A Software Component Verification Method Based on Runtime Memory Analysis

By monitoring memory page table permission change signals at the kernel level and using hardware cache line alignment length to divide memory blocks and generate feature vectors, the problem of memory poisoning identification under high-concurrency cloud computing nodes is solved, achieving low-overhead and high-confidence software component verification.

CN122309327APending Publication Date: 2026-06-30GUIZHOU DONGGUAN TECH

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
GUIZHOU DONGGUAN TECH
Filing Date
2026-05-28
Publication Date
2026-06-30

AI Technical Summary

Technical Problem

Existing technologies struggle to capture transient threats such as memory poisoning in real time on high-concurrency cloud computing nodes, leading to a decline in system processing performance. Furthermore, the verification logic at the logical level suffers from an imbalance between recognition confidence and computational overhead when facing polymorphic obfuscation.

Method used

By monitoring memory page table permission change signals at the kernel level, memory blocks are divided using hardware cache line alignment length, feature vectors are generated, and these vectors are matched with a legal component feature library. The legality of memory pages is determined using the Manhattan distance metric, and interception signals are sent to block abnormal pages.

Benefits of technology

It enables efficient identification of memory poisoning behavior, reduces response latency, and maintains the integrity of verification logic in a dynamic virtualization environment without affecting the main business process instruction pipeline frequency.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122309327A_ABST
    Figure CN122309327A_ABST
Patent Text Reader

Abstract

This invention relates to the field of electronic digital data processing technology and discloses a software component verification method based on runtime memory analysis. The method includes: reading a virtual reference address and the instruction stream to be verified when the target memory page attribute switches from non-executable to executable; dividing the instruction stream to be verified into continuous memory blocks according to the hardware cache line alignment length; counting the number of instruction start boundaries within each memory block and serializing them in ascending address order to generate a feature vector representing load density; matching the feature vector with a reference library and sending an interception signal to the kernel scheduler when the distance metric exceeds a threshold. This invention utilizes the physical boundaries of the hardware cache lines to capture load structure distortions caused by code obfuscation, avoiding complex semantic parsing logic, effectively reducing system latency caused by verification, and synergistically improving the verification confidence for dynamically mutated components.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention belongs to the field of electronic digital data processing technology, and particularly relates to a software component verification method based on runtime memory analysis. Background Technology

[0002] In current electronic digital data processing systems, ensuring the integrity and authenticity of runtime software components constitutes the core of system security defense. The mainstream approach currently relies on memory image comparison and signature verification to identify illegal tampering. However, under complex operating conditions such as high-concurrency cloud computing nodes, software components frequently generate dynamic loading and memory scheduling actions, making it impossible for static verification mechanisms to capture transient threats such as memory poisoning in real time. Conventional solutions typically use periodic snapshots to extract memory data, but when processing high-throughput instruction streams, such process suspension operations inevitably cause the instruction pipeline to stall, resulting in a decrease in system processing performance.

[0003] To avoid the lag caused by snapshots, the industry has attempted to introduce semantic parsing techniques based on control flow graphs to identify mutated components by extracting logical relationships between instructions. However, compiler optimization strategies and polymorphic obfuscation techniques can alter the logical topology of code, causing semantic features to exhibit high uncertainty when faced with large-scale equivalent instruction replacements. This contradiction between the flexibility at the logical level and the deterministic requirements of physical execution leads the verification logic into a zero-sum game between identification certainty and computational overhead when dealing with malicious attacks. In the evolution of logical-level protection, a refined verification scheme for software components and their memory logical distribution in dynamic runtime states is needed. Highly scrutinized, for example, Chinese invention patent CN103955438B discloses a process memory protection method based on hardware-assisted virtualization technology. This method utilizes hardware virtualization technology to establish a root mode monitoring module and achieves virtual machine memory isolation protection through shadow page tables. However, this solution relies on frequent context switching between the underlying Hypervisor and the guest operating system, resulting in performance overhead. The protection focuses on access control and page-level isolation, making it difficult to identify instruction stream distortions caused by code obfuscation at the fine-grained physical storage topology level. When dealing with covert memory poisoning behavior, the detection confidence level and the system's real-time throughput are out of balance.

[0004] Therefore, how to utilize the underlying physical loading rules to construct a low-overhead, high-confidence verification mechanism has become the technical problem to be solved by this invention. Summary of the Invention

[0005] The present invention aims to solve the problems of the verification process causing significant interference to business scheduling and the difficulty in resisting interference from polymorphic obfuscated instructions.

[0006] In this technical solution, a software component verification method based on runtime memory analysis includes the following steps: Step 101: Capture the memory page table permission change signal through the kernel-level page monitoring logic. At the time when the target memory page switches from non-executable to executable, read the virtual base address of the target memory page and the instruction stream to be verified, and mirror the instruction stream to be verified to the memory buffer. Step 102: Retrieve the processor's hardware cache line alignment length, and divide the instruction stream to be verified in the memory buffer into continuous memory blocks according to the hardware cache line alignment length, so that the starting boundary of each memory block is consistent with the physical alignment position of the hardware cache line. Step 103: Traverse each memory block to identify the offset position of the first byte of the machine instruction, count the number of instruction start boundaries in a single memory block, and serialize the number of instruction start boundaries in ascending order of memory block address to generate a feature vector characterizing the load density of the target memory page. Step 104: Match the feature vector with the preset legal component feature library, calculate the Manhattan distance measure between the feature vector and the standard vector in the legal component feature library. If the Manhattan distance measure exceeds the preset deviation threshold, send an interception signal to the kernel scheduler to block the processing time slice acquisition permission of the target memory page.

[0007] Preferably, step 101 specifically includes: presetting a page table attribute hook function in the memory management subsystem of the operating system kernel; using the page table attribute hook function to monitor the access control bits in the kernel page table entries, and triggering a memory context recording action when the non-executable flag bit in the access control bits is flipped; during the response action period, recording the physical base address of the target memory page and its associated process identifier, thereby realizing the dumping of the instruction to be verified to the memory buffer.

[0008] Preferably, in step 102, the process of obtaining the hardware cache line alignment length includes: reading the processor's instruction set architecture parameters; parsing the storage line alignment bit width of the L1 instruction cache from the instruction set architecture parameters; using the storage line alignment bit width as a fixed step size for address space partitioning, and performing linear slicing of the instruction stream to be verified starting from the first address bit pointed to by the virtual base address.

[0009] Preferably, after step 103, the method further includes cross-page feature aggregation processing for large components: opening a logical timing window bound to the process identifier; accumulating feature vectors of multiple target memory pages belonging to the same process within the logical timing window; and weighting the accumulated feature vectors to reconstruct the original logical distribution topology of the large components before they were physically split by the paging mechanism.

[0010] Preferably, the legitimate component feature library is constructed in the following way: obtaining a certified original software image; simulating the dynamic loading process of the original software image in a controlled sandbox; extracting all page features generated by loading and recording the call relationships between pages; and storing the full page features in a feature retrieval tree after hashing and encoding them.

[0011] Preferably, in step 104, before performing similarity matching, an offset compensation operation for the compilation environment is also included: identifying the compiler optimization level and instruction alignment mode corresponding to the target memory page; retrieving the corresponding feature position offset correction value according to the compiler optimization level; and using the feature position offset correction value to perform position alignment correction on the feature vector for each dimension component, so as to eliminate feature disturbances caused by differences in the compilation environment between computing nodes.

[0012] Preferably, after step 104, if the target memory page is determined to be valid, the following processing is performed: the verification status of the target memory page is recorded as a trusted status; the feature vector is transferred to a fast verification comparison table for direct use in subsequent repeated verification processes with the same feature vector; the kernel hook is released and the processor is allowed to enter the instruction fetch cycle for the target memory page.

[0013] Preferably, the method further includes a whitelist filtering step based on the runtime environment: obtaining the container namespace and kernel control group parameters of the current runtime environment; if the current process is detected to belong to a preset system core process or a high-confidence container cluster, the memory block partitioning step is skipped and the scheduling permission of the target memory page is directly restored.

[0014] Preferably, sending an intercept signal to the kernel scheduler specifically manifests as: sending alarm data containing the process identifier and the address of the abnormal page to the operating system's audit subsystem; modifying the existence validity bit of the target memory page in the kernel page table, making the target memory page inaccessible, thereby triggering a page access exception interrupt to truncate the execution logic of the abnormal instruction.

[0015] Compared with existing technologies, the software component verification method based on runtime memory analysis of this invention has the following advantages: 1. In the software component verification of memory analysis, by anchoring the verification action to the instantaneous node when the page table permissions transition from non-executable to executable, the verification process is synchronized with the kernel's memory distribution mechanism. Since there is no need to perform periodic full scans or snapshot extractions of the process memory space, the interruption frequency of the main business process instruction pipeline is greatly reduced. This capture path driven by permission change signals maintains high-frequency memory scheduling efficiency while shortening the response latency for memory poisoning behavior.

[0016] 2. By using the physical boundary of the hardware cache line as the slicing benchmark for instruction density features, the code obfuscation at the logical level is converted into a physical loading structure change. Since any redundant instruction insertion or equivalent instruction replacement intended to avoid feature detection is limited by the encoding length rules of the instruction set architecture, it causes a change in the instruction start boundary density within the 64-byte physical storage block. This physical topology-based mapping mechanism avoids the cumbersome semantic parsing process, enabling the system to identify advanced polymorphic variant components.

[0017] 3. An aggregation timing window for cross-page discrete features is introduced to solve the problem of code segment spatial distribution fragmentation caused by the operating system's on-demand paging mechanism. By accumulating the feature vectors of multiple memory pages belonging to the same process within a preset time range, the original logical density distribution of large components before physical partitioning is restored. This mechanism ensures that even in a highly dynamic virtualization environment, the verification benchmark can still maintain logical integrity and avoid identification bias caused by discontinuous loading of memory pages. Attached Figure Description

[0018] Figure 1 This is a flowchart of the software component verification method for runtime memory analysis according to the present invention; Figure 2 This is the logical topology diagram for cross-page feature aggregation processing in this invention. Detailed Implementation

[0019] The technical solutions of the embodiments of this application will be clearly described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, not all embodiments. All other embodiments obtained by those skilled in the art based on the embodiments of this application are within the scope of protection of this application.

[0020] It should be noted that all directional and positional terms used in this invention, such as: up, down, left, right, front, back, vertical, horizontal, inner, outer, top, bottom, transverse, longitudinal, center, etc., are only used to explain the relative positional relationship and connection between components in a specific state (as shown in the accompanying drawings). They are only for the convenience of describing this invention and do not require that this invention be constructed and operated in a specific orientation. Therefore, they should not be construed as limiting this invention. In addition, the descriptions of "first," "second," etc., in this invention are for descriptive purposes only and should not be construed as indicating or implying their relative importance or implicitly specifying the number of technical features indicated.

[0021] In the description of this invention, unless otherwise explicitly specified and limited, the terms installation, connection, and linking should be interpreted broadly. For example, they can refer to fixed connections, detachable connections, or integral connections; they can refer to mechanical connections; they can refer to direct connections or indirect connections through an intermediate medium; they can refer to the internal connection of two components. For those skilled in the art, the specific meaning of the above terms in this invention can be understood according to the specific circumstances.

[0022] In the description of this specification, references to the terms "an embodiment," "some embodiments," "illustrative embodiments," "examples," "specific examples," or "some examples," etc., indicate that a specific feature, structure, material, or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. In this specification, the illustrative expressions of the above terms do not necessarily refer to the same embodiment or example, and the specific features, structures, materials, or characteristics described may be combined in any suitable manner in one or more embodiments or examples.

[0023] A software component verification method based on runtime memory analysis includes the following steps: Step 101: Capture the memory page table permission change signal through the kernel-level page monitoring logic. At the time when the target memory page switches from non-executable to executable, read the virtual base address of the target memory page and the instruction stream to be verified, and mirror the instruction stream to be verified to the memory buffer. Step 102: Retrieve the processor's hardware cache line alignment length, and divide the instruction stream to be verified in the memory buffer into continuous memory blocks according to the hardware cache line alignment length, so that the starting boundary of each memory block is consistent with the physical alignment position of the hardware cache line. Step 103: Traverse each memory block to identify the offset position of the first byte of the machine instruction, count the number of instruction start boundaries in a single memory block, and serialize the number of instruction start boundaries in ascending order of memory block address to generate a feature vector characterizing the load density of the target memory page. Step 104: Match the feature vector with the preset legal component feature library, calculate the Manhattan distance measure between the feature vector and the standard vector in the legal component feature library. If the Manhattan distance measure exceeds the preset deviation threshold, send an interception signal to the kernel scheduler to block the processing time slice acquisition permission of the target memory page.

[0024] Preferably, step 101 specifically includes: presetting a page table attribute hook function in the memory management subsystem of the operating system kernel; using the page table attribute hook function to monitor the access control bits in the kernel page table entries, and triggering a memory context recording action when the non-executable flag bit in the access control bits is flipped; during the response action period, recording the physical base address of the target memory page and its associated process identifier, thereby realizing the dumping of the instruction to be verified to the memory buffer.

[0025] Preferably, in step 102, the process of obtaining the hardware cache line alignment length includes: reading the processor's instruction set architecture parameters; parsing the storage line alignment bit width of the L1 instruction cache from the instruction set architecture parameters; using the storage line alignment bit width as a fixed step size for address space partitioning, and performing linear slicing of the instruction stream to be verified starting from the first address bit pointed to by the virtual base address.

[0026] Preferably, after step 103, the method further includes cross-page feature aggregation processing for large components: opening a logical timing window bound to the process identifier; accumulating feature vectors of multiple target memory pages belonging to the same process within the logical timing window; and weighting the accumulated feature vectors to reconstruct the original logical distribution topology of the large components before they were physically split by the paging mechanism.

[0027] Preferably, the legitimate component feature library is constructed in the following way: obtaining a certified original software image; simulating the dynamic loading process of the original software image in a controlled sandbox; extracting all page features generated by loading and recording the call relationships between pages; and storing the full page features in a feature retrieval tree after hashing and encoding them.

[0028] Preferably, in step 104, before performing similarity matching, an offset compensation operation for the compilation environment is also included: identifying the compiler optimization level and instruction alignment mode corresponding to the target memory page; retrieving the corresponding feature position offset correction value according to the compiler optimization level; and using the feature position offset correction value to perform position alignment correction on the feature vector for each dimension component, so as to eliminate feature disturbances caused by differences in the compilation environment between computing nodes.

[0029] Preferably, after step 104, if the target memory page is determined to be valid, the following processing is performed: the verification status of the target memory page is recorded as a trusted status; the feature vector is transferred to a fast verification comparison table for direct use in subsequent repeated verification processes with the same feature vector; the kernel hook is released and the processor is allowed to enter the instruction fetch cycle for the target memory page.

[0030] Preferably, the method further includes a whitelist filtering step based on the runtime environment: obtaining the container namespace and kernel control group parameters of the current runtime environment; if the current process is detected to belong to a preset system core process or a high-confidence container cluster, the memory block partitioning step is skipped and the scheduling permission of the target memory page is directly restored.

[0031] Preferably, sending an intercept signal to the kernel scheduler specifically manifests as: sending alarm data containing the process identifier and the address of the abnormal page to the operating system's audit subsystem; modifying the existence validity bit of the target memory page in the kernel page table, making the target memory page inaccessible, thereby triggering a page access exception interrupt to truncate the execution logic of the abnormal instruction.

[0032] Example 1: In a continuously running large-scale cloud computing data center with high concurrency container clusters, the system faces the threat of memory poisoning caused by software supply chain vulnerabilities. By using dynamic obfuscation, malicious instruction payloads are decrypted in memory at runtime and injected into the heap space of the target process. This causes the conventional static file hash verification mechanism to fail during the detection phase. Furthermore, since the business logic carried by the container nodes is in a state of extremely high throughput, the traditional method of periodic global memory snapshot extraction causes the instruction pipeline to stop, which in turn causes millisecond-level response latency fluctuations in business microservices.

[0033] The method protected by this invention uses a pre-defined page table attribute hook function in the memory management subsystem of the operating system kernel to monitor the permission transition signal of the access control bit in the kernel page table entry. When a deterministic instantaneous node is captured where the permission attribute of the target memory page flips from non-executable to executable, a context acquisition process for the target memory page is triggered. The corresponding virtual base address is read, and the instruction stream to be verified in the memory page is mirrored to the memory buffer. When processing the mirrored instruction stream to be verified, the storage line alignment bit width of the processor's L1 instruction cache is read. The hardware cache line alignment length corresponding to this bit width is 64 bytes, and this is used as the fixed step size for address space partitioning. Starting from the virtual base address, the linear instruction data in the memory buffer is physically sliced ​​to generate a series of continuous memory blocks that are consistent with the physical alignment position of the hardware cache lines.

[0034] The process iterates through each memory block to identify the offset of the first byte of the machine instruction, counts the number of instruction start boundaries within a single memory block, and serializes these instruction start boundaries in ascending order of memory block addresses to generate a feature vector representing the load density of the target memory page. This feature vector is then matched against a pre-defined legal component feature library, and the Manhattan distance measure between the feature vector and the standard vector in the legal component feature library is calculated. The formula for calculating the Manhattan distance measure is as follows: ,in, For Manhattan distance measurement, The components of the feature vector extracted in real time. The components of the standard vector in the pre-defined legal component feature library, To identify the incrementing sequence number of a memory block, if the calculated Manhattan distance metric exceeds a preset validity threshold, the system sends an intercept signal to the kernel execution scheduler. By modifying the valid bit of the target memory page in the kernel page table, it changes the page access exception to an inaccessible state, thereby inducing a page access exception interruption and truncating the execution logic of the exception instruction. This achieves blocking before malicious logic enters the instruction fetch cycle. By capturing the instantaneous features of the underlying memory page permission jump and measuring the load density based on the physical boundary of the hardware cache line, the system establishes a unique verification standard for software identity using the structural features of instruction loading distribution without causing a perceptible change in the main business response latency. This solves the technical problem of verification failure caused by logical semantic variations due to code obfuscation.

[0035] Example 2: In a distributed computing cluster test platform containing 200 independent container nodes, the system hardware environment is based on a processor architecture that supports a 64-byte L1 instruction cache line width. Real-time memory transaction data is collected by deploying a hardware performance counter with a 10ns time resolution in the kernel space. To verify the stability of the solution in an industrial electromagnetic environment, Gaussian white noise with a signal-to-noise ratio of 20dB is actively superimposed on the memory bus to simulate random jitter interference during signal transmission. Regarding the setting of the hardware cache line alignment length parameter, the technical trade-off lies in the physical completeness of instruction extraction and the computational redundancy caused by tearing across cache line boundaries. When the step size is set to deviate from the hardware cache line boundary, a single instruction encoding may cross adjacent blocks, causing logical breaks and resulting in glitches in feature extraction. In this experiment, the step size is selected as 64 bytes to keep the memory block start address and the processor's physical alignment position mirror-level, thus serving as a deterministic benchmark for load density vectorization calculation.

[0036] In the experimental phase simulating low-intensity obfuscation, the original input data was set as a legitimate software component memory page containing 32 jump instructions. The sequence of instruction start boundaries measured by the experimental group showed a periodic distribution under the physical alignment step size, and the mean of the extracted feature vector components was in the range of 4.15 to 4.82. In contrast, the feature collision rate generated by the control group using opcode sequence hash verification under the same noise background was 3.5%. This comparative data confirms that the feature vector constructed using physical loading topology has higher numerical stability when dealing with environmental disturbances. After injecting a malicious payload with dynamic rearrangement characteristics into the target process, the instruction loading distribution produces structural distortion. The Manhattan distance measure between the feature vector extracted in real time by the experimental group and the standard vector in the preset legitimate component feature library is... The value increased from 1.25 under normal conditions to 8.64, exceeding the preset legality judgment threshold of 5.0, and showed a monotonically increasing trend positively correlated with the increase in load variation intensity. The calculation formula for the Manhattan distance measure is as follows: ,in, For Manhattan distance measurement, These are the components of the feature vector extracted in real time, and the components of the standard vector in the preset legal component feature library. An incrementing sequence number used to identify memory blocks.

[0037] To verify the contribution of hardware cache line alignment length to verification confidence, a partially missing control group with alignment steps removed was established. This group, unable to map instruction boundaries to physical storage constraint sites, experienced Manhattan distance metric fluctuations between 2.1 and 3.8 after code injection, failing to reach the interception threshold. Furthermore, gradient tests were performed on the alignment step size from 16 bytes to 128 bytes. The results showed that when the step size was reduced to 16 bytes, the instruction cycle overhead for system interrupt handling increased by 142.3%; when the step size increased to 128 bytes, the sensitivity of the metric to mutated instructions showed a decreasing inflection point, confirming that 64 bytes is the optimal working window for achieving a balance between detection accuracy and system overhead. Final experimental data showed that, under adversarial conditions with superimposed Gaussian white noise and large-scale code reordering, the experimental group achieved a 99.2% confidence level in identifying malicious injection payloads, and the average response latency increase introduced by the verification logic in the main business process was only 0.15ms. These results confirm that the mechanism of capturing load structure distortions through the physical boundaries of hardware cache lines can achieve the identification of obfuscated payloads while maintaining business throughput stability.

[0038] Example 3: This example combines Figures 1 to 2 This section describes a software component verification method based on runtime memory analysis, such as... Figure 1 As shown, the flow structure of the software component verification method for runtime memory analysis includes step numbers located outside the rectangle and the corresponding execution steps. Step 101 indicates capturing change signals, reading the instruction stream to be verified, and mirroring it. The flow is passed down to step 102, which indicates dividing the continuous memory blocks according to the hardware cache line alignment length. Then the flow continues down to step 103, which indicates counting the number of instruction start boundaries, serializing them, and generating feature vectors. Finally, the flow points to step 104, which indicates calculating the Manhattan distance measure and sending an intercept signal when the threshold is exceeded.

[0039] like Figure 2As shown, the structure contains three target memory pages running in parallel at the top. Each target memory page corresponds to and points downwards unidirectionally to the feature vector below. Multiple feature vectors together point downwards to the accumulated feature vector node. Additionally, there is a process identifier within the elliptical boundary that unidirectionally points to the accumulated feature vector node via a dashed arrow. After this level of aggregation is completed, the accumulated feature vector node points downwards to the feature vector weighting processing node. Finally, the feature vector weighting processing node passes down and ultimately points to the original logical distribution topology.

[0040] Example 4: In an edge computing node environment deploying a distributed microservice architecture, the system faces the challenge of verification benchmark offset caused by high-frequency canary releases. When legitimate software components experience instruction sequence shifts due to compiler version differences or link address resets, the hash matching logic generates a large number of false alarm signals, and the computing resources of edge nodes limit the system's ability to run a high-load semantic parser. The method protected by this invention implements an initial state calibration procedure in a controlled sandbox environment to construct a legitimate component feature library. It selects digitally signed legitimate software components as the initial target, uses the debugger interface to obtain the memory image of the loaded component, and the feature extraction unit reads the instruction opcode distribution features in the memory image and calls the instruction prefix state machine matching algorithm. This algorithm pre-sets a lookup table for commonly used machine instruction lengths and performs a linear scan of memory blocks with a step size of 64 bytes. When a byte sequence matching the instruction opcode features is detected, the offset of that byte relative to the starting address of the memory block is recorded. Without parsing the instruction semantics, the number of instruction start boundaries within a single memory block is determined. In execution... During high-speed linear scanning, if the state machine encounters a non-standard opcode that fails to be recorded in the preset lookup table, or a non-aligned physical fragment caused by dynamic memory page swapping, the system immediately triggers bypass exception masking logic. It actively strips and skips the single physical byte that caused the matching failure, directly using the adjacent incremental memory address after that byte as the new starting point to perform a soft reset of the state machine, restarting the instruction prefix matching addressing cycle. This establishes a rigid hardware-level fault-tolerant operating boundary, preventing local data distortion from causing the overall verification task flow to enter an infinite loop. The corresponding feature position offset correction value is retrieved according to the compiler optimization level. In the offline calibration process, a baseline sampling action is performed to generate the feature position offset correction value. The instruction load vectors of the valid software image are read from both the unoptimized compilation baseline and the target optimization level environment. The count residuals of the two sets of feature vectors under the corresponding physical alignment dimension are extracted. A global physical displacement constant is generated using a formula. The parameter in the formula is the feature position offset correction value, representing the average global offset caused by the compiler optimizer's instruction rearrangement action on the memory topology, which is a dimensionless, non-negative, continuous value. Variables and The parameters indicate the number of instruction start boundaries in the same slice interval for the test feature vector and the reference feature vector, respectively. Constrained by the physical segmentation rules of instruction bytes, the value is an integer greater than or equal to zero. The parameter is the cumulative total number of memory blocks generated by hardware cache line slicing in the current storage space, which is a positive integer. The calculation model of this feature position offset correction value is as follows: Subtract the corresponding dimension components of the reference feature vector corresponding to the unoptimized compilation baseline environment from the test feature vector in the target optimization level environment one by one and take the absolute value. Summate the absolute value data on all physical memory blocks. Finally, divide the sum by the cumulative total number of memory blocks generated by hardware cache line physical slicing in the current storage space. This generates a system error scalar constant representing the degree of global displacement. After extracting the system error benchmark and solidifying it into a compensation matrix, the feature position offset correction value is used to align and correct the position of each dimension component of the feature vector.

[0041] When determining the legality threshold, the system performs 100 repeated loading tests on the same legal software component, records the feature vectors extracted in each test, and uses a statistical model to analyze the fluctuation range of the feature vector components under physical address offset interference. The Manhattan distance measure between the feature vectors extracted in each test and the average feature vector is calculated and denoted as the sample distance set. This is then calculated according to the formula... Determine the legality judgment threshold, whereby, The threshold for legality judgment; This is the arithmetic mean of the sample distance set; The standard deviation of the sample distance set is used to transform the threshold selection into a quantized output based on hardware loading fluctuations through this calibration procedure, giving the physical criteria for interception signal triggering statistical confidence. When the system is in production operation, the component feature comparison unit receives the feature vector extracted in real time and retrieves the standard vector of the corresponding component from the preset legal component feature library to perform measurement calculations. If the Manhattan distance measure calculated in real time is... satisfy If the logical condition is met, it is determined that the software components of the current memory page have not undergone loading topology distortion. Since the construction process of the standard vector synchronously considers the physical laws of instruction alignment, the Manhattan distance metric remains at the threshold when the system processes byte offsets caused by code segment address reset bits. The system achieves adaptive identification of legitimate software component updates under edge node computing power constraints by using lookup table processing for instruction boundary identification logic and threshold calibration based on sample deviation distribution. This eliminates the dependence on complex semantic modeling, ensuring the accuracy of malicious injection interception while coping with instruction distribution fluctuations caused by normal business iterations in the production environment, and maintaining a dynamic balance between security defense logic and business scheduling logic.

[0042] Example 5: In an automated operation and maintenance production environment implementing continuous integration and continuous deployment processes, the system faces the situation where the timeliness of the legitimate component feature library is insufficient due to the increased iteration frequency of software component versions. When the controlled code repository receives the source code update and completes the binary construction, the verification platform starts the pre-loading calibration process of the software image, reads the code segment reset table and symbol offset information of the binary image, and mirrors the image to the virtual address space to simulate kernel loading behavior. When the feature extraction unit processes the instruction flow in this space, it extracts the number of instruction start boundaries of each memory block according to the physical slicing rule with a step size of 64 bytes, and stores the sequence of this number as the standard vector of the corresponding component version in the legitimate component feature library. After the vector is written to the storage medium, the verification platform issues fingerprint update instructions to the cluster nodes, so that the component feature comparison unit in each node can retrieve the latest physical loading distribution benchmark when it receives the loading request of the corresponding component.

[0043] When the system is deployed in a multi-hardware architecture node environment with heterogeneous instruction sets, due to the physical differences in instruction coding density between processing units of different architectures, the system implements an adaptive sensitivity calibration process before loading the verification module. This process involves reading the processor's hardware specifications and extracting a fixed-length no-op code sequence as calibration input, then calculating the instruction distribution entropy value of this sequence under the current environment. Read the physical byte allocation width of all variable-length architecture machine instructions within a specific extraction sequence, and calculate the relative frequency of instructions of each physical span specification in the global sequence. According to the formula Output the underlying logic mapping quantity, dependent variable The instruction distribution entropy characterizes the tendency of the current hardware architecture decoder to handle the disordered arrangement of variable-length instruction memory packaging density at the underlying level; it is a dimensionless real number greater than or equal to zero; the independent variable is... The ratio of the occurrence frequency of a single inherent-length instruction to the total number of instructions in the overall sample is constrained by the probability event boundary, taking values ​​greater than zero and less than or equal to one. The sum of the probability components of all length categories in the sequence is normalized to one. It should be noted that the no-operation code sequence selected here is not a single form of single-byte instruction, but a calibration template sequence constructed by mixing all legal variable-length no-operation instructions and multi-byte redundant prefix combination instructions defined in the target deployment architecture instruction set specification according to the preset probability ratio of the default decoding channel of the hardware system. This ensures that the subsequently measured distribution entropy value can truly represent the physical base of the hardware architecture processor's inherent hardware-level divergence tendency when dealing with heterogeneous byte spans. The physical density feature baseline at the node architecture level is extracted, a factor is introduced into the decision loop, and the formula is used to... The aforementioned legality judgment threshold Bias adjustment is performed, where, For dynamic thresholds, As the baseline threshold, It is a dimensionless scaling factor. The dimensionless scaling factor k is determined by the following mechanism: by reading the microarchitecture development manual of the processor in the target running node, the native average instruction byte length value calibrated by the underlying decoder of the architecture is extracted. This value is then divided by the average instruction byte length benchmark value of the test machine on which the system relies when collecting reference feature vectors under unoptimized baseline conditions. The absolute parameter of the resulting ratio is the k value. Based on this, the system establishes a direct positive correlation between the natural physical byte span of the target hardware and the dynamic threshold drift scale. Through real-time updates to the benchmark library and hardware difference compensation based on instruction distribution entropy, the system achieves sensitivity balance to loading feature distortion in heterogeneous clusters, making the trigger probability of interception signals controlled by the degree of logical variation in the code itself.

[0044] The embodiments of this application have been described above with reference to the accompanying drawings. Unless otherwise specified, the embodiments and features in the embodiments of this application can be combined with each other. This application is not limited to the specific embodiments described above. The specific embodiments described above are merely illustrative and not restrictive. Those skilled in the art can make many other forms under the guidance of this application without departing from the spirit of this application and the scope of protection of this invention, and all of these forms are within the protection scope of this application.

Claims

1. A software component verification method based on runtime memory analysis, characterized in that, Includes the following steps: Step 101: Capture the memory page table permission change signal through the kernel-level page monitoring logic. At the time when the target memory page switches from non-executable to executable, read the virtual base address of the target memory page and the instruction stream to be verified, and mirror the instruction stream to be verified to the memory buffer. Step 102: Retrieve the processor's hardware cache line alignment length, and divide the instruction stream to be verified in the memory buffer into continuous memory blocks according to the hardware cache line alignment length, so that the starting boundary of each memory block is consistent with the physical alignment position of the hardware cache line. Step 103: Traverse each memory block to identify the offset position of the first byte of the machine instruction, count the number of instruction start boundaries in a single memory block, and serialize the number of instruction start boundaries in ascending order of memory block address to generate a feature vector characterizing the load density of the target memory page. Step 104: Match the feature vector with the preset legal component feature library, calculate the Manhattan distance measure between the feature vector and the standard vector in the legal component feature library. If the Manhattan distance measure exceeds the preset deviation threshold, send an interception signal to the kernel scheduler to block the processing time slice acquisition permission of the target memory page.

2. The software component verification method based on runtime memory analysis according to claim 1, characterized in that, Step 101 specifically includes: presetting page table attribute hook functions in the memory management subsystem of the operating system kernel; using page table attribute hook functions to monitor access control bits in kernel page table entries, and triggering memory context recording when the non-executable flag bit in the access control bits is flipped; during the response action period, recording the physical base address of the target memory page and its associated process identifier, thereby realizing the dumping of the instruction to be verified to the memory buffer.

3. The software component verification method based on runtime memory analysis according to claim 1, characterized in that, In step 102, the process of obtaining the hardware cache line alignment length includes: reading the processor's instruction set architecture parameters; parsing the storage line alignment bit width of the L1 instruction cache from the instruction set architecture parameters; using the storage line alignment bit width as a fixed step size for address space partitioning, and performing linear slicing of the instruction stream to be verified starting from the first address bit pointed to by the virtual base address.

4. The software component verification method based on runtime memory analysis according to claim 1, characterized in that, Following step 103, the process also includes cross-page feature aggregation for large components: opening a logical timing window bound to the process identifier; accumulating feature vectors of multiple target memory pages belonging to the same process within the logical timing window; and weighting the accumulated feature vectors to reconstruct the original logical distribution topology of the large components before they were physically split by the paging mechanism.

5. The software component verification method based on runtime memory analysis according to claim 1, characterized in that, The legitimate component feature library is constructed as follows: obtain the certified original software image; simulate the dynamic loading process of the original software image in a controlled sandbox; extract all page features generated during loading and record the call relationships between pages; and store the full page features in the feature retrieval tree after hashing and encoding them.

6. The software component verification method based on runtime memory analysis according to claim 1, characterized in that, In step 104, before similarity matching, an offset compensation operation for the compilation environment is also included: identifying the compiler optimization level and instruction alignment mode corresponding to the target memory page; and retrieving the corresponding feature position offset correction value according to the compiler optimization level. The feature vector is aligned by using feature position offset correction values ​​to eliminate feature perturbations caused by differences in compilation environments between computing nodes.

7. The software component verification method based on runtime memory analysis according to claim 1, characterized in that, After step 104, if the target memory page is determined to be valid, the following process is performed: the verification status of the target memory page is recorded as the trusted status; The feature vector is transferred to a fast verification comparison table for direct use in subsequent repeated verification processes with the same feature vector; the kernel hook is released and the processor is allowed to enter the instruction fetch cycle for the target memory page.

8. The software component verification method based on runtime memory analysis according to claim 1, characterized in that, The method also includes a whitelist filtering step based on the runtime environment: obtaining the container namespace and kernel control group parameters of the current runtime environment; if the current process is detected to belong to a preset system core process or a high-confidence container cluster, the memory block partitioning step is skipped and the scheduling permission of the target memory page is directly restored.

9. The software component verification method based on runtime memory analysis according to claim 1, characterized in that, Sending an intercept signal to the kernel scheduler specifically manifests as: sending alarm data containing the process identifier and the address of the abnormal page to the operating system's audit subsystem; modifying the existence validity bit of the target memory page in the kernel page table, making the target memory page inaccessible, thereby triggering a page access exception interrupt to truncate the execution logic of the abnormal instruction.