基于指令流的嵌入式系统非预期行为检测方法.docVIP

基于指令流的嵌入式系统非预期行为检测方法苏永新，段斌( 湘潭大学 信息 基于指令流的嵌入式系统非预期行为检测方法 苏永新，段 斌 ( 湘潭大学 信息工程学院，湖南 湘潭 411105 ) ( su_yong_xin@ 163 ． com) 摘 要:针对嵌入式系统安全检测具有独立性、快速性、不干涉应用软件的需求，提出了一种嵌入式系统软件非 预期行为检测方法。该方法的主要特点是检测系统独立于嵌入式系统，与之并行运行; 通过嵌入式系统执行的指令 与源程序预期的指令逐条比对，检出嵌入式系统任何不符合源程序的行为; 借助哈希运算屏蔽被检系统指令集多样 性引入的复杂性，使检测系统对各种指令集的嵌入式系统具有普遍适用性。实验结果表明，该方法具备检出嵌入式 系统执行的代码与源代码间比特偏差的能力，从而能检出最小粒度的计划外代码的执行; 在不计保护现场指令片段 对非中断服务程序的影响时，检测时延不超过 6 个时钟周期。 关键词:嵌入式系统安全; 指令流; 行为检测; 实时; 恶意代码 中图分类号: TP393． 03; TP309． 1 文献标志码:A Unexpected behaviors detection in embedded system based on instruction stream SU Yong-xin， DUAN Bin ( School of Information Engineering， Xiangtan University， Xiangtan Hunan 411105 ， China) Abstract: Most traditional embedded system security detection methods cannot meet all of the requirements of fast detection， independent detection and without interference to application program． Thus， the authors have developed a method of unexpected behaviors detection for embedded system to meet those requirements． The proposed detection system is independent and operates parallel to an embedded processor． And， the logic of the proposed detection is to compare the instruction stream from embedded processor with the instruction expected by source binary， thus detecting any unexpected behaviors caused by deviating from its original program． Moreover， the detection logic presents common suitability of adapting different repertoires． Then experimental results show that this method has the ability of detecting minimum granularity unexpected behavior by checking out random bit flips， and with average detection latency of 6 cycles if taking no account of the instructions for interrupt-site protection． Key words: embedded system security; instruction stream; behavior detection; real time; malicious code 在处理器内核集成硬件跟踪非信任 I / O 口信息流，分析系统 是否安全，能在低开销的情况下进行安全检测，但该方法需要 改变处理器结构，工程实现难度大。基于硬件的控制流检测 方法［5］能在不改变处理器内核的情