基于代码碎片化的软件保护技术

doi:10.11959/j.issn.2096-109x.2020063

Abstract

Abstract:

Aiming at the shortcomings of the current software protection technology,a code fragmentation technology was proposed.This technology is a new software protection technology that takes functions as units,shells functions,randomizes memory layout,and performs dynamic linking.The code shellization realizes the position-independent morphing of code fragments,the memory layout randomizes the random memory loading of the code fragments,the dynamic linking realizes the dynamic execution of the code fragments,and the program fragmentation processing is achieved through the above three links.The experiments show that the code fragmentation technology can not only realize the randomization of the memory location of function fragments during program execution,but also the dynamic link execution of function fragments,increasing the difficulty of static reverse analysis and dynamic reverse debugging of the program,and improving the anti-reverse analysis ability of the program.

Key words: code fragmentation, software protection, separation, dynamic linking

CLC Number:

TP309.5

Jingcheng GUO,Hui SHU,Xiaobing XIONG,Fei KANG. Software protection technology based on code fragmentation[J]. Chinese Journal of Network and Information Security, 2020, 6(6): 57-68.

Figures/Tables 15

标识符	定义
G_di	f _i 中所使用的全局变量的集合
LC_di	f _i 中所使用的局部变量的集合
T_i	f _i 的导入表
I_i	f _i 中所有指令的集合
$Q_{I_{i} \to G_{d i}}$	指令与全局变量的关系
$Q_{I_{i} \to L C_{d i}}$	指令与局部变量的关系
$Q_{I_{i} \to L C_{d i}}$	指令与导入函数的关系
P_i	调用 f_i 的所有函数的集合
$L_{P_{i} \to f_{i}}$	调用 f_i 的函数与 f_i 的调用关系
C_i	f _i 调用的所有函数的集合
$L_{f_{i} \to C_{i}}$	f _i 与 f_i 调用的函数的调用关系
$M_{f_{i}}$	f_i 在PE文件中的内存布局

标识符	定义
S₁	G_di→G_{new di}
S₂	T_i→T_{new i}
S₃	I_i→I _newi
S₄	$Q_{I_{i} \to G_{d i}} \to Q_{I_{new i} \to G_{new d i}}$
S₅	$Q_{I_{i} \to T_{i}} \to Q_{I_{new i} \to T_{new i}}$

标识符	定义
D₁	$L_{P_{i} \to f_{i}} \to L_{new P_{i} \to f_{i}}$
D₂	$L_{f_{i} \to C_{i}} \to L_{new f_{i} \to C_{i}}$

References 16

[1]	许团, 屈蕾蕾, 石文昌 . 基于结构特征的二进制代码安全缺陷分析模型[J]. 网络与信息安全学报, 2017,3(9): 31-39.
	XU T , QU L L , SHI W C . Analysis model of binary code security flaws based on structure characteristics[J]. Chinese Journal of Network and Information Security, 2017,3(9): 31-39.
[2]	孙博文, 黄炎裔, 温俏琨 ,等. 基于静态多特征融合的恶意软件分类方法[J]. 网络与信息安全学报, 2017,3(11): 68-76.
	SUN B W , HUANG Y Y , WEN Q K ,et al. Malware classification method based on static multiple-feature fusion[J]. Chinese Journal of Network and Information Security, 2017,3(11): 68-76.
[3]	李伟明, 邹德清, 孙国忠 . 针对恶意代码的连续内存镜像分析方法[J]. 网络与信息安全学报, 2017,3(2): 20-30.
	LI W M , ZOU D Q , SUN G Z . Successive memory image analysis method for malicious codes[J]. Chinese Journal of Network and Information Security, 2017,3(2): 20-30.
[4]	王健 . 基于完整性验证和壳的软件保护技术研究[D]. 太原:中北大学, 2018.
	WANG J . Research on software protection technology based on in-tegrity verification and shell[D]. Taiyuan:North China University, 2018.
[5]	杜春来, 孔丹丹, 王景中 ,等. 一种基于指令虚拟化的代码保护模型[J]. 信息网络安全, 2017(2): 22-28.
	DU C L , KONG D D , WANG J Z ,et al. A code protection model based on instruction virtualization[J]. Netinfo Security, 2017(2): 22-28.
[6]	BALACHANDRAN V , EMMANUEL S , KEONG N . Obfuscation by code fragmentation to evade reverse engineering[C]// 2014 IEEE International Conference on Systems,Man,and Cybernetics (SMC. 2014.
[7]	BALACHANDRAN V , KEONG N W , EMMANUEL S . Function level control flow obfuscation for software security[C]// Eighth International Conference on Complex,Intelligence and Software Intensive Systems. 2014: 133-140.
[8]	LASZLO T , KISS A . Obfuscating C++ programs via control flow flattening[R]. 2009.
[9]	JUNOD P , RINALDINI J , WEHRLI J ,et al. Obfusca-torLLVM-software protection for the masses[C]// 2015 IEEE/ACM 1st International Workshop on Software Protection. 2015: 3-9.
[10]	DAVIDSON J , HILL J , KNIGHT J . Protection of software-based survivability mechanisms[C]// 2013 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). 2001: 193-193.
[11]	WANG C , HILL J , KNIGHT J . Software tamper resistance:obstructing static analysis of programs[J]. 2000:
[12]	WANG C . A security architecture for survivability mechanisms[D]. Virginia:University of Virginia,School of Engineering and Applied Science, 2000.
[13]	蒋华, 刘勇, 王鑫 . 基于控制流的代码混淆技术研究[J]. 计算机应用研究, 2013,30(3): 897-899.
	JIANG H , LIU Y , WANG X . Code confusion technology research based on control flow[J]. Application Research of Computers, 2013,30(3): 897-899.
[14]	王旭 . 基于目标代码的控制流混淆技术研究[D]. 北京:北京邮电大学, 2013.
	WANG X . Research on control flow obfuscation technology based on object code[D]. Beijing:Beijing University of Posts and Telecommunications, 2013.
[15]	王丰峰, 张涛, 徐伟光 ,等. 进程控制流劫持攻击与防御技术综述[J]. 网络与信息安全学报, 2019,5(6): 10-20.
	WANG F F , ZHANG T , XU W G ,et al. Overview of control-flow hijacking attack and defense techniques for process[J]. Chinese Journal of network and information security, 2019,5(6): 10-20.
[16]	乔向东, 郭戎潇, 赵勇 . 代码复用对抗技术研究进展[J]. 网络与信息安全学报, 2018,4(3): 1-12.
	QIAO X D , GUO R X , ZHAO Y . Research progress in code reuse attacking and defending[J]. Chinese Journal of Network and Information Security, 2018,4(3): 1-12.

Metrics

Recommended 0

No Suggested Reading articles found!

测试源码程序	代码行数	函数数量	功能描述
rsa	678	52	非对称加密算法
rc4	184	13	流加密算法，密钥长度可变，对称加密算法
MD5	115	10	密码哈希函数，产生一个128 bi（t 16 Byte）的哈希值
aes	279	25	区块长度固定为 128 bit，密钥长度是128矩阵加密算法
des	203	5	密钥加密的块算法，区块长度64 bit，密钥长度56 bit
sm4	259	20	分组加密算法，分组长度与密钥长度均为128 bit
sha256	125	18	密码哈希函数，产生一个256 bit的哈希值
gzip	4 514	144	文件压缩算法
huffman	225	21	可变字长编码方式
Huffcomprs	630	27	哈夫曼压缩算法

测试源码程序	碎片化前	碎片化后
rsa	52	0
rc4	45	0
MD5	46	0
aes	43	0
des	42	0
sm4	43	0
sha256	45	0
gzip	80	0
huffman	48	0
Huffcomprs	51	0

测试源码程序	碎片块数	函数调用表项数	间接调用比例（碎片化前）	间接调用比例（碎片化后）
rsa	37	37	10%	82%
rc4	4	4	40%	80%
MD5	3	3	33%	67%
aes	17	17	26%	76%
des	1	1	50%	67%
sm4	12	12	17%	69%
sha256	11	11	28%	49%
gzip	99	99	12%	78%
huffman	10	10	24%	54%
Huffcomprs	9	9	22%	56%

测试源码程序	碎片化前/ms	碎片化后/ms	时间开销增加比例
rsa	3 515	3 813	8.48%
rc4	15	16	6.67%
MD5	15	16	6.67%
aes	15	16	6.67%
des	31	32	3.23%
sm4	16	31	93.75%
sha256	15	16	6.67%
gzip	437	734	67.96%
huffman	31	47	51.62%
Huffcomprs	94	141	50.00%

Software protection technology based on code fragmentation

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 15

References 16

Related Articles 2

Metrics

Recommended 0

[1]	Fan GAO, Jian WANG, Jiqiang LIU. Research on link detection technology based on dynamic browser fingerprint [J]. Chinese Journal of Network and Information Security, 2022, 8(4): 144-156.
[2]	Xiaobing XIONG,Hui SHU,Fei KANG. Method of diversity software protection based on fusion compilation [J]. Chinese Journal of Network and Information Security, 2020, 6(6): 13-24.