
Method To Obtain The Control Flow Graph Of Kernel Base On Compiler

Posted on: 2015-11-06
Degree: Master
Type: Thesis
Country: China
Candidate: W M Wang
Full Text: PDF
GTID: 2308330464970447
Subject: Computer system architecture

Abstract/Summary:
As a typical class of attack, buffer overflow attacks are highly damaging, since they allow an attacker to gain unauthorized access to a computer system. Operating systems have therefore kept introducing new security mechanisms, such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). But with the development of new attack techniques built on buffer overflows, such as Return-into-libc and Return-Oriented Programming (ROP), the threat of buffer overflow attacks has never been eliminated. Return-into-libc and ROP attack the operating system kernel by hijacking the kernel's control flow, so this kind of threat can be eliminated by protecting the kernel control flow. The kernel Control Flow Graph (CFG) is the prerequisite for such protection mechanisms.

The CFG of the kernel in this paper needs to record the address of each jump instruction and the destination address it jumps to. There are three types of control transfer in the kernel related to function calls: direct function calls, indirect function calls and function returns. The addresses of direct function calls and function returns are easy to obtain by analyzing the disassembled code of the kernel. But for an indirect function call, the call instruction uses a function pointer to find the address of the function actually being called. This paper therefore presents a method to obtain the control flow graph of the kernel based on the compiler's intermediate representation (IR). The IR has low complexity and high readability, so the propagation path of a function pointer can be obtained through IR analysis, the address of the function reached by an indirect call can be found, and the complete Control Flow Graph of the kernel can then be constructed. In the IR, the transfer of a function pointer is divided logically into two processes: the storing process and the calling process. The storing process starts from the instructions that contain a function name and follows them until the place where the function pointer is stored is found, such as a global variable, a structure field or a parameter.

The calling process starts from a function call instruction and follows it back until the name of the function the pointer points to is found. Looking up that function's address in the disassembled code then gives the destination address of the indirect function call. A demo system that obtains the control flow graph of the kernel based on the IR has been built, and it works correctly on Linux kernel 3.12.0.
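The storing and calling processes described above, as an added example that is not part of the thesis or its demo system: a small Python analysis over a constructed, simplified LLVM-style IR text (the IR shape, the global slots @read_op/@write_op and all function names are assumed for illustration) that resolves indirect call targets through the slot each pointer was stored in, and reports indirect calls whose slot is never written.

```python
import re

# Constructed, simplified LLVM-style IR (not from the thesis): a function pointer
# is stored into a global slot and later loaded for an indirect call; @write_op
# is never written, so the call through it cannot be resolved.
SAMPLE_IR = """
@read_op = global ptr null
@write_op = global ptr null
define void @real_read() { ret void }
define void @init() { store ptr @real_read, ptr @read_op  ret void }
define void @dispatch() {
  %fp = load ptr, ptr @read_op
  call void %fp()
  %wp = load ptr, ptr @write_op
  call void %wp()
  ret void
}
define void @start() {
  call void @init()
  call void @dispatch()
  ret void
}
"""

DEFINE = re.compile(r"^define \S+ @(\w+)\(")
STORE = re.compile(r"store ptr @(\w+), ptr (@\w+)")
LOAD = re.compile(r"(%\w+) = load ptr, ptr (@\w+)")
CALL = re.compile(r"\bcall \S+ ([@%]\w+)\(")

def build_cfg(ir):
    # Storing process: map each global slot to the function names stored in it.
    slot_targets = {}
    for func, slot in STORE.findall(ir):
        slot_targets.setdefault(slot, set()).add(func)
    edges, unresolved = set(), []     # (caller, callee), (caller, pointer reg)
    current, loads = None, {}
    for line in ir.splitlines():
        if m := DEFINE.match(line.strip()):
            current, loads = m.group(1), {}   # new function: reset SSA map
        elif m := LOAD.search(line):
            loads[m.group(1)] = m.group(2)    # %reg -> slot it was loaded from
        elif (m := CALL.search(line)) and current:
            target = m.group(1)
            if target.startswith("@"):         # direct call: callee is explicit
                edges.add((current, target[1:]))
                continue
            # Calling process: pointer reg -> slot -> functions stored there
            callees = slot_targets.get(loads.get(target), set())
            if not callees:
                unresolved.append((current, target))
            edges.update((current, c) for c in callees)
    return sorted(edges), unresolved
```

Only global-variable slots are traced here; structure fields and parameters, which the thesis also covers, need the same store/load matching extended to field addresses and call arguments.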
Keywords/Search Tags: Kernel, Control Flow Graph, Compiler, Intermediate Representation