
CN114707143B - Method and device for monitoring memory data corruption attacks - Google Patents

Method and device for monitoring memory data corruption attacks

Info

Publication number
CN114707143B
Authority
CN
China
Prior art keywords
data
memory
key data
instruction
analysis
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210253761.2A
Other languages
Chinese (zh)
Other versions
CN114707143A (en)
Inventor
陈李维
聂晓帆
张元瞳
魏浩来
史岗
孟丹
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS
Events

    • Application CN202210253761.2A filed by Institute of Information Engineering of CAS
    • Priority claimed from CN202210253761.2A
    • Publication of CN114707143A
    • Application granted
    • Publication of CN114707143B
    • Legal status: Active

Classifications

    • G PHYSICS
        • G06 COMPUTING OR CALCULATING; COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
                        • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
                            • G06F21/54 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by adding security routines or objects to programs
                • G06F8/00 Arrangements for software engineering
                    • G06F8/40 Transformation of program code
                        • G06F8/41 Compilation
                            • G06F8/42 Syntactic analysis
                                • G06F8/427 Parsing
                            • G06F8/44 Encoding
                                • G06F8/447 Target code generation
                    • G06F8/70 Software maintenance or management
                        • G06F8/75 Structural analysis for program understanding

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention provides a method and device for monitoring memory data corruption attacks. The method comprises: performing static analysis on the program's memory data to identify key data; inserting a tag check instruction before each memory read instruction, function call instruction and function return instruction of the memory data, and a tag-setting instruction before each memory write instruction, to obtain an instrumented executable file; and executing the executable file, performing the tag checks at the memory read, function call and function return instructions that operate on key data. By locking onto the key data within the memory data, the invention reduces the amount of data that has to be protected and proposes a data flow integrity defense mechanism based on key data, so that memory data corruption attacks are monitored more efficiently at run time.

Description

Method and device for monitoring memory data corruption attacks

Technical Field

The invention relates to the field of computer technology, and in particular to a method and device for monitoring memory data corruption attacks.

Background Art

Programs written in C/C++ contain various memory vulnerabilities. A memory vulnerability is a temporal or spatial error in the way the programmer handles memory, a security defect that lets the program behave in ways its design does not permit. By triggering such vulnerabilities an attacker can leak or modify memory data and then mount a range of attacks with serious consequences.

Common attacks include return-oriented programming (ROP), jump-oriented programming (JOP) and data-oriented programming (DOP). In a ROP attack the attacker first places the addresses of a series of gadgets on the stack; when the CPU reaches a return instruction it pops the first address and jumps to that gadget, and when the gadget finishes, its trailing return pops the second address and jumps to the second gadget. Repeating this cycle composes arbitrary malicious behaviour. A JOP attack uses code fragments ending in a jump as gadgets and chains them with jumps: the attacker controls the data on the stack through a stack overflow and uses pop instructions to move that data into general-purpose registers, or modifies memory data and uses load instructions to move it into general-purpose registers. A DOP attack uses a memory vulnerability to modify the data variables that take part in computation, such as library function arguments, loop variables and conditional branch variables, completing the attack without changing the control flow.

What these attacks have in common is that they corrupt memory data at run time and read or write it arbitrarily. The mainstream countermeasure today is data flow integrity (DFI), which protects memory data at run time, detects abnormal program behaviour and blocks such attacks. However, because DFI protects all memory data, it uses an over-approximating analysis to compute the legal write set of each datum. The result contains redundant information, its precision is hard to guarantee, and security is weakened. At run time, the design of the tag check mechanism also brings very large memory overhead and performance loss.

Summary of the Invention

The invention provides a method for monitoring memory data corruption attacks that addresses the insufficient security and huge performance overhead of the prior art and achieves efficient monitoring of memory data corruption attacks.

The invention provides a method for monitoring memory data corruption attacks, comprising:

performing static analysis on memory data to obtain key data;

inserting a tag check instruction before the memory read instructions, function call instructions and function return instructions of the memory data, and inserting a tag-setting instruction before the memory write instructions of the memory data, to obtain an executable file for the memory data;

executing the executable file and performing tag checks according to the tag check instructions of the memory read instructions, function call instructions and function return instructions of the key data.

According to a method for monitoring memory data corruption attacks provided by the invention, performing static analysis on memory data to obtain key data includes:

performing data flow analysis on the memory data to obtain initial key data;

performing control flow analysis and pointer analysis on the initial key data to obtain precise key data, the precise key data including the control flow information and the points-to information of the initial key data;

performing key data propagation analysis according to the data dependencies between the initial key data and the precise key data to obtain the key data.

According to a method for monitoring memory data corruption attacks provided by the invention, the initial key data falls into three categories:

pointers that are the result of arithmetic operations and the arguments of vulnerable functions;

user input and external data received by network applications;

conditional branch variables, loop condition variables, library function arguments, system call arguments, function pointers, indirect call target addresses and return addresses.

According to a method for monitoring memory data corruption attacks provided by the invention, performing control flow analysis and pointer analysis on the initial key data to obtain precise key data includes:

applying control flow analysis to the initial key data to obtain the control flow information, which includes the intra-procedural execution flow and the inter-procedural function jumps;

applying pointer analysis to the control flow information to obtain the points-to information;

replacing each pointer in the initial key data by the set of targets it points to according to the points-to information, to obtain the precise key data.

According to a method for monitoring memory data corruption attacks provided by the invention, the pointer analysis uses Andersen's pointer analysis algorithm.

According to a method for monitoring memory data corruption attacks provided by the invention, performing a tag check according to the tag check instruction of a memory read instruction includes:

if the runtime tag of the key data read by the memory read instruction matches the legal tag, no attack is found; if they differ, an attack is found.

The invention also provides a device for monitoring memory data corruption attacks, comprising:

a static analysis module, used to perform static analysis on memory data to obtain key data;

a code instrumentation module, used to insert a tag check instruction before the memory read instructions, function call instructions and function return instructions of the memory data, and a tag-setting instruction before the memory write instructions of the memory data, to obtain an executable file for the memory data;

a tag check module, used to execute the executable file and perform tag checks according to the tag check instructions of the memory read instructions, function call instructions and function return instructions of the key data.

The invention also provides an electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, where the processor, when executing the program, implements the method for monitoring memory data corruption attacks as described in any of the above.

The invention also provides a non-transitory computer-readable storage medium on which a computer program is stored, the computer program, when executed by a processor, implementing the method for monitoring memory data corruption attacks as described in any of the above.

The invention also provides a computer program product comprising a computer program, the computer program, when executed by a processor, implementing the method for monitoring memory data corruption attacks as described in any of the above.

The method and device for monitoring memory data corruption attacks provided by the invention lock onto the key data within the memory data, reduce the amount of data to be protected, and propose a data flow integrity defense mechanism based on key data, so that memory data corruption attacks are monitored more efficiently at run time.

Brief Description of the Drawings

To illustrate the technical solutions of the invention or of the prior art more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.

FIG. 1 is a first flow chart of the method for monitoring memory data corruption attacks provided by the invention;

FIG. 2 is a flow chart of the static analysis provided by the invention;

FIG. 3 is a flow chart of the control flow analysis and pointer analysis provided by the invention;

FIG. 4 is a schematic diagram of an attack detection example provided by the invention;

FIG. 5 is a second flow chart of the method for monitoring memory data corruption attacks provided by the invention;

FIG. 6 is a schematic structural diagram of the device for monitoring memory data corruption attacks provided by the invention;

FIG. 7 is a schematic structural diagram of the electronic device provided by the invention.

Detailed Description

To make the purpose, technical solution and advantages of the invention clearer, the technical solution is described below clearly and completely with reference to the drawings. Obviously, the described embodiments are a part of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from these embodiments without creative effort fall within the scope of protection of the invention.

ROP: return-oriented programming uses code fragments ending in ret as gadgets and, combined with control of the stack, uses ret as the link between gadgets so that the program keeps executing them. When the program executes a return, the CPU takes an address from the current stack and jumps to the code at that address.

DOP: a data-oriented programming attack uses a memory vulnerability to modify the data variables that take part in computation, such as library function arguments, loop variables and conditional branch variables, completing the attack without changing the control flow.

JOP: jump-oriented programming uses code fragments ending in a jump as gadgets and uses jumps as the link between gadgets. The attacker controls the data on the stack through a stack overflow and uses pop instructions to move it into general-purpose registers, or modifies memory data and uses load instructions to move it into general-purpose registers.

DFI: the data flow integrity defense mechanism obtains the legal write set of each datum by static analysis and instruments the memory read and write instructions of that data to produce an executable file. At run time the tag of each memory write instruction is computed as it executes; at each memory read instruction a tag check is performed, that is, the tag of the write that last produced the value being read is checked against the legal write set obtained by static analysis. If it is in the set, execution continues; if not, the data has been illegally corrupted and the program is behaving abnormally, so execution is terminated.

The fundamental problem of the data flow integrity mechanism is that it protects too much data. For memory data corruption attacks, some data are indispensable to the attack: if the attacker cannot control them, the attack cannot proceed. It is therefore enough to keep these data out of the attacker's control to make the attack infeasible. From a study of current memory attack and defense techniques, the invention identifies the key data involved in memory data corruption attacks, and protecting only the key data defends effectively against such attacks.

The method for monitoring memory data corruption attacks is described below with reference to FIG. 1 to FIG. 3. It comprises the following steps:

Step 101: perform static analysis on memory data to obtain key data;

Step 102: insert a tag check instruction before the memory read instructions, function call instructions and function return instructions of the memory data, and insert a tag-setting instruction before the memory write instructions of the memory data, to obtain an executable file for the memory data;

It should be noted that the tag-setting instruction instrumented before a memory write instruction exists to produce the runtime tag.

Step 103: execute the executable file and perform tag checks according to the tag check instructions of the memory read instructions, function call instructions and function return instructions of the key data.

It should be noted that the objects on which tag check instructions are executed are, for example, the arguments of vulnerable functions, pointers that are the result of arithmetic, and conditional branch variables.

The method for monitoring memory data corruption attacks provided by this embodiment locks onto the key data within the memory data, reduces the amount of data to be protected, and proposes a data flow integrity defense mechanism based on key data, so that memory data corruption attacks are monitored more efficiently at run time.

In at least one embodiment of the invention, performing a tag check according to the tag check instruction of a memory read instruction includes:

if the runtime tag of the key data read by the memory read instruction matches the legal tag, no attack is found and execution continues; if they differ, an attack is found and execution stops.

In at least one embodiment of the invention, performing tag checks according to the tag check instructions of function return instructions and function call instructions includes:

For a function return instruction, a tag is set at the function entry to protect the function pointer and a tag check instruction is added at the function exit; if the runtime tag at the function return instruction matches the tag protecting the function pointer, no attack is found, otherwise an attack is found.

For a function call instruction, if the runtime tag of the function pointer used by the indirect call instruction is among the corresponding legal tags, no attack is found; if it is not, an attack is found.
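The following C program is an added example, not code from the patent, that simulates the run-time side of the scheme described above: each protected memory slot carries a shadow tag, the instrumentation before a write sets the runtime tag to the class of the data being written, and the check inserted before a read or indirect call compares the runtime tag with the legal tag fixed by static analysis. The slot layout, the handler table, the tag values assigned to each slot and the overflowing copy that stands in for an unchecked read() are all constructed for this example; the 3-bit class values follow the tag encoding given later in the description.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 3-bit class tags: the tag of a datum is the OR of the classes it belongs to */
enum dfi_tag {
    TAG_NONE    = 0,  /* 000: ordinary variable */
    TAG_UNSAFE  = 1,  /* 001: Unsafe data */
    TAG_EXPLOIT = 2,  /* 010: Exploit data */
    TAG_INPUT   = 4   /* 100: Input data */
};

/* Memory is modelled as 8-byte slots (constructed for this example); each slot
 * has a shadow tag holding the class of the data that last wrote it. */
#define NSLOTS 8
static uint64_t mem[NSLOTS];
static uint8_t  shadow[NSLOTS];

/* Instrumentation before a memory write: perform the write and set the runtime tag. */
static void dfi_store(size_t slot, uint64_t value, uint8_t writer_tag)
{
    mem[slot] = value;
    shadow[slot] = writer_tag;
}

/* Instrumentation before a read, indirect call or return that consumes key
 * data: 1 if the runtime tag equals the legal tag from static analysis, else 0. */
int dfi_check(size_t slot, uint8_t legal_tag)
{
    return shadow[slot] == legal_tag;
}

/* Assumed frame layout: slots 0..1 are a 16-byte buffer that receives network
 * input; slot 2 is a function-pointer index written only by the program's own
 * initialisation, so its legal tag is Exploit data (010). */
enum { BUF_SLOT = 0, BUF_SLOTS = 2, FPTR_SLOT = 2 };

static void handler_ok(void)  { puts("handler_ok"); }
static void handler_bad(void) { puts("handler_bad: attacker-chosen target"); }
static void (*const handlers[])(void) = { handler_ok, handler_bad };

/* Models read(client_sockfd, buffer, n) with no bounds check: every slot it
 * writes is tagged Input data (100) because the bytes come from the network. */
static void unchecked_copy(size_t base, const uint64_t *src, size_t nslots)
{
    for (size_t i = 0; i < nslots; i++)
        dfi_store(base + i, src[i], TAG_INPUT);
}

/* payload_slots > BUF_SLOTS models an overflow that reaches the function
 * pointer. Returns 1 if the check before the indirect call reports an attack,
 * 0 if the call was allowed to proceed. */
int run_scenario(size_t payload_slots)
{
    /* constructed payload: filler, filler, index of handler_bad */
    uint64_t payload[3] = { 0x4141414141414141ULL, 0x4242424242424242ULL, 1 };
    if (payload_slots > 3) payload_slots = 3;

    dfi_store(FPTR_SLOT, 0, TAG_EXPLOIT);    /* fp = handler_ok, set by trusted code */
    unchecked_copy(BUF_SLOT, payload, payload_slots);

    if (!dfi_check(FPTR_SLOT, TAG_EXPLOIT))  /* tag check inserted before the call */
        return 1;                            /* runtime 100 != legal 010: attack found */
    handlers[mem[FPTR_SLOT]]();
    return 0;
}

int main(void)
{
    printf("2-slot input: %s\n", run_scenario(2) ? "attack reported" : "allowed");
    printf("3-slot input: %s\n", run_scenario(3) ? "attack reported" : "allowed");
    return 0;
}
```

The benign 2-slot input leaves the function pointer's runtime tag at 010, so the call to handler_ok proceeds; the 3-slot input overwrites slot 2 through a write tagged 100, and the check before the indirect call reports the mismatch without ever dispatching to the attacker's target. Real instrumentation would attach the shadow tag to the written address rather than to a fixed slot index, but the set-on-write / compare-on-use logic is the same.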

In at least one embodiment of the invention, performing static analysis on memory data to obtain key data includes:

Step 201: perform data flow analysis on the memory data to obtain initial key data;

It should be noted that the initial key data is obtained by data flow analysis at the abstract syntax tree (AST) level of Clang, the LLVM front end. During syntax analysis the compiler builds a fairly complete AST of the program, marks variables and functions by type, and analyses assignment operations to obtain the corresponding data flow information. A plugin AST visitor class is defined that derives from RecursiveASTVisitor and visits every node recursively; its VisitDecl method handles each Decl node and its VisitStmt method handles each Stmt node, collecting variable information and data flow transfer relations.

Step 202: perform control flow analysis and pointer analysis on the initial key data to obtain precise key data, the precise key data including the control flow information and points-to information of the initial key data;

It should be noted that control flow analysis determines the execution flow of every function of the program and the inter-procedural call relations, that is, the program's control flow information. The analysis works on basic blocks: each basic block contains several instructions that execute consecutively from the first to the last, and the block ends with a jump or return instruction. By establishing the relation between each pointer and the addresses of the variables it points to, the set of targets of the pointer is obtained and the pointer in the data flow is replaced by those targets; variables pointed to by the same pointer are given the same tag in this step.

Step 203: perform key data propagation analysis according to the data dependencies between the initial key data and the precise key data to obtain the key data.

It should be noted that, because data depend on one another, the key data are tracked, the possible execution paths of the program are explored and the state of the current operation is identified. The data that influence the key data are found and the key data set is expanded to include them, giving the final key data.

Specifically, this expansion is carried out by simulating program execution with LogicBlox.

Existing DFI mechanisms do not analyse the dependencies between data or the program's control flow, which leads to imprecise pointer analysis among other problems. In embodiments of the invention, because only key data are analysed, a more precise analysis, such as complete control flow analysis and analysis of the dependencies between data, can be adopted without introducing higher performance overhead.

In at least one embodiment of the invention, the initial key data falls into three categories:

pointers that are the result of arithmetic operations and the arguments of vulnerable functions;

user input and external data received by network applications;

conditional branch variables, loop condition variables, library function arguments, system call arguments, function pointers, indirect call target addresses and return addresses.

It should be noted that in this embodiment the key data comprise 3 categories and 11 kinds, as shown in Table 1:

Table 1

In at least one embodiment of the invention, performing data flow analysis on the memory data to obtain the initial key data analyses each line of source code as follows:

if a pointer variable is the result of an operation, it is marked as Unsafe data;

if a called function belongs to the set of vulnerable functions, its arguments are defined as Unsafe data;

if a called function is a user input function or a function through which a network application receives external data, its arguments are defined as Input data;

from the handling of function call statements, if the callee is a library function or a system call, its arguments are defined as Exploit data;

from the left and right subtrees of assignment statements the data flow transfer relations are extracted, giving the read and write relations of variables, with special handling of pointer, array and structure assignments; if the assigned variable is a function pointer, it is Exploit data;

from the handling of conditional branch statements, a variable that is a child node of a loop or if condition is Exploit data.

In at least one embodiment of the invention, performing control flow analysis and pointer analysis on the initial key data to obtain precise key data includes:

Step 301: apply control flow analysis to the initial key data to obtain the control flow information, which includes the intra-procedural execution flow and the inter-procedural function jumps;

It should be noted that control flow analysis examines branch instructions such as branch and switch and transfer instructions such as call and ret to obtain the control flow information, and from it the data transfer process and the function jump process.

Step 302: apply pointer analysis to the control flow information to obtain the points-to information;

It should be noted that pointer analysis establishes the relation between each pointer and the addresses of the variables it points to, giving the set of targets the pointer may point to.

Step 303: replace each pointer in the initial key data by the set of targets it points to according to the points-to information, to obtain the precise key data.

In at least one embodiment of the invention, the pointer analysis uses Andersen's pointer analysis algorithm.

It should be noted that Andersen's algorithm marks and tracks the pointers and references in the code and finds the set of targets each pointer may point to; variables pointed to by the same pointer use the same tag. The objects of the Andersen analysis include Unsafe data, as well as Exploit data such as indirect call target addresses and return addresses.

In at least one embodiment of the present invention, since the number of tags depends on the data classification, the tag field is 3 bits wide.

It should be noted that existing DFI uses 16-bit tags. The present invention designs a 3-bit tag field according to the different roles data plays in memory attacks, i.e. according to the categories of key data, which greatly reduces space overhead and reduces the performance loss at runtime.

In at least one embodiment of the present invention, the key data is divided into three categories according to the different roles of the data in memory attacks, and the category of each datum can be determined by static analysis. An attacker's malicious behavior changes the category of the data, which produces an anomaly. It is therefore necessary to design the tags according to the categories of key data.

Specifically, the runtime tag and the legal tag are represented by three binary bits:

001: the data is Unsafe data

010: the data is Exploited data

100: the data is Input data

The final tag value of a datum is the sum of the applicable values. Ordinary variables all carry the tag 000.

This embodiment discloses a piece of actual code used for attack detection:

1:  int main(){
2:      char *dfibuf;
3:      char buffer[1024];
4:      socketConnet();
5:      read(client_sockfd, buffer, 1024);
6:      static void (*pfun2)();
7:      static void (*pfun1)();
8:      static char *tmpfile, aa[16], *tmpfile1;
9:      static void (*pfun)();
10:     tmpfile = aa;
11:     tmpfile1 = aa;
12:     static char bb[16];
13:     static void (*pfun3)();
14:     pfun = pPp;
15:     memcpy(aa, buffer, 32);
16:     (*pfun)();
17: }

FIG. 4 is a schematic diagram of an attack detection example according to an embodiment of the present invention. Referring to FIG. 4 and the code above, static analysis determines that aa and pfun are Exploit data and that aa is also Unsafe data, so both are protected by the tag-setting and tag-checking mechanism. Uninitialized static variables and global variables both reside in the .bss data segment, so the array aa and the function pointer pfun are both stored in the .bss segment. When the array aa is written at line 15, its tag in the address-to-tag table is set to 011. When the function pointer pfun is written at line 14, its tag is set to 010. When the function pointer is read at line 16, the tag of pfun is checked: the legal tag of pfun is 010, but because the array aa overflowed and overwrote the memory of pfun, the tag of the memory address of pfun is now 011, which is not in the legal tag set. The check therefore fails, an error is reported and the program is terminated.
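To make the tag scheme concrete, the following C program is an added software model written for this page and not the patent's own implementation: a byte array stands in for the .bss segment, a parallel shadow array holds one 3-bit tag per byte, a store records the writer's tag and a load checks it against the legal tag set, replaying the aa/pfun case above with a 16-byte and a 32-byte copy. The layout of aa and pfun, the addresses and the dfi_store/dfi_check_load names are assumptions.

```c
/* Added example, not the patent's code: a software model of the 3-bit tag
 * scheme. Memory is a byte array with a parallel shadow array holding one tag
 * per byte; stores record the writer's tag, loads check it. All names, the
 * layout and the addresses below are constructed for this illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Tag values from the description: 001 Unsafe, 010 Exploited, 100 Input,
 * 000 for ordinary variables; data in several categories carries the sum. */
enum {
    TAG_NONE      = 0x0,
    TAG_UNSAFE    = 0x1,
    TAG_EXPLOITED = 0x2,
    TAG_INPUT     = 0x4,
    TAG_MASK      = 0x7
};

/* Build a legal set for a check: bit t set means tag value t is accepted. */
#define LEGAL(tag) (1u << (tag))

#define MEM_SIZE 64                  /* constructed: a tiny .bss-like region */

typedef struct {
    uint8_t mem[MEM_SIZE];           /* program data */
    uint8_t tag[MEM_SIZE];           /* shadow memory: one 3-bit tag per byte */
} dfi_mem_t;

/* Instrumented store (the set-tag instruction inserted before each memory
 * write): copy the bytes and stamp the writer's static tag on every byte
 * actually written, however many bytes that turns out to be. */
void dfi_store(dfi_mem_t *m, size_t addr, const void *src, size_t len, uint8_t tag)
{
    if (addr + len > MEM_SIZE) {
        fputs("store outside modelled memory\n", stderr);
        exit(1);
    }
    memcpy(&m->mem[addr], src, len);
    memset(&m->tag[addr], tag & TAG_MASK, len);
}

/* Instrumented load check (inserted before each memory read of key data):
 * every byte of the datum must carry a tag in the legal set computed by
 * static analysis. Returns 1 if the read may proceed, 0 on detection. */
int dfi_check_load(const dfi_mem_t *m, size_t addr, size_t len, uint8_t legal_set)
{
    if (addr + len > MEM_SIZE)
        return 0;
    for (size_t i = 0; i < len; i++) {
        uint8_t t = m->tag[addr + i] & TAG_MASK;
        if (!(legal_set & (1u << t)))
            return 0;
    }
    return 1;
}

/* Replay of the example in the text: aa[16] (Unsafe + Exploited, tag 011)
 * lies directly below the function pointer pfun (Exploited, tag 010).
 * copy_len is the number of bytes the memcpy at line 15 writes into aa.
 * Returns 1 if the check before "(*pfun)()" passes, 0 if it fires. */
int run_example(size_t copy_len)
{
    dfi_mem_t m;
    memset(&m, 0, sizeof m);        /* everything starts as ordinary data, 000 */

    const size_t AA   = 0;                     /* aa occupies bytes 0..15 */
    const size_t PFUN = 16;                    /* pfun follows aa in .bss */
    const size_t PTR  = sizeof(uintptr_t);

    /* line 14: pfun = pPp; static analysis gives pfun the tag 010 */
    uintptr_t target = 0x401000;               /* constructed address of pPp */
    dfi_store(&m, PFUN, &target, PTR, TAG_EXPLOITED);

    /* line 15: memcpy(aa, buffer, copy_len); aa's tag is 001 + 010 = 011 */
    uint8_t buffer[MEM_SIZE];                  /* constructed network input */
    memset(buffer, 'A', sizeof buffer);
    dfi_store(&m, AA, buffer, copy_len, TAG_UNSAFE | TAG_EXPLOITED);

    /* line 16: (*pfun)(); the legal tag set for pfun is {010} */
    return dfi_check_load(&m, PFUN, PTR, LEGAL(TAG_EXPLOITED));
}

int main(void)
{
    printf("memcpy of 16 bytes into aa: %s\n",
           run_example(16) ? "tag 010 matches, call allowed" : "attack detected");
    printf("memcpy of 32 bytes into aa: %s\n",
           run_example(32) ? "tag 010 matches, call allowed" : "attack detected");
    return 0;
}
```

A legal set with more than one bit covers the indirect-call case in which pointer analysis yields several possible targets with different tags.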

FIG. 5 is a flow chart of a method for monitoring memory data corruption attacks according to an embodiment of the present invention. First, the source program is obtained. In the static analysis stage, multi-stage static data flow analysis is used to identify key data. In the code instrumentation stage, the specific tag value of each datum is computed from the identified key data. The source program is instrumented to implement read and write checks on the data tags: an instruction that sets the tag is inserted before each memory write instruction, and a sequence of tag-checking instructions is inserted before each memory read instruction. For function return instructions, a tag is added at the function prologue to protect the function pointer, and a tag-checking instruction is added at the function epilogue to ensure that the return address has not been modified. For function call instructions, information such as the function name and function parameters is obtained. For the parameters of an ordinary function call, the memory reads and writes that occur while passing the parameters are instrumented; if there are none, no operation is performed. For indirect call instructions in particular, the points-to set of the indirectly called function pointer is obtained from the pointer analysis, the legal tag of each function pointer in that set is computed, and a tag check is added before the indirect call instruction. Finally, the executable file is obtained.

When the executable file runs and a memory write instruction is encountered, the corresponding runtime tag is computed and stored. When a memory read instruction is encountered, the runtime tag corresponding to the key data of the read instruction is fetched and the tag is checked: if the tag value matches the legal tag value obtained by static analysis, the program continues; otherwise an error is reported and execution is terminated. When a function return instruction or a function call instruction is encountered, the corresponding tag check is also performed.

The device for monitoring memory data corruption attacks provided by the present invention is described below; the device described below and the method described above may be referred to correspondingly. As shown in FIG. 6, the device for monitoring memory data corruption attacks of the present invention includes:

a static analysis module 601, configured to perform static analysis on memory data to obtain key data;

a code instrumentation module 602, configured to insert a tag-checking instruction before the memory read instructions, function call instructions and function return instructions of the memory data, and to insert a tag-setting instruction before the memory write instructions of the memory data, to obtain an executable file of the memory data;

a tag-checking module 603, configured to execute the executable file and to perform tag checks according to the tag-checking instructions of the memory read instructions, function call instructions and function return instructions of the key data.

The device for monitoring memory data corruption attacks provided by an embodiment of the present invention pins down the key data within the memory data, reduces the amount of data to be protected, and proposes a data flow integrity defense mechanism based on key data, so that memory data corruption attacks are monitored more efficiently while the program runs.

In at least one embodiment of the present invention, performing the tag check according to the tag-checking instruction of the memory read instruction includes:

if the runtime tag of the key data of the memory read instruction is consistent with the legal tag, no attack is found and execution continues; if they are inconsistent, an attack is found and execution stops.

In at least one embodiment of the present invention, performing the tag check according to the tag-checking instructions of the function call instruction and the function return instruction includes:

for the function return instruction, a tag is added at the function prologue to protect the function pointer, and an instruction that checks the tag is added at the function epilogue; if the runtime tag at the function return instruction is consistent with the tag protecting the function pointer, no attack is found; if they are inconsistent, an attack is found;

for the function call instruction, if the tag of the function pointer of an indirect call instruction is in the corresponding legal tag set, no attack is found; if it is not, an attack is found.

In at least one embodiment of the present invention, performing static analysis on the memory data to obtain key data includes:

performing data flow analysis on the memory data to obtain initial key data;

performing control flow analysis and pointer analysis on the initial key data to obtain accurate key data, wherein the accurate key data includes the control flow information and pointer pointing information of the initial key data;

performing key data propagation analysis according to the data dependency relationship between the initial key data and the accurate key data to obtain the key data.

In at least one embodiment of the present invention, the initial key data comprises three categories, namely:

pointers that have undergone arithmetic operations and parameters of vulnerable functions;

user input and external data received in network applications;

conditional branch parameters, loop condition parameters, library function parameters, system call parameters, function pointers, indirect call target addresses and return addresses.

In at least one embodiment of the present invention, performing control flow analysis and pointer analysis on the initial key data to obtain accurate key data includes:

applying control flow analysis to the initial key data to obtain the control flow information, which comprises the intra-procedural program execution process and the inter-procedural function jump process;

applying pointer analysis to the control flow information to obtain the pointer pointing information;

replacing the pointers in the initial key data with the target sets from the pointer pointing information to obtain the accurate key data.

In at least one embodiment of the present invention, the pointer analysis uses the Andersen pointer analysis algorithm.

Compared with the prior art, the present invention adopts a more precise multi-stage static analysis process, so the analysis results are more accurate and contain less redundant information. This embodiment uses RIPE and CVE-2002-1496 for security evaluation; as shown in Table 2, the evaluation shows that the present invention monitors memory data corruption attacks more effectively.

Table 2 RIPE monitoring results

Defense mechanism        Total attacks    Successfully defended    Detection rate
DFI                      850              663                      78.00%
The present invention    850              769                      90.47%

Because the protected data set is reduced, the present invention is designed to reduce the frequency of runtime checks, which lowers the performance overhead of checking. The embodiment of the present invention was tested with SPEC2000; as shown in Table 3, the overhead is about 10%.

Table 3 SPEC2000 evaluation results

FIG. 7 illustrates a schematic diagram of the physical structure of an electronic device. As shown in FIG. 7, the electronic device may include a processor 710, a communications interface 720, a memory 730 and a communication bus 740, wherein the processor 710, the communications interface 720 and the memory 730 communicate with each other through the communication bus 740. The processor 710 may call logic instructions in the memory 730 to execute the method for monitoring memory data corruption attacks, the method including:

performing static analysis on memory data to obtain key data;

inserting a tag-checking instruction before the memory read instructions, function call instructions and function return instructions of the memory data, and inserting a tag-setting instruction before the memory write instructions of the memory data, to obtain an executable file of the memory data;

executing the executable file, and performing tag checks according to the tag-checking instructions of the memory read instructions, function call instructions and function return instructions of the key data.

In addition, the logic instructions in the memory 730 described above may be implemented in the form of software functional units and, when sold or used as an independent product, may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including a number of instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or some of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.

In another aspect, the present invention further provides a computer program product comprising a computer program, which may be stored on a non-transitory computer-readable storage medium; when the computer program is executed by a processor, the computer is able to execute the method for monitoring memory data corruption attacks provided by the methods above, the method including:

inserting a tag-checking instruction before the memory read instructions, function call instructions and function return instructions of the memory data, and inserting a tag-setting instruction before the memory write instructions of the memory data, to obtain an executable file of the memory data;

executing the executable file, and performing tag checks according to the tag-checking instructions of the memory read instructions, function call instructions and function return instructions of the key data.

In yet another aspect, the present invention further provides a non-transitory computer-readable storage medium storing a computer program which, when executed by a processor, implements the method for monitoring memory data corruption attacks provided by the methods above, the method including:

inserting a tag-checking instruction before the memory read instructions, function call instructions and function return instructions of the memory data, and inserting a tag-setting instruction before the memory write instructions of the memory data, to obtain an executable file of the memory data;

executing the executable file, and performing tag checks according to the tag-checking instructions of the memory read instructions, function call instructions and function return instructions of the key data.

The device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of this embodiment. Those of ordinary skill in the art can understand and implement them without creative effort.

From the description of the embodiments above, those skilled in the art can clearly understand that the embodiments may be implemented by software plus a necessary general-purpose hardware platform, or of course by hardware. On this understanding, the above technical solution in essence, or the part that contributes to the prior art, may be embodied in the form of a software product stored in a computer-readable storage medium such as a ROM/RAM, a magnetic disk or an optical disc, including a number of instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to execute the methods described in the embodiments or in some parts of the embodiments.

Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention and not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features may be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (7)

1. A method for monitoring memory data corruption attacks, characterized by comprising the following steps:
performing static analysis on the memory data to obtain key data;
inserting a tag-checking instruction before a memory read instruction, a function call instruction and a function return instruction of the memory data, and inserting a tag-setting instruction before a memory write instruction of the memory data, to obtain an executable file of the memory data;
executing the executable file, and performing tag checks according to the tag-checking instructions of the memory read instruction, the function call instruction and the function return instruction of the key data;
wherein the performing static analysis on the memory data to obtain key data comprises:
performing data flow analysis on the memory data to obtain initial key data;
performing control flow analysis and pointer analysis on the initial key data to obtain accurate key data, wherein the accurate key data comprises control flow information and pointer pointing information of the initial key data;
performing key data propagation analysis according to the data dependency relationship between the initial key data and the accurate key data to obtain the key data;
the initial key data comprises three categories, namely:
pointers that have undergone arithmetic operations and parameters of vulnerable functions;
user input and external data received in network applications;
conditional branch parameters, loop condition parameters, library function parameters, system call parameters, function pointers, indirect call target addresses and return addresses;
the performing control flow analysis and pointer analysis on the initial key data to obtain accurate key data comprises:
applying control flow analysis to the initial key data to obtain the control flow information, wherein the control flow information comprises an intra-procedural program execution process and an inter-procedural function jump process;
applying pointer analysis to the control flow information to obtain the pointer pointing information;
and replacing the pointers in the initial key data with the target sets pointed to in the pointer pointing information to obtain the accurate key data.
2. The method for monitoring memory data corruption attacks according to claim 1, wherein the pointer analysis employs the Andersen pointer analysis algorithm.
3. The method for monitoring memory data corruption attacks according to claim 1 or 2, wherein the performing a tag check according to the tag-checking instruction of the memory read instruction comprises:
if the runtime tag of the key data of the memory read instruction is consistent with the legal tag, no attack is found; if not, an attack is found.
4. A device for monitoring memory data corruption attacks, comprising:
a static analysis module, configured to perform static analysis on the memory data to obtain key data;
a code instrumentation module, configured to insert a tag-checking instruction before a memory read instruction, a function call instruction and a function return instruction of the memory data, and to insert a tag-setting instruction before a memory write instruction of the memory data, to obtain an executable file of the memory data;
a tag-checking module, configured to execute the executable file and to perform tag checks according to the tag-checking instructions of the memory read instruction, the function call instruction and the function return instruction of the key data;
wherein the performing static analysis on the memory data to obtain key data comprises:
performing data flow analysis on the memory data to obtain initial key data;
performing control flow analysis and pointer analysis on the initial key data to obtain accurate key data, wherein the accurate key data comprises control flow information and pointer pointing information of the initial key data;
performing key data propagation analysis according to the data dependency relationship between the initial key data and the accurate key data to obtain the key data;
the initial key data comprises three categories, namely:
pointers that have undergone arithmetic operations and parameters of vulnerable functions;
user input and external data received in network applications;
conditional branch parameters, loop condition parameters, library function parameters, system call parameters, function pointers, indirect call target addresses and return addresses;
the performing control flow analysis and pointer analysis on the initial key data to obtain accurate key data comprises:
applying control flow analysis to the initial key data to obtain the control flow information, wherein the control flow information comprises an intra-procedural program execution process and an inter-procedural function jump process;
applying pointer analysis to the control flow information to obtain the pointer pointing information;
and replacing the pointers in the initial key data with the target sets pointed to in the pointer pointing information to obtain the accurate key data.
5. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor, when executing the program, implements the method for monitoring memory data corruption attacks according to any one of claims 1 to 3.
6. A non-transitory computer-readable storage medium having a computer program stored thereon, wherein the computer program, when executed by a processor, implements the method for monitoring memory data corruption attacks according to any one of claims 1 to 3.
7. A computer program product comprising a computer program which, when executed by a processor, implements the method for monitoring memory data corruption attacks according to any one of claims 1 to 3.
CN202210253761.2A 2022-03-15 2022-03-15 Method and device for monitoring memory data corruption attacks Active CN114707143B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210253761.2A CN114707143B (en) 2022-03-15 2022-03-15 Method and device for monitoring memory data corruption attacks

Publications (2)

Publication Number Publication Date
CN114707143A CN114707143A (en) 2022-07-05
CN114707143B true CN114707143B (en) 2024-08-09

Family

ID=82169776

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210253761.2A Active CN114707143B (en) 2022-03-15 2022-03-15 Method and device for monitoring memory data corruption attacks

Country Status (1)

Country Link
CN (1) CN114707143B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2025008064A1 (en) * 2023-07-06 2025-01-09 Huawei Technologies Co., Ltd. Data processing apparatus and method for data flow integrity attestation

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101473300A (en) * 2006-06-23 2009-07-01 微软公司 Securing software by enforcing data flow integrity
CN108090346A (en) * 2017-12-04 2018-05-29 华中科技大学 A kind of code reuse attack defense method and system based on data stream monitoring

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101851330B1 (en) * 2016-10-11 2018-04-23 서울대학교산학협력단 Apparatus and method for detecting code reuse attack
CN111865909B (en) * 2020-06-08 2021-05-28 西安电子科技大学 SGX side channel attack defense method, system, medium, program and application
CN112906015B (en) * 2021-01-26 2023-11-28 浙江大学 Memory sensitive data encryption protection system based on hardware tag

Also Published As

Publication number Publication date
CN114707143A (en) 2022-07-05

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant