
CN105260659B - A QEMU-based kernel-level code reuse attack detection method - Google Patents

Info

Publication number: CN105260659B
Application number: CN201510574168.8A
Authority: CN (China)
Legal status: Active
Other versions: CN105260659A
Language: Chinese (zh)
Prior art keywords: addr, file, ret, instruction, qemu
Inventors: 李金库, 程坤, 孙聪, 卢笛, 姚青松, 马建峰
Current assignee: Xidian University
Original assignee: Xidian University

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a QEMU-based kernel-level code reuse attack detection method that addresses the main limitation of the prior art: dependence on extra hardware or on modification of the kernel source code. It extends the functional modules of the QEMU virtual machine monitor so that every instruction of the guest operating system kernel is inspected as it is translated. Among these instructions it identifies the control-flow transfers relevant to code reuse attacks, namely ret instructions and indirect call instructions, records their jump target addresses, and compares those targets against the legitimate target addresses of the kernel's normal execution flow to decide whether the system is executing normally. At the same time, it compares the interrupt return address pushed on the stack when an interrupt occurs with the return address actually used when the interrupt returns, to decide whether an attack has taken place. Because every code reuse attack must alter the kernel's original execution flow, monitoring the instructions (and locations) that change kernel control flow lets the invention detect such attacks effectively; it can be used to protect operating system security.

Description

A QEMU-based kernel-level code reuse attack detection method

Technical field

The invention belongs to the field of computer science and technology and relates to protection against malicious software, specifically a QEMU-based kernel-level code reuse attack detection method.

Background

As a recent class of attack, kernel-level code reuse attacks do not inject any new code. They construct a complete attack purely by using (or reusing) code that already legitimately exists in the kernel, and can thereby subvert the entire operating system. Because no new code is introduced, they evade kernel code integrity protection mechanisms and pose a serious threat to the security of users' computer systems.

A code reuse attack is carried out in two steps: (1) the attacker carefully selects usable instruction fragments (gadgets) and chains them together through specific instructions (such as ret); (2) the attacker alters the system's original execution flow (by tampering with some piece of control data used during kernel execution, such as a function pointer or a function return address) so that it jumps to the first attacker-chosen fragment, and the attack proceeds from there.

The earliest code reuse attack is ROP (return-oriented programming). Because every gadget it selects ends in a ret instruction, the gadget set it builds contains many ret instructions, a pattern that does not occur in a normal system. On this basis, Chen et al. [ICISS 2009] proposed detecting ROP attacks by measuring how frequently ret instructions are executed in the system's instruction stream. Li et al. of North Carolina State University [ACM EuroSys 2010] modified the compiler to remove every ret opcode byte from the kernel, so that an attacker cannot find usable fragments with which to build an attack. The newest code reuse attack variants, however, no longer depend on the ret instruction but chain fragments with similar jump instructions (for example an indirect jmp or a "pop + jmp" sequence), which makes them harder to handle. To address this, Li et al. of North Carolina State University [IEEE TIFS 2011] proposed a compiler-based method that modifies the relevant kernel instructions (such as indirect call and ret) to protect the kernel's control data (including function pointers and function return addresses) against code reuse attacks. Kuznetsov et al. of EPFL [OSDI 2014] likewise proposed a compiler-based method that protects every code pointer in a program in order to resist code reuse attacks.

It should be said that existing research has achieved a degree of effectiveness in detecting code reuse attacks. Most existing detection methods, however, have technical limitations: they either require additional hardware support or require modifications to the kernel source code. The former raises hardware cost and scales poorly; the latter is not applicable to operating system kernels whose source is not available (such as Windows).

The detection method proposed by the invention is implemented on the QEMU virtual machine monitor. QEMU is a fast and convenient dynamic binary translator that can boot virtual machines and supports many different CPU architectures. Because QEMU executes by translating binary instructions, it can interpose on every instruction executed by the virtual machine's kernel. Since every code reuse attack must alter the system's original execution flow (the second step above), the invention can detect and expose such attacks effectively by monitoring the instructions (and locations) that change the kernel's execution flow. Furthermore, none of the existing detection methods checks the kernel's interrupt path, although an attacker can equally mount an attack by altering the flow of kernel interrupt handling. The invention provides detection and verification of the kernel interrupt path.

Summary of the invention

To remedy the shortcomings of the prior art, the invention proposes a QEMU-based kernel-level code reuse attack detection method for detecting the behaviour of various kernel-level code reuse attacks (and their variants) and protecting operating system security.

To achieve the above goal, the technical solution adopted by the invention comprises the following steps:

1) Preprocessing

1.1) Create an empty temporary file temp_file and write the contents of the operating system kernel image file into temp_file;

1.2) Create a file func_addr_file that records the entry addresses of the kernel's functions; take the entry address of every kernel function in turn from temp_file and write these addresses into func_addr_file;

1.3) Create a file ret_addr_file that records the kernel's function return addresses; take every valid function return address in the system in turn from temp_file and write these addresses into ret_addr_file;

2) QEMU-based recording of jump instruction target addresses and verification of the interrupt flow

3) Verification of jump instruction target addresses

While instructions are being translated, the target addresses of the jump instructions recorded by QEMU are verified to detect whether an attack has occurred.

Further refinements of the invention are as follows:

In step 2), the specific method for QEMU-based recording of jump instruction target addresses and verification of the interrupt flow is as follows:

2.1) Boot the virtual machine kernel with QEMU;

2.2) In QEMU's guest-to-host instruction translation stage, obtain one instruction I from the kernel's instruction stream;

2.3) Before translating instruction I, first determine whether an interrupt event has occurred; if an interrupt has occurred, go to step 2.7);

2.4) Determine the type of instruction I: if I is an indirect call instruction, go to step 2.5); if I is a ret instruction, go to step 2.6); otherwise go to step 2.8);

2.5) For an indirect call instruction I, perform the following operations:

2.5a) If the file call_addr.out does not exist, create call_addr.out to record the target addresses of indirect call instructions;

2.5b) When translating the indirect call instruction I, set its flag call_flag to 1;

2.5c) If an interrupt occurs at this point, check on entry to the interrupt handling function whether call_flag is 1; if so, record the return address pushed on the stack during interrupt handling into call_addr.out, then set call_flag to 0 and go to step 2.5e);

2.5d) QEMU jumps to the target address of the indirect call instruction to translate it; before translating, check whether call_flag is 1; if so, record the start address of the translation block into call_addr.out (this is the target address of the indirect call instruction), then set call_flag to 0;

2.5e) Go to step 2.8);

2.6) For a ret instruction I, perform the following operations:

2.6a) If the file ret_addr.out does not exist, create ret_addr.out to record the target addresses of ret instructions;

2.6b) When translating the ret instruction I, set its flag ret_flag to 1;

2.6c) If an interrupt occurs at this point, check on entry to the interrupt handling function whether ret_flag is 1; if so, record the return address pushed on the stack during interrupt handling into ret_addr.out, then set ret_flag to 0 and go to step 2.6e);

2.6d) QEMU jumps to the target address of the ret instruction to translate it; before translating, check whether ret_flag is 1; if so, record the start address of the translation block into ret_addr.out (this is the target address of the ret instruction), then set ret_flag to 0;

2.6e) Go to step 2.8);

2.7) For an interrupt, perform the following operations:

2.7a) If the file int_addr.out does not exist, create int_addr.out to record interrupt information;

2.7b) If no custom stack exists yet, initialise the stack int_addr with its top-of-stack pointer at the first slot;

2.7c) In QEMU's interrupt handling function, push the return address that the system pushes on the guest stack onto the custom stack int_addr as well;

2.7d) When QEMU has finished executing the interrupt routine and executes the interrupt return instruction, pop the return address from the custom stack int_addr and compare it with the return address used by the interrupt return instruction; if the two differ, report that an attack has occurred and record the mismatching return addresses in int_addr.out;

2.7e) Go to step 2.4);

2.8) If the operating system kernel still has unprocessed instructions, return to step 2.2) and begin processing the next instruction; otherwise finish.

In step 2.4), the type of instruction I is determined by QEMU from the opcode of the binary instruction.

In step 3), the jump instruction target address verification steps are as follows:

3.1) Read each newly added target address in call_addr.out and verify that it is a function entry address in func_addr_file; if it is not, report that an attack has occurred;

3.2) Read each newly added target address in ret_addr.out and verify that it is a valid function return address in ret_addr_file; if it is not, report that an attack has occurred;

3.3) Return to step 3.1).

Compared with the prior art, the invention has the following beneficial effects:

1) The invention is implemented on the QEMU virtual machine monitor. It can identify, locate and record the target addresses of the jump instructions to be checked without additional hardware and without modifying the operating system kernel's source code. Compared with existing methods this mechanism is low-cost and highly scalable, and it supports many kinds of operating system (including non-open-source ones). By comparing the recorded target addresses with the system's legitimate jump addresses, kernel-level code reuse attacks can be detected and the operating system protected.

2) The invention adds only one store operation, the write of the destination address to a file, and only when a jump instruction has to be translated. It is therefore efficient: UnixBench performance tests show that the performance loss introduced by the invention is about 4%.

3) The invention checks the large majority of jump instructions in the operating system kernel, and in addition proposes a method for checking and verifying the return address used during interrupt handling when an interrupt occurs in the system. QEMU in effect supervises the control-flow transfers of the entire operating system, so it can detect kernel-level code reuse attacks and provide a strong guarantee for operating system security.

Description of the drawings

Fig. 1 is the flow chart of the invention.

Detailed description

The invention is described in further detail below with reference to the drawing and an embodiment:

Referring to Fig. 1, the invention comprises preprocessing, QEMU-based recording of jump instruction target addresses together with interrupt flow verification, and legitimacy verification of the jump instruction target addresses. The control-flow-relevant jump instructions are indirect call instructions and ret instructions; their jump target addresses are recorded and then compared with the target addresses of the normal system execution flow to determine whether the system is executing normally or has been attacked.

The invention rests on the following observation: whatever the type of code reuse attack, to carry it out the attacker must alter the system's original execution flow (control flow) and jump to the first attacker-chosen instruction fragment. If the places where the system's execution flow can be altered can be checked (or verified), attacks can be detected (or prevented). For this reason, the indirect call instructions, ret instructions and interrupt flow that change the system's control flow must be protected.

The core idea of the invention is to use the QEMU virtual machine monitor as the platform: the operating system kernel is run under QEMU, which performs the detection or verification. Because QEMU is built on binary translation, every instruction of the guest kernel is translated and executed inside QEMU, so QEMU can interpose on every instruction the virtual machine's kernel executes. By modifying QEMU's functional modules, every instruction of the operating system kernel is inspected, the translation of ret instructions, indirect call instructions and interrupts is identified, and the jump target addresses of these instructions are recorded; comparing the recorded information with the legitimate information detects code reuse attacks. The operating system runs inside the virtual machine started by QEMU, while the attack takes place inside the operating system, so the attacker does not interfere with QEMU's operation. Detection inside QEMU requires no change to the kernel code, so any operating system can be checked without recompilation. Moreover, QEMU is open-source software, and the detection can be implemented without extensive changes by adding handling code at a few key points in QEMU.

Because the values of the jump target addresses are generated dynamically at run time and vary, they can be recorded while QEMU performs dynamic translation. Specifically, following the system's function call flow, when an indirect call instruction is executed to call a function, execution jumps to the next QEMU translation block; the start address of that translation block is the destination address of the jump instruction, so the entry address of the function called by the indirect call instruction can be recorded. Likewise, after a ret instruction executes, execution also jumps to the next translation block, and the return target of the ret instruction can be recorded in the same way.

Taking the jump target addresses together, the invention needs to record the jump target addresses of the system's indirect call instructions and ret instructions so that their legitimacy can be judged afterwards, and to compare the interrupt return address pushed on the stack when an interrupt occurs with the return address actually used when the interrupt returns, so as to decide whether an attack has occurred.

With reference to Fig. 1, the detailed operating steps of the invention are as follows:

Preprocessing steps

a) Create a temporary file temp_file and, using the disassembly command that ships with the system (for example objdump), write the contents of the operating system kernel image file into temp_file;

b) Create the file func_addr_file and record all function entry addresses found in temp_file into func_addr_file;

c) Create the file ret_addr_file and record all valid function return addresses found in temp_file into ret_addr_file (each valid return address points to the instruction immediately following some call instruction).
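The preprocessing steps a) to c) (and 1.1 to 1.3 above) amount to a parser over the disassembler output. The following C program is an added illustration and is not the patent's own implementation: it parses a constructed fragment of `objdump -d` output (the addresses, the symbol names start_kernel and init_a, and the instruction bytes are made up for the example) and builds in memory what func_addr_file and ret_addr_file would contain, treating every `addr <symbol>:` header as a function entry and the instruction after every `call` as a valid return address.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ADDRS 256

/* In-memory equivalents of func_addr_file and ret_addr_file. */
typedef struct {
    uint64_t func_entries[MAX_ADDRS]; size_t n_func;
    uint64_t ret_addrs[MAX_ADDRS];    size_t n_ret;
} whitelist_t;

/* Constructed objdump -d style fragment standing in for temp_file (not a real kernel). */
static const char SAMPLE_DUMP[] =
    "\n"
    "ffffffff81000000 <start_kernel>:\n"
    "ffffffff81000000:\t55                   \tpush   %rbp\n"
    "ffffffff81000001:\te8 0a 00 00 00       \tcall   ffffffff81000010 <init_a>\n"
    "ffffffff81000006:\tff d0                \tcall   *%rax\n"
    "ffffffff81000008:\tc3                   \tret\n"
    "\n"
    "ffffffff81000010 <init_a>:\n"
    "ffffffff81000010:\tc3                   \tret\n";

static void push_addr(uint64_t *set, size_t *n, uint64_t v) {
    if (*n < MAX_ADDRS) set[(*n)++] = v;
}

int whitelist_contains(const uint64_t *set, size_t n, uint64_t v) {
    for (size_t i = 0; i < n; i++) if (set[i] == v) return 1;
    return 0;
}

/* Parse objdump -d text: "addr <sym>:" lines give function entries (step b), and the
 * instruction following any call is a valid return address (step c). */
int build_whitelist(const char *dump, whitelist_t *wl) {
    int pending_ret = 0;                      /* previous instruction line was a call */
    memset(wl, 0, sizeof *wl);
    for (const char *p = dump; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line) return -1;
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + len;

        const char *s = line;
        while (*s == ' ') s++;                          /* objdump indents instruction lines */
        if (!isxdigit((unsigned char)*s)) continue;     /* blank lines, section headers */
        char *end;
        uint64_t addr = strtoull(s, &end, 16);

        if (end[0] == ' ' && end[1] == '<') {           /* "ffffffff81000000 <start_kernel>:" */
            push_addr(wl->func_entries, &wl->n_func, addr);
            pending_ret = 0;                            /* a call never falls into a new symbol */
            continue;
        }
        if (end[0] != ':') continue;
        /* Instruction line: "addr:\t<bytes>\t<mnemonic> ...". Byte-continuation lines that
         * objdump emits for long instructions have no mnemonic column and are skipped. */
        const char *tab1 = strchr(end, '\t');
        const char *mnem = tab1 ? strchr(tab1 + 1, '\t') : NULL;
        if (!mnem || mnem[1] == '\0') continue;
        mnem++;
        if (pending_ret) {                              /* return site of the previous call */
            push_addr(wl->ret_addrs, &wl->n_ret, addr);
            pending_ret = 0;
        }
        pending_ret = strncmp(mnem, "call", 4) == 0;    /* call / callq, direct or indirect */
    }
    return 0;
}

/* Build the whitelist from the constructed sample once and hand it back. */
const whitelist_t *sample_whitelist(void) {
    static whitelist_t wl;
    static int built;
    if (!built) { build_whitelist(SAMPLE_DUMP, &wl); built = 1; }
    return &wl;
}

int main(void) {
    const whitelist_t *wl = sample_whitelist();
    printf("func_addr_file (%zu entries):\n", wl->n_func);
    for (size_t i = 0; i < wl->n_func; i++) printf("  %016llx\n", (unsigned long long)wl->func_entries[i]);
    printf("ret_addr_file (%zu entries):\n", wl->n_ret);
    for (size_t i = 0; i < wl->n_ret; i++) printf("  %016llx\n", (unsigned long long)wl->ret_addrs[i]);
    return 0;
}
```

Two details matter in practice. Return addresses are taken from the instruction line that follows a call, exactly as step c) defines them, so the byte-continuation lines objdump prints for long instructions must not be mistaken for instructions; the parser skips any line without a mnemonic column. The whitelist also covers only the static kernel image that was disassembled, so code loaded later (for example kernel modules) would need the same pass run over its disassembly before its targets could be accepted.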

基于QEMU的跳转指令目标地址的记录和中断流程验证步骤QEMU-based jump instruction target address recording and interrupt process verification steps

d)使用QEMU启动虚拟机内核,读取内核指令进行翻译执行;d) Use QEMU to start the virtual machine kernel, read kernel instructions for translation and execution;

在QEMU翻译指令的阶段,QEMU并非以单条指令为单位进行翻译,翻译过程分为两步,第一步先将整个系统指令流程以跳转指令为界限进行划分,将整个指令流程划分为不同的指令块,叫做翻译块。这样,每个翻译块都是以一个跳转指令作为结尾,这样的特性使得对地址的获取有了一定的特性。指令流程被分割为翻译块后,QEMU以翻译块作为翻译单元;第二步就是对翻译块中的每一条指令进行翻译。In the stage of QEMU translating instructions, QEMU does not translate in units of a single instruction. The translation process is divided into two steps. A block of instructions is called a translation block. In this way, each translation block ends with a jump instruction, and this feature makes the address acquisition have certain features. After the instruction flow is divided into translation blocks, QEMU uses the translation blocks as the translation unit; the second step is to translate each instruction in the translation block.

e)在QEMU的从客户机指令到主机指令的翻译阶段,取得内核指令中的一条指令I,在翻译之前,首先判断是否发生了中断,如果发生了中断,则执行步骤i);e) in the translation stage from the client computer instruction to the host computer instruction in QEMU, obtain an instruction I in the kernel instruction, before translation, first judge whether an interruption has occurred, if an interruption occurs, then perform step i);

f)通过读取指令的操作码,判断指令I的类型:如果I是间接call指令则执行步骤g),如果I是ret指令则执行步骤h),否则执行步骤j);f) by reading the opcode of the instruction, the type of the instruction I is judged: if I is an indirect call instruction, step g) is executed, if I is a ret instruction, step h) is executed, otherwise step j) is executed;

g)对间接call指令I进行如下操作:g) Perform the following operations on the indirect call instruction I:

g1)若call_addr.out文件不存在,则创建记录间接call指令的目标地址的文件call_addr.out;g1) If the call_addr.out file does not exist, then create a file call_addr.out that records the target address of the indirect call instruction;

g2)在翻译间接call指令I时,将call_flag赋值为1;g2) when translating the indirect call instruction I, call_flag is assigned a value of 1;

步骤g2)中为每个间接call指令在翻译时添加标志以表示间接call指令正在被翻译,每次翻译间接call指令时call_flag都被赋值为1;In step g2), a flag is added during translation for each indirect call instruction to indicate that the indirect call instruction is being translated, and call_flag is assigned a value of 1 each time the indirect call instruction is translated;

g3)在翻译块继续执行下一块翻译块之前,判断是否发生中断,如果发生中断,则跳转到中断处理函数中判断call_flag是否为1,如果是,则将中断处理时压栈的返回地址记录在文件call_addr.out中(此时中断压栈返回地址即为间接call指令的跳转目的地址),然后将call_flag赋值为0,跳转到步骤g5);g3) Before the translation block continues to execute the next translation block, judge whether an interruption occurs. If an interruption occurs, jump to the interrupt processing function to determine whether call_flag is 1. If so, push the return address record on the stack when interrupt processing In the file call_addr.out (at this time, the interrupt push return address is the jump destination address of the indirect call instruction), then assign call_flag to 0, and jump to step g5);

步骤g3)中之所以需要判断中断的发生,是因为QEMU在进行动态二进制翻译时,并不是随时都能进行中断,由于翻译需要使用的翻译块分块会非常小,所以QEMU在判断中断时会在每一个翻译块开始翻译时进行中断发生的判断,所以在这里进行跳转指令目标地址的判断需要考虑中断发生的可能性;The reason why it is necessary to judge the occurrence of interruption in step g3) is that QEMU cannot interrupt at any time when performing dynamic binary translation. Since the translation blocks used for translation will be very small, QEMU will judge the interruption. When each translation block starts to translate, the judgment of interrupt occurrence is made, so the judgment of the target address of the jump instruction needs to consider the possibility of interrupt occurrence;

g4)在QEMU翻译下一个翻译块之前,判断call_flag是否为1,如果为1,则将翻译块首地址记录在文件call_addr.out中,然后将call_flag赋值为0;g4) Before QEMU translates the next translation block, judge whether call_flag is 1, if it is 1, record the first address of the translation block in the file call_addr.out, and then assign call_flag to 0;

g5)跳转到步骤j);g5) jump to step j);

h)对ret指令I进行如下操作:h) carry out the following operations to the ret instruction I:

h1)若ret_addr.out文件不存在,则创建记录ret指令的目标地址的文件ret_addr.out;h1) If the ret_addr.out file does not exist, create a file ret_addr.out that records the target address of the ret command;

h2)在翻译ret指令I时,将ret_flag赋值为1;h2) when translating ret instruction I, ret_flag is assigned a value of 1;

步骤h2)中为每个ret指令在翻译时添加标志以表示ret指令正在被翻译,每次翻译ret指令时ret_flag都被赋值为1;In step h2), a flag is added to indicate that the ret instruction is being translated for each ret instruction during translation, and ret_flag is assigned a value of 1 each time the ret instruction is translated;

h3)在翻译块继续执行下一块翻译块之前,判断是否发生中断,如果发生中断,则跳转到中断处理函数中判断ret_flag是否为1,如果是,则将中断处理时压栈的返回地址记录在文件ret_addr.out中(此时中断压栈返回地址即ret指令的跳转目标地址),然后将ret_flag赋值为0,跳转到步骤h5);h3) Before the translation block continues to execute the next translation block, judge whether an interruption occurs. If an interruption occurs, jump to the interrupt processing function to judge whether ret_flag is 1. If so, push the return address record on the stack when interrupt processing In the file ret_addr.out (at this time, the interrupt push return address is the jump target address of the ret instruction), then assign ret_flag to 0, and jump to step h5);

这里进行中断发生的判断的原因和间接call指令一样。The reason for judging the occurrence of an interrupt here is the same as that of the indirect call instruction.

h4) Before QEMU translates the next translation block, check whether ret_flag is 1; if so, record the first address of that translation block in the file ret_addr.out and then set ret_flag to 0;

h5) Go to step j);

i) Handle an interrupt as follows:

i1) If the file int_addr.out does not exist, create it;

i2) If no custom stack exists yet, initialize the stack int_addr with a capacity of 50 entries and point the top-of-stack pointer at the first slot;

i3) Before the interrupt handler executes, the register values and the context, including the interrupt return address, must be pushed onto the stack. First check whether the custom stack int_addr is full; if it is not, push the interrupt return address onto int_addr and increment the top-of-stack pointer by 1; otherwise (int_addr is full) the system reports an error;

i4) After the interrupt handler has finished, the system executes the interrupt return to resume execution at the point where the interrupt occurred. It pops the interrupt return address that was recorded at the top of the stack when the handler was invoked, takes the interrupt return address recorded in the custom stack int_addr at the same time, and checks whether the return address used by the interrupt return agrees with the one recorded in int_addr. If the two differ, the return address in the interrupt flow has been tampered with: report that an attack has occurred and write both return addresses to the file int_addr.out;

i5) Go to step f);

j) If the operating system instruction stream still contains unprocessed instructions, return to step e) and begin processing the next instruction; otherwise the instruction translation phase ends.
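The flag-based recording of ret targets (step h4, together with the interrupt case in claim step 2.6c) and the custom interrupt return-address stack of steps i2 to i4 can be modelled in plain C. The following is an added example, not code from the patent or from QEMU: the hook names on_translate_ret, before_translate_tb, on_interrupt_entry and on_interrupt_return are assumed names standing in for the places where the patent's modifications would sit in QEMU's translator, and the in-memory arrays ret_log and int_log stand in for the files ret_addr.out and int_addr.out. The stack capacity of 50 entries follows step i2; the RET_LOG_CAPACITY value is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Capacity of the custom stack int_addr (step i2 sets it to 50). */
#define INT_ADDR_CAPACITY 50
/* Capacity of the in-memory stand-in for ret_addr.out (assumed value). */
#define RET_LOG_CAPACITY 64

/* Custom stack int_addr: interrupt return addresses pushed on interrupt entry (steps i2, i3). */
static uint64_t int_addr[INT_ADDR_CAPACITY];
static int int_addr_top;                 /* index of the next free slot */

/* ret_flag is raised when a ret instruction is translated and consumed either by the
 * next translation block (step h4) or by an interrupt that arrives first (claim step 2.6c). */
static int ret_flag;

/* Stand-in for the file ret_addr.out: recorded ret target addresses. */
static uint64_t ret_log[RET_LOG_CAPACITY];
static int ret_log_len;

/* Stand-in for the file int_addr.out: (expected, used) pairs of mismatching return addresses. */
static uint64_t int_log[2 * INT_ADDR_CAPACITY];
static int int_log_len;

void reset_state(void) {
    int_addr_top = ret_flag = ret_log_len = int_log_len = 0;
}

static void record_ret_target(uint64_t addr) {
    if (ret_log_len < RET_LOG_CAPACITY)
        ret_log[ret_log_len++] = addr;
}

/* Hypothetical hook: the translator has just translated a ret instruction. */
void on_translate_ret(void) { ret_flag = 1; }

/* Hypothetical hook: QEMU is about to translate the next translation block (step h4).
 * If a ret was just translated, this block's first address is the ret target. */
void before_translate_tb(uint64_t tb_first_addr) {
    if (ret_flag) {
        record_ret_target(tb_first_addr);
        ret_flag = 0;
    }
}

/* Hypothetical hook: an interrupt is being entered and the guest pushes pushed_ret_addr
 * as the interrupt return address (step i3). Returns 0, or -1 when int_addr is full,
 * which the text treats as a system error. */
int on_interrupt_entry(uint64_t pushed_ret_addr) {
    if (ret_flag) {                      /* claim step 2.6c: the interrupt pre-empted the ret target */
        record_ret_target(pushed_ret_addr);
        ret_flag = 0;
    }
    if (int_addr_top >= INT_ADDR_CAPACITY) {
        fprintf(stderr, "error: custom stack int_addr is full\n");
        return -1;
    }
    int_addr[int_addr_top++] = pushed_ret_addr;
    return 0;
}

/* Hypothetical hook: the interrupt return instruction is about to resume the guest at
 * used_ret_addr (step i4). Returns 1 if it differs from the address recorded in int_addr
 * (attack reported, both addresses logged), 0 if they agree, -1 if int_addr is empty. */
int on_interrupt_return(uint64_t used_ret_addr) {
    if (int_addr_top == 0)
        return -1;
    uint64_t expected = int_addr[--int_addr_top];
    if (expected == used_ret_addr)
        return 0;
    if (int_log_len + 2 <= 2 * INT_ADDR_CAPACITY) {
        int_log[int_log_len++] = expected;
        int_log[int_log_len++] = used_ret_addr;
    }
    fprintf(stderr, "attack: interrupt return address %#llx replaced by %#llx\n",
            (unsigned long long)expected, (unsigned long long)used_ret_addr);
    return 1;
}

/* Accessors for the recorded data (the files' contents in the real system). */
int ret_log_count(void) { return ret_log_len; }
uint64_t ret_log_at(int i) { return ret_log[i]; }
int int_log_count(void) { return int_log_len; }
uint64_t int_log_at(int i) { return int_log[i]; }

int main(void) {
    /* Constructed scenario: a ret, then an interrupt whose return address has been altered. */
    reset_state();
    on_translate_ret();
    before_translate_tb(0xffffffff81001234ULL);        /* ret target recorded */
    on_interrupt_entry(0xffffffff81002000ULL);
    int verdict = on_interrupt_return(0xffffffff81003000ULL);
    printf("ret targets recorded: %d, interrupt verdict: %d\n", ret_log_count(), verdict);
    return 0;
}
```

Two properties of the model are worth checking before trusting it in a real translator: the flag must be consumed exactly once (by the next block or by the interrupt, never both), and the custom stack must be bounded, since an unmatched interrupt entry that never returns would otherwise grow it without limit; the -1 return on a full stack is the error case step i3 describes.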

Jump instruction target address verification steps

k) While instructions are being translated, verify the target addresses of the jump instructions recorded by QEMU to detect whether an attack has occurred:

k1) Verification of indirect call targets: read each newly added jump target address in call_addr.out and check whether it is a function entry address listed in the file func_addr_file; if it is not, report that an attack has occurred;

k2) Verification of ret targets: read each newly added return target address in ret_addr.out and check whether it is a valid function return address listed in the file ret_addr_file; if it is not, report that an attack has occurred.
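Steps k1 and k2 (claim steps 3.1 and 3.2) amount to a membership test of each recorded target against a whitelist extracted during preprocessing. The following is an added example and not the patent's or QEMU's code: FUNC_ADDR_FILE and RET_ADDR_FILE are constructed in-memory stand-ins for func_addr_file and ret_addr_file with one hexadecimal address per line, and the function names load_addr_list, addr_is_valid and verify_targets are assumed. The recorded targets in main() are constructed entries of call_addr.out and ret_addr.out; the call target that falls inside a function body rather than at its entry is the case the method reports.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_ADDRS 256

/* Constructed stand-in for func_addr_file: one kernel function entry address per line,
 * address first; anything after it on the line is ignored. */
static const char FUNC_ADDR_FILE[] =
    "ffffffff81000010 T sys_example_a\n"
    "ffffffff81000200 T sys_example_b\n"
    "ffffffff81000400 T sys_example_c\n";

/* Constructed stand-in for ret_addr_file: valid function return addresses, i.e. the
 * addresses that follow call instructions in the kernel image. */
static const char RET_ADDR_FILE[] =
    "ffffffff81000125\n"
    "ffffffff8100021a\n"
    "ffffffff81000437\n";

static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Parse the hexadecimal address at the start of each line into out[], skipping lines
 * that do not begin with a number, and sort the result so lookups can use bsearch().
 * Returns the number of addresses loaded. */
int load_addr_list(const char *text, uint64_t *out, int max) {
    int n = 0;
    const char *p = text;
    while (*p && n < max) {
        char *end;
        uint64_t v = (uint64_t)strtoull(p, &end, 16);
        if (end != p)                    /* a number was parsed; otherwise end == p */
            out[n++] = v;
        while (*end && *end != '\n')     /* advance to the start of the next line */
            end++;
        p = *end ? end + 1 : end;
    }
    qsort(out, (size_t)n, sizeof *out, cmp_u64);
    return n;
}

/* 1 if addr is in the sorted whitelist, else 0. */
int addr_is_valid(uint64_t addr, const uint64_t *valid, int n) {
    return bsearch(&addr, valid, (size_t)n, sizeof *valid, cmp_u64) != NULL;
}

/* Steps k1/k2: check every newly recorded target against its whitelist. Returns the number
 * of targets not in the list (each one is an attack report); first_bad receives the first. */
int verify_targets(const uint64_t *recorded, int nrec,
                   const uint64_t *valid, int nvalid, uint64_t *first_bad) {
    int bad = 0;
    for (int i = 0; i < nrec; i++) {
        if (addr_is_valid(recorded[i], valid, nvalid))
            continue;
        if (bad == 0 && first_bad)
            *first_bad = recorded[i];
        bad++;
    }
    return bad;
}

int main(void) {
    uint64_t funcs[MAX_ADDRS], rets[MAX_ADDRS], first_bad = 0;
    int nf = load_addr_list(FUNC_ADDR_FILE, funcs, MAX_ADDRS);
    int nr = load_addr_list(RET_ADDR_FILE, rets, MAX_ADDRS);

    /* Constructed new entries of call_addr.out: the second lands inside a function body. */
    uint64_t call_targets[] = { 0xffffffff81000200ULL, 0xffffffff81000405ULL };
    int bad_calls = verify_targets(call_targets, 2, funcs, nf, &first_bad);
    if (bad_calls)
        printf("attack: indirect call to non-entry address %#llx\n",
               (unsigned long long)first_bad);

    /* Constructed new entries of ret_addr.out: both follow a call instruction. */
    uint64_t ret_targets[] = { 0xffffffff8100021aULL, 0xffffffff81000437ULL };
    int bad_rets = verify_targets(ret_targets, 2, rets, nr, &first_bad);
    printf("bad calls: %d, bad rets: %d\n", bad_calls, bad_rets);
    return 0;
}
```

The whitelist is sorted once and searched with bsearch(), so each recorded target costs a logarithmic lookup, which matters when call_addr.out and ret_addr.out grow throughout the run. A miss can mean an attack or an incomplete whitelist (code the preprocessing step did not cover, such as a module loaded after the image was scanned), so a practitioner would confirm that func_addr_file and ret_addr_file cover all executable kernel code before treating every miss as an alert.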

The performance of the invention can be further illustrated by the following experiment:

Experimental conditions:

The invention was implemented in the QEMU virtual machine monitor. QEMU version 1.5.0 was used to detect code reuse attacks against the Linux 3.11.1 kernel; the functionality was implemented by modifying the QEMU source code.

Experiment content:

The performance benchmark UnixBench was used to test a kernel booted by the unmodified QEMU and a kernel booted by QEMU with the invention's functionality added, in order to determine the performance overhead introduced by the invention. Each test was run three times and the results averaged.

Result analysis:

The UnixBench results show that the performance overhead introduced by this invention is about 4%. Overall, the invention has the advantage of high performance.

The above is intended only to illustrate the technical idea of the invention and does not limit its scope of protection; any modification made to the technical solution in accordance with the technical idea proposed by the invention falls within the scope of protection of the claims of the invention.

Claims (3)

1. A QEMU-based kernel-level code reuse attack detection method, characterized in that it comprises the following steps:
1) Preprocessing
1.1) Create an empty temporary file temp_file and output the content of the operating system kernel image file into the temporary file temp_file;
1.2) Create a file func_addr_file recording the function entry addresses in the kernel, obtain the entry addresses of all kernel functions in turn from temp_file, and write these addresses into func_addr_file;
1.3) Create a file ret_addr_file recording the function return addresses in the kernel, obtain all valid function return addresses in the system in turn from temp_file, and write these addresses into ret_addr_file;
2) Recording of jump instruction target addresses and verification of the interrupt flow, based on QEMU; the specific method is as follows:
2.1) Start the virtual machine kernel using QEMU;
2.2) In QEMU's translation phase from guest instructions to host instructions, obtain one instruction I from the kernel instructions;
2.3) Before translating instruction I, first determine whether an interrupt event has occurred; if an interrupt has occurred, go to step 2.7);
2.4) Determine the type of instruction I: if I is an indirect call instruction, go to step 2.5); if I is a ret instruction, go to step 2.6); otherwise go to step 2.8);
2.5) Handle the indirect call instruction I as follows:
2.5a) If the file call_addr.out does not exist, create the file call_addr.out for recording indirect call target addresses;
2.5b) When translating the indirect call instruction I, mark it by setting call_flag to 1;
2.5c) If an interrupt occurs at this point, on entering the interrupt handler check whether call_flag is 1; if so, record the return address pushed during interrupt processing into the file call_addr.out, set call_flag to 0, and go to step 2.5e);
2.5d) QEMU jumps to the target address of the indirect call instruction and translates it; before translating, check whether the flag call_flag is 1; if so, record the first address of the translation block, which is the target address of the indirect call instruction, into the file call_addr.out, and then set call_flag to 0;
2.5e) Go to step 2.8);
2.6) Handle the ret instruction I as follows:
2.6a) If the file ret_addr.out does not exist, create the file ret_addr.out for recording the target addresses of ret instructions;
2.6b) When translating the ret instruction I, mark it by setting ret_flag to 1;
2.6c) If an interrupt occurs at this point, on entering the interrupt handler check whether ret_flag is 1; if so, record the return address pushed during interrupt processing into the file ret_addr.out, set ret_flag to 0, and go to step 2.6e);
2.6d) QEMU jumps to the target address of the ret instruction and translates it; before translating, check whether ret_flag is 1; if so, record the first address of the translation block, which is the target address of the ret instruction, into the file ret_addr.out, and then set ret_flag to 0;
2.6e) Go to step 2.8);
2.7) Handle the interrupt as follows:
2.7a) If the file int_addr.out does not exist, create the file int_addr.out for recording interrupt information;
2.7b) If there is no custom stack, initialize the stack int_addr, with the top-of-stack pointer pointing at the first position;
2.7c) In the function in which QEMU handles the interrupt, also push the return address pushed by the system onto the custom stack int_addr;
2.7d) After QEMU has executed the interrupt routine, when the interrupt return instruction is invoked, pop the return address from the custom stack int_addr and compare it with the return address of the interrupt return instruction; if the two differ, report an attack and record the differing return addresses from the comparison in the file int_addr.out;
2.7e) Go to step 2.4);
2.8) If the operating system kernel still has unprocessed instructions, return to step 2.2) and begin processing the next instruction; otherwise terminate;
3) Verification of jump instruction target addresses
While instructions are being translated, verify the target addresses of the jump instructions recorded by QEMU to detect whether an attack has occurred.
2. The QEMU-based kernel-level code reuse attack detection method according to claim 1, characterized in that in step 2.4) the type of instruction I is determined by QEMU identifying the opcode of the binary instruction.
3. The QEMU-based kernel-level code reuse attack detection method according to claim 1 or 2, characterized in that in step 3) the jump instruction target address verification step is specifically as follows:
3.1) Read each newly added target address in call_addr.out and verify whether it is a function entry address in the file func_addr_file; if not, report an attack;
3.2) Read each newly added target address in ret_addr.out and verify whether it is a valid function return address in the file ret_addr_file; if not, report an attack;
3.3) Return to 3.1).
CN201510574168.8A 2015-09-10 2015-09-10 A kind of kernel level code reuse type attack detection method based on QEMU Active CN105260659B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510574168.8A CN105260659B (en) 2015-09-10 2015-09-10 A kind of kernel level code reuse type attack detection method based on QEMU

Publications (2)

Publication Number Publication Date
CN105260659A CN105260659A (en) 2016-01-20
CN105260659B true CN105260659B (en) 2018-03-30

Family

ID=55100343

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102012987A (en) * 2010-12-02 2011-04-13 李清宝 Automatic behavioural analysis system for binary malicious codes
CN102662830A (en) * 2012-03-20 2012-09-12 湖南大学 Code reuse attack detection system based on dynamic binary translation framework

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
An Effective Return-Oriented-Programming Attack Detection Method; 刘智 (Liu Zhi) et al.; Journal of Chinese Computer Systems (小型微型计算机系统); 2013-07-31; vol. 34, no. 7; pp. 1625-1630 *
Defending against Code Reuse Attacks with a Return Address Protection Mechanism; 陈林博 (Chen Linbo) et al.; Computer Science (计算机科学); 2013-09-15; vol. 40, no. 9; pp. 93-98 *
Code Reuse Attack Detection and Defense Based on a Dynamic Binary Translation Framework; 刘超 (Liu Chao); China Master's Theses Full-text Database (Electronic Journal), Information Science and Technology; 2013-06-15; I138-114 *

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant