CN110727925A - Target application safety detection method and device and electronic equipment - Google Patents


Info

Publication number
CN110727925A
Authority
CN
China
Prior art keywords
program
block
control flow
jump
program block
Prior art date
Legal status
Granted
Application number
CN201910785003.3A
Other languages
Chinese (zh)
Other versions
CN110727925B (en)
Inventor
徐国爱
郭燕慧
阚泽亮
Current Assignee
Beijing University of Posts and Telecommunications
Original Assignee
Beijing University of Posts and Telecommunications
Application filed by Beijing University of Posts and Telecommunications
Priority to CN201910785003.3A
Publication of CN110727925A
Application granted
Publication of CN110727925B
Legal status: Active


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/12 Protecting executable software
    • G06F21/14 Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements


Abstract

The invention discloses a target application security detection method, device and electronic equipment that can perform accurate de-obfuscation and effective security detection on a target application. The method comprises the following steps: decompiling the target application to generate an intermediate representation; extracting key feature values of the obfuscated control-flow relationship among the plurality of program blocks forming the intermediate representation; recovering the obfuscated control-flow relationship by split symbolic execution according to the key feature values to obtain the normal control-flow relationship; optimizing the normal control-flow relationship and generating a corresponding executable program according to the optimized normal control-flow relationship; and performing security detection on the executable program and outputting a security detection result. The device comprises a decompilation module, a feature extraction module, a recovery module, an optimization module and a detection module. The electronic device comprises a memory, a processor and a computer program stored in the memory and runnable on the processor for implementing the target application security detection method.

Description

Target application safety detection method and device and electronic equipment
Technical Field
The invention relates to the technical field of intelligent terminal software security, and in particular to a target application security detection method, a target application security detection device and electronic equipment.
Background
With the rapid popularization of intelligent terminal devices, the number of applications for intelligent terminals has also grown explosively. While mobile applications increase rapidly, the number and variety of malicious software also increase, and the resulting security hazards have a serious impact. Research shows that more and more malicious software evades detection by existing security detection means through software obfuscation techniques; most of this malicious software uses control flow flattening as its basis, changing or complicating the program control flow of the software so that the difficulty of analysis is greatly increased.
Existing de-obfuscation techniques can be divided into general PC program de-obfuscation and Android program de-obfuscation:
In general PC program de-obfuscation, the de-obfuscation approaches proposed by Francis Gabriel, El-Faramaw and others restore an obfuscated function into a control flow graph, but cannot resolve the challenges introduced by basic block splitting and instruction optimization, and because context inheritance and sub-function calls are not considered, the success rate is low when large programs are analyzed; the general method proposed by Yadegari et al. for automatically de-obfuscating x86 binary code is not suitable for analyzing Android programs.
In Android program de-obfuscation, most existing methods address de-obfuscation of the Java layer. They can solve layout obfuscation to a certain extent, but still cannot cope with the changes to program logic caused by control flow flattening obfuscation.
Disclosure of Invention
In view of the above, an object of the present invention is to provide a target application security detection method, apparatus and electronic device that can perform accurate de-obfuscation of malicious software obfuscated by control flow flattening, so as to achieve effective security detection of the malicious software.
Based on the above object, the present invention provides a target application security detection method, which includes:
decompiling the target application to generate an intermediate representation;
extracting key feature values of the obfuscated control-flow relationship among a plurality of program blocks composing the intermediate representation;
recovering the obfuscated control-flow relationship by split symbolic execution according to the key feature values to obtain a normal control-flow relationship;
optimizing the normal control-flow relationship, and generating a corresponding executable program according to the optimized normal control-flow relationship;
and performing security detection on the executable program and outputting a security detection result.
Optionally, the extracting key feature values of the obfuscated control-flow relationship among the program blocks constituting the intermediate representation includes:
selecting a dispatcher program block from the plurality of program blocks according to the code instruction content;
determining a Switch scheduling structure among the program blocks according to the jump instruction in the dispatcher program block;
determining a jump routing variable according to a comparison instruction in the dispatcher program block;
the key feature values comprise the Switch scheduling structure and the jump routing variable.
Optionally, the determining a jump routing variable according to a comparison instruction in the dispatcher program block includes:
V = immediate + ins.address + n
wherein V denotes the jump routing variable, ins.address denotes the address of the comparison instruction, and n denotes an offset; the offset n is 8 in ARM instruction set mode and 4 in Thumb instruction set mode.
Optionally, the recovering the obfuscated control-flow relationship by split symbolic execution according to the key feature values to obtain a normal control-flow relationship includes:
the program blocks comprise a Prologue program block, a dispatcher program block, relevant program blocks and a Return program block; an out-of-order block queue is established for the Prologue program block, the relevant program blocks and the Return program block, and the Prologue program block is placed at the head of the queue;
starting from the head program block of the out-of-order block queue, determining the successor program block of each program block in the out-of-order block queue by split symbolic execution according to the key feature values, and adjusting the order of the plurality of program blocks in the out-of-order block queue to obtain a positive-sequence block queue;
and determining the normal control-flow relationship according to the positive-sequence block queue.
Optionally, the determining, by split symbolic execution according to the key feature values, the successor program block of each program block in the out-of-order block queue, and adjusting the order of the plurality of program blocks in the out-of-order block queue includes:
A: setting an execution pointer to point to the first position of the out-of-order block queue, and setting an exchange pointer to point to the second position of the out-of-order block queue;
B: if the program block pointed to by the execution pointer is at the tail of the queue, finishing the order adjustment;
otherwise, judging the jump type of the program block pointed to by the execution pointer: if the jump type is a conditional jump, executing step C, and if the jump type is an unconditional jump, executing step G;
C: determining, according to the key feature values, the True-branch successor program block corresponding to the True jump branch of the program block currently pointed to by the execution pointer;
D: exchanging the position of the True-branch successor program block with that of the program block currently pointed to by the exchange pointer, and moving the exchange pointer back by one position;
E: determining, according to the key feature values, the False-branch successor program block corresponding to the False jump branch of the program block currently pointed to by the execution pointer;
F: exchanging the position of the False-branch successor program block with that of the program block currently pointed to by the exchange pointer, moving the exchange pointer back by one position, and executing step I;
G: determining, according to the key feature values, the Only-branch successor program block corresponding to the unique jump branch of the program block currently pointed to by the execution pointer;
H: exchanging the position of the Only-branch successor program block with that of the program block currently pointed to by the exchange pointer, moving the exchange pointer back by one position, and executing step I;
I: moving the execution pointer back by one position, and returning to step B.
Optionally, in the process of adjusting the order of the plurality of program blocks in the out-of-order block queue, before the position of the program block currently pointed to by the exchange pointer is exchanged with the True-branch successor program block, the False-branch successor program block or the Only-branch successor program block, the execution state of the corresponding successor program block is saved;
after the execution pointer is moved back by one position, the execution state of the program block it points to is restored.
Optionally, the optimizing the normal control-flow relationship includes:
for two program blocks connected by an unconditional jump, if the degree of the parent-node program block is not more than 1, merging the two program blocks.
Optionally, the optimizing the normal control-flow relationship includes:
for a plurality of program blocks each having two jump branches, if the program blocks are connected in series by one branch and the other branch of each program block points to the same successor program block, optimizing the jump structure among the program blocks into a loop structure.
Based on the above object, the present invention further provides a target application security detection device, comprising:
a decompilation module configured to decompile the target application to generate an intermediate representation;
a feature extraction module configured to extract key feature values of the obfuscated control-flow relationship among a plurality of program blocks constituting the intermediate representation;
a recovery module configured to recover the obfuscated control-flow relationship by split symbolic execution according to the key feature values to obtain a normal control-flow relationship;
an optimization module configured to optimize the normal control-flow relationship and generate a corresponding executable program according to the optimized normal control-flow relationship;
and a detection module configured to perform security detection on the executable program and output a security detection result.
In view of the above object, the present invention further provides an electronic device, which includes a memory, a processor and a computer program stored in the memory and runnable on the processor, wherein the processor implements the target application security detection method when executing the program.
From the above it can be seen that the target application security detection method provided by the invention decompiles a target application to obtain an intermediate representation, statically cuts the original control flow by means of the extracted key feature values of the original control flow so as to overcome the problems caused by basic block splitting, then takes each basic block as an analysis target and dynamically adjusts the analysis order to preserve and restore the context inheritance relationship as far as possible, and further optimizes the instructions after the dynamic adjustment, so that the target application is accurately de-obfuscated and effective security detection of the target application is achieved.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly described below. It is obvious that the drawings described below show only some embodiments of the present invention, and that those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of a target application security detection method according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of a control flow flattening obfuscation method;
Fig. 3 is a schematic diagram of a method for extracting key feature values in a target application security detection method according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of the intermediate representation obtained by decompiling in a target application security detection method according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of a method for recovering an obfuscated control-flow relationship in a target application security detection method according to an embodiment of the present invention;
Fig. 6 is a schematic diagram of a method for adjusting the order of program blocks in an out-of-order block queue in a target application security detection method according to an embodiment of the present invention;
Fig. 7-1 is a schematic diagram of a method for adjusting the order of program blocks when the execution pointer points to a conditional-jump program block in a target application security detection method according to an embodiment of the present invention;
Fig. 7-2 is a schematic diagram of a method for adjusting the order of program blocks when the execution pointer points to an unconditional-jump program block in a target application security detection method according to an embodiment of the present invention;
Fig. 8 is a schematic diagram of a jump structure for optimizing the normal control-flow relationship in a target application security detection method according to an embodiment of the present invention;
Fig. 9 is a schematic diagram of a jump structure for optimizing the normal control-flow relationship in a target application security detection method according to an embodiment of the present invention;
Fig. 10 is a schematic diagram of a target application security detection apparatus according to an embodiment of the present invention;
Fig. 11 is a schematic diagram of an electronic device for security detection of a target application according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to specific embodiments and the accompanying drawings.
It should be noted that all expressions using "first" and "second" in the embodiments of the present invention are used to distinguish two entities that have the same name but are not the same entity or do not have the same parameters; "first" and "second" are merely for convenience of description and should not be construed as limiting the embodiments of the present invention, and this is not repeated in the following embodiments.
In one aspect, the invention provides a target application security detection method.
As shown in Fig. 1, some optional embodiments of the present invention provide a target application security detection method, including:
S1: decompiling the target application to generate an intermediate representation;
S2: extracting key feature values of the obfuscated control-flow relationship among a plurality of program blocks composing the intermediate representation;
S3: recovering the obfuscated control-flow relationship by split symbolic execution according to the key feature values to obtain a normal control-flow relationship;
S4: optimizing the normal control-flow relationship, and generating a corresponding executable program according to the optimized normal control-flow relationship;
S5: and performing security detection on the executable program and outputting a security detection result.
Fig. 2 shows the principle of control flow flattening obfuscation: all easily recognizable conditional jumps, loop structures and the like in the original code are removed and replaced by a large Switch structure, and this large Switch structure guides the control flow into the basic blocks. As shown in the figure, control flow flattening obfuscation replaces the simple jump structure of the original code shown in the left half of the figure with the complex control-flow jump structure shown in the right half, so that the control-flow relationship becomes difficult to identify; the complete execution code of the original program is split into basic blocks, and the context inheritance relationship between the basic blocks is also disturbed. These operations make the de-obfuscation of control-flow-flattened software difficult.
The target application security detection method decompiles a target application to obtain an intermediate representation, statically cuts the original control flow by means of the extracted key feature values of the original control flow so as to overcome the problems caused by basic block splitting, takes each basic block as an analysis target and dynamically adjusts the analysis order to preserve and restore the context inheritance relationship as far as possible, and further optimizes the instructions after the dynamic adjustment, so that the target application is accurately de-obfuscated and effective security detection of the target application can be achieved.
As shown in Fig. 3, in a target application security detection method according to some alternative embodiments of the present invention, the step S2 of extracting key feature values of the obfuscated control-flow relationship among the plurality of program blocks constituting the intermediate representation includes:
S21: selecting a dispatcher program block from the plurality of program blocks according to the code instruction content;
S22: determining a Switch scheduling structure among the program blocks according to the jump instruction in the dispatcher program block;
S23: determining a jump routing variable according to a comparison instruction in the dispatcher program block;
the key feature values comprise the Switch scheduling structure and the jump routing variable.
Fig. 4 is a schematic diagram of the intermediate representation after control flow flattening obfuscation. The program blocks composing the intermediate representation include the Prologue block, the Dispatcher block, the Relevant blocks and the Return block. The Dispatcher block can be selected according to the code instruction content of each program block: a program block that ends with a conditional jump instruction and consists of three instructions is a Dispatcher block. The large Switch jump structure of the target application is determined according to the jump instructions in the plurality of Dispatcher blocks, and the jump routing variable is determined according to the comparison instruction in the Dispatcher block.
In the target application security detection method, after the target application is decompiled to obtain the intermediate representation, the key feature values are determined from the code instructions of each program block. This realizes static cutting of the original control flow of the target application, makes the plurality of program blocks independent of one another, facilitates their dynamic adjustment, and solves the problem caused by basic block splitting.
In some alternative embodiments of the present invention, in a target application security detection method, the step S23 of determining a jump routing variable according to a comparison instruction in the dispatcher program block includes:
V = immediate + ins.address + n
wherein V denotes the jump routing variable, ins.address denotes the address of the comparison instruction, and n denotes an offset; the offset n is 8 in ARM instruction set mode and 4 in Thumb instruction set mode. As shown in Fig. 4, the code instructions of each program block are assembly instructions of the ARM instruction set, for which the offset n is 8; the code instructions of a program block may also be instructions of the Thumb instruction set, for which the offset n is 4.
As shown in Fig. 5, in a target application security detection method according to some alternative embodiments of the present invention, the step S3 of recovering the obfuscated control-flow relationship by split symbolic execution according to the key feature values to obtain a normal control-flow relationship includes:
S31: the program blocks comprise the Prologue block, the Dispatcher block, the Relevant blocks and the Return block; an out-of-order block queue is established for the Prologue block, the Relevant blocks and the Return block, and the Prologue block is placed at the head of the queue;
the Prologue block is the first block executed when the program runs, and therefore it is also placed at the head of the queue as the first block to be analyzed.
S32: starting from the head program block of the out-of-order block queue, determining the successor program block of each program block in the out-of-order block queue by split symbolic execution according to the key feature values, and adjusting the order of the plurality of program blocks in the out-of-order block queue to obtain a positive-sequence block queue;
S33: and determining the normal control-flow relationship according to the positive-sequence block queue.
In the target application security detection method, a queue is created for the program blocks other than the Dispatcher block; at this point the order of the program blocks in the queue is out of order, i.e. an out-of-order block queue has been created. The order of the program blocks in the out-of-order block queue is then adjusted using the key feature values, and finally the positive-sequence block queue is obtained.
As shown in Fig. 6, in a target application security detection method according to some alternative embodiments of the present invention, the step S32 of determining the successor program block of each program block in the out-of-order block queue by split symbolic execution according to the key feature values, and adjusting the order of the plurality of program blocks in the out-of-order block queue, includes:
A: setting an execution pointer to point to the first position of the out-of-order block queue, and setting an exchange pointer to point to the second position of the out-of-order block queue;
B: if the program block pointed to by the execution pointer is at the tail of the queue, finishing the order adjustment;
otherwise, judging the jump type of the program block pointed to by the execution pointer: if the jump type is a conditional jump, executing step C, and if the jump type is an unconditional jump, executing step G;
C: determining, according to the key feature values, the True-branch successor program block corresponding to the True jump branch of the program block currently pointed to by the execution pointer;
D: exchanging the position of the True-branch successor program block with that of the program block currently pointed to by the exchange pointer, and moving the exchange pointer back by one position;
E: determining, according to the key feature values, the False-branch successor program block corresponding to the False jump branch of the program block currently pointed to by the execution pointer;
F: exchanging the position of the False-branch successor program block with that of the program block currently pointed to by the exchange pointer, moving the exchange pointer back by one position, and executing step I;
G: determining, according to the key feature values, the Only-branch successor program block corresponding to the unique jump branch of the program block currently pointed to by the execution pointer;
H: exchanging the position of the Only-branch successor program block with that of the program block currently pointed to by the exchange pointer, moving the exchange pointer back by one position, and executing step I;
I: moving the execution pointer back by one position, and returning to step B.
In the target application security detection method, before the order of the program blocks in the out-of-order block queue is adjusted, the pointers are initialized and the condition for finishing the adjustment is set, namely that when the Execution Pointer points to the program block at the tail of the queue, the order adjustment of all program blocks in the queue is complete. During the adjustment, the program block pointed to by the Execution Pointer is always taken as the target, and different subsequent operations are performed according to the jump type of that program block.
As shown in Fig. 7-1, when the program block pointed to by the Execution Pointer ends in a conditional jump, taking the Prologue block as an example, the Prologue block generally has two successor branches, and the two successor branch paths can be determined from the key feature values by split symbolic execution. The True-branch successor of the Prologue block is determined to be Block5; the position of Block5 is exchanged with that of Block1, which is pointed to by the Swap Pointer, so that after the exchange Block5 is at the second position of the out-of-order block queue and Block1 at the sixth position, and the Swap Pointer is moved back by one position to point to Block2. Then the False-branch successor of the Prologue block is determined to be Block3; the position of Block3 is exchanged with that of Block2, which is pointed to by the Swap Pointer, so that after the exchange Block3 is at the third position of the out-of-order block queue and Block2 at the fourth position, and the Swap Pointer is moved back by one position to point to Block3. After the successor blocks of both branches have been determined and exchanged, the Execution Pointer is moved back by one position and points to Block5.
As shown in Fig. 7-2, when the program block pointed to by the Execution Pointer ends in an unconditional jump, taking Block5 as an example, it has only a unique jump branch, and the unique jump branch path can be determined from the key feature values by split symbolic execution. The Only-branch successor of Block5 is determined to be Block1, as indicated in Fig. 7-2; Block1 is then exchanged with Block2, which is pointed to by the Swap Pointer, so that after the exchange Block1 is at the fourth position of the out-of-order block queue; the Swap Pointer is moved back by one position to point to Block4, and the Execution Pointer is then moved back by one position to point to Block3.
In the target application security detection method, the key feature values are used to adjust the order of the program blocks in the out-of-order block queue, and finally the positive-sequence block queue is obtained.
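The following is an added example, not code from the patent or its authors, that carries steps A to I through in Python on a constructed flattened function: the Switch table SWITCH and the routing values in BLOCKS are made up so that the first two execution-pointer steps reproduce the swaps of Fig. 7-1 and 7-2, successors() stands in for the split symbolic execution step, routing_variable() applies the V formula of S23, and the execution-state save/restore of the later embodiment is not modelled. The check that leaves a successor already ahead of the exchange pointer in place is an addition not stated in the patent's steps; it is what keeps the procedure well-defined when two blocks share a successor.

```python
"""Recover the normal control flow of a control-flow-flattened function by
reordering the out-of-order block queue (steps A to I of the patent).

Constructed example, not code from the patent or its authors.  The Switch
table and the routing values each block writes are made up so that the first
two execution-pointer steps reproduce the swaps described for Fig. 7-1 and 7-2.
"""
from dataclasses import dataclass

ARM_PC_OFFSET = 8    # in ARM mode the PC reads as ins.address + 8
THUMB_PC_OFFSET = 4  # in Thumb mode it reads as ins.address + 4


def routing_variable(ins_address: int, immediate: int, thumb: bool = False) -> int:
    """V = immediate + ins.address + n, the value the dispatcher compares against."""
    n = THUMB_PC_OFFSET if thumb else ARM_PC_OFFSET
    return immediate + ins_address + n


@dataclass(frozen=True)
class Block:
    name: str
    # Routing values written before jumping to the dispatcher: (true, false)
    # for a conditional jump, (only,) for an unconditional one, () for Return.
    routes: tuple


def successors(block: Block, switch: dict) -> tuple:
    """Stand-in for the split symbolic execution step: each routing value the
    block can write is resolved through the Switch scheduling structure."""
    return tuple(switch[r] for r in block.routes)


def reorder(queue: list, blocks: dict, switch: dict):
    """Return (positive-sequence queue, edges, snapshots).

    edges maps every block name to its successor names (the recovered normal
    control-flow relationship); snapshots holds the queue after each move of
    the execution pointer so the Fig. 7-1 / 7-2 states can be inspected."""
    q = list(queue)
    edges, snapshots = {}, []
    exec_ptr, swap_ptr = 0, 1                    # step A

    def place(name: str) -> None:
        nonlocal swap_ptr
        pos = q.index(name)
        # Not in the patent's steps: a successor already ahead of the exchange
        # pointer (shared successor or back edge) has been placed and stays.
        if pos < swap_ptr:
            return
        q[pos], q[swap_ptr] = q[swap_ptr], q[pos]  # steps D/F/H: exchange ...
        swap_ptr += 1                            # ... and move the pointer back

    while exec_ptr != len(q) - 1:                # step B: stop at the tail
        blk = blocks[q[exec_ptr]]
        succ = successors(blk, switch)           # steps C/E (two) or G (one)
        edges[blk.name] = succ
        for s in succ:
            place(s)
        exec_ptr += 1                            # step I
        snapshots.append(list(q))
    edges[q[exec_ptr]] = successors(blocks[q[exec_ptr]], switch)
    return q, edges, snapshots


# Constructed flattened function.  SWITCH is the Switch scheduling structure
# (routing value -> block); the routing values are arbitrary.
SWITCH = {0x10: "Block1", 0x20: "Block2", 0x30: "Block3",
          0x40: "Block4", 0x50: "Block5"}
BLOCKS = {
    "Prologue": Block("Prologue", (0x50, 0x30)),  # True -> Block5, False -> Block3
    "Block5":   Block("Block5", (0x10,)),         # Only -> Block1
    "Block3":   Block("Block3", (0x40,)),         # Only -> Block4
    "Block1":   Block("Block1", (0x20,)),         # Only -> Block2
    "Block4":   Block("Block4", (0x20,)),         # Only -> Block2
    "Block2":   Block("Block2", ()),              # Return block
}
# Queue as built in S31: Prologue first, the rest in the order they were found.
OUT_OF_ORDER = ["Prologue", "Block1", "Block2", "Block3", "Block4", "Block5"]

if __name__ == "__main__":
    ordered, edges, snaps = reorder(OUT_OF_ORDER, BLOCKS, SWITCH)
    for i, snap in enumerate(snaps, 1):
        print("after step", i, snap)
    for name in ordered:
        print(name, "->", edges[name] or "(return)")
```

The first snapshot is the Fig. 7-1 state (Block5 second, Block3 third, Block2 fourth, Block1 sixth) and the second is the Fig. 7-2 state (Block1 fourth, Block2 sixth).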
In a method for detecting security of a target application provided in some optional embodiments of the present invention, in a process of adjusting a sequence of a plurality of program blocks in an out-of-order block queue, before exchanging a position of a program block currently pointed to by the exchange pointer with a program block that follows a True branch, a program block that follows a False branch, or a program block that follows an Only branch, an execution state of the corresponding program block is saved;
after the execution pointer is shifted backward by one bit, the execution state of the block it points to is restored.
In the target application safety detection method, the execution state of the program block in the out-of-order block queue is stored before position exchange is carried out on the program block, and the periodic execution state is recovered when the subsequent program block is determined by taking the program block as a target.
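The pointer-driven reordering described above for fig. 7 (and laid out as steps A to I in claim 5, with the state save/restore of claim 6), as an added example that is not the patent's own code; the successor relations of the blocks are constructed here, whereas the patented method obtains them by split symbolic execution over the key feature values.

```python
# Added example, not the patent's code: the out-of-order block queue
# reordering of claim 5 (steps A to I) with the state save/restore of
# claim 6, run on a queue constructed to match the fig. 7 walkthrough.
# Successor relations are given directly here; in the patented method they
# come from split symbolic execution over the key feature values.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Block:
    name: str
    jump: str                     # "cond", "uncond" or "ret"
    true: Optional[str] = None    # True-branch (or Only-branch) successor
    false: Optional[str] = None   # False-branch successor
    state: dict = field(default_factory=dict)  # stand-in for the execution state


def _place(queue, swap, name, saved):
    """Steps D/F/H: save the successor's execution state, exchange it with the
    block at the Swap Pointer, then advance the Swap Pointer. A successor that
    already sits before the Swap Pointer was placed earlier (a back edge or a
    successor shared by two blocks); leaving it alone is our assumption, the
    claim does not cover that case."""
    idx = next(i for i, b in enumerate(queue) if b.name == name)
    if idx < swap:
        return swap
    saved[name] = dict(queue[idx].state)
    queue[idx], queue[swap] = queue[swap], queue[idx]
    return swap + 1


def reorder(blocks):
    """Return the block names in positive-sequence order; blocks[0] must be
    the Prologue block."""
    queue = list(blocks)
    saved = {}
    exec_ptr, swap = 0, 1                 # step A
    while exec_ptr < len(queue) - 1:      # step B: stop at the tail of the queue
        cur = queue[exec_ptr]
        if cur.jump == "cond":            # steps C to F
            swap = _place(queue, swap, cur.true, saved)
            swap = _place(queue, swap, cur.false, saved)
        elif cur.jump == "uncond":        # steps G and H
            swap = _place(queue, swap, cur.true, saved)
        exec_ptr += 1                     # step I
        nxt = queue[exec_ptr]
        if nxt.name in saved:             # claim 6: restore the saved state
            nxt.state = saved[nxt.name]
    return [b.name for b in queue]


def control_flow(blocks):
    """Normal control flow relation read off the blocks as (src, branch, dst)."""
    edges = []
    for b in blocks:
        if b.jump == "cond":
            edges += [(b.name, "True", b.true), (b.name, "False", b.false)]
        elif b.jump == "uncond":
            edges.append((b.name, "Only", b.true))
    return edges


# Constructed fig. 7 queue: Prologue at the head, Block1..Block5 out of order.
FIG7 = [
    Block("Prologue", "cond", true="Block5", false="Block3"),
    Block("Block1", "uncond", true="Block4"),
    Block("Block2", "ret"),
    Block("Block3", "cond", true="Block4", false="Block2"),
    Block("Block4", "uncond", true="Block2"),
    Block("Block5", "uncond", true="Block1"),
]

if __name__ == "__main__":
    print(reorder(FIG7))  # ['Prologue', 'Block5', 'Block3', 'Block1', 'Block4', 'Block2']
```

The first three pointer moves reproduce the positions quoted for fig. 7-1 and 7-2 (Block5 second, Block3 third, Block1 fourth); the remaining blocks are already in place, which is where the skip in `_place` matters.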
As shown in fig. 8, in a method for detecting security of a target application according to some alternative embodiments of the present invention, the optimizing the normal control flow relationship S4 includes:
for two program blocks connected by an unconditional jump, if the degree of the parent node of the program block is not more than 1, the two program blocks are merged.
Fig. 8 shows a jump connection relationship between nodes in which the program blocks represented by nodes 3, 4 and 5 are connected by unconditional jumps. For nodes 3 and 4, the degree of node 1, the parent of node 3, is 2; for nodes 4 and 5, the degree of node 3, the parent of node 4, is 1, so the program blocks represented by nodes 4 and 5 can be merged.
In this target application security detection method, some redundant jump structures may remain in the recovered normal control flow relationship; merging the two connected node program blocks of such a structure simplifies and optimizes the executable program code that is finally obtained and facilitates the subsequent security performance detection of the executable program.
As shown in fig. 9, in a method for detecting security of a target application according to some alternative embodiments of the present invention, the optimizing the normal control flow relationship S4 includes:
for a plurality of program blocks each having two jump branches, if the program blocks are connected in series by one branch and the other branch of each points to the same successor program block, the jump structure among these program blocks is optimized into a loop structure.
Fig. 9 shows a jump connection relationship between nodes. The program blocks represented by nodes 1, 2, 3 and 4 each have two jump branches; nodes 1 to 4 are connected in series in sequence through one branch, and the other branch of each points to node 6. The jump structure among the blocks represented by nodes 1 to 4 can therefore be optimized into a loop structure.
In this target application security detection method, some redundant jump structures may remain in the recovered normal control flow relationship; optimizing a plurality of serially connected node program blocks into a loop structure streamlines and optimizes the executable program code that is finally obtained and facilitates the subsequent security performance detection of the executable program.
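The two optimizations of the normal control flow relationship (the merge of fig. 8 / claim 7 and the loop structure of fig. 9 / claim 8), as an added example that is not the patent's own code; the graphs are constructed to match the two figures, and the extra guards on the merge are our assumptions, stated in the comments.

```python
# Added example, not the patent's code: the two optimizations of the normal
# control flow relationship from claims 7 and 8, run on graphs constructed to
# match fig. 8 and fig. 9. A graph maps each node to the ordered list of its
# jump targets: one target is an unconditional jump, two targets a conditional
# jump, no target a return block.


def parents(cfg, node):
    return [p for p, targets in cfg.items() if node in targets]


def merge_unconditional(cfg):
    """Claim 7: two blocks u -> v joined by an unconditional jump are merged
    when the degree of u's parent node is not more than 1. Two assumptions of
    ours: every parent of u must satisfy the bound, and v must have no parent
    other than u (otherwise the merge would duplicate v's code)."""
    cfg = {n: list(t) for n, t in cfg.items()}
    merged = []
    changed = True
    while changed:
        changed = False
        for u, targets in list(cfg.items()):
            if len(targets) != 1 or targets[0] == u or targets[0] not in cfg:
                continue
            v = targets[0]
            parent_ok = all(len(cfg[p]) <= 1 for p in parents(cfg, u))
            if parent_ok and parents(cfg, v) == [u]:
                name = f"{u}+{v}"
                cfg[name] = cfg.pop(v)        # merged block keeps v's jumps
                del cfg[u]
                for t in cfg.values():        # redirect edges into u or v
                    for i, dst in enumerate(t):
                        if dst in (u, v):
                            t[i] = name
                merged.append((u, v))
                changed = True
                break
    return cfg, merged


def serial_loops(cfg):
    """Claim 8: find runs of two-branch blocks linked in series by one branch
    whose other branch always points to the same successor; each run is what
    the method rewrites as a loop structure. Returns [(chain, shared_exit)]."""
    found, used = [], set()
    for start, targets in cfg.items():
        if len(targets) != 2 or start in used:
            continue
        best = ([], None)
        for exit_ in targets:                 # try each branch as the exit
            chain, cur = [], start
            while (cur in cfg and len(cfg[cur]) == 2 and exit_ in cfg[cur]
                   and cfg[cur][0] != cfg[cur][1] and cur not in chain):
                chain.append(cur)
                cur = next(t for t in cfg[cur] if t != exit_)
            if len(chain) > len(best[0]):
                best = (chain, exit_)
        if len(best[0]) >= 2:
            found.append(best)
            used.update(best[0])
    return found


# Constructed graphs: fig. 8 (nodes 3 -> 4 -> 5 joined by unconditional jumps,
# node 1 has degree 2) and fig. 9 (nodes 1..4 chained, each also jumping to 6).
FIG8 = {1: [2, 3], 2: [6], 3: [4], 4: [5], 5: [6], 6: []}
FIG9 = {1: [2, 6], 2: [3, 6], 3: [4, 6], 4: [5, 6], 5: [7], 6: [7], 7: []}

if __name__ == "__main__":
    print(merge_unconditional(FIG8)[1])  # [(4, 5)]
    print(serial_loops(FIG9))            # [([1, 2, 3, 4], 6)]
```

On the fig. 8 graph only nodes 4 and 5 merge, exactly as the description states; the merged block is not joined to node 6 because node 6 has a second parent, which is the guard the claim leaves open.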
In another aspect, the invention further provides a target application safety detection device.
As shown in fig. 1, some alternative embodiments of the present invention provide a security detection apparatus for a target application, including:
a decompilation module 1 configured to decompile the target application to generate an intermediate expression;
a feature extraction module 2 configured to extract key feature values of the obfuscated control flow relationships among the plurality of program blocks constituting the intermediate expression;
a recovery module 3 configured to recover the obfuscated control flow relationship by split symbolic execution according to the key feature values, so as to obtain a normal control flow relationship;
an optimization module 4 configured to optimize the normal control flow relationship and generate a corresponding executable program according to the optimized normal control flow relationship;
and a detection module 5 configured to perform security performance detection on the executable program and output a security detection result.
In another aspect, the invention further provides an electronic device for executing the target application security detection method.
As shown in fig. 11, the electronic apparatus includes:
one or more processors 601 and a memory 602, one processor 601 being illustrated in fig. 6.
The electronic device executing the target application security detection method may further include: an input device 603 and an output device 603.
The processor 601, the memory 602, the input device 603 and the output device 603 may be connected by a bus or other means, and fig. 7 illustrates the connection by a bus as an example.
The memory 602, serving as a non-volatile computer-readable storage medium, may be used to store non-volatile software programs, non-volatile computer-executable programs, and modules, such as program instructions/modules corresponding to the target application security detection method in the embodiments of the present application. The processor 601 executes various functional applications and data processing of the server by running nonvolatile software programs, instructions and modules stored in the memory 602, that is, implements the target application security detection method of the above method embodiment.
The memory 602 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created according to use of a device that performs the target application security detection method, and the like. Further, the memory 602 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some embodiments, memory 602 optionally includes memory located remotely from processor 601, and these remote memories may be connected to member user behavior monitoring devices via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device 603 may receive input numeric or character information and generate key signal inputs related to user settings and function control of the device performing the security detection method for the target application. The output device 603 may include a display device such as a display screen.
The one or more modules are stored in the memory 602 and when executed by the one or more processors 601, perform the target application security detection method in any of the above method embodiments. The technical effect of the embodiment of the device for executing the target application security detection method is the same as or similar to that of any method embodiment.
The apparatus of the foregoing embodiment is used to implement the corresponding method in the foregoing embodiment, and has the beneficial effects of the corresponding method embodiment, which are not described herein again.
Those of ordinary skill in the art will understand that: the discussion of any embodiment above is meant to be exemplary only, and is not intended to intimate that the scope of the disclosure, including the claims, is limited to these examples; within the idea of the invention, also features in the above embodiments or in different embodiments may be combined, steps may be implemented in any order, and there are many other variations of the different aspects of the invention as described above, which are not provided in detail for the sake of brevity.
In addition, well known power/ground connections to Integrated Circuit (IC) chips and other components may or may not be shown within the provided figures for simplicity of illustration and discussion, and so as not to obscure the invention. Furthermore, devices may be shown in block diagram form in order to avoid obscuring the invention, and also in view of the fact that specifics with respect to implementation of such block diagram devices are highly dependent upon the platform within which the present invention is to be implemented (i.e., specifics should be well within purview of one skilled in the art). Where specific details (e.g., circuits) are set forth in order to describe example embodiments of the invention, it should be apparent to one skilled in the art that the invention can be practiced without, or with variation of, these specific details. Accordingly, the description is to be regarded as illustrative instead of restrictive.
While the present invention has been described in conjunction with specific embodiments thereof, many alternatives, modifications, and variations of these embodiments will be apparent to those of ordinary skill in the art in light of the foregoing description. For example, other memory architectures (e.g., dynamic ram (dram)) may use the discussed embodiments.
The embodiments of the invention are intended to embrace all such alternatives, modifications and variances that fall within the broad scope of the appended claims. Therefore, any omissions, modifications, substitutions, improvements and the like that may be made without departing from the spirit and principles of the invention are intended to be included within the scope of the invention.

Claims (10)

1. A target application security detection method, characterized by comprising the following steps:
decompiling the target application to generate an intermediate expression;
extracting key feature values of the obfuscated control flow relationships among the plurality of program blocks composing the intermediate expression;
recovering the obfuscated control flow relationship by split symbolic execution according to the key feature values to obtain a normal control flow relationship;
optimizing the normal control flow relationship, and generating a corresponding executable program according to the optimized normal control flow relationship;
and performing security performance detection on the executable program and outputting a security detection result.
2. The method of claim 1, wherein extracting key feature values of obfuscated control flow relationships between blocks that make up the intermediate representation comprises:
according to the code instruction content, selecting a scheduling program block from the plurality of program blocks;
determining a Switch scheduling structure among the program blocks according to the jump instruction in the scheduling program block;
determining a jump routing variable according to a comparison instruction in the scheduling program block;
the key characteristic value comprises the Switch scheduling structure and the jump routing variable.
3. The method of claim 2, wherein determining a jump routing variable based on a compare instruction in the scheduler block comprises:
V = ins.address + n + immediate
where V denotes the jump routing variable, ins.address denotes the address of the compare instruction, immediate denotes the immediate value in the compare instruction, and n denotes an offset; the offset n is 8 in ARM instruction set mode and 4 in Thumb instruction set mode.
4. The method of claim 1, wherein recovering the obfuscated control flow relationship by split symbolic execution according to the key feature value to obtain a normal control flow relationship comprises:
the program blocks comprise a Prologue program block, a scheduling program block, related program blocks and a return program block; an out-of-order block queue is established for the Prologue program block, the related program blocks and the return program block, with the Prologue program block placed at the head of the queue;
starting from the head program block of the out-of-order block queue, determining the successor program block of each program block in the out-of-order block queue by split symbolic execution according to the key feature value, and adjusting the order of the program blocks in the out-of-order block queue to obtain a positive-sequence block queue;
and determining the normal control flow relation according to the positive sequence block queue.
5. The method of claim 4, wherein determining the successor program block of each program block in the out-of-order block queue by split symbolic execution according to the key feature value comprises:
A: setting an execution pointer to point to the first position of the out-of-order block queue, and setting an exchange pointer to point to the second position of the out-of-order block queue;
B: if the program block pointed to by the execution pointer is at the tail of the queue, finishing the order adjustment;
otherwise, judging the jump type of the program block pointed to by the execution pointer: if the jump type is a conditional jump, executing step C, and if the jump type is an unconditional jump, executing step G;
C: determining, according to the key feature value, the True branch successor program block corresponding to the True jump branch of the program block currently pointed to by the execution pointer;
D: exchanging the position of the True branch successor program block with that of the program block currently pointed to by the exchange pointer, and advancing the exchange pointer by one position;
E: determining, according to the key feature value, the False branch successor program block corresponding to the False jump branch of the program block currently pointed to by the execution pointer;
F: exchanging the position of the False branch successor program block with that of the program block currently pointed to by the exchange pointer, advancing the exchange pointer by one position, and executing step I;
G: determining, according to the key feature value, the Only branch successor program block corresponding to the unique jump branch of the program block currently pointed to by the execution pointer;
H: exchanging the position of the Only branch successor program block with that of the program block currently pointed to by the exchange pointer, advancing the exchange pointer by one position, and executing step I;
I: advancing the execution pointer by one position, and returning to step B.
6. The method of claim 5, wherein, while adjusting the order of the plurality of program blocks in the out-of-order block queue, the execution state of the respective successor program block is saved before the True branch successor program block, the False branch successor program block or the Only branch successor program block is exchanged with the program block currently pointed to by the exchange pointer;
after the execution pointer has been advanced by one position, the execution state of the program block it now points to is restored.
7. The method of claim 1, wherein the optimizing the normal control flow relationship comprises:
for two program blocks connected by an unconditional jump, if the degree of the parent node of the program block is not more than 1, the two program blocks are merged.
8. The method of claim 1, wherein the optimizing the normal control flow relationship comprises:
for a plurality of program blocks each having two jump branches, if the program blocks are connected in series by one branch and the other branch of each points to the same successor program block, the jump structure among these program blocks is optimized into a loop structure.
9. A security detection apparatus for a target application, comprising:
a decompilation module configured to decompile the target application to generate an intermediate expression;
a feature extraction module configured to extract key feature values of the obfuscated control flow relationships among the plurality of program blocks constituting the intermediate expression;
a recovery module configured to recover the obfuscated control flow relationship by split symbolic execution according to the key feature values to obtain a normal control flow relationship;
an optimization module configured to optimize the normal control flow relationship and generate a corresponding executable program according to the optimized normal control flow relationship;
and a detection module configured to perform security performance detection on the executable program and output a security detection result.
10. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method according to any of claims 1 to 8 when executing the program.
CN201910785003.3A 2019-08-23 2019-08-23 Target application safety detection method and device and electronic equipment Active CN110727925B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910785003.3A CN110727925B (en) 2019-08-23 2019-08-23 Target application safety detection method and device and electronic equipment


Publications (2)

Publication Number Publication Date
CN110727925A true CN110727925A (en) 2020-01-24
CN110727925B CN110727925B (en) 2021-02-02
