CN117251171B - Predicate basic block detection method and equipment in control flow graph - Google Patents


Info

Publication number
CN117251171B
Authority
CN
China
Prior art keywords
basic block
basic
control flow
flow graph
predicate
Legal status
Active
Application number
CN202311542195.8A
Other languages
Chinese (zh)
Other versions
CN117251171A (en)
Inventor
乐德广
董琴平
牛传军
李亚杰
阚志刚
Current Assignee
Changshu Institute of Technology
Original Assignee
Changshu Institute of Technology
Priority date
2023-11-20
Filing date
2023-11-20
Publication date
2024-04-12
Application filed by Changshu Institute of Technology
Priority to CN202311542195.8A
Publication of CN117251171A
Application granted
Publication of CN117251171B
Active legal status
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 8/00 Arrangements for software engineering
    • G06F 8/40 Transformation of program code
    • G06F 8/41 Compilation
    • G06F 8/43 Checking; Contextual analysis
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 11/00 Error detection; Error correction; Monitoring
    • G06F 11/36 Preventing errors by testing or debugging software
    • G06F 11/362 Software debugging
    • G06F 11/3644 Software debugging by instrumenting at runtime
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The invention discloses a predicate basic block detection method and equipment in a control flow graph. The detection method comprises the following steps: obtaining basic blocks from the constructed control flow graph; filtering out the basic blocks of system methods in the control flow graph to obtain a basic block set containing only user code; and examining the basic blocks in the user-code basic block set, judging a basic block to be a predicate basic block if it has multiple successor basic blocks in the control flow graph, contains a conditional jump instruction, and has an out-degree of 2 or more in the control flow graph. The algorithm of the invention not only extracts the control flow graph of a binary program rapidly and accurately, but also eliminates the influence of system methods and function call instructions on the rapid screening of predicate basic blocks.

Description

Predicate basic block detection method and equipment in control flow graph
Technical Field
The invention belongs to the technical field of software detection, and relates to a predicate basic block detection method and equipment in a control flow graph.
Background
The control flow graph (Control Flow Graph, CFG) is an abstract representation of a program that reflects all possible execution paths between the basic blocks of the program, and it is an important part of binary program analysis. In a control flow graph, a basic block that contains a conditional statement and has multiple jump branches is called a predicate basic block. During execution, when the program reaches a predicate basic block, it selects the basic block connected to the corresponding branch according to the conditional statement and continues executing from there. Such branching execution structures complicate the execution flow of the program and make program analysis harder. Opaque predicate obfuscation adds predicate basic blocks with branching execution structures to a program; the control flow graph of the obfuscated program is complicated by these predicate basic blocks, so program analysis becomes more difficult. Identifying and analyzing predicate basic blocks is therefore a critical task in detecting opaque predicates.
Application number 2016105417477 discloses a method for extracting function call paths based on a control flow graph. It obtains the intermediate code of the source code, analyzes the intermediate code to identify the code blocks in it, and generates a control flow graph from the intermediate code, in which the nodes are code blocks and the edges between nodes are the function call relations within the code blocks; it then analyzes the number of function calls contained in the nodes of the control flow graph to convert the control flow graph into a function call relation graph. That method extracts function call paths and does not address the detection of predicate basic blocks among the basic blocks.
Disclosure of Invention
The invention aims to provide a predicate basic block detection method and equipment in a control flow graph that can effectively extract the predicate basic blocks in the control flow graph of a binary program.
The technical solution for realizing the purpose of the invention is as follows:
A predicate basic block detection method in a control flow graph comprises the following steps:
S01: obtaining basic blocks from the constructed control flow graph;
S02: filtering out the basic blocks of system methods in the control flow graph to obtain a basic block set containing only user code;
S03: examining the basic blocks in the user-code basic block set, and judging a basic block to be a predicate basic block if it has multiple successor basic blocks in the control flow graph, contains a conditional jump instruction, and has an out-degree of 2 or more in the control flow graph.
In a preferred embodiment, step S03 further includes:
S31: judging whether a basic block of the control flow graph contains a function call;
S32: if the basic block contains a function call instruction, obtaining the control flow graph of the called function, finding its end block, and then jumping to the basic block connected to the call's return.
In a preferred embodiment, the end block is found by depth-first traversal.
In a preferred embodiment, the method of filtering system method basic blocks in step S02 includes:
judging whether a system method is present in the basic block by checking for the 'Ijk_Sys_syscall' jump type, an identifier beginning with a prefix such as str, mem, strcpy or printf, a naming pattern such as std::vector or std::map, or a namespace such as std::cout or std::string; if a system method is present, the basic block is a system method basic block.
In a preferred embodiment, the filtering of system method basic blocks in step S02 further includes:
judging whether a basic block of the control flow graph has been visited and, if not, visiting it and marking it as visited.
The invention also discloses a predicate basic block detection device in a control flow graph, which comprises:
a basic block acquisition module, which obtains basic blocks from the constructed control flow graph;
a user-code basic block set calculation module, which filters out the basic blocks of system methods in the control flow graph to obtain a basic block set containing only user code;
and a predicate basic block detection module, which examines the basic blocks in the user-code basic block set and judges a basic block to be a predicate basic block if it has multiple successor basic blocks in the control flow graph, contains a conditional jump instruction, and has an out-degree of 2 or more in the control flow graph.
In a preferred embodiment, the predicate basic block detection module further includes a call instruction processing module, whose processing method includes:
S31: judging whether a basic block of the control flow graph contains a function call;
S32: if the basic block contains a function call instruction, obtaining the control flow graph of the called function, finding its end block, and then jumping to the basic block connected to the call's return.
In a preferred embodiment, the end block is found by depth-first traversal.
In a preferred embodiment, the method of filtering system method basic blocks in step S02 includes:
judging whether a system method is present in the basic block by checking for the 'Ijk_Sys_syscall' jump type, an identifier beginning with a prefix such as str, mem, strcpy or printf, a naming pattern such as std::vector or std::map, or a namespace such as std::cout or std::string; if a system method is present, the basic block is a system method basic block.
The invention also discloses a computer storage medium on which a computer program is stored; when executed, the program implements the predicate basic block detection method in a control flow graph.
Compared with the prior art, the invention has the following notable advantages:
the algorithm of the invention not only extracts the control flow graph of a binary program rapidly and accurately, but also eliminates the influence of system methods and function call instructions on the rapid screening of predicate basic blocks.
Drawings
FIG. 1 is a flowchart of the predicate basic block detection method in a control flow graph of the present embodiment;
FIG. 2 is a schematic block diagram of the predicate basic block detection device in a control flow graph of the present embodiment.
Detailed Description
The principle of the invention is as follows: filter out the system method basic blocks among the basic blocks of the control flow graph; judge whether each basic block of the control flow graph has been visited and, if not, mark it as visited; judge whether a basic block of the control flow graph contains a function call and, if it does, jump to the basic block connected after the call returns; and screen out predicate basic blocks by the criteria that a basic block has multiple successors, has an out-degree of 2 or more in the control flow graph, and contains a conditional jump instruction. In this way predicate basic blocks can be extracted rapidly and accurately, and the influence of system methods and function call instructions on the rapid screening of predicate basic blocks is eliminated.
Example 1:
As shown in FIG. 1, the predicate basic block detection method in a control flow graph comprises the following steps:
S01: obtaining basic blocks from the constructed control flow graph;
S02: filtering out the basic blocks of system methods in the control flow graph to obtain a basic block set containing only user code;
S03: examining the basic blocks in the user-code basic block set, and judging a basic block to be a predicate basic block if it has multiple successor basic blocks in the control flow graph, contains a conditional jump instruction, and has an out-degree of 2 or more in the control flow graph.
In a preferred embodiment, step S03 further includes:
S31: judging whether a basic block of the control flow graph contains a function call;
S32: if the basic block contains a function call instruction, obtaining the control flow graph of the called function, finding its end block, and then jumping to the basic block connected to the call's return.
In a preferred embodiment, the end block is found by depth-first traversal.
In a preferred embodiment, the method of filtering system method basic blocks in step S02 includes:
judging whether a system method is present in the basic block by checking for the 'Ijk_Sys_syscall' jump type, an identifier beginning with a prefix such as str, mem, strcpy or printf, a naming pattern such as std::vector or std::map, or a namespace such as std::cout or std::string; if a system method is present, the basic block is a system method basic block.
In a preferred embodiment, the filtering of system method basic blocks in step S02 further includes:
judging whether a basic block of the control flow graph has been visited and, if not, visiting it and marking it as visited.
In another embodiment, a computer storage medium has a computer program stored on it which, when executed, implements the predicate basic block detection method in a control flow graph described above.
In yet another embodiment, as shown in FIG. 2, a predicate basic block detection device in a control flow graph includes:
a basic block acquisition module 10, which obtains basic blocks from the constructed control flow graph;
a user-code basic block set calculation module 20, which filters out the basic blocks of system methods in the control flow graph to obtain a basic block set containing only user code;
a predicate basic block detection module 30, which examines the basic blocks in the user-code basic block set and judges a basic block to be a predicate basic block if it has multiple successor basic blocks in the control flow graph, contains a conditional jump instruction, and has an out-degree of 2 or more in the control flow graph.
Specifically, the workflow of the predicate basic block detection device in a control flow graph is described below, taking a preferred embodiment as an example:
The algorithm obtains basic blocks from the constructed control flow graph, but the control flow graph also contains basic blocks belonging to system methods, whereas the algorithm is only concerned with the user-code part. To retain only the basic blocks related to user code, the system method basic blocks in the control flow graph must be filtered out. Filtering them yields a basic block set containing only user code, so that the behaviour and logic of the user code can be analyzed and processed more accurately. This optimization concentrates the basic block analysis on the user-code part and ignores the influence of system methods on the control flow graph, improving both the efficiency and the accuracy of the analysis. Next, the basic blocks in the user-code basic block set are analyzed: if a basic block has multiple successor basic blocks in the control flow graph and contains a conditional jump instruction, it is identified as a predicate basic block and added to the predicate basic block list; finally, the predicate basic block list is output. During this process, if a basic block contains a function call instruction, control may pass into other functions. To eliminate the influence of other functions, the algorithm of the invention handles the call instruction in the basic block: when a function call is encountered, the control flow graph of the called function is obtained, its end block (the basic block containing the return instruction) is found quickly by depth-first traversal, and the analysis then jumps to the basic block connected to the call's return. All predicate basic blocks in the program can be determined by this algorithm.
The algorithm is described in Algorithm 1.
Algorithm 1: predicate basic block screening algorithm
Input: control flow graph G = (V, E)
Output: predicate basic block list predicateBlocks
function predicateBlockFiltering(G)
    predicateBlocks ← [ ]                // initialize the predicate basic block list as an empty list
    blocks ← getBlocks(G)                // store all basic blocks of the control flow graph G in the list blocks
    filter the system method basic blocks out of blocks
    for basicBlock in blocks do
        if basicBlock has not been visited then
            mark basicBlock as visited
            if basicBlock contains a function call then
                block ← the basic block connected after the call returns
                add block to blocks
                continue                 // skip the current iteration and process the next basic block
            end if
            if basicBlock has >= 2 successor blocks and basicBlock contains a conditional jump instruction then
                add basicBlock to predicateBlocks
            end if
        end if
    end for
    return predicateBlocks               // return the predicate basic block list
end function
The technical key points of the invention, which are the points to be protected, are as follows: (1) filtering out the system method basic blocks among the basic blocks of the control flow graph; (2) judging whether a basic block of the control flow graph has been visited and, if not, marking it as visited; (3) judging whether a basic block of the control flow graph contains a function call and, if it does, jumping to the basic block connected after the call returns; (4) screening out predicate basic blocks by the criteria that a basic block has multiple successors, has an out-degree of 2 or more in the control flow graph, and contains a conditional jump instruction.
The method of filtering system method basic blocks is as follows: the judgment is made by checking information such as the namespace, package name or identifier of the function or method in which the basic block is located.
Specifically, whether a system method is present in a basic block is judged by combining the 'Ijk_Sys_syscall' jump type, identifiers beginning with prefixes such as str, mem, strcpy or printf, naming patterns such as std::vector or std::map, and namespaces such as std::cout or std::string.
Checking whether each basic block of the control flow graph has been visited ensures that every basic block in the control flow graph is examined and none is missed.
Out-degree and in-degree are concepts from the graph data structure. In a directed graph, the number of edges incident to a vertex is called the degree of the vertex. In the control flow graph of the present invention, the number of outgoing edges of a basic block is called the out-degree of the basic block.
Whether a basic block of the control flow graph contains a function call is judged from the call instruction. A call instruction is a call to a subroutine and should be followed by a subroutine name or procedure name. If a call instruction is present, the basic block contains a function call; otherwise it does not.
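As an added, runnable illustration of Algorithm 1 and the key points above (this is not the patent's own code), the following Python implementation screens a small constructed control flow graph. The BasicBlock model, the block and symbol names, the `entries` map from function name to entry block, and the x86 conditional-jump mnemonic set are assumptions; the system-method heuristics, the visited marking and the call handling follow the page.

```python
from dataclasses import dataclass, field

@dataclass
class BasicBlock:  # constructed, simplified model of a disassembled CFG block
    name: str
    symbol: str                                # function the block belongs to
    instrs: list                               # mnemonics, e.g. "cmp", "jne", "call helper", "ret"
    succs: list = field(default_factory=list)  # names of successor blocks (the out-edges)
    jumpkind: str = "Ijk_Boring"               # VEX-style jump kind of the block's exit

# S02 heuristics from the patent, plus x86 conditional-jump mnemonics (the latter are assumed).
SYSTEM_PREFIXES = ("str", "mem", "strcpy", "printf")
SYSTEM_NAMESPACES = ("std::vector", "std::map", "std::cout", "std::string")
COND_JUMPS = {"je", "jne", "jz", "jnz", "jg", "jge", "jl", "jle",
              "ja", "jae", "jb", "jbe", "js", "jns"}

def is_system_block(bb: BasicBlock) -> bool:
    """S02: syscall exit, or enclosing symbol with a system prefix / std:: namespace."""
    return (bb.jumpkind == "Ijk_Sys_syscall"
            or bb.symbol.startswith(SYSTEM_PREFIXES)
            or bb.symbol.startswith(SYSTEM_NAMESPACES))

def called_function(bb: BasicBlock):
    """S31: a 'call <name>' instruction marks a function call; return the callee name."""
    for ins in bb.instrs:
        op, _, target = ins.partition(" ")
        if op == "call":
            return target
    return None

def return_site(cfg: dict, entries: dict, callee: str):
    """S32: DFS the callee to its end block (holds 'ret'); return the block after the call's return."""
    start = entries.get(callee)
    if start is None:
        return None
    stack, seen = [start], set()
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        bb = cfg[name]
        if "ret" in bb.instrs:
            return bb.succs[0] if bb.succs else None
        stack.extend(s for s in bb.succs if cfg[s].symbol == callee)  # stay inside the callee
    return None

def has_conditional_jump(bb: BasicBlock) -> bool:
    return any(ins.split()[0] in COND_JUMPS for ins in bb.instrs)

def predicate_block_filtering(cfg: dict, entries: dict) -> list:
    """Algorithm 1: S01 collect blocks, S02 drop system blocks, S03 screen predicates."""
    predicate_blocks = []
    blocks = [n for n, bb in cfg.items() if not is_system_block(bb)]
    visited = set()
    i = 0
    while i < len(blocks):            # index loop: the list may grow during the walk
        bb = cfg[blocks[i]]
        i += 1
        if bb.name in visited:
            continue
        visited.add(bb.name)
        callee = called_function(bb)
        if callee is not None:        # call block: continue at the return site instead
            site = return_site(cfg, entries, callee)
            if site is not None:
                blocks.append(site)
            continue
        if len(bb.succs) >= 2 and has_conditional_jump(bb):
            predicate_blocks.append(bb.name)
    return predicate_blocks

# Constructed sample CFG: main calls a user function and printf; main_4 is a
# jump-table block with two successors but no conditional jump (not a predicate).
SAMPLE_CFG = {bb.name: bb for bb in [
    BasicBlock("main_0", "main", ["cmp", "jne"], ["main_1", "main_2"]),
    BasicBlock("main_1", "main", ["call helper"], ["main_3"], "Ijk_Call"),
    BasicBlock("main_2", "main", ["call printf"], ["main_3"], "Ijk_Call"),
    BasicBlock("main_3", "main", ["test", "jz"], ["main_4", "main_6"]),
    BasicBlock("main_4", "main", ["jmp"], ["main_6", "main_3"]),
    BasicBlock("main_6", "main", ["ret"]),
    BasicBlock("helper_0", "helper", ["cmp", "jle"], ["helper_1", "helper_2"]),
    BasicBlock("helper_1", "helper", ["mov"], ["helper_2"]),
    BasicBlock("helper_2", "helper", ["ret"], ["main_3"], "Ijk_Ret"),
    BasicBlock("printf_0", "printf", ["syscall"], ["printf_1"], "Ijk_Sys_syscall"),
    BasicBlock("printf_1", "printf", ["ret"], ["main_3"], "Ijk_Ret"),
]}
SAMPLE_ENTRIES = {"main": "main_0", "helper": "helper_0", "printf": "printf_0"}
```

Running `predicate_block_filtering(SAMPLE_CFG, SAMPLE_ENTRIES)` yields the three user-code blocks that end in a conditional jump with two out-edges, while the printf blocks are filtered out and the two call blocks are skipped in favour of their return site.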
The foregoing examples are preferred embodiments of the present invention, but the embodiments of the present invention are not limited to the foregoing examples, and any other changes, modifications, substitutions, combinations, and simplifications that do not depart from the spirit and principles of the present invention should be made therein and are intended to be equivalent substitutes within the scope of the present invention.

Claims (6)

1. A predicate basic block detection method in a control flow graph, characterized by comprising the following steps:
S01: obtaining basic blocks from the constructed control flow graph;
S02: filtering out the basic blocks of system methods in the control flow graph to obtain a basic block set containing only user code, wherein the method of filtering system method basic blocks comprises:
judging whether a system method is present in a basic block by checking for the 'Ijk_Sys_syscall' jump type, an identifier beginning with a prefix such as str, mem, strcpy or printf, a naming pattern such as std::vector or std::map, or a namespace such as std::cout or std::string, and if so, judging the basic block to be a system method basic block;
S03: judging whether a basic block of the control flow graph contains a function call; if the basic block contains a function call instruction, obtaining the control flow graph of the called function, finding its end block, and then jumping to the basic block connected to the call's return;
and examining the basic blocks in the user-code basic block set, and judging a basic block to be a predicate basic block if it has multiple successor basic blocks in the control flow graph, contains a conditional jump instruction, and has an out-degree of 2 or more in the control flow graph.
2. The predicate basic block detection method in a control flow graph according to claim 1, wherein the end block is found by depth-first traversal.
3. The predicate basic block detection method in a control flow graph according to claim 1, wherein the filtering of system method basic blocks in step S02 further comprises:
judging whether a basic block of the control flow graph has been visited and, if not, visiting it and marking it as visited.
4. A predicate basic block detection device in a control flow graph, comprising:
a basic block acquisition module, which obtains basic blocks from the constructed control flow graph;
a user-code basic block set calculation module, which filters out the basic blocks of system methods in the control flow graph to obtain a basic block set containing only user code, wherein the method of filtering system method basic blocks comprises:
judging whether a system method is present in a basic block by checking for the 'Ijk_Sys_syscall' jump type, an identifier beginning with a prefix such as str, mem, strcpy or printf, a naming pattern such as std::vector or std::map, or a namespace such as std::cout or std::string, and if so, judging the basic block to be a system method basic block;
a predicate basic block detection module, which examines the basic blocks in the user-code basic block set and judges a basic block to be a predicate basic block if it has multiple successor basic blocks in the control flow graph, contains a conditional jump instruction, and has an out-degree of 2 or more in the control flow graph;
wherein the predicate basic block detection module further comprises a call instruction processing module whose processing method comprises:
S31: judging whether a basic block of the control flow graph contains a function call;
S32: if the basic block contains a function call instruction, obtaining the control flow graph of the called function, finding its end block, and then jumping to the basic block connected to the call's return.
5. The predicate basic block detection device in a control flow graph according to claim 4, wherein the end block is found by depth-first traversal.
6. A computer storage medium having a computer program stored thereon, wherein the computer program, when executed, implements the predicate basic block detection method in a control flow graph of any one of claims 1 to 3.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311542195.8A CN117251171B (en) 2023-11-20 2023-11-20 Predicate basic block detection method and equipment in control flow graph

Publications (2)

Publication Number Publication Date
CN117251171A CN117251171A (en) 2023-12-19
CN117251171B true CN117251171B (en) 2024-04-12

Family

ID=89137320

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant