CN116738414A - Attack detection method, processor, electronic device and storage medium - Google Patents

Attack detection method, processor, electronic device and storage medium Download PDF

Info

Publication number
CN116738414A
CN116738414A CN202310686819.7A CN202310686819A CN116738414A CN 116738414 A CN116738414 A CN 116738414A CN 202310686819 A CN202310686819 A CN 202310686819A CN 116738414 A CN116738414 A CN 116738414A
Authority
CN
China
Prior art keywords
instruction
branch
landing state
indirect
landing
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310686819.7A
Other languages
Chinese (zh)
Inventor
张仕健
黄嘉逸
吴优
段立德
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alibaba China Co Ltd
Original Assignee
Alibaba China Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alibaba China Co Ltd filed Critical Alibaba China Co Ltd
Priority to CN202310686819.7A priority Critical patent/CN116738414A/en
Publication of CN116738414A publication Critical patent/CN116738414A/en
Pending legal-status Critical Current

Links

Landscapes

  • Executing Machine-Instructions (AREA)

Abstract

The embodiment of the application provides an attack detection method, a processor, electronic equipment and a storage medium, wherein the attack detection method comprises the following steps: writing landing state parameters of an indirect branch instruction into a branch landing state register in response to the indirect branch instruction being executed, wherein the indirect branch instruction comprises an indirect jump instruction, a function call instruction or a return instruction, and the indirect jump instruction, the function call instruction and the return instruction correspond to different landing state parameters; determining a checkpoint instruction to jump from the indirect branch instruction; performing validity check on the check point instruction according to the type of the check point instruction and the difference between the instruction parameter of the check point instruction and the landing state parameter in the branch landing state register; and if the check point instruction is illegal, sending out alarm information. The scheme can reduce the consumption of computing resources for JOP attack protection and ROP attack protection.

Description

Attack detection method, processor, electronic device and storage medium
Technical Field
The embodiment of the application relates to the technical field of processors, in particular to an attack detection method, a processor, electronic equipment and a storage medium.
Background
Jump-pilot programming (JOP) attacks and Return-pilot programming (ROP) attacks are two types of code reuse attacks that can reuse legitimate code of a vulnerable program and construct an attack program without injecting code. JOP attacks use program indirect jump instructions and indirect call instructions to change the control flow of the program, and ROP attacks use return instructions (ret instructions) to change the control flow of the program.
At present, different protection modes are adopted by JOP attack and ROP attack, the JOP attack can be protected by verifying whether an internal function jump control flow is complete, and the ROP attack can be protected by randomizing address space layout.
However, since the JOP attack and the ROP attack are protected in different manners, the JOP attack protection and the ROP attack protection both need to consume more computing resources of the processor, which results in a greater impact on the performance of the processor.
Disclosure of Invention
In view of the above, embodiments of the present application provide an attack detection method, a processor, an electronic device and a storage medium, so as to at least partially solve the above problems.
According to a first aspect of an embodiment of the present application, there is provided an attack detection method, including: writing landing state parameters of an indirect branch instruction into a branch landing state register in response to the indirect branch instruction being executed, wherein the indirect branch instruction comprises an indirect jump instruction, a function call instruction or a return instruction, and the indirect jump instruction, the function call instruction and the return instruction correspond to different landing state parameters; determining a checkpoint instruction to jump from the indirect branch instruction; performing validity check on the check point instruction according to the type of the check point instruction and the difference between the instruction parameter of the check point instruction and the landing state parameter in the branch landing state register; and if the check point instruction is illegal, sending out alarm information.
According to a second aspect of an embodiment of the present application, there is provided a processor including: an electrically connected branch landing status register and an instruction execution unit to: writing landing state parameters of an indirect branch instruction into a branch landing state register in response to the indirect branch instruction being executed, wherein the indirect branch instruction comprises an indirect jump instruction, a function call instruction or a return instruction, and the indirect jump instruction, the function call instruction and the return instruction correspond to different landing state parameters; determining a checkpoint instruction to jump from the indirect branch instruction; performing validity check on the check point instruction according to the type of the check point instruction and the difference between the instruction parameter of the check point instruction and the landing state parameter in the branch landing state register; and if the check point instruction is illegal, sending out alarm information.
According to a third aspect of an embodiment of the present application, there is provided an electronic apparatus including: the device comprises a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface are communicated with each other through the communication bus; the memory is configured to store at least one executable instruction, where the executable instruction causes the processor to perform operations corresponding to the method according to the first aspect.
According to a fourth aspect of embodiments of the present application, there is provided a computer storage medium having stored thereon a computer program which, when executed by a processor, implements the method of the first aspect described above.
According to the technical scheme, after the indirect branch instruction is instructed, the landing state parameters of the indirect branch instruction are written into the branch landing state register, the checkpoint instruction jumped to from the indirect branch instruction is determined, the validity check is carried out on the checkpoint instruction according to the type of the checkpoint instruction and the difference between the instruction parameters of the checkpoint instruction and the landing state parameters in the branch landing state register, and if the checkpoint instruction is illegal, alarm information is sent out. The target instruction jumped to from the indirect branch instruction has a specific instruction type, the indirect branch instruction is matched with the landing state parameter and the instruction parameter of the target instruction, if the processor is attacked by ROP or JOP, the type of the target instruction or the instruction parameter of the target instruction is changed, so that the validity of the checkpoint instruction can be checked according to the type of the checkpoint instruction and the difference between the instruction parameter of the checkpoint instruction and the landing state parameter in the branch landing state register, whether the processor is attacked by ROP or JOP is determined, unified detection and protection of JOP attack and ROP attack are realized, and the calculation resources consumed by JOP attack protection and ROP attack protection are reduced, thereby improving the performance of the processor.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments described in the embodiments of the present application, and other drawings may be obtained according to these drawings for a person having ordinary skill in the art.
FIG. 1 is a schematic diagram of a processor according to one embodiment of the application;
FIG. 2 is a flow chart of an attack detection method of one embodiment of the present application;
FIG. 3 is a schematic diagram of a return address stack of one embodiment of the present application;
FIG. 4 is a schematic diagram of a branch landing status register write process according to one embodiment of the present application;
FIG. 5 is a schematic diagram of an attack detection procedure for indirect jump instructions according to one embodiment of the present application;
FIG. 6 is a schematic diagram of an attack detection procedure for an indirect jump instruction according to another embodiment of the present application;
FIG. 7 is a schematic diagram of an attack detection procedure for a function call instruction according to one embodiment of the present application;
FIG. 8 is a schematic diagram of an attack detection procedure for a function call instruction according to another embodiment of the present application;
FIG. 9 is a schematic diagram of an attack detection procedure for a return instruction according to one embodiment of the present application;
FIG. 10 is a schematic diagram of an attack detection procedure for a return instruction according to another embodiment of the present application;
fig. 11 is a schematic diagram of an electronic device according to an embodiment of the application.
Detailed Description
The present application is described below based on examples, but the present application is not limited to only these examples. In the following detailed description of the present application, certain specific details are set forth in detail. The present application will be fully understood by those skilled in the art without the details described herein. Well-known methods, procedures, and flows have not been described in detail so as not to obscure the nature of the application. The figures are not necessarily drawn to scale.
First, partial terms or terminology appearing in the course of describing the embodiments of the application are applicable to the following explanation.
Buffer overflow: buffer overflow (buffer overflow) is a process of writing the content (usually, data exceeding the maximum data amount that can be stored in the buffer) overflowed to the program input buffer against the programming defect, thereby destroying the program operation and obtaining the control right of the program or the system through program jump.
Return-directed programming attack: return-to-oriented Programming (ROP) attacks refer to using buffer overflows to destroy stack frames and modify the Return address of the currently executing function on the stack, the modified Return address being the branch target, directing program control flow and executing the attack.
Jump-oriented programming attack: jump-oriented programming (JOP) attacks utilize indirect branch instructions to illegally modify register contents via buffer overflows to Jump to a specified program segment, and to implement the attack via the jumped-to program segment.
Indirect jump instruction: an indirect jump (direct jump) instruction is a jump instruction with the destination address of the jump in a register. The indirect jump instruction may be a jr instruction that may jump to a register in the format of jr rs, where jr represents a jump register and rs is a register address.
Function call instruction: the function call (function call) instruction is used for calling a function, and after the function execution is finished, the original program control flow is returned through the return instruction. The function call instruction includes a direct function call (direct function call) instruction whose target address is an immediate (immediate code) and an indirect function call (indirect function call) instruction whose operand is a register whose contents are addresses of functions to be called. The direct function call instructions include function call instructions jal (jump and link) and the indirect function call instructions include function call instructions jalr (jump and link register).
Return instruction: a return instruction (return) is included in the called function that, when executed by the called function, returns to the program control flow of the original calling function.
Application environment of the application
The embodiment of the application provides a processor attack detection scheme. The overall processor attack detection scheme is relatively versatile and can be used for various hardware devices including processors based on instruction set architectures such as advanced reduced instruction set machines (Advanced RISC Machine, ARM), fifth-generation reduced instruction set computers (RISC-V), etc., such as data centers, multi-processing servers, internet of things (Internet of Things, ioT) devices, embedded devices, etc.
Processor and method for controlling the same
FIG. 1 is a schematic block diagram of a processor 10 in accordance with one embodiment of the present application. As shown in fig. 1, processor 10 may include one or more processor cores 11 for processing instructions, the processing and execution of which may be controlled by a user (e.g., via an application program) and/or a system platform. The processor core 11 may be used to process specific instruction sets, which may support complex instruction set computations (Complex Instruction Set Computing, CISC), reduced instruction set computations ((Reduced Instruction Set Computing, RISC) or very long instruction word (Very Long Instruction Word, VLIW) based computations, it being particularly noted that the processor core 11 is adapted to process RISC-V instruction sets different processor cores 11 may each process different or the same instruction sets, the processor core 11 may further comprise other processing modules, such as a digital signal processor (Digital Signal Processor, DSP) etc. as an example, the processor cores 1 to m are shown in fig. 1, m being a positive integer.
The cache memory may be wholly or partially integrated into the processor 10. Depending on the architecture, the cache may be a single or multiple levels of internal cache (e.g., level 3 caches L1 and L2 shown in FIG. 1, generally indicated at 18 in FIG. 1) located within and/or outside of each processor core 11, or may include instruction-and instruction-oriented caches and data-oriented data caches. The components in processor 10 may share at least a portion of cache memory, e.g., processor cores 1 through m may share a second level cache memory L2. Processor 10 may also include an external cache (not shown), and other cache structures may also be used as external caches for processor 10.
As shown in fig. 1, processor 10 may include a Register File (Register File) 111, and Register File 111 may include a plurality of registers for storing different types of data and/or instructions, which may be different types, such as, for example, register File 111 may include integer registers, floating point registers, status registers, instruction registers, pointer registers, and the like. The registers in the register file 111 may be implemented using general purpose registers, or may be designed specifically according to the actual requirements of the processor 10.
The processor 10 may include a memory management unit (Memory Management Unit, MMU) 112 for effecting virtual address to physical address translation. Some entries in the page table are cached in the memory management unit 112, and the memory management unit 112 may also obtain entries from the memory that are not cached. One or more memory management units 112 may be disposed in the processor cores 11, and the memory management units 112 in different processor cores 11 may be synchronized with the memory management units 112 in other processors 10 or processor cores 11, so that the processors 10 or processor cores 11 may share a unified virtual storage system.
The processor 10 is configured to execute a sequence of instructions (i.e., a program). The process by which the processor 10 executes instructions includes: fetching the instruction from the memory for storing the instruction, decoding the fetched instruction, executing the decoded instruction, saving the instruction execution result and the like, and circulating the steps until all the instructions in the instruction sequence are executed or a stop instruction is encountered.
To implement the above-described process, the processor 10 may include an instruction fetch unit 113, an instruction decode unit 114, an instruction issue unit (not shown), an instruction execution unit 115, an instruction commit unit (not shown), and the like.
Instruction fetch unit 113 acts as a boot engine for processor 10 to handle instructions from memory 20 into instruction registers (which may be one of the register files 111 shown in FIG. 1 for storing instructions) and to receive a next fetch address or to obtain a next fetch address based on a fetch algorithm, which may be an increment or decrement of an address based on instruction length.
After fetching an instruction, the processor 10 enters an instruction decode stage, where the instruction decode unit 114 decodes the fetched instruction in accordance with a predetermined instruction format to obtain the operands required by the fetched instruction, in preparation for operation of the instruction execution unit 115. The operands may include pointing to an immediate, a register, or other software/hardware capable of providing the source operand.
Instruction issue units are typically present in high performance processors 10 between instruction decode units 114 and instruction execution units 115 for scheduling and control of instructions to efficiently distribute individual instructions to different instruction execution units 115, enabling parallel operation of multiple instructions. After an instruction is fetched, decoded, and dispatched to the corresponding instruction execution unit 115, the corresponding instruction execution unit 115 begins executing the instruction, i.e., performing the operation indicated by the instruction, to achieve the corresponding function.
The instruction commit unit (or referred to as an instruction writeback unit) is mainly responsible for writing back the execution result generated by the instruction execution unit 115 to a corresponding memory location (e.g., a register within the processor 10) so that subsequent instructions can quickly obtain the corresponding execution result from the memory location.
For different classes of instructions, different instruction execution units 115 may be provided accordingly in the processor 10. The instruction execution unit 115 may be an arithmetic unit (e.g., including an arithmetic logic unit, an integer processing unit, a vector operation unit, etc., for performing operations according to operands and outputting operation results), a memory execution unit (e.g., for accessing a memory to read data in the memory or write specified data to the memory, etc., according to instructions), a coprocessor, etc. In the processor 10, the respective instruction execution units 115 may run in parallel and output corresponding execution results.
The instruction execution unit 115, when executing some type of instruction (e.g., a memory access instruction), needs to access the memory 20 to retrieve information stored in the memory 20 or to provide data that needs to be written into the memory 20. It should be noted that, the instruction execution Unit 115 for executing the memory access instruction may also be referred to as a memory execution Unit, which may be a Load Store Unit (LSU) and/or other units for memory access.
After the access instruction is fetched by the instruction fetch unit 113, the instruction decode unit 114 may decode the access instruction so that the source operand of the access instruction may be fetched. The decoded memory access instruction is provided to a corresponding instruction execution unit 115, and the instruction execution unit 115 may perform a corresponding operation on a source operand of the memory access instruction (e.g., an operation on a source operand stored in a register by an arithmetic logic unit) to obtain address information corresponding to the memory access instruction, and initiate a corresponding request, such as an address translation request, a write access request, etc., according to the address information.
The source operands of the memory instructions typically include address operands that are operated on by the instruction execution unit 115 to obtain a virtual or physical address corresponding to the memory instruction. When the memory management unit 112 is disabled, the instruction execution unit 115 may obtain the physical address of the memory access instruction directly through a logical operation. When the memory management unit 112 is enabled, the corresponding instruction execution unit 115 initiates an address translation request according to the virtual address corresponding to the memory instruction, the address translation request including a virtual address corresponding to an address operand of the memory instruction; the memory management unit 112 responds to the address translation request and translates virtual addresses in the address translation request to physical addresses according to entries matching the virtual addresses so that the instruction execution unit 115 can access the cache 18 and/or the memory 20 according to the translated physical addresses.
Depending on the functionality, the memory access instructions may include load instructions and store instructions. The execution of a load instruction typically does not require modification of information in memory 20 or cache 18, and instruction execution unit 115 need only read data stored in memory 20, cache 18, or an external storage device based on the address operand of the load instruction. Unlike load instructions, the source operands of store instructions include not only address operands but also data information, and the execution of store instructions typically requires modification of the information in memory 20 and/or cache 18. The data information of the store instruction may point to write data, where the source of the write data may be the result of execution of an instruction such as an operation instruction or a load instruction, or may be data provided by a register or other storage unit in the processor 10, or may be an immediate.
After the instruction execution unit 115 executes the indirect branch instruction, the program control flow jumps to the target instruction, and if the processor 10 is under ROP attack or JOP attack, the target instruction is modified to be an illegal instruction, and the execution of the illegal instruction by the instruction execution unit 115 causes the program operation to be destroyed, or the control right of the program or the system to be illegally acquired. To detect whether the processor 10 is attacked by ROP and JOP, the instruction execution unit 115 may write the landing state parameters of the indirect branch instruction into the branch landing state register after executing the indirect branch instruction, where different types of indirect branch instructions correspond to different landing state parameters, and perform validity check on the checkpoint instruction according to the type of the checkpoint instruction and the difference between the instruction parameters of the checkpoint instruction and the landing state parameters in the branch landing state register before the instruction execution unit 115 executes the checkpoint instruction skipped from the indirect branch instruction, and if the check result is that the checkpoint instruction is illegal, issue alarm information.
If the processor 10 is attacked by ROP or JOP, the checkpoint instruction will be tampered with, which will cause the type or instruction parameters of the checkpoint instruction to change, so that when the validity of the checkpoint instruction is checked, the validity of the checkpoint instruction will be checked, and further alarm information will be sent to prompt the user to process or stop executing the checkpoint instruction.
The branch landing status register is used for storing the landing status parameters of the indirect branch instruction, and as the instruction executed by the instruction execution unit 115 changes, the landing status parameters in the branch landing status register correspondingly change. The branch landing status register may be a register in the register file 111, or may be a register outside the register file 111, which is not limited in this embodiment of the present application.
When the program executed by the processor 10 is developed, the instruction parameters of the checkpoint instruction skipped from the indirect branch instruction are matched with the landing state parameters of the indirect branch instruction, and the checkpoint instruction is an instruction of a specified type, so that when the processor 10 is not attacked by ROP and JOP, the result of validity check on the checkpoint instruction is that the checkpoint instruction is legal, and normal running of the program is ensured.
The embodiment of the present application mainly focuses on detection of a ROP attack and a JOP attack during execution of an instruction by the instruction execution unit 115, and a detailed description will be given below of detection of a ROP attack and a JOP attack.
Attack detection method
Fig. 2 is a flowchart of an attack detection method according to an embodiment of the present application, which can be executed by the instruction execution unit 115 in the above-described embodiment. As shown in fig. 2, the attack detection method includes the steps of:
step 201, in response to the indirect branch instruction being executed, writes a landing state parameter of the indirect branch instruction to a branch landing state register.
The indirect branch instruction may be an indirect jump instruction, a function call instruction or a return instruction, corresponding landing state parameters are set for the indirect jump instruction, the function call instruction and the return instruction respectively, and the indirect jump instruction, the function call instruction and the return instruction correspond to different landing state parameters. For the non-indirect branch instruction, a corresponding landing state parameter is also set, and the landing state parameter of the non-indirect branch instruction is different from the landing state parameter of the indirect branch instruction. The default value of the branch landing status register is the landing status parameter of the non-indirect branch instruction. For example, the landing state parameter of the indirect jump instruction is 0b0001, the landing state parameter of the function call instruction is 0b0010, and the landing state parameter of the non-indirect branch instruction is 0b0000, where 0b indicates that the data type of the landing state parameter is a binary number.
When the instruction execution unit 115 executes an instruction in the program, if the instruction is an indirect branch instruction, the corresponding landing state parameter is written into the branch landing state register according to the type of the indirect branch instruction, and if the instruction is a non-indirect branch instruction, the branch landing state register maintains a default value.
Step 202, determining a checkpoint instruction to jump from an indirect branch instruction.
The indirect branch instruction is used to implement the jump of the program flow, and after the instruction execution unit 155 executes the indirect branch instruction, the instruction after the indirect branch instruction is not executed any more, but jumps to the target instruction defined by the indirect branch instruction, where the target instruction defined by the indirect branch instruction is the checkpoint instruction.
Depending on the type of indirect branch instruction, the location of the checkpoint instruction in the program flow varies. When the indirect branch instruction is an indirect jump instruction, the checkpoint instruction is the jump target of the indirect branch instruction. When the indirect branch instruction is a function call instruction, the checkpoint instruction is the first instruction of the function entry called by the indirect branch instruction. When the indirect branch instruction is a return instruction, the check point instruction is the next instruction of a function call instruction in the program flow, which calls the function where the return instruction is located.
When developing a program executed by the processor 10, a corresponding branch landing instruction may be set for an indirect branch instruction in the program, and during program execution, it may be checked whether a checkpoint instruction skipped from the indirect branch instruction is a branch landing instruction, and if the checkpoint instruction is not a branch landing instruction, it may be determined that the program is subjected to ROP attack or JOP attack, resulting in tampering with the skip target of the indirect branch instruction.
Step 203, performing validity check on the checkpoint instruction according to the type of the checkpoint instruction and the difference between the instruction parameters of the checkpoint instruction and the landing state parameters in the branch landing state register.
When the processor is not under ROP attack and JOP attack, the checkpoint instruction to which the indirect branch instruction jumps should be a specific type of instruction, such as setting the jump target of the indirect branch instruction as a branch landing instruction when developing a program. If, upon execution of an indirect branch instruction, it is checked that the checkpoint instruction that jumps from the indirect branch instruction is not a particular type of instruction, such as is not a branch landing instruction, it may be determined that the checkpoint instruction was tampered with.
When developing a program to be executed by the processor 10, corresponding instruction parameters are set for the jump target of the indirect branch instruction, e.g. the jump target of the indirect branch instruction is a branch landing instruction, and then corresponding instruction parameters are set for the branch landing instruction, which match the landing state parameters of the indirect branch instruction. If the processor is not under ROP attack and JOP attack, the landing state parameters of the indirect branch instruction and the instruction parameters of the checkpoint instruction should match, and if the state data of the indirect branch instruction does not match the instruction parameters of the checkpoint instruction, it may be determined that the checkpoint instruction is tampered with.
And checking the legitimacy of the checkpoint instruction by combining the instruction type of the checkpoint instruction and the difference between the instruction parameters of the checkpoint instruction and the current branch landing state register content to determine whether the checkpoint instruction is tampered.
And 204, if the check point instruction is illegal, sending out alarm information.
After the validity check is carried out on the check point instruction, if the check point instruction is determined to be illegal, the processor is indicated to be attacked by ROP or JOP, and then alarm information is sent out. After sending out the alarm information, the processor or the user processes the alarm information aiming at the ROP attack or the JOP attack, and the embodiment of the application does not limit the follow-up processing adopted based on the alarm information.
In the embodiment of the application, after an indirect branch instruction is instructed, the landing state parameter of the indirect branch instruction is written into a branch landing state register, and a check point instruction skipped from the indirect branch instruction is determined, so that the validity check is carried out on the check point instruction according to the type of the check point instruction and the difference between the instruction parameter of the check point instruction and the landing state parameter in the branch landing state register, and if the check point instruction is illegal, alarm information is sent out. The target instruction jumped to from the indirect branch instruction has a specific instruction type, the indirect branch instruction is matched with the landing state parameter and the instruction parameter of the target instruction, if the processor is attacked by ROP or JOP, the type of the target instruction or the instruction parameter of the target instruction is changed, so that the validity of the checkpoint instruction can be checked according to the type of the checkpoint instruction and the difference between the instruction parameter of the checkpoint instruction and the landing state parameter in the branch landing state register, whether the processor is attacked by ROP or JOP is determined, unified detection and protection of JOP attack and ROP attack are realized, and the calculation resources consumed by JOP attack protection and ROP attack protection are reduced, thereby improving the performance of the processor.
In one possible implementation, different types of indirect branch instructions correspond to different landing state parameters, the landing state parameter corresponding to the indirect jump instruction is a first landing state parameter, the landing state parameter corresponding to the function call instruction is a second landing state parameter, and the first landing state parameter is different from the second landing state parameter, for example, the first landing state parameter is 0b0001, and the second landing state parameter is 0b0010. When an indirect branch instruction is instructed, the corresponding landing state parameters are written into the branch landing state registers according to the instruction type of the indirect branch instruction.
If the indirect branch instruction is an indirect jump instruction, a first landing state parameter is written to the branch landing state register, such as 0b0001 is written to the branch landing state register, in response to execution of the indirect branch instruction. If the indirect branch instruction is a function call instruction, a second landing state parameter is written to the branch landing state register, such as 0b0010 is written to the branch landing state register, in response to execution of the function call instruction.
In the embodiment of the application, the indirect jump instruction and the function call instruction correspond to different landing state parameters, the first landing state parameter is written into the branch landing state register when the indirect jump instruction is executed, and the second landing state parameter is written into the branch landing state register when the function call instruction is executed, so that JOP attack protection can be respectively carried out on the indirect jump instruction and the function call instruction, the attack difficulty of a JOP attack protection strategy is improved, and the effect of protecting against JOP attack is improved.
In one possible implementation, if the indirect branch instruction is a return instruction, the landing state parameter of the return instruction is written into the branch landing state register when the return instruction is executed according to the type of the function call instruction corresponding to the return instruction.
Because the function call instruction corresponding to the return instruction can be a direct function call instruction or an indirect function call instruction, the landing state parameter of the return instruction can be determined according to the type of the function call instruction corresponding to the return instruction. The landing state parameters of the return instructions corresponding to the different types of function call instructions are different, for example, the landing state parameter of the return instruction corresponding to the direct function call instruction is a third landing state parameter, the third landing state parameter may be 0b0100, the landing state parameter of the return instruction corresponding to the indirect function call instruction is a fourth landing state parameter, and the fourth landing state parameter may be 0b1000.
It should be noted that the same return instruction may return to the direct function call instruction or may return to the indirect function call instruction, so that the landing state parameters corresponding to the same return instruction are different when the same return instruction corresponds to different types of function call instructions.
In the embodiment of the application, the return instruction executes the return action aiming at the function call instruction of different types, the landing state parameters of the return instruction are determined according to the types of the function call instruction corresponding to the return instruction, and the landing state parameters of the return instruction corresponding to the different function call instructions are different, so that ROP attack protection can be carried out aiming at the return instruction corresponding to the function call instruction of different types, the attack difficulty of an ROP attack protection strategy is improved, and the effect of ROP attack protection is improved.
In one possible implementation, to determine a landing state parameter of a return instruction according to a type of a function call instruction, a return address of the direct function call instruction and a direct call instruction identification are written to a return address stack (Return Address Stack) when the direct function call instruction is executed, and a return address of the indirect function call instruction and an indirect call instruction identification are written to the return address stack when the indirect function call instruction is executed. The return address stack is used to determine landing status parameters for the return instruction.
The landing state parameters of the return instruction are determined based on the type of the function call instruction, after the function call instruction is executed, a plurality of instructions need to be executed before the return instruction, the instruction before the return instruction can be an indirect branch instruction or a non-indirect branch instruction, if the landing state parameters of the corresponding return instruction are written into a branch landing state register after the function call instruction is executed, the landing state parameters of the instruction before the return instruction can be covered, and therefore ROP attack misidentification is caused. Therefore, after the execution of the function call instruction, the type of the function call instruction is recorded, and when the return instruction corresponding to the function call instruction is executed, the landing state parameter of the return instruction is written into the branch landing state register based on the recorded type of the function call instruction.
The Return Address stack is a first-in-last-out buffer for buffering the Return Address (Return Address) of the function call instruction, so that the Return Address stack can buffer the Return Address of the function call instruction and the call instruction identification of the function call instruction by expanding the Return Address stack. FIG. 3 is a schematic diagram of a return address stack including two fields, a return address for caching return addresses of function call instructions and a call instruction identification for caching call instruction identifications of function call instructions, according to one embodiment of the application. Different types of function call instructions correspond to different call instruction identifications, the call instruction identification of the direct function call instruction is a direct call instruction identification, the call instruction identification of the indirect function call instruction is an indirect call instruction identification, in one example, the direct call instruction identification is 0, and the indirect call instruction identification is 1.
And writing the calling instruction identification of the function calling instruction into the return address stack, and determining the landing state parameter of the return address according to the calling instruction identification of the function calling instruction cached in the return address stack when executing the return instruction corresponding to the function calling instruction. For example, if the call instruction identifier of the function call instruction corresponding to the return instruction recorded in the return address stack is 0, that is, the direct call instruction identifier is cached, the landing state parameter of the return instruction is determined to be 0b0100, and if the call instruction identifier of the function call instruction corresponding to the return instruction recorded in the return address stack is 1, that is, the indirect call instruction identifier is cached, the landing state parameter of the return instruction is determined to be 0b1000.
The direct function call instruction may be a JAL instruction, JAL instruction in the format JAL rd, # imm, where rd is a link register (such as X1 or X5 in risc-v architecture), imm representing an immediate. After the jal instruction is fetched, the processor includes a branch prediction unit that writes the return address of the jal instruction and the direct call instruction identification 0 to the return address stack.
The indirect function call instruction may be a jar instruction in the format of jar rd, # imm (rs), where rd is a link register and imm (rs) represents a register. After the jar instruction is obtained, a branch prediction unit included in the processor writes a return address of the jar instruction and an indirect call instruction identification 1 into a return address stack.
In the embodiment of the application, after executing the function call instruction, a plurality of other instructions are required to be executed before executing the return instruction corresponding to the function call instruction, in order to determine the type of the corresponding function call instruction when executing the return instruction, after executing the function call instruction, the call instruction identification of the function call instruction is written into the return address stack, and further, when executing the return instruction, the type of the corresponding function call instruction can be determined according to the call instruction identification recorded by the return address stack, further, the landing state parameter of the return instruction is determined, and the landing state parameter of the return instruction is written into the branch landing state register, so that the landing state parameter of the return instruction can be accurately determined, and further, the accuracy of ROP attack protection is ensured.
In one possible implementation, if the indirect branch instruction is a return instruction, when the indirect branch instruction is executed, checking whether the return address stack is underflowed, if the return address stack is not underflowed, reading the latest piece of data from the return address stack, if the read data includes a direct call instruction identifier, writing a third landing state parameter corresponding to the direct function call instruction into the branch landing state register, and if the read data includes an indirect call instruction identifier, writing a fourth landing state parameter corresponding to the indirect function call instruction into the branch landing state register.
After the execution of the function call instruction into the function body, the function body may further include a function call instruction, where there may be a case where there is no return instruction between two or more function call instructions. When a plurality of function call instructions are executed in succession (no return instruction is executed between execution of two function call instructions), a plurality of pieces of data are written to the return address stack. For example, the function call instruction 1 is used for calling the function body 1, the function body 1 includes a function call instruction 2, the function call instruction 2 is used for calling the function body 2, when the function call instruction 1 is executed, a return address of the function body 1 and a call instruction identifier of the function call instruction 1 are written into a return address stack, when the function call instruction 2 is executed, a return address of the function body 2 and a call instruction identifier of the function call instruction 2 are written into the return address stack, and at this time, 2 pieces of data are written into the return address stack.
Because the function call instruction and the return instruction are in pairs, the return address stack is a buffer zone of first-in and last-out, data is written into the return address stack when the function call instruction is executed, and the data is read out from the return address stack when the return instruction is executed, on the premise that the return address stack does not generate underflow, the latest piece of data in the return address stack is the relevant data of the function call instruction corresponding to the return instruction when the return instruction is executed, and therefore, the landing state parameter of the return address can be determined according to the call instruction identifier included by the latest piece of data in the return address stack. For example, function call instruction 1 and function call instruction 2 are executed sequentially, function call instruction 1 corresponds to return instruction 1, function call instruction 2 corresponds to return instruction 2, data 1 is written to the return address stack when function call instruction 1 is executed, data 2 is written to the return address stack when function call instruction 2 is executed, and data 1 is written to the return address stack prior to data 2. Return instruction 2 is instructed prior to return instruction 1, and when return instruction 2 is executed, the latest piece of data in the return address stack is data 2, thereby reading data 2 from the return address stack, and determining the landing status parameter of return instruction 2 based on data 2. After data 2 is read from the return address stack, the latest piece of data in the return address stack is data 1, so that when return instruction 1 is executed, data 1 is read from the return address stack, and the landing status parameter of return instruction 1 is determined based on data 1.
When a return instruction is acquired, the hardware pops up the latest piece of data from the return address stack, writes 0b0100 (third landing state parameter) into the branch landing state register if the piece of data includes a call instruction identification of 0 (direct call instruction identification), and writes 0b1000 (fourth landing state parameter) into the branch landing state register if the piece of data includes a call instruction identification of 1 (indirect call instruction identification).
In the embodiment of the application, two function call instructions can be continuously executed, and no return instruction exists between the two function call instructions, so that the return address stack can buffer a plurality of data, data is written into the return address stack when the function call instruction is executed, and the data is read out from the return address stack when the return address is executed, so that when one return instruction is executed on the premise that the return address stack does not generate underflow, the latest data in the return address stack is the relevant data of the function call instruction corresponding to the return instruction, and further when the check point instruction is the return instruction, the latest data can be read from the return address stack, the landing state parameter of the return instruction is determined according to the read data, and the correct landing state parameter can be written into the branch landing state register, thereby ensuring the accuracy of checking ROP attacks.
In one possible implementation manner, due to the condition that the return address stack is overflowed, when the return address stack is overflowed, the related data of the function call instruction corresponding to the return instruction cannot be accurately read from the return address stack, namely, the return address of the function call instruction corresponding to the return instruction and the call instruction identification of the function call instruction cannot be accurately read from the return address stack. So in executing the return instruction, if the return address stack underflows, a fifth landing state parameter corresponding to the direct function call instruction and the indirect function call instruction is written into the branch landing state register.
When the return address stack is underflowed, the type of the function call instruction corresponding to the return instruction cannot be determined, the function call instruction actually corresponding to the return instruction can be a direct function call instruction or an indirect function call instruction, and the fifth landing state parameter is written into the branch landing state register. If the processor is not attacked by ROP, when the function call instruction corresponding to the return instruction is a direct function call instruction or an indirect function call instruction, the instruction parameters of the checkpoint instruction skipped to by the return instruction are matched with the fifth landing state parameters.
For example, when the function call instruction corresponding to the return instruction is a direct function call instruction, the instruction parameter of the target instruction skipped from the return instruction is 0b0100, and when the function call instruction corresponding to the return instruction is an indirect function call instruction, the instruction parameter of the target instruction skipped from the return instruction is 0b1000, and the fifth landing state parameter is 0b1100. When the legitimacy check is carried out on the check point instruction, carrying out bit and operation on the instruction parameter of the check point instruction and the landing state parameter in the branch landing state register, when the instruction parameter of the check point instruction is 0b0100 or 0b1000, and when the instruction parameter of the check point instruction is 0b0100 or 0b1000, the bit and operation result of the instruction parameter of the check point instruction and the fifth landing state parameter are not equal to 0, namely the instruction parameter of the check point instruction is matched with the fifth landing state parameter stored in the branch landing state register, and when the check point instruction is a specific type instruction, the check point instruction is determined to be a legal instruction.
In the embodiment of the application, when the indirect branch instruction is the return instruction, if the return address stack overflows, the fifth landing state parameter is written into the branch landing state register, and the fifth landing state parameter corresponds to both the direct function call instruction and the indirect function call instruction, namely, when the function call instruction corresponding to the return instruction is the direct function call instruction or the indirect function call instruction, the instruction parameter of the check point instruction which the return instruction jumps to is matched with the fifth landing state parameter, so that the ROP attack can be checked after the return address stack overflows, the ROP attack false alarm caused by the return address stack underflow is avoided, and the illegal program can be prevented from bypassing the ROP attack protection by making the return address stack overflows, thereby improving the accuracy and the effectiveness of the ROP attack protection.
In one possible implementation, since the processor may make a branch prediction during execution of the program stream, the branch prediction has both a correctly predicted and incorrectly predicted outcome, and an indirect branch instruction that is predicted to be executed when the branch prediction is correct is committed such that the indirect branch instruction is executed by the processor, and an indirect branch instruction that is predicted to be executed when the branch prediction is incorrect is cleared, and the processor does not execute the indirect branch instruction.
When an indirect branch instruction is a return instruction and the indirect branch instruction is predicted to be executed, after the indirect branch instruction is acquired, the third landing state parameter, the fourth landing state parameter or the fifth landing state parameter is written into the branch landing buffer area according to the calling instruction identifier included in the latest piece of data in the return address stack. If the return instruction predicted to be executed is committed, the third, fourth, or fifth landing state parameters cached in the branch landing buffer are read and the read third, fourth, or fifth landing state parameters are written to the branch landing state registers. The return instruction predicted to be executed is a mispredicted branch instruction, and the branch landing buffer is emptied.
FIG. 4 is a schematic diagram of a branch landing status register write process according to one embodiment of the present application. When a return instruction is predicted to be executed, the latest piece of data is read from the return address stack, and the calling instruction identification included in the piece of data is acquired, as shown in fig. 4. If the call instruction identification is 0b00 (direct call instruction identification), the third landing state parameter 0b0100 is written to the branch landing buffer, if the call instruction identification is 0b01 (indirect call instruction identification), the fourth landing state parameter 0b1000 is written to the branch landing buffer, and if the return address stack is underflowed (corresponding to the call instruction identification being 0b10 or 0b 11), the fifth landing state parameter 0b1100 is written to the branch landing buffer.
The branch landing buffer is a first-in, first-out data buffer. If the branch prediction is correct, the cached landing state parameters in the branch landing buffer are read out at return instruction retirement (retried) and the read out landing state parameters are written into the branch landing state registers. If the branch prediction is incorrect, then the landing state parameter corresponding to the return instruction in the branch landing buffer, and the contents of the subsequent caches, are cleared when the return instruction is flushed (flushed).
In the embodiment of the application, since the processor has a branch prediction function, when a return instruction is predicted to be executed, corresponding landing state parameters are written into the branch landing buffer according to the calling instruction identification included in the latest piece of data in the return address stack, if the branch prediction is correct, the landing state parameters are read from the branch landing buffer when the return instruction is submitted, and the read landing state parameters are written into the branch landing state register, if the branch prediction is incorrect, the branch landing buffer is emptied when the return instruction is emptied, so that the landing state parameters of the executed return instruction are ensured to be written into the branch landing state register, and the landing state parameters of the return instruction with the branch prediction error are not written into the branch landing state register, thereby avoiding ROP attack errors caused by writing the landing state parameters of the return instruction with the branch prediction error into the branch landing state register, and further ensuring the accuracy of ROP attack protection.
In one possible implementation, when the validity check is performed on the checkpoint instruction according to the type of the checkpoint instruction and the difference between the instruction parameters of the checkpoint instruction and the landing state parameters in the branch state register, the validity of the checkpoint instruction may be determined according to the following logic:
(i) If the checkpoint instruction is not a branch landing instruction, it is determined that the checkpoint instruction is illegal.
(ii) If the check point instruction is a branch landing instruction and the instruction parameters of the check point instruction are not matched with the landing state parameters in the branch landing state register, determining that the check point instruction is illegal;
(iii) If the branch landing instruction is a checkpoint instruction and the instruction parameters of the checkpoint instruction are matched with the landing state parameters in the branch landing state register, determining that the checkpoint instruction is legal.
When a program executed by a processor is developed, a jump target of an indirect branch instruction is set as a branch landing instruction, namely when the processor is not attacked by JOP and ROP, a direct jump instruction, an indirect jump instruction and a check point instruction to which a return instruction jumps are all branch landing instructions. The format of the branch landing instruction may be bld#imm, where imm is an instruction parameter of the branch landing instruction.
If the checkpoint instruction to which the indirect branch instruction jumps is not a branch landing instruction, it is indicated that the processor is under JOP attack or ROP attack, resulting in the jump target of the indirect jump instruction being tampered with, thus determining that the checkpoint instruction is illegal. If the checkpoint instruction is a branch landing instruction, it is further determined whether the instruction parameters of the checkpoint instruction match the landing state parameters in the branch landing state register.
When a program executed by the processor is developed, instruction parameters of the corresponding branch landing instruction are set according to the type of the indirect branch instruction, so that when the processor is not attacked by JOP and ROP, the instruction parameters of the branch landing instruction are matched with landing state parameters of the corresponding indirect branch instruction. In one example, the instruction parameter and the landing state parameter are matched, that is, the result of the bit and operation is not equal to 0, and the following table 1 shows the correspondence relationship between the landing state parameter of the indirect branch instruction and the instruction parameter of the branch landing instruction to which the indirect branch instruction jumps.
TABLE 1
If the check point instruction is a branch landing instruction and the instruction parameters of the branch landing instruction are not matched with the landing state parameters of the corresponding indirect branch instruction, the processor is proved to be attacked by JOP or ROP, the jump target of the indirect jump instruction is tampered by forging the branch landing instruction, and further the illegal check point instruction is determined. If the checkpoint instruction is a branch landing instruction and the instruction parameters of the branch landing instruction match the landing state parameters of the corresponding indirect branch instruction, then it is determined that the checkpoint instruction is legitimate.
In the embodiment of the application, when a program is developed, a target instruction returned from an indirect branch instruction is set as a branch landing instruction, and the instruction parameters of the branch landing instruction are matched with the landing state parameters of the corresponding indirect branch instruction, so that when the indirect branch instruction is executed, whether a checkpoint instruction jumped to from the indirect branch instruction is the branch landing instruction is judged, whether the instruction parameters of the checkpoint instruction are matched with the landing state parameters of the corresponding indirect branch instruction is judged, and whether the checkpoint instruction is a legal instruction is further determined according to the judging results of the two judging operations, so as to determine whether a processor is subjected to JOP attack or ROP attack, and ensure that the JOP attack or the ROP attack can be correctly detected.
In one possible implementation, the instruction parameters of the branch landing instruction include a first landing state parameter, a second landing state parameter, a third landing state parameter, a fourth landing state parameter, a fifth landing state parameter, and a sixth landing state parameter, corresponding to the landing state parameters of the indirect branch instruction.
When the instruction parameter of the branch landing instruction is the first landing state parameter, the indirect branch instruction corresponding to the branch landing instruction is an indirect jump instruction. When the instruction parameter of the branch landing instruction is the second landing state parameter, the indirect branch instruction corresponding to the branch landing instruction is a function call instruction. When the instruction parameter of the branch landing instruction is the third landing state parameter, the indirect branch instruction corresponding to the branch landing instruction is a return instruction corresponding to the direct function call instruction. When the instruction parameter of the branch landing instruction is the fourth landing state parameter, the indirect branch instruction corresponding to the branch landing instruction is a return instruction corresponding to the indirect function call instruction. When the instruction parameter of the branch landing instruction is the fifth landing state parameter, the indirect branch instruction corresponding to the branch landing is a return instruction corresponding to the direct function call instruction and the indirect function call instruction. When the instruction parameter of the branch landing instruction is the sixth landing state parameter, the indirect branch instruction corresponding to the branch landing is an indirect jump instruction or a function call instruction.
When the instruction parameter matches with the landing state parameter, that means that the result of the two bit and operation is not equal to 0, the following table 2 shows the correspondence between the indirect branch instruction and the landing state parameter, and the following table 3 shows the correspondence between the indirect branch instruction and the instruction parameter.
TABLE 2
In table 2, when the landing state parameter is written into the branch landing state register through the return address stack, since the return address stack may underflow, the type of the function call instruction corresponding to the return instruction cannot be accurately determined after the return address stack underflow occurs, so the instruction parameter of the branch landing instruction corresponding to the direct function call instruction and the instruction parameter of the branch landing instruction corresponding to the indirect function call instruction are set to be matched with the fifth landing state parameter, as shown in table 3 below.
The indirect jump instruction may be a jr instruction, the direct function call instruction may be a jal instruction, and the indirect function call instruction may be a jar instruction.
TABLE 3 Table 3
In table 3, since some return instructions may be executed for both direct function call instructions and indirect function call instructions, the instruction parameters of the branch landing instructions to which these return instructions jump are the fifth landing state parameter 0b1100, so that when the return instructions are executed for either the direct function call instructions or the indirect function call instructions without ROP attack, the branch landing instructions are not determined to be illegal instructions, and false alarm is avoided.
Some branch landing instructions can jump from either indirect jump instructions or return instructions, so the instruction parameters of these branch landing instructions are set to the sixth landing state parameter 0b0011, and the landing state parameters of the indirect jump instruction and the function call instruction are matched with the sixth landing state parameter, as detailed in table 2 above.
In the embodiment of the application, the landing state parameters of the indirect branch instruction comprise first to fifth landing state parameters, and the instruction parameters of the branch landing instruction comprise first to fifth landing state parameters and sixth landing state parameters corresponding to the landing state parameters of the indirect branch instruction, the corresponding instruction parameters are set for the branch landing instruction when a program is developed, and the corresponding landing state parameters are written into a branch landing state register when the indirect branch instruction is executed, so that whether the check point instruction is legal or not can be determined according to the type of the check point instruction and the matching of the instruction parameters of the check point instruction and the landing state parameters in the branch landing state register, and further whether the check point instruction is attacked by JOP and ROP is determined, and JOP attack protection and ROP attack protection are realized through less calculation resource consumption.
The attack detection process will be described by way of several examples in conjunction with the landing state parameters shown in table 2 and the instruction parameters shown in fig. 3.
Fig. 5 is a schematic diagram of an attack detection procedure for an indirect jump instruction according to an embodiment of the present application. As shown in fig. 5, when the indirect jump instruction JR X9 is executed, the first landing state parameter 0b0001 is written into the branch landing state register, and before the branch landing instruction bld#0b0001 jumped to from the indirect jump instruction JR X9 is executed, it is verified whether the instruction parameter of the branch landing instruction matches the landing state parameter in the branch landing state register, and since the instruction parameter 0b0001 of the branch landing instruction bld#0b0001 matches the contents of the branch landing state register, it is determined that the branch landing instruction bld#0b0001 is legal, and no alarm information is issued.
Fig. 6 is a schematic diagram of an attack detection procedure for an indirect jump instruction according to another embodiment of the present application. As shown in fig. 6, when the indirect jump instruction JR X9 is executed, the first landing state parameter 0b0001 is written into the branch landing state register, and before the branch landing instruction bld#0b0010 jumped from the indirect jump instruction JR X9 is executed, it is verified whether the instruction parameter of the branch landing instruction matches the landing state parameter in the branch landing state register, and since the instruction parameter 0b0010 of the branch landing instruction bld#0b0010 does not match the contents of the branch landing state register, it is determined that the branch landing instruction bld#0b0010 is illegal, and alarm information is issued.
FIG. 7 is a schematic diagram of an attack detection procedure for a function call instruction according to one embodiment of the present application. As shown in fig. 7, when the indirect function call instruction FALR X2 is executed, the second landing state parameter 0b0010 is written into the branch landing state register, and before the branch landing instruction bld#0b0010 skipped from the indirect function call instruction FALR X2 is executed, it is verified whether the instruction parameter of the branch landing instruction matches the landing state parameter in the branch landing state register, and since the instruction parameter 0b0010 of the branch landing instruction bld#0b0010 matches the contents of the branch landing state register, it is determined that the branch landing instruction bld#0b0010 is legal and no alarm information is issued.
FIG. 8 is a schematic diagram of an attack detection procedure for a function call instruction according to another embodiment of the present application. As shown in fig. 8, when the indirect function call instruction FALR X2 is executed, the second landing state parameter 0b0010 is written into the branch landing state register, and before the instructions ADD X1, X2, X3 skipped from the indirect function call instruction FALR X2 are executed, the instructions ADD X1, X2, X3 are verified not to be branch landing instructions, so that it is determined that the instructions ADD X1, X2, X3 are illegal, and alarm information is issued.
FIG. 9 is a schematic diagram of an attack detection procedure for a return instruction according to one embodiment of the present application. As shown in fig. 9, when the indirect function call instruction FALR X2 is executed, the second landing state parameter 0b0010 is written into the branch landing state register, and before the branch landing instruction bld#0b0010 to which the indirect function call instruction FALR X2 jumps is executed, it is verified that the instruction parameter 0b0010 of the branch landing instruction bld#0b0010 matches the contents of the branch landing state register, so that it is determined that the branch landing instruction bld#0b0010 is legal, and no alarm information is issued. When the return instruction RET is executed, the fourth landing state parameter 0b1000 is written into the branch landing state register, and before the branch landing instruction bld#0b1000 skipped from the return instruction RET is executed, the instruction parameter 0b1000 of the branch landing instruction bld#0b1000 is verified to match the contents of the branch landing state register, so that it is determined that the branch landing instruction bld#0b1000 is legal, and no alarm information is issued.
Fig. 10 is a schematic diagram of an attack detection procedure for a return instruction according to another embodiment of the present application. As shown in fig. 10, when the indirect function call instruction FALR X2 is executed, the second landing state parameter 0b0010 is written into the branch landing state register, and before the branch landing instruction bld#0b0010 to which the indirect function call instruction FALR X2 jumps is executed, it is verified that the instruction parameter 0b0010 of the branch landing instruction bld#0b0010 matches the contents of the branch landing state register, so that it is determined that the branch landing instruction bld#0b0010 is legal, and no alarm information is issued. When executing the return instruction RET, the fourth landing state parameter 0b1000 is written into the branch landing state register, and before executing the instruction ADD X1, X2, X3 skipped from the return instruction RET, the instructions ADD X1, X2, X3 are verified not to be branch landing instructions, so that it is determined that the instructions ADD X1, X2, X3 are illegal, and alarm information is issued.
The processor may switch in different modes by interrupt instructions, such as risc-v architecture based processors, may switch from a virtualized user mode (virtualized user mode, VU-mode) to a virtualized management mode (virtualized supervisor mode, VS-mode) by interrupt instructions, and may switch from a virtualized management mode to a virtualized extended management mode (HS-mode) by interrupt instructions.
After the interrupt instruction is executed, the processor stops the current operation and executes other operations, in order to avoid covering the landing state parameters cached in the branch landing state register before the interrupt instruction, after the interrupt instruction is received, the landing state parameters cached in the branch landing state register can be transferred to other cache positions, after the interrupt instruction is executed and returned, the landing state parameters transferred to other cache positions are transferred back to the original position in the branch state, and JOP attack protection and ROP attack protection can be continuously carried out based on the landing state parameters in the branch landing state register after the interrupt is returned.
In one possible implementation, in response to receiving the first interrupt instruction, the landing state parameters of the indirect branch instruction are transferred from the first field of the branch landing state register to the second subunit, and after executing the first interrupt instruction and returning, the landing state parameters of the indirect branch instruction are transferred from the second field of the branch landing state register to the first field.
In another possible implementation, in response to receiving the second interrupt instruction, the landing state parameter of the indirect branch instruction is transferred from the branch landing state register to the standby branch landing state register, the branch landing state register and the standby branch landing state register being different registers, and after executing the second interrupt instruction and returning, the landing state parameter in the standby branch landing state register is transferred to the branch landing state register.
In the embodiment of the application, after receiving the interrupt instruction, the landing state parameter is transferred from the first field to the second field in the branch landing state register, or the landing state parameter is transferred from the branch landing state register to the standby branch landing state register, after executing the interrupt instruction and returning, the transferred landing state parameter is transferred back to the original position in the branch landing state register, thereby ensuring that JOP attack protection and ROP attack protection can be normally carried out when the interrupt instruction is executed, and improving the comprehensiveness and reliability of JOP attack protection and ROP attack protection.
Electronic equipment
Fig. 11 is a schematic block diagram of an electronic device according to an embodiment of the present application, which is not limited to the specific implementation of the electronic device. As shown in fig. 11, the electronic device may include: a processor 1102, a communication interface (Communications Interface), a memory 1106, and a communication bus 1108. Wherein:
Processor 1102, communication interface 1104, and memory 1106 communicate with each other via a communication bus 1108.
A communication interface 1104 for communicating with other electronic devices or servers.
The processor 1102 is configured to execute the program 1110, and may specifically perform relevant steps in any of the foregoing attack detection method embodiments.
In particular, program 1110 may include program code including computer-operating instructions.
The processor 1102 may be a CPU or specific integrated circuit ASIC (Application Specific Integrated Circuit) or one or more integrated circuits configured to implement embodiments of the present application. The one or more processors comprised by the smart device may be the same type of processor, such as one or more CPUs; but may also be different types of processors such as one or more CPUs and one or more ASICs.
RISC-V is an open source instruction set architecture based on the principle of Reduced Instruction Set (RISC), which can be applied to various aspects such as single chip microcomputer and FPGA chip, and can be particularly applied to the fields of Internet of things security, industrial control, mobile phones, personal computers and the like, and because the real conditions of small size, rapidness and low power consumption are considered in design, the RISC-V is particularly suitable for modern computing equipment such as warehouse-scale cloud computers, high-end mobile phones, micro embedded systems and the like. With the rise of AIoT of the artificial intelligent Internet of things, RISC-V instruction set architecture is also receiving more and more attention and support, and is expected to become a CPU architecture widely applied in the next generation.
The computer operating instructions in embodiments of the present application may be computer operating instructions based on a RISC-V instruction set architecture, and correspondingly, the processor 1102 may be RISC-V based instruction set design. Specifically, the chip of the processor in the electronic device provided by the embodiment of the application may be a chip designed by adopting a RISC-V instruction set, and the chip may execute executable codes based on the configured instructions, thereby implementing the attack detection method in the embodiment.
Memory 1106 for storing program 1110. The memory 1106 may include high-speed RAM memory or may also include non-volatile memory (non-volatile memory), such as at least one disk memory.
The program 1110 may be specifically configured to cause the processor 1102 to execute the attack detection method in any of the foregoing embodiments.
The specific implementation of each step in the procedure 1110 may refer to corresponding steps and corresponding descriptions in units in any of the foregoing attack detection method embodiments, which are not described herein. It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the apparatus and modules described above may refer to corresponding procedure descriptions in the foregoing method embodiments, which are not repeated herein.
According to the electronic equipment provided by the embodiment of the application, after the indirect branch instruction is instructed, the landing state parameter of the indirect branch instruction is written into the branch landing state register, the checkpoint instruction jumped to from the indirect branch instruction is determined, the validity check is carried out on the checkpoint instruction according to the type of the checkpoint instruction and the difference between the instruction parameter of the checkpoint instruction and the landing state parameter in the branch landing state register, and if the checkpoint instruction is illegal, alarm information is sent out. The indirect branch instruction jumps to the target instruction from the indirect branch instruction to have a specific instruction type, and the indirect branch instruction is matched with the landing state parameter and the instruction parameter of the target instruction, if the processor is attacked by ROP or JOP, the type of the target instruction or the instruction parameter of the target instruction is changed, so that the validity of the check point instruction can be checked according to the type of the check point instruction and the difference between the instruction parameter of the check point instruction and the landing state parameter in the branch landing state register, whether the processor is attacked by ROP or JOP is determined, unified detection and protection of JOP attack and ROP attack are realized, and the calculation resources consumed by JOP attack protection and ROP attack protection are reduced, thereby improving the performance of the processor.
Computer storage medium
The present application also provides a computer readable storage medium storing instructions for causing a machine to perform an attack detection method as described herein. Specifically, a system or apparatus provided with a storage medium on which a software program code realizing the functions of any of the above embodiments is stored, and a computer (or CPU or MPU) of the system or apparatus may be caused to read out and execute the program code stored in the storage medium.
In this case, the program code itself read from the storage medium may realize the functions of any of the above-described embodiments, and thus the program code and the storage medium storing the program code form part of the present application.
Examples of the storage medium for providing the program code include a floppy disk, a hard disk, a magneto-optical disk, an optical disk (e.g., CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD+RW), a magnetic tape, a nonvolatile memory card, and a ROM. Alternatively, the program code may be downloaded from a server computer by a communication network.
Computer program product
Embodiments of the present application also provide a computer program product comprising computer instructions that instruct a computing device to perform any corresponding operations of the above-described method embodiments.
Those skilled in the art will appreciate that the present disclosure may be implemented as a system, method, and computer program product. Accordingly, the present disclosure may be embodied in the form of hardware entirely, software (including firmware, resident software, micro-code), or in a combination of software and hardware. Furthermore, in some embodiments, the present disclosure may also be embodied in the form of a computer program product in one or more computer-readable media having computer-readable program code embodied therein.
Any combination of one or more computer readable media may be employed. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. The computer readable storage medium is, for example but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the above. More specific examples of the computer readable storage medium include the following: in particular, the electrical connection of one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD ROM), an optical memory, a magnetic memory, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with a processing unit, apparatus, or device.
The computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, either in baseband or as part of a notch. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any other suitable combination. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., and any suitable combination of the foregoing.
Computer program code for carrying out embodiments of the present disclosure may be written in one or more programming languages or combinations. The programming languages include object oriented programming languages such as JAVA, c++, and may also include conventional procedural programming languages such as C. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
It should be noted that, the information related to the user (including, but not limited to, user equipment information, user personal information, etc.) and the data related to the embodiments of the present disclosure (including, but not limited to, sample data for training the model, data for analyzing, stored data, presented data, etc.) are information and data authorized by the user or sufficiently authorized by each party, and the collection, use and processing of the related data need to comply with the related laws and regulations and standards of the related country and region, and are provided with corresponding operation entries for the user to select authorization or rejection.
It should be understood that each embodiment in this specification is described in an incremental manner, and the same or similar parts between each embodiment are all referred to each other, and each embodiment focuses on differences from other embodiments. In particular, for method embodiments, the description is relatively simple as it is substantially similar to the methods described in the apparatus and system embodiments, with reference to the description of other embodiments being relevant.
It should be understood that the foregoing describes specific embodiments of this specification. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
It should be understood that elements described herein in the singular or shown in the drawings are not intended to limit the number of elements to one. Furthermore, modules or elements described or illustrated herein as separate may be combined into a single module or element, and modules or elements described or illustrated herein as a single may be split into multiple modules or elements.
It is also to be understood that the phraseology and terminology employed herein are for the purpose of description and should not be regarded as limiting. The use of these terms and expressions is not meant to exclude any equivalents of the features shown and described (or portions thereof), and it is recognized that various modifications are possible and are intended to be included within the scope of the claims. Other modifications, variations, and alternatives are also possible. Accordingly, the claims should be looked to in order to cover all such equivalents.

Claims (14)

1. An attack detection method comprising:
writing landing state parameters of an indirect branch instruction into a branch landing state register in response to the indirect branch instruction being executed, wherein the indirect branch instruction comprises an indirect jump instruction, a function call instruction or a return instruction, and the indirect jump instruction, the function call instruction and the return instruction correspond to different landing state parameters;
Determining a checkpoint instruction to jump from the indirect branch instruction;
performing validity check on the check point instruction according to the type of the check point instruction and the difference between the instruction parameter of the check point instruction and the landing state parameter in the branch landing state register;
and if the check point instruction is illegal, sending out alarm information.
2. The method of claim 1, wherein the writing the landing state parameters of the indirect branch instruction to the branch landing state register in response to the indirect branch instruction being executed comprises:
if the indirect branch instruction is an indirect jump instruction, responding to the execution of the indirect branch instruction, and writing a first landing state parameter corresponding to the indirect jump instruction into a branch landing state register;
and if the indirect branch instruction is a function call instruction, responding to the execution of the indirect branch instruction, and writing a second landing state parameter corresponding to the function call instruction into a branch landing state register.
3. The method of claim 2, wherein the writing the landing state parameters of the indirect branch instruction to the branch landing state register in response to the indirect branch instruction being executed comprises:
If the indirect branch instruction is a return instruction, writing the landing state parameters of the return instruction into a branch landing state register when the return instruction is executed according to the type of the function call instruction corresponding to the return instruction, wherein the landing state parameters of the return instruction corresponding to the different types of the function call instructions are different.
4. A method according to claim 3, the method further comprising:
when executing the direct function call instruction, writing the return address of the direct function call instruction and the direct call instruction identification into a return address stack;
when an indirect function call instruction is executed, writing a return address of the indirect function call instruction and an indirect call instruction identification into the return address stack;
wherein the return address stack is used to determine landing state parameters for the return instruction.
5. The method of claim 4, wherein the writing the landing state parameter of the return instruction into the branch landing state register when the return instruction is executed according to the type of the function call instruction corresponding to the return instruction comprises:
reading the latest piece of data from the return address stack if the return address stack does not underflow when the return instruction is executed;
If the read data comprises the direct call instruction identifier, writing a third landing state parameter corresponding to the direct function call instruction into a branch landing state register;
and if the read data comprises the indirect call instruction identification, writing a fourth landing state parameter corresponding to the indirect function call instruction into a branch landing state register.
6. The method of claim 5, wherein the writing the landing state parameter of the return instruction into the branch landing state register when the return instruction is executed according to the type of the function call instruction corresponding to the return instruction comprises:
if the return address stack underflows while the return instruction is executed, fifth landing state parameters corresponding to the direct function call instruction and the indirect function call instruction are written into a branch landing state register.
7. The method of claim 6, the method further comprising:
when the indirect branch instruction is a return instruction, writing the third landing state parameter, the fourth landing state parameter or the fifth landing state parameter into a branch landing buffer area according to a calling instruction identifier included in the latest piece of data in the return address stack;
Reading the third landing state parameter, the fourth landing state parameter or the fifth landing state parameter cached in the branch landing buffer if the return instruction is submitted, and writing the read third landing state parameter, fourth landing state parameter or fifth landing state parameter into the branch landing state register;
and if the return instruction is a branch instruction with a prediction error, emptying the branch landing buffer zone.
8. The method of claim 6, wherein the legitimacy check of the checkpoint instruction based on the type of the checkpoint instruction and a difference in instruction parameters of the checkpoint instruction and landing state parameters in the branch landing state register comprises:
if the checkpoint instruction is not a branch landing instruction, determining that the checkpoint instruction is illegal;
if the check point instruction is a branch landing instruction and the instruction parameters of the check point instruction are not matched with the landing state parameters in the branch landing state register, determining that the check point instruction is illegal;
if the checkpoint instruction is a branch landing instruction and the instruction parameters of the checkpoint instruction are matched with the landing state parameters in the branch landing state register, determining that the checkpoint instruction is legal.
9. The method of claim 8, wherein the instruction parameters of the branch landing instruction include the first landing state parameter, the second landing state parameter, the third landing state parameter, the fourth landing state parameter, the fifth landing state parameter, or a sixth landing state parameter;
when the instruction parameters of the branch landing instruction comprise the first landing state parameters, the indirect branch instruction is an indirect jump instruction;
when the instruction parameters of the branch landing instruction comprise the second landing state parameters, the indirect branch instruction is a function call instruction;
when the instruction parameters of the branch landing instruction include the third landing state parameter, the indirect branch instruction is a return instruction corresponding to a direct function call instruction;
when the instruction parameters of the branch landing instruction include the fourth landing state parameter, the indirect branch instruction is a return instruction corresponding to an indirect function call instruction;
when the instruction parameters of the branch landing instruction include the fifth landing state parameter, the indirect branch instruction is a return instruction corresponding to a direct function call instruction and an indirect function call instruction, and the fifth landing state parameter is matched with the third landing state parameter and the fourth landing state parameter;
When the instruction parameters of the branch landing instruction include the sixth landing state parameter, the indirect branch instruction is an indirect jump instruction or a function call instruction, and the sixth landing state parameter is matched with the first landing state parameter and the second landing state parameter.
10. The method of any one of claims 1-9, the method further comprising:
transferring a landing state parameter of the indirect branch instruction from a first field to a second field of the branch landing state register in response to a received first interrupt instruction;
after executing the first interrupt instruction and returning, transferring the landing state parameter of the indirect branch instruction from the second field to the first field of the branch landing state register.
11. The method of any one of claims 1-9, the method further comprising:
storing landing state parameters in the branch landing state registers to a standby branch landing state register in response to a received second interrupt instruction;
and after the second interrupt instruction is executed and returned, transferring the landing state parameters in the standby branch landing state register to the branch landing state register.
12. A processor, comprising: an electrically connected branch landing status register and an instruction execution unit to:
writing landing state parameters of an indirect branch instruction into a branch landing state register in response to the indirect branch instruction being executed, wherein the indirect branch instruction comprises an indirect jump instruction, a function call instruction or a return instruction, and the indirect jump instruction, the function call instruction and the return instruction correspond to different landing state parameters;
determining a checkpoint instruction to jump from the indirect branch instruction;
performing validity check on the check point instruction according to the type of the check point instruction and the difference between the instruction parameter of the check point instruction and the landing state parameter in the branch landing state register;
and if the check point instruction is illegal, sending out alarm information.
13. An electronic device, comprising: the device comprises a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface are communicated with each other through the communication bus;
the memory is configured to store at least one executable instruction that causes the processor to perform operations corresponding to the method of any one of claims 1-11.
14. A computer storage medium having stored thereon a computer program which, when executed by a processor, implements the method of any of claims 1-11.
CN202310686819.7A 2023-06-09 2023-06-09 Attack detection method, processor, electronic device and storage medium Pending CN116738414A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310686819.7A CN116738414A (en) 2023-06-09 2023-06-09 Attack detection method, processor, electronic device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310686819.7A CN116738414A (en) 2023-06-09 2023-06-09 Attack detection method, processor, electronic device and storage medium

Publications (1)

Publication Number Publication Date
CN116738414A true CN116738414A (en) 2023-09-12

Family

ID=87907492

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310686819.7A Pending CN116738414A (en) 2023-06-09 2023-06-09 Attack detection method, processor, electronic device and storage medium

Country Status (1)

Country Link
CN (1) CN116738414A (en)

Similar Documents

Publication Publication Date Title
US11762982B2 (en) Processor extensions to protect stacks during ring transitions
US10176104B2 (en) Instruction predecoding
US20070130448A1 (en) Stack tracker
CN109643346B (en) Control flow integrity
US9851973B2 (en) Dynamic branch hints using branches-to-nowhere conditional branch
US9996356B2 (en) Method and apparatus for recovering from bad store-to-load forwarding in an out-of-order processor
TWI781588B (en) Apparatus, system and method comprising mode-specific endbranch for control flow termination
US11861365B2 (en) Macro-op fusion
US12020033B2 (en) Apparatus and method for hardware-based memoization of function calls to reduce instruction execution
JP2021057006A (en) Hardware for eliding security check when deemed safe during speculative execution
CN115576608A (en) Processor core, processor, chip, control equipment and instruction fusion method
EP3757773A1 (en) Hardware load hardening for speculative side-channel attacks
JP2021174513A (en) Instruction set architecture-based automatic load tracking for opportunistic reinduction of data-dependent vulnerable branch
EP3198400B1 (en) Dependency-prediction of instructions
CN112596792B (en) Branch prediction method, apparatus, medium, and device
US11216278B2 (en) Multi-thread processing
WO2017112315A1 (en) Non-tracked control transfers within control transfer enforcement
CN116738414A (en) Attack detection method, processor, electronic device and storage medium
WO2017112359A1 (en) Method and apparatus for loop-invariant instruction detection and elimination
JP2004038338A (en) Information processor having branch estimation mechanism
CN115576607A (en) Count to NULL for micro-architectural return predictor security
CN115167924A (en) Instruction processing method and device, electronic equipment and computer-readable storage medium
CN115167923A (en) Instruction processing method and device, electronic equipment and computer-readable storage medium
JP2011128709A (en) Information processor and method for processing processor

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination