Hook-based iOS system sensitive behavior detection device and method
Technical field
The present invention relates to a technique for detecting sensitive behavior of Apple's iPhone operating system, iOS; more precisely, to a hook-based device and method for detecting sensitive iOS system behavior. It belongs to the field of software security within information security.
Background technology
At present there are few hook-based tools for detecting sensitive iOS behavior. The only open-source tool in the prior art is Introspy. Introspy-iOS is briefly introduced as follows: it is a tool on iOS for dynamically detecting software behavior and assessing software security. It consists of two parts, a behavior tracer and a behavior analyzer. The behavior tracer is installed on the iOS terminal and obtains the sensitive behavior of a designated application by hooking the application programming interfaces (APIs) of sensitive behavior; these APIs cover encryption and decryption, IPC, data storage, network connections and the like. The information on these function calls is recorded and persisted in a database. The behavior analyzer is installed on a PC; it takes the database file generated by the tracer as input, analyzes and processes it, and generates locally a result report in a specified format (such as XML or HTML) that lists every sensitive behavior carried out while the designated application ran.
Research on detection of sensitive iOS system behavior, both domestic and foreign, is sparse, and finished detection devices are rarer still. At present there is only one method for detecting sensitive iOS system behavior: sensitive file monitoring. Its basic idea is to read sensitive files in databases and match their contents. Because every sensitive database in iOS is an SQLite database, it can be accessed like any ordinary data file. The usual steps are therefore: first read the contents of the sensitive database (for example the SMS database); then, after a set interval, read the same database again and compare what was read with the earlier contents or result; from the difference, obtain the latest modification to the file and judge whether a sensitive behavior was triggered.
Current methods for detecting sensitive iOS system behavior are thus all based mainly on monitoring file operations. Although they can capture sensitive system behavior, their limitations remain considerable. For example:
(1) Poor real-time performance: detection of sensitive system behavior based on file monitoring is the most widely used method at present. Its main idea is to compare the contents of sensitive files again and again in order to judge sensitive system behavior.
For example, the sms.db file under /private/var/mobile/Library/SMS/ is read repeatedly to judge whether new data has been written; if so, the system is assumed to have sent or received an SMS message. This method is not real-time: the result is only detected some time after the message was sent or received, never immediately.
(2) High cost, low efficiency: reading a sensitive file involves several operations, such as reading the file and matching its contents, so the time and other costs are too high. If the file is large, detection efficiency drops sharply.
At present there is much malware on the iOS platform. For example, in 2012 Kaspersky Lab found a malicious application named Find & Call, which sends the user's contacts and SMS contents to a designated server without the user noticing. In 2014 Stefan Esser found the malicious plugin Unflod, which obtains the user's Apple ID and password and sends them to a given server. Such malware can trigger sensitive system behavior without the user's knowledge, such as covertly sending SMS messages, connecting to the network or making phone calls, and poses a great threat to user privacy and property. Technical personnel in the industry, at home and abroad, are therefore paying close attention to techniques that detect, while software runs, whether sensitive behavior of Apple's iOS is triggered.
Summary of the invention
In view of this, the object of the present invention is to provide a hook-based device and method for detecting sensitive iOS system behavior. The invention can monitor in real time sensitive system behaviors such as phone calls, SMS messages, network access and geographic location: it uses hook techniques to intercept the functions that every sensitive system behavior triggers, obtains the information related to the behavior, sends it to the server side, and then reports the detected system security risks to the user.
To achieve the above object, the invention provides a hook-based detection device for sensitive behavior of Apple's iOS, characterized in that: the device captures sensitive iOS system behavior in real time by hooking the application programming interfaces (APIs) of sensitive behavior, monitors the configured sensitive behaviors of the Apple terminal's iOS system, obtains the information related to each behavior, and either displays it to the user in real time at the server side or saves it as a result report for the user to audit and assess. The device consists of four parts: a behavior tracing module located in the iOS terminal layer, and, located in the PC-side layer and connected in sequence, a user interface module, a security risk reporting module and a behavior analysis module. Wherein:
The behavior tracing module detects in real time the configured sensitive behaviors of the Apple terminal's iOS system: it first receives the start-detection signal sent by the communication unit of the behavior analysis module; the hook unit in the behavior tracing module then captures in real time the configured sensitive-behavior APIs of the iOS terminal, obtains the parameters and return values of these APIs, encapsulates this information in a set format, and returns the encapsulated information to the behavior analysis module for processing over a network socket;
The user interface module is responsible for interacting with the user: on the one hand it accepts the user's request to detect the preset sensitive iOS behaviors and then sends a start signal and the types of behavior to be detected to the behavior analysis module; on the other hand it receives the sensitive system behavior information returned by the security risk reporting module and displays it to the user;
The behavior analysis module receives and parses the sensitive behavior information sent from the Apple terminal: after the communication unit of this module receives the detection types from the user interface module, it sends the start-detection signal to the behavior tracing module and forwards the return information received from the behavior tracing module to the data analysis unit for processing; the data analysis unit first decapsulates the received return information and, having obtained the result, sends it to the safety analysis unit for further analysis, after which the result is forwarded to the security risk reporting module;
The security risk reporting module, according to the analysis results of the behavior analysis module, integrates the discovered sensitive iOS system behavior information into a result report in a set format, including XML and HTML, and stores it locally for the user's audit and analysis; at the same time it sends the discovered sensitive system behavior information to the user interface module for display to the user.
To achieve the above object, the invention also provides a detection method for the hook-based iOS system sensitive behavior detection device, characterized in that the method comprises the following operation steps:
Step 1: the PC terminal layer sets the detection parameters and scope. After the user sets, on the PC terminal, the IP address and port number of the Apple terminal to be detected and the sensitive behaviors to detect, the detection device starts working.
Step 2: the behavior tracing module of the iOS terminal layer uses hook techniques to detect each sensitive application programming interface (API) and extract its parameters and return values, and sends them to the behavior analysis module of the PC-side layer.
Step 3: after the behavior analysis module of the PC-side layer receives the parameters and return values of each sensitive API, it classifies, processes and analyzes them.
Step 4: after the safety analysis unit in the behavior analysis module completes the safety analysis of the sensitive behavior, it sends the analysis result to the security risk reporting module, where it is stored in a local file of a set format; at the same time it sends the analysis result to the user interface module, where the different sensitive behaviors are displayed on their respective interfaces.
The hook-based iOS system sensitive behavior detection device of the invention can monitor the configured sensitive iOS system behaviors in an Apple terminal, obtain the information related to each behavior, and display it to the user in real time at the server side or save it as a report submitted to the user for audit and assessment. Its innovative advantages are as follows:
(A) Real-time detection of sensitive system behavior: because the detection mechanism of the device is based on hooks, its greatest advantage over other detection devices is real-time performance. For example, as soon as the system's SMS behavior is triggered, the detection device of the invention detects it immediately and obtains the recipient, the sender and the message content. Compared with monitoring the SMS database directly, the device is more efficient and strongly real-time.
(B) Comprehensive detection of sensitive system behavior: no matter how a third-party application disguises itself, when it finally wants to perform a sensitive system behavior it must call the native system API. All APIs hooked by the detection device of the invention are native system APIs, so compared with other detection devices the detection scope of the device is deeper, which ensures comprehensive detection of sensitive system behavior.
(C) Detection of multiple sensitive system behaviors and extensibility: other tools can only support specific behaviors; for example, Introspy can only detect file operations, HTTP networking and the like. The detection device of the invention monitors sensitive behavior of Apple's iOS based on hooks, and the hooks are in turn based on the MobileSubstrate framework: once the API triggered by a sensitive behavior has been identified, MobileHooker can capture that sensitive iOS system behavior, so the corresponding APIs can be added at the user's request to support detection of more sensitive system behaviors. Coverage is therefore only as deep as the hooked API: a program that reaches the same functionality through a lower-level interface than the one hooked is not captured, so each hook should be placed on the lowest native API through which the behavior must pass. At present the invention supports detection of more than five classes of sensitive system behavior, in particular the SMS behavior of the phone, which no other tool currently achieves. New sensitive system behaviors can be added continually as detection targets.
(D) Support for multiple operating system versions: compared with other software security tools, the detection device of the invention can detect in real time all sensitive system behaviors on Apple terminals running iOS 6 or later.
(E) Diversity of detection reports: after detecting sensitive iOS system behavior, the detection device of the invention automatically generates detection reports in both HTML and XML formats, which are easy to file and manage; when needed it can also generate a consolidated report of the detection results for convenient overall review and analysis.
In summary, the invention has good prospects for wide application.
Brief description of the drawings
Fig. 1 is a structural diagram of the hook-based detection device for sensitive behavior of Apple's iOS of the invention.
Fig. 2 is a flowchart of the operation steps of the detection method of the hook-based detection device for sensitive behavior of Apple's iOS of the invention.
Fig. 3 is a flowchart of the operation steps of the behavior tracing module in the iOS sensitive behavior detection device of the invention.
Fig. 4 is a flowchart of the operation steps of the behavior analysis module in the iOS sensitive behavior detection device of the invention.
Fig. 5 is a flowchart of the operation steps in an embodiment of the iOS sensitive behavior detection device of the invention.
Embodiment
To make the object, technical solutions and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings and embodiments.
The hook-based iOS system sensitive behavior detection device of the invention captures sensitive iOS system behavior in real time by hooking the application programming interfaces (APIs) of sensitive behavior; it monitors the configured sensitive behaviors of the Apple terminal's iOS system, extracts the information related to each behavior, and sends it to the PC front-end server side, where it is displayed to the user in real time or used to generate a result report for the user's audit and analysis.
The sensitive iOS system behaviors that the detection device of the invention currently supports are listed in the following table:
Behavior | Behavior information | Risk class
Phone | Numbers of both parties, call state and call duration | 5
SMS | Numbers of sender and recipient, and the message content | 5
URL connection | Web page address (URL) and connection time | 5
Geographic location | Name of the application accessing the location, and the access time | 4
Contacts | Name of the application accessing the contacts, and the access time | 4
Photo album | Name of the application accessing the album, and the access time | 4
Bluetooth | Application changing the Bluetooth state, whether the state changed, and the time of the change | 3
Referring to Fig. 1, the structure of the iOS system sensitive behavior detection device of the invention is as follows: a behavior tracing module located in the iOS terminal layer, and, located in the PC-side layer and connected in sequence, a user interface module, a security risk reporting module and a behavior analysis module, four parts in total. Wherein:
The function of the behavior tracing module is to detect in real time the configured sensitive behaviors of the Apple terminal's iOS system: it first receives the start-detection signal sent by the communication unit of the behavior analysis module; the hook unit in the behavior tracing module then captures in real time the configured sensitive-behavior APIs of the iOS terminal, obtains the parameters and return values of these APIs, encapsulates this information in a set format, and returns the encapsulated information to the behavior analysis module for processing over a network socket.
The function of the user interface module is to interact with the user: on the one hand it accepts the user's request to detect the preset sensitive iOS behaviors and then sends a start signal and the types of behavior to be detected to the behavior analysis module; on the other hand it receives the sensitive system behavior information returned by the security risk reporting module and displays it to the user.
The function of the behavior analysis module is to receive and parse the sensitive behavior information sent from the Apple terminal: after the communication unit of this module receives the detection types from the user interface module, it sends the start-detection signal to the behavior tracing module and forwards the return information received from the behavior tracing module to the data analysis unit for processing. The data analysis unit first decapsulates the received return information and, having obtained the result, sends it to the safety analysis unit for further analysis, after which the result is forwarded to the security risk reporting module.
The function of the security risk reporting module is, according to the analysis results of the behavior analysis module, to integrate the discovered sensitive iOS system behavior information into a result report in a set format, including XML and HTML, and store it locally for the user's audit and analysis; at the same time it sends the discovered sensitive system behavior information to the user interface module for display to the user.
Referring to Fig. 2, the specific operation steps of the detection method of the hook-based iOS system sensitive behavior detection device of the invention are as follows:
Step 1: the PC terminal layer sets the detection parameters and scope. After the user, through the "Settings" option on the PC terminal, configures the IP address and port number of the Apple terminal to be detected and the sensitive behaviors to detect, the detection device starts working.
In this step, the sensitive iOS system behaviors to detect on the Apple terminal are those shown in the table above and are not repeated here.
Step 2: the behavior tracing module of the iOS terminal layer uses hook techniques to detect each sensitive application programming interface (API) and extract its parameters and return values, and sends them to the behavior analysis module of the PC-side layer. The operations of step 2 are as follows (see Fig. 3):
(21) According to the sensitive behaviors configured in step 1, the behavior tracing module is loaded from the configuration file under /Library/MobileSubstrate/DynamicLibraries/ (the filter plist that accompanies the dynamic library), which specifies the scope in which the dynamic library takes effect, that is, the processes into which it is loaded.
(22) Using MobileLoader from the MobileSubstrate framework, the behavior tracing module injects its own dynamic library into the configured programs, so that when those programs start, the dynamic library is loaded into memory together with them.
(23) MobileHooker from the MobileSubstrate framework replaces the original API with a function written by the module, so that when the API corresponding to a sensitive behavior is triggered, the replacement function runs in its place.
(24) In these replacement functions, the API parameters and return value of each sensitive behavior are extracted by keyword matching and sent to the data processing unit.
(25) For each sensitive behavior, the data processing unit applies the method corresponding to that behavior to extract the information related to it from the parameters and return value.
(26) The data processing unit encapsulates the data with the packing method corresponding to each type and sends the packed data to the communication unit.
(27) The communication unit sends the data packed by the behavior tracing module to the behavior analysis module over a socket.
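The path of step 2, from the replacement function through extraction and encapsulation to the socket, as an added example that is not part of the patent and not the patent's code. It uses a hypothetical Python class `MessageService` as a stand-in for the native SMS API that MobileHooker would replace on a real device, and assumes a length-prefixed JSON frame as the "set format" of step (26), which the patent does not specify. The receiving side bounds the frame length, because the PC end is parsing input from a device whose software is under test and cannot be trusted:

```python
import json
import socket
import struct
import time
from functools import wraps


class MessageService:
    """Hypothetical stand-in for a native SMS API (assumption, not an iOS API)."""

    def send(self, recipient, text):
        return 0  # constructed return value: 0 means the message was sent


RECORDS = []  # records the replacement functions hand to the data processing unit
MAX_FRAME = 1 << 20  # upper bound on one frame from the device (assumed limit)


def install_hook(behavior, target_cls, method_name):
    """Replace target_cls.method_name with a wrapper that records parameters
    and return value and then calls the original: the role MobileHooker
    plays for a native API in steps (23) and (24)."""
    original = getattr(target_cls, method_name)

    @wraps(original)
    def replacement(self, *args):
        ret = original(self, *args)           # run the real API first
        RECORDS.append({"behavior": behavior,
                        "api": f"{target_cls.__name__}.{method_name}",
                        "args": list(args), "ret": ret, "ts": time.time()})
        return ret                            # the caller sees the original result

    setattr(target_cls, method_name, replacement)


def extract(record):
    """Step (25): per-behavior extraction of the fields named in the table above."""
    if record["behavior"] == "sms":
        recipient, content = record["args"]
        return {"behavior": "sms", "recipient": recipient, "content": content,
                "result": record["ret"], "ts": record["ts"]}
    raise ValueError(f"no extractor for behavior {record['behavior']!r}")


def encapsulate(info):
    """Step (26): 4-byte big-endian length followed by UTF-8 JSON (assumed format)."""
    payload = json.dumps(info, separators=(",", ":")).encode("utf-8")
    return struct.pack("!I", len(payload)) + payload


def decode_frame(frame):
    """Inverse of encapsulate(); rejects frames that are short, oversized or
    whose declared length disagrees with the bytes actually present."""
    if len(frame) < 4:
        raise ValueError("frame shorter than its header")
    (length,) = struct.unpack("!I", frame[:4])
    if length > MAX_FRAME:
        raise ValueError(f"declared length {length} exceeds MAX_FRAME")
    if len(frame) != 4 + length:
        raise ValueError("declared length does not match frame size")
    return json.loads(frame[4:].decode("utf-8"))


def recv_exact(sock, n):
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-frame")
        buf += chunk
    return bytes(buf)


def recv_frame(sock):
    """Step (32) on the PC side: read the header, check the bound before
    allocating, then read exactly the body."""
    header = recv_exact(sock, 4)
    (length,) = struct.unpack("!I", header)
    if length > MAX_FRAME:
        raise ValueError(f"declared length {length} exceeds MAX_FRAME")
    return decode_frame(header + recv_exact(sock, length))


install_hook("sms", MessageService, "send")


def trace_one_sms(recipient="+8613800000000", content="test message"):
    """Drive the whole path over one socket pair: the device end triggers the
    hooked API, extracts and encapsulates; the PC end receives and decodes."""
    device_end, pc_end = socket.socketpair()
    try:
        MessageService().send(recipient, content)     # constructed call; fires the hook
        device_end.sendall(encapsulate(extract(RECORDS[-1])))
        return recv_frame(pc_end)
    finally:
        device_end.close()
        pc_end.close()


if __name__ == "__main__":
    print(trace_one_sms())
```

The replacement calls the original before recording, so the return value the table asks for (call state, send result) is captured together with the parameters; a hook that only logs arguments would miss failed sends.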
Step 3: after the behavior analysis module of the PC-side layer receives the parameters and return values of each sensitive API, it classifies, processes and analyzes them. The specific operations of step 3 are as follows (see Fig. 4):
(31) The communication unit of the behavior analysis module receives the parameters and return values of each sensitive API detected by the behavior tracing module and passes them to the data analysis unit.
(32) The data analysis unit first decapsulates the data; having obtained the details of each sensitive iOS system behavior, it sends them to the safety analysis unit.
(33) The safety analysis unit analyzes the detection result according to the sensitive iOS system behaviors configured in the rule settings: each kind of sensitive iOS system behavior (phone, SMS, URL, photo album, contacts, geographic location, Bluetooth, etc.) has its own safety analysis unit, and the unit to which a behavior belongs performs the corresponding processing.
Step 4: after the safety analysis unit in the behavior analysis module completes the safety analysis of the sensitive behavior, it sends the analysis result to the security risk reporting module, where it is stored in a local file of a set format; at the same time it sends the analysis result to the user interface module, where the different sensitive behaviors are displayed on their respective interfaces.
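Steps (33) and 4 on the PC side, as an added example that is not the patent's code: decapsulated records are dispatched to one safety analysis unit per behavior, given the risk class from the table above, and written out as both XML and HTML. The behavior keys (`sms`, `url`, `location`, `contacts`, `album`, `bluetooth`), the sample records and the rules each unit applies are assumptions made for illustration; the patent does not state what its analysis units check. Every field in the report originates on the device, and an SMS body or URL is chosen by whoever sent it, so the HTML writer escapes all of it rather than trusting the tracer:

```python
import html
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Risk class of each behavior, taken from the table above.
RISK_CLASS = {"phone": 5, "sms": 5, "url": 5, "location": 4,
              "contacts": 4, "album": 4, "bluetooth": 3}


# Per-behavior safety analysis units (step 33). Rules are illustrative assumptions.
def analyze_sms(info, ctx):
    findings = []
    if info["recipient"] not in ctx["contacts"]:
        findings.append("message sent to a number not in the address book")
    if info["recipient"].startswith(ctx["premium_prefix"]):
        findings.append("message sent to a premium-rate number")
    return findings


def analyze_url(info, ctx):
    parts = urlsplit(info["url"])
    findings = []
    if parts.scheme != "https":
        findings.append("connection is not HTTPS")
    if parts.hostname not in ctx["allowed_hosts"]:
        findings.append(f"connection to unexpected host {parts.hostname}")
    return findings


def analyze_access(info, ctx):
    # location, contacts and album share one rule: was the accessing app expected?
    if info["app"] not in ctx["expected_apps"]:
        return [f"{info['app']} accessed {info['behavior']} unexpectedly"]
    return []


def analyze_bluetooth(info, ctx):
    return ["Bluetooth state changed"] if info["changed"] else []


ANALYZERS = {"sms": analyze_sms, "url": analyze_url, "location": analyze_access,
             "contacts": analyze_access, "album": analyze_access,
             "bluetooth": analyze_bluetooth}


def analyze(infos, ctx):
    """Classify each record by behavior and run the matching analysis unit."""
    results = []
    for info in infos:
        unit = ANALYZERS.get(info["behavior"])
        findings = unit(info, ctx) if unit else ["no analysis unit for this behavior"]
        results.append({"behavior": info["behavior"],
                        "risk_class": RISK_CLASS.get(info["behavior"], 0),
                        "details": {k: v for k, v in info.items() if k != "behavior"},
                        "findings": findings})
    return results


def to_xml(results):
    root = ET.Element("report")
    for r in results:
        b = ET.SubElement(root, "behavior", type=r["behavior"], risk=str(r["risk_class"]))
        for key, value in r["details"].items():
            ET.SubElement(b, key).text = str(value)     # ElementTree escapes text itself
        for f in r["findings"]:
            ET.SubElement(b, "finding").text = f
    return ET.tostring(root, encoding="unicode")


def to_html(results):
    rows = []
    for r in results:
        details = "; ".join(f"{html.escape(k)}={html.escape(str(v))}"
                            for k, v in r["details"].items())
        findings = "<br>".join(html.escape(f) for f in r["findings"]) or "none"
        rows.append(f"<tr><td>{html.escape(r['behavior'])}</td><td>{r['risk_class']}</td>"
                    f"<td>{details}</td><td>{findings}</td></tr>")
    return ('<html><body><table border="1"><tr><th>Behavior</th><th>Risk</th>'
            '<th>Details</th><th>Findings</th></tr>' + "".join(rows)
            + "</table></body></html>")


# Constructed decapsulated records, shaped after the table above (not real captures).
SAMPLE_INFOS = [
    {"behavior": "sms", "recipient": "+8610690000000",
     "content": "<script>alert(1)</script>", "result": 0},
    {"behavior": "url", "url": "http://203.0.113.7/upload", "ts": 1400000000},
    {"behavior": "contacts", "app": "com.example.flashlight", "ts": 1400000001},
    {"behavior": "bluetooth", "app": "com.apple.Preferences", "changed": True},
]
SAMPLE_CTX = {"contacts": {"+8613800000000"}, "premium_prefix": "+861069",
              "allowed_hosts": {"api.example.com"},
              "expected_apps": {"com.apple.MobileAddressBook"}}


def run_sample():
    return analyze(SAMPLE_INFOS, SAMPLE_CTX)


if __name__ == "__main__":
    results = run_sample()
    print(to_xml(results))
    print(to_html(results))
```

Keeping one analysis function per behavior, selected through `ANALYZERS`, is what makes advantage (C) cheap to realize on the PC side: adding a newly hooked API means adding one entry to the table and one function, with the reporting code untouched.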
The invention has been implemented and tested in several simulations; the test situation of one embodiment is briefly described below:
Organizations that evaluate software products and finally deploy them do not know the development process of the software. Although static detection can find potential threats in the software they use, its false-positive rate is high and it cannot make judgments while the software is running, which poses a great threat to the secure operation of these organizations. The detection device of the invention effectively solves this problem. It monitors the running state of iOS system software in real time through the hook mechanism, captures sensitive system behavior the moment it occurs, then analyzes, audits and locates the captured behavior, and generates a result report. Evaluation organizations and related units can judge the software directly and accurately from the generated report.
Fig. 5 is a block diagram of the application flow of an embodiment of the detection device of the invention.
The test results of the simulated embodiment of the invention were successful, and the object of the invention was achieved.