core.
  • In another implementation the rest of the processor need not be aware of the conversion circuit at all.
  • The conversion circuit is placed on the data path between the processing core and the memory, so the return address passes through it both when it travels from the processing core to the memory and when it travels from the memory to the processing core.
  • This implementation only requires a conversion circuit on the data path between the processing core and the memory, without changing the existing control flow of the processor, and is easy to implement.
  • the processor further includes a register, which is a register specially used for storing the return address.
  • This register is the only path the return address takes from the processing core to the memory.
  • the processing core first outputs the return address to the aforementioned register, and then the register outputs the return address to the memory.
  • the return address popped from the memory is also output to the aforementioned register first, and then the register outputs the return address to the processing core.
  • When the processor is based on the ARM instruction set, the register is the link register (LR).
  • When the processor is based on the RISC-V instruction set, the register is the return address (RA) register.
  • FIGS. 4A and 4B are schematic diagrams of the conventional return address processing process: FIG. 4A illustrates pushing the return address onto the stack, and FIG. 4B illustrates popping the return address from the stack.
  • As shown in FIG. 4A, when the return address corresponding to the call instruction needs to be stored in the memory, the return address output by the PC enters the LR register, and the return address output by the LR register is then stored in the stack in the memory.
  • When the processing core returns from the subroutine corresponding to the call instruction, it needs to read the return address from the memory. Exemplarily, as shown in FIG. 4B, the return address popped from the stack in the memory enters the LR register, and the LR register then outputs the return address to the processing core.
  • the conversion circuit in this embodiment can be set before the above-mentioned register or after the above-mentioned register.
  • the conversion circuit being set before the register means that the conversion circuit is set on the write path of the register, that is, at the input end of the register.
  • when the conversion circuit is set before the register, all return addresses entering the register pass through the conversion circuit before entering the register.
  • the conversion circuit being arranged after the register means that the conversion circuit is arranged on the readout path of the register, that is, at the output terminal of the register. When the conversion circuit is set after the register, all return addresses output from the register pass through the conversion circuit.
  • FIG. 5A and 5B are schematic diagrams of the processing procedure of the return address provided by the embodiment of the application.
  • the conversion circuit is set on the write path of the LR register.
  • FIG. 5A illustrates the process of pushing the return address into the stack
  • FIG. 5B illustrates the process of popping the return address from the stack.
  • the conversion circuit is specifically configured to convert the return address output by the processing core to obtain a conversion return address, and to output the conversion return address to the register, so that the conversion return address is output via the register to the stack in the memory.
  • the conversion circuit is also specifically configured, when the processing core needs to use the return address, to perform the conversion on the conversion return address from the stack to obtain the return address, and to output the return address to the register, so that the return address is output to the processing core via the register.
  • since the conversion circuit is arranged on the write path of the register, the return address output by the processing core first passes through the conversion circuit on its way to the LR register.
  • the conversion circuit converts the return address output by the processing core to obtain the conversion return address, so that what is actually stored in the LR register is the conversion return address.
  • the LR register outputs the conversion return address to the stack in the memory, that is, what is actually pushed onto the stack is the conversion return address. Since the attacker cannot know the conversion operation performed in the conversion circuit, the attacker cannot modify the conversion return address in the memory to the conversion return address corresponding to the malicious instruction, thereby preventing the attacker from maliciously changing the program control flow.
  • when the processing core needs to use the return address, since the conversion circuit is set on the write path of the LR register, the conversion return address from the memory stack passes through the conversion circuit before entering the LR register.
  • the conversion circuit converts the conversion return address to obtain the original return address, so that what is actually stored in the LR register is the original return address. Then, the LR register outputs the original return address to the processing core, which ensures the normal control flow of the program.
  • the following takes a processor based on the ARM instruction set as an example, in combination with the running process of an actual program.
  • Fig. 6 is a schematic diagram of a program running process provided by an embodiment of the application. As shown in Figure 6, the program includes the following ARM instructions: SUB, STP, ADD, LDP, ADD, and RET.
  • when the control flow is about to enter the subroutine, that is, when the processing core executes the STP instruction, it outputs the return address to the LR (0x30) register.
  • before the return address enters the LR register, it passes through the conversion circuit, which converts the return address to obtain the conversion return address, so that what actually enters the LR register is the conversion return address. After that, the LR register outputs the conversion return address to the stack in the memory.
  • the conversion return address is read from the memory stack.
  • the conversion return address will pass through the conversion circuit before entering the LR (0x30) register, and the conversion circuit will convert the conversion return address again to obtain the original return address.
  • the original return address is stored in the LR register and used when the processing core executes the RET instruction.
  • a hardware conversion circuit is set on the write path of the LR register.
  • the conversion circuit is used to convert the return address entering the LR register, that is, every input that needs to enter the LR register first passes through the conversion circuit for conversion, and the conversion result then enters the LR register. In this way, the return address can be identified automatically without changing the control flow of the processor, which is easy to implement.
  • FIG. 7A and FIG. 7B are schematic diagrams of the processing process of the return address provided by the embodiment of the application.
  • the conversion circuit is arranged on the readout path of the LR register.
  • FIG. 7A illustrates the process of pushing the return address into the stack
  • FIG. 7B illustrates the process of popping the return address from the stack.
  • when the processing core outputs the return address, the register is used to register the return address output by the processing core.
  • the conversion circuit is specifically configured to convert the return address output by the register to obtain a conversion return address, and output the conversion return address to a stack in the memory.
  • the register is also used to register the conversion return address output by the stack.
  • the conversion circuit is further specifically configured to perform the conversion on the conversion return address output by the register to obtain the return address, and output the return address to the processing core.
  • the return address output by the processing core is output to the LR register. Since the conversion circuit is arranged on the readout path of the LR register, the return address passes through the conversion circuit while the LR register outputs it to the stack in the memory. The conversion circuit converts the return address output by the LR register to obtain the conversion return address, so that what is actually pushed onto the stack is the conversion return address. Since the attacker cannot know the conversion operation performed in the conversion circuit, the attacker cannot modify the conversion return address in the memory to the conversion return address corresponding to a malicious instruction, thereby preventing the attacker from maliciously changing the program control flow.
  • the conversion return address from the memory stack enters the LR register. Since the conversion circuit is arranged on the readout path of the LR register, the conversion return address passes through the conversion circuit when the LR register outputs it to the processing core. The conversion circuit converts the conversion return address to obtain the original return address, so that what is actually input to the processing core is the original return address, which ensures the normal control flow of the program.
  • a hardware conversion circuit is set on the readout path of the LR register.
  • the conversion circuit is used to convert the return address output by the LR register, that is, every value output from the LR register first passes through the conversion circuit for conversion. In this way, the return address can be identified automatically without changing the control flow of the processor, which is easy to implement.
  • processors based on an ARM instruction set are taken as an example for description.
  • the processor to which the embodiments of the present application apply is not limited to this.
  • the embodiments of the present application are also applicable to processors of other instruction sets, as long as there is a register dedicated to storing the return address in the processor.
  • the conversion performed by the conversion circuit on the return address satisfies the following conditions:
  • A is the return address
  • B is the conversion return address
  • IP() is the conversion model used in the conversion.
  • multiple conversion models are stored in the conversion circuit, and different conversion models correspond to one or more sets of optional conversion parameters.
  • At least one conversion model is used to convert at least one bit of the return address to obtain the converted return address.
  • the at least one bit includes the bits corresponding to the change section of the code address of the program and the bits corresponding to the unchanged section;
  • the code address of the program includes the instruction addresses of multiple instructions; the unchanged section consists of the bits that have the same value in every instruction address, and the change section consists of the bits whose values differ among the instruction addresses.
  • when the conversion circuit converts at least one bit of the return address, it converts the change section and the unchanged section at the same time, which increases the difficulty of brute-force cracking by an attacker and ensures the security of the program control flow.
  • the conversion circuit randomly selects a conversion model and randomly selects a set of conversion parameters to convert the return address while the program runs. If an error occurs during program operation, that is, in the case of a ROP attack, the conversion model and/or the conversion parameters are changed when the program is re-run, so that the attacker cannot mount multiple attacks against the same conversion model and conversion parameters, which further improves the security of the program control flow.
  • the processor is a 32-bit processor based on the ARM instruction set
  • the conversion circuit is set on the write path of the LR register
  • the modular multiplication conversion model is adopted in the conversion circuit.
  • the processor's processing of the return address is as follows:
  • the return address is stored in the LR register. Since the conversion circuit is set on the write path of the register, the return address will first be converted by the conversion circuit to obtain the conversion return address, so that what actually enters the LR register is the conversion return address.
  • the return address (that is, the original return address) output by the processing core is recorded as a[31:0].
  • the conversion return address obtained by the conversion circuit (that is, the return address actually entered into the LR register) is recorded as b[31:0].
  • the conversion circuit performs the modular multiplication operation as shown below:
  • p and q are the conversion parameters corresponding to the modular multiplication conversion model. It can be seen from the above formula that the return address a and the parameter q in the conversion circuit are modulo multiplied, the modulus is p, and the output is the conversion return address b. Among them, q and p satisfy the following relationship:
  • q can be selected as any of the following:
  • p should be larger than the maximum code address but not too large to save the chip area of the conversion circuit.
  • with these choices the above requirement is always met, but for security, 1 is not selected for q.
  • the modular multiplication conversion model operates on the 32-bit return address a[31:0] as a whole, that is, the change section and the unchanged section of the code address are operated on at the same time, so that the attacker cannot mount a targeted attack on the change section alone and cannot guarantee that every brute-force attempt jumps into the code area, which improves the security of the program control flow.
  • p and q are the conversion parameters corresponding to the modular multiplication conversion model, which are the same as the parameters used in the first conversion process described above.
  • the conversion return address b is the input of the conversion model, and the return address a is the output of the conversion model.
  • if the conversion return address b is not maliciously tampered with in the memory stack, the return address a obtained after conversion by the conversion circuit is the correct return address, and the program executes normally. If the conversion return address b is maliciously tampered with in the memory stack, the attacker, who cannot know the sensitive information p and q, cannot construct a legitimate malicious conversion return address. Therefore, the return address a obtained after conversion by the conversion circuit is garbled; when the return operation is executed, the program executes the code at the garbled address, which causes a memory error with high probability. Therefore, the attacker cannot achieve the purpose of changing the control flow of the program.
  • the processor is a 32-bit processor based on the ARM instruction set
  • the conversion circuit is arranged on the read path of the LR register, and the conversion circuit adopts a modulus addition conversion model.
  • the processor's processing of the return address is as follows:
  • the return address is stored in the LR register.
  • since the conversion circuit is set on the readout path of the LR register, the return address output by the LR register is first converted by the conversion circuit to obtain the conversion return address, so that what is actually pushed onto the stack is the conversion return address.
  • the return address (that is, the original return address) output by the LR register is recorded as a[31:0] in this embodiment.
  • the conversion return address obtained by the conversion circuit (that is, the return address actually pushed onto the stack) is recorded as b[31:0].
  • the conversion circuit performs the modulo addition operation as shown in the following equation:
  • p and q are the conversion parameters corresponding to the modular addition conversion model. It can be seen from the above formula that the return address a and the parameter q in the conversion circuit are added modulo p, and the output is the conversion return address b. Among them, q and p satisfy the following relationship:
  • p should be larger than the maximum code address but not too large to save the chip area of the conversion circuit.
  • the modular addition conversion model operates on the 32-bit return address a[31:0] as a whole, that is, the change section and the unchanged section of the code address are operated on at the same time, so that the attacker cannot mount a targeted attack on the change section alone and cannot guarantee that every brute-force attempt jumps into the code area, which improves the security of the program control flow.
  • since a conversion circuit is set on the readout path of the LR register, the conversion return address from the stack first passes through the conversion circuit. The conversion circuit performs another conversion on the conversion return address to obtain the original return address, and then the original return address is output to the processing core.
  • the conversion circuit performs the same modular addition operation, as follows:
  • p and q are the conversion parameters corresponding to the modular addition conversion model, which are the same as the parameters used in the first conversion process described above.
  • the conversion return address b is the input of the conversion model, and the return address a is the output of the conversion model.
  • if the conversion return address b is not maliciously tampered with in the memory stack, the return address a obtained after conversion by the conversion circuit is the correct return address, and the program executes normally. If the conversion return address b is maliciously tampered with in the memory stack, the attacker, who cannot know the sensitive information p and q, cannot construct a legitimate malicious conversion return address. Therefore, the return address a obtained after conversion by the conversion circuit is garbled; when the return operation is executed, the program executes the code at the garbled address, which causes a memory error with high probability. Therefore, the attacker cannot achieve the purpose of changing the control flow of the program.
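The two circuit placements (conversion on the write path of the LR register, FIG. 5A/5B, or on its readout path, FIG. 7A/7B) and the modular multiplication and modular addition embodiments above, as an added software model. This is not code from the patent or from Huawei: the parameters p and q, the code range 0x800..0x8FF, the return address 0x804 and all class and function names are constructed for illustration. It shows that both placements push the same converted word and hand the same original address back to the core, differing only in what the LR register holds, and that a stack word overwritten with a raw address comes back as an address the writer did not choose, which is the effect the text relies on.

```python
# Added software model of the return-address conversion circuit described above.
# Not the patent's own code: p, q, the code range and all names below are constructed.
from math import gcd


class ModMulModel:
    """Modular multiplication model: b = a * q mod p going out, a = b * q^-1 mod p coming back.

    p exceeds the largest code address, so every legitimate return address a is already
    reduced modulo p and the mapping is invertible on it; q is coprime to p and, as the
    text requires, not the trivial value 1.
    """

    def __init__(self, p, q, max_code_addr):
        if not max_code_addr < p <= 1 << 32:
            raise ValueError("p must exceed the maximum code address and fit in 32 bits")
        if q == 1 or gcd(q, p) != 1:
            raise ValueError("q must be invertible modulo p and must not be 1")
        self.p, self.q = p, q
        self.q_inv = pow(q, -1, p)  # modular inverse of q (Python 3.8+)

    def forward(self, a):
        return (a * self.q) % self.p

    def inverse(self, b):
        return (b * self.q_inv) % self.p


class ModAddModel:
    """Modular addition model: b = (a + q) mod p going out, a = (b - q) mod p coming back."""

    def __init__(self, p, q, max_code_addr):
        if not max_code_addr < p <= 1 << 32:
            raise ValueError("p must exceed the maximum code address and fit in 32 bits")
        self.p, self.q = p, q % p

    def forward(self, a):
        return (a + self.q) % self.p

    def inverse(self, b):
        return (b - self.q) % self.p


class LinkRegisterPath:
    """Core -> LR -> stack with the circuit on the LR write path ("write", FIG. 5A/5B)
    or on its readout path ("read", FIG. 7A/7B)."""

    def __init__(self, model, placement):
        if placement not in ("write", "read"):
            raise ValueError("placement must be 'write' or 'read'")
        self.model, self.placement = model, placement
        self.lr = 0
        self.stack = []  # the memory stack; the top is the last element

    def call(self, return_addr):
        """The core outputs the return address; STP then pushes LR."""
        if self.placement == "write":
            self.lr = self.model.forward(return_addr)       # LR holds the converted value
            self.stack.append(self.lr)
        else:
            self.lr = return_addr                           # LR holds the original value
            self.stack.append(self.model.forward(self.lr))  # converted on readout

    def ret(self):
        """LDP pops the stack word back into LR; RET uses what the core receives."""
        word = self.stack.pop()
        if self.placement == "write":
            self.lr = self.model.inverse(word)              # converted back before entering LR
            return self.lr
        self.lr = word                                      # LR holds the converted value
        return self.model.inverse(self.lr)                  # converted back on readout


def simulate(model, placement, return_addr, tampered_word=None):
    """One call/return round trip. If tampered_word is given, the stack slot is overwritten
    with it between the push and the pop (someone who does not know p and q can only write
    a raw address). Returns (LR after the call, stack word, address the core receives)."""
    cpu = LinkRegisterPath(model, placement)
    cpu.call(return_addr)
    lr_after_call, stack_word = cpu.lr, cpu.stack[-1]
    if tampered_word is not None:
        cpu.stack[-1] = tampered_word
    return lr_after_call, stack_word, cpu.ret()


# Constructed layout: code occupies 0x800..0x8FF, so p = 4099 exceeds the maximum code address.
CODE_LO, CODE_HI = 0x800, 0x8FF
MUL = ModMulModel(p=4099, q=7, max_code_addr=CODE_HI)
ADD = ModAddModel(p=4099, q=1000, max_code_addr=CODE_HI)


def in_code(addr):
    return CODE_LO <= addr <= CODE_HI


if __name__ == "__main__":
    for name, model, placement in (("mod-mul, write path", MUL, "write"),
                                   ("mod-add, read path", ADD, "read")):
        lr, word, back = simulate(model, placement, 0x804)
        _, _, hijacked = simulate(model, placement, 0x804, tampered_word=0x840)
        print(f"{name}: LR=0x{lr:X} stack=0x{word:X} returns to 0x{back:X}; "
              f"slot overwritten with 0x840 returns to 0x{hijacked:X} (in code: {in_code(hijacked)})")
```

Run it directly to print both scenarios. In this model, how often a tampered word is turned into an address outside the code region depends on how small the code region is compared with the range [0, p), which is why the text wants p above the maximum code address and the conversion applied to the unchanged section of the address as well as the changing one.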
  • the conversion circuit groups at least one bit of the return address to obtain multiple bit groups, and uses the conversion model to convert the bits in each bit group to obtain the conversion result corresponding to each bit group, wherein at least two of the multiple bit groups adopt different conversion models, or the multiple bit groups all adopt the same conversion model; then the conversion return address is obtained according to the conversion result corresponding to each bit group.
  • the 32 bits of the return address can be divided into two bit groups or three bit groups, of course, it can also be divided into more bit groups.
  • when divided into two bit groups, the first 16 bits may be used as one group and the last 16 bits as the other; or the first 8 bits as one group and the last 24 bits as the other; or the odd-numbered bits as one group and the even-numbered bits as the other. It is understandable that there are other grouping methods, which are not listed here.
  • the conversion models adopted by the two bit groups may be the same or different. For example, both bit groups use the modular multiplication conversion model, or both bit groups use the modular addition conversion model, or one bit group uses the modular multiplication conversion model and the other uses the modular addition conversion model.
  • when divided into three bit groups, the first 8 bits can be used as one group, the middle 16 bits as a second group and the last 8 bits as a third; or the first 10 bits as one group, the middle 8 bits as a second group and the last 14 bits as a third; or bits 1, 4, 7, 10, 13, 16, 19, 22, 25, 28 and 31 as one group, bits 2, 5, 8, 11, 14, 17, 20, 23, 26 and 29 as a second group, and bits 0, 3, 6, 9, 12, 15, 18, 21, 24, 27 and 30 as a third. It is understandable that there are other grouping methods, which are not listed here.
  • the conversion models adopted by the three bit groups can be the same or different.
  • the conversion circuit is set on the write path of the LR register.
  • the conversion circuit divides the 32 bits of the return address into two bit groups, one bit group including the bits corresponding to the odd bits of the return address, and the other bit group including the bits corresponding to the even bits of the return address.
  • One bit group adopts the modular multiplication conversion model, and the other bit group adopts the modular addition conversion model. Then the processor processes the return address as follows:
  • the return address is stored in the LR register. Since the conversion circuit is set on the write path of the register, the return address will first be converted by the conversion circuit to obtain the conversion return address, so that what actually enters the LR register is the conversion return address.
  • the return address (that is, the original return address) output by the processing core is recorded as a[31:0].
  • the conversion return address (that is, the return address actually entering the LR register) obtained by the conversion of the conversion circuit is recorded as b[31:0].
  • p1 and q1 are the conversion parameters corresponding to the modular multiplication conversion model
  • p2 and q2 are the conversion parameters corresponding to the modular addition conversion model. It can be seen from the above formula that a1 is multiplied by the parameter q1 in the conversion circuit modulo p1, and the output is b1; a2 and the parameter q2 in the conversion circuit are added modulo p2, and the output is b2.
  • q1 can be selected as any of the following:
  • p1 and p2 should be larger than the maximum code address, but should not be too large, to save the chip area of the conversion circuit.
  • the 32 bits are divided into two groups according to odd-numbered bits and even-numbered bits.
  • One group adopts a modular multiplication conversion model
  • the other group adopts a modular addition conversion model.
  • p1 and q1 are the conversion parameters corresponding to the modular multiplication conversion model, which are the same as the parameters used in the first conversion process described above.
  • p2 and q2 are the conversion parameters corresponding to the modular addition conversion model, which are the same as the parameters used in the first conversion process described above.
  • if the conversion return address b is not maliciously tampered with in the memory stack, the return address a obtained after conversion by the conversion circuit is the correct return address, and the program executes normally. If the conversion return address b is maliciously tampered with in the memory stack, the attacker, who cannot know the sensitive information p1, q1, p2 and q2, cannot construct a legitimate malicious conversion return address. Therefore, the return address a obtained after conversion by the conversion circuit is garbled; when the return operation is performed, the program executes the code at the garbled address, which causes a memory error with high probability. Therefore, the attacker cannot achieve the purpose of changing the control flow of the program.
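The odd/even bit-group embodiment just described, as an added example rather than the patent's own code: which group receives the modular multiplication, the parameters p1, q1, p2 and q2, the code range 0x800..0x8FF, the address 0x804 and the function names are constructed assumptions. Going slightly beyond the text, it makes explicit that each compacted 16-bit group can only be written back into the 32-bit LR register if its modulus is at most 2^16, which the constructed parameters respect.

```python
# Added example of the bit-group embodiment: the odd-indexed bits of the return address go
# through modular multiplication and the even-indexed bits through modular addition.
# Not the patent's own code: the parameters, code range and names are constructed.
from math import gcd

CODE_LO, CODE_HI = 0x800, 0x8FF   # constructed code range of the program
P1, Q1 = 4099, 7                  # modular multiplication group: gcd(Q1, P1) == 1 and Q1 != 1
P2, Q2 = 5003, 1234               # modular addition group
# A group compacted from an address <= CODE_HI is itself <= CODE_HI, so p > CODE_HI keeps both
# conversions invertible; p <= 2**16 keeps each converted group inside its 16-bit slot.
assert CODE_HI < P1 <= 1 << 16 and CODE_HI < P2 <= 1 << 16
assert Q1 != 1 and gcd(Q1, P1) == 1
Q1_INV = pow(Q1, -1, P1)          # modular inverse of Q1 (Python 3.8+)


def split_odd_even(addr):
    """Compact the odd-indexed bits of a 32-bit value into one 16-bit group and the
    even-indexed bits into another; bit i lands at position i // 2 of its group."""
    odd = even = 0
    for i in range(32):
        bit = (addr >> i) & 1
        if i & 1:
            odd |= bit << (i >> 1)
        else:
            even |= bit << (i >> 1)
    return odd, even


def merge_odd_even(odd, even):
    """Inverse of split_odd_even: interleave the two 16-bit groups back into 32 bits."""
    addr = 0
    for i in range(16):
        addr |= ((even >> i) & 1) << (2 * i)
        addr |= ((odd >> i) & 1) << (2 * i + 1)
    return addr


def convert(return_addr):
    """Write-path conversion: the word that actually enters the LR register and the stack."""
    a1, a2 = split_odd_even(return_addr)
    b1 = (a1 * Q1) % P1           # odd bits: modular multiplication
    b2 = (a2 + Q2) % P2           # even bits: modular addition
    return merge_odd_even(b1, b2)


def restore(stack_word):
    """The conversion applied again when the word comes back from the stack."""
    b1, b2 = split_odd_even(stack_word)
    a1 = (b1 * Q1_INV) % P1
    a2 = (b2 - Q2) % P2
    return merge_odd_even(a1, a2)


def in_code(addr):
    return CODE_LO <= addr <= CODE_HI


if __name__ == "__main__":
    word = convert(0x804)
    print(f"0x804 -> stack word 0x{word:X} -> restored 0x{restore(word):X}")
    # A stack slot overwritten with a raw code address does not yield that address.
    bogus = restore(0x840)
    print(f"slot overwritten with 0x840 -> core receives 0x{bogus:X}, in code: {in_code(bogus)}")
```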
  • FIG. 8 is a schematic flowchart of a method for processing a return address provided by an embodiment of the application.
  • the method in this embodiment is executed by a processor, where the processor includes a processing core and a conversion circuit. As shown in FIG. 8, the method of this embodiment includes:
  • when the processor further includes a register, converting the return address by the conversion circuit to obtain a conversion return address and outputting the conversion return address to a stack in the memory includes:
  • performing the conversion on the conversion return address in the stack by the conversion circuit to obtain the return address, and outputting the return address to the processing core, includes:
  • when the processor further includes a register, outputting the return address to the register by the processing core, converting the return address by the conversion circuit to obtain a conversion return address, and outputting the conversion return address to the stack in the memory includes:
  • performing the conversion on the conversion return address in the stack by the conversion circuit to obtain the return address, and outputting the return address to the processing core, includes:
  • the conversion circuit performs the conversion on the conversion return address output by the register to obtain the return address, and outputs the return address to the processing core.
  • the conversion satisfies the following conditions:
  • A is the return address
  • B is the conversion return address
  • IP() is the conversion model used in the conversion.
  • the converting the return address to obtain the converted return address includes:
  • At least one conversion model is used to convert at least one bit of the return address to obtain the converted return address.
  • the using at least one conversion model to convert at least one bit of the return address to obtain the converted return address includes:
  • Group at least one bit of the return address to obtain multiple bit groups
  • the conversion model is used to convert the bits in each bit group to obtain a conversion result corresponding to each bit group, wherein at least two bit groups of the multiple bit groups adopt different conversion models, or the conversion models adopted by the multiple bit groups are the same;
  • the conversion return address is obtained according to the conversion result corresponding to each bit group.
  • the number of bit groups is two, one bit group including the bits corresponding to the odd bits of the return address, and the other bit group including the bits corresponding to the even bits of the return address.
  • the types of the conversion model include: modular multiplication conversion model and modular addition conversion model.
  • the register is a register for storing the return address.
  • the processor is a processor based on an ARM instruction set
  • the register is an LR register.
  • the processor is a processor based on a RISC V instruction set
  • the register is an RA register
  • the method for processing the return address provided in this embodiment can be applied to the processor described in any of the foregoing embodiments, and its implementation principles and technical effects are similar, and will not be repeated here.
  • An embodiment of the present application also provides an electronic device, including a processor, where the processor may adopt the structure of the processor in any of the above embodiments; its implementation principles and technical effects are similar and will not be repeated here.
  • An embodiment of the present application also provides a chip, including a processor, and the processor may adopt the structure of the processor in any of the foregoing embodiments, and its implementation principles and technical effects are similar, and will not be repeated here.
  • the disclosed device and method may be implemented in other ways.
  • the device embodiments described above are only illustrative.
  • the division of the modules is only a logical function division, and there may be other divisions in actual implementation; for example, multiple modules can be combined or integrated into another system, or some features can be ignored or not implemented.
  • the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or modules, and may be in electrical, mechanical or other forms.
  • modules described as separate components may or may not be physically separated, and the components displayed as modules may or may not be physical units, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the modules may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
  • the functional modules in the various embodiments of the present application may be integrated into one processing unit, or each module may exist alone physically, or two or more modules may be integrated into one unit.
  • the units formed by the above-mentioned modules can be realized in the form of hardware, or in the form of hardware plus software functional units.
  • the above-mentioned integrated modules implemented in the form of software function modules may be stored in a computer readable storage medium.
  • the above-mentioned software function module is stored in a storage medium and includes several instructions to make a computer device (which can be a personal computer, a server, or a network device, etc.) or a processor execute part of the method of the various embodiments of the present application.
  • the processor may be a central processing unit (CPU), another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), etc.
  • the general-purpose processor may be a microprocessor or the processor may also be any conventional processor or the like.
  • the steps of the method disclosed in combination with the application can be directly embodied as executed by a hardware processor, or executed by a combination of hardware and software modules in the processor.
  • the memory may include a high-speed RAM memory, and may also include a non-volatile storage NVM, such as at least one disk storage, and may also be a U disk, a mobile hard disk, a read-only memory, a magnetic disk, or an optical disk.
  • the bus can be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, or an Extended Industry Standard Architecture (EISA) bus, etc.
  • the bus can be divided into address bus, data bus, control bus, etc.
  • the buses in the drawings of this application are not limited to only one bus or one type of bus.
  • the above-mentioned storage medium can be implemented by any type of volatile or non-volatile storage device or their combination, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disks or optical disks.
  • the storage medium may be any available medium that can be accessed by a general-purpose or special-purpose computer.
  • An exemplary storage medium is coupled to the processor, so that the processor can read information from the storage medium and can write information to the storage medium.
  • the storage medium may also be an integral part of the processor.
  • the processor and the storage medium may be located in an application-specific integrated circuit (ASIC).
  • the processor and the storage medium may also exist as discrete components in the electronic device or the main control device.

Abstract

Embodiments of the present application provide a processor and a return address processing method. A hardware conversion circuit is provided in the processor; when a return address needs to be stored, the return address is converted by means of the conversion circuit, and the obtained converted return address is output to a memory; when the return address needs to be used, the converted return address in the memory is converted by means of the conversion circuit to obtain the return address. Because an attacker cannot know the conversion operations carried out by the conversion circuit, the attacker is unable to modify the converted return address in the memory into a converted return address corresponding to a malicious instruction, so that a malicious change to the program control flow by an attacker can be prevented. Moreover, because the conversion is performed by the hardware conversion circuit while the program runs, there is no need to identify a call instruction and a return instruction at the compiling stage, no need to insert additional encryption and decryption instructions, and the running performance of the processor is not affected.

Description

Processor and return address processing method
This application claims priority to Chinese patent application No. 201910586325.5, titled "Processor and return address processing method" and filed with the Chinese Patent Office on July 1, 2019, the entire contents of which are incorporated herein by reference.
Technical Field
Embodiments of the present application relate to the field of computer technology, and in particular to a processor and a return address processing method.
Background
While a processor runs a program, an attacker may maliciously hijack the program control flow. Specifically, the attacker modifies the return address of a subroutine, replacing the normal return address with a malicious return address, so that after executing the subroutine code the processor jumps to the code segment pointed to by the malicious return address. This changes the program control flow and thereby breaks the control flow integrity (CFI) of the program.
At present, to defend against malicious changes to the program control flow, the control flow is usually monitored while the program runs, and an alarm is raised if the control flow is changed. In one related technique, the call instruction and the return instruction corresponding to a subroutine are identified at compile time, an encryption instruction is inserted before the call instruction, and a decryption instruction is inserted before the return instruction. Then, at run time, before the processor calls the subroutine, the encryption instruction encrypts the subroutine's return address and the resulting encrypted address is pushed onto the stack. After the subroutine finishes, the decryption instruction decrypts the encrypted address popped from the stack to recover the original return address, so that the processor can continue execution from the return address.
With this defense, even if an attacker obtains the encrypted address from the stack, the attacker does not know the key used by the encryption instruction and therefore cannot replace the encrypted address with the encryption of a malicious address. In other words, even after hijacking the program control flow, the attacker still cannot control where the program jumps; malicious changes to the program control flow are thus prevented and the control flow integrity of the program is protected.
However, the above technique requires multiple additional instructions to be inserted into the program, which reduces the program's running performance.
Summary
Embodiments of the present application provide a processor and a return address processing method that protect the control flow integrity of a program without reducing the program's running performance.
In a first aspect, an embodiment of the present application provides a processor, including a processing core and a conversion circuit;
the processing core is configured to output a return address;
the conversion circuit is configured to convert the return address output by the processing core to obtain a converted return address, and to output the converted return address to a stack in memory;
the conversion circuit is further configured to, when the processing core needs to use the return address, perform the conversion on the converted return address in the stack to obtain the return address, and to output the return address to the processing core.
In this embodiment, before the return address is stored in memory, the conversion circuit converts it once, so what the memory holds is the converted return address. Because an attacker cannot know the conversion performed by the conversion circuit, the attacker cannot modify the converted return address in memory into the converted return address that corresponds to a malicious instruction, which prevents the attacker from maliciously changing the program control flow. After the converted return address is popped from memory, the conversion circuit converts it again to obtain the original return address, so the processing core can execute the subsequent instructions according to the original return address, which guarantees the integrity of the program control flow. Because the conversion is carried out by a hardware conversion circuit while the program runs, there is no need to identify call and return instructions at compile time, nor to insert additional encryption and decryption instructions, so the running performance of the processor is not affected. At the same time, the risk of the secret being stolen by software is avoided.
Optionally, the processor further includes a register;
the conversion circuit is specifically configured to convert the return address output by the processing core to obtain the converted return address, and to output the converted return address to the register, so that the converted return address is output via the register to the stack in memory;
the conversion circuit is further specifically configured to, when the processing core needs to use the return address, perform the conversion on the converted return address in the stack to obtain the return address, and to output the return address to the register, so that the return address is output via the register to the processing core.
In this embodiment, a hardware conversion circuit is placed on the write path of the register. The conversion circuit converts the return address entering the register; that is, every input that is to enter the register is first converted by the conversion circuit, and the conversion result is then written into the register. In this way, the return address is identified automatically, the control flow of the processor does not need to be changed, and the scheme is easy to implement.
Optionally, the processor further includes a register;
when the processing core outputs the return address, the register is configured to hold the return address output by the processing core;
the conversion circuit is specifically configured to convert the return address output by the register to obtain the converted return address, and to output the converted return address to the stack in memory;
when the processing core needs to use the return address, the register is further configured to hold the converted return address output by the stack;
the conversion circuit is further specifically configured to perform the conversion on the converted return address output by the register to obtain the return address, and to output the return address to the processing core.
In this embodiment, a hardware conversion circuit is placed on the read path of the register. The conversion circuit converts the return address output by the register; that is, every value read out of the register first passes through the conversion circuit. In this way, the return address is identified automatically, the control flow of the processor does not need to be changed, and the scheme is easy to implement.
Optionally, the conversion satisfies the following condition:
B = IP(A), A = IP(B)
where A is the return address, B is the converted return address, and IP() is the conversion model used by the conversion.
Optionally, the conversion circuit is specifically configured to:
convert at least one bit of the return address using at least one conversion model to obtain the converted return address.
The at least one bit includes bits corresponding to the variable section and bits corresponding to the invariant section of the program's code address. The program's code address consists of the instruction addresses of multiple instructions; the invariant section is the set of bit positions whose values are the same across the multiple instruction addresses, and the variable section is the set of bit positions whose values differ across the multiple instruction addresses.
By keeping the conversion model and the conversion parameters inside the hardware circuit, an attacker cannot obtain this sensitive information, which improves the reliability of the program control flow defense. When the conversion circuit converts at least one bit of the return address, converting the variable section and the invariant section together makes brute-force guessing by an attacker harder and keeps the program control flow secure.
Optionally, the conversion circuit is specifically configured to:
group the at least one bit of the return address to obtain multiple bit groups;
convert the bits in each bit group using the conversion model to obtain a conversion result for each bit group, where at least two of the multiple bit groups use different conversion models, or all of the multiple bit groups use the same conversion model;
obtain the converted return address from the conversion results of the bit groups.
Optionally, there are two bit groups: one contains the bits at the odd bit positions of the return address, and the other contains the bits at the even bit positions of the return address.
Optionally, the types of conversion model include a modular multiplication conversion model and a modular addition conversion model.
Optionally, the register is a register used for storing the return address.
Optionally, the processor is a processor based on the ARM instruction set, and the register is the LR register.
Optionally, the processor is a processor based on the RISC-V instruction set, and the register is the RA register.
In a second aspect, an embodiment of the present application provides a return address processing method applied to a processor, where the processor includes a processing core and a conversion circuit, and the method includes:
when the processing core outputs the return address, converting the return address by the conversion circuit to obtain a converted return address, and outputting the converted return address to a stack in memory;
when the return address needs to be used, performing the conversion on the converted return address in the stack by the conversion circuit to obtain the return address, and outputting the return address to the processing core.
Optionally, the processor further includes a register, and converting the return address by the conversion circuit to obtain the converted return address and outputting the converted return address to the stack in memory includes:
converting the return address by the conversion circuit to obtain the converted return address, and outputting the converted return address to the register, so that the converted return address is output via the register to the stack in memory;
and performing the conversion on the converted return address in the stack by the conversion circuit to obtain the return address and outputting the return address to the processing core includes:
performing the conversion on the converted return address in the stack by the conversion circuit to obtain the return address, and outputting the return address to the register, so that the return address is output via the register to the processing core.
Optionally, the processor further includes a register, the return address is output by the processing core to the register, and converting the return address by the conversion circuit to obtain the converted return address and outputting the converted return address to the stack in memory includes:
converting the return address output by the register by the conversion circuit to obtain the converted return address, and outputting the converted return address to the stack in memory;
and performing the conversion on the converted return address in the stack by the conversion circuit to obtain the return address and outputting the return address to the processing core includes:
performing the conversion on the converted return address output by the register by the conversion circuit to obtain the return address, and outputting the return address to the processing core.
Optionally, the conversion satisfies the following condition:
B = IP(A), A = IP(B)
where A is the return address, B is the converted return address, and IP() is the conversion model used by the conversion.
Optionally, converting the return address to obtain the converted return address includes:
converting at least one bit of the return address using at least one conversion model to obtain the converted return address.
Optionally, converting at least one bit of the return address using at least one conversion model to obtain the converted return address includes:
grouping the at least one bit of the return address to obtain multiple bit groups;
converting the bits in each bit group using the conversion model to obtain a conversion result for each bit group, where at least two of the multiple bit groups use different conversion models, or all of the multiple bit groups use the same conversion model;
obtaining the converted return address from the conversion results of the bit groups.
Optionally, there are two bit groups: one contains the bits at the odd bit positions of the return address, and the other contains the bits at the even bit positions of the return address.
Optionally, the types of conversion model include a modular multiplication conversion model and a modular addition conversion model.
Optionally, the register is a register used for storing the return address.
Optionally, the processor is a processor based on the ARM instruction set, and the register is the LR register.
Optionally, the processor is a processor based on the RISC-V instruction set, and the register is the RA register.
In a third aspect, an embodiment of the present application provides an electronic device including the processor according to any one of the implementations of the first aspect.
In a fourth aspect, an embodiment of the present application provides a chip including the processor according to any one of the implementations of the first aspect.
In the processor and return address processing method provided by the embodiments of the present application, a hardware conversion circuit is provided in the processor. When a return address needs to be saved, the conversion circuit converts it and the resulting converted return address is output to memory; when the return address needs to be used, the conversion circuit converts the converted return address in memory to obtain the return address. Because an attacker cannot know the conversion performed by the conversion circuit, the attacker cannot modify the converted return address in memory into the converted return address that corresponds to a malicious instruction, which prevents the attacker from maliciously changing the program control flow. Moreover, because the conversion is carried out by a hardware conversion circuit while the program runs, compared with the related technique described above there is no need to identify call and return instructions at compile time, nor to insert additional encryption and decryption instructions, so the running performance of the processor is not affected.
Brief Description of the Drawings
FIG. 1 is a schematic structural diagram of an electronic device provided by an embodiment of the present application;
FIG. 2 is a schematic structural diagram of a processor provided by an embodiment of the present application;
FIG. 3 is a schematic diagram of a return address processing procedure provided by an embodiment of the present application;
FIG. 4A and FIG. 4B are schematic diagrams of an existing return address processing procedure;
FIG. 5A and FIG. 5B are schematic diagrams of a return address processing procedure provided by an embodiment of the present application;
FIG. 6 is a schematic diagram of a program running process provided by an embodiment of the present application;
FIG. 7A and FIG. 7B are schematic diagrams of a return address processing procedure provided by an embodiment of the present application;
FIG. 8 is a schematic flowchart of a return address processing method provided by an embodiment of the present application.
Detailed Description
To facilitate understanding of the present application, the structure of an electronic device to which the processor of the present application applies is first described with reference to FIG. 1.
FIG. 1 is a schematic structural diagram of an electronic device provided by an embodiment of the present application. As shown in FIG. 1, the electronic device 10 includes a processor 100 and a memory 200. The memory 200 is used to store computer programs and data. There are many kinds of memory; by use they can be divided into main memory and auxiliary memory. Main memory, also called "internal memory" or simply "memory", temporarily stores computer programs and data while the processor runs. Auxiliary memory, also called "external memory" or simply "external storage", stores computer programs and data that are temporarily not needed while the processor runs. The processor 100 is configured to execute the computer programs stored in the memory 200.
The processor is the core component of the electronic device. A processor usually includes at least one processing core, a cache, and an input/output interface for communicating with the other components of the electronic device. A processing core is the processing unit in the processor that executes data processing tasks; it is the main component of the processor responsible for computation.
The processor in the present application may be a central processing unit (CPU), a graphics processing unit (GPU), or the like.
The processor executes the computer programs in the electronic device: it recognizes and executes the instructions in a computer program so that the electronic device performs a certain function or obtains a certain result.
A computer program is an instruction sequence made up of multiple instructions. A computer program may also call subroutines. A subroutine may also be called a "subprocedure" or a "subfunction"; it consists of one or more instructions, is responsible for completing a specific task, and is relatively independent. The program that contains the call to a subroutine is usually called the main program. "Main program" and "subroutine" are relative terms: for example, if program A calls program B and program B calls program C, then program B is a subroutine relative to program A and the main program relative to program C.
The normal execution flow of a computer program is called the program control flow. While executing a computer program, the processor executes each instruction according to the program control flow. However, during execution an attacker may maliciously hijack the program control flow. The purpose of such attacks is usually to change the program's control flow and thereby break the control flow integrity (CFI) of the program. A common attack that breaks a program's CFI is the return-oriented programming (ROP) attack.
The following describes, with a concrete example, how the processor executes a computer program in the normal case and how it executes the program under a ROP attack.
Assume the computer program includes instruction A, instruction B and instruction C, where instruction B is a subroutine call instruction, the address of instruction A is 0x0000, the address of instruction B is 0x0004 and the address of instruction C is 0x0008. The normal program execution flow is to execute instruction A, instruction B and instruction C in sequence. The normal flow of the processor executing this program is as follows.
1) The processor executes instruction A.
Because instruction B is a subroutine call instruction, when the processor executes instruction B it jumps to the address of the subroutine corresponding to instruction B. To ensure that the processor can correctly return to the address of instruction C after executing that subroutine, the processor saves the address of instruction C before executing instruction B. That is:
2) The processor writes the address of instruction C into memory. In the embodiments of the present application, the address of instruction C is called the return address.
For example, the processor may write the return address onto the stack in memory.
3) The processor executes instruction B, jumps to the address of the subroutine corresponding to instruction B, and executes the subroutine.
4) When the subroutine finishes, the processor reads the return address (0x0008) from memory, jumps to address 0x0008 and executes instruction C.
Under a ROP attack, the attacker tampers with the return address stored in memory. For example, the attacker uses remote software to change the address of instruction C (0x0008) stored in memory into a malicious address, so that after executing the subroutine corresponding to instruction B the processor reads the malicious address from memory and jumps to it for execution. The integrity of the program control flow is thereby broken.
At present, to prevent malicious changes to the program control flow, the control flow is usually monitored while the program runs, and an alarm is raised if the control flow is changed.
In one related technique, software is used to defend against malicious changes to the program control flow. Specifically, at compile time, the call instruction and the return instruction corresponding to a subroutine are first identified; for example, the call instruction is a call instruction and the return instruction is a ret instruction. Then an encryption instruction is inserted before the call instruction; for example, the encryption instruction encrypts the return address with a preset key. At the same time, a decryption instruction is inserted before the return instruction; for example, the decryption instruction decrypts the encrypted return address with the same key.
After such compilation, at run time and before the processor calls the subroutine, the processor first executes the encryption instruction to encrypt the subroutine's return address and stores the resulting encrypted address in memory. After the subroutine finishes, the decryption instruction decrypts the encrypted address read from memory to recover the original return address, so that the processor can continue execution from the return address.
A specific encryption and decryption scheme defines a special register in the processor that is dedicated to holding the key and cannot be used for any other purpose. For encryption, the original return address is XORed with the key in the special register to obtain the encrypted return address, which is stored in memory. For decryption, the encrypted return address read from memory is XORed again with the key in the special register to recover the original return address. That is, both the encryption instruction and the decryption instruction perform one XOR operation.
With this defense, even if an attacker obtains the encrypted return address from memory, the attacker does not know the key used by the encryption instruction and therefore cannot replace the encrypted return address with the encryption of a malicious address. In other words, even after hijacking the program control flow, the attacker still cannot control where the program jumps; malicious changes to the program control flow are thus prevented and the control flow integrity of the program is protected.
However, the related technique has at least the following problems. 1) At compile time, the call and return instructions must be identified, and multiple additional encryption and decryption instructions must be inserted into the program, which reduces the program's running performance. 2) Because the key is held in a register and encryption and decryption are performed in software, the key is at risk of being stolen by software, so the protection is weak. 3) The XOR operation acts on each bit independently, which makes brute-force guessing easy; every guess can still make the program jump into the code region, which is a security risk. 4) A special register is needed to hold the key and cannot be used by other functions, which limits the application scenarios.
To solve at least one of the above problems, an embodiment of the present application provides a processor in which a hardware conversion circuit is provided. When a return address needs to be saved, the conversion circuit converts it and the resulting converted return address is output to memory; when the return address needs to be used, the conversion circuit converts the converted return address in memory to obtain the return address. Because an attacker cannot know the conversion performed by the conversion circuit, the attacker cannot modify the converted return address in memory into the converted return address that corresponds to a malicious instruction, which prevents the attacker from maliciously changing the program control flow. Moreover, because the conversion is carried out by a hardware conversion circuit while the program runs, compared with the related technique described above there is no need to identify call and return instructions at compile time, nor to insert additional encryption and decryption instructions, so the running performance of the processor is not affected.
下面,通过具体实施例,对本申请所示的技术方案进行详细说明。需要说明的是,下面几个实施例可以单独存在,也可以相互结合,对于相同或相似的内容,在不同的实施例中不再重复说明。Hereinafter, the technical solutions shown in this application will be described in detail through specific embodiments. It should be noted that the following embodiments may exist alone or combined with each other, and the same or similar content will not be repeated in different embodiments.
FIG. 2 is a schematic structural diagram of a processor provided by an embodiment of this application. As shown in FIG. 2, the processor 100 of this embodiment includes a processing core 110 and a conversion circuit 120.
The processing core 110 is configured to output a return address.
The conversion circuit 120 is configured to convert the return address output by the processing core 110 to obtain a converted return address, and to output the converted return address to a stack in memory.
The conversion circuit 120 is further configured, when the processing core 110 needs to use the return address, to perform the same conversion on the converted return address in the stack to obtain the return address, and to output the return address to the processing core 110.
The embodiments of this application do not limit the type of processor. The processor may be, but is not limited to, a processor based on the ARM instruction set or a processor based on the RISC-V instruction set.
The embodiments of this application do not limit the bit width of the processor. The processor may be a 32-bit processor or a 64-bit processor, or a processor of another bit width.
The processor may contain one or more processing cores. A processing core is the processing unit in the processor that executes data-processing tasks. A processor with one processing core is a single-core processor; a processor with multiple processing cores is a multi-core processor. The processing core outputs the return address, which is the address of the next instruction to be executed by the processing core.
In this application, the processing core is any circuit that needs to store a return address in memory and to fetch a return address from memory. Exemplarily, the processing core is a program counter (PC), also called an instruction counter. The PC holds the address of the next instruction to be executed by the processor. Before the program starts executing, the processor loads the program's start address, that is, the address of its first instruction, into the PC. As instructions execute, the processor automatically updates the value in the PC: after each instruction, the PC is incremented so that it always points to the address of the next instruction to be executed.
In this application, the conversion circuit is placed on the data path between the processing core and memory. The processing of the return address by the conversion circuit is described below with reference to FIG. 3.
FIG. 3 is a schematic diagram of the return address processing procedure provided by an embodiment of this application. As shown in FIG. 3, when the processing core needs to store a return address in memory, the return address output by the processing core passes through the conversion circuit, which converts it into a converted return address and outputs the converted return address to the stack in memory. When the processing core needs to use the return address, the converted return address popped from memory passes through the conversion circuit, which performs the same conversion on it to obtain the original return address and then outputs the original return address to the processing core.
The processing core needing to store the return address in memory may mean that, before the processing core executes a call instruction, it needs to store the return address corresponding to that call instruction in memory.
Correspondingly, the processing core needing to use the return address may mean that, when the processing core returns from the subroutine corresponding to the call instruction, it needs to fetch the return address corresponding to that call instruction from memory.
It can be understood that in the embodiments of this application the conversion circuit may use one or more conversion models to convert the return address. This embodiment does not limit the model; several possible conversion methods are described in detail in the subsequent embodiments.
In this application, the conversion circuit converts the return address once before it is stored in memory, so what memory holds is the converted return address. Because the attacker cannot know the conversion operation performed in the conversion circuit, the attacker cannot modify the converted return address in memory into the converted return address corresponding to a malicious instruction, so malicious changes to the program control flow are prevented.
After the converted return address is popped from memory, the conversion circuit converts it once more to obtain the original return address, so that the processing core can execute subsequent instructions according to the original return address, which preserves the integrity of the program control flow.
In this application, because the conversion is implemented by a hardware conversion circuit while the program runs, compared with the related technology above there is no need to identify call and return instructions at compile time and no need to insert additional encryption and decryption instructions, so the run-time performance of the processor is not affected. Also, compared with the related technology above, no dedicated special register is needed to store a key, which removes the risk of the key being stolen by software.
In one possible implementation, the processor further includes a control circuit that can identify whether an address output by the processing core is a return address. When the control circuit identifies an address output by the processing core as a return address, it routes that return address into the conversion circuit. The conversion circuit converts the return address into a converted return address and outputs it to the stack in memory. When the control circuit identifies that the processing core needs to use the return address, the converted return address popped from memory is fed into the conversion circuit under the control of the control circuit. The conversion circuit converts the converted return address to obtain the original return address and outputs the original return address to the processing core.
In another possible implementation, the processor is unaware of the conversion circuit. The conversion circuit is placed on the data path between the processing core and memory, so that a return address passes through the conversion circuit both when it travels from the processing core to memory and when it travels from memory to the processing core. This implementation only requires placing a conversion circuit on the data path between the processing core and memory, without changing the processor's existing control flow, and is therefore easy to implement.
Optionally, the processor further includes a register dedicated to storing the return address.
In such processors, this register is the mandatory path for a return address traveling between the processing core and memory. Exemplarily, when a subroutine's return address needs to be output to memory, the processing core first outputs the return address to this register, and the register then outputs it to memory. When the return address needs to be used, the return address popped from memory is likewise first output to this register, and the register then outputs it to the processing core.
It can be understood that the register used to store the return address may differ among processors with different instruction sets.
Exemplarily, the processor is a processor based on the ARM instruction set, and the register is the link register (LR).
Exemplarily, the processor is a processor based on the RISC-V instruction set, and the register is the return address (RA) register.
The following takes an ARM instruction set processor as an example to describe the processor structure and the return address processing procedure. FIG. 4A and FIG. 4B are schematic diagrams of the conventional return address processing procedure. FIG. 4A illustrates pushing the return address onto the stack, and FIG. 4B illustrates popping the return address from the stack.
Before the processing core executes a call instruction, the return address corresponding to that call instruction needs to be stored in memory. Exemplarily, as shown in FIG. 4A, under the control of the processing core, the return address output by the PC enters the LR register. The return address output by the LR register is then stored on the stack in memory.
When the processing core returns from the subroutine corresponding to the call instruction, it needs to read the return address from memory. Exemplarily, as shown in FIG. 4B, the return address popped from memory enters the LR register, and the LR register then outputs the return address to the processing core.
The conversion circuit in this embodiment may be placed either before or after the above register.
It should be noted that in this embodiment, placing the conversion circuit before the register means placing it on the register's write path, that is, at the register's input. With the conversion circuit before the register, every return address entering the register first passes through the conversion circuit and then enters the register. Placing the conversion circuit after the register means placing it on the register's read-out path, that is, at the register's output. With the conversion circuit after the register, every return address output from the register passes through the conversion circuit.
The two implementations are described separately below.
FIG. 5A and FIG. 5B are schematic diagrams of the return address processing procedure provided by an embodiment of this application. In this embodiment, the conversion circuit is placed on the write path of the LR register. FIG. 5A illustrates pushing the return address onto the stack, and FIG. 5B illustrates popping the return address from the stack.
The conversion circuit is specifically configured to convert the return address output by the processing core to obtain a converted return address, and to output the converted return address to the register, so that the converted return address is output to the stack in memory via the register.
The conversion circuit is further specifically configured, when the processing core needs to use the return address, to perform the conversion on the converted return address in the stack to obtain the return address, and to output the return address to the register, so that the return address is output to the processing core via the register.
As shown in FIG. 5A, because the conversion circuit is on the register's write path, the return address output by the processing core passes through the conversion circuit on its way to the LR register. The conversion circuit converts the return address output by the processing core into a converted return address, so what is actually stored in the LR register is the converted return address. The LR register then outputs the converted return address to the stack in memory, so what is actually pushed onto the stack is the converted return address. Because the attacker cannot know the conversion operation performed in the conversion circuit, the attacker cannot modify the converted return address in memory into the converted return address corresponding to a malicious instruction, so malicious changes to the program control flow are prevented.
As shown in FIG. 5B, when the processing core needs to use the return address, because the conversion circuit is on the write path of the LR register, the converted return address popped from memory passes through the conversion circuit before entering the LR register. The conversion circuit converts the converted return address back into the original return address, so what is actually stored in the LR register is the original return address. The LR register then outputs the original return address to the processing core, which preserves the program's normal control flow.
The following takes a processor based on the ARM instruction set as an example and illustrates the process with the execution of an actual program fragment.
FIG. 6 is a schematic diagram of a program execution process provided by an embodiment of this application. As shown in FIG. 6, the program includes the following ARM instructions: SUB, STP, ADD, LDP, ADD and RET.
When control flow is about to enter the subroutine, that is, when the processing core executes the STP instruction, the return address is output to the LR (0x30) register. Before the return address enters the LR register, it passes through the conversion circuit, which converts it into a converted return address, so what actually enters the LR register is the converted return address. The LR register then outputs the converted return address to the stack in memory.
When control flow returns from the end of the subroutine, that is, when the processing core executes the LDP instruction, the converted return address is read from the stack in memory. Before entering the LR (0x30) register, the converted return address passes through the conversion circuit, which converts it again to obtain the original return address. The original return address is stored in the LR register and is used when the processing core executes the RET instruction.
In this embodiment, a hardware conversion circuit is placed on the write path of the LR register to convert the return address entering the LR register; that is, every input destined for the LR register is first converted by the conversion circuit, and the result is then written into the LR register. In this way the return address is identified automatically, without changing the processor's control flow, and the scheme is easy to implement.
FIG. 7A and FIG. 7B are schematic diagrams of the return address processing procedure provided by an embodiment of this application. In this embodiment, the conversion circuit is placed on the read-out path of the LR register. FIG. 7A illustrates pushing the return address onto the stack, and FIG. 7B illustrates popping the return address from the stack.
When the processing core outputs the return address, the register is configured to hold the return address output by the processing core. The conversion circuit is specifically configured to convert the return address output by the register to obtain a converted return address, and to output the converted return address to the stack in memory.
When the processing core needs to use the return address, the register is further configured to hold the converted return address output by the stack. The conversion circuit is further specifically configured to perform the conversion on the converted return address output by the register to obtain the return address, and to output the return address to the processing core.
As shown in FIG. 7A, the return address output by the processing core is output to the LR register. Because the conversion circuit is on the read-out path of the LR register, the return address passes through the conversion circuit as the LR register outputs it to the stack in memory. The conversion circuit converts the return address output by the LR register into a converted return address, so what is actually pushed onto the stack is the converted return address. Because the attacker cannot know the conversion operation performed in the conversion circuit, the attacker cannot modify the converted return address in memory into the converted return address corresponding to a malicious instruction, so malicious changes to the program control flow are prevented.
As shown in FIG. 7B, when the processing core needs to use the return address, the converted return address popped from memory enters the LR register. Because the conversion circuit is on the read-out path of the LR register, the converted return address passes through the conversion circuit as the LR register outputs it to the processing core. The conversion circuit converts the converted return address back into the original return address, so what is actually delivered to the processing core is the original return address, which preserves the program's normal control flow.
In this embodiment, a hardware conversion circuit is placed on the read-out path of the LR register to convert the return address output by the LR register; that is, every value output from the LR register is first converted by the conversion circuit. In this way the return address is identified automatically, without changing the processor's control flow, and the scheme is easy to implement.
It should be noted that the above embodiments are described using a processor based on the ARM instruction set as an example, but the processors to which the embodiments of this application apply are not limited to it. The embodiments of this application apply equally to processors with other instruction sets, as long as the processor has a register dedicated to storing the return address.
It should be noted that in the above embodiments, for processors based on the ARM instruction set and processors based on the RISC-V instruction set, if the compiler supports a leaf subroutine optimization option (that is, in a leaf subroutine the return address is not saved from the LR/RA register to the stack in memory but is kept in the LR/RA register throughout), this optimization must be disabled so that LR/RA is used in a leaf subroutine in the same way as in an ordinary subroutine. Otherwise, the return address would be read from the LR/RA register without having been decrypted, which would break the normal return from the subroutine.
The specific conversion process of the conversion circuit in the above embodiments is described below.
In the embodiments of this application, the conversion that the conversion circuit performs on the return address satisfies the following condition:
B = IP(A), A = IP(B)
where A is the return address, B is the converted return address, and IP() is the conversion model used for the conversion.
It can be understood that many conversion models satisfy this condition, including but not limited to an XOR conversion model, a modular multiplication conversion model and a modular addition conversion model.
In one possible implementation, multiple conversion models are stored in the conversion circuit, and each conversion model corresponds to one or more optional sets of conversion parameters. Keeping the conversion models and parameters in the hardware circuit prevents the attacker from obtaining this sensitive information and improves the reliability of the program control-flow defense.
When converting the return address, the conversion circuit applies at least one conversion model to at least one bit of the return address to obtain the converted return address.
The at least one bit includes bits corresponding to the variable section and bits corresponding to the invariant section of the program's code addresses. The program's code addresses consist of the instruction addresses of multiple instructions; the invariant section is the set of bit positions whose values are the same across those instruction addresses, and the variable section is the set of bit positions whose values differ across them.
Exemplarily, taking the code area of libc as an example, because the number of instructions in a program is finite, a comparison of the start and end addresses of the program's code shows that several of the high-order bits of a code address, or even ten or several tens of them, never change. In this application these unchanging bit positions are called the invariant section of the code address, and the bit positions that do change are called the variable section.
In the embodiments of this application, when the conversion circuit converts at least one bit of the return address, it converts the variable section and the invariant section together, which makes brute-force attacks harder for the attacker and protects the security of the program control flow.
Exemplarily, before a program runs, the conversion circuit randomly selects a conversion model and randomly selects a set of conversion parameters, and uses them to convert the return addresses during the program's execution. If the program fails, that is, if a ROP attack occurs, the conversion model and/or conversion parameters are changed when the program is rerun, so that the attacker cannot mount repeated attacks against the same conversion model and parameters, which further improves the security of the program control flow.
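The conversion condition B = IP(A), A = IP(B) and the models discussed above, as an added worked example that is not part of the patent: it implements the XOR and modular multiplication models, simulates the circuit on the LR write path of FIGS. 5A and 5B, and adds two checks a practitioner would run before fixing p and q, an exhaustive listing of admissible q for a small modulus and a measure of how far changing one stored bit moves the decoded address. The modulus p = 2^32 and its three q values are those the page gives in its 32-bit example; the XOR key and the sample address are constructed.

```python
"""Added example (not part of the patent): an involutive return-address
conversion IP() with B = IP(A) and A = IP(B), in the XOR and modular
multiplication models the text names, plus checks on the parameters.
Constants: p = 2**32 and the three q values are the page's 32-bit example;
the XOR key and the sample addresses are constructed.
"""
from typing import Callable, List, Tuple

WIDTH = 32
P = 1 << WIDTH                                          # modulus p (page example)
PAGE_Q_VALUES = (4294967295, 2147483649, 2147483647)    # page's q, q*q ≡ 1 (mod p)
XOR_KEY = 0x5A3C96E1                                    # constructed key (XOR model)

Convert = Callable[[int], int]


def is_involutive_multiplier(q: int, p: int = P) -> bool:
    """q is admissible iff q*q ≡ 1 (mod p); q = 1 is rejected as the text requires."""
    return 1 < q < p and (q * q) % p == 1


def involutive_multipliers(p: int) -> List[int]:
    """List every admissible q for a small modulus by exhaustive search
    (illustration only; for p = 2**32 test a candidate with
    is_involutive_multiplier instead)."""
    if p > 1 << 16:
        raise ValueError("exhaustive search is only for small moduli")
    return [q for q in range(2, p) if (q * q) % p == 1]


def modmul_model(q: int, p: int = P) -> Convert:
    """Modular multiplication model IP(x) = x*q mod p. With q*q ≡ 1 (mod p),
    IP(IP(a)) = a*q*q mod p = a, so one circuit both encodes and decodes."""
    if not is_involutive_multiplier(q, p):
        raise ValueError(f"q={q} is not an involutive multiplier modulo {p}")
    return lambda x: (x * q) % p


def xor_model(key: int) -> Convert:
    """XOR model from the related-art description: IP(x) = x ^ key."""
    return lambda x: x ^ key


class LinkRegisterWritePath:
    """Conversion circuit on the LR write path (FIGS. 5A/5B): every value
    written to LR passes through IP(), so the stack only holds converted
    addresses and the core only ever reads back original ones."""

    def __init__(self, convert: Convert) -> None:
        self._ip = convert
        self.lr = 0
        self.stack: List[int] = []

    def call(self, return_address: int) -> None:
        self.lr = self._ip(return_address)     # STP: LR <- IP(a); push LR
        self.stack.append(self.lr)

    def ret(self) -> int:
        self.lr = self._ip(self.stack.pop())   # LDP: LR <- IP(stored); RET uses LR
        return self.lr


def round_trip(convert: Convert, return_address: int) -> Tuple[int, int]:
    """Return (value held on the stack, value handed back to the core)."""
    path = LinkRegisterWritePath(convert)
    path.call(return_address)
    stored = path.stack[-1]
    return stored, path.ret()


def decode_displacement(convert: Convert, return_address: int, bit: int,
                        p: int = P) -> int:
    """Circular distance between the true return address and what the core
    receives when bit `bit` of the *stored* converted value is changed.
    This is the quantity behind the text's brute-force argument: a model that
    mixes the whole address should turn a low-bit change into a large jump.
    For p = 2**32 and every q listed on the page the result is exactly 2**bit
    for bit >= 1, the same as for the XOR model, because the only square
    roots of 1 modulo 2**32 are 1, 2**32 - 1, 2**31 + 1 and 2**31 - 1."""
    stored = convert(return_address)
    decoded = convert(stored ^ (1 << bit))
    d = (decoded - return_address) % p
    return min(d, p - d)
```

With p = 2^32 the displacement check reports 2^k for every stored bit k ≥ 1 under each listed q, matching the XOR model, so whether low bits of the variable section mix into the invariant section depends on the modulus chosen and not on the multiplication model alone.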
下面结合几种具体的实施方式,描述处理器对返回地址的处理过程。The following describes the processing process of the return address by the processor in conjunction with several specific implementation manners.
一种可能的实施方式中,假设处理器为32位的基于ARM指令集的处理器,转换电路设置在LR寄存器的写入通路上,转换电路中采用模乘法转换模型。处理器对返回地址的处理过程如下:In a possible implementation manner, it is assumed that the processor is a 32-bit processor based on the ARM instruction set, the conversion circuit is set on the write path of the LR register, and the analog multiplication conversion model is adopted in the conversion circuit. The processor's processing of the return address is as follows:
1)在处理核执行call指令(例如调用func函数)之前,会将返回地址存入LR寄存器 中。由于转换电路设置在寄存器的写入通路上,因此,返回地址会首先经过转换电路的转换,得到转换返回地址,使得实际进入LR寄存器的为转换返回地址。1) Before the processing core executes the call instruction (such as calling the func function), the return address is stored in the LR register. Since the conversion circuit is set on the write path of the register, the return address will first be converted by the conversion circuit to obtain the conversion return address, so that what actually enters the LR register is the conversion return address.
为了表述方便,本实施例中将处理核输出的返回地址(即原始的返回地址)记为a[31:0]。将转换电路转换得到的转换返回地址(即实际进入LR寄存器的返回地址)记为b[31:0]。转换电路进行如下所示的模乘法操作:For the convenience of presentation, in this embodiment, the return address (that is, the original return address) output by the processing core is recorded as a[31:0]. The conversion return address obtained by the conversion circuit (that is, the return address actually entered into the LR register) is recorded as b[31:0]. The conversion circuit performs the modular multiplication operation as shown below:
a×q≡b mod pa×q≡b mod p
其中,p和q为模乘法转换模型对应的转换参数。由上式可知,返回地址a和转换电路中的参数q进行模乘法,模为p,输出为转换返回地址b。其中,q和p满足如下关系:Among them, p and q are the conversion parameters corresponding to the modular multiplication conversion model. It can be seen from the above formula that the return address a and the parameter q in the conversion circuit are modulo multiplied, the modulus is p, and the output is the conversion return address b. Among them, q and p satisfy the following relationship:
q^2 ≡ 1 (mod p)
It is understood that many combinations of p and q satisfy this relationship. For example, if p = 2^32, q may be chosen as any of the following:
4294967295, 2147483649, 2147483647
In practical applications, p should be larger than the largest code address but not excessively large, so as to save chip area in the conversion circuit. In addition, q = p-1 and q = 1 always satisfy the above requirement, but for security q = 1 is not chosen.
In this embodiment, because the modular multiplication conversion model operates on the whole 32-bit return address a[31:0], that is, the varying section and the invariant section of the code address are operated on at the same time, an attacker cannot target only the varying section with a specific attack and cannot guarantee that every brute-force attempt will land in the code region, which improves the security of the program control flow.
2) The converted return address is read out of the LR register and stored on the stack in memory.
3) The function func is executed.
4) Before returning from the function func, the converted return address is read from memory, and the popped converted return address is stored into the LR register. Because the conversion circuit is placed on the write path of the LR register, the popped converted return address first passes through the conversion circuit, which converts it once more to obtain the original return address; the original return address is then stored in the LR register. The conversion circuit performs the same modular multiplication operation, as follows:
b × q ≡ a (mod p)
where p and q are the conversion parameters of the modular multiplication conversion model and are the same parameters used in the first conversion described above. The converted return address b is the input of the conversion model, and the return address a is its output.
From the two conversions above, the return address returns to its original value after the same conversion is applied twice.
5) The return operation is performed.
If the converted return address b has not been maliciously tampered with on the stack in memory, the return address a obtained after conversion by the conversion circuit is the correct return address and the program executes normally. If the converted return address b has been maliciously tampered with on the stack, the attacker, not knowing the sensitive information p and q, cannot construct a valid malicious converted return address; therefore the return address a obtained after conversion by the conversion circuit is a garbled value, and when the return operation is executed the program will execute the code at that garbled address, which with high probability causes a memory error. The attacker thus cannot achieve the goal of altering the program control flow.
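The write-path modular multiplication procedure above, modelled in Python as an added example (not code from the patent or its applicant). It uses the page's values p = 2^32 and the three listed choices of q; the sample return address, the tampered stack value, the `LinkRegister` class and the `call_and_return` function are constructed for this model.

```python
# Added model of the first embodiment: conversion circuit on the LR write path,
# modular multiplication conversion model.  Constructed example; p and the q
# candidates come from the page, the addresses are sample values.
from typing import Optional

P = 1 << 32                                         # page's modulus p = 2^32
Q_CHOICES = (4294967295, 2147483649, 2147483647)    # page's example q values


def is_valid_q(q: int, p: int) -> bool:
    """Two passes cancel only if q^2 ≡ 1 (mod p); q = 1 is the identity
    and is excluded, as the page states."""
    return q != 1 and (q * q) % p == 1


def convert(x: int, q: int = Q_CHOICES[0], p: int = P) -> int:
    """One pass through the circuit: x × q mod p.  The same operation both
    hides the address on the way in and recovers it on the way back."""
    return (x * q) % p


class LinkRegister:
    """LR with the conversion circuit on its write path only."""

    def __init__(self, q: int, p: int = P):
        self.q, self.p, self.value = q, p, 0

    def write(self, x: int) -> None:    # write path: converted before storing
        self.value = convert(x, self.q, self.p)

    def read(self) -> int:              # read path: plain
        return self.value


def call_and_return(ret_addr: int, q: int, tampered: Optional[int] = None) -> int:
    """Steps 1-5 of the page's procedure; returns the address the core finally
    branches to.  If `tampered` is given it replaces the stack slot before the
    pop, modelling an overwrite of the spilled value."""
    lr = LinkRegister(q)
    lr.write(ret_addr)           # 1) call: a enters LR as b = a × q mod p
    stack = [lr.read()]          # 2) b is spilled to the stack unchanged
    # 3) func runs ...
    popped = stack.pop() if tampered is None else tampered
    lr.write(popped)             # 4) the pop goes through the write path again
    return lr.read()             # 5) ret branches to whatever LR now holds
```

The model also makes a property of these particular parameters easy to check: with p = 2^32 and q = 2^31 + 1, `convert(0x08001234, 2147483649)` returns 0x08001234 unchanged, because a·2^31 ≡ 0 (mod 2^32) whenever a is even, and with q = 2^32 - 1 the result is just the two's-complement negation. A power-of-two modulus has only these square roots of 1, so any candidate (p, q) should be checked for fixed points and for how much of the address space it actually moves before being relied on.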
In another possible implementation, assume the processor is a 32-bit processor based on the ARM instruction set, the conversion circuit is placed on the read path of the LR register, and the conversion circuit uses the modular addition conversion model. The processor processes the return address as follows:
1) Before the processing core executes a call instruction (for example, a call to the function func), the return address is stored in the LR register.
2) The return address is read out of the LR register and stored on the stack in memory.
Because the conversion circuit is placed on the read path of the LR register, the return address output by the LR register is first converted by the conversion circuit to obtain a converted return address, so that what is actually pushed onto the stack is the converted return address.
For convenience of description, in this embodiment the return address output by the LR register (that is, the original return address) is denoted a[31:0], and the converted return address obtained by the conversion circuit (that is, the return address actually pushed onto the stack) is denoted b[31:0]. The conversion circuit performs the modular addition operation shown in the following formula:
a + q ≡ b (mod p)
where p and q are the conversion parameters of the modular addition conversion model. As the formula shows, the return address a is added to the parameter q of the conversion circuit modulo p, and the output is the converted return address b. Here q and p satisfy the following relationship:
q ≡ p/2
It is understood that many combinations of p and q satisfy this relationship. For example, if p = 2^32 + 2, then q = 2^31 + 1.
In practical applications, p should be larger than the largest code address but not excessively large, so as to save chip area in the conversion circuit.
In this embodiment, because the modular addition conversion model operates on the whole 32-bit return address a[31:0], that is, the varying section and the invariant section of the code address are operated on at the same time, an attacker cannot target only the varying section with a specific attack and cannot guarantee that every brute-force attempt will land in the code region, which improves the security of the program control flow.
3) The function func is executed.
4) Before returning from the function func, the converted return address is read from memory, and the popped converted return address is stored into the LR register.
5) The converted return address is read out of the LR register and output to the processing core, and the return operation is performed.
Because the conversion circuit is placed on the read path of the LR register, the popped converted return address first passes through the conversion circuit, which converts it once more to obtain the original return address; the original return address is then output to the processing core. The conversion circuit performs the same modular addition operation, as follows:
b + q ≡ a (mod p)
where p and q are the conversion parameters of the modular addition conversion model and are the same parameters used in the first conversion described above. The converted return address b is the input of the conversion model, and the return address a is its output.
From the two conversions above, the return address returns to its original value after the same conversion is applied twice.
If the converted return address b has not been maliciously tampered with on the stack in memory, the return address a obtained after conversion by the conversion circuit is the correct return address and the program executes normally. If the converted return address b has been maliciously tampered with on the stack, the attacker, not knowing the sensitive information p and q, cannot construct a valid malicious converted return address; therefore the return address a obtained after conversion by the conversion circuit is a garbled value, and when the return operation is executed the program will execute the code at that garbled address, which with high probability causes a memory error. The attacker thus cannot achieve the goal of altering the program control flow.
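The read-path modular addition procedure above, as an added Python model (not the patent's own code). It uses the page's p = 2^32 + 2 and q = 2^31 + 1; the sample addresses, the `LinkRegister` class and `call_and_return` are constructed here. Unlike the first embodiment, LR stores the raw value and the conversion is applied on every read, so both the value pushed to the stack and the value delivered to the core are outputs of the read path.

```python
# Added model of the second embodiment: conversion circuit on the LR read path,
# modular addition conversion model.  Constructed example; p and q are the
# page's values, the addresses are sample values.
from typing import Optional

P = (1 << 32) + 2               # page's example modulus p = 2^32 + 2
Q = (1 << 31) + 1               # q ≡ p/2, so 2q ≡ 0 (mod p)


def is_valid_q(q: int, p: int) -> bool:
    """For modular addition the two passes cancel only if 2q ≡ 0 (mod p)."""
    return (2 * q) % p == 0


def convert(x: int, q: int = Q, p: int = P) -> int:
    """One pass through the circuit: (x + q) mod p."""
    return (x + q) % p


class LinkRegister:
    """LR with the conversion circuit on its read path only."""

    def __init__(self, q: int = Q, p: int = P):
        self.q, self.p, self.value = q, p, 0

    def write(self, x: int) -> None:    # write path: stored as-is
        self.value = x

    def read(self) -> int:              # read path: converted on the way out
        return convert(self.value, self.q, self.p)


def call_and_return(ret_addr: int, tampered: Optional[int] = None) -> int:
    """Steps 1-5 of the page's procedure; returns the address delivered to the
    core for the return.  `tampered`, if given, replaces the stack slot."""
    lr = LinkRegister()
    lr.write(ret_addr)           # 1) call: a stored in LR unchanged
    stack = [lr.read()]          # 2) read path converts: b = (a + q) mod p is pushed
    # 3) func runs ...
    popped = stack.pop() if tampered is None else tampered
    lr.write(popped)             # 4) popped b stored in LR unchanged
    return lr.read()             # 5) read path converts again: (b + q) mod p = a


def needs_more_than_32_bits(a: int) -> bool:
    """True when the value pushed for return address a does not fit in 32 bits."""
    return convert(a).bit_length() > 32
```

Because p exceeds 2^32, the converted value can need 33 bits: `needs_more_than_32_bits(1 << 31)` is true, since 2^31 + q = 2^32 + 1 is below p and so is not reduced. Python integers are unbounded, so the model is unaffected, but a hardware stack slot or register path carrying b must be wide enough for values up to p - 1.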
In yet another possible implementation, the conversion circuit groups at least one bit of the return address to obtain multiple bit groups; converts the bits in each bit group using the conversion model to obtain a conversion result for each bit group, where either at least two of the bit groups use different conversion models or all of the bit groups use the same conversion model; and then obtains the converted return address from the conversion results of the bit groups.
It is understood that the at least one bit of the return address may be grouped in many ways, which this embodiment does not specifically limit. Taking a 32-bit processor system as an example, the 32 bits of the return address may be divided into two bit groups or three bit groups, and of course into more bit groups.
For example, when dividing into two bit groups, the first 16 bits may form one group and the last 16 bits the other; or the first 8 bits may form one group and the last 24 bits the other; or the odd-numbered bit positions may form one group and the even-numbered bit positions the other. It is understood that other groupings exist, which are not listed here one by one. When dividing into two bit groups, the two groups may use the same conversion model or different ones: for example, both groups use the modular multiplication conversion model, or both use the modular addition conversion model, or one group uses the modular multiplication conversion model and the other the modular addition conversion model.
For example, when dividing into three bit groups, the first 8 bits may form one group, the middle 16 bits a second group, and the last 8 bits a third group; or the first 10 bits, the middle 8 bits and the last 14 bits may form the three groups; or bits 1, 4, 7, 10, 13, 16, 19, 22, 25, 28 and 31 may form one group, bits 2, 5, 8, 11, 14, 17, 20, 23, 26 and 29 a second group, and bits 0, 3, 6, 9, 12, 15, 18, 21, 24, 27 and 30 a third group. It is understood that other groupings exist, which are not listed here one by one. When dividing into three bit groups, the three groups may use the same conversion model or different ones.
The following description uses an example.
Assume the processor is a 32-bit processor based on the ARM instruction set and the conversion circuit is placed on the write path of the LR register. The conversion circuit divides the 32 bits of the return address into two bit groups: one group contains the bits at the odd bit positions of the return address, and the other contains the bits at the even bit positions. One group uses the modular multiplication conversion model and the other uses the modular addition conversion model. The processor then processes the return address as follows:
1) Before the processing core executes a call instruction (for example, a call to the function func), the return address is stored in the LR register. Because the conversion circuit is placed on the write path of the register, the return address is first converted by the conversion circuit to obtain a converted return address, so that what actually enters the LR register is the converted return address.
For convenience of description, in this embodiment the return address output by the processing core (that is, the original return address) is denoted a[31:0]. a[31:0] is divided into two bit groups, a_1[15:0] and a_2[15:0], where
a_1[15:0] ≡ {a[31], a[29], a[27], …, a[1]}
a_2[15:0] ≡ {a[30], a[28], a[26], …, a[0]}
Correspondingly, the converted return address obtained by the conversion circuit (that is, the return address that actually enters the LR register) is denoted b[31:0]. b[31:0] is divided into two bit groups, b_1[15:0] and b_2[15:0], where
b_1[15:0] ≡ {b[31], b[29], b[27], …, b[1]}
b_2[15:0] ≡ {b[30], b[28], b[26], …, b[0]}
When converting the return address, the conversion circuit applies the modular multiplication conversion model to a_1[15:0] and the modular addition conversion model to a_2[15:0], as follows:
a_1 × q_1 ≡ b_1 (mod p_1)
a_2 + q_2 ≡ b_2 (mod p_2)
where p_1 and q_1 are the conversion parameters of the modular multiplication conversion model, and p_2 and q_2 are the conversion parameters of the modular addition conversion model. As the formulas show, a_1 is multiplied by the parameter q_1 of the conversion circuit modulo p_1, with output b_1; a_2 is added to the parameter q_2 of the conversion circuit modulo p_2, with output b_2.
Here p_1 and q_1 satisfy the following relationship:
q_1^2 ≡ 1 (mod p_1)
It is understood that many combinations of p_1 and q_1 satisfy this relationship. For example, if p_1 = 2^16 + 8, q_1 may be chosen as any of the following:
65543, 60083, 54619, 49159, …, 5461
p_2 and q_2 satisfy the following relationship:
q_2 ≡ p_2/2
It is understood that many combinations of p_2 and q_2 satisfy this relationship. For example, if p_2 = 2^32 + 6, then q_2 = 2^31 + 3.
In practical applications, p_1 and p_2 should be larger than the largest code address but not excessively large, so as to save chip area in the conversion circuit.
In this embodiment, for the 32-bit return address a, the 32 bits are divided into two groups by odd and even bit positions, one group using the modular multiplication conversion model and the other the modular addition conversion model. The varying section and the invariant section of the code address are thus operated on at the same time, so an attacker cannot target only the varying section with a specific attack and cannot guarantee that every brute-force attempt will land in the code region, which improves the security of the program control flow.
2) The converted return address is read out of the LR register and stored on the stack in memory.
3) The function func is executed.
4) Before returning from the function func, the converted return address is read from memory, and the popped converted return address is stored into the LR register. Because the conversion circuit is placed on the write path of the LR register, the popped converted return address first passes through the conversion circuit, which converts it once more to obtain the original return address; the original return address is then stored in the LR register.
When converting the converted return address, the conversion circuit applies the modular multiplication conversion model to b_1[15:0] and the modular addition conversion model to b_2[15:0], as follows:
b_1 × q_1 ≡ a_1 (mod p_1)
b_2 + q_2 ≡ a_2 (mod p_2)
where p_1 and q_1 are the conversion parameters of the modular multiplication conversion model and p_2 and q_2 are the conversion parameters of the modular addition conversion model, all the same parameters used in the first conversion described above.
From the two conversions above, the return address returns to its original value after the same conversion is applied twice.
5) The return operation is performed.
If the converted return address b has not been maliciously tampered with on the stack in memory, the return address a obtained after conversion by the conversion circuit is the correct return address and the program executes normally. If the converted return address b has been maliciously tampered with on the stack, the attacker, not knowing the sensitive information p_1, q_1, p_2 and q_2, cannot construct a valid malicious converted return address; therefore the return address a obtained after conversion by the conversion circuit is a garbled value, and when the return operation is executed the program will execute the code at that garbled address, which with high probability causes a memory error. The attacker thus cannot achieve the goal of altering the program control flow.
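The odd/even bit-grouped conversion above, as an added Python model (not the patent's code). Splitting and re-interleaving follow the page's definitions of a_1, a_2, b_1 and b_2. The group moduli are an assumption: the model uses p_1 = p_2 = 2^16 with q_1 = 2^15 + 1 (so q_1^2 ≡ 1 mod p_1) and q_2 = 2^15 (so q_2 = p_2/2) instead of the page's p_1 = 2^16 + 8 and p_2 = 2^32 + 6, so that each converted 16-bit group fits back into the 32-bit b[31:0]; the addresses are sample values.

```python
# Added model of the bit-grouped embodiment: odd bit positions of the 32-bit
# return address go through modular multiplication, even bit positions through
# modular addition, and the two results are re-interleaved.  Constructed
# example; the group moduli are an assumption chosen so that every converted
# group stays 16 bits wide (the page's own p_1 and p_2 are wider than that).
from typing import Optional

ADDR_BITS = 32
GROUP_BITS = ADDR_BITS // 2
P1 = 1 << GROUP_BITS               # assumed modulus for the odd-bit group (multiplication)
Q1 = (1 << (GROUP_BITS - 1)) + 1   # Q1^2 = 2^30 + 2^16 + 1 ≡ 1 (mod 2^16)
P2 = 1 << GROUP_BITS               # assumed modulus for the even-bit group (addition)
Q2 = P2 // 2                       # Q2 ≡ P2/2, so 2*Q2 ≡ 0 (mod P2)


def split_odd_even(x: int):
    """a -> (a_1, a_2): a_1[i] = a[2i+1] (odd positions), a_2[i] = a[2i] (even)."""
    odd = even = 0
    for i in range(ADDR_BITS):
        bit = (x >> i) & 1
        if i % 2:
            odd |= bit << (i // 2)
        else:
            even |= bit << (i // 2)
    return odd, even


def merge_odd_even(odd: int, even: int) -> int:
    """Inverse of split_odd_even: b[2i+1] = b_1[i], b[2i] = b_2[i]."""
    x = 0
    for i in range(ADDR_BITS):
        src = odd if i % 2 else even
        x |= ((src >> (i // 2)) & 1) << i
    return x


def convert(x: int) -> int:
    """One pass through the grouped circuit; self-inverse because each group
    model is (q_1^2 ≡ 1 mod p_1 and 2 q_2 ≡ 0 mod p_2)."""
    a1, a2 = split_odd_even(x)
    b1 = (a1 * Q1) % P1            # a_1 × q_1 ≡ b_1 (mod p_1)
    b2 = (a2 + Q2) % P2            # a_2 + q_2 ≡ b_2 (mod p_2)
    return merge_odd_even(b1, b2)


def call_and_return(ret_addr: int, tampered: Optional[int] = None) -> int:
    """Write-path placement as in the page's third example: every write to LR
    passes through the circuit.  `tampered`, if given, replaces the stack slot."""
    lr = convert(ret_addr)         # 1) call: converted value enters LR
    stack = [lr]                   # 2) spilled to the stack unchanged
    # 3) func runs ...
    popped = stack.pop() if tampered is None else tampered
    lr = convert(popped)           # 4) the pop is written to LR through the circuit again
    return lr                      # 5) ret branches to LR
```

With both group moduli equal to 2^16, every converted group is below 2^16 and the interleaved result is always a valid 32-bit value, which is what lets the round trip through `merge_odd_even` be exact. If the page's wider moduli are used instead, the group results can exceed 16 bits and the interleaving would need wider slots.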
FIG. 8 is a schematic flowchart of a return address processing method provided by an embodiment of this application. The method of this embodiment is executed by a processor that includes a processing core and a conversion circuit. As shown in FIG. 8, the method of this embodiment includes:
S801: When the processing core outputs the return address, convert the return address by the conversion circuit to obtain a converted return address, and output the converted return address to a stack in memory.
S802: When the return address needs to be used, perform the conversion on the converted return address from the stack by the conversion circuit to obtain the return address, and output the return address to the processing core.
In a possible implementation, the processor further includes a register, and converting the return address by the conversion circuit to obtain the converted return address and outputting the converted return address to the stack in memory includes:
converting the return address by the conversion circuit to obtain the converted return address, and outputting the converted return address to the register, so that the converted return address is output via the register to the stack in memory;
and performing the conversion on the converted return address from the stack by the conversion circuit to obtain the return address and outputting the return address to the processing core includes:
performing the conversion on the converted return address from the stack by the conversion circuit to obtain the return address, and outputting the return address to the register, so that the return address is output via the register to the processing core.
In a possible implementation, the processor further includes a register, the return address is output by the processing core to the register, and converting the return address by the conversion circuit to obtain the converted return address and outputting the converted return address to the stack in memory includes:
converting the return address output by the register by the conversion circuit to obtain the converted return address, and outputting the converted return address to the stack in memory;
and performing the conversion on the converted return address from the stack by the conversion circuit to obtain the return address and outputting the return address to the processing core includes:
performing the conversion on the converted return address output by the register by the conversion circuit to obtain the return address, and outputting the return address to the processing core.
In a possible implementation, the conversion satisfies the following condition:
B = IP(A), A = IP(B)
where A is the return address, B is the converted return address, and IP() is the conversion model used by the conversion.
In a possible implementation, converting the return address to obtain the converted return address includes:
converting at least one bit of the return address using at least one conversion model to obtain the converted return address.
In a possible implementation, converting at least one bit of the return address using at least one conversion model to obtain the converted return address includes:
grouping at least one bit of the return address to obtain multiple bit groups;
converting the bits in each bit group using the conversion model to obtain a conversion result for each bit group, where either at least two of the bit groups use different conversion models or all of the bit groups use the same conversion model;
obtaining the converted return address from the conversion results of the bit groups.
In a possible implementation, there are two bit groups, one containing the bits at the odd bit positions of the return address and the other containing the bits at the even bit positions of the return address.
In a possible implementation, the types of conversion model include the modular multiplication conversion model and the modular addition conversion model.
In a possible implementation, the register is a register for storing the return address.
In a possible implementation, the processor is a processor based on the ARM instruction set, and the register is the LR register.
In a possible implementation, the processor is a processor based on the RISC-V instruction set, and the register is the RA register.
The return address processing method provided by this embodiment can be applied to the processor described in any of the above embodiments; its implementation principle and technical effect are similar and are not repeated here.
An embodiment of this application further provides an electronic device including a processor, where the processor may adopt the structure of the processor in any of the above embodiments; its implementation principle and technical effect are similar and are not repeated here.
An embodiment of this application further provides a chip including a processor, where the processor may adopt the structure of the processor in any of the above embodiments; its implementation principle and technical effect are similar and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed device and method may be implemented in other ways. For example, the device embodiments described above are merely illustrative; the division into modules is only a division by logical function, and other divisions are possible in actual implementation, for example, multiple modules may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or modules, and may be electrical, mechanical or of another form.
The modules described as separate components may or may not be physically separate, and the components shown as modules may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional modules in the embodiments of this application may be integrated into one processing unit, or each module may exist physically on its own, or two or more modules may be integrated into one unit. The unit formed by the above modules may be implemented in the form of hardware, or in the form of hardware plus a software functional unit.
The integrated module implemented in the form of a software functional module may be stored in a computer-readable storage medium. The software functional module is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) or a processor to perform some of the steps of the methods described in the embodiments of this application.
It should be understood that the processor may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC) or the like. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor. The steps of the methods disclosed in this application may be embodied directly as being performed by a hardware processor, or performed by a combination of hardware and software modules in the processor.
The memory may include high-speed RAM, and may also include non-volatile memory (NVM), such as at least one magnetic disk memory; it may also be a USB flash drive, a removable hard disk, a read-only memory, a magnetic disk, an optical disc or the like.
The bus may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus and so on. For ease of representation, the bus in the drawings of this application is not limited to a single bus or a single type of bus.
The storage medium may be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, a magnetic disk or an optical disc. The storage medium may be any available medium that can be accessed by a general-purpose or special-purpose computer.
An exemplary storage medium is coupled to the processor so that the processor can read information from, and write information to, the storage medium. Of course, the storage medium may also be an integral part of the processor. The processor and the storage medium may be located in an application-specific integrated circuit (ASIC). Of course, the processor and the storage medium may also exist as discrete components in the electronic device or the main control device.

Claims (23)

  1. A processor, characterized in that it comprises a processing core and a conversion circuit;
    the processing core is configured to output a return address;
    the conversion circuit is configured to convert the return address output by the processing core to obtain a converted return address, and to output the converted return address to a stack in memory;
    the conversion circuit is further configured, when the processing core needs to use the return address, to apply the conversion to the converted return address in the stack to obtain the return address, and to output the return address to the processing core.
  2. The processor according to claim 1, characterized in that it further comprises a register;
    the conversion circuit is specifically configured to convert the return address output by the processing core to obtain a converted return address, and to output the converted return address to the register, so that the converted return address is output to the stack in memory via the register;
    the conversion circuit is further specifically configured, when the processing core needs to use the return address, to apply the conversion to the converted return address in the stack to obtain the return address, and to output the return address to the register, so that the return address is output to the processing core via the register.
  3. The processor according to claim 1, characterized in that it further comprises a register;
    when the processing core outputs the return address, the register is configured to hold the return address output by the processing core;
    the conversion circuit is specifically configured to convert the return address output by the register to obtain a converted return address, and to output the converted return address to a stack in memory;
    when the processing core needs to use the return address, the register is further configured to hold the converted return address output by the stack;
    the conversion circuit is further specifically configured to apply the conversion to the converted return address output by the register to obtain the return address, and to output the return address to the processing core.
  4. The processor according to claim 2 or 3, characterized in that the conversion satisfies the following condition:
    B = IP(A), A = IP(B)
    where A is the return address, B is the converted return address, and IP() is the conversion model used by the conversion.
  5. The processor according to claim 4, characterized in that the conversion circuit is specifically configured to:
    convert at least one bit of the return address using at least one conversion model to obtain the converted return address.
  6. The processor according to claim 5, characterized in that the conversion circuit is specifically configured to:
    group at least one bit of the return address to obtain a plurality of bit groups;
    convert the bits in each bit group using the conversion model to obtain a conversion result for each bit group, wherein at least two of the plurality of bit groups use different conversion models, or all of the plurality of bit groups use the same conversion model;
    obtain the converted return address from the conversion results of the bit groups.
  7. The processor according to claim 6, characterized in that the number of bit groups is two, one bit group comprising the bits at the odd bit positions of the return address and the other bit group comprising the bits at the even bit positions of the return address.
  8. The processor according to any one of claims 4 to 7, characterized in that the types of conversion model include a modular multiplication conversion model and a modular addition conversion model.
  9. The processor according to any one of claims 2 to 8, characterized in that the register is a register for storing a return address.
  10. The processor according to claim 9, characterized in that the processor is based on the ARM instruction set and the register is the LR register.
  11. The processor according to claim 9, characterized in that the processor is based on the RISC-V instruction set and the register is the RA register.
  12. A method for processing a return address, characterized in that it is applied to a processor comprising a processing core and a conversion circuit, the method comprising:
    when the processing core outputs the return address, converting the return address by the conversion circuit to obtain a converted return address, and outputting the converted return address to a stack in memory;
    when the return address needs to be used, applying the conversion by the conversion circuit to the converted return address in the stack to obtain the return address, and outputting the return address to the processing core.
  13. The method according to claim 12, characterized in that the processor further comprises a register, and converting the return address by the conversion circuit to obtain a converted return address and outputting the converted return address to a stack in memory comprises:
    converting the return address by the conversion circuit to obtain a converted return address, and outputting the converted return address to the register, so that the converted return address is output to the stack in memory via the register;
    and applying the conversion by the conversion circuit to the converted return address in the stack to obtain the return address and outputting the return address to the processing core comprises:
    applying the conversion by the conversion circuit to the converted return address in the stack to obtain the return address, and outputting the return address to the register, so that the return address is output to the processing core via the register.
  14. The method according to claim 12, characterized in that the processor further comprises a register, the return address is output by the processing core to the register, and converting the return address by the conversion circuit to obtain a converted return address and outputting the converted return address to a stack in memory comprises:
    converting the return address output by the register by the conversion circuit to obtain a converted return address, and outputting the converted return address to a stack in memory;
    and applying the conversion by the conversion circuit to the converted return address in the stack to obtain the return address and outputting the return address to the processing core comprises:
    applying the conversion by the conversion circuit to the converted return address output by the register to obtain the return address, and outputting the return address to the processing core.
  15. The method according to claim 13 or 14, characterized in that the conversion satisfies the following condition:
    B = IP(A), A = IP(B)
    where A is the return address, B is the converted return address, and IP() is the conversion model used by the conversion.
  16. The method according to claim 15, characterized in that converting the return address to obtain the converted return address comprises:
    converting at least one bit of the return address using at least one conversion model to obtain the converted return address.
  17. The method according to claim 16, characterized in that converting at least one bit of the return address using at least one conversion model to obtain the converted return address comprises:
    grouping at least one bit of the return address to obtain a plurality of bit groups;
    converting the bits in each bit group using the conversion model to obtain a conversion result for each bit group, wherein at least two of the plurality of bit groups use different conversion models, or all of the plurality of bit groups use the same conversion model;
    obtaining the converted return address from the conversion results of the bit groups.
  18. The method according to claim 17, characterized in that the number of bit groups is two, one bit group comprising the bits at the odd bit positions of the return address and the other bit group comprising the bits at the even bit positions of the return address.
  19. The method according to any one of claims 15 to 18, characterized in that the types of conversion model include a modular multiplication conversion model and a modular addition conversion model.
  20. The method according to any one of claims 13 to 19, characterized in that the register is a register for storing a return address.
  21. The method according to claim 20, characterized in that the processor is based on the ARM instruction set and the register is the LR register.
  22. The method according to claim 20, characterized in that the processor is based on the RISC-V instruction set and the register is the RA register.
  23. An electronic device, characterized in that it comprises the processor according to any one of claims 1 to 11.
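The conversion described in claims 4 to 8, as an added software model in C that is not part of the patent and not Huawei's circuit: it assumes a 32-bit return address split into its even-position and odd-position bits (claim 7), applies a modular multiplication model to one group and a modular addition model to the other (claim 8), and checks the involution condition B = IP(A), A = IP(B) of claim 4. The multiplier, the additive constant and the addresses are constructed for the example; the patent does not specify how they are chosen. Note that modulo 2^16 only four multipliers (1, 0xFFFF, 0x7FFF, 0x8001) square to 1, so in this model the additive constant carries most of the unpredictability of the value left in the stack.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed parameters (not from the patent). For a multiplicative model to
 * satisfy A = IP(IP(A)) mod 2^16 we need m*m == 1 (mod 2^16); the only such m
 * are 1, 0xFFFF, 0x7FFF and 0x8001. x -> (c - x) mod 2^16 is an involution
 * for any constant c. */
#define MUL_M 0x7FFFu
#define ADD_C 0x5A3Cu

/* Involution condition of claim 4 for a multiplicative model modulo 2^16. */
int mul_is_involution(uint16_t m) {
    return (uint16_t)((uint32_t)m * m) == 1u;
}

/* Compact the 16 bits of one parity (0 = even positions, 1 = odd positions)
 * of a 32-bit address into a 16-bit group (claim 7). */
static uint16_t gather(uint32_t a, unsigned parity) {
    uint16_t r = 0;
    for (unsigned i = 0; i < 16; i++)
        r |= (uint16_t)(((a >> (2 * i + parity)) & 1u) << i);
    return r;
}

/* Inverse of gather(): interleave the two groups back into an address. */
static uint32_t scatter(uint16_t even, uint16_t odd) {
    uint32_t a = 0;
    for (unsigned i = 0; i < 16; i++) {
        a |= (uint32_t)((even >> i) & 1u) << (2 * i);
        a |= (uint32_t)((odd  >> i) & 1u) << (2 * i + 1);
    }
    return a;
}

/* The two model types of claim 8, each its own inverse modulo 2^16. */
static uint16_t ip_mul(uint16_t x) { return (uint16_t)((uint32_t)x * MUL_M); }
static uint16_t ip_add(uint16_t x) { return (uint16_t)(ADD_C - x); }

/* The conversion circuit: a different model per bit group (claim 6). Because
 * both models are involutions, the same function serves the push direction
 * (A -> B, into the stack) and the pop direction (B -> A, back to the core). */
uint32_t convert_return_address(uint32_t a) {
    return scatter(ip_mul(gather(a, 0)), ip_add(gather(a, 1)));
}

/* Simulated stack slot: the core only ever sees A, memory only ever holds B. */
typedef struct { uint32_t slot; } stack_slot_t;

void hw_push_return(stack_slot_t *s, uint32_t ra) {
    s->slot = convert_return_address(ra);
}

uint32_t hw_pop_return(const stack_slot_t *s) {
    return convert_return_address(s->slot);
}

/* 1 if the value stored differs from A and the core gets A back on return. */
int push_pop_roundtrip(uint32_t ra) {
    stack_slot_t s;
    hw_push_return(&s, ra);
    return s.slot != ra && hw_pop_return(&s) == ra;
}

/* Attacker model: a stack overflow overwrites the slot with the raw address
 * of a gadget, without knowing the conversion. Returns where the core
 * actually jumps: IP(gadget), not the gadget itself. */
uint32_t attacker_lands_at(uint32_t gadget) {
    stack_slot_t s;
    s.slot = gadget;
    return hw_pop_return(&s);
}

int main(void) {
    uint32_t ra = 0x0040123Cu, gadget = 0x41414141u;   /* constructed addresses */
    stack_slot_t s;
    hw_push_return(&s, ra);
    printf("A=%08x  B(in stack)=%08x  popped=%08x\n", ra, s.slot, hw_pop_return(&s));
    printf("overwrite with %08x -> core returns to %08x\n", gadget, attacker_lands_at(gadget));
    return 0;
}
```

The round trip works for any constants because each per-group model is an involution; what the attacker loses is the ability to choose the address the core returns to without knowing which model and which constants the circuit uses. The patent leaves the choice of models and constants open, and a deployment would have to make that choice (and keep the constants out of the attacker's reach) for the converted value to be unpredictable.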
PCT/CN2020/099168 2019-07-01 2020-06-30 Processor and return address processing method WO2021000847A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910586325.5A CN112181491A (en) 2019-07-01 2019-07-01 Processor and return address processing method
CN201910586325.5 2019-07-01

Publications (1)

Publication Number Publication Date
WO2021000847A1 true WO2021000847A1 (en) 2021-01-07

Family

ID=73915579

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/099168 WO2021000847A1 (en) 2019-07-01 2020-06-30 Processor and return address processing method

Country Status (2)

Country Link
CN (1) CN112181491A (en)
WO (1) WO2021000847A1 (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030217277A1 (en) * 2002-05-15 2003-11-20 Nokia, Inc. Preventing stack buffer overflow attacks
US20140173290A1 (en) * 2012-12-17 2014-06-19 Advanced Micro Devices, Inc. Return address tracking mechanism
US20140173293A1 (en) * 2012-12-17 2014-06-19 Advanced Micro Devices, Inc. Hardware Based Return Pointer Encryption
CN106022166A (en) * 2016-06-02 2016-10-12 东北大学 Code reuse attack defense system and method
US20170046280A1 (en) * 2015-08-14 2017-02-16 Infineon Technologies Ag Data processing device and method for protecting a data processing device against attacks
CN109361507A (en) * 2018-10-11 2019-02-19 杭州华澜微电子股份有限公司 A kind of data ciphering method and encryption equipment

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9665374B2 (en) * 2014-12-18 2017-05-30 Intel Corporation Binary translation mechanism
US9477453B1 (en) * 2015-06-24 2016-10-25 Intel Corporation Technologies for shadow stack manipulation for binary translation systems
US20170090927A1 (en) * 2015-09-30 2017-03-30 Paul Caprioli Control transfer instructions indicating intent to call or return
US10289842B2 (en) * 2015-11-12 2019-05-14 Samsung Electronics Co., Ltd. Method and apparatus for protecting kernel control-flow integrity using static binary instrumentation
CN109409085A (en) * 2018-09-21 2019-03-01 中国科学院信息工程研究所 The method and device that return address is tampered in processing storehouse
CN109858253B (en) * 2019-01-08 2021-04-20 中国人民解放军战略支援部队信息工程大学 LBR-based stack buffer overflow attack defense method

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030217277A1 (en) * 2002-05-15 2003-11-20 Nokia, Inc. Preventing stack buffer overflow attacks
US20140173290A1 (en) * 2012-12-17 2014-06-19 Advanced Micro Devices, Inc. Return address tracking mechanism
US20140173293A1 (en) * 2012-12-17 2014-06-19 Advanced Micro Devices, Inc. Hardware Based Return Pointer Encryption
US20170046280A1 (en) * 2015-08-14 2017-02-16 Infineon Technologies Ag Data processing device and method for protecting a data processing device against attacks
CN106022166A (en) * 2016-06-02 2016-10-12 东北大学 Code reuse attack defense system and method
CN109361507A (en) * 2018-10-11 2019-02-19 杭州华澜微电子股份有限公司 A kind of data ciphering method and encryption equipment

Also Published As

Publication number Publication date
CN112181491A (en) 2021-01-05

Similar Documents

Publication Publication Date Title
CN111052115B (en) Data processing apparatus and method of authentication depending on call path
US9165138B2 (en) Mitigation of function pointer overwrite attacks
TWI468980B (en) Dynamic execution prevention to inhibit return-oriented programming
US8826035B2 (en) Cumulative integrity check value (ICV) processor based memory content protection
US8583880B2 (en) Method for secure data reading and data handling system
US20080133858A1 (en) Secure Bit
WO2014042650A1 (en) Methods and apparatus to protect memory regions during low-power states
Nashimoto et al. Buffer overflow attack with multiple fault injection and a proven countermeasure
CN109409086B (en) Device for detecting falsified return address in stack based on newly added instruction
CN109409084B (en) Chain type data storage structure for detecting falsified return address
KR20060009247A (en) Instructions to assist the processing of a cipher message
US10572666B2 (en) Return-oriented programming mitigation
US7774587B2 (en) Dynamic redundancy checker against fault injection
US20070083770A1 (en) System and method for foiling code-injection attacks in a computing device
WO2020057603A1 (en) Method and apparatus for detecting that return address in stack has been tampered with
WO2021000847A1 (en) Processor and return address processing method
EP3454216B1 (en) Method for protecting unauthorized data access from a memory
US8996874B2 (en) Protection of a program waiting to be executed in a memory used by a microprocessor
JP2017526220A (en) Inferential cryptographic processing for out-of-order data
CN109409083B (en) Device for detecting return address tampering in stack
WO2009057095A1 (en) Secure overlay manager protection
CN111898119A (en) Control flow integrity protection method, device, equipment and storage medium
CN112948863A (en) Sensitive data reading method and device, electronic equipment and storage medium
US20230126908A1 (en) Protection against executing injected malicious code
US11677541B2 (en) Method and device for secure code execution from external memory

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20834830

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20834830

Country of ref document: EP

Kind code of ref document: A1