《计算机应用研究》|Application Research of Computers

Title: Research on software anti-dynamic reverse analysis based on opaque predicate

Original Chinese title: 基于不透明谓词的软件抗动态逆向分析研究

Authors: 韩翔宇, 李强, 黄海军, 余祥
Affiliation: Electronic Engineering Institute, Hefei 230037
Article number: 1001-3695(2017)08-2422-07
DOI: 10.3969/j.issn.1001-3695.2017.08.042
Abstract: Traditional opaque predicates complicate the internal logical structure of the predicate itself, which does little against dynamic reverse analysis of software. This paper inserts runtime-environment detection code and feeds the detection result back to the opaque predicate, so that the branch path is chosen dynamically and the protected code runs only in a safe environment, preventing it from being analyzed dynamically. It introduces the concepts of normal nodes and key nodes to raise the complexity of the predicate's internal logical structure, and describes them with a formal method. Experiments show that the approach successfully detects virtual machines and debuggers and keeps the protected code from executing there; compared with the method of hiding by instruction transformation, it achieves better concealment in static instruction statistics.
Keywords: opaque predicate; code obfuscation; anti-reverse analysis; software protection
Funding: Technical Basic Conditions Construction Project (72131022)
Electronic Engineering Institute Research Fund Project (KY15N639)
Article URL: http://www.arocmag.com/article/01-2017-08-042.html
Authors (English): Han Xiangyu, Li Qiang, Huang Haijun, Yu Xiang
Affiliation (English): Electronic Engineering Institute, Hefei 230037, China
Abstract (English): Traditional opaque predicates aim at complicating the internal construction of the predicate, which cannot cope with dynamic analysis. This paper proposed returning the result of condition checking to the predicate so that the software runs the protected code only in a safe environment, which keeps the code away from dynamic reverse analysis. This paper introduced the concepts of key point and normal point to increase the complexity of the opaque predicate and described it in a formalized language. Experimental results show that the proposed method detects the debugger and the virtual machine successfully and shows a better result in the instruction statistics than instruction transformation.
Received: 2016/9/24
Revised: 2016/12/1
Pages: 2422-2428
CLC number: TP311.5
Document code: A