一种软硬件结合的控制流检测与恢复方法

控制流检测可以有效地提高微处理器容错能力.针对传统软件实现的控制流检测时空开销大的缺点,提出了一种软硬件结合的控制流检测与恢复方法.该方法通过编译自动插入签名数据,由硬件在分支/跳转指令之后自动执行检测,并且提供了硬件现场保存和恢复机制,检测到控制流错误后无需复位系统即可以快速恢复正常控制流.基于8051体系结构实现了软硬件结合的控制流检测与恢复方法,实验结果表明与传统的软件控制流检测相比,该方法在保持相同的错误检测率的情况下,可以大幅减小二进制代码量和额外的性能开销,在发生控制流错误以后可以快速恢复正常控制流.     

一个基于硬件虚拟化的内核完整性监控方法

对操作系统内核的攻击就是通过篡改关键数据和改变控制流来危及操作系统的安全。已有的一些方法通过保护代码完整性或控制流完整性来抵御这些攻击,但是这往往只关注于某一个方面而没有给出一个完整的监控方法。通过对内核完整性概念的分析,得出了在实际系统中保证内核完整性需要的条件:保障数据完整性,影响系统功能的关键数据对象只能由指定的代码在特定情况下修改;保障控制流完整性,保护和监控影响代码执行序列改变的所有因素。并采用硬件虚拟化的Xen虚拟机监控器实现对Linux内核的保护和监控。实验结果证明,该方法能够阻止外来攻击和本身漏洞对内核的破坏。     

ARM架构中控制流完整性验证技术研究

通用平台目标二进制代码运行时控制流的提取主要依赖于处理器硬件特性,或其动态二进制插桩工具,该平台的控制流完整性验证方法无法直接移植到进阶精简指令集机器( ARM)架构中。为此,基于控制流完整性验证技术,设计一种用于ARM架构,利用缓冲溢出漏洞检测控制流劫持攻击的方法。该方法在程序加载时、执行前动态构建合法跳转地址白名单,在目标二进制代码动态执行过程中完成控制流完整性验证,从而检测非法控制流转移,并对非法跳转地址进行分析,实现漏洞的检测和诊断。在ARM-Linux系统的动态二进制分析平台上实施测试,结果表明,该方法能够检测出漏洞,并精确定位攻击矢量。     

进程控制流完整性保护技术综述

控制流劫持攻击利用程序内存漏洞获取程序的控制权,进而控制程序执行恶意代码,对系统安全造成极大的威胁.为了应对控制流劫持攻击,研究人员提出了一系列的防御手段.控制流完整性是一种运行时防御方法,通过阻止进程控制流的非法转移,来确保控制流始终处于程序要求的范围之内.近年来,越来越多的研究致力于解决控制流完整性的相关问题,例如提出新的控制流完整性方案、新的控制流完整性方案评估方法等.首先阐述了控制流完整性的基本原理,然后对现有控制流完整性方案进行了分类,并分别进行了分析,同时介绍了现有针对控制流完整性方案的评估方法与评价指标.最后,对控制流完整性的未来工作进行了展望,以期对未来的控制流完整性研究提供参考.     

汇编级软硬结合的控制流检测方法

控制流检测技术是防止由于瞬时故障造成程序错误运行的有效手段之一,在ARGOS卫星上测试过的基于汇编语言的软件控制流检测算法CFCSS具有较高的错误检测能力和较低的冗余指令开销,实用性较强,但此算法存在检测混淆和检测出错现象.为此,首先阐述了CFCSS算法中存在的检测混淆和检测出错现象;接下来根据汇编语言特点,修改了基础基本块的选择方法和多调整签名值赋值语句的插入位置,提出了改进的ICFCSS控制流检测算法;为了在ICFCSS算法基础上进一步提高错误检测能力、降低故障延迟时间和冗余指令开销,提出了软硬结合的ICFCSSHS控制流检测方法,此方法在编译程序时只增加了和签名有关的信息,在程序运行时通过译码阶段判指令类型来触发相应的硬件完成控制流检测.实验表明,此方法的冗余代码空间开销比CFCSS算法减少了21. 5%,平均未检测出错误率仅为1. 5%,具有一定的使用价值.     

KMBox:基于Linux内核改造的进程异构冗余执行系统

随机化技术防御进程控制流劫持攻击,是建立在攻击者无法了解当前内存地址空间布局的基础之上,但是,攻击者可以利用内存信息泄露绕过随机化防御获得gadget地址,向程序注入由gadget地址构造的payload,继续实施控制流劫持攻击,窃取敏感数据并夺取或破坏执行软件的系统。目前,异构冗余执行系统是解决该问题的方法之一,基本思想是同一程序运行多个多样化进程,同时处理等效的程序输入。随机化技术使冗余的进程对恶意输入做出不同的输出,同时正常功能不受影响。近年来,一些符合上述描述的系统已经被提出,分析进程异构冗余执行系统的表决设计可以发现,基于ptrace的实现方法会引入大量的上下文切换,影响系统的执行效率。率先直接修改内核设计出一种进程异构冗余执行系统,表决过程完全在内核中完成,冗余的进程独立地采用内存地址空间随机化技术,构建相互异构的内存地址空间布局,在与内存信息泄露相关的系统调用处进行表决,发现泄露信息不一致,阻断进程控制流劫持攻击。即使攻击者跳过内存信息泄露进行漏洞利用,异构内存空间布局也使得注入由gadget地址构造的payload无法同时在冗余的进程中有效,阻断进程控制流劫持攻击。实现...     

基于路径跟踪的控制流检测

硬件瞬时故障可以通过修改指令操作码和操作数的方式引发控制流错误,破坏程序的正常执行。针对硬件瞬时故障引起的程序控制流错误,提出一种指令级控制流检测方法,对程序执行路径进行跟踪。故障注入实验结果表明,该方法的平均错误检测率、增加的内存消耗和性能损耗分别为97.8%, 83.2%和52.9%。     

基于函数级控制流监控的软件防篡改

软件防篡改是软件保护的重要手段。针对由缓冲区溢出等攻击导致的控制流篡改,提出一种基于函数级控制流监控的软件防篡改方法。以函数级控制流描述软件正常行为,利用二进制重写技术在软件函数入口处植入哨兵,由监控模块实时获取哨兵发送的软件运行状态,通过对比运行状态和预期值判断程序是否被篡改。实现了原型系统并对其进行了性能分析,实验结果表明,基于函数级控制流监控的软件防篡改方法能有效检测对控制流的篡改攻击,无误报且开销较低,其实现不依赖程序源码,无需修改底层硬件和操作系统,监控机制与被保护软件隔离,提高了安全性。     

基于动态数据流分析的虚拟机保护破解技术

由于虚拟机采用虚拟化技术和代码混淆技术,采用传统的逆向分析方法还原被虚拟机保护的算法时存在较大困难。为此,提出一种基于动态数据流分析的虚拟机保护破解方法。以动态二进制插桩平台Pin作为支撑,跟踪记录被虚拟机保护的算法在动态执行过程中的数据流信息,对记录的数据流信息进行整理分析,获取虚拟机指令的解释执行轨迹,还原程序的控制流图,根据轨迹信息对数据生成过程进行分层次、分阶段还原,并由分析人员结合控制流图和数据生成过程进行算法重构。实验结果证明,该方法能够正确还原程序的控制流和数据生成过程,辅助分析人员完成被保护算法的重构。     

基于级联森林的控制流错误检测优化算法

在单粒子翻转引起的瞬时故障中,控制流错误占很大比例.主流的控制流错误软件检测方法依靠插桩标签来检测控制流错误.但基于标签的检测算法很难在标签插桩的开销和错误检测率之间找到一个平衡.本文提出一种智能的基本块拆分方法,在不用修改原有检测算法的基础上,提升控制流错误的检测率,同时尽可能的减小额外开销.首先,使用GDB调试工具...     

Analysis of dependencies in advanced transaction models

Transactional dependencies play an important role in coordinating and executing the subtransactions in advanced transaction processing models, such as, nested transactions and workflow transactions. Researchers have formalized the notion of transactional dependencies and have shown how various advanced transaction models can be expressed using different kinds of dependencies. Incorrect specification of dependencies can result in unpredictable behavior of the advanced transaction, which, in turn, can lead to unavailability of resources and information integrity problems. In this work, we focus on how to correctly specify dependencies in an advanced transaction. We enumerate the different kinds of dependencies that may be present in an advanced transaction and classify them into two broad categories: event ordering and event enforcement dependencies. Different event ordering and event enforcement dependencies in an advanced transaction often interact in subtle ways resulting in conflicts and redundancies. We describe the different types of conflicts that can arise due to the presence of multiple dependencies and describe how one can detect such conflicts. An advanced transaction may also contain redundant dependencies—these are dependencies that can be logically derived from other dependencies. We show how such extraneous dependencies can be eliminated to get an equivalent set of dependencies that has the same effect as the original set. Our dependency analysis is done in the context of a generalized advanced transaction model that is capable of expressing different kinds of advanced transactions. Recommended by: Amit Sheth     

A concurrent abstract interpreter

Abstract interpretation [6] has been long regarded as a promising optimization and analysis technique for high-level languages. In this article, we describe an implementation of aconcurrent abstract interpreter. The interpreter evaluates programs written in an expressive parallel language that supports dynamic process creation, first-class locations, list data structures and higher-order procedures. Synchronization in the input language is mediated via first-class shared locations. The analysis computes intra- and inter-threadcontrol anddataflow information. The interpreter is implemented on top of Sting [12], a multi-threaded dialect of Scheme that serves as a high-level operating system for modern programming languages.     

Rewriting executable files to measure program behavior

Inserting instrumentation code in a program is an effective technique for detecting, recording, and measuring many aspects of a program's performance. Instrumentation code can be added at any stage of the compilation process by specially-modified system tools such as a compiler or linker or by new tools from a measurement system. For several reasons, adding instrumentation code after the compilation process—by rewriting the executable file—presents fewer complications and leads to more complete measurements. This paper describes the difficulties in adding code to executable files that arose in developing the profiling and tracing tools qp and qpt. The techniques used by these tools to instrument programs on MIPS and SPARC processors are applicable in other instrumentation systems running on many processors and operating systems. In addition, many difficulties could have been avoided with minor changes to compilers and executable file formats. These changes would simplify this approach to measuring program performance and make it more generally useful.     

一种用于容错处理器的指令复制方法

介绍一种在容错处理器中实现指令复制的方法。处理器的容错机制是通过修改超标量体系结构,利用时间冗余技术实现的。指令复制是容错机制的一种重要功能。详细描述了其实现方法,同时论述了结合指令复制方法对程序控制流的正确性进行检测的问题。     

一种检测程序控制流故障的方法

本文介绍一种在容错处理器中实现控制流故障检测的方法。处理器的容错机制是通过修改超标量体系结构,利用时间冗余技术实现的。处理器支持两个指令流并发执行,本文提出的控制流检测算法是通过比较两个时间冗余的指令流的执行结果实现的,与同类实现方案相比,此方法可以进一步节省硬件资源以及额外的处理器执行时间。     

Analysis on demand: Instantaneous soundness checking of industrial business process models

We report on a case study on control-flow analysis of business process models. We checked 735 industrial business process models from financial services, telecommunications, and other domains. We investigated these models for soundness (absence of deadlock and lack of synchronization) using three different approaches: the business process verification tool Woflan, the Petri net model checker LoLA, and a recently developed technique based on SESE decomposition. We evaluate the various techniques used by these approaches in terms of their ability of accelerating the check. Our results show that industrial business process models can be checked in a few milliseconds, which enables tight integration of modeling with control-flow analysis. We also briefly compare the diagnostic information delivered by the different approaches and report some first insights from industrial applications.     

Extensible intraprocedural flow analysis at the abstract syntax tree level

We have developed a new approach for implementing precise intraprocedural control-flow and dataflow analyses at the abstract syntax tree level. Our approach is declarative, making use of reference attribute grammars augmented with circular attributes and collection attributes. This results in concise executable specifications of the analyses, allowing extensions both to the language and with further source code analyses.     

系统服务Rootkits隐藏行为分析

用挂钩系统服务来实现进程、文件、注册表、端口等对象的隐藏是最常见的rootkits实现方式.然而大量的检测方法并不能将rootkits和其所隐藏的对象对应起来.本文分析了用户层和内核层系统服务rootkits的隐藏行为,建立了6种模型.在检测出系统服务rootkits的基础上,提出了一种分析其二进制执行代码,匹配模型,找出隐藏对象的方法,实现了一个隐藏行为分析原型.实验结果证明这种隐藏行为分析方法能有效分析出隐藏对象.     

New aspect-oriented constructs for security hardening concerns

In this paper, we present new pointcuts and primitives to Aspect-Oriented Programming (AOP) languages that are needed for systematic hardening of security concerns. The two proposed pointcuts allow to identify particular join points in a program's control-flow graph (CFG). The first one is the GAFlow, Closest Guaranteed Ancestor, which returns the closest ancestor join point to the pointcuts of interest that is on all their runtime paths. The second one is the GDFlow, Closest Guaranteed Descendant, which returns the closest child join point that can be reached by all paths starting from the pointcut of interest. The two proposed primitives are called ExportParameter and ImportParameter and are used to pass parameters between two pointcuts. They allow to analyze a program's call graph in order to determine how to change function signatures for passing the parameters associated with a given security hardening. We find these pointcuts and primitives to be necessary because they are needed to perform many security hardening practices and, to the best of our knowledge, none of the existing ones can provide their functionalities. Moreover, we show the viability and correctness of the proposed pointcuts and primitives by elaborating and implementing their algorithms and presenting the result of explanatory case studies.