CN114489657B - The system and process for compiling source code - Google Patents
The system and process for compiling source codeInfo
- Publication number
- CN114489657B CN114489657B CN202111336977.7A CN202111336977A CN114489657B CN 114489657 B CN114489657 B CN 114489657B CN 202111336977 A CN202111336977 A CN 202111336977A CN 114489657 B CN114489657 B CN 114489657B
- Authority
- CN
- China
- Prior art keywords
- instruction
- additional
- code
- translated
- source code
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/40—Transformation of program code
- G06F8/41—Compilation
- G06F8/44—Encoding
- G06F8/447—Target code generation
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Devices For Executing Special Programs (AREA)
Abstract
本公开的实施例涉及用于编译源代码的系统和过程。根据一个方面,一种用于通过编译工具将源代码编译为计算机可执行代码的方法包括:接收源代码作为到编译工具的输入;将源代码转译为包括由处理器可执行的机器指令的目标代码;然后在目标代码的机器指令之间引入从非法指令和非操作指令中选择的附加指令,以获得可执行代码;然后传递可执行代码作为编译工具的输出。
Embodiments of the present disclosure relate to systems and processes for compiling source code. According to one aspect, a method for compiling source code into computer executable code using a compilation tool includes: receiving the source code as input to the compilation tool; translating the source code into target code comprising machine instructions executable by a processor; then introducing additional instructions selected from illegal instructions and no-operation instructions between the machine instructions of the target code to obtain executable code; and then delivering the executable code as output of the compilation tool.
Description
Cross Reference to Related Applications
The application claims the benefit of french application number 2011657 filed on 11/13 2020, which is incorporated herein by reference.
Technical Field
Implementations and embodiments of the present disclosure relate to security of certain aspects of a computer system, such as, for example, security of an instruction set executed by the computer system, and in particular, to security or security aspects against error injection attacks.
Background
Embodiments are advantageously, but not exclusively, applied to computer systems whose processing units include, for example, microcontrollers or microprocessors.
A program includes at least one object code comprised of a plurality of machine instructions (or simply "instructions").
Machine instructions are basic operations of object code that can be executed by a processor.
The machine instructions may be obtained from source code by means of a compilation tool.
A compilation tool (or "compiler") is a program that converts source code into object code. In particular, the source code may include functions that are translated into instructions in the object code.
Further, execution of the object code instructions by the processor is clocked by a clock.
Interference may occur on the electronic components of the clock. Such interference may affect the execution of instructions and may reduce the security of the program.
To ensure proper execution of the program, execution of the instruction sequence may be controlled, at least in some strategic steps of the program. This requires application of specific coding rules. These specific coding rules require a high level of technical skill. Furthermore, the application of these coding rules requires time.
Therefore, a solution to avoid specific coding needs to be proposed.
Furthermore, misled persons may succeed in interfering with the execution of program instructions by misinjection attacks that cause errors in the clock used to clock instruction execution.
In particular, by making the clock error, certain instructions may be jumped over and thus not executed. Other instructions may be executed multiple times. When some function-ending branch instructions are not executed, the executive may execute a subsequent function in code without the function being called.
Thus, by making the clock error, the execution of the program may not be controlled, which may cause a security problem.
In particular, by interfering with the execution of program instructions, misleading persons may successfully destroy the program.
To combat error injection attacks, the executed instructions may be controlled. Function calls may also be replicated to ensure that they are executed correctly.
The drawbacks of these solutions are very disturbing in the development of program code.
These solutions also have the disadvantage that all possible consequences of an error injection into the program execution cannot be predicted. Indeed, it is still possible that the error injection affects some parts of the assembly code for which no control is performed. Thus, the false injection may not be detected.
Furthermore, the compiled code is the same for any computer system that uses common code. Specifically, the compiled code is identical for the same compilation tool that uses the same level of compilation optimization. Thus, error injection attacks can be easily reproduced on multiple platforms based on the same code.
Thus, it is desirable to make the program more robust to error injection attacks and/or external disturbances.
There is also a need to propose a solution for detecting uncontrolled execution of programs, which may be caused in particular by error injection attacks.
Disclosure of Invention
According to one aspect, a method for compiling source code into computer executable code by a compiling tool or compiler, the compiling tool being implemented within a computer processing unit, the method comprising receiving the source code as input to the compiling tool and storing the source code in a memory of the processing unit, the compiling tool translating the source code into object code comprising machine instructions executable by a processor, then the compiling tool introducing additional instructions selected from among the illegal instructions and the non-operational instructions between the machine instructions of the object code to obtain the executable code, then passing the executable code as output of the compiling tool.
Such a compiling method may be implemented by a compiling tool, which may be executed by a computer in particular. Such a compiling method may be implemented to obtain a plurality of executable codes that can be linked, thereby obtaining a compiler that is executed by a computer system including a processing unit.
Such a compilation method thus makes it possible to obtain modified object code, which comprises translation instructions of the source code and additional instructions introduced by the compilation tool.
The compiling method is executed according to a processor that can execute the executable code that is expected to be obtained. For example, the processor that is expected to execute the obtained executable code may be a processor having an ARM type architecture. The source code is then translated into instructions that such a processor can read.
In particular, the executable code may be executed by a processor of a microcontroller of a processing unit of the computer system.
Introducing additional instructions between the translated instructions of the source code may improve the robustness of the obtained executable code in terms of security and protection against error injection attacks.
Such a compiling method may be implemented by a compiling tool. In particular, the compilation tool may automatically implement the proposed compilation method during compilation of source code.
Such a compilation method may facilitate the development of executable code because the insertion of additional instructions is performed automatically by the compilation tool.
Further, the execution of the obtained executable code may be performed by using a flash memory instead of a Random Access Memory (RAM).
An illegal instruction is an instruction with invalid operation code. The operation code is invalid in that it does not correspond to any type of instruction that can be executed by the processor on which the executable code is executed.
When an illegal instruction is read by the processor, the processor cannot execute the instruction. An illegal instruction exception is then issued.
Thus, by introducing an illegal instruction from the translated instruction of the source code, a fault in the execution of the executable code can be detected by detecting an illegal instruction exception.
Specifically, a control device configured to detect an illegal instruction abnormality caused by an additional illegal instruction introduced from a translated instruction of a source code may be used.
The control device may be further configured to stop uncontrolled execution of the executable code after detecting an illegal instruction exception, and then perform a safety action to prevent a safety problem. The security action to prevent security problems may be, for example, re-initializing a processor executing executable code or erasing sensitive data, such as an encryption key. The security action may also be writing to a Real Time Clock (RTC) register to store the error injection attack attempt in memory. The processor speed may also be slowed down to slow down the attack attempt.
Only additional illegal instructions may be introduced. Only additional non-operational instructions may be introduced. These different types of additional instructions may also be combined.
The object code may include a function having a set of machine instructions. These functions were originally written in source code.
In an advantageous implementation, additional illegal instructions are introduced between the functions of the object code.
The introduction of illegal instructions has the advantage of being simple to implement and does not interfere with the execution of the executable code.
In an advantageous implementation, at least one additional illegal instruction is introduced after a branch instruction of the object code translated from the source code.
For example, when at least one illegal instruction is inserted between two functions of the object code, the at least one illegal instruction is inserted after an unconditional branch instruction marking the end of a first function of the two functions of the object code.
Thus, when the code is executing normally, the function-ending branch instruction is executed and at least one additional illegal instruction is not read. Further, at least one additional illegal instruction may be fetched when the code is executing an exception and when the function ends the branch instruction jump. The reading of the at least one additional illegal instruction then generates an illegal instruction exception indicating that execution of the executable code is faulty.
Furthermore, unconditional branch instructions may already be included in some functions of the object code. At least one instruction may then also be inserted after the branch instruction included within the function.
Thus, when the code is executing normally, the branch instruction within the function is executed and at least one additional illegal instruction is not fetched. Further, when the branch instruction is jumped following a fault in the execution of the executable code, at least one illegal instruction is read and an illegal instruction exception is generated, thereby indicating that the fault occurred in the execution of the executable code.
Additional illegal instructions may also be introduced after conditional branch instructions when ensuring that the condition of the executing branch will be checked during normal execution of the executable code.
In an advantageous implementation, an additional branch instruction and subsequently at least one additional illegal instruction are introduced between two machine instructions of the translation object code of the source code.
The introduction of a branch instruction followed by at least one illegal instruction may be performed at any location within the function between the two instructions.
Specifically, a branch instruction is introduced after the first of two translated instructions of source code. The branch instruction has as an operand the address of a second instruction of the two translated instructions from the source code.
Thus, when the code is executing normally, the introduced branch instruction is executed and at least one additional illegal instruction is not fetched. The instruction that is subsequently executed is the next translated instruction of the source code.
Further, when the branch instruction is jumped after a fault occurs in the execution of the executable code, at least one illegal instruction is read and an illegal instruction exception is generated, thereby indicating a fault in the execution of the executable code.
The branch instruction may be unconditional or conditional when it is ensured that the condition of executing the branch during normal execution of the executable code will be checked.
In particular, in an advantageous embodiment, the translation object code of the source code includes a compare instruction followed by a conditional branch instruction. Further, an additional compare instruction and subsequent additional conditional branch instructions are introduced into the target code upstream of or subsequent to the translation compare instruction of the source code, the additional compare instruction being identical to the translation compare instruction of the source code and the additional conditional branch instructions being opposite to the conditional branch instructions following the translation compare instruction of the source code. And at least one additional illegal instruction is introduced after the additional conditional branch instruction of the source code and the last conditional branch instruction of the translated conditional branch instruction.
Furthermore, in an advantageous embodiment, after a function calls a branch instruction, at least one additional illegal instruction is introduced and at least one add instruction is introduced into the function, the add instruction being configured to be able to modify the return address stored in the link register by adding to the return address the number of additional illegal instructions introduced after the function calls the branch instruction.
In one advantageous implementation, at least two consecutive additional illegal instructions are introduced between at least two machine instructions of the translation object code of the source code.
During uncontrolled execution of executable code, the reading of additional illegal instructions may be skipped.
Thus, by introducing several consecutive illegal instructions greater than two, the chance of reading additional illegal instructions during uncontrolled execution of the executable code is higher. Thus, the chance of detecting a fault in the execution of the executable code is higher.
In an advantageous implementation, the number of consecutive additional illegal instructions introduced between at least two machine instructions of the translation target code of the source code is randomly selected.
By introducing a random number of consecutive additional illegal instructions, a different executable code can be obtained for each compilation of the same source code.
Since each executable code obtained from the same source code is different, it is more difficult to perform an error injection attack having the same effect on each executable code.
Thus, introducing a random number of consecutive additional illegal instructions may complicate replication of error injection attacks on multiple different computer systems.
In an advantageous implementation, the introduction of the additional instruction is performed only on a portion of the object code.
In an advantageous implementation, additional instructions are introduced into the object code at locations of the object code that are at least partially randomly selected.
Specifically, additional instructions are introduced at locations randomly selected from a variety of possible locations.
By randomly introducing additional instructions, different executable code may be obtained for each compilation of the same source code.
Since each executable code generated by the same source code is different, it is more difficult to perform an error injection attack having the same effect with respect to the execution of each obtained executable code.
Thus, at least partially randomly introducing additional instructions may complicate replication of error injection attacks on multiple different computer systems.
According to another aspect, a compilation tool is proposed, the compilation tool being configured to implement a compilation method as described before.
According to another aspect, a computer-readable recording medium is proposed, on which a compiling tool is recorded as previously described.
According to another aspect, a computer system includes a memory including executable code obtained from a compilation method as previously described, and a processor configured to execute the executable code.
In an advantageous implementation, the computer system further comprises a control device configured to receive an illegal instruction exception that the processor is able to generate when the processor reads an additional illegal instruction during execution of the executable code, and to stop executing the executable code after receiving the illegal instruction exception.
Drawings
Other advantages and features of the present invention will become apparent after review of the detailed description of non-limiting implementations and embodiments and the accompanying drawings, in which:
FIG. 1 illustrates one embodiment compilation tool;
FIG. 2 illustrates an embodiment compilation method that may be implemented by a compilation tool, and
FIG. 3 illustrates an embodiment computer system including non-volatile memory including executable code obtained from a compilation method.
Detailed Description
FIG. 1 illustrates a compilation tool CMP, according to one embodiment. The compilation tool CMP is a compiler or compiler program implemented within a computer processing unit, e.g. a PC type computer.
The compiler CMP comprises an input IN and an output OUT. The input IN of the compilation tool CMP is configured to receive the source code CS. The source code CS is stored in a memory of the processing unit. The compilation tool CMP is configured to implement a compilation method according to an embodiment and described below. The compiling method makes it possible to obtain the computer executable code PRG as the output OUT. The code PRG is in particular a program executable by a processor.
The processor on which the executable code may be executed may have an ARM type architecture. The processor may be a processor of a microcontroller. The processor may also be a microprocessor.
The source code is written according to a programming language, such as C. The source code includes instructions written in accordance with the programming language. The source code may define a plurality of functions, each function including at least one instruction.
The executable code PRG comprises binary instructions executable by a processor.
A compilation method according to an embodiment that can be implemented by a compilation tool CMP is illustrated in fig. 2. The compiling method makes it possible to compile the source code CS into computer executable code PRG.
First, the method includes a receiving step 20, wherein the compilation tool receives source code as input.
The compiling method comprises a step 21 of translating source code CS received as input to a compiling tool CMP. During this step 21, the compilation tool translates the instructions of the source code into processor-executable machine instructions, the executable code PRG having to be executed with the processor.
The compiling method then comprises a step 22 of introducing additional instructions. During this step 22, additional instructions are introduced between the translated machine instructions of the source code. This introduction step 22 makes it possible to obtain the executable code PRG.
The executable code PRG thus comprises the translation instructions of the source code in step 21 and the additional instructions introduced in step 22.
Additional instructions that can be introduced may include illegal instructions and/or non-operational instructions. In particular, additional instructions of the same type or of a plurality of different types may be introduced.
Additional instructions are introduced at locations where machine instruction code can be selected from a plurality of possible locations, particularly in or between functions of the code. The location at which the additional instruction is introduced may be selected randomly.
Additional instructions may be introduced into the overall machine instruction code or into only some portions of the code. The number of which may also be varied and randomly selected.
Furthermore, the introduction of additional instructions or the movement of word pools to be described later may require updating the address of the translated instructions of the source code, particularly in functions and for function calls. In examples 3-1 to 3-8 in the appendices below, the address of the translated instruction of the source code is not updated for ease of understanding and comparing the examples of fig. 2.
The introduction of additional instructions makes it possible to obtain a robust executable code PRG, in particular for error injection attacks or disturbances external to the processor.
The compiling method then comprises a transfer step 23, in which the executable code PRG is transferred as output of the programming tool.
According to various embodiments, the various executable codes shown in examples 3-1 to 3-8 of the appendix can be obtained by various implementations M1 to M8 of step 22 of the compiling method according to the C language source code shown in example 1 of the appendix.
The illustrated source code is used only to facilitate understanding of the compilation method.
The source code includes a "main" function, a "function_a" function, and a "function_b" function.
The "function_b" function is written after the "function_a" function.
The "main" function is written after the "function_b" function.
The main function includes a "function_a" function call.
The source code is translated into executable binary instructions by a processor having an ARM architecture. These translated instructions are shown in assembly language in example 2 of the appendix to facilitate understanding of the compilation method.
As shown in example 2 in the appendix, the translate instruction of the "function_b" function follows the translate instruction of the "function_a" function.
In addition, the "function_a" and "function_b" functions each include a function end branch instruction shown in assembly language by the "bx lr" ARM instruction (see instructions 5C and 94), which translates the "return" instruction into the C language as shown in example 1 in the appendix.
Additional instructions are then introduced into the translated instruction sequence of the source code. Various examples of additional instructions introduced in the translated instruction sequence of the source code are illustrated in examples 3-1 through 3-8 in the appendix. For ease of understanding, the instructions are shown in assembly language in these examples.
In embodiment M1 of step 22 shown in example 3-1, additional illegal instructions are introduced between the functions. Specifically, these additional illegal instructions are introduced for each function after the function ends the branch instruction (i.e., the "bx lr" instruction).
These illegal instructions are shown by the expression "< UNDEFINED >".
In this embodiment M1, the same number of additional illegal instructions are introduced after the function end branch instruction of each function. Specifically, in the present embodiment, three additional illegal instructions are introduced after the function ends the branch instruction. Preferably, at least two additional illegal instructions are added after the function ends the branch instruction.
Alternatively, in embodiment M2 of step 22 shown in example 3-2, a random number of additional illegal instructions are introduced after the function of each function ends the branch instruction. Here, for example, 2 additional illegal instructions are introduced after the function of the "function_a" function ends the branch instruction, 4 additional illegal instructions are introduced after the function of the "function_b" function ends the branch instruction, and 5 additional illegal instructions are introduced after the function of the "function_a" function ends the branch instruction. Preferably, at least two additional illegal instructions are added after the function ends the branch instruction.
The additional illegal instructions introduced may be read by a processor on which the executable code PRG is executed. Reading the additional illegal instruction generates an illegal instruction exception.
When the executable code PRG is functioning properly, the function-ending branch instruction is executed such that additional illegal instructions are not read.
These additional instructions may be read if the function ending branch instruction is not executed by the processor. The end of function branch instruction may be especially jumped over when the processor experiences a fault injection attack or disturbance external to the processor.
When a function-ending branch instruction of a function is jumped over, the processor may execute the function that follows the jump function. For example, if the function end branch instruction of the "function_a" function is not executed, the processor may execute the "function_b" function.
However, the reading of an additional illegal instruction located after the function ends the branch instruction makes it possible to generate an illegal instruction exception. Since the additional illegal instruction is read only when the function-ending branch instruction is not executed, generating an illegal instruction exception after the additional illegal instruction is read may indicate an execution failure of the executable code PRG.
Introducing at least two additional illegal instructions may reduce the chance that both additional illegal instructions will be jumped upon failure of the execution of the executable code PRG.
Additional illegal instructions may also be introduced within the functions, such as in the implementations illustrated in examples 3-3 and 3-4.
As shown in the implementation M3 of step 22 shown in example 3-3, the compilation method may be adapted to introduce at least one additional unconditional branch instruction between two translated instructions of source code, followed by at least one additional illegal instruction. Thus, an additional unconditional branch instruction follows the first of the two translated instructions of the source code and takes the address of the second of the two instructions as an operand. Preferably, at least two additional illegal instructions are introduced after the additional branch instruction. The number of additional illegal instructions following the additional unconditional branch instruction may also be randomly selected.
The introduction of a random number of consecutive additional illegal instructions may complicate replication of error injection attacks on multiple different computer systems.
Specifically, in the illustrated example, these additional instructions are introduced between instructions 34 and 38 of the "function_a" function. The additional unconditional branch instruction points to the address of instruction 38 of the function "function_a" and is followed by two additional illegal instructions.
Thus, when the executable code PRG is executing normally, the additional branch instruction is executed such that the additional illegal instruction is not read.
However, when additional branch instructions are not executed after a fault occurs in the execution of the executable code PRG, additional illegal instructions located after these additional branch instructions are read. Illegal instruction exceptions are then generated. An illegal instruction exception may thus be used to detect a fault in the execution of the executable code PRG.
Furthermore, as shown in the implementation M4 of step 22 shown in examples 3-4, at least one additional illegal instruction may be introduced within the function following the translated unconditional branch instruction of the source code. Preferably, at least two additional illegal instructions are added after the translated unconditional branch instruction of the source code. The number of additional illegal instructions following the translated branch instruction of the source code may also be randomly selected.
Specifically, in the example shown in examples 3-4, after the unconditional branch instructions 2c, 4c and 50 of the "function_a" function, two additional illegal instructions are added.
The unconditional branch instruction 2c is used prior to the "return" instruction of the first "if" structure of the "function_a" function in the source code. This branch instruction 2c then makes it possible to execute the function end branch instruction 5c that translates the "return" instruction.
The branch instruction 4c is thus used before the "return" instruction of the second "if" structure of the "function_a" function in the source code. This branch instruction 2c then makes it possible to execute the function end branch instruction 5c that translates the "return" instruction.
The branch instruction 50 is used to translate the "while (1)" structure of the "function_a" function of the source code.
Thus, when the executable code PRG executes normally, the translated branch instruction of the source code is executed such that the additional illegal instructions following it are not read.
However, when a translated branch instruction of the source code is not executed after a fault occurs in the execution of the executable code PRG, an additional illegal instruction located after the branch instruction is read. Illegal instruction exceptions are then generated. These illegal instruction exceptions can thus be used to detect faults in the execution of the executable code PRG.
Furthermore, some word pools may also be used as additional illegal instructions within the function, such as in implementation M5 of step 22 shown in examples 3-5.
The literal value is an immediate value that can be stored in an executable code area. These literal values are not instructions to be executed by the processor and are treated as illegal instructions when read. Thus, the literal value may be used as an illegal instruction to detect a fault in the execution of the executable code PRG. For example, the literal value may be used as an illegal instruction by moving the pool of literal values after an additional branch instruction is introduced from the translated instruction of the source code, or after the translated branch instruction of the source code.
In the example shown in examples 3-5, two literal values are used as illegal instructions, a literal value stored at address < function_a+0x60> and a literal value stored at address < function_a+0x6c >. Additional illegal instructions are introduced after the last literal value.
Specifically, as can be seen from examples 3-5, the literal pool has been shifted to be placed after the function-ending branch instruction.
Thus, the two literal values and the additional illegal instruction may be used to detect a fault in the execution of the executable code PRG.
More specifically, when the executable code PRG is normally executed, the translation function end branch instruction of the source code is executed such that the literal values and the additional illegal instructions following them are not executed.
However, when the function ending branch instruction is not executed after a fault occurs in the execution of the executable code PRG, the literal value may be read and interpreted as an illegal instruction. In this case, an illegal instruction exception is generated. Similarly, a read that appends an illegal instruction results in the generation of an illegal instruction exception. These illegal instruction exceptions can thus be used to detect faults in the execution of the executable code PRG.
Using literal values as illegal instructions may reduce the number of additional illegal instructions inserted into the executable code PRG. This thus makes it possible to reduce the size of the executable code PRG.
Furthermore, as shown in implementation M6 of step 22 shown in examples 3-6, at least one additional illegal instruction may be introduced after the function call. Preferably, at least two additional illegal instructions may be introduced after the function call. The number of additional illegal instructions introduced after the function call may also be randomly selected.
Specifically, in the example shown in examples 3-6, after the branch instruction b4 ("bl 0< function_a >") used as a function call, three additional illegal instructions are added in the "main" function.
Adding illegal instructions after a function call instruction involves modifying the Link Register (LR) at the end of the function call. In particular, the link register is modified to point to an instruction address following an additional illegal instruction introduced after the function call instruction.
For example, in the examples shown in examples 3-6, to modify the Link Register (LR), an additional instruction is added in the "function_a" function before the function end branch instruction 5c ("bx LR") makes it possible to return to the "main" function (translating the "return" instruction in the source code). The additional instruction is an add instruction ("add LR, LR, # 12") so that the number of additional illegal instructions introduced after the function call instruction b4 can be added to the address contained in the Link Register (LR). Specifically, in examples 3-6, since three additional illegal instructions are introduced, 12 is added to the value of the Link Register (LR), and each additional illegal instruction has a size of four bytes.
Thus, when the executable code PRG is normally executed, the branch instruction b4 for calling the "function_a" function is executed. Then, at the end of execution of the function_a function, the processor executes instruction b8 after the additional illegal instruction. The additional instructions are therefore not fetched.
However, when the branch instruction b4 for calling the "function_a" function is not executed after a fault occurs in the execution of the executable code PRG, the "function_a" function is not executed and an additional illegal instruction located after the branch instruction is read. Illegal instruction exceptions are then generated. These illegal instruction exceptions can thus be used to detect faults in the execution of the executable code PRG.
Furthermore, as shown in implementation M7 of step 22 shown in examples 3-7, at least one additional illegal instruction may be introduced into the function after the conditional branch instruction (particularly after the "beq" or "bne" instruction). Conditional branch instructions may be translated instructions of source code or even instructions added from translated instructions of source code. In this last case, a conditional branch instruction is thus introduced, followed by at least one additional illegal instruction from the translated instruction of the source code.
Specifically, during normal execution of the executable code PRG, additional illegal instructions are added after conditional branch instructions, the condition of these branches being inevitably checked.
More specifically, conditional branch instructions may be used, for example, after a compare instruction.
The compare instruction makes it possible to compare two values to know if the values are equal and then execute some other instruction based on the result obtained from the comparison. The selection of these other instructions is performed due to conditional branch instructions.
To ensure that the translated compare instruction of the source code and subsequently the first conditional branch instruction are correctly executed during execution of the executable code PRG, the same compare instruction may be introduced along with subsequently a second conditional branch instruction, which is opposite to the first conditional branch instruction. The compare instruction and the subsequent second branch instruction may be introduced before or after the translation of the compare instruction and the subsequent first branch instruction in the source code.
Additional illegal instructions are introduced furthest after the compared conditional branch instruction in the order of execution of the instructions of the executable code PRG. Thus, if neither the first conditional branch nor the second conditional branch is executed, then additional illegal instructions are fetched. This means that execution of the executable code PRG does not occur correctly. In fact, since the two conditional branch instructions are opposite, during normal execution of the executable code PRG, at least one of the two conditional branches must be executed.
Reading the additional illegal instruction generates an illegal instruction exception. The illegal instruction exception may thus be used to detect a fault in the execution of the executable code PRG.
Specifically, in the examples shown in examples 3-7, additional instructions are introduced from the translated instructions of the source code to check whether the compare instruction c4 and the conditional branch instruction c8 were executed correctly during execution of the executable code PRG.
Specifically, a first series of additional instructions S1 are introduced between the translated instructions c0 and c4 of the source code. A first series of additional instructions is introduced to initialize the zero flag to "1". Specifically, the value of the zero flag is defined by the result of each compare instruction. The conditional branch instruction uses the zero flag to determine whether the branch must be executed.
The first series of additional instructions includes a compare instruction for comparing the value of register r3 with the same value of register r 3. Register r3 is a register for comparing translation instruction c4 of the source code. The two comparison values are the same and the introduced comparison instruction can determine that the two values are equal. Thus, the introduced compare instruction may initialize the zero flag to "1" when executed.
The first series of additional instructions further includes a conditional branch instruction following the compare instruction and an additional illegal instruction following the conditional branch instruction. Conditional branch instructions are of the "beq" (if equal, branch) type, and thus a branch may be executed when the comparison result before the branch may determine that there is an equal between the two test values. Conditional branch instructions read the zero flag to determine if the branch must be executed. If the compare instruction introduced before the conditional branch instruction has been executed correctly, the zero flag is "1", so that branching is unavoidable if the executable code PRG executes normally, and the next instruction that must be executed is instruction c4. However, if the compare instruction is not executed, after the fault, the branch is not executed and additional illegal instructions are read. Reading the additional illegal instruction generates an illegal instruction exception. The illegal instruction exception makes it possible to detect a fault in the execution of the executable code PRG.
Instruction c4 following the first series of additional instructions is a translation compare instruction of the source code so that the value of register r3 can be compared to the value "0".
This instruction is followed by a conditional branch instruction c8 of the "bne" (if not equal, branch) type. If the values of the comparison tests performed from instruction c4 are not equal, then the instruction may execute a branch.
After the translated instruction c8 of the source code, a second series of additional instructions S2 is introduced.
The second series of additional instructions includes a compare instruction for comparing the value of register r3 with the value "1". The introduced compare instruction may thus set the zero flag to "0".
The second series of additional instructions further includes a conditional branch instruction following the compare instruction and an additional illegal instruction following the conditional branch instruction. Conditional branch instructions are of the "bne" (if not equal, branch) type, and thus a branch may be executed when the comparison result before the branch can determine the difference between the two test values. Conditional branch instructions read the zero flag to determine if the branch must be executed. If the compare instruction introduced before the conditional branch instruction has been executed correctly, the zero flag is "0", so that branching is unavoidable if the executable code PRG executes normally, and the next instruction that must be executed is instruction yy. However, if the compare instruction is not executed, after the fault, the branch is not executed and additional illegal instructions are read. Reading the additional illegal instruction generates an illegal instruction exception. The illegal instruction exception makes it possible to detect a fault in the execution of the executable code PRG.
After the second series of additional instructions S2, a third series of additional instructions S3 is introduced.
The third series of additional instructions includes the same compare instruction as the translated compare instruction c4 of the source code.
The third series of additional instructions further includes a conditional branch instruction following the compare instruction, and an additional illegal instruction following the conditional branch instruction.
The conditional branch instruction is of the "beq" (branch if equal) type and is thus opposite to conditional branch instruction c 8.
During normal execution of the executable code PRG, the compare instruction of the third series of instructions may be executed only when the comparison performed from instruction c4 is such that the determination register r3 is equal to "0". Thus, during normal execution of the executable code PRG, the comparison performed from the compare instruction introduced into the third series of additional instructions must determine that the value of register r3 is unmodified, still equal to "0". Thus, during normal execution of the executable code PRG, the condition of the conditional branch instruction of the third series of additional instructions is checked and the branch has to be executed. Thus, the following instruction that must be fetched is instruction cc.
However, if an additional illegal instruction of the third series of additional instructions is read, this means that the execution of the executable code PRG fails. Reading the additional illegal instruction generates an illegal instruction exception. The illegal instruction exception makes it possible to detect a fault in the execution of the executable code PRG.
In an implementation in which additional illegal instructions are introduced from translated instructions of the source code, the control device DCTRL is provided in the computer system SYS, with which the executable code can be executed.
Such a computer system SYS is shown in fig. 3. The computer system SYS comprises a non-volatile memory MEM comprising executable code PRG obtained from the compiling method described previously.
The computer system SYS further comprises a processor PROC configured to execute the executable code PRG.
The control device DCTRL is configured to detect illegal instruction exceptions. The control device DCTRL is configured to stop uncontrolled execution of the executable code PRG after detection of these illegal instruction exceptions, and then to perform a safety action.
The security action may be, for example, a re-initialization of the processor executing the executable code PRG or an erasure of sensitive data, such as an encryption key. The security action may also be writing to a Real Time Clock (RTC) register to store the error injection attack attempt in memory. The processor speed may also be slowed down to slow down the attack attempt.
The computer system on which the executable code PRG is executed may comprise such a control device.
The control device may be implemented by software means or hardware means, for example by logic circuitry.
Further, as seen previously, the additional instruction introduced in step 22 of the compilation method may be a no operation ("nop") instruction. Such an implementation M8 of step 22 is shown in examples 3-8.
These additional non-operational instructions are introduced within the function of randomly selected locations from the translated instructions of the source code.
Indeed, the random introduction of non-operational instructions makes it possible to obtain a different executable code PRG for each compilation, complicating the replication of error injection attacks on multiple computer systems based on the same software implementation.
The introduction of additional instructions between the translated instructions of the source code makes it possible to improve the robustness of the compiled executable code PRG with respect to security and against error injection attacks.
Such a compilation method may facilitate the development of executable code because the insertion of additional instructions is performed automatically by the compilation tool.
Further, the execution of the executable code may be performed by using a flash memory instead of a Random Access Memory (RAM).
Appendix
Example 1 Source code (language C):
example 2 translation object code of Source code of example 1 (ARM assembly language)
Example 3-1 executable code (translated into ARM assembly language) that is available through the first implementation M1 of step 22 of the compilation method
Example 3-2 executable code (translated into ARM assembly language) that is available through the second implementation M2 of step 22 of the compilation method
Example 3-3 executable code (translated into ARM assembly language) that is available through the third implementation M3 of step 22 of the compilation method
Examples 3-4 executable code (translated into ARM assembly language) that is available through the fourth implementation M4 of step 22 of the compilation method
Examples 3-5 executable code (translated into ARM assembly language) obtainable by the fifth implementation M5 of step 22 of the compilation method
Examples 3-6 executable code (translated into assembly language) obtainable by the sixth implementation M6 of step 22 of the compilation method
Examples 3-7 executable code (translated into assembly language) that can be obtained by the seventh implementation M7 of step 22 of the compilation method
Examples 3-8 executable code (translated into assembly language ARM) obtainable by the eighth implementation M8 of step 22 of the compilation method
Claims (22)
1. A method of compiling source code into computer executable code by a compiling tool, the compiling tool implemented within a computer processing unit, the method comprising:
receiving the source code as input to the compilation tool;
Storing the source code in a memory of the computer processing unit;
Translating, by the compilation tool, the source code into object code comprising machine instructions executable by a processor;
Introducing, by the compilation tool, an introduced branch instruction between machine instructions of the object code and an additional instruction selected from an additional illegal instruction or an additional non-operational instruction subsequent to the introduced branch instruction after the translation to obtain the computer executable code, wherein the introduced branch instruction is an unconditional branch instruction, and
After the introducing, passing the computer executable code as an output of the compiling tool;
Introducing at least one additional illegal instruction after the function call branch instruction, and
At least one add instruction is introduced in a function, the at least one add instruction being configured to modify a return address stored in a link register by adding to the return address a plurality of additional illegal instructions introduced after the function call branch instruction.
2. The method of claim 1 wherein the object code comprises functions comprising a set of machine instructions and the method comprises introducing the additional illegal instructions between the functions of the object code.
3. The method of claim 1, further comprising introducing at least one additional illegal instruction after a branch instruction of the object code translated from the source code.
4. The method of claim 1, further comprising introducing at least one additional illegal instruction between two machine instructions of the object code translated from the source code after the introduced branch instruction.
5. The method of claim 1, wherein the object code translated from the source code includes a translated compare instruction followed by a translated conditional branch instruction, and further comprising:
Introducing an additional compare instruction and a subsequent additional conditional branch instruction in the object code upstream of or subsequent to the translated compare instruction of the source code, the additional compare instruction being identical to the translated compare instruction of the source code and the additional conditional branch instruction being opposite to the translated conditional branch instruction following the translated compare instruction of the source code, and
At least one additional illegal instruction is introduced after the last conditional branch instruction from the additional conditional branch instruction and the translated conditional branch instruction of the source code.
6. The method of claim 1, further comprising introducing at least two consecutive additional illegal instructions between at least two machine instructions of the object code translated from the source code.
7. The method of claim 6, further comprising randomly selecting a number of consecutive additional illegal instructions to be introduced between the at least two machine instructions of the object code translated from the source code.
8. The method of claim 1, further comprising performing the introducing of the additional instruction on only a portion of the object code.
9. The method of claim 1, further comprising introducing the additional instruction into the object code at a location of the object code that is at least partially randomly selected.
10. A non-transitory computer-readable recording medium, comprising:
A compilation tool for compiling source code into computer-executable code, the compilation tool configured to:
receiving the source code as input;
storing the source code in a memory of a computer processing unit;
Translating the source code into object code comprising machine instructions executable by a processor;
Introducing an introduced branch instruction between machine instructions of the object code and an additional instruction selected from an additional illegal instruction or an additional non-operational instruction after the introduced branch instruction after the translation to obtain the computer executable code, wherein the introduced branch instruction is an unconditional branch instruction;
Delivering the computer executable code as an output after the introducing;
Introducing at least one additional illegal instruction after the function call branch instruction, and
At least one add instruction is introduced in a function, the at least one add instruction being configured to modify a return address stored in a link register by adding to the return address a plurality of additional illegal instructions introduced after the function call branch instruction.
11. The non-transitory computer-readable recording medium of claim 10, wherein the object code comprises functions comprising a set of machine instructions, and wherein the compilation tool is configured to introduce the additional illegal instructions between the functions of the object code.
12. The non-transitory computer-readable recording medium of claim 10, wherein the compilation tool is configured to introduce at least one additional illegal instruction after a branch instruction of the object code translated from the source code.
13. The non-transitory computer-readable recording medium of claim 10, wherein the compilation tool is configured to introduce at least one additional illegal instruction between two machine instructions of the object code translated from the source code after the introduced branch instruction.
14. The non-transitory computer-readable recording medium of claim 10, wherein the object code translated from the source code comprises a translated compare instruction followed by a translated conditional branch instruction, and wherein the compilation tool is configured to:
Introducing an additional compare instruction and a subsequent additional conditional branch instruction in the object code upstream of or subsequent to the translated compare instruction of the source code, the additional compare instruction being identical to the translated compare instruction of the source code and the additional conditional branch instruction being opposite to the translated conditional branch instruction following the translated compare instruction of the source code, and
At least one additional illegal instruction is introduced after the last conditional branch instruction from the additional conditional branch instruction and the translated conditional branch instruction of the source code.
15. The non-transitory computer-readable recording medium of claim 10, wherein the compilation tool is configured to introduce at least two consecutive additional illegal instructions between at least two machine instructions of the object code translated from the source code.
16. A computer system, comprising:
A non-transitory memory comprising computer executable code obtained from source code by a compilation tool configured to:
receiving the source code as input;
storing the source code in a memory of a computer processing unit;
Translating the source code into object code comprising machine instructions executable by a processor;
Introducing an introduced branch instruction between machine instructions of the object code and an additional instruction selected from an additional illegal instruction or an additional non-operational instruction after the introduced branch instruction after the translation to obtain the computer executable code, wherein the introduced branch instruction is an unconditional branch instruction, and
Delivering the computer executable code as an output after the introducing;
Introducing at least one additional illegal instruction after the function call branch instruction, and
Introducing at least one add instruction in a function, the at least one add instruction configured to modify a return address stored in a link register by adding to the return address a plurality of additional illegal instructions introduced after the function call branch instruction, and
A processor configured to execute the computer executable code.
17. The computer system of claim 16, further comprising a control device configured to:
Receiving an illegal instruction exception generated by the processor in response to the processor reading an additional illegal instruction during execution of the computer executable code, and
After receiving the illegal instruction exception, the execution of the computer executable code is stopped.
18. The computer system of claim 16, wherein the object code comprises functions comprising a set of machine instructions, and wherein the compilation tool is configured to introduce the additional illegal instructions between the functions of the object code.
19. The computer system of claim 16, wherein the compilation tool is configured to introduce at least one additional illegal instruction following a branch instruction of the object code translated from the source code.
20. The computer system of claim 16, wherein the compilation tool is configured to introduce at least one additional illegal instruction between two machine instructions of the object code translated from the source code after the introduced branch instruction.
21. The computer system of claim 16, wherein the object code translated from the source code comprises a translated compare instruction followed by a translated conditional branch instruction, and wherein compilation tool is configured to:
Introducing an additional compare instruction and a subsequent additional conditional branch instruction in the object code upstream of or subsequent to the translated compare instruction of the source code, the additional compare instruction being identical to the translated compare instruction of the source code and the additional conditional branch instruction being opposite to the translated conditional branch instruction following the translated compare instruction of the source code, and
At least one additional illegal instruction is introduced after the last conditional branch instruction from the additional conditional branch instruction and the translated conditional branch instruction of the source code.
22. The computer system of claim 16, wherein the compilation tool is configured to introduce at least two consecutive additional illegal instructions between at least two machine instructions of the object code translated from the source code.
Applications Claiming Priority (4)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| FR2011657 | 2020-11-13 | ||
| FR2011657A FR3116356B1 (en) | 2020-11-13 | 2020-11-13 | METHOD FOR COMPILING A SOURCE CODE |
| US17/451,394 US11893370B2 (en) | 2020-11-13 | 2021-10-19 | System and process for compiling a source code |
| US17/451,394 | 2021-10-19 |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114489657A CN114489657A (en) | 2022-05-13 |
| CN114489657B true CN114489657B (en) | 2025-09-30 |
Family
ID=81492966
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111336977.7A Active CN114489657B (en) | 2020-11-13 | 2021-11-12 | The system and process for compiling source code |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114489657B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN119149115B (en) * | 2024-11-16 | 2025-04-01 | 北京麟卓信息科技有限公司 | Dynamic instruction conversion debugging method based on self-reflection mechanism |
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101446905A (en) * | 2008-12-29 | 2009-06-03 | 北京飞天诚信科技有限公司 | Method for compiling and compiler |
Family Cites Families (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP3801545B2 (en) * | 2002-08-02 | 2006-07-26 | 松下電器産業株式会社 | COMPILER PROGRAM, COMPILER DEVICE, AND COMPILING METHOD |
| CN101266549B (en) * | 2008-03-19 | 2010-10-20 | 华为技术有限公司 | Method and device for inserting code |
| CN101872393A (en) * | 2009-04-23 | 2010-10-27 | 李嘉 | Tamper-proof response scheme of Java program |
| JP6370098B2 (en) * | 2014-05-16 | 2018-08-08 | 杉中 順子 | Information processing apparatus, information processing monitoring method, program, and recording medium |
| CN105224864B (en) * | 2015-11-04 | 2018-05-04 | 中国科学院计算技术研究所 | A kind of progress of work method of randomization and system for resisting code reuse attack |
| US10902129B2 (en) * | 2017-12-07 | 2021-01-26 | Virtual Forge GmbH | Method for detecting vulnerabilities in software |
| US10635823B2 (en) * | 2018-01-12 | 2020-04-28 | Intel Corporation | Compiling techniques for hardening software programs against branching programming exploits |
| US11809871B2 (en) * | 2018-09-17 | 2023-11-07 | Raytheon Company | Dynamic fragmented address space layout randomization |
| CN111475152B (en) * | 2020-04-14 | 2023-03-14 | 中国人民解放军战略支援部队信息工程大学 | Code processing method and device |
-
2021
- 2021-11-12 CN CN202111336977.7A patent/CN114489657B/en active Active
Patent Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101446905A (en) * | 2008-12-29 | 2009-06-03 | 北京飞天诚信科技有限公司 | Method for compiling and compiler |
Also Published As
| Publication number | Publication date |
|---|---|
| CN114489657A (en) | 2022-05-13 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| JP4777903B2 (en) | Method of controlling program execution consistency by verifying execution trace print | |
| US8930657B2 (en) | Method and apparatus for realtime detection of heap memory corruption by buffer overruns | |
| JP7154365B2 (en) | Methods for securing software code | |
| CN103019799B (en) | There is the distributed compilation process that instruction signature is supported | |
| US20080271001A1 (en) | Method of generating program, information processing device and microcomputer | |
| CN110088736B (en) | Self-tuning method and system | |
| Schiffel et al. | ANB-and ANBDmem-encoding: detecting hardware errors in software | |
| US20170337047A1 (en) | Methods, Apparatuses, and Systems for Zero Silent Data Corruption (ZDC) Compiler Technique | |
| US9129137B2 (en) | Method, computer program and device for providing security for intermediate programming code for its execution by a virtual machine | |
| JP6435834B2 (en) | Instruction execution control device and instruction execution control method | |
| Kyle et al. | Application of domain-aware binary fuzzing to aid Android virtual machine testing | |
| CN114489657B (en) | The system and process for compiling source code | |
| JP4754635B2 (en) | Control flow protection mechanism | |
| TWI801505B (en) | Branch target variant of branch-with-link instruction | |
| US11256786B2 (en) | Method to secure a software code | |
| Fazeli et al. | A software-based concurrent error detection technique for power PC processor-based embedded systems | |
| Hager-Clukas et al. | Dmti: Accelerating memory error detection in precompiled c/c++ binaries with arm memory tagging extension | |
| Geier et al. | CompaSeC: A compiler-assisted security countermeasure to address instruction skip fault attacks on RISC-V | |
| De Goër et al. | Now you see me: Real-time dynamic function call detection | |
| Lehniger et al. | Combination of ROP Defense Mechanisms for Better Safety and Security in Embedded Systems | |
| US6832181B1 (en) | Method to distinguish between physical hardware and simulated hardware | |
| CN111309444B (en) | Method, device, system and storage medium for anti-debugging by using process virtual machine | |
| US11893370B2 (en) | System and process for compiling a source code | |
| Le Bon et al. | DAMAS: Control-Data Isolation at Runtime through Dynamic Binary Modification | |
| US20230418950A1 (en) | Methods, Devices, and Systems for Control Flow Integrity |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant |