计算机应用 ›› 2011, Vol. 31 ›› Issue (06): 1483-1486.DOI: 10.3724/SP.J.1087.2011.01483

• 计算机软件技术 • 上一篇    下一篇

基于指令流的嵌入式系统非预期行为检测方法

苏永新,段斌   

  1. 湘潭大学 信息工程学院,湖南 湘潭 411105
  • 收稿日期:2010-11-25 修回日期:2011-01-18 发布日期:2011-06-20 出版日期:2011-06-01
  • 通讯作者: 苏永新
  • 作者简介:苏永新(1975-),男,湖南永州人,博士研究生,主要研究方向:可信计算、容错计算;段斌(1966-),男,湖南湘潭人,教授,博士生导师,主要研究方向:可信计算、电力系统。
  • 基金资助:
    国家863计划项目;湖南省自然科学基金资助项目;湖南省自然科学基金资助项目

Unexpected behaviors detection in embedded system based on instruction stream

SU Yong-xin,DUAN Bin   

  1. School of Information Engineering, Xiangtan University, Xiangtan Hunan 411105, China
  • Received:2010-11-25 Revised:2011-01-18 Online:2011-06-20 Published:2011-06-01
  • Contact: SU Yong-xin

摘要: 针对嵌入式系统安全检测具有独立性、快速性、不干涉应用软件的需求,提出了一种嵌入式系统软件非预期行为检测方法。该方法的主要特点是检测系统独立于嵌入式系统,与之并行运行;通过嵌入式系统执行的指令与源程序预期的指令逐条比对,检出嵌入式系统任何不符合源程序的行为;借助哈希运算屏蔽被检系统指令集多样性引入的复杂性,使检测系统对各种指令集的嵌入式系统具有普遍适用性。实验结果表明,该方法具备检出嵌入式系统执行的代码与源代码间比特偏差的能力,从而能检出最小粒度的计划外代码的执行;在不计保护现场指令片段对非中断服务程序的影响时,检测时延不超过6个时钟周期。

关键词: 嵌入式系统安全, 指令流, 行为检测, 实时, 恶意代码

Abstract: Most traditional embedded system security detection methods cannot meet all of the requirements of fast detection, independent detection and without interference to application program. Thus, the authors have developed a method of unexpected behaviors detection for embedded system to meet those requirements. The proposed detection system is independent and operates parallel to an embedded processor. And, the logic of the proposed detection is to compare the instruction stream from embedded processor with the instruction expected by source binary, thus detecting any unexpected behaviors caused by deviating from its original program. Moreover, the detection logic presents common suitability of adapting different repertoires. Then experimental results show that this method has the ability of detecting minimum granularity unexpected behavior by checking out random bit flips, and with average detection latency of 6 cycles if taking no account of the instructions for interrupt-site protection.

Key words: embedded system security, instruction stream, behavior detection, real time, malicious code