[go: up one dir, main page]

WO2020057603A1 - Method and apparatus for detecting that return address in stack has been tampered with - Google Patents

Method and apparatus for detecting that return address in stack has been tampered with Download PDF

Info

Publication number
WO2020057603A1
WO2020057603A1 PCT/CN2019/106686 CN2019106686W WO2020057603A1 WO 2020057603 A1 WO2020057603 A1 WO 2020057603A1 CN 2019106686 W CN2019106686 W CN 2019106686W WO 2020057603 A1 WO2020057603 A1 WO 2020057603A1
Authority
WO
WIPO (PCT)
Prior art keywords
hash value
stack
return address
verified
frame
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/CN2019/106686
Other languages
French (fr)
Chinese (zh)
Inventor
孟丹
陈李维
李锦峰
史岗
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Institute of Information Engineering of CAS filed Critical Institute of Information Engineering of CAS
Publication of WO2020057603A1 publication Critical patent/WO2020057603A1/en
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow

Definitions

  • the present disclosure relates to the field of computer technology, and more particularly, to a method and device for detecting that a return address in a stack has been tampered with.
  • the stack overflow vulnerability is an extremely serious system security vulnerability. It writes excessively long data into a limited memory space, destroying the system's memory space, causing the system to run abnormally, freeze, or restart.
  • using the address of the attack code to overwrite the function pointer can allow an attacker to gain control of some or all of the system, which is a very threatening security risk.
  • the main prevention and defense method for stack overflow attacks is to ensure that the return address cannot be maliciously tampered with through the shadow stack and stack protection technology.
  • the security of the shadow stack and stack protection is not enough, and the attacker can still find some ways to bypass the above two defense technologies to attack.
  • embodiments of the present disclosure provide a method and device for detecting that a return address in a stack is tampered with, or at least partially solving the above problems.
  • a method for detecting tampering of a return address in a stack including:
  • the i-th return address and a random number are stored in the i-th frame in the stack, and any one of the frames from the i + 1th frame to the top frame of the stack is stored in any one of the frames.
  • the corresponding return address and the hash value corresponding to the return address wherein the hash value corresponding to the return address is based on the return address and the hash value corresponding to the return address stored in the previous frame of any frame in the stack, based on the Said any hash value generation algorithm, the hash value obtained; j> i ⁇ 1, where j is the sequence number of the top frame of the stack;
  • the hash value to be verified is different from the correct hash value generated in advance, it is confirmed that the return address to be verified is tampered; wherein the correct hash value is based on the untampered return address and the untampered frame top frame of the stack
  • the hash value corresponding to the return address of is obtained based on any one of the hash value generation algorithms.
  • the processor for executing the method for detecting that the return address in the stack is tampered with further includes a Top register, and the correct hash value stored in the Top register can only be modified by a preset instruction.
  • the processor for executing the method for detecting that the return address in the stack is tampered with further includes a hash calculation module for executing any one of the hash value generation algorithms.
  • any return address in the stack and the hash value corresponding to any of the return addresses are separately stored in different positions in the same stack frame in the stack.
  • S2 also includes:
  • the hash value to be verified is the same as the correct hash value generated in advance, it is confirmed that the return address to be verified has not been tampered with.
  • a device for detecting that a return address in a stack is tampered including:
  • the hash value calculation module is configured to obtain an hash value to be verified based on any hash value generation algorithm according to the hash value corresponding to the return address to be verified and the hash value corresponding to the return address to be verified stored in the top frame of the stack in the stack;
  • the i-th return address and a random number are stored in the i-th frame in the stack, and any one of the frames from the i + 1th frame to the top frame of the stack is stored in any one of the frames.
  • the corresponding return address and the hash value corresponding to the return address wherein the hash value corresponding to the return address is based on the return address and the hash value corresponding to the return address stored in the previous frame of any frame in the stack, based on the Said any hash value generation algorithm, the hash value obtained; j> i ⁇ 1, where j is the sequence number of the top frame of the stack;
  • a verification module configured to determine that if the hash value to be verified is different from the pre-generated correct hash value, to confirm that the return address to be verified has been tampered with; the correct hash value is based on the untampered return address of the top frame of the stack in the stack in advance; The hash value corresponding to the return address that has not been tampered with is obtained based on any one of the hash value generation algorithms.
  • Top register is further included, the Top register is used to store the correct hash value, and the correct hash value stored in the Top register can only be modified by a preset instruction.
  • a hash calculation module for executing any one of the hash value generation algorithms is further included.
  • any return address in the stack and the hash value corresponding to any of the return addresses are separately stored in different positions in the same stack frame in the stack.
  • the verification module is further configured to determine that if the hash value to be verified is the same as the correct hash value generated in advance, it is confirmed that the return address to be verified has not been tampered with.
  • the above embodiments of the present disclosure provide a method and a device for detecting a tampered return address in a stack.
  • the present disclosure stores and verifies both the return address and the hash value through a chain structure.
  • the embodiments of the present disclosure have high security and performance. Beneficial effects such as low loss and low design complexity.
  • FIG. 1 is a schematic flowchart of a method for detecting that a return address in a stack is tampered according to an embodiment of the present disclosure
  • FIG. 2 is a schematic diagram of a hash chain structure stack in a method for detecting a tampered return address in a stack according to an embodiment of the present disclosure
  • FIG. 3 is a schematic structural diagram of a hash chain structure stack in a method for detecting that a return address in a stack is tampered according to an embodiment of the present disclosure
  • FIG. 4 is a schematic structural diagram of a stack in the prior art according to an embodiment of the present disclosure.
  • FIG. 5 is a schematic diagram illustrating a difference between a call instruction execution and a prior art call instruction in a method for detecting a tampered return address in a stack according to an embodiment of the present disclosure
  • FIG. 6 is a schematic diagram illustrating a difference between execution of a return instruction and a return instruction in the prior art in a method for detecting that a return address in a stack is tampered according to an embodiment of the present disclosure
  • FIG. 7 is a schematic diagram of an uncompressed structure and a compressed storage structure in a method for detecting that a return address in a stack is tampered with, according to an embodiment of the present disclosure
  • FIG. 8 is a schematic diagram of an overall structure of a device for detecting a tampered return address in a stack according to an embodiment of the present disclosure.
  • Memory Vulnerability refers to the programmer's mistakes in the design of time or space in the operation of the memory during the software writing process, causing problems that may cause the program to violate the design of the program itself. Attackers can use the program's memory leaks to construct various attacks and perform malicious behaviors.
  • Buffer overflow It is the most common memory leak. Copying data that exceeds the length of a buffer into a buffer will cause a buffer overflow, thereby overwriting other data outside the buffer.
  • the stack overflow vulnerability is the most common type of buffer overflow vulnerability, that is, copying an excessively long data into the stack, causing the buffer data on the stack to overflow, thereby overwriting other key data on the stack.
  • Stack Also known as stack, it is a linear table with limited operations. The limitation is that insert and delete operations are allowed on only one end of the table. This end is called the top of the stack, and the other end is called the bottom of the stack. Inserting a new element into a stack is also called pushing, stacking, or pushing the stack. It is to place a new element on top of the stack and make it a new top element. Removing an element from a stack is also called popping or Unstacking is to delete the top element of the stack so that its adjacent elements become the new top element.
  • Stack overflow It is a kind of buffer overflow. Rewriting of useful memory cells due to buffer overflows often leads to unpredictable consequences.
  • some memory space is generally allocated, and these spaces are usually called buffers. If data longer than its own length is written to the buffer so that the buffer cannot accommodate it, it will cause the storage unit outside the buffer to be rewritten. This phenomenon is called buffer overflow.
  • the buffer length is generally related to the type of the buffer variable defined by the user.
  • Function call When the computer is compiled or run, a function is used to complete the related command.
  • a call instruction such as a Call instruction
  • the return instruction reads the return address stored in the stack, jumps to the original call function location according to the return address, and continues to execute.
  • the most common method for exploiting a stack overflow vulnerability is to use stack overflow to cover the return address and change the return address to an address set by the attacker. When the function returns, it will jump to the location set by the attacker and execute the code the attacker wants to execute.
  • ROP attack A classic technique that uses memory vulnerabilities to construct attacks. Because of the popularity of non-executable bit technologies (DEP or NX), it becomes difficult to directly inject code to perform malicious attacks, while ROP attacks can use the code of the program itself. Using the return address as a connection, an attack is constructed. The principle of the ROP attack is mainly to use code fragments (becoming accessories) that end with return instructions (such as the Return instruction) in the code of the program, and cooperate with the control of the stack space to continuously make the program run these accessories. When the program executes a Return, the CPU fetches an address from the current stack and jumps to the code pointed to by this address to start running. The attacker puts the address of a series of accessories into the stack first.
  • the key point of attacks such as ROP attacks is tampering with the return address.
  • some existing technologies also prevent these attacks by protecting the return address.
  • the main related work is the shadow stack (stack) and stack protection (stack cookie, also called stack canary).
  • the shadow stack uses a different implementation to store a backup of the return address in the stack in another area of memory (the memory area is called the shadow stack), and compare the address with the backup before the return address in the stack is used If the addresses are different, it means that the addresses in the stack have been tampered with. To put it simply, the essence of the shadow stack is to store a copy of the return address in another place, so that there is no worry that the attacker will modify the return address in the stack.
  • Intel Corporation proposed CET technology (Control-flow Enforcement Technology) in 2016, which mainly contains two technologies, one of which is the shadow stack.
  • Stack protection is a practical technique used in many major compilers, such as the gcc compiler.
  • the return address is stored on the stack, and a canary is inserted before the return address (canary, that is, the guard value, is a random number). If an attacker wants to use a stack overflow to overwrite the return address, it will necessarily overwrite the protection value.
  • the protection value is a random number and cannot be known by the attacker, so the protection value will also change.
  • the function checks if the protection value has been changed, and you can find out whether the return address has been tampered with maliciously.
  • the backup in the shadow stack must be absolutely secure, which is very difficult in actual implementation.
  • Intel's CET technology proposes that a new page attribute is used to mark individual pages as "shadow stack" pages for protection.
  • this page property can be changed, which has precedent in previous examples of bypassing DEP in actual attacks. Therefore, it is insufficient to protect the security in a certain area on the memory. If an attacker can modify the shadow stack and the return address on the stack at the same time, the protection of the shadow stack can be broken.
  • the backup in the shadow stack needs a separate page to store, so it will increase memory access, reduce performance, and increase memory overhead.
  • the stack protection needs to insert a protection value (random number) before the return address. Once the attacker knows the protection value, he can easily overwrite the return address and protection value, while ensuring that the protection value does not change.
  • Stack protection can only prevent stack overflow from overwriting the return address, but not other attacks. For example, use any address to write and directly modify the return address point-to-point.
  • the shadow stack and stack protection are not secure enough, and the attacker can still find some ways to bypass it.
  • a specific embodiment of the present disclosure provides a method for detecting that a return address in a stack has been tampered with.
  • a schematic flowchart of a method for detecting that a return address in a stack is tampered includes:
  • the i-th return address and a random number are stored in the i-th frame in the stack, and any one of the frames from the i + 1th frame to the top frame of the stack is stored in any one of the frames.
  • the corresponding return address and the hash value corresponding to the return address wherein the hash value corresponding to the return address is based on the return address and the hash value corresponding to the return address stored in the previous frame of any frame in the stack, based on the Said any hash value generation algorithm, the hash value obtained; j> i ⁇ 1, where j is the sequence number of the top frame of the stack;
  • the hash value to be verified is different from the correct hash value generated in advance, it is confirmed that the return address to be verified is tampered; wherein the correct hash value is based on the untampered return address and the untampered of the top frame of the stack in the stack in advance.
  • the hash value corresponding to the return address of is obtained based on any one of the hash value generation algorithms.
  • the embodiments of the present disclosure utilize a main hash algorithm to protect the return address.
  • the hash algorithm has some unique advantages. For example, it is difficult to reverse the input of the hash through the output of the hash. It is also difficult for an attacker to control the input to output a desired output value.
  • the present disclosure proposes to maintain both the return address and the hash value through a chain structure. As shown in Figure 2, the latest hash value is calculated based on the latest (stored in the top frame of the stack) return address and the previous (stored in the top frame of the stack) hash value. The hash value in the top frame of the stack is calculated based on the return address and hash value stored in the previous frame. Therefore, the return address and hash value in each frame in the stack form a chain.
  • FIG. 3 illustrates a stack structure according to an embodiment of the present disclosure.
  • the stack structure of the embodiment of the present disclosure stores the return address and its corresponding hash value in the same frame.
  • the hash value and return address stored in the same frame are staggered, that is, the first return address (Address 1) and a random number (RAND) are stored together; the first hash value (Hash 1) Calculated according to the first return address and a random number, stored with the second return address; and so on, the second hash value exists with the third return address; and the latest hash value (Hash 3) is stored in A special register (called the Top register).
  • the random number RAND is the initial value of the Top register.
  • FIG. 5 shows a special process different from the normal execution process of the call instruction in the present disclosure
  • FIG. 6 shows this
  • the return instruction is a special procedure that is different from the normal execution procedure.
  • the normal call instruction (Call instruction) is executed: 1) the return address is pushed onto the stack, and 2) the target address of the call instruction (Call instruction) is stored in the PC (equivalent to jumping to the target address for execution).
  • the normal return instruction (return instruction) is executed: 1) the return address is popped from the stack, and 2) the return address is stored in the PC (equivalent to jumping to the return address for execution).
  • the calling instruction (Call instruction) of the present disclosure is executed: 1) pushing the hash value in the Top register together with the return address (the untampered return address of the top frame of the stack), 2) pushing the pushed data (that is, the first Step hash value and return address) as the input of the hash function, calculate the new hash value (correct hash value), store the new hash value in the Top register, 3) the target address of the call instruction (Call instruction) Save to PC.
  • the return instruction (return instruction) of the embodiment of the present disclosure is executed: 1) The hash value and the return address (the return address to be verified) are popped from the top frame of the stack, and the hash value and the return address (the return address to be verified) of the stack are calculated. The hash value (the hash value to be verified), 2) comparing the calculated hash value (the hash value to be verified) with the hash value (the correct hash value) stored in the Top register. If the two are not equal, it means that an abnormality has occurred, the alarm should be issued and the program running should be interrupted. If they are equal, it is normal and execution continues. 3) Store the popped hash value in the Top register (the popped hash value, not the hash value to be verified). 4) When the hash value to be verified is equal to the correct hash value, the return address to be verified is stored in the PC; when the hash value to be verified is not equal to the correct hash value, an exception occurs and the program is interrupted.
  • a method for detecting a tampered return address in a stack is provided.
  • a processor for executing the method for detecting a tampered return address in a stack further includes a Top register, where: The Top register is used to store the correct hash value, and the correct hash value stored in the Top register can only be modified by a preset instruction.
  • a method for detecting tampering with a return address in a stack is provided.
  • the processor for executing the method for detecting tampering with a return address in a stack further includes a Salt register for: A challenge value is stored as another input of the hash function, and the challenge value can only be modified by a preset instruction.
  • At least one register including at least a Top register, and possibly a Salt register, to a processor executing a method for detecting a return address in a stack in the embodiment of the present disclosure.
  • the Top register is used to store the latest hash value.
  • the challenge value stored in the Salt register is another input to the hash function. It is generally a random value or other types of values, which further increases the difficulty of guessing and cracking the hash function. .
  • the Top register and the Salt register are set to random numbers or non-random numbers generated by other methods, among which random numbers are the most preferred.
  • the hardware should ensure that the correct hash value stored in the Top register and the challenge value stored in the Salt register can only be modified by preset instructions, otherwise the disclosure will lose its defensive effect. It is easy to protect several special registers from being modified by an attacker. Even if the attacker reads the Salt register, this disclosure can still guarantee that the attacker cannot easily tamper with the return address, and still has high security.
  • the hardware does not need to ensure that the Top register is not read by an attacker. Whether an attacker can read the Top register has no impact on the security of this disclosure.
  • a method for detecting that a return address in a stack is tampered with is provided.
  • the challenge value stored in the Salt register and the correct hash value stored in the Top register cannot pass the pre-defined privilege instruction. Specify read.
  • the hardware should try to ensure that the Salt register is not read by an attacker, which is also relatively easy to implement technically.
  • the disclosure can still guarantee that the attacker cannot easily tamper with the return address, and still has high security.
  • a method for detecting tampering with a return address in a stack is provided.
  • the processor for executing the method for detecting tampering with a return address in a stack further includes a method for executing the method.
  • the embodiment of the present disclosure does not have too many requirements on the selection of the hash algorithm. Any hash algorithm may be used, and even other encryption and decryption algorithms may be used.
  • a method for detecting that a return address in a stack is tampered with is provided. Any return address in the stack and a hash value corresponding to any of the return addresses are separately stored in all locations. It is described in different positions in the same stack frame in the stack. As shown in FIG. 7, in a specific embodiment of the present disclosure, storing a return address and a hash value at different locations for storage is called an uncompressed structure (or a normal structure).
  • a method for detecting that a return address in a stack is tampered with is provided.
  • any return address in the stack is normally stored in any position in the stack.
  • the hash value corresponding to any one of the return addresses is stored in a high-order space of any one of the positions.
  • the return address occupies 64 bits, but the actual return address is actually not so long, generally only more than 40 bits. Therefore, the upper 64 bits are free. Therefore, it is possible to save the hash value to the upper bit of 64 bits.
  • This storage structure is called a compressed structure, as shown in Figure 7.
  • the difference between the compressed structure and the original stack structure is only the value of the return address in the stack (and the layout is completely consistent). This brings a major beneficial effect is that it can be compatible with the previous binary, because most programs follow the following rules: (1) the call instruction and the return instruction match; (2) only the call instruction and the return instruction use the return address , Other instructions are not used; (3) other values in the stack are determined based on the offset.
  • the supporting operations are as follows: the operations required to achieve this goal are: replacing all (or matching parts) call instructions and return instructions in the original program with the Invoke and return instructions, and use compressed structures.
  • the use of a compressed structure also has the beneficial effect of saving space compared to an uncompressed structure.
  • some data may be stored in the upper 64 bits, such as the ASLR random number. However, in any case, these data have not used up all the 64-bit space. Often, more than 20 bits of free space can be left, which is sufficient for storing hash values.
  • a method for detecting that a return address in a stack is tampered is provided. After S2, the method further includes: interrupting a program running and storing a hash value corresponding to the return address to be verified in a Top register.
  • a method for detecting that a return address in a stack is tampered with is provided. If the hash value to be verified is the same as a pre-generated correct hash value, it is confirmed that the return address to be verified has not been tampered with.
  • a processor for executing the method for detecting a tampered return address in a stack further includes a counter for When the stack executes a call instruction (such as a Call instruction), the count increases by one, and when the stack executes a return instruction (such as a return instruction), the count decreases by one; when the process ends, if the counter count is not 0 or Top If the correct hash value in the register is modified, an error is reported.
  • a call instruction such as a Call instruction
  • return instruction such as a return instruction
  • the specific embodiment of the present disclosure considers that it is assumed that the attacker's ability is extremely strong and has unlimited computing power. Then, the attacker may forcibly tamper with the return address through hash collision and construct the same hash value. For this extreme case, the embodiments of the present disclosure still have a way to discover that the attacker cannot control the value of the Top register and cannot guarantee that the value of the Top register after the attack is the same as the initial value, leaving traces of the attack. .
  • a Number counter is further added to record the execution times of the call instruction and the return instruction to ensure that the number of the call instruction and the return instruction is the same.
  • the Number counter is initialized to 0; a call instruction is executed to increment the count number by one; a return instruction is executed to decrement the count number by one; if the process ends, the number should be 0, otherwise an error is reported and the program is terminated.
  • the value of the Top register should be equal to the initial value of the Top register at the beginning of the process, otherwise it is considered that an attack has occurred, an error is reported, and the operation is terminated.
  • FIG. 8 a schematic diagram of an overall framework of a device for detecting tampering of a return address in a stack according to the present disclosure is shown.
  • the device includes:
  • a hash value calculation module A1 is configured to obtain a hash value to be verified based on any hash value generation algorithm according to the hash value corresponding to the verification return address and the verification return address stored in the top frame of the stack in the stack;
  • the i-th return address and a random number are stored in the i-th frame in the stack, and any one of the frames from the i + 1th frame to the top frame of the stack is stored in any one of the frames.
  • the corresponding return address and the hash value corresponding to the return address wherein the hash value corresponding to the return address is based on the return address and the hash value corresponding to the return address stored in the previous frame of any frame in the stack, based on the Said any hash value generation algorithm, the hash value obtained; j> i ⁇ 1, where j is the sequence number of the top frame of the stack;
  • the verification module A2 is configured to confirm that the return address to be verified is tampered if the hash value to be verified is different from the correct hash value generated in advance; wherein the correct hash value is based on the untampered return address of the top frame of the stack in the stack in advance
  • the hash value corresponding to the return address that has not been tampered with is obtained based on any one of the hash value generation algorithms.
  • a device for detecting tampering with a return address in a stack is provided.
  • the processor for executing the method for detecting tampering with a return address in a stack further includes a Top register and A Salt register:
  • the Top register is used to store the correct hash value, and the correct hash value stored in the Top register can only be modified by a preset instruction;
  • the Salt register is used to store a challenge value, which is used as another input of a hash function, and the challenge value can only be modified by a preset instruction.
  • the compiler needs to know the specific layout of the 64-bit return address, which bits are the return address, and which bits are the hash value, so that the compiler can add special processing code to the program. If the compiler has sufficient support, the present disclosure can also be implemented using a compiler (without requiring hardware support). However, the efficiency of this implementation is lower than that of hardware-only implementation, and the performance loss is about 3%.
  • the present disclosure is highly flexible and compatible. For example, a multi-chain structure is adopted, and every certain number of return addresses are protected by different chains; some addresses are protected, and some addresses are not protected. This makes it more difficult for attackers to crack.
  • This disclosure is not in conflict with other defense methods, and can be used in combination.
  • the above-mentioned embodiments of the present disclosure are superior to existing methods in terms of security, performance, design complexity, compatibility, practicality, and the like. Compared with a specific technology, the present disclosure is better in some aspects, while other aspects can ensure that it is not worse than the technology.
  • the present disclosure can strictly guarantee that the return address cannot be maliciously tampered with, and the security is higher than other methods.
  • the shadow stack cannot prevent the backup data of the shadow stack from being modified, and stack protection cannot prevent the leakage of protection values.
  • the present disclosure only needs to add a few registers and a hash operation module, the design complexity is very low, and it is easy to implement. While other methods, such as shadow stacks, may require modification of the page table management mechanism, the complexity is much higher than this disclosure.
  • the present disclosure is highly versatile and can be used in any mainstream computer system.
  • Function calls and returns are the most basic program functions supported by all computers, and the present disclosure can be used for all computer systems that support function calls and returns.
  • the disclosure has high compatibility, and small changes to the system, and can be well incorporated into existing computer systems.
  • the present disclosure is a very practical technology that can be easily applied to real systems.
  • the present disclosure has some unique advantages. For example, once an attack is successful, none of the existing defense methods can be found. Even if this disclosure is really cracked by an attacker, the attacker will inevitably leave traces of the attack, and thus will be found.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

A method and apparatus for detecting that a return address in a stack has been tampered with. A return address and a hash value are both stored and verified by means of a chain structure. The method and the apparatus have the beneficial effects of high security, low performance loss, low design complexity, etc.

Description

检测堆栈中返回地址被篡改的方法及装置Method and device for detecting tampered return address in stack

相关申请的交叉引用Cross-reference to related applications

本申请要求于2018年9月21日提交的申请号为2018111095662,发明名称为“检测堆栈中返回地址被篡改的方法及装置”的中国专利申请的优先权,其通过引用方式全部并入本公开。This application claims the priority of a Chinese patent application filed on September 21, 2018 with the application number 2018111095662 and the invention name "Method and Device for Detecting Tampered Return Address in the Stack", which is incorporated by reference in its entirety. .

技术领域Technical field

本公开涉及计算机技术领域,更具体地,涉及检测堆栈中返回地址被篡改的方法及装置。The present disclosure relates to the field of computer technology, and more particularly, to a method and device for detecting that a return address in a stack has been tampered with.

背景技术Background technique

计算机技术和互联网的建设和发展,对整个社会的经济、文化、科技等各方面带来了巨大的推动和冲击,大量电信、电子商务、金融网络等信息化系统已经成为国家和政府的关键基础设施,因此如何确保计算机系统的安全已成为摆在我们面前迫切需要解决的难题。The construction and development of computer technology and the Internet have brought tremendous impetus and impact to the economy, culture, technology and other aspects of the entire society. A large number of information systems such as telecommunications, e-commerce, and financial networks have become the key foundations of the country and government. Facilities, so how to ensure the security of computer systems has become an urgent problem that needs to be solved before us.

堆栈溢出漏洞是一个极其严重的系统安全漏洞,它是通过向一个有限的内存空间写入过长的数据,破坏系统的内存空间,导致系统运行异常、死机或重启。通过堆栈溢出攻击,使用攻击代码的地址覆盖函数指针,可以让攻击者获取部分或全部的系统控制权,这是一种极具威胁的安全隐患。The stack overflow vulnerability is an extremely serious system security vulnerability. It writes excessively long data into a limited memory space, destroying the system's memory space, causing the system to run abnormally, freeze, or restart. Through a stack overflow attack, using the address of the attack code to overwrite the function pointer can allow an attacker to gain control of some or all of the system, which is a very threatening security risk.

现有技术中,对于堆栈溢出攻击主要的阻止和防御方式为通过影子栈和栈保护技术,保证返回地址不被恶意篡改。但影子栈和栈保护的安全性都不够,攻击者仍能找到一些办法来绕过上述两种防御技术进行攻击。In the prior art, the main prevention and defense method for stack overflow attacks is to ensure that the return address cannot be maliciously tampered with through the shadow stack and stack protection technology. However, the security of the shadow stack and stack protection is not enough, and the attacker can still find some ways to bypass the above two defense technologies to attack.

所以,亟待提出一种能够有效监测返回地址不被恶意篡改的方法及装置。Therefore, it is urgent to propose a method and device capable of effectively monitoring that the return address is not tampered with maliciously.

发明内容Summary of the Invention

为了解决上述问题,本公开实施例提供一种克服上述问题或者至少部分地解决上述问题的一种检测堆栈中返回地址被篡改的方法及装置。In order to solve the above problems, embodiments of the present disclosure provide a method and device for detecting that a return address in a stack is tampered with, or at least partially solving the above problems.

根据本公开实施例的第一方面,提供了一种检测堆栈中返回地址被篡改的方法,包括:According to a first aspect of the embodiments of the present disclosure, a method for detecting tampering of a return address in a stack is provided, including:

S1,根据堆栈中栈顶帧中所存储的待验证返回地址和待验证返回地址所对应的hash值,基于任一hash值生成算法,获得待验证hash值;S1. Obtain a hash value to be verified based on any hash value generation algorithm according to the hash value corresponding to the return address to be verified and the hash value corresponding to the return address to be verified stored in the top frame of the stack;

其中,所述堆栈中的第i帧中存储了第i个返回地址和一个随机数;所述堆栈中第i+1帧至栈顶帧中的任一帧中存储了所述任一帧所对应的返回地址和返回地址所对应的hash值;其中,返回地址所对应的hash值根据栈中所述任一帧的前一帧中存储的返回地址和返回地址所对应的hash值,基于所述任一hash值生成算法,获得的hash值;j>i≥1,其中j为栈顶帧的序号;Wherein, the i-th return address and a random number are stored in the i-th frame in the stack, and any one of the frames from the i + 1th frame to the top frame of the stack is stored in any one of the frames. The corresponding return address and the hash value corresponding to the return address; wherein the hash value corresponding to the return address is based on the return address and the hash value corresponding to the return address stored in the previous frame of any frame in the stack, based on the Said any hash value generation algorithm, the hash value obtained; j> i≥1, where j is the sequence number of the top frame of the stack;

S2,若待验证hash值与预先生成的正确hash值不同,则确认待验证返回地址被篡改;其中,所述正确hash值预先根据栈中栈顶帧的未被篡改的返回地址和未被篡改的返回地址所对应的hash值,基于所述任一hash值生成算法获得的。S2. If the hash value to be verified is different from the correct hash value generated in advance, it is confirmed that the return address to be verified is tampered; wherein the correct hash value is based on the untampered return address and the untampered frame top frame of the stack The hash value corresponding to the return address of is obtained based on any one of the hash value generation algorithms.

进一步,用于执行所述检测堆栈中返回地址被篡改的方法的处理器中,还包括一个Top寄存器,所述Top寄存器中所存储的正确hash值只能通过预设指令修改。Further, the processor for executing the method for detecting that the return address in the stack is tampered with further includes a Top register, and the correct hash value stored in the Top register can only be modified by a preset instruction.

进一步,用于执行所述检测堆栈中返回地址被篡改的方法的处理器中,还包括一个用于执行所述任一hash值生成算法的hash计算模块。Further, the processor for executing the method for detecting that the return address in the stack is tampered with, further includes a hash calculation module for executing any one of the hash value generation algorithms.

进一步,所述堆栈中任一返回地址,和与所述任一返回地址所对应的hash值分别单独保存在所述堆栈中同一栈帧内的不同位置上。Further, any return address in the stack and the hash value corresponding to any of the return addresses are separately stored in different positions in the same stack frame in the stack.

进一步,S2还包括:Further, S2 also includes:

若待验证hash值与预先生成的正确hash值相同,则确认待验证返回地址没有被篡改。If the hash value to be verified is the same as the correct hash value generated in advance, it is confirmed that the return address to be verified has not been tampered with.

根据本公开实施例的另一个方面,提供一种检测堆栈中返回地址被篡改的装置,包括:According to another aspect of the embodiments of the present disclosure, there is provided a device for detecting that a return address in a stack is tampered, including:

hash值计算模块,用于根据堆栈中栈顶帧中所存储的待验证返回地址和待验证返回地址所对应的hash值,基于任一hash值生成算法,获得待验证hash值;The hash value calculation module is configured to obtain an hash value to be verified based on any hash value generation algorithm according to the hash value corresponding to the return address to be verified and the hash value corresponding to the return address to be verified stored in the top frame of the stack in the stack;

其中,所述堆栈中的第i帧中存储了第i个返回地址和一个随机数;所述堆栈中第i+1帧至栈顶帧中的任一帧中存储了所述任一帧所对应的返回地址和返回地址所对应的hash值;其中,返回地址所对应的hash值根 据栈中所述任一帧的前一帧中存储的返回地址和返回地址所对应的hash值,基于所述任一hash值生成算法,获得的hash值;j>i≥1,其中j为栈顶帧的序号;Wherein, the i-th return address and a random number are stored in the i-th frame in the stack, and any one of the frames from the i + 1th frame to the top frame of the stack is stored in any one of the frames. The corresponding return address and the hash value corresponding to the return address; wherein the hash value corresponding to the return address is based on the return address and the hash value corresponding to the return address stored in the previous frame of any frame in the stack, based on the Said any hash value generation algorithm, the hash value obtained; j> i≥1, where j is the sequence number of the top frame of the stack;

验证模块,用于判断若待验证hash值与预先生成的正确hash值不同,则确认待验证返回地址被篡改;其中,所述正确hash值预先根据栈中栈顶帧的未被篡改的返回地址和未被篡改的返回地址所对应的hash值,基于所述任一hash值生成算法获得的。A verification module, configured to determine that if the hash value to be verified is different from the pre-generated correct hash value, to confirm that the return address to be verified has been tampered with; the correct hash value is based on the untampered return address of the top frame of the stack in the stack in advance; The hash value corresponding to the return address that has not been tampered with is obtained based on any one of the hash value generation algorithms.

进一步,还包括一个Top寄存器,所述Top寄存器用于存储所述正确hash值,且Top寄存器中所存储的正确hash值只能通过预设指令修改。Further, a Top register is further included, the Top register is used to store the correct hash value, and the correct hash value stored in the Top register can only be modified by a preset instruction.

进一步,还包括一个用于执行所述任一hash值生成算法的hash计算模块。Further, a hash calculation module for executing any one of the hash value generation algorithms is further included.

进一步,所述堆栈中任一返回地址,和与所述任一返回地址所对应的hash值分别单独保存在所述堆栈中同一栈帧内的不同位置上。Further, any return address in the stack and the hash value corresponding to any of the return addresses are separately stored in different positions in the same stack frame in the stack.

进一步,所述验证模块还用于判断若待验证hash值与预先生成的正确hash值相同,则确认待验证返回地址没有被篡改。Further, the verification module is further configured to determine that if the hash value to be verified is the same as the correct hash value generated in advance, it is confirmed that the return address to be verified has not been tampered with.

本公开上述实施例提供一种检测堆栈中返回地址被篡改的方法及装置,本公开将返回地址和哈希值都通过一个链式结构来存储并验证,本公开实施例具有安全性高、性能损耗小、设计复杂度低等有益效果。The above embodiments of the present disclosure provide a method and a device for detecting a tampered return address in a stack. The present disclosure stores and verifies both the return address and the hash value through a chain structure. The embodiments of the present disclosure have high security and performance. Beneficial effects such as low loss and low design complexity.

附图说明BRIEF DESCRIPTION OF THE DRAWINGS

图1为本公开实施例的一种检测堆栈中返回地址被篡改的方法的整体流程示意图;1 is a schematic flowchart of a method for detecting that a return address in a stack is tampered according to an embodiment of the present disclosure;

图2为本公开实施例的一种检测堆栈中返回地址被篡改的方法中哈希链结构堆栈的示意图;2 is a schematic diagram of a hash chain structure stack in a method for detecting a tampered return address in a stack according to an embodiment of the present disclosure;

图3为本公开实施例的一种检测堆栈中返回地址被篡改的方法中哈希链结构堆栈的结构示意图;3 is a schematic structural diagram of a hash chain structure stack in a method for detecting that a return address in a stack is tampered according to an embodiment of the present disclosure;

图4为本公开实施例的现有技术中堆栈的结构示意图;4 is a schematic structural diagram of a stack in the prior art according to an embodiment of the present disclosure;

图5为本公开实施例的一种检测堆栈中返回地址被篡改的方法中调用指令执行与现有技术调用指令的区别示意图;5 is a schematic diagram illustrating a difference between a call instruction execution and a prior art call instruction in a method for detecting a tampered return address in a stack according to an embodiment of the present disclosure;

图6为本公开实施例的一种检测堆栈中返回地址被篡改的方法中返回指令执行与现有技术返回指令的区别示意图;6 is a schematic diagram illustrating a difference between execution of a return instruction and a return instruction in the prior art in a method for detecting that a return address in a stack is tampered according to an embodiment of the present disclosure;

图7为本公开实施例的一种检测堆栈中返回地址被篡改的方法中非压缩结构和压缩存储结构的示意图;7 is a schematic diagram of an uncompressed structure and a compressed storage structure in a method for detecting that a return address in a stack is tampered with, according to an embodiment of the present disclosure;

图8为本公开实施例的一种检测堆栈中返回地址被篡改的装置整体结构示意图。FIG. 8 is a schematic diagram of an overall structure of a device for detecting a tampered return address in a stack according to an embodiment of the present disclosure.

具体实施方式detailed description

下面结合附图和实施例,对本公开的具体实施方式作进一步详细描述。以下实施例用于说明本公开,但不用来限制本公开的范围。The specific implementation of the present disclosure will be described in further detail below with reference to the drawings and embodiments. The following examples are used to illustrate the present disclosure, but not to limit the scope of the present disclosure.

下面,本公开说明书首先对各个基本概念和现有技术及缺陷作一个清楚的解释。In the following, the present disclosure first provides a clear explanation of various basic concepts and existing technologies and defects.

内存漏洞:是指程序员在软件编写的过程中,对内存的操作上有时间上或者空间上的设计失误,产生使得程序可能做出违反程序本身设计的行为的问题。攻击者利用程序的内存漏洞,可以构造出各种攻击,执行恶意行为。Memory Vulnerability: refers to the programmer's mistakes in the design of time or space in the operation of the memory during the software writing process, causing problems that may cause the program to violate the design of the program itself. Attackers can use the program's memory leaks to construct various attacks and perform malicious behaviors.

缓冲区溢出:是最为常见的内存漏洞,向一个缓冲区中拷入超过该缓冲区长度的数据,即会产生缓冲区溢出,从而覆盖缓冲区以外的其他数据。而栈溢出漏洞又是缓冲区溢出漏洞中最为常见的一种,即向栈中拷入一个过长的数据,导致栈上的缓冲区数据溢出,从而覆盖栈上其他关键的数据。Buffer overflow: It is the most common memory leak. Copying data that exceeds the length of a buffer into a buffer will cause a buffer overflow, thereby overwriting other data outside the buffer. The stack overflow vulnerability is the most common type of buffer overflow vulnerability, that is, copying an excessively long data into the stack, causing the buffer data on the stack to overflow, thereby overwriting other key data on the stack.

栈(stack):又名堆栈,它是一种运算受限的线性表。其限制是仅允许在表的一端进行插入和删除运算。这一端被称为栈顶,相对地,把另一端称为栈底。向一个栈插入新元素又称作进栈、入栈或压栈,它是把新元素放到栈顶元素的上面,使之成为新的栈顶元素;从一个栈删除元素又称作出栈或退栈,它是把栈顶元素删除掉,使其相邻的元素成为新的栈顶元素。Stack (stack): Also known as stack, it is a linear table with limited operations. The limitation is that insert and delete operations are allowed on only one end of the table. This end is called the top of the stack, and the other end is called the bottom of the stack. Inserting a new element into a stack is also called pushing, stacking, or pushing the stack. It is to place a new element on top of the stack and make it a new top element. Removing an element from a stack is also called popping or Unstacking is to delete the top element of the stack so that its adjacent elements become the new top element.

栈溢出:是缓冲区溢出的一种。由于缓冲区溢出而使得有用的存储单元被改写,往往会引发不可预料的后果。程序在运行过程中,为了临时存取数据的需要,一般都要分配一些内存空间,通常称这些空间为缓冲区。如果向缓冲区中写入超过其本身长度的数据,以致于缓冲区无法容纳,就会造成缓冲区以外的存储单元被改写,这种现象就称为缓冲区溢出。缓冲区长度一般与用户自己定义的缓冲变量的类型有关。Stack overflow: It is a kind of buffer overflow. Rewriting of useful memory cells due to buffer overflows often leads to unpredictable consequences. During the running of the program, in order to temporarily access data, some memory space is generally allocated, and these spaces are usually called buffers. If data longer than its own length is written to the buffer so that the buffer cannot accommodate it, it will cause the storage unit outside the buffer to be rewritten. This phenomenon is called buffer overflow. The buffer length is generally related to the type of the buffer variable defined by the user.

函数调用:计算机编译或运行时,使用某个函数来完成相关命令。Function call: When the computer is compiled or run, a function is used to complete the related command.

返回地址:栈中存储的数据中一个最为重要的数据就是函数返回地址。当调用一个函数时,调用指令(例如Call指令)会将函数返回地址压入栈中。当函数返回时,返回指令(例如Return指令)会读取栈中保存的返回地址,根据返回地址跳转到原来调用函数的位置,继续往下执行。利用栈溢出漏洞进行攻击最常用的方法就是利用栈溢出,覆盖返回地址,将返回地址改为一个攻击者设置的地址。当函数返回时,就会跳转到攻击者设置好的位置,执行攻击者希望执行的代码。Return address: One of the most important data in the data stored in the stack is the function return address. When a function is called, a call instruction (such as a Call instruction) pushes the function return address onto the stack. When the function returns, the return instruction (such as the Return instruction) reads the return address stored in the stack, jumps to the original call function location according to the return address, and continues to execute. The most common method for exploiting a stack overflow vulnerability is to use stack overflow to cover the return address and change the return address to an address set by the attacker. When the function returns, it will jump to the location set by the attacker and execute the code the attacker wants to execute.

ROP攻击:一种经典的利用内存漏洞构造攻击行为的技术,因为不可执行位技术(DEP或NX)的普及,直接注入代码执行恶意攻击变得困难,而ROP攻击则可以利用程序本身的代码,以返回地址作为连接,构造出攻击行为。ROP攻击的原理主要是使用程序本身的代码中以返回指令(例如Return指令)结尾的代码片段(成为配件),配合对栈空间的控制,不断的使程序运行这些配件。当程序执行一次Return时,CPU从当前的栈上取出一个地址,并且跳转到这一地址指向的代码处开始运行。攻击者将一系列配件的地址先放入栈中,CPU运行到Return时,会取出第一个地址并跳转到这个配件开始执行,当第一个配件执行结束时,结尾的返回指令(例如Return指令)会取出第二个地址并跳转到第二个配件开始执行,如此循环,构造出任意恶意行为。ROP attack: A classic technique that uses memory vulnerabilities to construct attacks. Because of the popularity of non-executable bit technologies (DEP or NX), it becomes difficult to directly inject code to perform malicious attacks, while ROP attacks can use the code of the program itself. Using the return address as a connection, an attack is constructed. The principle of the ROP attack is mainly to use code fragments (becoming accessories) that end with return instructions (such as the Return instruction) in the code of the program, and cooperate with the control of the stack space to continuously make the program run these accessories. When the program executes a Return, the CPU fetches an address from the current stack and jumps to the code pointed to by this address to start running. The attacker puts the address of a series of accessories into the stack first. When the CPU runs to Return, it will take the first address and jump to this accessory to start execution. When the execution of the first accessory ends, the ending return instruction (such as The Return instruction) will take the second address and jump to the second accessory to start execution. This loop will construct any malicious behavior.

ROP攻击等攻击的关键点都在于篡改返回地址,目前现有的一些技术也都是通过保护返回地址来阻止这些攻击。主要相关的工作是影子栈(Shadow Stack)和栈保护(stack cookie,也叫stack canary)。The key point of attacks such as ROP attacks is tampering with the return address. At present, some existing technologies also prevent these attacks by protecting the return address. The main related work is the shadow stack (stack) and stack protection (stack cookie, also called stack canary).

影子栈通过不同的实现方式,将栈中的返回地址在内存的另一个区域中存储一个备份(该内存区域就叫影子栈),并在栈中的返回地址被使用前将地址与备份做对比,如果地址不同,则说明栈中的地址被篡改过。简单来说,影子栈的本质就是将返回地址在另外一个地方存一个备份,这样就不担心攻击者修改栈中的返回地址。Intel公司于2016年提出了CET技术(Control-flow Enforcement Technology),主要包含两项技术,其中一项就是影子栈。The shadow stack uses a different implementation to store a backup of the return address in the stack in another area of memory (the memory area is called the shadow stack), and compare the address with the backup before the return address in the stack is used If the addresses are different, it means that the addresses in the stack have been tampered with. To put it simply, the essence of the shadow stack is to store a copy of the return address in another place, so that there is no worry that the attacker will modify the return address in the stack. Intel Corporation proposed CET technology (Control-flow Enforcement Technology) in 2016, which mainly contains two technologies, one of which is the shadow stack.

栈保护是gcc编译器等许多主流编译器中采用的一项实用技术。返回地址保存在栈中,在返回地址的前面插入一个canary(金丝雀,即保护值, 是一个随机数)。如果攻击者想利用栈溢出覆盖返回地址,则必然会覆盖保护值。而保护值是一个随机数,攻击者无法获知,因此保护值也会改变。函数返回时检查一下保护值是否被改变,就可以发现返回地址是否被恶意篡改。Stack protection is a practical technique used in many major compilers, such as the gcc compiler. The return address is stored on the stack, and a canary is inserted before the return address (canary, that is, the guard value, is a random number). If an attacker wants to use a stack overflow to overwrite the return address, it will necessarily overwrite the protection value. The protection value is a random number and cannot be known by the attacker, so the protection value will also change. When the function returns, check if the protection value has been changed, and you can find out whether the return address has been tampered with maliciously.

然后,上述现有技术方法存在以下技术缺陷。Then, the aforementioned prior art method has the following technical defects.

影子栈方法存在若干问题:There are several problems with the shadow stack approach:

1、影子栈中的备份必须绝对安全,这在实际实现中是非常困难的。例如Intel的CET技术就提出,使用了一个新的页属性来标记单独的页为“影子栈”页来保护。但是这个页属性是可以被更改的,这在之前实际攻击中绕过DEP的实例中有过先例。所以在内存上一段区域做保护安全性是不足的。如果攻击者能够同时修改影子栈和栈上的返回地址,就能破解影子栈的保护。1. The backup in the shadow stack must be absolutely secure, which is very difficult in actual implementation. For example, Intel's CET technology proposes that a new page attribute is used to mark individual pages as "shadow stack" pages for protection. However, this page property can be changed, which has precedent in previous examples of bypassing DEP in actual attacks. Therefore, it is insufficient to protect the security in a certain area on the memory. If an attacker can modify the shadow stack and the return address on the stack at the same time, the protection of the shadow stack can be broken.

2、影子栈中的备份需要一个单独的页来存储,因此会增加访存,降低性能,也会增加内存开销。2. The backup in the shadow stack needs a separate page to store, so it will increase memory access, reduce performance, and increase memory overhead.

3、影子栈的实现较为复杂。如果不考虑影子栈本身的安全,可以设计比较简单,但安全性不够。如果考虑影子栈本身的安全,就需要对影子栈所在的内存添加额外的保护机制,大大增加了设计复杂性,导致实用性不高。3. The implementation of the shadow stack is more complicated. If the security of the shadow stack itself is not considered, the design can be simpler, but the security is not enough. If you consider the security of the shadow stack itself, you need to add additional protection mechanisms to the memory where the shadow stack is located, which greatly increases the design complexity and leads to low practicality.

栈保护方法存在若干问题:There are several problems with stack protection methods:

1、栈保护需要在返回地址前插入一个保护值(随机数)。一旦攻击者获知保护值,就能轻易的覆盖返回地址和保护值,同时保证保护值不会发生变化。1. The stack protection needs to insert a protection value (random number) before the return address. Once the attacker knows the protection value, he can easily overwrite the return address and protection value, while ensuring that the protection value does not change.

2、栈保护只能防御栈溢出覆盖返回地址,而不能防御其他攻击。比如,利用任意地址写,直接点对点修改返回地址。2. Stack protection can only prevent stack overflow from overwriting the return address, but not other attacks. For example, use any address to write and directly modify the return address point-to-point.

总之,影子栈和栈保护的安全性都不够,攻击者仍能找到一些办法来绕过。In short, the shadow stack and stack protection are not secure enough, and the attacker can still find some ways to bypass it.

本公开具体实施例提出一种检测堆栈中返回地址被篡改的方法。A specific embodiment of the present disclosure provides a method for detecting that a return address in a stack has been tampered with.

如图1,示出本公开实施例一种检测堆栈中返回地址被篡改的方法总体流程示意图,包括:As shown in FIG. 1, a schematic flowchart of a method for detecting that a return address in a stack is tampered according to an embodiment of the present disclosure includes:

S1,根据堆栈中栈顶帧中所存储的待验证返回地址和待验证返回地址 所对应的hash值,基于任一hash值生成算法,获得待验证hash值;S1. Obtain a hash value to be verified based on any hash value generation algorithm according to the hash value corresponding to the return address to be verified and the hash value corresponding to the return address to be verified stored in the top frame of the stack;

其中,所述堆栈中的第i帧中存储了第i个返回地址和一个随机数;所述堆栈中第i+1帧至栈顶帧中的任一帧中存储了所述任一帧所对应的返回地址和返回地址所对应的hash值;其中,返回地址所对应的hash值根据栈中所述任一帧的前一帧中存储的返回地址和返回地址所对应的hash值,基于所述任一hash值生成算法,获得的hash值;j>i≥1,其中j为栈顶帧的序号;Wherein, the i-th return address and a random number are stored in the i-th frame in the stack, and any one of the frames from the i + 1th frame to the top frame of the stack is stored in any one of the frames. The corresponding return address and the hash value corresponding to the return address; wherein the hash value corresponding to the return address is based on the return address and the hash value corresponding to the return address stored in the previous frame of any frame in the stack, based on the Said any hash value generation algorithm, the hash value obtained; j> i≥1, where j is the sequence number of the top frame of the stack;

S2,若待验证hash值与预先生成的正确hash值不同,则确认待验证返回地址被篡改;其中,所述正确hash值预先根据栈中栈顶帧的未被篡改的返回地址和未被篡改的返回地址所对应的hash值,基于所述任一hash值生成算法获得的。S2. If the hash value to be verified is different from the correct hash value generated in advance, it is confirmed that the return address to be verified is tampered; wherein the correct hash value is based on the untampered return address and the untampered of the top frame of the stack in the stack in advance. The hash value corresponding to the return address of is obtained based on any one of the hash value generation algorithms.

具体地,本公开实施例利用主要hash算法来保护返回地址。hash算法具有一些独有的优点,例如很难通过hash的输出反推hash的输入,攻击者也很难通过控制输入来输出一个希望获得的输出值。本公开提出将返回地址和哈希值都通过一个链式结构来维护。如图2所示,最新的Hash值是根据最新的(堆栈中栈顶帧中所存储的)返回地址和前一个(堆栈中栈顶帧中所存储的)hash值计算得到。栈顶帧中的hash值是根据其前一个帧中存储的返回地址和Hash值计算得到。因此,堆栈中各帧中的返回地址和Hash值形成了一条链。Specifically, the embodiments of the present disclosure utilize a main hash algorithm to protect the return address. The hash algorithm has some unique advantages. For example, it is difficult to reverse the input of the hash through the output of the hash. It is also difficult for an attacker to control the input to output a desired output value. The present disclosure proposes to maintain both the return address and the hash value through a chain structure. As shown in Figure 2, the latest hash value is calculated based on the latest (stored in the top frame of the stack) return address and the previous (stored in the top frame of the stack) hash value. The hash value in the top frame of the stack is calculated based on the return address and hash value stored in the previous frame. Therefore, the return address and hash value in each frame in the stack form a chain.

其中,图3展示了本公开实施例的堆栈结构。与图4的正常栈结构相比,本公开实施例的栈结构将返回地址和其所对应的Hash值存储在了同一帧中。值得注意的是,同一帧中所存储的Hash值和返回地址是错开的,即第一个返回地址(Address 1)和一个随机数(RAND)存储在一起;第一个Hash值(Hash 1)根据第一个返回地址和随机数计算得到,和第二个返回地址存储在一起;依次类推,第二个Hash值和第三个返回地址存在一起;而最新的Hash值(Hash 3)保存在一个特殊的寄存器中(称之为Top寄存器)。其中,随机数RAND是Top寄存器的初始值。FIG. 3 illustrates a stack structure according to an embodiment of the present disclosure. Compared with the normal stack structure of FIG. 4, the stack structure of the embodiment of the present disclosure stores the return address and its corresponding hash value in the same frame. It is worth noting that the hash value and return address stored in the same frame are staggered, that is, the first return address (Address 1) and a random number (RAND) are stored together; the first hash value (Hash 1) Calculated according to the first return address and a random number, stored with the second return address; and so on, the second hash value exists with the third return address; and the latest hash value (Hash 3) is stored in A special register (called the Top register). Among them, the random number RAND is the initial value of the Top register.

进一步,介绍本公开实施例中以call和return指令为例介绍调用指令和返回指令的具体执行过程。Further, the specific implementation process of the call instruction and the return instruction is described by taking the call and return instructions as examples in the embodiments of the present disclosure.

首先介绍一下正常调用指令和返回指令的执行过程,然后介绍本公开 中调用指令和返回指令的执行过程,图5展示了本公开中调用指令和正常执行过程不同的特殊过程,图6展示了本公开中返回指令和正常执行过程不同的特殊过程。First introduce the execution process of the normal call instruction and the return instruction, and then introduce the execution process of the call instruction and the return instruction in the present disclosure. FIG. 5 shows a special process different from the normal execution process of the call instruction in the present disclosure, and FIG. 6 shows this The return instruction is a special procedure that is different from the normal execution procedure.

正常调用指令(Call指令)执行:1)将返回地址压栈,2)将调用指令(Call指令)的目标地址存入PC(相当于跳转到目标地址执行)。The normal call instruction (Call instruction) is executed: 1) the return address is pushed onto the stack, and 2) the target address of the call instruction (Call instruction) is stored in the PC (equivalent to jumping to the target address for execution).

正常返回指令(return指令)执行:1)将返回地址出栈,2)将返回地址存入PC(相当于跳转到返回地址执行)。The normal return instruction (return instruction) is executed: 1) the return address is popped from the stack, and 2) the return address is stored in the PC (equivalent to jumping to the return address for execution).

本公开的调用指令(Call指令)执行:1)将Top寄存器中的hash值和返回地址(栈顶帧的未被篡改的返回地址)一起压栈,2)将压栈的数据(即第1步中的hash值和返回地址)当做hash函数的输入,计算得到新的hash值(正确hash值),将新的hash值存入Top寄存器中,3)将调用指令(Call指令)的目标地址存入PC。The calling instruction (Call instruction) of the present disclosure is executed: 1) pushing the hash value in the Top register together with the return address (the untampered return address of the top frame of the stack), 2) pushing the pushed data (that is, the first Step hash value and return address) as the input of the hash function, calculate the new hash value (correct hash value), store the new hash value in the Top register, 3) the target address of the call instruction (Call instruction) Save to PC.

本公开实施例的返回指令(return指令)执行:1)将栈顶帧中的hash值和返回地址(待验证返回地址)出栈,计算出栈的hash值和返回地址(待验证返回地址)的hash值(待验证hash值),2)将计算得到的hash值(待验证hash值),与Top寄存器中保存的hash值(正确hash值)进行对比。如果两者不相等,说明出现异常,应该报警并中断程序运行。如果两者相等,则正常,继续执行。3)将出栈的hash值存入Top寄存器中(出栈的hash值,而不是待验证hash值)。4)当待验证hash值与正确hash值相等时,将待验证返回地址返回地址存入PC;当待验证hash值与正确hash值不相等时,出现异常并中断程序。The return instruction (return instruction) of the embodiment of the present disclosure is executed: 1) The hash value and the return address (the return address to be verified) are popped from the top frame of the stack, and the hash value and the return address (the return address to be verified) of the stack are calculated. The hash value (the hash value to be verified), 2) comparing the calculated hash value (the hash value to be verified) with the hash value (the correct hash value) stored in the Top register. If the two are not equal, it means that an abnormality has occurred, the alarm should be issued and the program running should be interrupted. If they are equal, it is normal and execution continues. 3) Store the popped hash value in the Top register (the popped hash value, not the hash value to be verified). 4) When the hash value to be verified is equal to the correct hash value, the return address to be verified is stored in the PC; when the hash value to be verified is not equal to the correct hash value, an exception occurs and the program is interrupted.

在本公开另一个具体实施例中,提供一种检测堆栈中返回地址被篡改的方法,用于执行所述检测堆栈中返回地址被篡改的方法的处理器中,还包括一个Top寄存器,其中,所述Top寄存器用于存储所述正确hash值,且Top寄存器中所存储的正确hash值只能通过预设指令修改。In another specific embodiment of the present disclosure, a method for detecting a tampered return address in a stack is provided. A processor for executing the method for detecting a tampered return address in a stack further includes a Top register, where: The Top register is used to store the correct hash value, and the correct hash value stored in the Top register can only be modified by a preset instruction.

在本公开另一个具体实施例中,提供一种检测堆栈中返回地址被篡改的方法,用于执行所述检测堆栈中返回地址被篡改的方法的处理器中,还包括一个Salt寄存器,用于存储一个挑战值,所述挑战值作为哈希函数的另一个输入,所述挑战值只能通过预设指令修改。In another specific embodiment of the present disclosure, a method for detecting tampering with a return address in a stack is provided. The processor for executing the method for detecting tampering with a return address in a stack further includes a Salt register for: A challenge value is stored as another input of the hash function, and the challenge value can only be modified by a preset instruction.

其中,为了实现上述具体实施例,实际开发中需要在执行本公开实施 例一种检测堆栈中返回地址被篡改的方法的处理器中增加至少一个寄存器,至少包括Top寄存器,还可能包括Salt寄存器。Top寄存器用于保存最新的hash值,Salt寄存器中所存储的挑战值是hash函数的另一个输入,一般为一个随机值、也可以是其他类型的值,进一步加大hash函数被猜测破解的难度。Among them, in order to implement the above specific embodiment, in the actual development, it is necessary to add at least one register, including at least a Top register, and possibly a Salt register, to a processor executing a method for detecting a return address in a stack in the embodiment of the present disclosure. The Top register is used to store the latest hash value. The challenge value stored in the Salt register is another input to the hash function. It is generally a random value or other types of values, which further increases the difficulty of guessing and cracking the hash function. .

在一个进程最开始,分别将Top寄存器和Salt寄存器设置为随机数或者是通过其他方式生成的非随机数,其中,随机数为最优选的。硬件应该确保Top寄存器中所存储的正确hash值和Salt寄存器中所存储的挑战值只能通过预设指令修改,否则本公开就失去了防御效果。而保护几个特殊的寄存器不被攻击者修改是很容易实现的。就算攻击者读取了Salt寄存器,本公开仍能保证攻击者无法轻易篡改返回地址,仍然具有较高的安全性。At the beginning of a process, the Top register and the Salt register are set to random numbers or non-random numbers generated by other methods, among which random numbers are the most preferred. The hardware should ensure that the correct hash value stored in the Top register and the challenge value stored in the Salt register can only be modified by preset instructions, otherwise the disclosure will lose its defensive effect. It is easy to protect several special registers from being modified by an attacker. Even if the attacker reads the Salt register, this disclosure can still guarantee that the attacker cannot easily tamper with the return address, and still has high security.

硬件无需保证Top寄存器不被攻击者读取。攻击者能否读取Top寄存器,对本公开的安全性没有影响。The hardware does not need to ensure that the Top register is not read by an attacker. Whether an attacker can read the Top register has no impact on the security of this disclosure.

在本公开另一个具体实施例中,提供一种检测堆栈中返回地址被篡改的方法,所述Salt寄存器中存储的挑战值和Top寄存器中所存储的正确hash值无法通过预设特权指令外的指定读取。其中,硬件应该尽量保证Salt寄存器不被攻击者读取,这在技术上也是比较容易实现的。此外,就算攻击者读取了Salt寄存器,本公开仍能保证攻击者无法轻易篡改返回地址,仍然具有较高的安全性。In another specific embodiment of the present disclosure, a method for detecting that a return address in a stack is tampered with is provided. The challenge value stored in the Salt register and the correct hash value stored in the Top register cannot pass the pre-defined privilege instruction. Specify read. Among them, the hardware should try to ensure that the Salt register is not read by an attacker, which is also relatively easy to implement technically. In addition, even if the attacker reads the Salt register, the disclosure can still guarantee that the attacker cannot easily tamper with the return address, and still has high security.

在本公开另一个具体实施例中,提供一种检测堆栈中返回地址被篡改的方法,用于执行所述检测堆栈中返回地址被篡改的方法的处理器中,还包括一个用于执行所述任一hash值生成算法的hash计算模块。In another specific embodiment of the present disclosure, a method for detecting tampering with a return address in a stack is provided. The processor for executing the method for detecting tampering with a return address in a stack further includes a method for executing the method. A hash calculation module for any hash value generation algorithm.

其中,本公开实施例对hash算法的选择没有太多要求,可以使用任意的hash算法,甚至可以使用其他加解密算法。The embodiment of the present disclosure does not have too many requirements on the selection of the hash algorithm. Any hash algorithm may be used, and even other encryption and decryption algorithms may be used.

在本公开另一个具体实施例中,提供一种检测堆栈中返回地址被篡改的方法,所述堆栈中任一返回地址,和与所述任一返回地址所对应的hash值分别单独保存在所述堆栈中同一栈帧内的不同位置上。如图7所示,在本公开具体实施例中,将返回地址和hash值分开不同位置进行存储称之为非压缩结构(或者正常结构)。In another specific embodiment of the present disclosure, a method for detecting that a return address in a stack is tampered with is provided. Any return address in the stack and a hash value corresponding to any of the return addresses are separately stored in all locations. It is described in different positions in the same stack frame in the stack. As shown in FIG. 7, in a specific embodiment of the present disclosure, storing a return address and a hash value at different locations for storage is called an uncompressed structure (or a normal structure).

在本公开另一个具体实施例中,提供一种检测堆栈中返回地址被篡改 的方法,在64位操作系统中,所述堆栈中任一返回地址正常保存在所述堆栈中的任一位置上,与所述任一返回地址所对应的hash值保存在所述任一位置的高位空间中。In another specific embodiment of the present disclosure, a method for detecting that a return address in a stack is tampered with is provided. In a 64-bit operating system, any return address in the stack is normally stored in any position in the stack. The hash value corresponding to any one of the return addresses is stored in a high-order space of any one of the positions.

具体地,发现在64位系统中,返回地址占用了64位,但是实际上真实的返回地址并没有这么长,一般只有40多位。所以,64位的高位是空闲的。因此,可以将hash值保存到64位中的高位。这种存储结构称之为压缩结构,如图7所示。压缩结构相较于原始的栈结构区别只有栈中返回地址的值(而在布局上是完全一致的)。这带来了一个最主要的有益效果是可以兼容之前的二进制,这是因为多数程序遵循下列规律:(1)调用指令和返回指令是匹配的;(2)只有调用指令和返回指令使用返回地址,其他指令不使用;(3)栈中的其他值都是根据偏移来确定位置的,保持布局的话其他栈中数据都能直接被正确使用。相应地,同时为了达到上述有益效果,需要配套的操作为:达到这一目标需要的操作是:将原程序中的所有(或匹配的部分)调用指令和返回指令替换为本公开实施例中的调用指令和返回指令,并使用压缩结构。同时,采用压缩结构相比不压缩结构还具有节省空间的有益效果。Specifically, it is found that in a 64-bit system, the return address occupies 64 bits, but the actual return address is actually not so long, generally only more than 40 bits. Therefore, the upper 64 bits are free. Therefore, it is possible to save the hash value to the upper bit of 64 bits. This storage structure is called a compressed structure, as shown in Figure 7. The difference between the compressed structure and the original stack structure is only the value of the return address in the stack (and the layout is completely consistent). This brings a major beneficial effect is that it can be compatible with the previous binary, because most programs follow the following rules: (1) the call instruction and the return instruction match; (2) only the call instruction and the return instruction use the return address , Other instructions are not used; (3) other values in the stack are determined based on the offset. If the layout is maintained, the data in other stacks can be used directly. Correspondingly, in order to achieve the above-mentioned beneficial effects, the supporting operations are as follows: the operations required to achieve this goal are: replacing all (or matching parts) call instructions and return instructions in the original program with the Invoke and return instructions, and use compressed structures. At the same time, the use of a compressed structure also has the beneficial effect of saving space compared to an uncompressed structure.

当然,除了返回地址,还有一些数据可能保存在64位的高位,比如ASLR的随机数等。但是,无论如何,这些数据都没有将64位的空间全部用完,往往能剩下20多位的空闲空间,足够用于保存hash值。Of course, in addition to the return address, some data may be stored in the upper 64 bits, such as the ASLR random number. However, in any case, these data have not used up all the 64-bit space. Often, more than 20 bits of free space can be left, which is sufficient for storing hash values.

在本公开另一个具体实施例中,提供一种检测堆栈中返回地址被篡改的方法,所述S2之后还包括:中断程序运行并将待验证返回地址所对应的hash值存储在Top寄存器中。In another specific embodiment of the present disclosure, a method for detecting that a return address in a stack is tampered is provided. After S2, the method further includes: interrupting a program running and storing a hash value corresponding to the return address to be verified in a Top register.

如果确认待验证返回地址被篡改,说明出现异常,应该报警并中断程序运行。If it is confirmed that the to-be-returned return address has been tampered with, it indicates that an abnormality has occurred, and an alarm should be issued and the program running interrupted.

在本公开另一个具体实施例中,提供一种检测堆栈中返回地址被篡改的方法,若待验证hash值与预先生成的正确hash值相同,则确认待验证返回地址没有被篡改。In another specific embodiment of the present disclosure, a method for detecting that a return address in a stack is tampered with is provided. If the hash value to be verified is the same as a pre-generated correct hash value, it is confirmed that the return address to be verified has not been tampered with.

在本公开另一个具体实施例中,提供一种检测堆栈中返回地址被篡改的方法,用于执行所述检测堆栈中返回地址被篡改的方法的处理器中,还包括一个计数器,用于对所述堆栈执行一次调用指令(例如Call指令)时 计数加一,对所述堆栈执行一次返回指令(例如return指令)时计数减一;当进程结束时,若计数器的计数数量不为0或Top寄存器中正确hash值被修改,则进行报错。In another specific embodiment of the present disclosure, a method for detecting a tampered return address in a stack is provided. A processor for executing the method for detecting a tampered return address in a stack further includes a counter for When the stack executes a call instruction (such as a Call instruction), the count increases by one, and when the stack executes a return instruction (such as a return instruction), the count decreases by one; when the process ends, if the counter count is not 0 or Top If the correct hash value in the register is modified, an error is reported.

本公开具体实施例考虑到假设攻击者的能力极强,拥有无限的计算能力,那么攻击者可能通过hash碰撞强行篡改返回地址,并且构造相同的hash值。对于这种极端情况,本公开实施例仍然有办法发现,即攻击者无法控制Top寄存器的值,无法保证攻击结束后的Top寄存器的值和初始值是一样的,就必然会留下攻击的痕迹。The specific embodiment of the present disclosure considers that it is assumed that the attacker's ability is extremely strong and has unlimited computing power. Then, the attacker may forcibly tamper with the return address through hash collision and construct the same hash value. For this extreme case, the embodiments of the present disclosure still have a way to discover that the attacker cannot control the value of the Top register and cannot guarantee that the value of the Top register after the attack is the same as the initial value, leaving traces of the attack. .

本公开实施例中再增加一个Number计数器,记录调用指令和返回指令的执行次数,确保调用指令和返回指令的数量是一样的。进程开始,将Number计数器初始化为0;执行一次调用指令,将计数number加一;执行一次返回指令,将计数number减一;如果进程结束,number应该为0,否则报错,终止程序运行。In the embodiment of the present disclosure, a Number counter is further added to record the execution times of the call instruction and the return instruction to ensure that the number of the call instruction and the return instruction is the same. At the beginning of the process, the Number counter is initialized to 0; a call instruction is executed to increment the count number by one; a return instruction is executed to decrement the count number by one; if the process ends, the number should be 0, otherwise an error is reported and the program is terminated.

同样,进程结束退出时,Top寄存器的值应该等于进程最开始时Top寄存器的初始值,否则就认为发生了攻击,报错并终止运行。Similarly, when the process ends and exits, the value of the Top register should be equal to the initial value of the Top register at the beginning of the process, otherwise it is considered that an attack has occurred, an error is reported, and the operation is terminated.

如果考虑到进程可能中途退出,还需要保存并监控Top寄存器和Number寄存器的值,确保中途退出时Top寄存器和Number寄存器的值是匹配的。If you consider that the process may exit halfway, you also need to save and monitor the values of the Top and Number registers to ensure that the values of the Top and Number registers match when exiting halfway.

如图8所示,示出本公开一种检测堆栈中返回地址被篡改的装置的整体框架示意图,总体上,包括:As shown in FIG. 8, a schematic diagram of an overall framework of a device for detecting tampering of a return address in a stack according to the present disclosure is shown. Generally, the device includes:

hash值计算模块A1,用于根据堆栈中栈顶帧中所存储的待验证返回地址和待验证返回地址所对应的hash值,基于任一hash值生成算法,获得待验证hash值;A hash value calculation module A1 is configured to obtain a hash value to be verified based on any hash value generation algorithm according to the hash value corresponding to the verification return address and the verification return address stored in the top frame of the stack in the stack;

其中,所述堆栈中的第i帧中存储了第i个返回地址和一个随机数;所述堆栈中第i+1帧至栈顶帧中的任一帧中存储了所述任一帧所对应的返回地址和返回地址所对应的hash值,其中,返回地址所对应的hash值根据栈中所述任一帧的前一帧中存储的返回地址和返回地址所对应的hash值,基于所述任一hash值生成算法,获得的hash值;j>i≥1,其中j为栈顶帧的序号;Wherein, the i-th return address and a random number are stored in the i-th frame in the stack, and any one of the frames from the i + 1th frame to the top frame of the stack is stored in any one of the frames. The corresponding return address and the hash value corresponding to the return address, wherein the hash value corresponding to the return address is based on the return address and the hash value corresponding to the return address stored in the previous frame of any frame in the stack, based on the Said any hash value generation algorithm, the hash value obtained; j> i≥1, where j is the sequence number of the top frame of the stack;

验证模块A2,用于若待验证hash值与预先生成的正确hash值不同, 则确认待验证返回地址被篡改;其中,所述正确hash值预先根据栈中栈顶帧的未被篡改的返回地址和未被篡改的返回地址所对应的hash值,基于所述任一hash值生成算法获得的。The verification module A2 is configured to confirm that the return address to be verified is tampered if the hash value to be verified is different from the correct hash value generated in advance; wherein the correct hash value is based on the untampered return address of the top frame of the stack in the stack in advance The hash value corresponding to the return address that has not been tampered with is obtained based on any one of the hash value generation algorithms.

在本公开另一个具体实施例中,提供一种检测堆栈中返回地址被篡改的装置,所述用于执行所述检测堆栈中返回地址被篡改的方法的处理器中,还包括一个Top寄存器和一个Salt寄存器:In another specific embodiment of the present disclosure, a device for detecting tampering with a return address in a stack is provided. The processor for executing the method for detecting tampering with a return address in a stack further includes a Top register and A Salt register:

其中,所述Top寄存器用于存储所述正确hash值,且中所存储的正确hash值只能通过预设指令修改;The Top register is used to store the correct hash value, and the correct hash value stored in the Top register can only be modified by a preset instruction;

所述Salt寄存器用于存储一个挑战值,所述挑战值作为哈希函数的另一个输入,所述挑战值只能通过预设指令修改。The Salt register is used to store a challenge value, which is used as another input of a hash function, and the challenge value can only be modified by a preset instruction.

为了让上述本公开真正应用于真实系统,还需要编译器、操作系统等各方面的支持。操作系统需要知道几个特殊寄存器的存在(包括Top寄存器和Salt寄存器等)。在每一个进程开始,初始化这些寄存器的值,设置为随机数。在进程切换时,保存这些寄存器的值,确保每一个进程都有自己的相关信息,不会相互影响。编译器也需要知道这些特殊寄存器。如果是非压缩结构,需要编译器添加一些代码,用于操作使用这些寄存器。如果是压缩结构,编译器需要知道64位返回地址的具体布局,哪些位是返回地址,哪些位是hash值,方便编译器向程序中添加专门的处理代码。如果编译器有足够的支持,本公开也可以使用编译器来实现(而不需要硬件的支持)。但是,这样实现的效率相比单纯硬件实现低,性能损耗约3%。In order for the above disclosure to be truly applied to a real system, support from various aspects such as a compiler, an operating system, and the like is also required. The operating system needs to know the existence of several special registers (including Top and Salt registers, etc.). At the beginning of each process, the values of these registers are initialized and set to random numbers. When the process is switched, the values of these registers are saved to ensure that each process has its own relevant information and will not affect each other. The compiler also needs to know these special registers. If it is an uncompressed structure, the compiler needs to add some code to operate using these registers. If it is a compressed structure, the compiler needs to know the specific layout of the 64-bit return address, which bits are the return address, and which bits are the hash value, so that the compiler can add special processing code to the program. If the compiler has sufficient support, the present disclosure can also be implemented using a compiler (without requiring hardware support). However, the efficiency of this implementation is lower than that of hardware-only implementation, and the performance loss is about 3%.

本公开具有很高的灵活性和兼容性。比如采用多链的结构,每隔一定数量的返回地址采用不同的链来保护;某些地址保护,某些地址不保护。从而加大攻击者破解的难度。本公开和其他防御方法也不冲突,可以联合使用。The present disclosure is highly flexible and compatible. For example, a multi-chain structure is adopted, and every certain number of return addresses are protected by different chains; some addresses are protected, and some addresses are not protected. This makes it more difficult for attackers to crack. This disclosure is not in conflict with other defense methods, and can be used in combination.

和其他技术相比,本上述各具体实施例采用了链式技术,即将返回地址和哈希值作为一个链连起来,是本公开最核心的思想。本公开利用哈希计算来保护返回地址,哈希计算具有独有的一些优点。比如知道最终的哈希值,但很难以此推导原始值。但是,值得注意的是,仍然存在利用其它加解密算法来替代哈希算法的可能性。链式哈希带来了各方面的优点,比如安全性高、性能损耗小、设计复杂度低等。Compared with other technologies, the above specific embodiments adopt a chain technology, that is, linking the return address and the hash value as a chain is the core idea of the present disclosure. This disclosure utilizes hash calculations to protect the return address. Hash calculations have some unique advantages. Such as knowing the final hash value, but it is difficult to derive the original value from this. However, it is worth noting that there is still the possibility of using other encryption and decryption algorithms to replace the hash algorithm. Chained hashing brings various advantages, such as high security, low performance loss, and low design complexity.

同时,本公开上述实施例优于现有方法,从安全性、性能、设计复杂度、兼容性、实用性等各方面。与某一个具体技术相比,本公开在某些方面更好,而其他方面也能确保不差于该技术。At the same time, the above-mentioned embodiments of the present disclosure are superior to existing methods in terms of security, performance, design complexity, compatibility, practicality, and the like. Compared with a specific technology, the present disclosure is better in some aspects, while other aspects can ensure that it is not worse than the technology.

首先,本公开能够严格保证返回地址不会被恶意篡改,安全性比其他方法都高。比如,影子栈无法避免影子栈的备份数据不被修改,而栈保护无法避免保护值的泄露。First, the present disclosure can strictly guarantee that the return address cannot be maliciously tampered with, and the security is higher than other methods. For example, the shadow stack cannot prevent the backup data of the shadow stack from being modified, and stack protection cannot prevent the leakage of protection values.

其次,根据实验,使用硬件支持的本公开的性能损耗只有0.15%,低于现有的各种方法。Secondly, according to experiments, the performance loss of the present disclosure using hardware support is only 0.15%, which is lower than various existing methods.

在硬件上,本公开只需要增加几个寄存器和一个哈希运算模块,设计复杂度很低,容易实现。而其他方法,如影子栈,可能要修改页表管理机制,复杂度比本公开要高很多。In terms of hardware, the present disclosure only needs to add a few registers and a hash operation module, the design complexity is very low, and it is easy to implement. While other methods, such as shadow stacks, may require modification of the page table management mechanism, the complexity is much higher than this disclosure.

本公开通用性高,能用于任何主流的计算机系统。函数调用和返回是最基本的程序功能,所有计算机都支持,而本公开能用于所有支持函数调用和返回的计算机系统。The present disclosure is highly versatile and can be used in any mainstream computer system. Function calls and returns are the most basic program functions supported by all computers, and the present disclosure can be used for all computer systems that support function calls and returns.

本公开兼容性高,对系统的改动很小,能够很好的加入现有的计算机系统。The disclosure has high compatibility, and small changes to the system, and can be well incorporated into existing computer systems.

总之,本公开是一个非常实用的技术,能够非常容易的应用到真实的系统中。In summary, the present disclosure is a very practical technology that can be easily applied to real systems.

此外,本公开还有一些独有的优点。比如,一旦攻击成功,现有的防御方法都无法发现。而本公开就算真的被攻击者破解,但是攻击者必然会留下攻击痕迹,从而必然会被发现。In addition, the present disclosure has some unique advantages. For example, once an attack is successful, none of the existing defense methods can be found. Even if this disclosure is really cracked by an attacker, the attacker will inevitably leave traces of the attack, and thus will be found.

最后,本申请的方法仅为较佳的实施方案,并非用于限定本公开实施例的保护范围。凡在本公开实施例的精神和原则之内,所作的任何修改、等同替换、改进等,均应包含在本公开实施例的保护范围之内。Finally, the method of the present application is only a preferred implementation, and is not intended to limit the protection scope of the embodiments of the present disclosure. Any modification, equivalent replacement, or improvement made within the spirit and principle of the embodiments of the present disclosure shall be included in the protection scope of the embodiments of the present disclosure.

Claims (10)

一种检测堆栈中返回地址被篡改的方法,其特征在于,包括:A method for detecting that a return address in a stack has been tampered with is characterized by: S1,根据堆栈中栈顶帧中所存储的待验证返回地址和待验证返回地址所对应的hash值,基于任一hash值生成算法,获得待验证hash值;S1. Obtain a hash value to be verified based on any hash value generation algorithm according to the hash value corresponding to the return address to be verified and the hash value corresponding to the return address to be verified stored in the top frame of the stack; 其中,所述堆栈中的第i帧中存储了第i个返回地址和一个随机数;所述堆栈中第i+1帧至栈顶帧中的任一帧中存储了所述任一帧所对应的返回地址和返回地址所对应的hash值;其中,返回地址所对应的hash值根据栈中所述任一帧的前一帧中存储的返回地址和返回地址所对应的hash值,基于所述任一hash值生成算法,获得的hash值;j>i≥1,其中j为栈顶帧的序号;Wherein, the i-th return address and a random number are stored in the i-th frame in the stack, and any one of the frames from the i + 1th frame to the top frame of the stack is stored in any one of the frames. The corresponding return address and the hash value corresponding to the return address; wherein the hash value corresponding to the return address is based on the return address and the hash value corresponding to the return address stored in the previous frame of any frame in the stack, based on the Said any hash value generation algorithm, the hash value obtained; j> i≥1, where j is the sequence number of the top frame of the stack; S2,若待验证hash值与预先生成的正确hash值不同,则确认待验证返回地址被篡改;其中,所述正确hash值预先根据栈中栈顶帧的未被篡改的返回地址和未被篡改的返回地址所对应的hash值,基于所述任一hash值生成算法获得的。S2. If the hash value to be verified is different from the correct hash value generated in advance, it is confirmed that the return address to be verified is tampered; wherein the correct hash value is based on the untampered return address and the untampered frame top frame of the stack The hash value corresponding to the return address of is obtained based on any one of the hash value generation algorithms. 根据权利要求1所述的方法,其特征在于,用于执行所述检测堆栈中返回地址被篡改的方法的处理器中,还包括一个Top寄存器,所述Top寄存器用于存储所述正确hash值,且Top寄存器中所存储的正确hash值只能通过预设指令修改。The method according to claim 1, wherein the processor for executing the method for detecting that a return address in the stack is tampered with further comprises a Top register, wherein the Top register is used to store the correct hash value The correct hash value stored in the Top register can only be modified by a preset instruction. 根据权利要求2所述的方法,其特征在于,用于执行所述检测堆栈中返回地址被篡改的方法的处理器中,还包括一个用于执行所述任一hash值生成算法的hash计算模块。The method according to claim 2, wherein the processor for executing the method for detecting that a return address in the stack is tampered with, further comprises a hash calculation module for executing any one of the hash value generation algorithms . 根据权利要求1所述的方法,其特征在于,所述堆栈中任一返回地址,和与所述任一返回地址所对应的hash值分别单独保存在所述堆栈中同一栈帧内的不同位置上。The method according to claim 1, wherein any return address in the stack and a hash value corresponding to any of the return addresses are separately stored in different positions in a same stack frame in the stack. on. 根据权利要求1所述的方法,其特征在于,S2还包括:The method according to claim 1, wherein S2 further comprises: 若待验证hash值与预先生成的正确hash值相同,则确认待验证返回地址没有被篡改。If the hash value to be verified is the same as the correct hash value generated in advance, it is confirmed that the return address to be verified has not been tampered with. 一种检测堆栈中返回地址被篡改的装置,其特征在于,包括:A device for detecting that a return address in a stack has been tampered with, comprising: hash值计算模块,用于根据堆栈中栈顶帧中所存储的待验证返回地址和待验证返回地址所对应的hash值,基于任一hash值生成算法,获得待 验证hash值;A hash value calculation module is configured to obtain an hash value to be verified based on any hash value generation algorithm based on the hash value corresponding to the return address to be verified and the hash value corresponding to the return address to be verified stored in the top frame of the stack in the stack; 其中,所述堆栈中的第i帧中存储了第i个返回地址和一个随机数;所述堆栈中第i+1帧至栈顶帧中的任一帧中存储了所述任一帧所对应的返回地址和返回地址所对应的hash值;其中,返回地址所对应的hash值根据栈中所述任一帧的前一帧中存储的返回地址和返回地址所对应的hash值,基于所述任一hash值生成算法,获得的hash值;j>i≥1,其中j为栈顶帧的序号;Wherein, the i-th return address and a random number are stored in the i-th frame in the stack, and any one of the frames from the i + 1th frame to the top frame of the stack is stored in any one of the frames. The corresponding return address and the hash value corresponding to the return address; wherein the hash value corresponding to the return address is based on the return address and the hash value corresponding to the return address stored in the previous frame of any frame in the stack, based on the Said any hash value generation algorithm, the hash value obtained; j> i≥1, where j is the sequence number of the top frame of the stack; 验证模块,用于判断若待验证hash值与预先生成的正确hash值不同,则确认待验证返回地址被篡改;其中,所述正确hash值预先根据栈中栈顶帧的未被篡改的返回地址和未被篡改的返回地址所对应的hash值,基于所述任一hash值生成算法获得的。A verification module, configured to determine that if the hash value to be verified is different from the pre-generated correct hash value, to confirm that the return address to be verified has been tampered with; the correct hash value is based on the untampered return address of the top frame of the stack in the stack in advance; The hash value corresponding to the return address that has not been tampered with is obtained based on any one of the hash value generation algorithms. 根据权利要求6所述的装置,其特征在于,还包括一个Top寄存器,所述Top寄存器用于存储所述正确hash值,且Top寄存器中所存储的正确hash值只能通过预设指令修改。The device according to claim 6, further comprising a Top register, wherein the Top register is used to store the correct hash value, and the correct hash value stored in the Top register can only be modified by a preset instruction. 根据权利要求7所述的装置,其特征在于,还包括一个用于执行所述任一hash值生成算法的hash计算模块。The apparatus according to claim 7, further comprising a hash calculation module for executing the any one of the hash value generation algorithms. 根据权利要求6所述的装置,其特征在于,所述堆栈中任一返回地址,和与所述任一返回地址所对应的hash值分别单独保存在所述堆栈中同一栈帧内的不同位置上。The apparatus according to claim 6, wherein any return address in the stack and a hash value corresponding to any of the return addresses are separately stored in different positions in a same stack frame in the stack. on. 根据权利要求6所述的装置,其特征在于,所述验证模块还用于判断若待验证hash值与预先生成的正确hash值相同,则确认待验证返回地址没有被篡改。The device according to claim 6, wherein the verification module is further configured to determine that if the hash value to be verified is the same as the correct hash value generated in advance, it is confirmed that the return address to be verified has not been tampered with.
PCT/CN2019/106686 2018-09-21 2019-09-19 Method and apparatus for detecting that return address in stack has been tampered with Ceased WO2020057603A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201811109566.2 2018-09-21
CN201811109566.2A CN109409082A (en) 2018-09-21 2018-09-21 The method and device that return address is tampered in detection storehouse

Publications (1)

Publication Number Publication Date
WO2020057603A1 true WO2020057603A1 (en) 2020-03-26

Family

ID=65466234

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/106686 Ceased WO2020057603A1 (en) 2018-09-21 2019-09-19 Method and apparatus for detecting that return address in stack has been tampered with

Country Status (2)

Country Link
CN (1) CN109409082A (en)
WO (1) WO2020057603A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109409082A (en) * 2018-09-21 2019-03-01 中国科学院信息工程研究所 The method and device that return address is tampered in detection storehouse
CN110378109A (en) * 2019-06-26 2019-10-25 中国科学院信息工程研究所 Reduce the method and system of chain type Hash stack performance loss
CN112463536B (en) * 2020-11-27 2022-08-05 宁波拓普集团股份有限公司 System and method for monitoring illegal tampering of software stack area
CN112347487B (en) * 2020-11-30 2025-01-17 杭州安恒信息技术股份有限公司 A debugging and analysis method for stack overflow vulnerabilities in MIPS instruction set programs

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101344904A (en) * 2008-09-02 2009-01-14 中国科学院软件研究所 A Dynamic Measurement Method
US8196110B2 (en) * 2007-11-30 2012-06-05 International Business Machines Corporation Method and apparatus for verifying a suspect return pointer in a stack
CN106295322A (en) * 2016-07-26 2017-01-04 北京航空航天大学 A kind of hardware protection model for buffer overflow attack
EP3373178A1 (en) * 2017-03-08 2018-09-12 Secure-IC SAS Comparison of execution context data signatures with references
CN109409082A (en) * 2018-09-21 2019-03-01 中国科学院信息工程研究所 The method and device that return address is tampered in detection storehouse

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8705531B2 (en) * 2010-05-18 2014-04-22 Lsi Corporation Multicast address learning in an input/output adapter of a network processor
CN103942152B (en) * 2014-04-28 2017-01-04 中国人民解放军国防科学技术大学 Support the distributed stacked data storage method of SIMD architecture

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8196110B2 (en) * 2007-11-30 2012-06-05 International Business Machines Corporation Method and apparatus for verifying a suspect return pointer in a stack
CN101344904A (en) * 2008-09-02 2009-01-14 中国科学院软件研究所 A Dynamic Measurement Method
CN106295322A (en) * 2016-07-26 2017-01-04 北京航空航天大学 A kind of hardware protection model for buffer overflow attack
EP3373178A1 (en) * 2017-03-08 2018-09-12 Secure-IC SAS Comparison of execution context data signatures with references
CN109409082A (en) * 2018-09-21 2019-03-01 中国科学院信息工程研究所 The method and device that return address is tampered in detection storehouse

Also Published As

Publication number Publication date
CN109409082A (en) 2019-03-01

Similar Documents

Publication Publication Date Title
Strackx et al. Ariadne: A minimal approach to state continuity
Lee et al. Enlisting hardware architecture to thwart malicious code injection
Tuck et al. Hardware and binary modification support for code pointer protection from buffer overflow
Younan et al. PAriCheck: an efficient pointer arithmetic checker for C programs
CN109409084B (en) A chained data storage structure to detect tampered return address
US9390264B2 (en) Hardware-based stack control information protection
WO2020057603A1 (en) Method and apparatus for detecting that return address in stack has been tampered with
CN109858253B (en) LBR-based stack buffer overflow attack defense method
CN109409086B (en) Device for detecting tampered return address in stack based on newly added instruction
US10528729B2 (en) Methods and systems for defending against cyber-attacks
CN112100686B (en) Core code pointer integrity protection method based on ARM pointer verification
CN101866406A (en) A defense method for stack overflow attack
US10572666B2 (en) Return-oriented programming mitigation
CN109409083B (en) Device for detecting return address tampering in stack
CN107545174A (en) A kind of system and method for resisting controlling stream abduction based on LLVM
Ruan et al. Survey of return‐oriented programming defense mechanisms
CN109508537A (en) The method and device that return address is tampered in detection storehouse
CN109409085A (en) The method and device that return address is tampered in processing storehouse
CN109508539A (en) The chained stack structure that return address is tampered in detection storehouse
CN109446797A (en) The device that return address is tampered in detection storehouse
JP5766648B2 (en) Control monitoring device, control monitoring method, and control monitoring program
CN117972799A (en) Pointer protection method and computer system applied to ARM processor
US10776460B2 (en) Proactive security system based on code polymorphism
Co et al. Double helix and raven: a system for cyber fault tolerance and recovery
CN109508538A (en) The stack architecture that return address is tampered in a kind of detection storehouse

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19861558

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19861558

Country of ref document: EP

Kind code of ref document: A1