JP2009199529A - Information equipment, program and method for preventing execution of unauthorized program code - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To surely and easily prevent an unauthorized access related to buffer overflow. <P>SOLUTION: Information equipment which performs data processing by cooperation of each program code developed in a memory and a central control unit, hooks a call of any one program code to perform stack layout check. In the stack layout check, a return address of each program code developed in the memory is successively acquired, and the data processing is stopped based on attribute information of an address shown by each return address. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to an information device, a program, and an illegal program code execution prevention method.

  Generally, in an information device such as a PC (Personal Computer) or WS (Work Station), a program in which a control unit such as a CPU (Central Processing Unit) is developed in a work area of a storage unit such as a RAM (Random Access Memory). Various data processing is executed by sequentially executing the code. In recent years, unauthorized access such as data stealing or tampering has occurred in the above information devices due to malicious operations being performed by malicious users when executing program codes.

  Usually, access authority is set for data managed by an information device. Therefore, unauthorized access will not be performed if there is no access right to the data. However, unauthorized access is possible when an unauthorized operation is performed using normal program code that has the authority to access data. As a technique for enabling unauthorized access using the program code described above, a technique using a so-called buffer overflow is known in which data at the time of execution of the program code is overflowed from a predetermined area secured in a RAM or the like. .

  Here, the illegal access using the buffer overflow will be described in detail by comparing the case where the program code is executed normally and the case where the program code is executed illegally.

  First, a case where the program code is executed normally will be described with reference to FIGS. FIG. 11 is a conceptual diagram illustrating the source code of the program code. FIG. 12 is a conceptual diagram illustrating the outline of the stack area when the program code is executed.

  The program code by the source code illustrated in FIG. 11 starts from the main () function, and calls the strcpy_helloworld () function in the main () function. In this program code, the character string “hello!” To be displayed on the screen or the like is prepared in the strcpy_helloworld () function, and is displayed by the printf () function of the main () function. A function is a subroutine, subprogram, or the like obtained by modularizing predetermined functions, and can be called at any time in a main program.

  Data at the time of execution of the program code is stored in a stack area secured in a RAM or the like. In this stack area, data is stored in a last-in-first-out (LIFO) structure. Specifically, as shown in FIG. 12, the data at the time of execution of the program code is stored in an area sequentially secured from the top to the bottom.

  For example, when executing the program code by the source code illustrated in FIG. 11, ReturnAddress1, ebp Backup, char Buf [8], etc. are stored as one stack frame when the main () function is processed. Next, when the strcpy_helloworld () function is called in the main () function, ReturnAddress2, ebp Backup2, inti, and the like are stored as one stack frame.

  ReturnAddress indicates an address value to be returned at the end of the program, or an address value to be returned at the end of the subprogram when the subprogram is called by a function or the like. This ReturnAddress is automatically stored in the stack area by the CPU immediately after the execution of the program or immediately after the subprogram is called by a function or the like.

  ebp is a kind of register of the CPU and indicates immediately before the address of the temporary memory area currently used. In the example of FIG. 12, this is the address before char Buf [8] and int i and corresponds to the ReturnAddress of the stack frame. Therefore, by backing up the register value as ebp Backup in the stack frame, it is possible to easily use one area in the stack frame as a memory area for storing temporary data (variables, arrays, etc.). Become.

  char Buf [8] stores Buf which is an array used in the main () function. This Buf is an array for storing eight char type variables (1 byte), and can store 8 bytes of data. int i stores i, which is an int type variable used in the strcpy_helloworld () function.

  Therefore, by executing the program code, a stack frame for the main () function is secured in the stack area, and a stack frame for the strcpy_helloworld () function is secured. Next, the value of int i is sequentially incremented, and a 6-byte character string “hello!” Is stored in char Buf [8]. Next, when the strcpy_helloworld () function ends, ReturnAddress2 is read and returned to the main () function, and when the main () function ends, ReturnAddress1 is read and the program ends normally.

  Next, a case where fraud is performed during the execution of the program code will be described with reference to FIGS. FIG. 13 is a conceptual diagram illustrating the source code of the program code. FIG. 14 is a conceptual diagram illustrating the outline of the stack area when the program code is executed.

  The program code by the source code illustrated in FIG. 13 has data of 12 bytes (11 characters + character string end) of “Hello World” written in the array buf, as can be seen from comparison with FIG. 11 described above.

  As shown in FIG. 14, in the stack area, an area of 8 bytes is secured as an area for storing the array buf. Therefore, when the strcpy_helloworld () function is executed, data larger than the secured size is written. In this way, writing of data larger than the size secured in the memory is called buffer overflow. The case where this buffer overflow occurs in the stack area is called a stack-based buffer overflow.

  In the stack area illustrated in FIG. 14, the areas are sequentially reserved from the top to the bottom, and the data writing to the reserved areas is performed from the bottom to the top. Therefore, ReturnAddress1 and ebp Backup are overwritten by 12 bytes of data “Hello World” when the strcpy_helloworld () function is executed. When the contents of ReturnAddress1 are rewritten to the address where the executable program code is placed by the above-described overwriting, ReturnAddress1 is read by the end of the main () function, and the rewritten program code is executed.

  In the source code illustrated in FIG. 13, an overflow is caused by a predefined character string “Hello World”. However, in practice, data received at a communication port such as a mail server or a Web server, data input from a console or a file, and the like may be stored in the array buf. In such a case, an arbitrary program code is executed by a malicious user via communication, console input, file input, etc., and unauthorized access such as data stealing or falsification occurs.

Patent Documents 1 and 2 are useful techniques for preventing the above-described unauthorized access. Patent Document 1 discloses that a program flow is checked at any time using a debugging function of a CPU to prevent unauthorized access. Specifically, the validity of the execution flow in the program code is checked, and if the execution flow transitions to an invalid execution flow, the execution is stopped or corrected assuming that the program code has been attacked. Patent Document 2 discloses that a program code for detecting buffer overflow is inserted into the program code as needed.
International Publication Number WO2005 / 024630 JP 2001-216161 A

  However, the above prior art cannot sufficiently prevent the unauthorized access related to the buffer overflow described above.

  For example, in Patent Document 1, it is necessary to define the validity of an execution flow, but the definition is very difficult. It is difficult to distinguish the difference between the case of executing illegal program code and the case of normal program code. For this reason, it has not been sufficient to reliably prevent unauthorized access. Further, in order to implement the technique described in Patent Document 1, it is necessary to depend on the debugging function of the CPU, which may cause a decrease in performance.

  Moreover, in patent document 2, the source code of the program code used as protection object is required. Therefore, the program code developer (provider) has to insert the fraud detection program code, and the program code can be implemented only by the developer.

  An object of the present invention has been made in view of the above-described problems of the prior art, and is to provide a technique for reliably and easily preventing unauthorized access related to buffer overflow.

In order to solve the above-mentioned problem, the invention according to claim 1 is an information device that performs data processing in cooperation with each program code developed in a memory and a central control unit,
Detecting means for detecting when the program code is called;
Return address acquisition means for sequentially acquiring the return address of each program code expanded in the memory at the time of calling the program code detected by the detection means;
Attribute acquisition means for acquiring attribute information of addresses indicated by return addresses sequentially acquired by the return address acquisition means when calling the program code detected by the detection means;
Stop means for stopping the data processing based on attribute information of an address indicated by each return address acquired by the attribute acquisition means when calling the program code detected by the detection means;
Is provided.

The invention according to claim 2 is the invention according to claim 1, wherein the memory includes a stack area for storing a return address of each program code,
The return address acquisition means traces and acquires the return address stored in the stack area.

  According to a third aspect of the present invention, in the first or second aspect of the present invention, the stop means is a code in which attribute information of an address indicated by each return address acquired by the attribute acquisition means stores a program code. If it is not information indicating an area, the data processing is stopped.

  According to a fourth aspect of the present invention, in the invention according to any one of the first to third aspects of the present invention, the stop means includes attribute information of an address indicated by each return address acquired by the attribute acquisition means. The data processing is stopped when the information indicates an area in which writing of the file is permitted.

According to a fifth aspect of the present invention, there is provided a computer for executing each program code expanded in a memory.
Detecting means for detecting when the program code is called,
Return address acquisition means for sequentially acquiring the return address of each program code expanded in the memory when calling the program code detected by the detection means;
Attribute acquisition means for acquiring attribute information of addresses indicated by return addresses sequentially acquired by the return address acquisition means when calling the program code detected by the detection means;
Stop means for stopping data processing by each program code based on attribute information of an address indicated by each return address acquired by the attribute acquisition means when calling the program code detected by the detection means;
To function as.

The invention described in claim 6 is a method for preventing unauthorized execution of program code in a computer that executes each program code expanded in a memory,
When any one of the program codes is called, the return address of each program code developed in the memory is sequentially obtained when the detected program code is called, and the sequentially obtained return address indicates Address attribute information is acquired, and data processing by each program code is stopped based on the address attribute information indicated by each acquired return address.

  According to the present invention, it is possible to reliably and easily prevent unauthorized access related to buffer overflow.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. However, the scope of the present invention is not limited to the following embodiments.

  First, the configuration of the information device according to the present embodiment will be described with reference to FIGS. FIG. 1 is a block diagram schematically showing a functional configuration of the information device 1. FIG. 2 is a conceptual diagram illustrating the stack area of the RAM 30.

  As illustrated in FIG. 1, the information device 1 includes a CPU 10, a storage unit 20, a RAM 30, an operation unit 40, a display unit 50, and an I / F unit 60. Each part of the information device 1 is electrically connected by a bus 70. Specifically, the information device 1 may be a PC, WS, PDA (Personal Digital Assistant), mobile phone, or the like.

  The CPU 10 centrally controls the operation of the information device 1. Specifically, the CPU 10 expands the program code and various data stored in the storage unit 20 in the work area of the RAM 30, and outputs a control signal to each unit in cooperation with the data expanded in the RAM 30. The central control is performed.

  The storage unit 20 stores data such as program codes and various setting information in a readable / writable manner from the CPU 10. For example, the storage unit 20 may be an HDD (Hard Disk Drive), a semiconductor memory, or the like. The storage unit 20 may be configured to store the data in a ROM (Read Only Memory) or the like. The program code stored in the storage unit 20 includes various software programs provided by vendors, programs related to processing to be described later, and the like in addition to basic software such as an OS (Operating System).

  In the RAM 30, a stack area for storing data when the program code is executed is secured. Specifically, a stack area as shown in FIG. 2 is secured in a predetermined area of the RAM 30. In this stack area, data is stored for each stack frame. One stack frame stores data such as ReturnAddress, ebp Backup, and data (variables, arrays, etc.) temporarily used when executing the program code.

  ReturnAddress is the return address of the program code. ebp Backup indicates the previous stack frame ebp Backup. Since there is ReturnAddress immediately before ebp Backup, ReturnAddress can be traced and acquired sequentially by following ebp Backup.

  When each program code is sequentially executed, the stack frame is secured sequentially as the program code is executed. For example, when a main program code is executed, a program code related to a subroutine is called in the program code, and another program code is called, the respective programs are sequentially arranged in the stack frames Fr1 to Fr3 as shown in the figure. An area related to the code is secured. When the processing related to each program code is completed, the return address of the stack frames Fr1 to Fr3 is read, so that the return to the main program code and the processing after the program end are performed.

  The operation unit 40 receives an operation input from a user and outputs an operation signal corresponding to the operation to the CPU 10. For example, the operation unit 40 may be a character input key, a numeric input key, a keyboard provided with keys associated with various other functions, a pointing device such as a mouse, and the like.

  The display unit 50 displays an image based on the display control signal output from the CPU 10 on the display screen. For example, the display unit 50 may be a CRT (Cathode Ray Tube), an LCD (Liquid Crystal Display), or the like.

  The I / F unit 60 includes a data communication IC (Integrated Circuit), a connection connector, and the like (none of which are shown), and is communicably connected to an external device or a communication network. For example, the I / F unit 60 is a USB (Universal Serial Bus) communication port, a LAN (Local Area Network), a WAN (Wide Area Network), a network interface card (NIC) connected to the Internet, or the like. It's okay.

  Next, processing executed under the control of the CPU 10 of the information device 1 will be described in detail with reference to FIGS.

  FIG. 3 is a flowchart showing hook processing of the information device 1. 4 to 6 are conceptual diagrams illustrating source codes for dynamically generating a function. FIG. 7 is a conceptual diagram illustrating a normal function call. FIG. 8 is a conceptual diagram illustrating a hooked function call. FIG. 9 is a flowchart showing the stack layout check process of the information device 1. FIG. 10 is a flowchart illustrating a modification of the stack layout check process of the information device 1.

  In the information device 1, in order to prevent execution of illegal program code, detection of API, library function, system call, etc. necessary for execution of the illegal program code, that is, detection of subprogram code call, It is necessary to insert a process for checking the execution of illegal program code. In the present embodiment, the detection of calling the subprogram code and the insertion of processing for performing an illegal check are realized using a hook.

  A hook is a mechanism that allows a user to add a unique process to a specific part of a program. In other words, it is used when the programmer who created the hooked program code and the programmer who created the hooked program code are not the same programmer, and the source code related to each other's program code is not created by the same programmer It is a mechanism to be done. Therefore, it is used when changing the function of an OS or function provided by a vendor or adding arbitrary processing.

  Note that the hook may be used even when the programmer can modify a subprogram such as a function to be checked. However, if the programmer himself can modify the subprogram and corrects it so that an illegal check is performed when the subprogram is executed, it is not necessary to use a hook, and existing functions and libraries can be used more effectively. It can be implemented as safe.

  First, a case where an API hook (a library function is hooked) to check whether or not an illegal program code is executed will be described with reference to FIGS.

  In the following, a hook of a library function called WinExec () prepared by a vendor is exemplified, and a stack layout check process executed when the library function is called is exemplified.

  As shown in FIG. 3, when a hook function is started by calling a library function called WinExec (), an address where the function of WinExec () exists is acquired (step S1). The address of this function can be obtained by calling a function provided by the vendor.

  Next, a small function (temporary function) that hooks API execution is dynamically generated (step S2). This dynamically generated function is a function that calls a stack layout check process described later.

  Next, the top code of the WinExec () function is rewritten and changed so as to jump to the function generated in step S2 (step S3).

  Source codes for dynamically generating the function for the API hook described above are illustrated in FIGS. As shown in FIG. 4, the source code C1 defines a hook target code. As shown in FIG. 5, the source code C2 is a TrampolineStdcall_CodeHook () function that outputs a template of code that is actually generated. In this function, in the part with 0xccccccc1, an address obtained by adding 5 bytes to the address of the WinExec () function is input. In the part with 5 nop, the first 5 bytes of the original WinExec () function before code rewriting is copied as it is.

  As shown in FIG. 6, the source code C3 is a BuildTrampolineCode_CodeHook () function. This function performs two rewrites of the TrampolineStdcall_CodeHook () function.

  In the information device 1, by the hook process described above, it is possible to insert a process for detecting an invocation of a subprogram code and performing an illegal check. Normally, when a subprogram related to a function is called, as shown in FIG. 7, the functions f2 and f3 called by the function f1 and the function f4 called by the function f2 are executed as they are. However, in the information device 1, as shown in FIG. 8, when the function f2 is called by the function f1, the hook function f2a for calling the stack layout check process is executed before the function f2 is called.

  As shown in FIG. 9, when the stack layout check process is started after the hook process, the StackWolk () library is initialized (step S11). The StackWolk () library is a stack trace function provided by the vendor. By using StackWolk () to increment or decrement the trace position, it is possible to sequentially obtain return addresses stored in the stack area.

  Next, StackWolk () is called and one stack is backtraced so as to sequentially call stack frames in the stack area (step S12), and it is determined whether or not the return address has been correctly acquired after tracing (step S13). ).

  In step S13, if the return address cannot be acquired correctly, the execution of WinExec () that is the check target is continued as normal termination. This is the case when the stack is destroyed due to unknown reasons other than unauthorized access, and StackWolk () does not operate normally. In this embodiment, StackWolk () terminates normally when it does not operate normally, but even if this stack trace fails, it is confirmed whether or not to stop the program or to the user. A dialog for this purpose may be displayed on the display unit 50.

  In step S13, if the return address can be correctly acquired, attribute information of the memory area indicated by the acquired return address is acquired (step S14). This attribute information is acquired using a function that outputs attribute information of the address by designating the address.

  Next, based on the attribute information acquired in step S13, it is determined whether or not the memory area indicated by the return address is a code area (step S15). The code area is a memory area in which program code is stored. If it is determined in step S15 that the area is a code area, it is determined whether or not the memory area indicated by the return address is not writable (or whether or not writing is permitted). (Step S16).

  If it is determined in step S16 that the area is not writable, it is determined whether an unchecked return address exists (step S17). If an unchecked return address exists, the process proceeds to step S12. Returning, the next return address is traced. In step S17, if there is no unchecked return address, WinExec () to be checked is executed as a normal end.

  If it is determined in step S15 that it is not a code area (data area), and if it is determined in step S16 that writing is not possible (area where writing is permitted), an attack such as unauthorized access is detected. Then, a dialog for temporarily stopping data processing is displayed on the display unit 50 in order to prevent execution of illegal program code (step S18), and execution of the program is stopped (step S19).

  An illegal program code or the like is temporarily stored in a data area for storing data, and then executed from the data area by a program code having execution authority using buffer overflow. Therefore, in the information device 1, since the execution of the program is stopped when it is determined in step S15 that the memory area indicated by the return address is not a code area (a data area), execution of an illegal program code is prevented. It becomes possible to do.

  In addition, since an illegal program code or the like needs to be temporarily stored in a data area for storing data, it exists in an area where data writing is permitted. Accordingly, in the information device 1, since the execution of the program is stopped when it is determined in step S16 that the memory area indicated by the return address is an area where writing is permitted, the execution of an illegal program code is prevented. It becomes possible.

  Next, as a modification, a case where a system call is hooked to check whether or not an illegal program code is executed will be described with reference to FIG.

  FIG. 10 illustrates a stack layout check process for checking the userland stack from the kernel when any system call is called. In the stack layout check process, stack tracing is performed by a method using a normal ebp.

  The stack layout check process is executed before the system call process by hooking a function in the kernel that is processing the system call. Thus, by hooking the system call, it becomes possible to create a program code related to the stack layout check process as a kernel module, and it is not necessary to rebuild or modify the kernel body.

  Therefore, even if the kernel source code is not disclosed, it can be implemented. Even if source code is provided, it is not necessary to replace the kernel, and it can be implemented simply by installing a kernel module.

  As shown in FIG. 10, when the stack layout check process is started by calling a system call, the latest ebp backup is acquired from the current ebp value (step S21). That is, in step S21, the current read position in the stack area of the RAM 30 is acquired.

  Next, the return address immediately before it is acquired from ebp backup (step S23), and it is determined whether or not the return address has been correctly acquired (step S23). In step S23, if the return address cannot be acquired correctly, the process ends normally and the called system code is executed as in step S13 described above.

  In step S23, if the return address can be acquired correctly, it is determined whether or not the stack frame including the return address is a signal processing stack frame (step S24). The determination of the stack frame is performed based on an output result of a library function (for example, libunwind function) prepared in advance.

  If it is determined in step S24 that the stack frame is a signal processing stack frame, the process ends normally and the called system code is executed. The signal processing differs depending on the type and setting of the OS, but in the case of signal processing, the program execution method may be special, and the stack frame also has a special layout. Therefore, in order to avoid false detection, the check is interrupted in the case of signal processing, and the normal termination is always performed.

  If it is determined in step S24 that the stack frame is not a signal processing stack frame, the same processing as in steps S14 to S17 described above is performed (steps S26 to S28). If there is an unchecked return address in step S28, the next ebp backup is acquired from ebp backup (step S29), and the process returns to step S22 to acquire the next return address.

  If it is determined in step S26 that it is not a code area (data area), and if it is determined in step S27 that writing is not possible (area where writing is permitted), steps S18 and S19 are performed. Similarly, the program execution is stopped (steps S30 and S31).

  Therefore, in the information device 1, even when a system call is called, the program execution is stopped when it is determined in step S26 that the memory area indicated by the return address is not a code area (a data area). It is possible to prevent execution of illegal program code. Similarly, in the information device 1, the execution of the program is stopped when it is determined in step S27 that the memory area indicated by the return address is an area where writing is permitted. It becomes possible to do.

  As described above, the information device 1 performs data processing in cooperation with each program code developed in the memory (RAM 30) and the central control unit (CPU 10). In addition, the information device 1 includes a detection unit (CPU 10, hook processing) that detects when any one of the program codes is called, and a return of each program code developed in the memory when the program code detected by the detection unit is called. Return address acquisition means (CPU 10, steps S12, S22) for sequentially acquiring addresses, and at the time of calling the program code detected by the detection means, the attribute information of the addresses indicated by the return addresses sequentially acquired by the return address acquisition means is acquired. The data processing is stopped based on the attribute information of the address indicated by each return address acquired by the attribute acquisition unit when the program code detected by the attribute acquisition unit (CPU 10, steps S14 and S25) is called. Stop means Comprises CPU 10, and Step S19, S31), the.

  For this reason, the information device 1 can control whether or not to stop the data processing by checking all return addresses of the program codes developed in the memory when the program code is called. Further, the information device 1 does not need to modify each program code. Therefore, 1 can reliably and easily prevent unauthorized access related to buffer overflow.

  Note that the description in the above-described embodiment shows an example, and the present invention is not limited to this. The configuration and operation in the embodiment described above can be changed as appropriate.

  For example, in the above description, an example in which the storage unit 20 and the ROM are used as a computer-readable medium of the program according to the present invention is disclosed, but the present invention is not limited to this example. As other computer-readable media, a non-volatile memory such as a flash memory and a portable recording medium such as a CD-ROM can be applied. A carrier wave is also applied to the present invention as a medium for providing program data according to the present invention via a communication line connected to the I / F unit 60.

It is a block diagram which shows typically the functional structure of the information equipment which concerns on this Embodiment. It is a conceptual diagram which illustrates the stack area | region of RAM. It is a flowchart which shows the hook process of information equipment. It is a conceptual diagram which illustrates the source code for generating a function dynamically. It is a conceptual diagram which illustrates the source code for generating a function dynamically. It is a conceptual diagram which illustrates the source code for generating a function dynamically. It is a conceptual diagram which illustrates a normal function call. It is a conceptual diagram which illustrates the function call hooked. It is a flowchart which shows the stack layout check process of an information device. It is a flowchart which shows the modification of the stack layout check process of an information device. It is a conceptual diagram which illustrates the source code of a program code. It is a conceptual diagram which illustrates the outline | summary of the stack area | region at the time of program code execution. It is a conceptual diagram which illustrates the source code of a program code. It is a conceptual diagram which illustrates the outline | summary of the stack area | region at the time of program code execution.

Explanation of symbols

1 Information device 10 CPU
20 storage unit 30 RAM
40 Operation unit 50 Display unit 60 I / F unit 70 Bus C1 to C3 Source code Fr1 to Fr3 Stack frame

Claims (6)

An information device that performs data processing in cooperation with each program code developed in a memory and a central control unit,
Detecting means for detecting when the program code is called;
Return address acquisition means for sequentially acquiring the return address of each program code expanded in the memory at the time of calling the program code detected by the detection means;
Attribute acquisition means for acquiring attribute information of addresses indicated by return addresses sequentially acquired by the return address acquisition means when calling the program code detected by the detection means;
Stop means for stopping the data processing based on attribute information of an address indicated by each return address acquired by the attribute acquisition means when calling the program code detected by the detection means;
Information equipment equipped with. The memory includes a stack area for storing a return address of each program code,
The information device according to claim 1, wherein the return address acquisition unit traces and acquires a return address stored in the stack area.   The stop means stops the data processing when the attribute information of the address indicated by each return address acquired by the attribute acquisition means is not information indicating a code area for storing a program code. Information equipment described.   The said stop means stops the said data processing, when the attribute information of the address which each return address acquired by the said attribute acquisition means is the information which shows the area | region where data writing was permitted. 4. The information device according to any one of 3. A computer that executes each program code expanded in memory
Detecting means for detecting when the program code is called,
Return address acquisition means for sequentially acquiring the return address of each program code expanded in the memory when calling the program code detected by the detection means;
Attribute acquisition means for acquiring attribute information of addresses indicated by return addresses sequentially acquired by the return address acquisition means when calling the program code detected by the detection means;
Stop means for stopping data processing by each program code based on attribute information of an address indicated by each return address acquired by the attribute acquisition means when calling the program code detected by the detection means;
Program to function as. A method for preventing unauthorized execution of program code in a computer that executes each program code expanded in memory,
When any one of the program codes is called, the return address of each program code developed in the memory is sequentially obtained when the detected program code is called, and the sequentially obtained return address indicates An illegal program code execution prevention method that acquires address attribute information and stops data processing by each program code based on the address attribute information indicated by each acquired return address.

Images