A Global Offset Table Protection Method Based on Address Randomization and Segment Isolation

An offset table and address technology, which is applied in computer security devices, platform integrity maintenance, instruments, etc., can solve the problems of time-consuming function analysis and analysis waste, etc.

Active Publication Date: 2017-10-10
THE PLA INFORMATION ENG UNIV +1
View PDF3 Cites 0 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

However, function parsing is time-consuming, parsing all library functions during loading will delay the program startup process, and many library functions may not be executed at all, and parsing them is also a waste, so this method is not implemented in GCC Enabled by default in the compiler

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • A Global Offset Table Protection Method Based on Address Randomization and Segment Isolation
  • A Global Offset Table Protection Method Based on Address Randomization and Segment Isolation
  • A Global Offset Table Protection Method Based on Address Randomization and Segment Isolation

Examples

Experimental program
Comparison scheme
Effect test

Embodiment 1

[0026] Example 1, see figure 1 As shown, the global offset table protection method based on address randomization and segment isolation includes the following steps:

[0027] Step 1. After the ELF program is loaded, randomly apply for a memory space, copy the content of the ELF segment into the memory space, give a new segment name, and define the loading field PT_DYNAMIC in the ELF program header to describe .dynamic section information;

[0028] Step 2. Create a segment descriptor for the randomly applied memory space in step 1, select a free segment register as a special segment register, and load the segment descriptor into the special segment register;

[0029] Step 3. Modify the program header and the section content given the new section name in Step 1 to satisfy the pointing relationship of the section in the ELF, and modify the code in the .plt section to access the GOT through the special segment register surface;

[0030] Step 4. Initialize the dynamic linker, mo...

Embodiment 2

[0032] Example 2, see Figures 2 to 3 As shown, it is basically the same as the first embodiment, except that: in the step 1, randomly applying for a memory space and copying the content of the ELF segment into the memory space specifically includes randomly applying for at least three pages of memory space on demand, including Readable and executable pages, readable and writable pages, and readable and writable pages, where .plt is copied to a readable and executable page, denoted as .new.plt; .rel.plt is copied to a readable-only page, denoted as . For .new.rel.plt; .dynamic and .got.plt are copied to readable and writable pages, and recorded as .new.dynamic and .new.got.plt respectively. The memory space of the three pages can be any address space. Three unused pages of memory.

[0033] Preferably, in step 1, the content of the ELF section is copied to the memory space, and the new section name is assigned to specifically include: copying the content of the .plt, .rel.plt,...

Embodiment 3

[0041] Embodiment 3, the technical scheme of the present invention is further introduced in conjunction with specific embodiments, and the specific implementation process is as follows:

[0042] The ELF program header table contains a section of type PT_DYNAMIC, which contains the .dynamic section. By parsing the .dynamic section, you can obtain the starting offset of .plt.got, .rel.plt section, and .rel.plt section size, the type of the relocation item in .rel.plt; according to the obtained information about the .rel.plt section, you can know the number of library functions referenced by the program:

[0043] libfun_num=size(.rel.plt) / sizeof(Type_Rel)

[0044] Among them, Type_Rel is determined as Elf32_Rel or Elf32_Rela according to the type of the relocation table. The definitions of these two types are as follows Figure 7 shown.

[0045] According to the number of library functions, the size of .got.plt is calculated, size(.got.plt)=libfun_num*4+12, the library function...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to view more

PUM

No PUM Login to view more

Abstract

The invention relates to a global offset table protection method based on address randomness and segment isolation. The global offset table protection method comprises the steps that an ELF program is loaded, a memory space is randomly applied, ELF segment content is copied and given a new segment name, and a field PT_DYNAMIC is loaded; a segment descriptor is established for the memory space, an idle segment register is selected, and the segment descriptor is loaded into the segment register; the header of the program and the segment content in the memory space are modified, and codes in a .plt segment are modified; a dynamic linker is initialized, the segment content of the header of the program is modified, and an address where a .dynamic segment is located is hidden. According to the global offset table protection method, randomization processing is added, the address of a GOT is obtained by disassembling the codes, the address of the GOT cannot be worked out under the situation that the segment base address of the segment register is not known, the malicious code hijack attack carried out on the original fixed address of the GOT fails, and the malicious attack through the method of trying to read the fixed memory address and working out the address of the GOT fails.

Description

technical field [0001] The invention relates to the technical field of computer executable file security, in particular to a global offset table protection method based on address randomization and segment isolation. Background technique [0002] In a dynamically linked ELF program, the external symbols referenced are divided into two categories, one is the reference to the external global data (such as global variables), and the other is the call to the external global function; the locations of the reference and the call are distributed throughout the whole executable program. In order to facilitate management, two sections .got and .got.plt are defined in the executable file in ELF format, called the global offset table GOT (Global Offset Table), which is specially used to centrally store the global symbols referenced by the executable program. And the destination address of the function, where the destination address of the global data symbol is recorded in the .got sec...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to view more

Application Information

Patent Timeline
no application Login to view more
Patent Type & Authority Patents(China)
IPC IPC(8): G06F21/56
CPCG06F21/566
Inventor 林键郭玉东周少皇何红旗董卫宇王立新蔄羽佳
Owner THE PLA INFORMATION ENG UNIV
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Try Eureka
PatSnap group products

Browse by: Latest US Patents, China's latest patents, Technical Efficacy Thesaurus, Application Domain, Technology Topic.

© 2024 PatSnap. All rights reserved.Legal|Privacy policy|Modern Slavery Act Transparency Statement|Sitemap