CN111552959B - Program feature sequence generation method and device - Google Patents
Program feature sequence generation method and device Download PDFInfo
- Publication number
- CN111552959B CN111552959B CN202010558726.2A CN202010558726A CN111552959B CN 111552959 B CN111552959 B CN 111552959B CN 202010558726 A CN202010558726 A CN 202010558726A CN 111552959 B CN111552959 B CN 111552959B
- Authority
- CN
- China
- Prior art keywords
- instruction
- jump
- program
- scanned
- scanning
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 37
- 230000009191 jumping Effects 0.000 claims abstract description 16
- 238000000605 extraction Methods 0.000 claims description 12
- 238000004364 calculation method Methods 0.000 claims description 3
- 230000008569 process Effects 0.000 description 10
- 238000004458 analytical method Methods 0.000 description 4
- 230000008878 coupling Effects 0.000 description 3
- 238000010168 coupling process Methods 0.000 description 3
- 238000005859 coupling reaction Methods 0.000 description 3
- 230000008859 change Effects 0.000 description 2
- 238000004891 communication Methods 0.000 description 2
- 238000010586 diagram Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D10/00—Energy efficient computing, e.g. low power processors, power management or thermal management
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Programmable Controllers (AREA)
Abstract
The application discloses a program feature sequence generation method and device, which are used for judging whether a running program is tampered or not. The application comprises the following steps: when a program is scanned, scanning an unscanned program instruction with the minimum instruction sequence number in a plurality of program instructions, and judging the instruction type of the currently scanned program instruction; when the instruction type is a jump instruction, generating a jump relation number pair of the currently scanned program instruction, and storing the jump relation number pair; judging whether the instruction sequence number of the currently running program instruction is equal to a preset threshold value or not; if not, jumping to the step of scanning the non-scanned program instruction with the minimum instruction sequence number in the plurality of program instructions; if yes, the feature sequence is generated by using the saved jump relation number pairs, and the scanning program is stopped.
Description
Technical Field
The present application relates to the field of program feature analysis technologies, and in particular, to a method and an apparatus for generating a program feature sequence.
Background
Before the program is run, a trusted check needs to be made to check whether the program has been tampered with to ensure that the running program is the intended program. During the running process of the program, the program also needs to be subjected to credibility check, so that the running behavior of the program is ensured to be consistent with the expected behavior.
In the prior art, a program signature method is mostly adopted to check whether a program is tampered, but the method is only suitable for checking before the program runs. In the running process of the program, since the instruction part, the data part and the stack part are all different and the data part is changed at any time, it is difficult to check whether the program is tampered in the running process of the program.
Disclosure of Invention
The application provides a program feature sequence generation method and device, which solve the problem that whether a program is tampered or not is difficult to check in the running process of the program in the prior art.
The application provides a method for generating a program characteristic sequence, wherein the program comprises a plurality of program instructions; the program instructions respectively have corresponding instruction serial numbers; the method comprises the following steps:
when the program is scanned, scanning an unscanned program instruction with the minimum instruction sequence number in the plurality of program instructions, and judging the instruction type of the currently scanned program instruction;
when the instruction type is a jump type instruction, generating a jump relation number pair of the currently scanned program instruction, and storing the jump relation number pair;
judging whether the instruction sequence number of the currently running program instruction is equal to a preset threshold value;
if not, jumping to the step of scanning the non-scanned program instruction with the minimum instruction sequence number in the plurality of program instructions;
if yes, the stored jump relation number pairs are adopted to generate a characteristic sequence, and the scanning of the program is stopped.
Optionally, the plurality of program instructions further have corresponding instruction addresses; and when the instruction type is a jump instruction, generating a jump relation number pair of the currently scanned program instruction, and storing the jump relation number pair, wherein the jump relation number pair comprises the following steps:
when the instruction type is a jump instruction, extracting a jump address from the currently scanned program instruction;
calculating a difference between the jump address and an instruction address of the currently scanned program instruction;
acquiring a current counter value of a preset counter;
and generating a jump relation number pair of the program instruction of the current scanning by adopting the current counter value and the difference value, and storing the jump relation number pair.
