JP4675642B2 - Program obfuscation apparatus, method and program - Google Patents

Description

  The present invention relates to a program obfuscation apparatus, a method thereof, and a program that can efficiently modify a program so that it is difficult for a third party to understand.

  In recent years, various services using computers have been provided. At this time, the service provider provides the user with a program for using the service. Such a program is subjected to, for example, a process of concealing some secret information using an encryption key or the like. In such a case, it is necessary to modify the program so that it is difficult for an attacker to understand. This technique is called obfuscation.

Obfuscation is also used for applications that make program analysis difficult. For example, if a program has confidential data or a confidential algorithm, multiple pointer variables to functions are introduced so that the specification of the program is not changed in the source code so that problem analysis is difficult with a secure configuration. Also, an obfuscation method is known that inserts multiple statements that assign the function address to one of the function pointer variables, and converts the function call in the program to be called according to the value of the function pointer variable. (For example, refer to Patent Document 1).
JP 2003-337629 A

  However, according to the above-described prior art, when applying the obfuscation technique, the obfuscation process cannot be efficiently performed for the increase in safety and the file size, resulting in redundant obfuscation process. turn into. In addition, there has been a problem that sufficient safety cannot be secured against an increase in file size.

  The present invention has been made based on the above circumstances, and provides a program obfuscation apparatus, a method thereof, and a program for realizing efficient obfuscation by successively calculating safety using a novel evaluation method The purpose is to do.

In order to solve the above-described problem , a program obfuscation apparatus according to one aspect of the present invention includes a program that takes in a program before obfuscation and a requirement condition for safety evaluation defined by a user via an input device. An obfuscation process for generating and outputting a plurality of obfuscated programs by executing each of a plurality of obfuscation techniques prepared in advance with respect to the captured program before obfuscation using an input capturing unit and an arithmetic device Each time the obfuscation method is executed, the difference in the instruction unit between the obfuscated program and the captured pre-obfuscated program is evaluated, and when the required condition is satisfied It terminates execution obfuscation process by obfuscation processor, and obfuscation decision output unit for outputting the program after the obfuscation, and ingredients Bei, said obfuscation decision output unit, Evaluation of the difference based on a value obtained by subtracting from the integer 1 the value obtained by dividing the number of identical instructions among the instructions constituting the program before and after the obfuscation by the total number of instructions in the program after obfuscation It is characterized by performing .

Furthermore, in this program obfuscating apparatus, the obfuscation processor is the same obfuscation catheter method executed several times to assess the degree of increase of the value generated by the obfuscation decision output unit, said plurality of The most obfuscation method is selected from the obfuscation methods and the obfuscation process is executed.

  In the present invention, the obfuscation determination output unit compares the upper limit value according to the file size further fetched through the data input fetch unit, and when the file size is equal to or smaller than the upper limit value. The obfuscation process is terminated.

In order to solve the above-described problems, a program obfuscation method according to another aspect of the present invention is a program obfuscation apparatus including an input / output device and an arithmetic unit, which modifies a program so that it is difficult for a third party to understand. A program obfuscation method used in the above-described data input capturing step for capturing a program before obfuscation and a requirement condition for safety evaluation defined by a user via the input device, and the computing device using relates the captured before obfuscation program, and obfuscation step of running each of the plurality of obfuscated catheter technique prepared in advance, generates and outputs a plurality of programs obfuscated, the obfuscated catheter method Each time, the difference in the instruction unit between the obfuscated program and the captured pre-obfuscated program is evaluated, and the request Matter was terminated flame読化process by pre-Symbol obfuscation step when filled, have a, and obfuscation determination output step of outputting the program after the obfuscation, the obfuscation determination outputting step, the obfuscation The difference is evaluated based on a value obtained by subtracting from the integer 1 the value obtained by dividing the number of identical instructions by the total number of instructions in the program after obfuscation among the instructions constituting the program before and after conversion. It is characterized by that.
Further, in the program obfuscation method, the obfuscation step executes the same obfuscation method several times to evaluate the degree of increase in the value generated by the obfuscation determination output step, and the plurality of obfuscations The obfuscation process may be executed by selecting an optimal obfuscation technique among the techniques.

In order to solve the problem described above, another aspect of the present invention, the computer program obfuscation apparatus for modifying the program to a third party is hard to understand, safety defined by obfuscation previous program and user a data input capture process to capture the requirements for sexual evaluation, the relates obfuscated program before taken to execute each of the plurality of obfuscated catheter technique prepared in advance, obfuscated plurality of programs and obfuscation process of generating output, said each execution of the respective obfuscation catheter method, to evaluate the difference between the instruction unit of a program and the captured before obfuscation program after the obfuscation, the request terminates the obfuscation process when the condition is met, met the program is executed and obfuscation determination output process, the outputs of the program after the obfuscation The obfuscation determination output process subtracts, from the integer 1, a value obtained by dividing the same number of instructions constituting the program before and after the obfuscation by the total number of instructions in the obfuscated program. The difference is evaluated based on the obtained value.

According to the present invention, the obfuscation processing unit takes in the program before obfuscation via the data input capturing unit, executes obfuscation processing according to a plurality of obfuscation methods prepared in advance, and the obfuscation determination output unit Each time the obfuscation process is executed, a safety evaluation is performed. If the user-defined requirements for safety evaluation are achieved, the obfuscation process is terminated. If not, the obfuscation process is performed again. Execute. Further, when the user defines an upper limit of the file size, the obfuscation technique is recursively executed so that the safety evaluation value becomes the maximum within the upper limit. If the safety is achieved and the file size is less than or equal to the upper limit, the process is terminated. The safety evaluation in this case is evaluated as a difference in units of instructions with respect to the program before obfuscation.
As a result, the program before obfuscation is efficiently obfuscated and modified, so that the program can be protected, and a safe system can be constructed even if the file size increases.

FIG. 1 is a block diagram showing the program development obfuscation apparatus according to the embodiment of the present invention.
As shown in FIG. 1, the program obfuscation apparatus of the present invention includes a central control unit 1, a data input capturing unit 2, an obfuscation processing unit 3, a P value evaluation unit 4, and a Q value evaluation unit 5. And the obfuscation determination output unit 6.

The data input fetching unit 2 has a function of fetching a program before obfuscation, and requirements for safety evaluation and file size defined by the user via an input device (not shown). Other requirements may include processing time. In addition, the obfuscation processing unit 3 uses an arithmetic device (not shown) and relates each of a plurality of obfuscation techniques (obfuscation algorithms) prepared in advance with respect to the program before obfuscation captured by the data input capturing unit 2. Has the ability to generate and output multiple obfuscated programs when executed.
Further, each time the obfuscation algorithm is executed, the obfuscation determination output unit 6 evaluates the obfuscated program and the captured pre-obfuscated program by the difference in units of instructions, and the data input capturing unit 2 Has the function of ending the execution of the obfuscation process by the obfuscation processing unit 3 when the request condition fetched by is satisfied. The obfuscation determination output unit 6 also performs comparison with the upper limit value according to the file size further captured via the data input capture unit 2, and if the file size is less than or equal to the upper limit value, the obfuscation processing unit 3 End the obfuscation process and output the obfuscated program.

On the other hand, the P value evaluation unit 4 subtracts from the integer 1 the value obtained by dividing the number of identical instructions by the total number of instructions after obfuscation among the instructions constituting the program before and after obfuscation. The Q value evaluation unit 5 performs the evaluation of the difference based on the magnitude, and the degree of increase of the P value generated by the P value evaluation unit 4 when the obfuscation processing unit 3 executes the same obfuscation processing procedure several times. Then, the obfuscation processing unit 3 selects an optimum obfuscation algorithm from the plurality of obfuscation algorithms and executes the obfuscation process.
The central control unit 1 serves as a control center of the program obfuscation apparatus of the present invention, and includes the data input capturing unit 2, the obfuscation processing unit 3, the P value evaluation unit 4, the Q value evaluation unit 5, and the obfuscation determination output. Sequence control between the units 6 is performed.

Hereinafter, operations related to the embodiment of the present invention will be described with reference to FIG. 2 and FIG. 3. Here, a service that provides a user with a program having an expiration date and obtains a price is assumed.
The procedure for using this service is as follows. That is, first, the user accesses the program providing site, pays a price, and makes a content download request. On the other hand, in response to a download request from the user, the program providing site inputs the original program to the program obfuscation apparatus of the present invention to obtain an obfuscated program. Further, the program providing site returns a program subjected to the obfuscation process to the user.
As a result, the user can use the received obfuscation program. The received obfuscation program includes a function for checking the expiration date, and becomes unavailable after the expiration date.

FIG. 2 is a flowchart showing an example of the obfuscation technique (obfuscation algorithm) used in the embodiment of the present invention.
Here, the obfuscation processing unit 3 first generates a random number (S21), and inputs the generated random number into an N-bit output hash function to obtain an N-bit initial value (S22). Then, the initial value of N bits obtained here is divided into n by the number of obfuscation methods to be used (S23), another random number is combined with the divided bit string until 2N bits, and again Input to the hash function to obtain N-bit random numbers corresponding to the number of obfuscation methods (S24).

Subsequently, redundancy is introduced (S25 to S27). Specifically, in S25, the N-bit random number is divided into n × 1 × m bits, and an n-bit variable name declaration is added to the portion specified by m (redundancy introduction 1). In S26, the N-bit random number is divided into n × 1m × m × p, and an n-bit variable name declaration is added to the part specified by m. Further, a dummy process is generated and added to the calculation generated in the above process using the random number p. The generation method of the dummy process is in accordance with a change in a processing procedure to be described later (redundancy introduction 2).
Next, the N-bit random number is divided into a × b bits, selected from a dummy code samples prepared in advance using the value a, and inserted at the position specified by b (redundancy level). Introduction 3).

Next, the processing procedure is changed (S28, S29). Specifically, in S28, the N-bit random number is divided into s × t × u × v, the variable used in the program is designated by the value s, and the operation designated by t is designated as the designated variable u and Then, a process for performing the inverse operation is added to the location specified by v (change in process procedure 1).
Next, in S29, the N-bit random number is divided into e × f × g × h × i, the variable used in the program is designated by the value e, and the operation designated by f is designated as the designated variable g and Is input h times, and then the process of performing the inverse operation is added to the location specified by i (Processing procedure change 2).

FIG. 3 is a flowchart cited for explaining the operation of the program obfuscation apparatus according to the embodiment of the present invention, and also shows the processing procedure of the program of the present invention.
Prior to the description of the flowchart, an evaluation formula for safety evaluation used in the embodiment of the present invention will be described. The calculation executed by the P-value evaluation unit 4 is expressed by the following formula 1.

  Here, T is the number of instructions in the entire program after obfuscation, and α is the number of instructions that is the same in the original code and the code after obfuscation. In addition to the instruction unit, the same evaluation may be performed in byte units. Further, since the optimum obfuscation method is different for each program, the Q value evaluation unit 5 may perform evaluation by performing the following Equation 2 to determine a plurality of obfuscation algorithms prepared.

  Here, α ′ is the number of instructions that are the same in programs A ′ and A ″ obtained by executing obfuscation processing for a certain program A the same number of times. That is, it is evaluated how much the P value increases when the same obfuscation is performed many times. Also here, the same evaluation is performed in units of bytes in addition to units of instructions. The Q value may be averaged by using a plurality of obfuscation programs (A ″ ″, A ″ ″...).

Hereinafter, the operation of the program obfuscation apparatus according to the embodiment of the present invention shown in FIG. 1 will be described in detail with reference to the flowchart shown in FIG.
First, the user first obfuscates the program obfuscation apparatus of the present invention using an unillustrated input device (obfuscated program), the safety level (P value) to be achieved, the file size, etc. Enter the required conditions.
The program obfuscation apparatus fetches the obfuscated program and the required conditions via the data input fetch unit 2 (S31), and supplies them to the obfuscation processing unit 3 under the control of the central control unit 1. The obfuscation processing unit 3 creates a plurality of obfuscation programs using the respective obfuscation methods as a pre-evaluation operation, and evaluates the Q value obtained by the Q value evaluation unit 5 to obtain an optimal obfuscation algorithm (S32). .

Specifically, the obfuscation processing unit 3 first selects an appropriate obfuscation algorithm and executes the obfuscation algorithm using an arithmetic device (not shown) according to the flowchart shown in FIG. Here, the Q value evaluation unit 5 calculates whether or not the safety is achieved by calculating the Q value using the programs before and after the obfuscation. The evaluation formula here follows the above-mentioned formula 2.
Subsequently, the obfuscation determination output unit 6 calculates the P value according to the above equation 1 via the P value evaluation unit 4 and evaluates the safety (S34), and the safety according to the requirement (P value). If it has been achieved, the requirement condition as to whether or not the file size is appropriate is subsequently evaluated (S35). Here, if not appropriate, the process returns to the obfuscation process (S32) using the same obfuscation technique by the obfuscation processing unit 3 or the obfuscation process (S33) according to another obfuscation technique.
When returning to the processing of S32, the obfuscation algorithm to be executed next is determined again by evaluating the Q value for the obfuscated program.

  Next, in S35, if the file size is appropriate, the obfuscation determination output unit 6 outputs the obfuscated program. If not appropriate, the process returns to S32 or S33. When returning to the processing of S32, the obfuscation algorithm to be executed next is re-determined by evaluating the Q value for the obfuscated program.

As described above, according to the present invention, the program obfuscation apparatus fetches a program before obfuscation via the data input fetch unit, activates the obfuscation processing unit 3, and provides a plurality of obfuscation algorithms prepared in advance. The obfuscation process is executed according to the conditions, and the obfuscation determination output unit 6 performs the safety evaluation every time the obfuscation process is executed once, and the requirements for the safety evaluation defined by the user are achieved. If it has not been achieved, the obfuscation process is executed again, the above determination is repeated, and the optimum obfuscation program is finally output.
Further, when the user defines an upper limit of the file size, the obfuscation algorithm is recursively executed so that the safety evaluation value becomes the maximum within the upper limit. If the safety is achieved and the file size is less than or equal to the upper limit, the same process is terminated. The safety evaluation in this case is evaluated as a difference in units of instructions with respect to the program before obfuscation. As a result, the program can be protected for efficient obfuscation, so that the program can be protected, and a safe system can be constructed even if the file size increases.

  1 is executed by each of the central control unit 1, the data input capturing unit 2, the obfuscation processing unit 3, the P value evaluation unit 4, the Q value evaluation unit 5, and the obfuscation determination output unit 6 shown in FIG. The program obfuscation apparatus of the present invention can be realized by recording the procedure to be recorded on a computer-readable recording medium, causing the computer system to read and execute the program recorded on the recording medium. The computer system here includes an OS and hardware such as peripheral devices.

Further, the “computer system” includes a homepage providing environment (or display environment) if a WWW system is used.
The program may be transmitted from a computer system storing the program in a storage device or the like to another computer system via a transmission medium or by a transmission wave in the transmission medium. Here, the “transmission medium” for transmitting the program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line.
The program may be for realizing a part of the functions described above. Furthermore, what can implement | achieve the function mentioned above in combination with the program already recorded on the computer system, and what is called a difference file (difference program) may be sufficient.

  The embodiments of the present invention have been described in detail with reference to the drawings. However, the specific configuration is not limited to the embodiments, and includes designs and the like that do not depart from the gist of the present invention.

It is the block diagram which expanded and showed the program obfuscation apparatus concerning embodiment of this invention. It is the figure which showed in a flowchart the example of the obfuscation technique (obfuscation algorithm) used in embodiment of this invention. It is the flowchart quoted in order to demonstrate operation | movement of the program obfuscation apparatus concerning embodiment of this invention.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 ... Central control part, 2 ... Data input taking-in part, 3 ... Obfuscation processing part, 4 ... P value evaluation part, 5 ... Q value evaluation part, 6 ... Obfuscation determination output part

Claims (6)

A data input capturing unit that captures, via an input device, a pre-obfuscation program and a user-defined safety evaluation requirement;
Using an arithmetic device, an obfuscation processing unit that generates and outputs a plurality of obfuscated programs by executing each of a plurality of obfuscation techniques prepared in advance with respect to the captured program before obfuscation,
Each time the obfuscation method is executed, the difference in the instruction unit between the obfuscated program and the captured pre-obfuscated program is evaluated, and the obfuscation processing is performed when the required condition is satisfied. An obfuscation determination output unit that ends the obfuscation process by the unit and outputs the obfuscated program;
Was immediately Bei,
The obfuscation determination output unit
Of the instructions constituting the program before and after obfuscation, the difference is evaluated based on a value obtained by subtracting from the integer 1 a value obtained by dividing the same number of instructions by the total number of instructions in the obfuscated program. program obfuscation apparatus and performs. The obfuscation processing unit
The same obfuscation catheter method executed several times to assess the degree of increase of the value generated by the obfuscation decision output unit, the select the best obfuscation of the plurality of obfuscation techniques obfuscate The program obfuscation apparatus according to claim 1 , wherein the program obfuscation process is executed. (Old claim 4)
The obfuscation determination output unit
A comparison with the upper limit value is performed in accordance with a file size further fetched via the data input fetch unit, and the obfuscation process is terminated if the file size is equal to or smaller than the upper limit value. The program obfuscation apparatus according to claim 1 or 2 . A program obfuscation method used in a program obfuscation device including an input / output device and an arithmetic device, which modifies a program so that it is difficult for a third party to understand.
A data input capturing step for capturing a program before obfuscation and a requirement for safety evaluation defined by a user via the input device;
Using the computing device, a said captured before obfuscation program, and obfuscation step of running each of the plurality of obfuscated catheter technique prepared in advance, it generates and outputs a plurality of programs obfuscated,
Wherein each execution of the respective obfuscation catheter method, before Symbol obfuscated when evaluated differences in instruction units of said captured obfuscated program before the program after the obfuscation, satisfying the requirements reduction to terminate the flame読化processing in step, and obfuscation determination output step of outputting the program after the obfuscation,
I have a,
The obfuscation determination output step includes:
Of the instructions constituting the program before and after obfuscation, the difference is evaluated based on a value obtained by subtracting from the integer 1 a value obtained by dividing the same number of instructions by the total number of instructions in the obfuscated program. A program obfuscation method characterized by:   The obfuscation step comprises:
  The same obfuscation technique is executed several times to evaluate the degree of increase in the value generated by the obfuscation determination output step, and the most obfuscation technique is selected from the plurality of obfuscation techniques. The program obfuscation method according to claim 4, wherein processing is executed. To the computer of the program obfuscation device that modifies the program so that it is difficult for a third party to understand ,
A data input capture process that captures the program before obfuscation and the requirements for safety assessment defined by the user;
Relates the captured before obfuscation program, running each of the plurality of obfuscated catheter technique prepared in advance, and obfuscation process for generating and outputting a plurality of programs obfuscated,
Each execution of each of the obfuscation catheter method, the obfuscation when evaluated differences in instruction units of a program and the captured before obfuscation program after the obfuscation, satisfying the requirements An obfuscation determination output process for terminating the process and outputting the obfuscated program;
The a program to be executed,
The obfuscation determination output process includes:
Of the instructions constituting the program before and after obfuscation, the difference is evaluated based on a value obtained by subtracting from the integer 1 a value obtained by dividing the same number of instructions by the total number of instructions in the obfuscated program. The program characterized by performing.

Images