Similar documents
20 similar documents found (search time 843 ms)
1.
Buffer overflows are a common class of vulnerability exploited in network attacks, and the stack overflow is the most important of them. After analysing the methods and characteristics of buffer overflow attacks, this paper proposes RetProtect, an algorithm that improves on StackShield: the source program is first disassembled and analysed with IDA Pro, a new library function is built, and the gcc source is modified so that every function's return address is backed up at run time; the backup is used to detect an overflow when it occurs. Compared with other stack-overflow detection methods, RetProtect effectively blocks stack overflows that overwrite the return address, is transparent to the user and is compatible with existing systems.

2.
Buffer overflow is a widely used and highly dangerous attack. This paper proposes a hybrid protection method for function return addresses that prevents an attacker from executing injected code by altering the return address. The method consists of a simple compiler patch that extends the compiler's security features and of a protected region that holds a copy of every function return address; the copies are dynamically encoded so that an attacker cannot easily guess or forge them. The method requires no change to the user program's source code and does not change the binary stack layout, so it integrates well with the existing operating system and libraries. Performance tests are described in detail; the overhead is within an acceptable range, so the method is an effective defence against buffer overflow attacks.

3.
Zhang Cheng, Peng Qinke. 计算机工程 (Computer Engineering), 2007, 33(7): 139-142
A method is proposed that dynamically extracts information from the process stack to find variable-length patterns. It uses the chain of function return addresses present when a process issues a system call as the basis for extracting variable-length patterns, and reduces the pattern set according to the structural relationships among functions to obtain a set of variable-length patterns. On this basis, a Markov chain model with variable-length patterns as its basic units is built to detect anomalous behaviour. Experimental results show that the detection performance is better than that of the traditional variable-length pattern method and the first-order Markov chain method, with a higher detection rate and a lower false-positive rate.

4.
Dai Wei, Liu Zhi, Liu Yihe. 计算机应用 (Journal of Computer Applications), 2015, 35(2): 424-429
Traditional function-pointer attack detection cannot detect return-oriented programming (ROP). To address this, a new method based on jump-target integrity checking is proposed that detects several kinds of function-pointer attacks at the binary level. Function address information is first obtained by static analysis; at run time the method checks whether each jump target lies within a legal function range. Jumps to non-entry-point targets are analysed, and a combined static/dynamic method for detecting ROP attacks is proposed. A prototype, fpcheck, was implemented on a binary instrumentation tool and tested on real attacks and on benign programs. The results show that fpcheck detects several function-pointer attacks including ROP; with a precise detection policy the false-positive rate drops significantly, and the performance cost is only 10%-20% above that of the bare instrumentation.
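One way to implement the jump-target check described above, written here as an added C example rather than fpcheck's own code: the set of legal entry addresses that a static pass would collect is built from the program's own functions, and every indirect call goes through a guard that accepts only an exact entry. The handler functions, the table contents and the rejected "gadget" address are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

typedef int (*handler_t)(int);

/* Legitimate indirect-call targets (constructed for this example). */
static int double_it(int x) { return 2 * x; }
static int square_it(int x) { return x * x; }
static int negate_it(int x) { return -x; }

/* Valid code that the program never calls through a pointer, so a static
 * pass would not put it in the table. */
static int admin_only(int x) { return x + 1000; }

/* The static-analysis result: every function entry that may legitimately be
 * reached through a function pointer. A real tool recovers these from the
 * binary's symbol table or disassembly; here we take them directly. */
static uintptr_t legal_entries[3];
static size_t    legal_count;

static int cmp_addr(const void *a, const void *b)
{
    uintptr_t x = *(const uintptr_t *)a, y = *(const uintptr_t *)b;
    return (x > y) - (x < y);
}

static void build_entry_table(void)
{
    legal_entries[0] = (uintptr_t)double_it;
    legal_entries[1] = (uintptr_t)square_it;
    legal_entries[2] = (uintptr_t)negate_it;
    legal_count = 3;
    qsort(legal_entries, legal_count, sizeof legal_entries[0], cmp_addr);
}

/* Dynamic check: the target must be exactly a known entry. This is stricter
 * than "somewhere inside a function's byte range", which is what lets ROP
 * through: a gadget address is inside a function but is not an entry. */
int is_legal_target(uintptr_t target)
{
    if (legal_count == 0)
        build_entry_table();
    return bsearch(&target, legal_entries, legal_count,
                   sizeof legal_entries[0], cmp_addr) != NULL;
}

/* Guarded indirect call: returns 0 and stores the result on success, -1 if
 * the target is rejected (an instrumented program would abort or log here). */
int guarded_call(handler_t fp, int arg, int *out)
{
    if (!is_legal_target((uintptr_t)fp))
        return -1;
    *out = fp(arg);
    return 0;
}

/* A pointer to a tabled entry: accepted, result 36. */
int demo_legit(void)
{
    int r = 0;
    return guarded_call(square_it, 6, &r) == 0 ? r : -1;
}

/* A pointer one byte into square_it, the shape a gadget address has: rejected. */
int demo_gadget(void)
{
    handler_t bad = (handler_t)((uintptr_t)square_it + 1);
    int r = 0;
    return guarded_call(bad, 6, &r);
}

/* A genuine entry that is not an indirect-call target in this program: rejected. */
int demo_untabled(void)
{
    int r = 0;
    return guarded_call(admin_only, 6, &r);
}
```

The guard covers indirect calls and jumps only. Returns are the other half of the problem: a legitimate `ret` lands just after a call instruction, never at a function entry, which is why the paper pairs the entry check with separate handling of non-entry targets rather than applying the same test to return addresses.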

5.
After an application or a remote-thread function has been loaded, its process stack holds a return address that lies inside Kernel32.DLL. From that return address the base address of Kernel32.DLL can be found in the remote process, and from the base address the entry points of the two key API functions GetProcAddress and LoadLibrary. With these two functions a DLL can be loaded dynamically into the remote process, and the entry addresses of any further API functions can be looked up dynamically.

6.
Most current high-performance microprocessors use a return address stack to supply predicted target addresses for return instructions. To obtain high return-address prediction accuracy, the return address stack must be repaired after a branch misprediction. This paper first analyses three common repair mechanisms, then proposes a new one, the backup stack, and describes its logic implementation and operation in detail. Finally, the backup stack is compared with the three other common repair mechanisms. As long as the return address stack does not overflow, the backup stack mechanism achieves 100% return-address prediction accuracy.

7.
A method for implementing multitasking in real-time control (cited 3 times: 0 self-citations, 3 by others)
A method for partitioning a real-time multitask system is proposed, and program flowcharts or programs are given for implementing a multitask system on a single-chip microcomputer using a schedule table and by modifying the interrupt return address pointer.

8.
Real-time detection of buffer overflows with FPW (cited 2 times: 0 self-citations, 2 by others)
Buffer overflow vulnerabilities are the most commonly exploited kind. This paper explains the mechanism of buffer overflows and describes FPW (Frame Pointer Watcher), a tool designed by the authors that detects overflows of the function return address in real time by monitoring the saved frame pointer. Compared with similar tools, FPW performs better.
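The return-address backup of items 1 and 2 and the saved-frame-pointer watch of item 8 come down to one mechanism: on function entry, copy the frame's control data somewhere the overflow cannot reach; on exit, compare. The C below is an added example, not code from any of the three papers. It simulates a stack frame as a struct, since a real stack cannot be overflowed safely in a demonstration, keeps XOR-encoded copies in a static array that stands in for the protected region, and reports which field an overlong copy clobbered. The frame pointer and return address values and the encoding key are constructed; a deployment would draw the key from a CSPRNG at process start.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated stack frame (constructed for this example): a fixed buffer
 * followed by the saved frame pointer and the return address, the layout an
 * overlong strcpy() walks through on a real x86 stack. */
struct frame {
    char      buf[16];
    uintptr_t saved_fp;
    uintptr_t ret;
};

/* Protected region holding a copy of every live frame's control data. The
 * copies are XOR-encoded with a secret, so an attacker who can also write
 * this region cannot produce a copy that matches a chosen return address
 * without knowing the key (the "dynamic encoding" of item 2). */
#define SHADOW_MAX 64
static uintptr_t shadow_fp[SHADOW_MAX];
static uintptr_t shadow_ret[SHADOW_MAX];
static int       shadow_top;
/* Assumed: a real deployment draws this from a CSPRNG at process start. */
static const uintptr_t shadow_key = (uintptr_t)0x5a17c3e9d4b2f081ULL;

/* Prologue hook: back up the frame's saved frame pointer and return address. */
static int shadow_push(const struct frame *f)
{
    if (shadow_top >= SHADOW_MAX)
        return -1;                         /* no room: refuse, never overwrite */
    shadow_fp[shadow_top]  = f->saved_fp ^ shadow_key;
    shadow_ret[shadow_top] = f->ret      ^ shadow_key;
    shadow_top++;
    return 0;
}

/* Epilogue hook: compare the live frame with its backup.
 * 0 = intact, 1 = return address overwritten, 2 = only the saved frame
 * pointer overwritten (the case a frame-pointer watcher catches). */
static int shadow_check_pop(const struct frame *f)
{
    if (shadow_top == 0)
        return -1;
    shadow_top--;
    if ((shadow_ret[shadow_top] ^ shadow_key) != f->ret)
        return 1;
    if ((shadow_fp[shadow_top] ^ shadow_key) != f->saved_fp)
        return 2;
    return 0;
}

/* The vulnerable function: copies its input into buf with no bound, as
 * strcpy() would. The copy is capped at the frame size only so that the
 * simulation stays inside memory this program owns. */
static int vulnerable(const char *input)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.saved_fp = (uintptr_t)0x7ffd1234abc0ULL;   /* constructed values */
    f.ret      = (uintptr_t)0x401136ULL;

    if (shadow_push(&f) != 0)
        return -1;

    size_t n = strlen(input) + 1;                /* strcpy copies the NUL too */
    if (n > sizeof f)
        n = sizeof f;
    memcpy(&f, input, n);                        /* buf sits at offset 0 */

    return shadow_check_pop(&f);                 /* verdict before "ret" */
}

/* In-bounds input: 0. */
int demo_clean(void) { return vulnerable("hello"); }

/* Overflow that reaches two bytes into the saved frame pointer only: 2. */
int demo_fp_only(void)
{
    char in[sizeof(struct frame)];
    size_t len = offsetof(struct frame, saved_fp) + 2;
    memset(in, 'A', len);
    in[len] = '\0';
    return vulnerable(in);
}

/* Overflow that reaches three bytes into the return address: 1. */
int demo_ret(void)
{
    char in[sizeof(struct frame)];
    size_t len = offsetof(struct frame, ret) + 3;
    memset(in, 'A', len);
    in[len] = '\0';
    return vulnerable(in);
}

int main(void)
{
    printf("clean=%d fp_only=%d ret=%d\n", demo_clean(), demo_fp_only(), demo_ret());
    return 0;
}
```

The three demo functions show the two detection points side by side: the partial overwrite never touches the return address, so a scheme that backs up only the return address (item 1) would pass it, while the frame-pointer comparison (item 8) flags it; the longer overwrite is caught by the return-address comparison. The offsets are computed with offsetof, so the verdicts are the same on 32-bit and 64-bit builds.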

9.
Zhang Heng. 计算机与数字工程 (Computer and Digital Engineering), 2011, 39(3): 138-140, 170
Combining human physiological characteristics with the movement characteristics of objects, a method of representing human motion with a motion function is proposed for motion detection in video images. Targeting the characteristics of intelligent surveillance systems and taking video of a walking person as the example, experimental data are extracted and analysed to obtain the equation of the walking function. Experiments then verify the validity of each parameter of the walking function and yield the final functional expression for human walking.

10.
Based on an analysis of the ELF loading mechanism, a new approach to locating the main() function is proposed. When looking up the address of main() in the symbol table fails, analysis starts at the beginning of .text (the _start routine); the convention of the _start routine on the given architecture is used to identify the arguments of __libc_start_main that carry the address of main(), and the address of main() is then read from those arguments.
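The x86-64 half of that decoding, as an added example that is not the paper's code: given the bytes of _start and its virtual address, recover the value loaded into rdi (the first argument of __libc_start_main) before the call. The two byte sequences below are constructed from the patterns glibc's start.S produces for a non-PIE and for a PIE executable, with the start address and displacements chosen for the example; a real tool would parse the ELF header and read the bytes at e_entry instead.

```c
#include <stddef.h>
#include <stdint.h>

/* Little-endian int32 read (immediates and displacements are sign-extended). */
static int32_t read_i32(const uint8_t *p)
{
    return (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 |
                     (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
}

/* Walk the bytes of _start and return the address loaded into rdi right
 * before __libc_start_main is called. Recognises the two encodings glibc's
 * x86-64 start.S uses for main:
 *   48 c7 c7 imm32    mov rdi, imm32          (non-PIE, sign-extended)
 *   48 8d 3d disp32   lea rdi, [rip + disp32]  (PIE, RIP-relative)
 * and stops at the call (ff 15 = call [rip+disp32], e8 = call rel32).
 * Other bytes of the prologue (xor, pop, mov, and, push) are stepped over one
 * at a time. Returns 0 if no rdi load was seen. Other architectures need
 * their own pattern (aarch64 loads x0 with adrp/add, for instance). */
uint64_t find_main_from_start(const uint8_t *code, size_t len, uint64_t start_va)
{
    uint64_t main_va = 0;
    size_t i = 0;
    while (i < len) {
        if (i + 7 <= len && code[i] == 0x48 && code[i + 1] == 0xc7 && code[i + 2] == 0xc7) {
            main_va = (uint64_t)(int64_t)read_i32(code + i + 3);
            i += 7;
        } else if (i + 7 <= len && code[i] == 0x48 && code[i + 1] == 0x8d && code[i + 2] == 0x3d) {
            /* RIP-relative: the base is the end of this 7-byte instruction. */
            main_va = start_va + (uint64_t)(i + 7) + (uint64_t)(int64_t)read_i32(code + i + 3);
            i += 7;
        } else if ((i + 2 <= len && code[i] == 0xff && code[i + 1] == 0x15) || code[i] == 0xe8) {
            break;                                  /* reached the call */
        } else {
            i++;
        }
    }
    return main_va;
}

/* Constructed _start of a non-PIE binary linked at 0x400000 (pre-2.34 glibc,
 * which still passes init and fini). main is at 0x401136. */
static const uint8_t start_nonpie[] = {
    0x31, 0xed,                               /* xor  ebp, ebp              */
    0x49, 0x89, 0xd1,                         /* mov  r9, rdx               */
    0x5e,                                     /* pop  rsi                   */
    0x48, 0x89, 0xe2,                         /* mov  rdx, rsp              */
    0x48, 0x83, 0xe4, 0xf0,                   /* and  rsp, -16              */
    0x50,                                     /* push rax                   */
    0x54,                                     /* push rsp                   */
    0x49, 0xc7, 0xc0, 0x90, 0x11, 0x40, 0x00, /* mov  r8, 0x401190 (fini)   */
    0x48, 0xc7, 0xc1, 0x20, 0x11, 0x40, 0x00, /* mov  rcx, 0x401120 (init)  */
    0x48, 0xc7, 0xc7, 0x36, 0x11, 0x40, 0x00, /* mov  rdi, 0x401136 (main)  */
    0xff, 0x15, 0xe2, 0x2f, 0x00, 0x00,       /* call [rip + 0x2fe2]        */
    0xf4                                      /* hlt                        */
};

/* Constructed _start of a PIE binary whose _start sits at 0x1040 (glibc 2.34+
 * passes zero for init and fini). The lea ends at offset 27, so main is at
 * 0x1040 + 27 + 0xc1 = 0x111c. */
static const uint8_t start_pie[] = {
    0x31, 0xed, 0x49, 0x89, 0xd1, 0x5e, 0x48, 0x89, 0xe2,
    0x48, 0x83, 0xe4, 0xf0, 0x50, 0x54,
    0x45, 0x31, 0xc0,                         /* xor  r8d, r8d              */
    0x31, 0xc9,                               /* xor  ecx, ecx              */
    0x48, 0x8d, 0x3d, 0xc1, 0x00, 0x00, 0x00, /* lea  rdi, [rip + 0xc1]     */
    0xff, 0x15, 0x0a, 0x2f, 0x00, 0x00,       /* call [rip + 0x2f0a]        */
    0xf4                                      /* hlt                        */
};

uint64_t demo_nonpie(void)
{
    return find_main_from_start(start_nonpie, sizeof start_nonpie, 0x401020);
}

uint64_t demo_pie(void)
{
    return find_main_from_start(start_pie, sizeof start_pie, 0x1040);
}
```

The scan is a byte-wise pattern match rather than a full decoder, which is enough for the short, fixed prologue glibc emits but would need real instruction-length decoding before being pointed at arbitrary code; a stripped binary built with a different libc or a custom _start will not match these patterns at all, which is the caveat the symbol-table-first order in the abstract already implies.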

12.
Virtual execution environments, such as the Java virtual machine, promote platform-independent software development. However, when it comes to analyzing algorithm complexity and performance bottlenecks, available tools focus on platform-specific metrics, such as the CPU time consumed on a particular system. Other drawbacks of many prevailing profiling tools are high overhead, significant measurement perturbation, and reduced portability, since the tools are often implemented in platform-dependent native code. This article presents a novel profiling approach, based entirely on program transformation techniques, that builds a profiling data structure providing calling-context-sensitive program execution statistics. We explore the use of platform-independent profiling metrics in order to make the instrumentation entirely portable and to generate reproducible profiles. We implemented these ideas in a Java-based profiling tool called JP. A significant novelty is that this tool achieves complete bytecode coverage by statically instrumenting the core runtime libraries and dynamically instrumenting the rest of the code. JP provides a small and flexible API for writing customized profiling agents in pure Java, which are periodically activated to process the collected profiling information. Performance measurements show that, despite the presence of dynamic instrumentation, JP causes significantly less overhead than a prevailing tool for profiling Java code. Copyright © 2008 John Wiley & Sons, Ltd.

13.
Understanding what happens at run time in a Java program is difficult. Tracking the runtime flow yields valuable information for program understanding and behavior analysis. Polymorphism, thread concurrency, or even simple facts such as the number of method invocations and the number of executed bytecodes are valuable to track but difficult to compute outside the Java Virtual Machine (JVM) on running programs. In this paper we present JBInsTrace, a new tool that instruments and traces Java bytecode. It produces static information about the source code and a very fine-grained trace of the program's execution, and combines the two to allow detailed analysis of the runtime. Our tool differs from others in that it traces not only program classes but also JRE classes, does so at basic-block level, and requires neither altering the JVM nor statically modifying class files. We explain the design of JBInsTrace, which focuses on efficiency and results in a reasonable performance penalty.

15.
A typestate property describes which operations are available on an object or a group of inter-related objects, depending on this object's or group's internal state, the typestate. Researchers in the field of static analysis have devised static program analyses to prove the absence of typestate-property violations on all possible executions of a given program under test. Researchers in runtime verification, on the other hand, have developed powerful monitoring approaches that guarantee to capture property violations on actual executions. Although static analysis can greatly benefit runtime monitoring, up until now most static analyses are incompatible with most monitoring tools. We present Clara, a novel framework that makes these approaches compatible. With Clara, researchers in static analysis can easily implement powerful typestate analyses. Runtime-verification researchers, on the other hand, can use Clara to specialize AspectJ-based runtime monitors to a particular target program. To make aspects compatible with Clara, the monitoring tool annotates them with so-called dependency state machines. Clara uses the static analyses to automatically convert an annotated monitoring aspect into a residual runtime monitor that is triggered by fewer program locations. If the static analysis succeeds on all locations, this proves that the program fulfills the stated typestate properties, making runtime monitoring entirely obsolete. If not, the residual runtime monitor is at least optimized. We instantiated Clara with three static typestate analyses and applied these analyses to monitoring aspects generated from tracematches. In two-thirds of the cases in our experiments, the static analysis succeeds on all locations, proving that the program fulfills the stated properties and completely obviating the need for runtime monitoring. In the remaining cases, the runtime monitor is often significantly optimized.

16.
Sun Xiaoxiang, Chen Zhe. 计算机科学 (Computer Science), 2021, 48(1): 268-272
With the development of run-time verification, many run-time memory-safety verification tools for C have appeared. Most of them implement run-time memory-safety checking by instrumenting source code or intermediate code. However, tools that have not been rigorously proven often have two problems: the inserted instrumentation may change the behaviour and semantics of the source program, and the instrumentation may not actually guarantee memory safety. To address these problems, this paper proposes a formal method that uses the Coq theorem prover to decide whether the algorithm of a memory-safety verification tool is correct, and applies it to prove the correctness of the dynamic checking algorithm of Movec, a run-time verification tool for C. The proof of the safety-specification properties shows that Movec's dynamic memory-safety checking algorithm is correct.

17.
A calculus that uses fitness testing to support method redirection (cited 1 time: 0 self-citations, 1 by others)
Zhao Yinliang, Zhu Changpeng, Han Bo, Zeng Qinghua. 软件学报 (Journal of Software), 2013, 24(7): 1495-1511
Some context-oriented programming languages use a block-structured construct to redirect method calls to methods in layers. That construct cannot support the dynamic addition and activation of layers, and it increases the size of the program's executable. To solve this problem, a new approach is proposed: using fitness testing to support method redirection, formalised as a runtime fitness testing calculus on top of the Featherweight Java calculus. The calculus takes the FJ calculus (Featherweight Java calculus) as its core and, by incorporating a new language construct (layers) together with context-based method lookup and object conversion, describes fitness-testing-based method redirection; it analyses the effect on program type safety, formulates the corresponding constraints, and proves that type safety is preserved when those constraints are satisfied, thereby showing the validity of the approach. Guided by the calculus, the paper describes how layers, context-based method lookup and object conversion can be added to the Java language by extending the Java compiler and virtual machine, and tests the implementation experimentally to show that the approach is feasible. The calculus and its implementation can guide the extension of Java-like languages to let programs adapt their behaviour dynamically according to context while preserving type safety.

18.
Reconfigurable platforms can be very effective for lowering production costs because they allow the reuse of architecture resources across a variety of applications. We show how to program a reduced-instruction-set-computing (RISC) microprocessor with a reconfigurable functional unit, focusing on DSP applications and using the example of a turbodecoder. We have developed a complete design flow, including a methodology and compilation tool chain, to address the instruction set hardware-software codesign problem for a processor with a runtime reconfigurable unit. The flow starts from a system-level specification (usually a software program) of the application and partitions it into software and hardware domains to achieve the best speed, power, and area performance, while satisfying resource constraints imposed by the target platform architecture. We describe a methodology and a set of tools that allow extensive design exploration for hardware-software codesign with the goal of improving the overall utilization of reconfigurable multimedia platforms.

19.
Design of a code-processing architecture for visual page programs on embedded devices (cited 1 time: 0 self-citations, 1 by others)
A flexible code-processing architecture for visual page programs on embedded devices is proposed. Based on a hierarchical component model, the relevant data structures and function-call interfaces are derived. By invoking the code generator's open interfaces from scripts, code can be customised for different run-time scenarios. By extending the parsing and pre-processing functions, efficient and compact code can be generated. Using a generic template-substitution approach, build files for several processors can be produced automatically. The technique has been applied in volume in the development of power-system protection and control devices, significantly improving development efficiency and quality.

20.
Approaches to runtime checking have to track the execution of a software system and therefore have to generate and process execution events. Often these techniques are applied at the code level, either by inserting new source code before compilation or by modifying the target code, e.g. Java bytecode, before running the program. The jassda [4,3] framework and tool enable runtime checking of Java programs against a CSP-like specification. To generate events it uses the Java Debug Interface (JDI), so no modifications to the code are necessary. Another advantage is that events are generated on demand: which events to generate for the current debug run is determined dynamically at run time, without modifying the program itself. This paper shows how this event generation is done by the jassda framework.