Optionally, the method further comprises:
if the instruction type is a non-jump instruction, jumping to a step of scanning an unscanned program instruction with the minimum instruction sequence number in the plurality of program instructions.
Optionally, the jump class instruction includes a conditional jump instruction; the step of extracting the jump address from the currently scanned program instruction when the instruction type is a jump instruction includes:
and when the instruction type is a conditional jump instruction, extracting a jump address from the currently scanned program instruction.
Optionally, the jump class instruction further includes an unconditional jump instruction; the method further comprises the steps of:
and when the instruction type is an unconditional jump instruction, jumping to a step of scanning an unscanned program instruction with the minimum instruction sequence number in the plurality of program instructions.
The application provides a program characteristic sequence generating device, wherein the program comprises a plurality of program instructions; the program instructions respectively have corresponding instruction serial numbers; comprising the following steps:
the instruction type judging module is used for scanning an unscanned program instruction with the minimum instruction sequence number in the plurality of program instructions when the program is scanned, and judging the instruction type of the currently scanned program instruction;
the jump relation number pair generating module is used for generating the jump relation number pair of the currently scanned program instruction when the instruction type is a jump instruction, and storing the jump relation number pair;
the judging module is used for judging whether the instruction sequence number of the currently running program instruction is equal to a preset threshold value;
the first jump module is used for jumping to the step of scanning the non-scanned program instruction with the minimum instruction sequence number in the plurality of program instructions if not;
and the characteristic sequence generating module is used for generating a characteristic sequence by adopting the saved jump relation number pairs if yes, and stopping scanning the program.
Optionally, the plurality of program instructions further have corresponding instruction addresses; the jump relation number pair generating module comprises:
the jump address extraction sub-module is used for extracting a corresponding jump address from the currently scanned program instruction when the instruction type is a jump instruction;
a difference value calculation sub-module, configured to calculate a difference value between the jump address and an instruction address of the currently scanned program instruction;
the current counter value acquisition module is used for acquiring the current counter value of the preset counter;
and the jump relation number pair generation sub-module is used for generating the jump relation number pair of the currently scanned program instruction by adopting the current counter value and the difference value, and storing the jump relation number pair.
Optionally, the apparatus further comprises:
and the second jump module is used for jumping to the step of scanning the non-scanned program instruction with the minimum instruction sequence number in the plurality of program instructions if the instruction type is a non-jump instruction.
Optionally, the jump class instruction includes a conditional jump instruction; the jump address extraction sub-module comprises:
and the jump address extraction unit is used for extracting the jump address from the currently scanned program instruction when the instruction type is a conditional jump instruction.
Optionally, the jump class instruction further includes an unconditional jump instruction; the jump address extraction submodule further comprises:
and the jump unit is used for jumping to the step of scanning the non-scanned program instruction with the minimum instruction sequence number in the plurality of program instructions when the instruction type is the unconditional jump instruction.
From the above technical scheme, the application has the following advantages: when the program is scanned, the program instructions are scanned in sequence, and when the program instructions are jump instructions, the difference value between the instruction addresses of the program instructions and the jump addresses is calculated; and generating a jump relation number pair by adopting the difference value and a counter value corresponding to the program instruction, so as to generate a characteristic sequence according to the jump relation number pair. And thus whether the running program is tampered with by judging whether the feature sequence is an expected feature sequence.
Drawings
In order to more clearly illustrate the embodiments of the application or the technical solutions of the prior art, the drawings which are used in the description of the embodiments or the prior art will be briefly described, it being obvious that the drawings in the description below are only some embodiments of the application, and that other drawings can be obtained from these drawings without inventive faculty for a person skilled in the art.
FIG. 1 is a flowchart illustrating steps of an embodiment of a method for generating a program feature sequence according to the present application;
fig. 2 is a block diagram of an embodiment of a program feature sequence generating apparatus according to the present application.
Detailed Description
The embodiment of the application provides a method and a device for generating a program feature sequence, which are used for solving the technical problem that whether a program is tampered or not is difficult to check in the running process of the program in the prior art.
In order to make the objects, features and advantages of the present application more comprehensible, the technical solutions in the embodiments of the present application are described in detail below with reference to the accompanying drawings, and it is apparent that the embodiments described below are only some embodiments of the present application, but not all embodiments of the present application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
Referring to fig. 1, fig. 1 is a flowchart illustrating steps of a method for generating a program feature sequence according to an embodiment of the present application.
The application provides a method for generating a program characteristic sequence, wherein the program comprises a plurality of program instructions; the program instructions respectively have corresponding instruction serial numbers and instruction addresses; the method comprises the following steps:
step 101, when the program is scanned, scanning an unscanned program instruction with the smallest instruction sequence number in the plurality of program instructions, and judging the instruction type of the currently scanned program instruction;
in practical applications, for the purpose of ensuring information security, it is necessary to detect whether a program is tampered with when the program is run. In the running process of the program, the instruction part, the data part and the stack part are all different, and the data part is changed at any time, so that whether the program is tampered is difficult to detect. According to the program characteristic sequence generation method provided by the application, the program jump condition and the like are analyzed, a sequence describing the program instruction address change is established and is used as the characteristic fingerprint for distinguishing the program, and when the characteristic fingerprint is inconsistent with the preset program characteristic fingerprint, the program jump condition is characterized to change, and the program is tampered.
In the embodiment of the application, the program instruction has a corresponding instruction sequence number and instruction address according to the scanning sequence. The instruction serial number is used for representing the scanned program instruction of which number the program instruction is; the instruction address characterizes the memory address of the program instruction.
The program instructions may include a skip instruction and a non-skip instruction, where the skip instruction records an instruction address of the program instruction that needs to be skipped after the program instruction is scanned, and is used for performing corresponding skip after the program instruction is scanned.
Based on the above teaching, when the program starts to run, it needs to determine whether the program instruction is a jump instruction one by one, so as to record the jump condition of the program.
Step 102, generating a jump relation number pair of the currently scanned program instruction, and storing the jump relation number pair.
In the embodiment of the application, when the program instruction currently being scanned is a jump instruction in the process of traversing the program instruction from small to large according to the instruction sequence number of the program instruction, the jump relation of the jump instruction currently being scanned can be extracted, and a jump relation digital pair is generated and used for representing the jump relation of the jump instruction currently being scanned.
In an embodiment of the present application, step 102 may comprise the sub-steps of:
s11, when the instruction type is a jump instruction, extracting a corresponding jump address from the currently scanned program instruction;
in the embodiment of the application, when the program instruction currently being scanned is a jump instruction in the process of traversing the program instruction from small to large according to the instruction sequence number of the program instruction, the jump address of the program instruction currently being scanned is extracted, but the jump operation is not scanned, and the number of scanned instructions of the program instruction currently being scanned is recorded. For identifying whether the scanning order of the program instructions has been tampered with.
In the embodiment of the present application, when the instruction type is a non-jump instruction, the method jumps to a step of scanning an unscanned program instruction with the smallest instruction sequence number in the plurality of program instructions.
Specifically, when the instruction type is a non-jump instruction, the program instruction for current scanning does not include jump information, so that the next program instruction is scanned sequentially without recording the jump condition.
In an embodiment of the present application, the jump class program instructions include conditional jump instructions and unconditional jump instructions. When the currently scanned program sequence is a conditional jump instruction, the step of extracting the jump address from the currently scanned program instruction comprises: when the instruction type is a conditional jump instruction, the jump address is extracted from the currently scanned program instruction. When the currently scanned program sequence is an unconditional jump instruction, the next instruction is scanned sequentially.
S12, calculating a difference value between the jump address and an instruction address of the currently scanned program instruction;
after the jump address of the program instruction being scanned and the instruction address thereof are acquired, the difference between the jump address of the program instruction and the instruction address can be calculated for determining whether the jump content of the program instruction is tampered.
In one example, when the instruction address of the program instruction being scanned is N1 and the jump address is N5, the difference between the jump address and the instruction address is (N5-N1).
S13, acquiring a current counter value of a preset counter;
in an embodiment of the present application, the number of scanned program instructions may be counted by a counter.
In one example, when the program starts running, the counter value N of the counter is set to 0.
The program instructions are parsed starting from the start address of the program. The counter value of the counter is increased by 1, and the analysis of the 1 st program instruction is started. After the analysis of the first instruction is finished, the counter value of the counter is increased by 1 again, and the analysis of the 2 nd program instruction is started. The counter value is used to characterize what number of scanned program instructions the currently scanning program instruction is.
S14, generating a jump relation number pair of the currently scanned program instruction by adopting the current counter value and the difference value, and storing the jump relation number pair;
after the current counter value of the preset counter and the difference between the instruction address and the jump address of the currently scanned program instruction are obtained, a jump relation number pair for representing the scanning sequence and the jump condition of the currently scanned program instruction can be generated.
During program execution, each of the hopping relationship number pairs generated during the process may be saved to construct a signature sequence that characterizes the program hopping.
Step 103, judging whether the instruction sequence number of the currently running program instruction is equal to a preset threshold value;
in practical applications, the number of instructions of the program is fixed, so that whether the program is scanned can be determined by determining whether to traverse to the last program instruction. Specifically, the determination may be made by determining whether the instruction sequence number of the program instruction currently scanned is the instruction signal of the last program set.
Step 104, if not, jumping to a step of scanning the non-scanned program instruction with the smallest instruction sequence number in the plurality of program instructions;
when all the program instructions of the program are not scanned completely, the program instructions to be scanned need to be determined according to the scanning sequence of the program instructions. Therefore, after one program instruction is scanned, the program instruction to be scanned is the program instruction with the minimum sequence number in the program instruction which is not scanned.
And step 105, if yes, generating a characteristic sequence by using the saved jump relation number pairs, and stopping scanning the program.
If the currently scanned program instruction is the last program instruction of the program, the instruction sequence number of the currently scanned program instruction is represented as a threshold value of a preset instruction sequence number, and all the program instructions of the program are characterized to finish scanning. At this time, the program is run, all jump relation numbers generated in the process of running the program are saved in a sequence form, and a characteristic sequence representing the jump condition of the program is generated. By this feature sequence, it can be judged whether the program is tampered with.
When the program runs, the method sequentially scans the program instructions, and when the program instructions are jump instructions, the difference value between the instruction addresses of the program instructions and the jump addresses is calculated; and generating a jump relation number pair by adopting the difference value and a counter value corresponding to the program instruction, so as to generate a characteristic sequence according to the jump relation number pair. And judging whether the running program is tampered according to the characteristic sequence.
In order to facilitate understanding of embodiments of the present application by those skilled in the art, a description will be given below by way of specific examples.
As shown in table 1, assuming that the program has 1 to N10 program instructions, the counter value N of the preset counter is set to 0, i.e., let n=0, before starting the running of the program.
When the trigger program is run, it is,
the first step: the counter value N=1, scan the 1 st program instruction, judge the 1 st program instruction is the non-jump instruction, analyze the second program instruction sequentially;
and a second step of: the counter value N=2, scan the 2 nd program instruction, judge the 2 nd program instruction is jump type instruction, jump address is N1, record and jump the relation number pair (2, N1-2);
……
step N2: the counter value N=N2, scan the N2 instruction, judge the N2 program instruction is jump instruction, jump address is N6, record the jump relation digital pair (N2, N6-N2), the characteristic sequence is [ (2, N1-2), (N2, N6-N2) ];
……
step N5: the counter value N=N5, scan the Nth instruction, judge the Nth instruction is jump type instruction, jump address is N1, record jump relation digital pair (N5, N1-N5), the characteristic sequence is [ (2, N1-2), (N2, N6-N2), (N5, N1-N5) ];
……
step N8: the counter value N=N8, scan the N8 th instruction, judge the N8 th instruction is jump instruction, jump address is N10, record jump relation digital pair (N8, N10-N8), the characteristic sequence is [ (2, N1-2), (N2, N6-N2), (N5, N1-N5), (N8, N10-N8) ];
……
step N10: the counter value N=N10, the N10 program instruction is scanned, the N10 program instruction is judged to be a non-jump instruction, and the program operation is ended after the scanning is finished because N10 is the last program instruction.
Instruction address | Instructions for | Jump address |
1 | Non-jump class instruction | |
2 | Jump class instruction | N1 |
... | ... | |
N1 | Non-jump class instruction | |
N2 | Jump class instruction | N6 |
N3 | Non-jump class instruction | |
... | ... | |
N4 | Non-jump class instruction | |
N5 | Jump class instruction | N1 |
N6 | Non-jump class instruction | |
... | ... | |
N7 | Non-jump class instruction | |
N8 | Jump class instruction | N10 |
N9 | Non-jump class instruction | |
... | ... | |
N10 | Non-jump class instruction |
TABLE 1
Referring to fig. 2, fig. 2 is a flowchart illustrating steps of a generating device for a program feature sequence according to an embodiment of the application.
The application provides a program characteristic sequence generating device, which comprises:
an instruction type judging module 201, configured to scan an unscanned program instruction with a smallest instruction sequence number among the plurality of program instructions and judge an instruction type of a currently scanned program instruction when the program is scanned;
a jump relation number pair generating module 202, configured to generate a jump relation number pair of the currently scanned program instruction when the instruction type is a jump instruction, and store the jump relation number pair;
a judging module 203, configured to judge whether an instruction sequence number of the currently running program instruction is equal to a preset threshold;
a first skip module 204, configured to skip to scan the non-scanned program instruction with the smallest instruction sequence number in the plurality of program instructions if not;
and the feature sequence generating module 205 is configured to generate a feature sequence by using the saved skip relation number pair if yes, and stop scanning the program.
In the embodiment of the application, the program instructions also have corresponding instruction addresses; the jump relation number pair generating module 202 includes:
the jump address extraction sub-module is used for extracting a corresponding jump address from the currently scanned program instruction when the instruction type is a jump instruction;
a difference value calculation sub-module, configured to calculate a difference value between the jump address and an instruction address of the currently scanned program instruction;
the current counter value acquisition module is used for acquiring the current counter value of the preset counter;
and the jump relation number pair generation sub-module is used for generating the jump relation number pair of the currently scanned program instruction by adopting the current counter value and the difference value, and storing the jump relation number pair.
In an embodiment of the present application, the apparatus further includes:
and the second jump module is used for jumping to the step of scanning the non-scanned program instruction with the minimum instruction sequence number in the plurality of program instructions if the instruction type is a non-jump instruction.
In the embodiment of the application, the jump instruction comprises a conditional jump instruction; the jump address extraction sub-module comprises:
and the jump address extraction unit is used for extracting the jump address from the currently scanned program instruction when the instruction type is a conditional jump instruction.
In the embodiment of the application, the jump instruction further comprises an unconditional jump instruction; the jump address extraction submodule further comprises:
and the jump unit is used for jumping to the step of scanning the non-scanned program instruction with the minimum instruction sequence number in the plurality of program instructions when the instruction type is the unconditional jump instruction.
In the several embodiments provided by the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical functional division, and there may be additional divisions in actual implementation, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted, or not scanned. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The above embodiments are only for illustrating the technical solution of the present application, and not for limiting the same; although the application has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present application.
Claims (8)
1. A program feature sequence generation method, wherein the program includes a plurality of program instructions; the program instructions respectively have corresponding instruction serial numbers; the method comprises the following steps:
when the program is scanned, scanning an unscanned program instruction with the minimum instruction sequence number in the plurality of program instructions, and judging the instruction type of the currently scanned program instruction;
when the instruction type is a jump type instruction, generating a jump relation number pair of the currently scanned program instruction, and storing the jump relation number pair;
judging whether the instruction sequence number of the currently scanned program instruction is equal to a preset threshold value;
if not, jumping to the step of scanning the non-scanned program instruction with the minimum instruction sequence number in the plurality of program instructions;
if yes, generating a characteristic sequence by adopting the saved jump relation number pairs, and stopping scanning the program;
wherein the plurality of program instructions further have corresponding instruction addresses; and when the instruction type is a jump instruction, generating a jump relation number pair of the currently scanned program instruction, and storing the jump relation number pair, wherein the jump relation number pair comprises the following steps:
when the instruction type is a jump instruction, extracting a jump address from the currently scanned program instruction;
calculating a difference between the jump address and an instruction address of the currently scanned program instruction;
acquiring a current counter value of a preset counter;
and generating a jump relation number pair of the program instruction of the current scanning by adopting the current counter value and the difference value, and storing the jump relation number pair.
2. The method of claim 1, wherein the method further comprises:
if the instruction type is a non-jump instruction, jumping to an unscanned program instruction with the minimum instruction sequence number in the plurality of program instructions.
3. The method of claim 1, wherein the jump class instruction comprises a conditional jump instruction; the step of extracting the jump address from the currently scanned program instruction when the instruction type is a jump instruction includes:
and when the instruction type is a conditional jump instruction, extracting a jump address from the currently scanned program instruction.
4. The method of claim 3, wherein the jump class instruction further comprises an unconditional jump instruction; the method further comprises the steps of:
and when the instruction type is an unconditional jump instruction, jumping to a step of scanning an unscanned program instruction with the minimum instruction sequence number in the plurality of program instructions.
5. A program feature sequence generating apparatus, wherein the program comprises a plurality of program instructions; the program instructions respectively have corresponding instruction serial numbers; comprising the following steps:
the instruction type judging module is used for scanning an unscanned program instruction with the minimum instruction sequence number in the plurality of program instructions when the program is scanned, and judging the instruction type of the currently scanned program instruction;
the jump relation number pair generating module is used for generating the jump relation number pair of the currently scanned program instruction when the instruction type is a jump instruction, and storing the jump relation number pair;
the judging module is used for judging whether the instruction sequence number of the currently scanned program instruction is equal to a preset threshold value;
the first jump module is used for jumping to the step of scanning the non-scanned program instruction with the minimum instruction sequence number in the plurality of program instructions if not;
the feature sequence generating module is used for generating a feature sequence by adopting the saved jump relation number pairs if yes, and stopping scanning the program;
wherein the plurality of program instructions further have corresponding instruction addresses; the jump relation number pair generating module comprises:
the jump address extraction sub-module is used for extracting a corresponding jump address from the currently scanned program instruction when the instruction type is a jump instruction;
a difference value calculation sub-module, configured to calculate a difference value between the jump address and an instruction address of the currently scanned program instruction;
the current counter value acquisition module is used for acquiring the current counter value of the preset counter;
and the jump relation number pair generation sub-module is used for generating the jump relation number pair of the currently scanned program instruction by adopting the current counter value and the difference value, and storing the jump relation number pair.
6. The apparatus of claim 5, wherein said apparatus further comprises:
and the second jump module is used for jumping to the step of scanning the non-scanned program instruction with the minimum instruction sequence number in the plurality of program instructions if the instruction type is a non-jump instruction.
7. The apparatus of claim 5, wherein the jump class instruction comprises a conditional jump instruction; the jump address extraction sub-module comprises:
and the jump address extraction unit is used for extracting the jump address from the currently scanned program instruction when the instruction type is a conditional jump instruction.
8. The apparatus of claim 7, wherein the jump class instruction further comprises an unconditional jump instruction; the jump address extraction submodule further comprises:
and the jump unit is used for jumping to the step of scanning the non-scanned program instruction with the minimum instruction sequence number in the plurality of program instructions when the instruction type is the unconditional jump instruction.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010558726.2A CN111552959B (en) | 2020-06-18 | 2020-06-18 | Program feature sequence generation method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010558726.2A CN111552959B (en) | 2020-06-18 | 2020-06-18 | Program feature sequence generation method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111552959A CN111552959A (en) | 2020-08-18 |
CN111552959B true CN111552959B (en) | 2023-08-29 |
Family
ID=72007045
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010558726.2A Active CN111552959B (en) | 2020-06-18 | 2020-06-18 | Program feature sequence generation method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111552959B (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6301699B1 (en) * | 1999-03-18 | 2001-10-09 | Corekt Security Systems, Inc. | Method for detecting buffer overflow for computer security |
WO2004013755A1 (en) * | 2002-08-05 | 2004-02-12 | Osaka Industrial Promotion Organization | Data processing method, data processing device, computer program, and recording medium |
CN102662830A (en) * | 2012-03-20 | 2012-09-12 | 湖南大学 | Code reuse attack detection system based on dynamic binary translation framework |
CN105260659A (en) * | 2015-09-10 | 2016-01-20 | 西安电子科技大学 | Kernel-level code reuse type attack detection method based on QEMU |
CN106682496A (en) * | 2016-12-06 | 2017-05-17 | 北京奇虎科技有限公司 | Code injection attack detection method and device |
CN109508536A (en) * | 2017-09-15 | 2019-03-22 | 华为技术有限公司 | A kind of detection method and device alterring program stream attack |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
FR2877118B1 (en) * | 2004-10-22 | 2007-01-19 | Oberthur Card Syst Sa | PROTECTION AGAINST ATTACKS BY GENERATING FAULTS ON JUMPING INSTRUCTIONS |
FR3047585B1 (en) * | 2016-02-09 | 2018-03-09 | Stmicroelectronics (Rousset) Sas | METHOD AND DEVICE FOR MONITORING THE EXECUTION OF A PROGRAM CODE |
CN106407809B (en) * | 2016-09-20 | 2019-03-01 | 四川大学 | A kind of Linux platform malware detection method |
-
2020
- 2020-06-18 CN CN202010558726.2A patent/CN111552959B/en active Active
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6301699B1 (en) * | 1999-03-18 | 2001-10-09 | Corekt Security Systems, Inc. | Method for detecting buffer overflow for computer security |
WO2004013755A1 (en) * | 2002-08-05 | 2004-02-12 | Osaka Industrial Promotion Organization | Data processing method, data processing device, computer program, and recording medium |
CN102662830A (en) * | 2012-03-20 | 2012-09-12 | 湖南大学 | Code reuse attack detection system based on dynamic binary translation framework |
CN105260659A (en) * | 2015-09-10 | 2016-01-20 | 西安电子科技大学 | Kernel-level code reuse type attack detection method based on QEMU |
CN106682496A (en) * | 2016-12-06 | 2017-05-17 | 北京奇虎科技有限公司 | Code injection attack detection method and device |
CN109508536A (en) * | 2017-09-15 | 2019-03-22 | 华为技术有限公司 | A kind of detection method and device alterring program stream attack |
Also Published As
Publication number | Publication date |
---|---|
CN111552959A (en) | 2020-08-18 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN108984389B (en) | Application program testing method and terminal equipment | |
CN106951364B (en) | Test method and device | |
CN113127338A (en) | Firmware testing method, server and computer readable storage medium | |
CN110554962A (en) | Regression testing process covering method, server and computer readable storage medium | |
CN107223257B (en) | Test method, test server and test system | |
CN111090593A (en) | Method, device, electronic equipment and storage medium for determining crash attribution | |
CN112433936A (en) | Test method, test device and storage medium | |
CN108650123B (en) | Fault information recording method, device, equipment and storage medium | |
CN111552959B (en) | Program feature sequence generation method and device | |
CN114422175A (en) | Network security supervision and inspection behavior auditing method and device | |
CN114020432A (en) | Task exception handling method and device and task exception handling system | |
CN112231232A (en) | Method, device and equipment for determining test data model and generating test data | |
CN115276844B (en) | Communication module testing method and device, storage medium and electronic equipment | |
CN108255715B (en) | Test result processing method and terminal equipment | |
CN117171030A (en) | Method, device, equipment and storage medium for detecting software running environment | |
CN113010885B (en) | Method and device for detecting kernel thread disguised with start address | |
CN113326046B (en) | Method and device for acquiring compiling time length | |
CN114338846B (en) | Message testing method and device | |
CN114422186A (en) | Attack detection method and device, electronic equipment and storage medium | |
CN115391224A (en) | Flow playback method and device, computer equipment and readable storage medium | |
CN113923190A (en) | Method and device for identifying equipment identification jump, server and storage medium | |
CN105657473A (en) | Data processing method and device | |
CN112417810A (en) | Method, device and equipment for confirming content information in display window and storage medium | |
CN110801630A (en) | Cheating program determining method, device, equipment and storage medium | |
CN111371818A (en) | Data request verification method, device and equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |