Method for calling a procedure on basis of binary stack

FIELD: computer science.

SUBSTANCE: after the procedure call, a control copy of the return address is saved in the address space of the calling program, and prior to return from the procedure, a control check of the return address is performed; if the values match, transfer of control to the calling program is permitted; otherwise, the program to which the procedure belongs is forcibly removed from the memory of the computer system.

EFFECT: effective detection and prevention of unauthorized access attempts that rely on corruption of the return address, achieved by keeping a reserve copy of the true return address.

 

The invention relates to a method for protecting software from unauthorized access.

Currently, a procedure call consists of two parts: the call to the procedure and the return from the procedure.

The call to the procedure saves information about the context of the program at the point of the call, and the return from the procedure restores the saved context. The context of the program is understood to be the information about the state of the program at the moment of the procedure call.

The context is handled using special processor instructions: the procedure call instruction and the instruction that returns control to the caller.

A known method of calling a procedure is described in the book by Y. Beletsky, Turbo Assembler Version 2.0: a textbook for university students / translated from Polish by V. V. Yatsenko. - M.: Mashinostroenie, 1994. - 160 p., and is taken as the prototype. The method consists in calling the procedure with the call instruction and, after the procedure has executed, returning control to the caller with the return instruction.

The procedure call instruction is placed in the code of the calling program. This instruction transfers control to the address at which the procedure is located and saves on the stack the context of the calling program: the return address and the current pointer to the top of the stack. The return address is the address of the instruction that follows the procedure call instruction.

As a result of these actions, the called procedure receives control together with the information about where to return control when it finishes.

The instruction that returns control to the caller is placed in the code of the called procedure. This instruction reads the saved context and, based on the data read, restores the values of the corresponding processor registers.

As a result of these actions, the program that called the procedure receives control at the return address and continues execution.

The existing method has a serious drawback: the return address of the function, which is placed on the stack, can be corrupted. Such corruption can occur when a local data array of the function, whose storage is reserved on the stack, overflows.

The existing method of procedure call does not protect the software from unauthorized access.

This problem is solved by the method of calling a procedure based on a dual stack.

In this method of calling a procedure, which includes writing the return address to the stack and transferring control to the beginning of the called procedure, followed by execution of the procedure's code and return from the procedure, which includes removing the return address from the stack and transferring control to the return address, a data structure is introduced. Using this structure, a control copy of the return address is saved after the procedure is called, and before the return from the procedure the return address is checked and a decision is made on whether the return instruction may be executed.

Applying the dual-stack procedure call method described above ensures that the return address is correct before the instruction that returns control to the calling program is executed. This check makes it possible to effectively detect and prevent unauthorized access attempts that rely on corruption of the return address.

The dual-stack procedure call method consists in introducing a special data structure into the calling program, and in adding to the transfer of control and to the return of control additional checks based on this structure.

Unlike the prototype, the dual-stack procedure call method reserves a copy of the true return address when control is transferred to the procedure. The reserved copy is guaranteed to be the true return address because the backup is made immediately before the procedure begins executing, i.e. at a moment when corruption of the return address is not yet possible.

Before each instruction that returns control to the caller, the dual-stack procedure call method checks the return address to which control is about to be passed against the previously stored true return address. If the addresses match, transfer of control to the calling program is allowed; if not, the program in which the corruption of the return address was detected is forcibly removed from memory, and information about the error is written to the system log.

The backup copies of the true return addresses are written to the data structure introduced above. This data structure is implemented as a dedicated stack and is located in the address space of the calling program in such a way that the data stored in it cannot be corrupted. This ensures the reliability of the stored data, which is very important for reliable protection.
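The call and return checks described above, as an added example (not code from the patent): a small C model in which the main stack and the dedicated backup stack are separate arrays, so an overflow of the procedure's local array reaches the return address but not its backup copy. The type and function names, the sizes and the address values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#define STACK_WORDS 32   /* constructed sizes for this model */
#define SHADOW_DEPTH 8
#define BUF_WORDS 4      /* the procedure's local array */

typedef struct {
    uint32_t stack[STACK_WORDS];   /* main stack: locals and return addresses */
    int sp;                        /* grows downward, as on x86 */
    uint32_t shadow[SHADOW_DEPTH]; /* dedicated stack: return addresses only */
    int ssp;
    int killed;                    /* set when the program is removed from memory */
    char log[80];                  /* stands in for the system log entry */
} machine_t;

/* Call: push the return address, then back it up before any procedure code runs. */
static void do_call(machine_t *m, uint32_t ret_addr) {
    m->stack[--m->sp] = ret_addr;
    m->shadow[m->ssp++] = ret_addr;
}

/* Procedure body with the defect named in the description: n words are copied
   into a BUF_WORDS local array without a bounds check. */
static void proc_body(machine_t *m, const uint32_t *in, int n) {
    m->sp -= BUF_WORDS;                                   /* reserve the local array */
    if (n > STACK_WORDS - m->sp) n = STACK_WORDS - m->sp; /* stay inside the model */
    for (int i = 0; i < n; i++) m->stack[m->sp + i] = in[i];
    m->sp += BUF_WORDS;                                   /* release the local array */
}

/* Return: compare the address on the main stack with the backup copy.
   Returns 1 and sets *target on a match; otherwise logs the error and kills. */
static int do_return(machine_t *m, uint32_t *target) {
    uint32_t on_stack = m->stack[m->sp++];
    uint32_t saved = m->shadow[--m->ssp];
    if (on_stack != saved) {
        m->killed = 1;
        snprintf(m->log, sizeof m->log, "return address 0x%08x != saved 0x%08x",
                 (unsigned)on_stack, (unsigned)saved);
        return 0;
    }
    *target = on_stack;
    return 1;
}

/* One guarded call of the procedure with n input words on a fresh machine. */
int guarded_call(machine_t *m, uint32_t ret_addr, const uint32_t *in, int n, uint32_t *target) {
    m->sp = STACK_WORDS; m->ssp = 0; m->killed = 0; m->log[0] = '\0';
    do_call(m, ret_addr);
    proc_body(m, in, n);
    return do_return(m, target);
}

int main(void) {
    machine_t m; uint32_t t = 0;
    uint32_t ok[4] = {1, 2, 3, 4}, bad[5] = {1, 2, 3, 4, 0x41414141u};
    printf("in-bounds: %d\n", guarded_call(&m, 0x00401000u, ok, 4, &t));
    printf("overflow:  %d (%s)\n", guarded_call(&m, 0x00401000u, bad, 5, &t), m.log);
}
```

The fifth input word lands on the slot holding the return address, while the backup copy sits in a different array that the unchecked copy loop never indexes.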

Example.

During experimental studies of the effectiveness of the dual-stack procedure call method, a number of software packages known in advance to be vulnerable were modified.

As an example, consider the results of modifying the OpenSSH software, version 1.2.2, which contains a vulnerability caused by a possible integer overflow in the CRC32 Compensation Attack Detector module. The integer overflow in this module makes it possible to place arbitrary code in the memory of the vulnerable program remotely, i.e. over the network, and to transfer control to that code.

After the code of the vulnerable program was modified using the developed method, an attempt to transfer control to arbitrary code placed in the memory of the process caused the checking system to raise an exception, as a result of which the process was stopped, i.e. control was not transferred to the arbitrary code.

A method of calling a procedure, consisting in a procedure call that includes writing the return address to the stack and transferring control to the beginning of the called procedure, subsequent execution of the procedure's code, and a return from the procedure that includes removing the return address from the stack and transferring control to the return address, characterized in that after the procedure call a control copy of the return address is saved in the address space of the calling program, and before the return from the procedure the return address is checked; if the values match, transfer of control to the calling program is allowed; if they do not match, the program to which the procedure belongs is forcibly removed from the memory of the computer system.



 

Same patents:

FIELD: data protection technologies.

SUBSTANCE: method includes setting a number of standards for possible attacks, minimally allowed value of likeness coefficient of compared sign fields of message packets, maximally allowed number of matches of fields of support i-numbered packet (standard) to compared fields of packet from communication channel and setting a number of matches, recording a set of support packets, containing standards of given attacks, and after receiving from communication channel of k-numbered message packet, selecting it from fields header, comparing their value to values of fields of support packets, calculating comparison coefficients, comparing them to preset value Km.min, and with ≥ Km.min recoding Km.i, appropriate for it message packet, increasing Kmi for one unit, with < Km.min, receipt of k+1 message packet, after that actions, starting from selecting fields from header of k+1 packet, are repeated until satisfying condition Kmi≥Km.iadd, after that possibility of attack going on is evaluated.

EFFECT: higher efficiency.

2 cl, 7 dwg, 1 tbl

FIELD: computer science.

SUBSTANCE: device has external information carrier 1, made in form of energy-independent memory, external block 2 for reading information from external information carrier, containing external contact assembly 3 for reading information from external information carrier and controller 4 for information exchange with external carrier, and, positioned on same board 5, permanent memory device 6, processor 7 of identification and authentication, controller 8 for information exchange with personal computer, local bus 9, interface block 10, energy-independent memory block 11, power control device 12, and device 13 for blocking common bus 14 for control and data exchange of personal computer.

EFFECT: safe identification and authentication operations, higher effectiveness of protection.

2 dwg

FIELD: data protection.

SUBSTANCE: device has buffer memory block, conjunction device, device for forming control commands by conjunction device, indication block, block for controlling and transforming information to encoded and decoded states, hard memory device and device for information input from keyboard.

EFFECT: higher efficiency, higher speed of operation.

17 dwg

FIELD: electric communications.

SUBSTANCE: method includes counting rules of setting up and maintaining of communication session by increasing number of recorded message packets and using maximal allowed number of coincidences, which is necessary for stable functioning of automatic systems, including offering services to authorized clients. For monitoring sensitivity threshold is predetermined for safety monitoring system of automated system, which threshold is determined by maximal allowed number of matches and number of standards, while values of coefficients can be selected dependently on required trustworthiness of attack detection.

EFFECT: higher trustworthiness.

3 dwg

Protection means // 2260840

FIELD: mobile communications.

SUBSTANCE: protection means has key module and blocking module. Mobile communication system has protection means and communication port. Method describes operation of said protection means and mobile device.

EFFECT: broader functional capabilities.

3 cl, 5 dwg

FIELD: computer science.

SUBSTANCE: system has center of certification, forming and distribution of keys, at least one user device and at least one distributed data processing server. Method describes operation of said system. Subsystem for forming open keys contains memory block for tables of secret substitutions of columns and rows of secret keys tables, memory block for table of symmetric substitution of columns and rows of external key table, register for sequence of transitive connection between rows of secret substitutions tables, block for logical output on sequence of transitive dependence, memory block for table of relative non-secret substitution of columns and rows of external key table, open key register, input commutation block and control block.

EFFECT: higher efficiency, broader functional capabilities.

5 cl, 15 dwg

FIELD: computer science.

SUBSTANCE: system has electronic key, information processing block and conversion to video information, block for transmitting optical video information, block for receiving and processing optical video information and controlling electronic key.

EFFECT: higher reliability, higher efficiency, broader functional capabilities.

1 dwg

FIELD: computer science.

SUBSTANCE: previously for sender and receiver a binary series of digital watermark k-bit long is formed as well as binary series of secret key, message is certified at sender side using binary series of digital watermark and secret key, certified message is sent to receiver, where authenticity of received message is checked using binary series of digital watermark and secret key.

EFFECT: higher reliability, higher efficiency.

4 cl, 5 dwg

FIELD: computer science.

SUBSTANCE: system has means for confirming authenticity in real time scale, which detects standard digital signature for executable, using content of digital signature, excluding portions of executable, for which address linking is performed by program loader. Means for confirming authenticity in real time scale after loading of executable image determines integrity of digital signature for checking whether executable was modified in an unsanctioned way, and also guarantees that each pointer in executable image is not readdressed in an unsanctioned way.

EFFECT: higher efficiency, broader functional capabilities.

4 cl, 6 dwg

FIELD: data carriers.

SUBSTANCE: device has calculating, reserving and recording modules. Each variant of semiconductor memory card contains area for recording user data for controlling volume and area for recording user data. On carrier method for computer initialization is recorded, including calculation of size of volume control information, reserving areas and recording therein of control information for volume and user data, recording main boot record and sectors table in first section of first area, skipping preset number of sectors, recording information of boot sector of section, file allocation table and root directory element to following sectors.

EFFECT: higher efficiency.

5 cl, 59 dwg

FIELD: automatic systems for controlling technological processes.

SUBSTANCE: module has reverse counter, protection block for executable functions of control unit in form of USB controller, decoder, RS-trigger, pulse generator, three AND elements, generator of output signal for resetting personal computer.

EFFECT: higher reliability.

3 cl, 1 dwg

FIELD: computer science.

SUBSTANCE: device has comparison circuit, two system generators, two starting setting circuits, two identical channels, each of which has microprocessor unit, commutation device, OR circuit, error counter, pulse generator, time analyzer of intactness, trigger, OR-NOT circuit, outputs of commutation devices of both channels are combined and are output of device.

EFFECT: higher reliability.

8 dwg

FIELD: information transfer technologies.

SUBSTANCE: in the method, via channel with non-zero conductive ability a set of M stochastic (n,k,q) codes is used with correction of errors with guaranteed in any channel upper limit of decoding error possibility due to use for all codes of same code base q, each of codes is optimal for certain quality of channel, prior to information transfer conductive ability of channel is checked by transferring testing set, in form of q-base stochastic (n,1,q) code, conductive ability of channel is determined by pair-wise comparison of q-based symbols of received block of (n,1,q) code and counting number of matching symbols N, parameters n and k of optimal (n,k,q) code are selected with correction of errors, information exchange is performed by code blocks of selected code with correction of errors and detection of blocks with error repetition factor exceeding correcting ability of code, blocks are transferred again with uncorrected errors, share of blocks with uncorrected errors is calculated within range of analysis with length G of last received blocks, compliance of this share to range of optimality criterion of effective code is checked on basis of current state of channel, on exit beyond limits of code optimality code parameters n and k and checking matrix H are altered synchronously for sending and receiving sides of channel.

EFFECT: higher speed of operation, higher resistance to interference, higher trustworthiness, higher efficiency.

FIELD: pulse engineering and computer engineering.

SUBSTANCE: proposed scaler that can be used in computer counting devices and control systems incorporating control and diagnostic circuits has control D flip-flops, D flip-flops, EXCLUSIVE OR gates, NOR gates, OR gates, D flip-flop, power bus, counting pulse bus, zeroing bus, and zero potential bus. Novelty is introduction of additional-control D flip-flop, AND gate that has n inputs, OR gate, and NOR gate.

EFFECT: enhanced operating reliability due to more comprehensive control.

1 cl, 3 dwg

FIELD: computer science.

SUBSTANCE: device has programmable controller with software integrated in random-access and hard memory for functions of gathering and processing of information about peripheral devices of segment, buffer memory, output register, input register, clock generator, power block, buffer output cascade of force outputs and buffer input cascade for inputs.

EFFECT: higher efficiency, broader functional capabilities.

4 cl, 6 dwg

FIELD: technical systems diagnostics.

SUBSTANCE: method includes forming an equivalent standard model of connections, gaps of which include standard models of composition parts of current type of products, combinations of input signals are set in certain order, parameters of response on outputs of standard model of diagnosed product are determined as well as in characteristic intermediate points between standard models of composition parts of product, values of response parameters together with parameters of test input signals are recorded in database, after which process is repeated until fully searching all states of standard model.

EFFECT: possible forming of tests in absence of standard samples of control subject for different classes of products in different areas.

4 dwg

FIELD: control systems, for lasers in particular.

SUBSTANCE: each laser on each factory is connected to appropriate server of terminal, while at each factory server of central control node exchanges information with each laser through local network. Gathering of information from lasers is realized via server device of central control and this information is used for forming of total information, which is accessible for interested parties, which are allowed to view content of Web-server.

EFFECT: higher efficiency.

14 cl, 5 dwg, 2 tbl

FIELD: computer science.

SUBSTANCE: network has end ring neuron network, Hopfield neuron network, demultiplexer and multiplexer.

EFFECT: broader functional capabilities, higher efficiency, higher speed of operation.

1 dwg

FIELD: computers.

SUBSTANCE: device has commutation block, checked microcontroller, block of read-only memory devices of checked microcontroller, block of operative memory devices, PC, controlling microcontroller, block 7 of serial interface, indication block, commutation block of serial interface, block for forming a signal of starting setting of block for forming ROM addresses, block for forming addresses of Rom of checked microcontroller, block for decoding control signals, data-reading block, RAM recording block, block of memory access constants for checked microcontroller, block for forming addresses of checked microcontroller, block for forming start setting signal for controlling microcontroller, RAM reading block, block for forming RAM addresses and power buses.

EFFECT: higher efficiency.

3 dwg
