Processors based on SPARC V8 frequently take traps caused by the overlapping register windows: when a SAVE instruction would cause the current window pointer (CWP) to point to a window marked invalid in the window invalid mask register (WIM), a Window_Overflow trap occurs; when a RESTORE or RETT instruction would cause the CWP to point to a window marked invalid in the WIM, a Window_Underflow trap occurs. A stack data structure stores the contents of the windows and releases the overflowed window in order to handle these overlapping-window exceptions. Through an analysis of the resulting stack overflow vulnerability, a code-level attack was completed. Finally, based on the theoretical analysis of the vulnerability, a stack overflow defense scheme is proposed, and its feasibility is tested and verified on the SPARC V8 processor AT697F.
Introduction
Microprocessors based on the SPARC architecture currently have a large development space in embedded applications, with more than 30,000 successful deployments worldwide. Well-known examples are the control computer DMS-R and the automated transfer vehicle ATV used on the International Space Station, both of which rely on SPARC-based microprocessors. In China, SPARC microprocessors are widely used in the fields of defense electronics and aerospace.
SPARC, formulated at Sun Microsystems in 1985, is based on the RISC I & II designs engineered at the University of California at Berkeley from 1980 through 1982. The SPARC "register window" architecture, pioneered in the UC Berkeley designs, allows for straightforward, high-performance compilers and a significant reduction in memory load/store instructions over other RISCs, particularly for large application programs [1].
One notable feature of the SPARC microprocessor architecture is its circular overlapping register windows. Although this structure effectively improves the efficiency of procedure calls, register window exceptions also occur frequently. The handling of register window exceptions and the analysis of their vulnerabilities therefore have both theoretical and practical value in the embedded field. This paper selects the SPARC V8 AT697F microprocessor manufactured by ATMEL as the hardware platform, analyzes the register window exceptions and the associated vulnerability, proposes a solution, and completes the experiments on this platform.
Description of AT697F
The AT697F is a highly integrated, high-performance 32-bit RISC embedded processor based on the SPARC V8 architecture. The implementation is based on the European Space Agency (ESA) LEON2 fault-tolerant model. By executing powerful instructions in a single clock cycle, the AT697F achieves throughputs approaching 1 MIPS per MHz, allowing the system designer to optimize power consumption versus processing speed.
The AT697F is designed to be used as a building block in computers for on-board embedded real-time applications. It brings up-to-date functionality and performance to space applications. The AT697F only requires memory and application-specific peripherals to be added to form a complete on-board computer [2].
The AT697F contains an Integer Unit (IU), a Floating Point Unit (FPU), separate instruction and data caches, a hardware multiplier and divider, an interrupt controller, two 32-bit timers and a watchdog, two UARTs, general-purpose I/O interfaces, a PCI interface and a flexible memory controller. The design is highly testable with support from an embedded Debug Support Unit (DSU) with trace buffers and a JTAG interface for boundary scan. See Fig. 1.
Register window exception handling and vulnerability analysis
Register window exception handling. A SPARC implementation provides between 2 and 32 register windows; the CWP holds the number of the window currently in use, and each window is in one of four states: in use, invalid, used, or unused. To support the maximum number of windows, the CWP is 5 bits wide. Assuming that WIM is 0x01 (and the CWP is 5 on an 8-window implementation), the windows divide as follows: W0 is invalid, W1-W4 are unused, W5 is in use, and W6-W7 have been used. Only one bit of the WIM register is set; it marks the window at which the next exception will occur.
The SPARC architecture design leaves the CALL and JMP instructions without any effect on the windows; window rotation is performed by the subroutines themselves. A subroutine call rotates the windows with the SAVE instruction, which assigns a new window to the subroutine; at that moment the caller's out registers become the subroutine's in registers. A subroutine return rotates back and restores the original window with the RESTORE instruction; at the same time the subroutine's in registers become the caller's out registers again.
The AT697F uses the CWP[4:0] bits of the PSR (processor status register) and the WIM[31:0] register to supervise the register windows, together with two traps, window overflow and window underflow. When the depth of nested calls exceeds the available number of windows, the window resources are exhausted and a window overflow occurs; when subroutines return and the windows are empty, a window underflow occurs. The Window_Overflow and Window_Underflow traps are detected by comparing the CWP with the WIM.
The idea of Window_Overflow trap processing is to save the contents of the overflowing window to its corresponding memory stack frame and then release the window. For example, suppose a function executes a SAVE instruction when the CWP is 3. If WIM[2] is 1 at that moment, the trap is taken, and after entry the CWP becomes 2. The window overflow handler saves the contents of the register window with CWP equal to 1, then clears the WIM[2] bit and sets the WIM[1] bit. This design is very clever. First, note that the WIM is changed only by software. At initialization the software sets WIM[1] to 1 and the CWP to 0. Functions are then called, each executing SAVE, until the CWP is 2; the next SAVE instruction triggers one Window_Overflow trap. The window overflow handler WindowOverflow does the following: 1) rotate the WIM register right by one bit; 2) save the contents of the in and local registers to the stack; 3) since the processor saved the PC in the l1 register and the nPC in the l2 register of the trap window when the trap occurred, return with the jmp and rett instructions, which bring execution back to the window where the trap occurred so the SAVE can complete.
The idea of Window_Underflow trap processing is to copy the contents held in the memory stack back into their corresponding window, thereby refilling the window. For example, suppose a function executes a RESTORE instruction when the CWP is 3. If WIM[4] is 1 at that moment, the trap is taken, and after entry the CWP becomes 2. The window underflow handler restores the contents of the register window with CWP equal to 4 from the stack, then clears WIM[4] and sets the WIM[5] bit. After processing, the PC jumps back to CWP = 3 to continue with the previous RESTORE instruction. The SPARC window underflow handler WindowUnderflow does the following: 1) rotate the WIM register left by one bit; 2) copy the contents in the stack back into the in and local registers; 3) since the processor saved the PC in the l1 register and the nPC in the l2 register when the trap occurred, return with the jmp and rett instructions, which bring execution back to the window where the trap occurred so the RESTORE can complete.
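The following C model, added here as an illustration and not taken from the paper or the AT697F sources, executes the SAVE/RESTORE and Window_Overflow/Window_Underflow behaviour described above on an 8-window register file with the initial state WIM[1] = 1, CWP = 0. It assumes the memory stack can be represented as a LIFO list of spilled windows (real hardware addresses each frame through %sp) and leaves out the trap window's %l1/%l2 bookkeeping. It also records the return address that CALL leaves in the caller's %o7 (the callee's %i7 after SAVE), so that after a spill one can see which return addresses now live in memory rather than in a register.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the SPARC V8 register window mechanism as the paper describes it.
 * Assumptions (not from the paper): NWINDOWS = 8 to match the W0-W7 example; the memory
 * stack is a LIFO array of spilled windows instead of %sp-addressed frames; %l1/%l2
 * bookkeeping of the trap window is omitted. Initial WIM[1] = 1, CWP = 0 is from the paper. */
#define NWINDOWS  8
#define WIM_MASK  ((1u << NWINDOWS) - 1u)
#define MAX_SPILL (4 * NWINDOWS)

typedef struct { uint32_t in[8], local[8]; } window_t;  /* a window's outs are the next window's ins */

typedef struct {
    unsigned cwp;                 /* PSR.CWP: the window in use */
    uint32_t wim;                 /* window invalid mask: exactly one bit set */
    window_t win[NWINDOWS];       /* the circular register file */
    window_t spill[MAX_SPILL];    /* memory stack frames that received spilled windows */
    int      nspilled;
    int      overflow_traps, underflow_traps;
} cpu_t;

static unsigned wrap(int w) { return (unsigned)(((w % NWINDOWS) + NWINDOWS) % NWINDOWS); }

static void cpu_init(cpu_t *c) { memset(c, 0, sizeof *c); c->wim = 1u << 1; }

/* Window_Overflow handler: entered with CWP already decremented into the invalid window.
 * Rotate WIM right, spill the window now marked invalid (CWP-1), then rett to the SAVE. */
static void window_overflow(cpu_t *c) {
    unsigned victim = wrap((int)c->cwp - 1);
    c->overflow_traps++;
    c->wim = ((c->wim >> 1) | (c->wim << (NWINDOWS - 1))) & WIM_MASK;
    if (c->nspilled < MAX_SPILL) c->spill[c->nspilled++] = c->win[victim];  /* std %l0-%l7,%i0-%i7 -> [%sp] */
    memset(&c->win[victim], 0, sizeof(window_t));  /* hardware keeps stale values; zeroing makes the refill visible */
}

/* Window_Underflow handler: rotate WIM left and refill the window that RESTORE wants to enter. */
static void window_underflow(cpu_t *c, unsigned target) {
    c->underflow_traps++;
    c->wim = ((c->wim << 1) | (c->wim >> (NWINDOWS - 1))) & WIM_MASK;
    c->win[target] = c->spill[--c->nspilled];      /* ldd [%sp] -> %l0-%l7,%i0-%i7 */
}

/* CALL + SAVE: CALL leaves the return address in the caller's %o7; after SAVE that register
 * is the callee's %i7. Returns 1 if the SAVE took a Window_Overflow trap first. */
static int do_save(cpu_t *c, uint32_t ret_addr) {
    unsigned target = wrap((int)c->cwp - 1);
    int trapped = 0;
    if (c->wim & (1u << target)) {            /* SAVE would enter the invalid window */
        c->cwp = target;                      /* trap entry */
        window_overflow(c);
        c->cwp = wrap((int)target + 1);       /* rett back to the window that executed SAVE */
        trapped = 1;
    }
    c->cwp = target;                          /* SAVE (re)executes against a valid window */
    c->win[target].in[7] = ret_addr;
    return trapped;
}

/* RESTORE: traps if the caller's window is marked invalid. Hands back the callee's %i7 so the
 * caller can check it came through intact. Returns 1 on a trap, -1 if nothing was spilled. */
static int do_restore(cpu_t *c, uint32_t *ret_addr) {
    unsigned target = wrap((int)c->cwp + 1);
    int trapped = 0;
    if (c->wim & (1u << target)) {
        if (c->nspilled == 0) return -1;
        window_underflow(c, target);
        trapped = 1;
    }
    if (ret_addr) *ret_addr = c->win[c->cwp].in[7];
    c->cwp = target;
    return trapped;
}

/* Nest `depth` calls with constructed return addresses, then unwind them all.
 * Returns 0 if every return address came back intact and the machine is back in W0. */
static int nested_calls(cpu_t *c, int depth) {
    cpu_init(c);
    c->win[0].local[0] = 0x1234abcdu;         /* a value in main's window that must survive a spill */
    for (int i = 0; i < depth; i++) do_save(c, 0x40000000u + 4u * (uint32_t)i);
    for (int i = depth - 1; i >= 0; i--) {
        uint32_t ra = 0;
        if (do_restore(c, &ra) < 0 || ra != 0x40000000u + 4u * (uint32_t)i) return -1;
    }
    return (c->cwp == 0 && c->wim == (1u << 1) && c->win[0].local[0] == 0x1234abcdu) ? 0 : -1;
}

static cpu_t g_cpu;  /* instance behind the query functions below */

static int traps_for_depth(int depth, int underflow) {
    if (nested_calls(&g_cpu, depth) != 0) return -1;
    return underflow ? g_cpu.underflow_traps : g_cpu.overflow_traps;
}

/* After `depth` nested calls: the %i7 of the most recently spilled window, i.e. a return
 * address that now lives in the memory stack rather than in a register (0 if none spilled). */
static uint32_t last_spilled_return_address(int depth) {
    cpu_init(&g_cpu);
    for (int i = 0; i < depth; i++) do_save(&g_cpu, 0x40000000u + 4u * (uint32_t)i);
    return g_cpu.nspilled ? g_cpu.spill[g_cpu.nspilled - 1].in[7] : 0;
}

int main(void) {
    for (int d = 6; d <= 10; d++)
        printf("depth %2d: overflow traps %d, underflow traps %d\n", d, traps_for_depth(d, 0), traps_for_depth(d, 1));
    printf("depth 8: %%i7 of last spilled window = 0x%08x\n", last_spilled_return_address(8));
    return 0;
}
```

With one invalid window, six nested calls fit without a trap; the seventh call spills W0, and every further call spills one more window, so the number of underflow traps on the way back equals the number of overflow traps on the way in. From depth 8 on, the spilled frames carry a real return address in the %i7 slot, which is the situation the vulnerability analysis below starts from.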
Vulnerability analysis of the register window structure. As long as no window trap is taken, the subroutine return address is held in the caller window's %o7 register, and there is no stack overflow problem. When a window overflow occurs, the contents of the first allocated window, including the subroutine return address, are stored in the memory stack frame allocated to that window. At this point the situation is the same as a subroutine call on x86, which reveals the vulnerability of the SPARC V8 overlapping register window structure [3, 4].
The register window attack procedure under the SPARC V8 architecture is designed as follows: first, nested subroutine calls cause a register window overflow, so that the contents of the overflowed window are stored to the corresponding memory stack; second, locate the memory address at which the subroutine return address is stored and change its contents to the entry address of the designed attack function.
The test program computes the value of 2^11. When the program is not under attack, both the AT697F processor and the LEON simulator produce 2048, i.e. 0x800 in hexadecimal. When the program is attacked by the attack function, the two results show that the evaluation function is disrupted and the program produces a wrong result after the attack code runs. This indicates that the register window can be attacked and a stack overflow trap caused: a system based on the SPARC V8 overlapping register window structure contains a vulnerability, and it is therefore necessary to design and implement a defense against register window stack overflow.
Defense of Stack Overflow
Since the system manages subroutine calls jointly through register windows and the stack, since a buffer overflow attack ultimately works by overwriting the subroutine return address, and since the buffer must also be protected, we designed a stack overflow attack defense module for the SPARC V8 architecture. The module detects a stack overflow after it has occurred and repairs the overwritten address, so that the program returns to normal operation quickly and effectively. The defense module consists of a flow control module, an encryption and decryption module and a comparison module [5].
Flow control module. The integer unit of the AT697F issues a single instruction at a time and has a five-stage pipeline, so the stack overflow defense module must be synchronized with that pipeline; all of the defense module's control signals come from the five pipeline stages.
Encryption and decryption module. Using the ASI (Address Space Identifier) mechanism of the SPARC architecture, a space that ordinary users cannot access is reserved to hold a stack data structure. This space stores the encrypted correct return address of each subroutine. When the subroutine finishes and returns to its caller, the encrypted address is decrypted and sent to the comparator.
Comparison module. Since SPARC V8 uses 32-bit addresses, the comparator is 32 bits wide as well. It compares the decrypted address with the return address, obtains the correct return address, and passes it to the flow control module so that the return to the caller is carried out correctly. In this way the exception caused by a stack overflow is prevented.
The structure of the scheme is shown in Fig. 4. According to the proposal, this paper implements it on the AT697F processor, which is built on the SPARC V8 architecture, and on the LEON simulator. Finally, the AT697F test procedure verified that adding the stack overflow defense module to the processor has no influence on the other parts of the AT697F, and that the module outputs the correct subroutine return address, thereby accomplishing the stack overflow defense function.
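The C model below is an added illustration of how the three modules described in this section fit together; it is not the paper's hardware design and not AT697F code. It assumes that the ASI-protected space can be represented by an array touched only by the module's own functions, that the encryption is a keyed XOR with a secret 32-bit word (the paper does not specify a cipher), and that the memory stack can be reduced to the return-address slot of each spilled window. The scenario function nests three calls, optionally overwrites the outermost frame's return-address slot with a constructed value (the kind of corruption the vulnerability analysis above describes), and shows the comparator detecting the mismatch and handing the flow control module the genuine address.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the stack overflow defense module. Assumptions (not from the paper): the protected
 * store stands in for the space reserved through an ASI that user code cannot access; the
 * cipher is XOR with a secret 32-bit key; the memory stack is reduced to the return-address
 * slot of each spilled frame. */
#define MAX_DEPTH 64

typedef struct {
    uint32_t key;                   /* secret held by the encryption/decryption module */
    uint32_t shadow[MAX_DEPTH];     /* encrypted return addresses in the protected space */
    int      shadow_sp;
    uint32_t frame_ret[MAX_DEPTH];  /* %i7 slot of each spilled frame in ordinary memory */
    int      frame_sp;
    int      repairs;               /* returns on which the comparator found a mismatch */
} defense_t;

static void defense_init(defense_t *d, uint32_t key) { memset(d, 0, sizeof *d); d->key = key; }

static uint32_t encrypt_addr(const defense_t *d, uint32_t a) { return a ^ d->key; }
static uint32_t decrypt_addr(const defense_t *d, uint32_t a) { return a ^ d->key; }

/* Flow control hook when the pipeline sees a CALL: record the return address in the protected
 * space. The spill handler later writes the same value to the memory stack frame; both copies
 * are kept here so that the comparator has something to compare. */
static int on_call(defense_t *d, uint32_t ret_addr) {
    if (d->shadow_sp >= MAX_DEPTH) return -1;
    d->shadow[d->shadow_sp++]  = encrypt_addr(d, ret_addr);
    d->frame_ret[d->frame_sp++] = ret_addr;
    return 0;
}

/* Flow control hook at the return: the 32-bit comparator checks the address read back from the
 * memory stack against the decrypted protected copy. The protected copy is what the flow control
 * module uses, so a corrupted frame is repaired rather than followed. */
static uint32_t on_return(defense_t *d, int *mismatch) {
    if (d->shadow_sp == 0 || d->frame_sp == 0) { *mismatch = 0; return 0; }
    uint32_t from_stack = d->frame_ret[--d->frame_sp];
    uint32_t trusted    = decrypt_addr(d, d->shadow[--d->shadow_sp]);
    *mismatch = (from_stack != trusted);
    if (*mismatch) d->repairs++;
    return trusted;
}

/* Scenario: three nested calls, then three returns. With corrupt_outermost set, the outermost
 * frame's return-address slot is overwritten in memory first (constructed corruption).
 * Returns the address used for the final return, or 0 if any return went to the wrong place. */
static uint32_t run_scenario(int corrupt_outermost, int *repairs_out) {
    static const uint32_t rets[3] = { 0x40001000u, 0x40002040u, 0x40003080u };  /* constructed */
    defense_t d;
    defense_init(&d, 0x5a17c3e9u);  /* constructed key; real hardware would draw a fresh one at reset */
    for (int i = 0; i < 3; i++)
        if (on_call(&d, rets[i]) != 0) return 0;
    if (corrupt_outermost) d.frame_ret[0] = 0x40009000u;  /* constructed: slot now points elsewhere */
    uint32_t used = 0;
    for (int i = 2; i >= 0; i--) {
        int mismatch = 0;
        used = on_return(&d, &mismatch);
        if (used != rets[i]) return 0;  /* the address handed to flow control must be the genuine one */
    }
    *repairs_out = d.repairs;
    return used;
}

static uint32_t scenario_final_return(int corrupt) { int r = 0; return run_scenario(corrupt, &r); }
static int      scenario_repairs(int corrupt)      { int r = -1; return run_scenario(corrupt, &r) ? r : -1; }

int main(void) {
    printf("clean run:     final return 0x%08x, repairs %d\n", scenario_final_return(0), scenario_repairs(0));
    printf("corrupted run: final return 0x%08x, repairs %d\n", scenario_final_return(1), scenario_repairs(1));
    return 0;
}
```

In the clean run the comparator agrees on every return and repairs nothing; in the corrupted run the two inner returns still agree, the outermost return is flagged once, and the flow control module still receives 0x40001000 rather than the overwritten value. Keeping the protected copy encrypted means that even a read of the reserved space through a stray ASI access reveals nothing useful without the key, and a 32-bit comparator is exactly wide enough for the SPARC V8 address.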
Summary
This paper studied the overlapping register window technology of processors based on SPARC V8. Its main content can be summarized as follows: 1. It introduced the primary features of the AT697F processor, which is based on the SPARC V8 architecture, and the mechanism of the overlapping window technology; 2. According to the features of SPARC, it implemented the exception handling for register window overflow and window underflow, making multi-level function calls possible; 3. It analyzed the vulnerability of the overlapping register windows and designed an attack procedure to prove that the register window vulnerability exists; 4. By designing a defense module, it achieved the goal of preventing the stack overflow vulnerability; the AT697F test procedure proved that the design of the stack overflow defense module is effective. A SPARC V8 processor has 16 kinds of exceptions; this paper analyzed only the window exceptions, which are the most common exceptions of the processor. More attention should be paid to the other exceptions of the processor, which will be of significant value for the application of SPARC processors in embedded systems.
