基于融合编译的软件多样化保护方法

doi:10.11959/j.issn.2096-109x.2020075

Abstract

Abstract:

For the obvious characteristics and single mode of the existing common protection methods,with the help of the LLVM framework,a diversity software protection method based on fusion compilation was proposed.In the proposed method,the target software is encrypted randomly,and deeply integrated with the bunker code at the compilation level,and the encrypted target software is decrypted by memory execution technology.Then it is executed in the form of no process in memory,and the diversified protection effect of the target software is realized by the diversity of the bunker and the randomness of the fusion strategies.A number of commonly used software are selected as the test case,and the proposed method is tested from the aspects of resource cost,protection effect,comparative experiment and so on.Compared with the traditional methods such as obfuscation and packing,the proposed method has great advantages in anti-static analysis and anti-dynamic debugging,and can effectively resist the mainstream methods of reverse analyzing and cracking.

Key words: software protection, diversification, fusion compilation, memory execution, LLVM, intermediate representation

CLC Number:

TP393

Xiaobing XIONG,Hui SHU,Fei KANG. Method of diversity software protection based on fusion compilation[J]. Chinese Journal of Network and Information Security, 2020, 6(6): 13-24.

Figures/Tables 11

References 24

[1]	周国祥, 陆文海 . 基于 BHO 技术的数字版权保护系统的研究与设计[J]. 计算研究与发展, 2010,47(6): 316-320.
	ZHOU G X , LU W H . Application of BHO-based PDF digital management system[J]. Journal of Computing Research and Development, 2010,47(6): 316-320.
[2]	刘芳, 金松根, 卢国强 . 数字版权管理与数字图书馆建设[J]. 图书馆学刊, 2011(4): 105-108.
	LIU F , JIN S G , LU G Q . Digital copyright management and digital library construction[J]. Journal of Library Science, 2011(4): 105-108.
[3]	国务院 . 计算机软件保护条例[J]. 新疆新闻出版, 2013(2): 82-84.
	State Council . Regulations of protecting computer software[J]. Publishing House of Xinjiang News, 2013(2): 82-84.
[4]	刘军 . 基于 CUDA 的软件保护技术研究与实现[D]. 长沙:湖南大学, 2011: 5-25.
	LIU J . The Research and implementation of CUDA-assisted software protection technology[D]. Changsha:Hunan University, 2011: 5-25.
[5]	高艳军 . 数据安全管理系统加壳技术研究与实现[D]. 长沙:国防科学技术大学, 2008: 15-30.
	GAO Y J . Research and Implementation of packing technique for data security management System[D]. Changsha:National University of Defense Technology, 2008: 15-30.
[6]	马珂 . 基于虚拟机的内核模块行为分析技术研究[D]. 湘潭:湘潭大学, 2014: 20-28.
	MA K . Research on the technologies of kernel module behavior analysis based on VMM[D]. Xiangtan:Xiangtan University, 2014: 20-28.
[7]	郝景超 . Windows下软件实名机制的设计与实现[D]. 郑州:解放军信息工程大学, 2008: 24-36.
	HAO J C . Design and realization of the software real name mechanism in windows system[D]. Zhengzhou:PLA Information Engineering University, 2008: 24-36.
[8]	李勇 . 基于 Windows 平台的目标代码混淆[D]. 成都:电子科技大学, 2007: 37-45.
	LI Y . Object code obfuscation based on Windows platform[D]. Chengdu:University of Electronic Science and Technology of China, 2007: 37-45.
[9]	房鼎益, 张恒, 汤战勇 ,等. 一种抗语义攻击的虚拟化软件保护方法[J]. 四川大学学报(工程科学版), 2017,49(1): 159-168.
	FANG D Y , ZHANG H , TANG Z Y ,et al. DAS-VMP:a virtual machine-based software protection method for defending against semantic attacks[J]. Journal of Sichuan University (Engineering Science Edition), 2017,49(1): 159-168.
[10]	TANG Z , LI G , FANG D ,et al. Code virtualized protection system with instruction set randomization[J]. Journal of Huazhong University of Science ＆ Technology, 2016,44(3): 28-33.
[11]	KUANG K , TANG Z , GONG X ,et al. Exploiting dynamic scheduling for VM-based code obfuscation[C]// Proc of the Trustcom/Bigdatase/Ispa. 2017. 489-496.
[12]	COLLBERG C , THOMBORSON C , LOW D . A taxonomy of obfuscating transformations[J]. Department of Computer Science the University of Auckland New Zealand, 1997
[13]	COLLBERG C , THOMBORSON C , LOW D . Manufacturing cheap,resilient,and stealthy Opaque constructs[C]// Proc.25th ACM SIGPLANSIGACT Symposium on Principles of Programming Languages '98. 1998: 184-196.
[14]	BANESCU S , COLLBERG C , GANESH V ,et al. Code obfuscation against symbolic execution attacks[C]// Proceedings of the 32nd Annual Conference on Computer Security Applications. 2016: 189-200.
[15]	WANG Z , JIA C F , LIU W J ,et al. Branch obfuscation to combat symbolic execution[J]. Acta Electronica Sinica, 2015,43(5): 870-878.
[16]	潘雁, 祝跃飞, 林伟 . 基于指令交换的代码混淆方法[J]. 软件学报, 2019,30(6): 1778-1792.
	PAN Y , ZHU Y F , LIN W . Code obfuscation based on instructions swapping[J]. Journal of Software, 2019,30(6): 1788-1792.
[17]	BALACHANDRAN V , KEONG N W , EMMANUEL S . Function level control flow obfuscation for software security[C]// Eighth International Conference on Complex,Inteligence and Software Intensive Systems. 2014: 133-140.
[18]	王志 . 二进制代码路径混淆技术研究[D]. 天津:南开大学, 2012.
	WANG Z . Research on binary code path obfuscation[D]. Tianjin:Nankai University, 2012:
[19]	TAMBOLI T , AUSTIN T H , STAMP M . Metamorphic code generation from LLVM bytecode[J]. Journal of Computer Virology ＆Hacking Techniques, 2014,10(3): 177-187.
[20]	章立春 . 一种PE程序文件加载执行方法,CN 104331308 A[P]. 2015.
	ZHANG L C . A method for loading and executing PE program files,CN 104331308 A[P]. 2015.
[21]	ZHOU J . Method and apparatus for bypassing hook:CN 101414338 B[P]. 2012.
[22]	WANG H , FANG D , LI J ,et al. The research and discussion on effectiveness evaluation of software protection[C]// Proc of the Int’l Conf on Computational Intelligence and Security. 2016. 628-632.
[23]	SCHULMAN A . Finding binary clones with opstrings and function digests[J]. Dr.Dobb’s Journal, 2005,30(9): 64-70.
[24]	ZYNAMICS. Sabre BinDiff[EB].

Metrics

Recommended 0

No Suggested Reading articles found!

序号	用例名	文件大小	用例说明
1	systeminfo.exe	99 kB	Win10系统自带程序，显示本地或远程机器(包括服务包级别)的操作系统配置的信息
2	net.exe	56 kB	Win10系统自带程序，可用于管理账户、配置服务等
3	help.exe	12 kB	Win10系统自带程序，用户显示Windows下的各种帮助信息
4	telnet.exe	129 kB	Win10系统自带程序，用于连接外部特定主机和端口
5	tskill.exe	24 kB	Win10系统自带程序，用户结束指定的进程
6	where.exe	40 kB	Win10 系统自带程序，显示符合搜索模式的文件位置。在默认情况下，搜索是在当前目录和 PATH环境变量指定的路径中执行的
7	rar.exe	584 kB	Windows系统下常用压缩软件WinRAR 5.7的命令行文件
8	7z.exe	286 kB	Windows系统下常用压缩软件7z的命令行文件
9	server.exe	79 kB	Windows系统下一款常用开源远控软件
10	tcpscanner.exe	56 kB	Windows系统下一款基于TCP的端口扫描软件

用例	基本块相似性	函数相似性
systeminfo	5.3%	3.5%
net	2.4%	1.6%
help	3.1%	2.3%
telnet	5.2%	4.3%
tskill	2.6%	2.1%
where	3.9%	3.3%
rar	3.5%	2.8%
7z	4.3%	3.1%
server	6.2%	5.3%
tcpscanner	5.8%	4.3%

用例	比较维度	掩体A掩体B	掩体C掩体D	掩体E掩体F
tskill	基本块	4.3%	5.4%	4.8%
	函数	3.2%	4.6%	4.2%
7z	基本块	4.7%	5.3%	3.9%
	函数	3.1%	4.8%	3.7%
server	基本块	3.6%	3.9%	4.4%
	函数	3.3%	3.1%	3.7%

测试用例	UPX加壳			ASPack加壳			ASProtect加壳			多样化保护
测试用例	A	B	C	A	B	C	A	B	C	A	B	C
systeminfo	Y	65%	Y	Y	52%	Y	Y	36%	Y	N	0	N
net	Y	53%	Y	Y	46%	Y	Y	38%	Y	N	0	N
help	Y	68%	Y	Y	40%	Y	Y	30%	Y	N	0	N
telnet	Y	48%	Y	Y	56%	Y	Y	42%	Y	N	0	N
tskill	Y	42%	Y	Y	54%	Y	Y	46%	Y	N	0	N
where	Y	42%	Y	Y	38%	Y	Y	36%	Y	N	0	N
rar	Y	51%	Y	Y	42%	Y	Y	30%	Y	N	0	N
7z	Y	54%	Y	Y	46%	Y	Y	28%	Y	N	0	N
server	Y	80%	Y	Y	76%	Y	Y	74%	Y	N	8%	N
tcpscanner	Y	76%	Y	Y	72%	Y	Y	70%	Y	N	4%	N

Method of diversity software protection based on fusion compilation

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 11

References 24

Related Articles 3

Metrics

Recommended 0

[1]	Yuning CHI, Yunfei GUO, Yawen WANG, Hongchao HU. Software diversity evaluation method based on the properties of ROP/JOP gadgets [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 135-145.
[2]	Hao CHEN, Ping YI. Code vulnerability detection method based on graph neural network [J]. Chinese Journal of Network and Information Security, 2021, 7(3): 37-45.
[3]	Jingcheng GUO,Hui SHU,Xiaobing XIONG,Fei KANG. Software protection technology based on code fragmentation [J]. Chinese Journal of Network and Information Security, 2020, 6(6): 57-68.