CN116340081A - RISCV memory access violation detection method and device based on hardware virtualization - Google Patents

Info

Publication number: CN116340081A
Authority: CN (China)
Prior art keywords: memory, memory access, information, address, riscv
Legal status: Pending (the legal status is an assumption, not a legal conclusion; Google has not performed a legal analysis)
Application number: CN202111579284.0A
Other languages: Chinese (zh)
Inventors: 杨轶, 苏璞睿, 黄桦烽
Current assignee: Institute of Software of CAS (the listed assignee may be inaccurate; Google has not performed a legal analysis)
Original assignee: Institute of Software of CAS
Priority date: 2021-12-22 (the priority date is an assumption, not a legal conclusion)
Filing date: 2021-12-22
Publication date: 2023-06-27


Classifications

    • G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING › G06F11/00 Error detection; Error correction; Monitoring › G06F11/30 Monitoring › G06F11/3003 Monitoring arrangements specially adapted to the computing system or computing system component being monitored
        • G06F11/301 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system is a virtual computing platform, e.g. logically partitioned systems
        • G06F11/302 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a software system
        • G06F11/3024 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a central processing unit [CPU]
        • G06F11/3037 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a memory, e.g. virtual memory, cache
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS › Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE › Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE › Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Mathematical Physics (AREA)
  • Quality & Reliability (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a method and device for detecting RISCV memory access violations based on hardware virtualization. The method comprises the following steps: reverse engineering the operating system kernel running on RISCV to obtain the process kernel data structure; simulating the RISCV CPU on a hardware emulator; building the operating system's base process list; using the sptbr register and the process kernel data structure to obtain the characteristic information of a new process; screening the characteristic information against the base process list to obtain the target process; performing API detection and instruction analysis on the process information and dynamic run-time information of the target process, and comparing the resulting memory access data with a memory access permission list to obtain the violation detection result. The invention can completely and transparently monitor the whole run of a program on a RISCV CPU, provides a configurable interface for memory access violation rules, achieves transparent process monitoring and memory access violation detection without depending on functions or interfaces provided by the system, and improves the capability and accuracy of memory access violation detection.

Description

A RISCV memory access violation detection method and device based on hardware virtualization

Technical field

The invention belongs to the field of computer science and technology, and in particular relates to a RISCV memory access violation detection method and device based on hardware virtualization.

Background

A memory access violation is an access whose purpose differs from the intended design, for example writing to read-only memory or dynamically updating a static variable. At present the main detection method for memory access violations is dynamic analysis, and because RISCV is a brand-new hardware platform there is still little research on dynamic program analysis for it. Detection of memory access violations mainly relies on manual analysis or on detection code embedded in the source code. Manual analysis is time-consuming and laborious and requires analysts with a good technical foundation. Source-code-based methods do improve detection of memory access violations to some extent, but a large number of software products ship without source code, so source-based analysis has significant limitations and is hard to apply to application software in binary form.

Memory access violation detection on the RISCV platform currently uses the following methods:

1. Debugger-based access violation detection

An access violation in code is a program error that is relatively hard to detect and analyse. In most cases it does not crash the program or the system; instead, the values of certain variables change unexpectedly during execution, which makes the problem hard to locate and debug. The main method today is for the developer to analyse the program with a debugging tool such as gdb once a logic error shows up at runtime. Because of the nature of access violations, this analysis has a high time complexity and requires considerable manual effort, so the method is quite limited.

2. Compiler-based access violation detection

Some work builds on the compiler's code optimisation stage: hand-written access violation detection code is embedded into the target program during optimisation, and the RISCV program is then analysed dynamically at runtime to detect memory access violations. This does improve detection capability to some extent, but the great majority of software is released in binary form with no source code available, so source-based detection is also quite limited.

In summary, the main shortcoming of current dynamic analysis methods on RISCV hardware is that, because a violation usually does not crash the program or the system but only changes some of the program's variables, it is not easy for an analyst to locate and debug. Existing debugger-based analysis methods are very limited. Although some work uses compiler optimisation techniques to insert analysis code into the source so that the inserted code detects memory access violations, the source code of much software is hard to obtain, so the source-based approach is also quite limited.

Summary of the invention

Existing detection of program memory access violations on RISCV CPUs relies on manual analysis or on source-code instrumentation, which requires substantial manpower and resources, has high time complexity and is very limited. The object of the present invention is to provide a RISCV memory access violation detection method and device based on hardware virtualization. The method modifies a hardware emulator so that, while translating and executing RISCV instructions, it extracts and marks the memory access permissions of the process and monitors the RISCV LOAD and STORE instructions to detect memory access violations.

The technical content of the invention includes:

A RISCV memory access violation detection method based on hardware virtualization, whose steps include:

reverse engineering the operating system kernel running on RISCV to obtain the process kernel data structure;

simulating the RISCV CPU on a hardware emulator and building the operating system's base process list;

using the sptbr register together with the process kernel data structure to obtain the characteristic information of a new process, and obtaining the target process from the base process list and the characteristic information;

performing API detection and instruction analysis based on the process information and dynamic run-time information of the target process, obtaining the memory access permission list through API detection and the memory access data of the target process through instruction analysis;

comparing the memory access data with the memory access permission list to obtain the access violation detection result.

Further, the operating system includes a Linux operating system or a Windows operating system.

Further, the hardware emulator type includes the Qemu hardware emulator.

Further, the characteristic information of a new process is obtained through the following steps:

1) monitor changes to the sptbr register, and treat the appearance of a new address as a new process;

2) then, starting from the physical page that sptbr points to, search for the process kernel data structure by its signature and obtain the characteristic information of the new process.

Further, the characteristic information includes: module load address and length, thread information and memory information.

Further, the process information of the target process includes: process structure address, page table physical address, process name, module structure information list and the process's current module structure pointer.

Further, the memory access permission list is obtained through the following steps:

1) intercept all ecall instructions and obtain the address, function name, input/output parameters and return value of the API call;

2) based on the API call information, determine whether the function at the called address is a memory allocation/release/permission operation function:

if so, update the existing memory access permission list using the process name, memory region start address, memory region length and memory region access permission configured by the user, and take the updated list as the memory access permission list;

if not, take the existing memory access permission list as the memory access permission list.

Further, the memory access data is obtained through the following steps:

1) intercept all LOAD and STORE instructions;

2) from the LOAD and STORE instructions, obtain the instruction's opcode, operands, registers, memory address and memory content;

3) from the address and register read by the LOAD instruction and the address and register written by the STORE instruction, obtain the memory access data.

A storage medium storing a computer program, wherein the computer program is configured to execute the above method when run.

An electronic device comprising a memory and a processor, wherein the memory stores a program for executing the above method.

The advantages and positive effects of the invention are as follows:

The invention can completely and transparently monitor the whole run of a program on a RISCV CPU and provides a configurable interface for memory access violation rules. The monitoring process does not depend on functions or interfaces provided by the system, so it achieves transparent process monitoring and memory access violation detection and effectively improves the capability and accuracy of memory access violation detection.

Description of the drawings

Figure 1 is a flowchart of the RISCV memory access violation detection method based on hardware virtualization according to the invention.

Detailed description

To make the object, technical solution and advantages of the invention clearer, the invention is described in further detail below with reference to specific embodiments and the accompanying drawing.

The RISCV memory access violation detection method of the invention includes:

· installing an operating system on the Qemu hardware emulator;

· on the Qemu hardware emulator, using the virtual sptbr register as the clue for distinguishing processes;

· on the Qemu hardware emulator, building a virtual process kernel data structure register, parsing physical memory content and searching for the process kernel data structure;

· on the Qemu hardware emulator, modifying the decode engine so that, when a user-mode ecall instruction is executed, it detects whether a memory allocation/release/permission update operation was performed, and marks the access permissions and access rules of the memory region;

· on the Qemu hardware emulator, providing a user-mode interface through which the user marks the access permissions and access rules of memory regions;

· on the Qemu hardware emulator, modifying the decode engine to add callback functions before and after LOAD and STORE instructions for analysis, and detecting memory access violations against the memory region access rules;

· outputting the memory access violation detection results as a JSON file.

Specifically, as shown in Figure 1, the steps are described as follows:

1) Manually reverse engineer the operating system kernel running on RISCV and parse its kernel data structures. These structures are mainly used to locate the process kernel data structure in physical memory by cross-validating multi-level pointers (kernel data structures are linked by doubly linked lists; checking whether two values in a structure point to the associated legal addresses reveals whether it is a legal kernel data structure). Proceed to step 2).

2) On the RISCV CPU emulated by the Qemu hardware emulator, install a Linux operating system, record the base processes that a generic Linux system starts, and build the base process list; such processes are not monitored in the later analysis. Proceed to step 3).

3) Start the Linux operating system and the target process and build the process kernel data structure register. Proceed to step 4).

4) Monitor changes to the sptbr register in the system: when a new address appears, treat it as a new process; then, starting from the physical page that sptbr points to, search for the process kernel data structure by its signature and obtain the current process's characteristic information, including module load address and length, thread information and memory information. From this information, determine whether the process belongs to the base process list; if it does, ignore it. If it does not, record the process information: process structure address, page table physical address, process name, module structure information list and the process's current module structure pointer. Proceed to step 5).

5) Modify the decode engine for the target process and add API detection and instruction analysis code to Qemu's decoding mechanism; as Qemu executes, extract dynamic run-time information in addition to the process information. Proceed to step 6).

6) For the target process, intercept all ecall instructions, obtain the address, function name, input/output parameters and return value of the API call, and determine whether the function at the called address is a memory allocation/release/permission operation function. If so, update the memory access permission list and proceed to step 7); if not, proceed to step 8).

7) Through the provided interface, the user enters commands to configure the process name, memory region start address, memory region length, memory region access permission and other information, adding, deleting, modifying and querying memory access rules. Proceed to step 8).

8) For the target process, intercept all LOAD and STORE instructions, obtain the opcode, operands, registers, memory address, memory content and other information of each instruction, compare the address and register read by a LOAD and the address and register written by a STORE against the memory access permission table, and determine whether a memory access violation occurred. If so, output the violation detection result. Proceed to step 9).

9) Determine whether the target process has exited. If it has, output the dynamic information as a JSON file; if not, return to step 4).

Further, the operating system installed on the Qemu hardware emulator is currently only a Linux system, because Windows does not yet support the RISCV CPU. The monitoring process for Windows follows the same principle as for Linux, so the invention can also support Windows.

Further, on the Qemu hardware emulator the virtual sptbr register is the clue used to distinguish processes: sptbr holds the physical address of each process's page table, and because different processes use different page tables, the page table address uniquely identifies a process. Process information is recorded in a hash table in memory indexed by the page table address.
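As an added illustration of the process identification just described (this is example code, not code from the patent or from Qemu), the following C sketch records processes in a hash table keyed by the sptbr value and drops those on a base process list. The process names, the base list, the sptbr values and the `on_sptbr_change` hook are constructed for the example; in the real scheme the name would come from searching the kernel data structure reachable from the page sptbr points to, which the example cannot do because it has no guest memory to walk.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: processes are told apart by the value of the emulated
 * sptbr register (the physical address of the process's page table) and
 * recorded in a hash table indexed by that address, with base processes
 * filtered out. All names and addresses below are constructed sample data. */

#define TABLE_SIZE 64
#define PAGE_SHIFT 12

enum sptbr_event { SPTBR_TABLE_FULL = -1, SPTBR_KNOWN = 0, SPTBR_NEW_BASE = 1, SPTBR_NEW_TARGET = 2 };

struct proc_info {
    uint64_t page_table_pa;   /* sptbr value: physical address of the page table */
    char name[32];            /* process name recovered from the kernel structure */
    int is_target;            /* 1 = monitored, 0 = on the base process list */
};

static struct proc_info table[TABLE_SIZE];
static int table_used[TABLE_SIZE];
static uint64_t current_sptbr;

/* Base processes a generic Linux boot starts; constructed sample list. */
static const char *base_processes[] = { "init", "kthreadd", "getty", "sshd" };

static int is_base_process(const char *name) {
    for (size_t i = 0; i < sizeof base_processes / sizeof *base_processes; i++)
        if (strcmp(name, base_processes[i]) == 0) return 1;
    return 0;
}

/* Open-addressing lookup keyed by page-table address; inserts when asked. */
static struct proc_info *table_find(uint64_t pa, int insert) {
    unsigned h = (unsigned)((pa >> PAGE_SHIFT) % TABLE_SIZE);
    for (unsigned i = 0; i < TABLE_SIZE; i++) {
        unsigned idx = (h + i) % TABLE_SIZE;          /* linear probing */
        if (!table_used[idx]) {
            if (!insert) return NULL;
            table_used[idx] = 1;
            table[idx].page_table_pa = pa;
            return &table[idx];
        }
        if (table[idx].page_table_pa == pa) return &table[idx];
    }
    return NULL;                                      /* table full */
}

/* Called whenever the emulated sptbr register changes. `name` stands in for
 * the result of searching the process kernel data structure from the page
 * sptbr points to; the example has no guest memory to walk, so it is passed in. */
enum sptbr_event on_sptbr_change(uint64_t sptbr, const char *name) {
    current_sptbr = sptbr;
    if (table_find(sptbr, 0)) return SPTBR_KNOWN;     /* page table seen before */
    struct proc_info *p = table_find(sptbr, 1);
    if (!p) return SPTBR_TABLE_FULL;
    snprintf(p->name, sizeof p->name, "%s", name);
    p->is_target = !is_base_process(name);            /* base processes are ignored */
    return p->is_target ? SPTBR_NEW_TARGET : SPTBR_NEW_BASE;
}

/* Whether the process now running (last sptbr seen) should be monitored. */
int current_process_is_target(void) {
    struct proc_info *p = table_find(current_sptbr, 0);
    return p ? p->is_target : 0;
}

/* Name of the process now running, or NULL if none is recorded. */
const char *current_process_name(void) {
    struct proc_info *p = table_find(current_sptbr, 0);
    return p ? p->name : NULL;
}

int main(void) {
    /* Constructed sptbr trace: a base process, a target, then a context switch back. */
    static const struct { uint64_t sptbr; const char *name; } trace[] = {
        { 0x80400000ULL, "init" }, { 0x80a13000ULL, "target_app" },
        { 0x80400000ULL, "init" }, { 0x80a13000ULL, "target_app" },
    };
    for (size_t i = 0; i < sizeof trace / sizeof *trace; i++) {
        int ev = on_sptbr_change(trace[i].sptbr, trace[i].name);
        printf("sptbr=0x%llx %-10s event=%d monitor=%d\n", (unsigned long long)trace[i].sptbr,
               trace[i].name, ev, current_process_is_target());
    }
    return 0;
}
```

The point to take from the walk-through is that the page-table address, not the process name, is the key: a context switch back to an already recorded process costs one table lookup, and the decision whether to run the LOAD/STORE callbacks for the current process reduces to `current_process_is_target()`.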

Further, on the Qemu hardware emulator, the virtual kernel data structure register is the clue for traversing the linked list in physical memory to search for the kernel process data structure and extract process information.
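The pointer cross-validation from step 1 and the list traversal described here, as an added C example that is not part of the patent and does not use a real kernel layout: the record layout (list pointers at offset 0 and 8, name at offset 16, 64-byte records), the physical base address and the memory contents are constructed for the example, and `looks_like_process` applies the doubly-linked-list check (next->prev and prev->next must both point back at the candidate) before the list is walked. In the real scheme the offsets come from reverse engineering the kernel, as the page says.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: validate and walk a kernel process list in a raw
 * physical-memory image by cross-checking doubly linked list pointers.
 * Layout and contents are constructed; a real kernel's offsets come from
 * reverse engineering. */

#define MEM_SIZE   4096
#define MEM_BASE   0x80200000ULL      /* constructed physical base address */
#define REC_SIZE   64
#define OFF_NEXT   0
#define OFF_PREV   8
#define OFF_NAME   16
#define NAME_LEN   16

static uint8_t mem[MEM_SIZE];         /* the "physical memory" being parsed */

static uint64_t rd64(uint64_t pa) { uint64_t v; memcpy(&v, mem + (pa - MEM_BASE), 8); return v; }
static void wr64(uint64_t pa, uint64_t v) { memcpy(mem + (pa - MEM_BASE), &v, 8); }

static int in_image(uint64_t pa) {
    return pa >= MEM_BASE && pa + REC_SIZE <= MEM_BASE + MEM_SIZE && (pa % 8) == 0;
}

/* A candidate is a process record only if next->prev and prev->next both
 * point back at it: the multi-level pointer cross-validation from the page. */
int looks_like_process(uint64_t pa) {
    if (!in_image(pa)) return 0;
    uint64_t next = rd64(pa + OFF_NEXT), prev = rd64(pa + OFF_PREV);
    if (!in_image(next) || !in_image(prev)) return 0;
    return rd64(next + OFF_PREV) == pa && rd64(prev + OFF_NEXT) == pa;
}

/* Scan the image for the first validated record, then walk the ring and copy
 * out names. Returns the number of processes found; stops on a broken link. */
int enumerate_processes(char names[][NAME_LEN], int max) {
    uint64_t head = 0;
    for (uint64_t pa = MEM_BASE; pa + REC_SIZE <= MEM_BASE + MEM_SIZE; pa += 8)
        if (looks_like_process(pa)) { head = pa; break; }
    if (!head) return 0;
    int n = 0;
    uint64_t cur = head;
    do {
        memcpy(names[n], mem + (cur - MEM_BASE) + OFF_NAME, NAME_LEN);
        names[n][NAME_LEN - 1] = '\0';
        n++;
        cur = rd64(cur + OFF_NEXT);
    } while (cur != head && n < max && looks_like_process(cur));
    return n;
}

/* Build the constructed image: three records in a ring, junk everywhere else,
 * plus a decoy whose forward link is valid but whose back-link is not. */
void build_sample_image(void) {
    static const uint64_t recs[3] = { MEM_BASE + 0x100, MEM_BASE + 0x3c0, MEM_BASE + 0x880 };
    static const char *names[3] = { "init", "target_app", "getty" };
    memset(mem, 0xAB, sizeof mem);                 /* junk background */
    for (int i = 0; i < 3; i++) {
        wr64(recs[i] + OFF_NEXT, recs[(i + 1) % 3]);
        wr64(recs[i] + OFF_PREV, recs[(i + 2) % 3]);
        memset(mem + (recs[i] - MEM_BASE) + OFF_NAME, 0, NAME_LEN);
        strncpy((char *)mem + (recs[i] - MEM_BASE) + OFF_NAME, names[i], NAME_LEN - 1);
    }
    wr64(MEM_BASE + 0xc00 + OFF_NEXT, recs[0]);    /* decoy: points in, nothing points back */
    wr64(MEM_BASE + 0xc00 + OFF_PREV, recs[1]);
}

static char found[8][NAME_LEN];
static int found_n;

/* Build the sample image and enumerate it; the results are kept for lookup. */
int sample_process_count(void) {
    build_sample_image();
    found_n = enumerate_processes(found, 8);
    return found_n;
}

const char *sample_process_name(int i) { return (i >= 0 && i < found_n) ? found[i] : ""; }

int main(void) {
    int n = sample_process_count();
    for (int i = 0; i < n; i++) printf("process %d: %s\n", i, sample_process_name(i));
    return 0;
}
```

The decoy record shows why the two-way check matters: a one-way test ("does this field point at something that looks like a record?") would accept it, while requiring the neighbour's back pointer to return to the candidate rejects it, which is the property the page relies on to tell legitimate kernel structures from coincidental pointer-like values.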

Further, the Qemu hardware emulator's decode engine is modified so that, when the program executes an ecall instruction, it checks whether the instruction's target address is a memory allocation/release/memory permission setting function, and records the memory region and its access permission.

Further, the Qemu hardware emulator gains a user interface that lets the user define the access permissions of the target process's memory regions by entering commands.

Further, on the Qemu hardware emulator, the decode engine is modified to add callback functions before and after LOAD and STORE instructions for analysis; these analyse the memory address and length read or written by the instruction and, according to the predefined memory access permissions, determine whether the operation is a violation.
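An added C example (not the patent's or Qemu's code) of the rule list maintained by steps 6 and 7 and the LOAD/STORE check of step 8. The rule fields follow the page (process name, start address, length, access permission); the mapping of `mmap`/`mprotect`/`munmap` to allocation/permission/release operations, the decision that a released region stays listed with no permissions, the `ACCESS_UNLISTED` result for addresses no rule covers, and the JSON field names are this example's assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example of the memory access rule list and the LOAD/STORE
 * check: a rule records (process, start, length, permissions); an intercepted
 * ecall that performs a memory operation updates the list; the callback placed
 * before each LOAD/STORE compares the access against it. Which system-call
 * names count as allocation/release/permission operations is this example's
 * assumption, as are all sample values. */

#define MAX_RULES 32
#define PERM_R 1u
#define PERM_W 2u

struct mem_rule { char proc[32]; uint64_t start, len; unsigned perms; };

static struct mem_rule rules[MAX_RULES];
static int rule_count;

static int rule_covers(const struct mem_rule *r, const char *proc, uint64_t addr, uint64_t len) {
    return strcmp(r->proc, proc) == 0 && addr >= r->start && addr + len <= r->start + r->len;
}

/* Add a rule, or modify it when the same process and start address exist. */
int rule_add(const char *proc, uint64_t start, uint64_t len, unsigned perms) {
    for (int i = 0; i < rule_count; i++)
        if (strcmp(rules[i].proc, proc) == 0 && rules[i].start == start) {
            rules[i].len = len; rules[i].perms = perms; return 0;
        }
    if (rule_count == MAX_RULES) return -1;
    struct mem_rule *r = &rules[rule_count++];
    snprintf(r->proc, sizeof r->proc, "%s", proc);
    r->start = start; r->len = len; r->perms = perms;
    return 0;
}

/* Delete the rule for (process, start address); -1 if none (user interface). */
int rule_delete(const char *proc, uint64_t start) {
    for (int i = 0; i < rule_count; i++)
        if (strcmp(rules[i].proc, proc) == 0 && rules[i].start == start) {
            rules[i] = rules[--rule_count]; return 0;
        }
    return -1;
}

/* Query: permissions of the rule fully covering [addr, addr+len), or -1. */
int rule_query(const char *proc, uint64_t addr, uint64_t len) {
    for (int i = 0; i < rule_count; i++)
        if (rule_covers(&rules[i], proc, addr, len)) return (int)rules[i].perms;
    return -1;
}

/* Intercepted ecall. Allocation and permission changes (re)write the rule;
 * a release keeps the region listed with no permissions so that any later
 * access to it is reported. Returns 1 when the list changed. */
int on_ecall(const char *proc, const char *func, uint64_t addr, uint64_t len, unsigned perms) {
    if (strcmp(func, "mmap") == 0 || strcmp(func, "mprotect") == 0)
        return rule_add(proc, addr, len, perms) == 0;
    if (strcmp(func, "munmap") == 0)
        return rule_add(proc, addr, len, 0) == 0;
    return 0;                                  /* not a memory operation */
}

enum access_result { ACCESS_OK = 0, ACCESS_UNLISTED = 1, ACCESS_VIOLATION = 2 };

/* Called from the callback before each LOAD (is_store=0) or STORE (is_store=1).
 * An address with no rule is reported as unlisted, not as a violation. */
enum access_result check_access(const char *proc, uint64_t addr, uint64_t len, int is_store) {
    int perms = rule_query(proc, addr, len);
    if (perms < 0) return ACCESS_UNLISTED;
    unsigned need = is_store ? PERM_W : PERM_R;
    return ((unsigned)perms & need) == need ? ACCESS_OK : ACCESS_VIOLATION;
}

/* One violation record in the JSON shape the page says results are written in
 * (field names are this example's choice). Returns a static buffer. */
const char *violation_json(const char *proc, uint64_t pc, uint64_t addr, uint64_t len, int is_store) {
    static char buf[192];
    snprintf(buf, sizeof buf,
             "{\"process\":\"%s\",\"pc\":\"0x%llx\",\"op\":\"%s\",\"addr\":\"0x%llx\",\"len\":%llu}",
             proc, (unsigned long long)pc, is_store ? "STORE" : "LOAD",
             (unsigned long long)addr, (unsigned long long)len);
    return buf;
}

int main(void) {
    /* Constructed trace: allocate RW, drop to RO, then a store hits the RO page. */
    on_ecall("target_app", "mmap", 0x10000, 0x1000, PERM_R | PERM_W);
    on_ecall("target_app", "mprotect", 0x10000, 0x1000, PERM_R);
    if (check_access("target_app", 0x10010, 8, 1) == ACCESS_VIOLATION)
        puts(violation_json("target_app", 0x10400, 0x10010, 8, 1));
    return 0;
}
```

The coverage check is deliberately strict: an access that runs past the end of a rule's region is reported as unlisted rather than matched to the rule, so anyone extending this should decide whether a partial overlap is its own result. Keeping a released region on the list with zero permissions is what turns a later load or store into a reportable event instead of silently letting it fall into the unlisted bucket.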

The invention proposes a method that modifies a hardware emulator for the RISCV CPU: by analysing the registers of the virtual CPU, locating and reading key operating system data structures in physical memory, identifying processes, and intercepting the function calls and executed instructions of a process, it detects memory access violations that occur while the process runs. The invention can completely and transparently monitor the whole run of a program on a RISCV CPU, provides a configurable interface for memory access violation rules, does not depend on functions or interfaces provided by the system, achieves transparent process monitoring and memory access violation detection, and effectively improves the capability and accuracy of memory access violation detection.

Although specific embodiments and drawings of the invention are disclosed for the purpose of illustration, to help understand and implement its content, those skilled in the art will understand that various substitutions, changes and modifications are possible without departing from the spirit and scope of the invention and the appended claims. The invention is therefore not limited to the content disclosed in the preferred embodiments and drawings; the scope of protection is defined by the claims.

Claims (10)

1. A RISCV memory access violation detection method based on hardware virtualization, the steps comprising:
   reverse engineering the operating system kernel running on RISCV to obtain the process kernel data structure;
   simulating the RISCV CPU on a hardware emulator and building the operating system's base process list;
   using the sptbr register together with the process kernel data structure to obtain the characteristic information of a new process, and obtaining the target process from the base process list and the characteristic information;
   performing API detection and instruction analysis based on the process information and dynamic run-time information of the target process, obtaining the memory access permission list through API detection and the memory access data of the target process through instruction analysis;
   comparing the memory access data with the memory access permission list to obtain the access violation detection result.

2. The method according to claim 1, wherein the operating system comprises a Linux operating system or a Windows operating system.

3. The method according to claim 1, wherein the type of the hardware emulator comprises a Qemu hardware emulator.

4. The method according to claim 1, wherein the characteristic information of the new process is obtained through the following steps:
   1) monitor changes to the sptbr register, and treat the appearance of a new address as a new process;
   2) then, starting from the physical page that sptbr points to, search for the process kernel data structure by its signature and obtain the characteristic information of the new process.

5. The method according to claim 1, wherein the characteristic information includes: module load address and length, thread information and memory information.

6. The method according to claim 1, wherein the process information of the target process comprises: process structure address, page table physical address, process name, module structure information list and the process's current module structure pointer.

7. The method according to claim 1, wherein the memory access permission list is obtained through the following steps:
   1) intercept all ecall instructions and obtain the address, function name, input/output parameters and return value of the API call;
   2) based on the API call information, determine whether the function at the called address is a memory allocation/release/permission operation function:
   if so, update the existing memory access permission list using the process name, memory region start address, memory region length and memory region access permission configured by the user, and take the updated list as the memory access permission list;
   if not, take the existing memory access permission list as the memory access permission list.

8. The method according to claim 1, wherein the memory access data is obtained through the following steps:
   1) intercept all LOAD and STORE instructions;
   2) from the LOAD and STORE instructions, obtain the instruction's opcode, operands, registers, memory address and memory content;
   3) from the address and register read by the LOAD instruction and the address and register written by the STORE instruction, obtain the memory access data.

9. A storage medium storing a computer program, wherein the computer program is configured to execute the method according to any one of claims 1-8 when run.

10. An electronic device comprising a memory and a processor, wherein a computer program is stored in the memory and the processor is configured to run the computer program to perform the method according to any one of claims 1-8.

Priority Applications (1)

Application Number: CN202111579284.0A (CN116340081A)
Priority Date: 2021-12-22
Filing Date: 2021-12-22
Title: RISCV memory access violation detection method and device based on hardware virtualization

Applications Claiming Priority (1)

CN202111579284.0A (CN116340081A), priority date 2021-12-22, filing date 2021-12-22, same title.

Publications (1)

Publication Number: CN116340081A
Publication Date: 2023-06-27

Family

ID=86877574

Family Applications (1)

CN202111579284.0A (CN116340081A), pending, priority date 2021-12-22, filing date 2021-12-22, same title.

Country Status (1)

CN (1): CN116340081A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118519915A (en) * 2024-07-22 2024-08-20 北京麟卓信息科技有限公司 Global memory protection-based kernel memory access boundary crossing debugging method

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination