
CN112199681B - Code injection type attack protection method and device based on multi-coding mode CPU - Google Patents


Info

Publication number: CN112199681B
Authority: CN (China)
Prior art keywords: code, cpu, instruction, coding mode, mode
Legal status: Active
Application number: CN202011141356.9A
Other languages: Chinese (zh)
Other versions: CN112199681A
Inventors: 董攀, 黄辰林, 谭郁松, 卢凯, 马俊, 蹇松雷, 王永文, 黄春, 倪晓强, 范小康, 丁滟, 谭霜
Current assignee: National University of Defense Technology
Original assignee: National University of Defense Technology
Events: application filed by National University of Defense Technology; priority to CN202011141356.9A; publication of CN112199681A; application granted; publication of CN112199681B; legal status active; anticipated expiration


Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562: Static detection
    • G06F21/563: Static detection by source code analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a code injection attack protection method based on a multi-coding-mode CPU. The operating system loads a software execution body that contains code sub-segments in several instruction coding modes. While the execution body runs, the CPU core watches for a designated exception/interrupt; when it occurs, the decoder of the CPU core is switched to a randomly chosen coding mode, and the code sub-segment corresponding to the selected instruction coding mode is decoded and executed under that mode. If attack code injected by an attacker is fed to the CPU core, execution fails because the injected code does not match the decoder's current coding rule. By combining software and hardware, the invention achieves high-entropy randomization of the instruction encodings the computer executes, so that an attacker cannot carry out an intended attack by injecting a pre-designed code sequence, which effectively protects against code injection attacks.

Description

Code injection type attack protection method and device based on multi-coding mode CPU
Technical Field
The invention relates to a computer security technology, in particular to a code injection type attack protection method and device based on a multi-coding mode CPU.
Background
In a von Neumann architecture computer, instruction code and data are stored together in a memory area such as RAM (random access memory); the CPU (central processing unit) fetches instructions from RAM and executes them, thereby running programs. This is the well-known stored-program principle. Under this design, code and data cannot be told apart directly from their binary form in memory, which creates the opportunity for code contained in user data to be executed and is a root cause of many vulnerabilities in current computer systems.
Code injection attacks are currently the most common and highly destructive class of attack: an attacker injects malicious code into a user's process by some means and alters the program's normal control flow, for example through an overflow, so that the program executes the malicious code and the attacker achieves a chosen goal. The essence of injection is that data supplied by the user is executed as code. Two conditions are key: first, the user controls the input; second, the code the original program is going to execute and the user-supplied data are joined together.
Fig. 1 shows a simple code injection attack. The lower part of Fig. 1 is a buffer requested by a function, and the upper part is the function's stack frame. Because the stack grows toward lower addresses, the pointer to the local array buffer lies below the buffer. When data is copied into the buffer, the portion at higher addresses that exceeds the buffer "drowns" the other original stack-frame data. The attacker places attack code (shellcode) at the bottom of the buffer and, at the stack position holding the function's original return address, writes a new address pointing to the start of the injected shellcode. When the function returns, the CPU executes the injected shellcode.
Code injection defenses proposed to date fall broadly into two categories. (1) Static solutions eliminate the hazard of code injection at the source code level through secure programming languages, static checks on the source code, compiler enhancements, special secure function libraries, and so on. (2) Run-time solutions use local or global sandboxes or virtual machines, instruction randomization (randomized instruction set emulation, RISE) and address space randomization (address space layout randomization, ASLR) to block code injection attacks with a very low false-alarm rate and without rewriting or recompiling the source code. In general, however, these approaches have several limitations: first, the performance loss is large; second, the protected object is limited and the protection range is small; third, the protection is incomplete (attacks leak through); fourth, the source code needs to be modified.
Disclosure of Invention
The technical problem the invention aims to solve: in view of the problems in the prior art, the invention provides a code injection attack protection method based on a multi-coding-mode CPU.
In order to solve the technical problems, the invention adopts the following technical scheme:
the code injection attack protection method based on a multi-coding-mode CPU comprises the following steps:
1) the operating system loads a software execution body containing code sub-segments of a plurality of instruction coding modes;
2) while the software execution body runs, the CPU core watches for the designated exception/interrupt and, when it is detected, proceeds to the next step;
3) the decoder of the CPU core is switched to a randomly chosen coding mode, and the code sub-segment of the software execution body corresponding to that instruction coding mode is decoded and executed under the switched coding mode, so that if attack code injected by an attacker is fed to the CPU core, execution fails because the injected code does not match the decoder.
Optionally, step 1), in which the operating system loads the software execution body containing code sub-segments of the plurality of instruction coding modes, includes: preparing the code sub-segments of the software execution body, one per instruction coding mode, as correspondingly encoded memory copies of the code segment, and providing mechanism support for run-time switching, so that when the CPU decoding rule is switched the CPU's operating environment can be switched to the hardware execution environment corresponding to the selected code segment copy, the hardware execution environment comprising the general registers, the state and control registers, the stack register and the instruction register; and the operating system keeps a single memory copy of the other sections, including the data section and the stack section, of the kernel or of a user process, so that when decoding rules are switched the data contents of those sections can be used by the switched-to code sub-segment without modification.
Optionally, providing mechanism support for run-time switching includes a virtual memory overlay management mechanism: the page table entries of the code sub-segments of the different instruction coding modes of a software execution body are overlaid on the same page directory entry, so that when the CPU switches random coding mode only the execution body's context needs to be paused; the code sub-segment of a different instruction coding mode is then substituted by changing the value in the page directory entry, and the translation lookaside buffer (TLB) is flushed to invalidate the original virtual address mapping.
Optionally, step 1) is preceded by compiling a software execution body that contains code sub-segments in multiple instruction coding modes. When the software execution body is compiled, several corresponding code sub-segments are generated from its code according to the specified instruction coding mode types; each instruction in one sub-segment maps one-to-one to the instruction in the others with only the instruction-set encoding replaced, so the address layout, the register contents accessed by the corresponding instructions, and the memory virtual addresses are identical across the code sub-segments.
Optionally, the decoder of the CPU core includes a plurality of front-end decoding units, each with a corresponding configuration register, where each front-end decoding unit performs decoding in a preset random coding mode when its configuration register marks it as active.
Optionally, the front end of the decoder of the CPU core is provided with a code buffer, a key register and a conversion operation unit. The key register holds key codes in one-to-one correspondence with the instruction coding modes, and the conversion operation unit applies a specified reversible operation to the instruction code fetched from the code buffer and the key code for the current instruction coding mode taken from the key register, yielding the true input code of the decoder.
Optionally, the exception/interrupt designated in step 2) comes from a random trigger. The random trigger includes a random number generator and a timer; the random number produced by the generator is used as the timer's trigger delay from the current time. When the timer fires, it both generates the designated exception/interrupt to notify the CPU core and starts the random number generator to produce the random delay for the next timer interval. When the CPU core receives the designated exception/interrupt and begins switching random coding mode, it determines the instruction coding mode to use by reading the random number generator.
Optionally, the plurality of instruction coding modes include a primitive coding mode, which is the instruction decoding mode in effect when the CPU is reset and started. Step 1) is preceded by operating system initialization:
s1) after power-on, all CPU cores are automatically in the primitive instruction decoding rule state;
s2) the firmware performs basic initialization, loads a system image from memory or disk, and transfers control to the kernel;
s3) all CPU cores perform master/slave arbitration to determine one master CPU core and the slave CPU cores, and the slave cores go to sleep;
s4) the master CPU core executes initialization code from the operating system kernel's code sub-segment encoded in the primitive coding mode and initializes the system through essentially the same steps as a conventional operating system, including: initializing the exception handling vector, enabling the cache, establishing the basic page tables, enabling virtual address mapping, initializing bus/UI (user interface) devices/storage devices, and waking all slave cores; each slave core, once woken, executes the local-core initialization code of the primitive coding mode sub-segment; the kernel then enters its normal running state.
In addition, the invention provides a code injection attack protection device based on a multi-coding-mode CPU, comprising a microprocessor and a memory connected to each other, where the microprocessor is programmed or configured to execute the steps of the code injection attack protection method based on a multi-coding-mode CPU, or the memory stores a computer program programmed or configured to execute that method.
In addition, the invention also provides a computer readable storage medium, wherein the computer readable storage medium stores a computer program programmed or configured to execute the code injection type attack protection method based on the multi-coding mode CPU.
Compared with the prior art, the invention has the following advantages. The method loads, through the operating system, a software execution body containing code sub-segments in several instruction coding modes; while the execution body runs, the CPU core watches for a designated exception/interrupt and, when it occurs, the decoder of the CPU core is switched to a randomly chosen coding mode and the code sub-segment corresponding to that instruction coding mode is decoded and executed under it, so that if attack code injected by an attacker is fed to the CPU core, execution fails because the injected code does not match the decoder. By combining software and hardware, the invention achieves high-entropy randomization of the instruction encodings the computer executes, so that an attacker cannot carry out an intended attack by injecting a pre-designed code sequence, which effectively protects against code injection attacks. Moreover, the invention can protect against any code injection attack that directly injects CPU instruction sequences; it is suitable not only for attacks against user programs but also for attacks against the operating system and kernel programs, and it does not require obtaining or modifying program source code.
Drawings
Fig. 1 shows an example of a conventional code injection attack.
Fig. 2 is a schematic diagram of the basic flow of the method according to an embodiment of the present invention.
Fig. 3 is a schematic diagram of the improvements to an existing computer system according to an embodiment of the present invention.
Fig. 4 shows the decoder-related structure of a conventional CPU, for comparison, in an embodiment of the present invention.
Fig. 5 is a modified decoder according to an embodiment of the present invention.
Fig. 6 shows another modification of the decoder according to an embodiment of the present invention.
Fig. 7 is a schematic diagram of the random trigger according to an embodiment of the invention.
Fig. 8 is a schematic block diagram of the operating system according to an embodiment of the invention.
Fig. 9 is an example of a software execution body including code sub-segments of two instruction coding modes in an embodiment of the invention.
Fig. 10 illustrates virtual memory overlay management and switching of code sub-segments in an embodiment of the present invention.
Fig. 11 is a flowchart of the start-up and run flow in an embodiment of the present invention.
Detailed Description
As shown in Fig. 2, the code injection attack protection method based on a multi-coding-mode CPU of the present embodiment includes:
1) the operating system loads a software execution body containing code sub-segments of a plurality of instruction coding modes;
2) while the software execution body runs, the CPU core watches for the designated exception/interrupt and, when it is detected, proceeds to the next step;
3) the decoder of the CPU core is switched to a randomly chosen coding mode, and the code sub-segment of the software execution body corresponding to that instruction coding mode is decoded and executed under the switched coding mode, so that if attack code injected by an attacker is fed to the CPU core, execution fails because the injected code does not match the decoder.
When carrying out a code injection attack, the code injected by the attacker is normally hard-coded to match the CPU's instruction encoding. The purpose of this embodiment is to randomize the encoding of the code sequence sent to the CPU while the computer runs, keeping its semantics unchanged, so that a deterministic code sequence injected in advance by an attacker cannot execute normally. In the method, the decoding rule of the CPU core's decoder is randomly changed at high frequency; the operating system selects the program binary encoded under the matching rule and switches execution to it; and if code injected by an attacker is sent to the CPU core, execution fails because it does not match the decoder.
As an optional implementation, the method of this embodiment is realized by improving and combining a hardware part and a software part. As shown in Fig. 3, the improvements comprise: (1) hardware extension of the CPU multi-mode decoding unit; (2) hardware random trigger support; (3) multi-coding-mode program support in the operating system; (4) fast software code switching support in the operating system.
(1) Hardware expansion of CPU multi-mode decoding unit.
To enable the CPU to decode multiple instruction coding modes and switch between them, this embodiment proposes a hardware extension of the CPU's multi-mode decoding unit. The decoder of the CPU core must support multiple coding rules for the same instruction set; instruction encodings under the different coding rules have the same length and correspond one-to-one; the components of the CPU other than the decoder are compatible with a conventional CPU and operate and are used in the same way; and a special register on the CPU core configures and indicates the CPU's current decoding rule. Realizing this extension requires improving the CPU's decoder structure. Fig. 4 shows a conventional CPU structure, whose main units include a memory control unit, a front-end decoding unit and an execution unit. The instruction execution flow is that the instruction fetch component sends the instruction through the memory control unit to the front-end decoding unit, which decodes it and emits control signals, and the execution unit then performs data operations, data transfers and other operations.
Fig. 5 is a modified decoder structure for a CPU of this embodiment that can decode code in two instruction encodings. Referring to Fig. 5, the decoder of the CPU core includes a plurality of front-end decoding units with corresponding configuration registers, each front-end decoding unit performing decoding in a predetermined random coding mode when its configuration register marks it as active. The improvement adds a front-end decoding unit to the conventional CPU structure shown in Fig. 3: front-end decoding unit 1 and front-end decoding unit 2 each decode one of two different instruction coding modes, and the coding mode is selected through a control register. With this change in the CPU's composition, the CPU can decode multiple encodings of the same instruction set and can control and switch which encoding is used for decoding.
Fig. 6 is a modified decoder structure for a CPU of this embodiment that can selectively decode any number of encodings of an instruction set. Referring to Fig. 6, the front end of the decoder of the CPU core is provided with a code buffer, a key register and a conversion operation unit. The key register holds key codes in one-to-one correspondence with the instruction coding modes, and the conversion operation unit applies a specified reversible operation to the instruction code fetched from the code buffer and the key code for the current instruction coding mode taken from the key register, yielding the true input code of the decoder. This design adds a code conversion step to the front-end decoding unit: the true decoder input is produced by applying a reversible operation to the fetched instruction code and the key code held in the key register, after which normal decoding and execution proceed.
In summary, the functional improvements to the CPU in this embodiment that realize the hardware extension of the multi-mode decoding unit are: the decoder of the CPU core supports multiple coding rules for the same instruction set; instruction encodings under the different coding rules have the same length and correspond one-to-one; the components of the CPU other than the decoder are compatible with a conventional CPU and operate and are used in the same way; and the CPU core is provided with a special register for prescribing and indicating the CPU's current decoding rule.
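The following added example is mine, not code from the patent or its authors. It simulates the Fig. 6 style front end in C with a toy 8-bit instruction set (high nibble opcode, low nibble immediate), a key register holding one key per coding mode, XOR as the assumed "specified reversible operation", and a compiler-side routine that derives each code sub-segment copy one-to-one from the primitive encoding so that length and layout stay identical. The legitimate copy runs correctly in every mode, while bytes hard-coded in the primitive encoding fault as soon as the decoder is in mode 1. The opcode values, the key 0x5A and the sample program are all constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NMODES 2
#define FAULT  (-1)

/* Toy 8-bit instruction format: high nibble = opcode, low nibble = immediate. */
enum { OP_LOADI = 0x1, OP_ADDI = 0x2, OP_HALT = 0x3 };

/* Key register: one key code per instruction coding mode. Mode 0 is the
 * primitive coding (key 0x00) in effect at reset; the mode-1 key is a
 * constructed sample value. XOR stands in for the reversible operation. */
static const uint8_t key_reg[NMODES] = { 0x00, 0x5A };

/* Compiler side: derive the code sub-segment copy for `mode` from the
 * primitive copy. Every word maps one-to-one and keeps its length, so the
 * address layout of all copies is identical. */
void encode_segment(const uint8_t *prim, uint8_t *out, size_t n, int mode)
{
    for (size_t i = 0; i < n; i++)
        out[i] = prim[i] ^ key_reg[mode];
}

/* CPU side: conversion operation unit + decoder + execution unit.
 * Returns the accumulator on HALT, or FAULT on an undefined instruction
 * (the execution failure the text describes) or on running off the end. */
int run(const uint8_t *seg, size_t n, int mode)
{
    int acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        uint8_t word = seg[pc] ^ key_reg[mode];   /* true decoder input */
        uint8_t op = word >> 4, imm = word & 0x0F;
        switch (op) {
        case OP_LOADI: acc = imm;  break;
        case OP_ADDI:  acc += imm; break;
        case OP_HALT:  return acc;
        default:       return FAULT;              /* undefined-instruction exception */
        }
    }
    return FAULT;
}

/* Constructed sample program in primitive coding: LOADI 5; ADDI 3; HALT -> 8 */
static const uint8_t program_prim[] = { 0x15, 0x23, 0x30 };
#define PROG_LEN (sizeof program_prim / sizeof program_prim[0])

/* Legitimate execution: the OS supplies the copy matching the decoder's mode. */
int run_legit(int mode)
{
    uint8_t copy[PROG_LEN];
    encode_segment(program_prim, copy, PROG_LEN, mode);
    return run(copy, PROG_LEN, mode);
}

/* Injected execution: the attacker's bytes are hard-coded in the primitive
 * encoding and do not follow the decoder's current mode. */
int run_injected(int mode)
{
    return run(program_prim, PROG_LEN, mode);
}

int main(void)
{
    for (int m = 0; m < NMODES; m++)
        printf("mode %d: legit copy -> %d, injected primitive bytes -> %d\n",
               m, run_legit(m), run_injected(m));
    return 0;
}
```

With a 4-bit opcode and a one-byte key, some injected words could still decode to a valid (if unintended) opcode under another key; the toy illustrates the mechanism, not the entropy available at a real instruction width, and the injected bytes do run while the decoder happens to sit in mode 0, which is why the text pairs the decoder with random, high-frequency switching.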
(2) Random trigger support for hardware.
Switching of the coding mode can be accomplished through the CPU's interrupt (or exception) mechanism. Handling an interrupt has a cost unrelated to the switch itself, so this embodiment recommends (but does not require) that every interrupt associated with switching actually performs a code sub-segment switch; otherwise the interrupt only saves and restores the context, which amounts to a redundant operation and wastes CPU resources. From a security standpoint, this embodiment requires that the arrival time of such interrupts be random. In view of these considerations, this embodiment recommends generating the interrupts randomly by a configurable hardware mechanism, so that coding mode switches are induced at random. It is recommended that a dedicated random trigger, for which the CPU has special support, automatically triggers the conversion of the instruction set decoding rule and generates a corresponding exception/interrupt before the conversion.
While executing a program, the CPU automatically proceeds to the next instruction through its instruction fetch unit, so an external mechanism is needed to make the CPU switch decoding mode and fetch from the corresponding other code sub-segment. That mechanism is generally an interrupt or an exception, referred to collectively in this embodiment as an exception/interrupt. Because the method performs high-frequency random switching of the instruction coding mode, the overhead of interrupts is very significant; if an interrupt only makes a decision and causes no actual coding switch, the CPU resources spent handling it are wasted entirely. For example, a high-precision timer could generate interrupts at a fixed frequency, and each handler could decide by drawing a random number whether to switch; this does yield random switching of the coding mode, but a great deal of CPU time is wasted in interrupt handlers that do not switch. To avoid such waste, this embodiment further requires that the triggering time of these interrupts be itself random, that the intervals between them be random, and that the handling mechanism switch coding mode whenever the interrupt arrives. Hence the exception/interrupt designated in step 2) of this embodiment comes from a random trigger.
Fig. 7 shows the design of the random trigger in this embodiment. The random trigger includes a random number generator and a timer; the random number produced by the generator is used as the timer's trigger delay from the current time. When the timer fires, it both generates the designated exception/interrupt to notify the CPU core and starts the random number generator to produce the random delay for the next timer interval. When the CPU core receives the designated exception/interrupt and begins switching random coding mode, it determines the instruction coding mode to use by reading the random number generator. In this embodiment the timer is a high-precision timer whose resolution is within an order of magnitude of the CPU clock frequency, so that when a CPU core receives a random interrupt and starts the code switching operation, the choice of coding mode to switch to can be produced by reading the random number generator.
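The following added example is mine, not code from the patent or its authors. It models the random trigger of Fig. 7 in C: a generator output becomes the timer's delay from now; when the timer fires it raises the designated interrupt, re-arms itself with a fresh random delay, and the handler reads the generator again to choose the next coding mode, so every interrupt produces a switch. For contrast it also counts the interrupts wasted by the fixed-period design the text rejects, where a handler draws a random bit and often does nothing. The xorshift32 generator, the tick-based timer, the 64-tick maximum delay and the seed are constructed stand-ins for the hardware.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NMODES    2
#define MAX_DELAY 64u   /* constructed: longest trigger delay, in timer ticks */

typedef struct {
    uint32_t rng_state;   /* hardware random number generator (xorshift32 stand-in) */
    uint64_t now;         /* high-precision timer's current tick count */
    uint64_t fire_at;     /* tick at which the timer fires next */
    int      mode;        /* decoder's current instruction coding mode */
    unsigned irq_count;   /* designated exceptions/interrupts raised so far */
} trigger_t;

static uint32_t rng_next(trigger_t *t)
{
    uint32_t x = t->rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    t->rng_state = x;
    return x;
}

/* The generator's output is used directly as the timer's delay from now. */
static uint64_t random_delay(trigger_t *t)
{
    return 1 + (rng_next(t) % MAX_DELAY);
}

void trigger_init(trigger_t *t, uint32_t seed)
{
    t->rng_state = seed ? seed : 1;   /* xorshift state must be non-zero */
    t->now = 0;
    t->mode = 0;                      /* primitive coding mode after reset */
    t->irq_count = 0;
    t->fire_at = random_delay(t);
}

/* Advance the timer one tick; returns 1 if the designated interrupt fired.
 * On firing: (a) the CPU core is notified, (b) the timer is re-armed with a
 * fresh random delay, (c) the handler reads the generator to pick the next
 * coding mode. Every interrupt therefore produces a switch. */
int trigger_tick(trigger_t *t)
{
    t->now++;
    if (t->now < t->fire_at)
        return 0;
    t->irq_count++;
    t->fire_at = t->now + random_delay(t);
    t->mode = (int)(rng_next(t) % NMODES);
    return 1;
}

/* Run the random trigger for `ticks` ticks, recording up to `max_iv` intervals
 * between consecutive interrupts. Returns the number of interrupts raised. */
unsigned simulate(uint32_t seed, uint64_t ticks, uint64_t *intervals, size_t max_iv)
{
    trigger_t t;
    trigger_init(&t, seed);
    uint64_t last = 0;
    size_t n = 0;
    for (uint64_t i = 0; i < ticks; i++) {
        if (trigger_tick(&t)) {
            if (n < max_iv) intervals[n++] = t.now - last;
            last = t.now;
        }
    }
    return t.irq_count;
}

/* The alternative the text rejects: a fixed-period timer whose handler draws a
 * random bit to decide whether to switch. Returns the number of interrupts
 * that were taken but caused no switch (pure context save/restore overhead). */
unsigned wasted_with_fixed_timer(uint32_t seed, uint64_t ticks, uint64_t period)
{
    trigger_t t;
    trigger_init(&t, seed);          /* reused only for its generator */
    unsigned wasted = 0;
    for (uint64_t i = period; i <= ticks; i += period)
        if ((rng_next(&t) & 1u) == 0) wasted++;
    return wasted;
}

/* 1 if every interval lies in [1, MAX_DELAY] and at least two different
 * interval lengths occur, i.e. the interrupt timing is not periodic. */
int intervals_look_random(const uint64_t *iv, size_t n)
{
    int distinct = 0;
    for (size_t i = 0; i < n; i++) {
        if (iv[i] < 1 || iv[i] > MAX_DELAY) return 0;
        if (iv[i] != iv[0]) distinct = 1;
    }
    return n >= 2 && distinct;
}

int main(void)
{
    uint64_t iv[512];
    unsigned n = simulate(0x1234u, 20000, iv, 512);
    printf("random trigger: %u interrupts, all switching; fixed 16-tick timer: %u wasted\n",
           n, wasted_with_fixed_timer(0x1234u, 20000, 16));
    return 0;
}
```

The design point to notice is that the handler never decides whether to switch; randomness lives in the delay and in the mode selection, both read from the generator, so each interrupt's save/restore cost always buys a real change of decoding rule.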
(3) Multi-coding mode program support for operating systems
To accommodate the switchable CPU decoding rule, the operating system must prepare, for most of the code that runs on it, memory copies of the code segment in each encoding, and must provide mechanism support for run-time switching, so that when the CPU decoding rule changes the CPU's operating environment can be switched to the hardware execution environment corresponding to the selected code segment copy. The coding mode of the program executed on the CPU is switched in step with the CPU's decoding rule. The working principle of the switch is that a random generation mechanism triggers the operating system to perform the switching action, which redirects instruction fetch to the code sub-segment in a different coding mode according to the chosen rule. Switching the coding mode makes the encoding of the binary code being executed unpredictable; when the granularity of the random switching is fine enough, a code sequence injected by an attacker will necessarily be an illegal code sequence that raises an exception when executed, so the attack cannot succeed.
The operating system is responsible for providing the support needed for program execution on a multi-coding-mode CPU and for switching between encodings. To accommodate the switchable CPU coding rule, it prepares memory copies of the code segment in each encoding for the vast majority of code running on it, and provides mechanism support for run-time switching, so that when the CPU decoding rule changes the CPU's operating environment can be switched to the hardware execution environment (general registers, state and control registers, stack registers and instruction registers) corresponding to the selected code segment copy. For data consistency and performance, the operating system keeps a single memory copy of the other segments (data segments, stack segments, etc.) of the kernel and of user processes; when decoding rules are switched, the data in those segments can be used by the switched-to code without modification.
The program coding rule switch works as follows: 1) a random generation mechanism triggers the operating system to perform the switching action, whereupon the operating system pauses the current program's execution; 2) instruction fetch is redirected to the code sub-segment in a different coding mode according to the chosen rule.
Switching the coding rule makes the encoding of the binary code being executed unpredictable; when the granularity of the random switching is fine enough, a code sequence injected by an attacker will necessarily be an illegal code sequence that raises an exception when executed, so the attack cannot succeed. Program coding rule switching may cover kernel-mode switching or user-process switching, implemented together or only one of them; the main requirement is that an instruction coding switch should touch as few registers and as little memory content as possible.
The operating system structure that supports random switching among multiple coding modes differs from a conventional operating system mainly in three respects: (1) support for multiple coding modes, i.e. for each program execution body (kernel, user process, etc.) multiple copies of the code sub-segment, one per switchable coding rule, are established in that execution body's memory space; (2) in memory management, the kernel supports address-space assignment and management of multiple copies of its own code segment and of application code segments; (3) the kernel supports an interrupt generation and handling mechanism for instruction coding switches (that is, switching the currently running program execution body among its code segment copies), and the switch of the CPU decoding rule is treated as one part of the mechanism by which the running execution body switches among its code segment copies.
the step of loading the software executable including the code sub-segments of the plurality of instruction encoding modes by the operating system in step 1) of the present embodiment includes: preparing code sub-segments of a software execution body containing multiple instruction coding modes into corresponding coded code segment memory copies and providing a mechanism support for operation switching, so that when a CPU decoding rule is switched, the operation environment of the CPU can be switched to hardware execution environments corresponding to different code segment copies, wherein the hardware execution environments comprise a general register, a state and control register, a stack register and an instruction register; and the operating system adopts unique memory copies for other sections including the data section and the stack section of the kernel or the out-of-kernel process, so that when a plurality of decoding rules are switched, the data content in the other sections can be used for the switched code sub-sections without correction.
The operating structure of the operating system supporting random switching in multi-coding-mode operation in this embodiment is shown in Fig. 8, which mainly highlights the differences from a conventional monolithic-kernel operating system (such as Linux). A user-mode composite-code-segment process is a process generated from a software execution body; it contains code sub-segments of multiple instruction coding modes, each corresponding to one instruction coding rule. Kernel mode provides the switching mechanism; in addition to the usual kernel function modules of a conventional monolithic-kernel operating system (such as Linux), it further comprises:
a composite code segment memory management module, which prepares the code sub-segments of a software execution body for each instruction coding mode as correspondingly encoded memory copies of the code segment;
code switching exception management, which performs error handling when a switch fails;
code switching context management, which saves and restores the execution context at switching time;
and code switching policy management, which controls the switching mode.
A significant feature of an operating system supporting random switching in multi-coding-mode operation is that its software execution bodies support composite code segments. A software execution body is a software unit that independently owns a complete virtual address space, namely a user-mode process or the kernel. To support coding-mode switching, the operating system extends the code segment of an executable so that code segments of multiple coding modes, and code segments with multiple address layouts, coexist and support dynamic switching on the CPU. Fig. 9 shows a specific example and design of such a composite code segment. In this example, for two instruction coding modes provided by the CPU (mode A and mode B), the composite code segment contains two independent code sub-segments encoded to the respective requirements: an A code sub-segment and a B code sub-segment. An actual system may support more instruction coding modes, which increases run-time randomness. As shown in Fig. 9, the relationship between code sub-segment A and code sub-segment B is that each instruction of one sub-segment maps one-to-one to an instruction of the other, differing only in instruction-set encoding; both use an identical address layout, so the register contents accessed by corresponding instructions and the virtual addresses of the memory they access are identical.
In this embodiment, step 1) is preceded by a step of compiling the software execution body so that it contains code sub-segments of multiple instruction coding modes: when the software execution body is compiled, its code segment is generated as multiple corresponding code sub-segments according to the specified instruction coding mode types, where each instruction in one sub-segment maps one-to-one to an instruction in each other sub-segment, differing only in instruction-set encoding, so that the sub-segments share the same address layout, the same register contents accessed by corresponding instructions, and the same virtual memory addresses.
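The switching principle above (one-to-one re-encoded sub-segment copies that the operating system swaps in, a decoder front end that combines the fetched byte with the key of the active mode through a reversible operation, and a random trigger that picks a new mode at random intervals, as in claims 6 and 7 below) can be modelled in C. The following is an added example written for this page, not code from the patent or its authors. The five-opcode toy ISA, the XOR transform, the key values 0xA5 and 0x3C, and the xorshift generator standing in for the hardware random number generator are all assumptions; the sample program and the attacker payload are constructed. One caveat a practitioner should keep in mind: the model's outcome of "illegal on the very next fetch after a switch" depends on the toy ISA being sparse (5 legal opcodes out of 256); with a denser opcode map a transformed byte can land on a legal opcode by chance, so what the switching buys is a probability of failure per fetch, not a certainty.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy ISA for the model (an assumption; the patent specifies no ISA): only
 * opcodes 0x01..0x05 are legal, any other byte is an undefined instruction. */
enum { OP_NOP = 0x01, OP_ADD, OP_SUB, OP_JMP, OP_RET, OP_LAST = OP_RET };

/* Three coding modes. MODE_A is the primitive mode (key 0x00, plain opcodes,
 * the mode the CPU is in after reset). The other key values are assumed. */
enum { MODE_A = 0, MODE_B, MODE_C, NUM_MODES };
static const uint8_t mode_key[NUM_MODES] = { 0x00, 0xA5, 0x3C };

#define SEG_LEN 16

static int opcode_legal(uint8_t op) { return op >= OP_NOP && op <= OP_LAST; }

/* Decoder front end: the fetched byte and the active mode's key pass through a
 * reversible operation (XOR here) to give the real decoder input. */
uint8_t decode_byte(uint8_t fetched, int mode) { return (uint8_t)(fetched ^ mode_key[mode]); }

/* Compiler side: each mode's sub-segment is a one-to-one re-encoding of the same
 * instruction stream, so layout, registers and addresses stay identical. */
void encode_segment(const uint8_t *plain, size_t n, int mode, uint8_t *out)
{
    for (size_t i = 0; i < n; i++)
        out[i] = (uint8_t)(plain[i] ^ mode_key[mode]);
}

/* Index of the first byte that decodes to an illegal opcode under `mode`, or -1. */
int first_illegal(const uint8_t *seg, size_t n, int mode)
{
    for (size_t i = 0; i < n; i++)
        if (!opcode_legal(decode_byte(seg[i], mode)))
            return (int)i;
    return -1;
}

/* Constructed sample program and attacker payload. The payload is written in
 * primitive-mode encoding, which is all an attacker can assume without knowing
 * the switching schedule. */
const uint8_t demo_program[SEG_LEN] = {
    OP_NOP, OP_ADD, OP_SUB, OP_JMP, OP_ADD, OP_ADD, OP_SUB, OP_RET,
    OP_NOP, OP_ADD, OP_SUB, OP_JMP, OP_ADD, OP_ADD, OP_SUB, OP_RET };
const uint8_t demo_shellcode[SEG_LEN] = {
    OP_ADD, OP_ADD, OP_JMP, OP_SUB, OP_ADD, OP_JMP, OP_SUB, OP_RET,
    OP_ADD, OP_ADD, OP_JMP, OP_SUB, OP_ADD, OP_JMP, OP_SUB, OP_RET };

/* Stand-in for the hardware random number generator (assumption). */
static uint32_t xorshift32(uint32_t *s)
{
    uint32_t x = *s; x ^= x << 13; x ^= x >> 17; x ^= x << 5; return *s = x;
}

/* Random trigger plus fetch loop. segs[m] is what instruction fetch sees while
 * mode m is active: for the legitimate program the OS swaps in the matching copy,
 * for injected bytes nothing swaps. Returns the fetch index at which an illegal
 * instruction is decoded (the exception point), or -1 if every fetch succeeds. */
int run_fetches(uint32_t seed, const uint8_t *const segs[NUM_MODES], size_t n)
{
    uint32_t s = seed ? seed : 1;
    int mode = MODE_A;
    int next_switch = 1 + (int)(xorshift32(&s) % 8);   /* random delay: 1..8 fetches */
    for (size_t pc = 0; pc < n; pc++) {
        if ((int)pc == next_switch) {                   /* the specified interrupt fires */
            int m;
            do { m = (int)(xorshift32(&s) % NUM_MODES); } while (m == mode);
            mode = m;                                   /* decoder now uses a different rule */
            next_switch = (int)pc + 1 + (int)(xorshift32(&s) % 8);
        }
        if (!opcode_legal(decode_byte(segs[mode][pc], mode)))
            return (int)pc;
    }
    return -1;
}

/* Legitimate execution: one copy per mode, the OS swaps the copy on every switch. */
int demo_legit_fault(uint32_t seed)
{
    uint8_t copies[NUM_MODES][SEG_LEN];
    const uint8_t *segs[NUM_MODES];
    for (int m = 0; m < NUM_MODES; m++) {
        encode_segment(demo_program, SEG_LEN, m, copies[m]);
        segs[m] = copies[m];
    }
    return run_fetches(seed, segs, SEG_LEN);
}

/* Injected execution: the same attacker bytes are fetched whatever the mode. */
int demo_injected_fault(uint32_t seed)
{
    const uint8_t *segs[NUM_MODES] = { demo_shellcode, demo_shellcode, demo_shellcode };
    return run_fetches(seed, segs, SEG_LEN);
}

/* Encode demo_program for build_mode and decode it under fetch_mode. */
int cross_mode_first_illegal(int build_mode, int fetch_mode)
{
    uint8_t buf[SEG_LEN];
    encode_segment(demo_program, SEG_LEN, build_mode, buf);
    return first_illegal(buf, SEG_LEN, fetch_mode);
}

int main(void)
{
    printf("legitimate program under random switching: fault at %d (expect -1)\n", demo_legit_fault(12345u));
    printf("injected payload under random switching: fault at %d (expect 1..8)\n", demo_injected_fault(12345u));
    return 0;
}
```

The payload runs fine as long as the CPU stays in the primitive mode, which is exactly the situation on a conventional CPU; it is the first switch to a rule the attacker did not encode for that turns every subsequent fetch into an undefined instruction. The legitimate program never faults because the copy selected by the page tables always matches the key in the decoder.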
(4) Operating-system support for fast code switching.
The substantive overhead of code switching in the operating system comes from two aspects: saving and restoring the program context, and the semantic conversion of the interrupted program context at the switch. This embodiment provides corresponding software and hardware mechanisms that, on one hand, avoid or reduce as far as possible the operations needed to save and restore the program context and, on the other hand, keep the cost of semantic conversion of the interrupted context during a coding-mode switch low by providing a new virtual memory management mechanism in the operating system.
This embodiment requires the CPU to switch coding modes very frequently so that execution of injected code is effectively cut off, which places high demands on switching speed. The overhead is divided as above because conventional process scheduling or switching consists mainly of saving and restoring the context, whereas semantic conversion of the context is an additional step introduced by this embodiment. The program context generally means the CPU register state at the moment the program is interrupted; since this embodiment switches only the coding mode and not the program body, the register context is preferably kept unchanged in order to reduce save and restore overhead, avoiding register save and restore operations against memory.
This embodiment first explains how to avoid register save and restore operations; the memory management part below explains how the register context is kept unchanged. In general, the computations and function calls that the CPU performs for the switch depend only on (possibly a subset of) the general-purpose registers and the stack pointer register. This embodiment requires the CPU to provide additional general-purpose registers and a stack pointer register for the operations needed by the code switching action, so that direct save and restore of the register context is avoided. If the hardware provides no additional registers, this embodiment can still minimize the register context that has to be saved and restored by limiting the number of general-purpose registers used, thereby reducing save and restore overhead.
In this embodiment, the step of providing mechanism support for run-time switching includes a virtual memory superposition management mechanism, which keeps the semantic conversion cost of the context small. As shown in Fig. 10, taking the switching of two coding modes as an example, the page table entries of the two code sub-segments (of different coding modes) are superposed on the same page directory entry. When the CPU switches instruction set (while keeping the address layout of the code sub-segments unchanged), the execution body's context only needs to be paused; the value in the page directory entry is then changed to replace the code sub-segment, and the contents of the TLB (Translation Lookaside Buffer) must be flushed so that the original virtual address mapping is disabled. Because virtual memory superposition lets the two corresponding code sub-segments use the same register semantics and the same memory data semantics when the CPU switches instruction set, the switching cost is reduced to the greatest extent and switching performance is ensured.
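The superposition mechanism just described (two page tables covering the same virtual code range hung off one page directory entry, a single data table, and a TLB flush after re-pointing the entry) as a toy two-level MMU in C. This is an added example for this page, not the patent's own code; the 16-bit address format, page and table sizes, frame numbers and the tag bytes that fill each frame are assumptions. It shows the switch landing on the other sub-segment copy, the data segment reading identically before and after, and what goes wrong when the TLB flush is skipped: the stale translation keeps fetching the old copy, which the decoder can no longer interpret.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy two-level paging: 16-bit VA = [pdi:4][pti:4][offset:8], 256-byte pages.
 * All sizes, frame numbers and tag bytes are assumptions for this example. */
#define PAGE_SIZE   256
#define PTES        16
#define PDES        16
#define TLB_ENTRIES 4
#define NFRAMES     8
#define NOT_PRESENT 0xFF

enum { CODE_PDI = 0, DATA_PDI = 1 };   /* code at VA 0x0000..0x0FFF, data at 0x1000..0x1FFF */
enum { MODE_A = 0, MODE_B, NUM_MODES };

typedef struct { uint8_t vpn, pfn, valid; } tlb_entry;

typedef struct {
    uint8_t  pt_code[NUM_MODES][PTES]; /* one code page table per coding mode, same VA range */
    uint8_t  pt_data[PTES];            /* single data page table shared by every mode */
    const uint8_t *pd[PDES];           /* page directory: entry -> page table (NULL = unmapped) */
    tlb_entry tlb[TLB_ENTRIES];        /* direct-mapped TLB */
    uint8_t  phys[NFRAMES][PAGE_SIZE]; /* physical frames, each filled with a tag byte */
    int      mode;
} mmu_t;

static void tag_frames(mmu_t *m, int first, int count, uint8_t tag)
{
    for (int f = first; f < first + count; f++) memset(m->phys[f], tag, PAGE_SIZE);
}

/* Superposed layout: frames 0-1 hold the mode-A sub-segment, frames 2-3 the
 * mode-B sub-segment at the same virtual pages, frames 4-5 the data segment. */
void mmu_init(mmu_t *m)
{
    memset(m, 0, sizeof *m);
    memset(m->pt_code, NOT_PRESENT, sizeof m->pt_code);
    memset(m->pt_data, NOT_PRESENT, sizeof m->pt_data);
    m->pt_code[MODE_A][0] = 0; m->pt_code[MODE_A][1] = 1; tag_frames(m, 0, 2, 'A');
    m->pt_code[MODE_B][0] = 2; m->pt_code[MODE_B][1] = 3; tag_frames(m, 2, 2, 'B');
    m->pt_data[0] = 4;         m->pt_data[1] = 5;         tag_frames(m, 4, 2, 'D');
    m->pd[CODE_PDI] = m->pt_code[MODE_A];   /* primitive mode after reset */
    m->pd[DATA_PDI] = m->pt_data;
    m->mode = MODE_A;
}

void tlb_flush(mmu_t *m) { memset(m->tlb, 0, sizeof m->tlb); }

/* The switch: re-point the code PDE at the other mode's page table and flush the
 * TLB so stale translations to the old copy cannot be used. The data PDE is
 * untouched, so data and stack keep their meaning across the switch. */
void switch_code_mode(mmu_t *m, int mode, int flush)
{
    m->pd[CODE_PDI] = m->pt_code[mode];
    m->mode = mode;
    if (flush) tlb_flush(m);
}

/* TLB lookup first, otherwise walk directory and table and fill the TLB.
 * Returns the physical frame number, or -1 on a page fault. */
int translate(mmu_t *m, uint16_t va)
{
    uint8_t vpn = (uint8_t)(va >> 8);
    tlb_entry *e = &m->tlb[vpn % TLB_ENTRIES];
    if (e->valid && e->vpn == vpn) return e->pfn;
    const uint8_t *pt = m->pd[vpn >> 4];
    if (pt == NULL) return -1;
    uint8_t pfn = pt[vpn & 0x0F];
    if (pfn == NOT_PRESENT) return -1;
    e->vpn = vpn; e->pfn = pfn; e->valid = 1;
    return pfn;
}

/* Fetch one byte through the MMU; -1 on fault. */
int fetch(mmu_t *m, uint16_t va)
{
    int pfn = translate(m, va);
    return pfn < 0 ? -1 : m->phys[pfn][va & 0xFF];
}

/* Warm the TLB in mode A, then switch to mode B with the required flush. */
int demo_switch_with_flush(void)
{
    mmu_t m; mmu_init(&m);
    fetch(&m, 0x0010);
    switch_code_mode(&m, MODE_B, 1);
    return fetch(&m, 0x0010);            /* 'B': the mode-B copy is now fetched */
}

/* Same switch with the flush skipped: the stale TLB entry still selects the A copy. */
int demo_switch_without_flush(void)
{
    mmu_t m; mmu_init(&m);
    fetch(&m, 0x0010);
    switch_code_mode(&m, MODE_B, 0);
    return fetch(&m, 0x0010);            /* 'A': wrong copy for the active decoder */
}

/* The single data copy reads identically before and after the switch. */
int demo_data_after_switch(void)
{
    mmu_t m; mmu_init(&m);
    int before = fetch(&m, 0x1000);
    switch_code_mode(&m, MODE_B, 1);
    return fetch(&m, 0x1000) == before ? before : -1;   /* 'D' */
}

/* Fetch from a freshly initialised MMU; addresses outside the mapped pages fault. */
int demo_fetch_fresh(uint16_t va) { mmu_t m; mmu_init(&m); return fetch(&m, va); }

int main(void)
{
    printf("with flush: '%c'  without flush: '%c'  data: '%c'\n",
           demo_switch_with_flush(), demo_switch_without_flush(), demo_data_after_switch());
    return 0;
}
```

On real hardware the flush is the expensive part of the switch and must be coordinated with the instruction cache as well, since a cached line of the old copy is just as wrong for the new decoding rule as a stale TLB entry is.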
In this embodiment, the multiple instruction coding modes include a primitive coding mode, which is the instruction decoding mode in effect when the CPU is reset and started. As shown in sub-figure (a) of Fig. 11, step 1) is preceded by an operating system initialization step:
s1) after power-on, all CPU cores are automatically in the primitive instruction decoding rule state;
s2) the firmware performs basic initialization, loads the system image from memory or disk, and transfers control to the kernel;
s3) all CPU cores perform master/slave arbitration to determine the main CPU core and the slave CPU cores, and the slave CPU cores go to sleep;
s4) the main CPU core executes the initialization code from the primitive-coding-mode code sub-segment of the operating system kernel and initializes the system through essentially the same steps as a conventional operating system, including: initializing the exception handling vectors, enabling the caches, establishing the basic page tables, enabling virtual address mapping, initializing the bus/UI (user interface) devices/storage devices, and waking all slave cores; after being woken, each slave core executes its local core initialization code from the primitive-coding-mode sub-segment; the kernel then enters its normal running state.
The kernel then loads the code sub-segments of the other coding modes into memory and creates the corresponding virtual memory page table entries, but does not link them into the page directory of the current page table, so they are not yet enabled. At this point several kernel code sub-segments are already loaded in physical memory: the primitive-instruction-code sub-segment, a primitive-instruction-code sub-segment with a heterogeneous address layout, non-primitive-instruction-code sub-segments, non-primitive-instruction sub-segments with heterogeneous address layouts, and so on. The kernel loads and runs the execution body of each user-mode process in primitive instruction mode and establishes virtual memory mappings for each code sub-segment and data segment. At a suitable moment the kernel enables the random switching interrupt source, so that when a random switching interrupt arrives, the interrupt handling mechanism immediately switches the instruction coding mode or the address layout. That moment may be when kernel initialization completes or when a user-mode process has been loaded and run, as shown in sub-figure (b) of Fig. 11. Given the special nature of the exception/interrupt mechanism, the handler code is implemented and executed in primitive instruction code: the CPU core automatically switches its decoding unit to primitive instruction mode when an interrupt occurs, and switches to the required instruction coding mode when the kernel or user-mode context is restored after handling completes.
In addition, this embodiment also provides a code injection attack protection device based on a multi-coding-mode CPU, comprising a microprocessor and a memory connected to each other, where the microprocessor is programmed or configured to perform the steps of the code injection attack protection method based on a multi-coding-mode CPU described above, or where the memory stores a computer program programmed or configured to perform that method.
In addition, this embodiment also provides a computer-readable storage medium storing a computer program programmed or configured to execute the code injection attack protection method based on a multi-coding-mode CPU described above.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-readable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein. The present application is directed to methods, apparatus (systems), and computer program products in accordance with embodiments of the present application, and to apparatus for performing functions specified in a flowchart flow or flows and/or block diagram block or blocks. These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks. These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only a preferred embodiment of the present invention, and the protection scope of the present invention is not limited to the above examples, and all technical solutions belonging to the concept of the present invention belong to the protection scope of the present invention. It should be noted that modifications and adaptations to the present invention may occur to one skilled in the art without departing from the principles of the present invention and are intended to be within the scope of the present invention.

Claims (10)

1. A code injection attack protection method based on a multi-coding-mode CPU, characterized by comprising the following steps:
1) the operating system loads a software execution body containing code sub-segments of a plurality of instruction coding modes;
2) during execution of the software execution body, the CPU core checks for a specified exception/interrupt, and jumps to the next step when it is detected;
3) the decoder of the CPU core is controlled to perform a random coding-mode switch, and the code sub-segment of the software execution body corresponding to the switched-to instruction coding mode is decoded and executed according to the switched coding mode, so that attack code injected by an attacker, if fed into the CPU core for execution, fails to execute because it does not match the decoder.
2. The code injection attack protection method based on a multi-coding-mode CPU according to claim 1, wherein the step of loading, by the operating system in step 1), a software execution body containing code sub-segments of a plurality of instruction coding modes comprises: preparing the code sub-segments of the software execution body for each instruction coding mode as correspondingly encoded memory copies of the code segment, and providing mechanism support for run-time switching, so that when the CPU decoding rule is switched the CPU's operating environment can be switched to the hardware execution environment corresponding to the selected code-segment copy, the hardware execution environment comprising the general-purpose registers, the status and control registers, the stack register and the instruction register; and the operating system keeps a single memory copy of the other sections of the kernel or out-of-kernel process, including the data section and the stack section, so that when decoding rules are switched the contents of those sections can be used by the switched-in code sub-segment without correction.
3. The code injection attack protection method based on a multi-coding-mode CPU according to claim 2, wherein the step of providing mechanism support for run-time switching comprises a virtual memory superposition management mechanism, in which the page table entries of the code sub-segments of the various instruction coding modes of a software execution body are superposed on the same page directory entry, so that on a random coding-mode switch of the CPU the execution body's context only needs to be paused, the code sub-segment of a different instruction coding mode is substituted by changing the value in that page directory entry, and the contents of the translation lookaside buffer (TLB) are flushed to disable the original virtual address mapping.
4. The code injection attack protection method based on a multi-coding-mode CPU according to claim 1, wherein step 1) is preceded by a step of compiling the software execution body so that it contains code sub-segments of a plurality of instruction coding modes: when the software execution body is compiled, its code segment is generated as a plurality of corresponding code sub-segments according to the specified instruction coding mode types, each instruction in one of the code sub-segments mapping one-to-one to an instruction in each other code sub-segment and differing only in instruction-set encoding, so that the address layout of the code sub-segments is exactly the same and the register contents and virtual memory addresses accessed by corresponding instructions are exactly the same.
5. The code injection attack protection method based on a multi-coding-mode CPU according to claim 1, wherein the decoder of the CPU core comprises a plurality of front-end decoding units and corresponding configuration registers, each front-end decoding unit being configured to decode a preset random coding mode when the configuration in its corresponding configuration register is valid.
6. The code injection attack protection method based on a multi-coding-mode CPU according to claim 1, wherein the front end of the decoder of the CPU core is provided with a code buffer, a key register and a conversion operation unit; the key register holds key codes corresponding one-to-one to the plurality of instruction coding modes, and the conversion operation unit performs a specified reversible operation on the instruction code taken from the code buffer and the key code for the current instruction coding mode taken from the key register, to obtain the true input code of the decoder.
7. The code injection attack protection method based on a multi-coding-mode CPU according to claim 1, wherein the specified exception/interrupt in step 2) comes from a random trigger comprising a random number generator and a timer; the random number generated by the random number generator is used as the delay of the timer from the current time; when the timer fires it generates the specified exception/interrupt to notify the CPU core and at the same time starts the random number generator to produce the random delay of the next timer; and after receiving the specified exception/interrupt, the CPU core determines the specified instruction coding mode by accessing the random number generator when it starts the random coding-mode switch.
8. The code injection attack protection method based on a multi-coding-mode CPU according to claim 1, wherein the plurality of instruction coding modes comprises a primitive coding mode, the primitive coding mode being the instruction decoding mode in effect when the CPU is reset and started; and step 1) is preceded by a step of operating system initialization:
s1) after power-on, all CPU cores are automatically in the primitive instruction decoding rule state;
s2) the firmware performs basic initialization, loads the system image from memory or disk, and transfers control to the kernel;
s3) all CPU cores perform master/slave arbitration to determine the main CPU core and the slave CPU cores, and the slave CPU cores go to sleep;
s4) the main CPU core executes the initialization code from the primitive-coding-mode code sub-segment of the operating system kernel and initializes the system through essentially the same steps as a conventional operating system, including: initializing the exception handling vectors, enabling the caches, establishing the basic page tables, enabling virtual address mapping, initializing the bus/UI (user interface) devices/storage devices, and waking all slave cores; after being woken, each slave core executes its local core initialization code from the primitive-coding-mode sub-segment; the kernel then enters its normal running state.
9. A code injection attack protection device based on a multi-coding-mode CPU, comprising a microprocessor and a memory connected to each other, characterized in that the microprocessor is programmed or configured to perform the steps of the code injection attack protection method based on a multi-coding-mode CPU according to any one of claims 1 to 8, or the memory stores a computer program programmed or configured to perform the code injection attack protection method based on a multi-coding-mode CPU according to any one of claims 1 to 8.
10. A computer-readable storage medium, wherein the computer-readable storage medium stores a computer program programmed or configured to perform the code injection attack protection method based on a multi-coding-mode CPU according to any one of claims 1 to 8.
CN202011141356.9A 2020-10-22 2020-10-22 Code injection type attack protection method and device based on multi-coding mode CPU Active CN112199681B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011141356.9A CN112199681B (en) 2020-10-22 2020-10-22 Code injection type attack protection method and device based on multi-coding mode CPU

Publications (2)

Publication Number Publication Date
CN112199681A CN112199681A (en) 2021-01-08
CN112199681B true CN112199681B (en) 2024-03-26

Family

ID=74012458

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011141356.9A Active CN112199681B (en) 2020-10-22 2020-10-22 Code injection type attack protection method and device based on multi-coding mode CPU

Country Status (1)

Country Link
CN (1) CN112199681B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112905998B (en) * 2021-02-26 2023-10-03 中国人民解放军国防科技大学 Address-oriented attack protection method and device based on random switching of code segments
CN116112286B (en) * 2023-04-04 2023-06-20 井芯微电子技术(天津)有限公司 Network anomaly detection and recovery method and device
CN117521061B (en) * 2024-01-05 2024-03-15 南京南自华盾数字技术有限公司 Timing bypass attack safety protection method based on binary converter

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5781750A (en) * 1994-01-11 1998-07-14 Exponential Technology, Inc. Dual-instruction-set architecture CPU with hidden software emulation mode
CN107194246A (en) * 2017-05-19 2017-09-22 中国人民解放军信息工程大学 A kind of CPU for being used to realize dynamic instruction sets randomization
CN108090346A (en) * 2017-12-04 2018-05-29 华中科技大学 A kind of code reuse attack defense method and system based on data stream monitoring

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8578483B2 (en) * 2008-07-31 2013-11-05 Carnegie Mellon University Systems and methods for preventing unauthorized modification of an operating system

Also Published As

Publication number Publication date
CN112199681A (en) 2021-01-08

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant