Hook-based iOS system critical behavior detection apparatus and method
Technical field
The present invention relates to a technology for detecting critical behaviors of Apple's mobile operating system iOS, and more specifically to a hook-based iOS system critical behavior detection apparatus and method. It belongs to the field of software security within information security.
Background technology
At present there are few hook-based iOS critical behavior detection tools. The open-source software of the prior art includes only Introspy. A brief introduction to Introspy-iOS follows: it is a tool for dynamically detecting software behavior on iOS and assessing software security. The tool is divided into two parts: a behavior tracer and a behavior analyzer. The behavior tracer is installed on the iOS terminal; by hooking the application programming interfaces (APIs) of critical behaviors it obtains the critical behaviors of a designated piece of software. These APIs include encryption and decryption, IPC, data storage, network connections and so on. Finally, the information about these function calls is recorded and persistently stored in a database. The behavior analyzer is installed on a PC; it takes the database file generated by the behavior tracer as input and, after analysis and processing, locally generates a result report in a specified format (such as xml or html) that lists all the relevant critical behaviors performed while the designated software was executing.
At present, little research has been carried out on iOS system critical behavior detection by researchers at home and abroad, and mature detection apparatus is rarer still. Currently there is only one iOS system critical behavior detection method: sensitive file monitoring. The basic idea of sensitive file monitoring is to read the sensitive files in the database and match them. Because all sensitive file databases in iOS are sqlite databases, they can be accessed like ordinary data files. The usual operating procedure of sensitive file monitoring is therefore: first read the content of the sensitive file database (such as the SMS database), then re-read the sensitive file database after every set period, and match the newly read content against the previously read content or result to obtain the latest file modifications and judge whether a sensitive behavior has been triggered.
At present, the only iOS system critical behavior detection method is based on monitoring file operations. Although it can capture the system's critical behaviors, its limitations are still considerable. For example:
(1) Poor real-time performance: system critical behavior detection based on monitoring files is the most commonly used method of iOS system critical behavior detection at present. Its main idea is to continually compare the contents of sensitive files in order to judge system critical behaviors.
For example: by continuously reading the sms.db file under the /private/var/mobile/Library/SMS/ directory, it determines whether new data has been written; if so, the system is deemed to have sent or received a text message. But this method has no real-time capability: it cannot detect the result immediately after a text message is sent or received.
(2) High cost and low efficiency: because reading sensitive files involves multiple operations such as reading the file and matching files, the time cost and other costs are too high. If the file is very large, detection efficiency is greatly reduced.
At present there is a lot of malware on the iOS platform. For example: in 2012 Kaspersky Lab found a malicious application named Find&Call, which could send the user's contacts and text message content to a specified server without the user being able to notice. In 2014 Stefan Esser found the unflod malicious plugin, which could obtain the user's AppID (application identification) and password and send them to a given server. All of this malware triggers critical behaviors of the system without the user's knowledge, such as stealthily sending text messages, connecting to the network or making calls, posing a great threat to user privacy and property. Therefore, researchers and engineers at home and abroad are paying attention to techniques for dynamically detecting whether critical behaviors of Apple's iOS are triggered while software is running.
Summary of the invention
In view of this, the object of the present invention is to provide a hook-based iOS system critical behavior detection apparatus and method. The present invention can monitor in real time system critical behaviors such as phone calls, text messages, network access and geographical location; by means of hook technology it intercepts the functions that trigger all system critical behaviors, obtains the relevant information about each critical behavior, sends it to the server, and then reports the detected system security risks to the user.
To achieve the above object, the invention provides a hook-based detection apparatus for critical behaviors of Apple's mobile operating system iOS, characterized in that: the apparatus captures iOS system critical behaviors in real time by hooking the application programming interfaces (APIs) of the critical behaviors, so as to monitor the set critical behaviors of the iOS system of an Apple terminal, obtain the information related to the set critical behaviors, and display it to the user in real time at the service end or save it as a result report for the user to audit and assess. The apparatus is composed of four parts: a behavior tracing module located at the iOS terminal layer, and, located at the PC equipment layer and connected in sequence, a user interface module, a security risk reporting module and a behavior analysis module. Wherein:
Behavior tracing module: used to detect in real time the set critical behaviors of the iOS system of the Apple terminal. It first receives the start-detection signal sent by the communication unit of the behavior analysis module, then captures in real time, through the hook unit of the behavior tracing module, the set critical behavior APIs of the iOS terminal's iOS system, obtains the parameters and return values of these APIs, encapsulates this information in a set format, and returns the encapsulated information to the behavior analysis module for processing via network socket communication;
User interface module: responsible for exchanging information with the user. On the one hand it receives the user's request to detect set critical behaviors of the iOS system, then sends the start signal and the types of critical behavior to be detected to the behavior analysis module; on the other hand it receives the iOS system set critical behavior information returned by the security risk reporting module and displays it to the user;
Behavior analysis module: used to receive and parse the set critical behavior information transmitted from the Apple terminal. After the module's communication unit receives the detection type from the user interface module, it sends the start-detection signal to the behavior tracing module, and forwards the information returned by the behavior tracing module to the data analysis unit for processing. The data analysis unit first "decapsulates" the received return information; after obtaining the result, it sends it to the safety analysis unit for subsequent analysis and then relays it to the security risk reporting module;
Security risk reporting module: responsible for integrating, according to the analysis results of the behavior analysis module, the discovered iOS system set critical behavior information into a result report in a set format including xml and html, and storing it locally for the user to audit and analyze; at the same time it sends the discovered iOS system set critical behavior information to the user interface module for display to the user.
To achieve the above object, the present invention also provides a detection method for the hook-based iOS system critical behavior detection apparatus, characterized in that the method comprises the following operating steps:
Step 1, the PC terminal layer sets the detection parameters and detection range: after the user sets, at the PC terminal, the ip address and port number of the Apple terminal to be detected and its critical behaviors, the detection apparatus starts working;
Step 2, the behavior tracing module of the iOS terminal layer uses hook technology to detect and extract the parameters and return values of each sensitive application programming interface (API), and sends them to the behavior analysis module of the PC equipment layer;
Step 3, after the behavior analysis module of the PC equipment layer receives the parameters and return values of each sensitive API, it classifies, processes and analyzes them;
Step 4, after the safety analysis unit in the behavior analysis module completes the safety analysis of the critical behaviors, it sends the analysis results to the security risk reporting module and stores them in a local file of the set format; at the same time it sends the analysis results to the user interface module, which displays them on different interfaces according to the different critical behaviors.
The hook-based iOS system critical behavior detection apparatus of the present invention can monitor the set iOS system critical behaviors in an Apple terminal, obtain the information related to those critical behaviors, and display it to the user in real time at the service end or save it as a report submitted to the user for auditing and assessment. Its innovative advantages are as follows:
(A) Real-time detection of system critical behaviors: since the detection mechanism of the apparatus is based on the hook mechanism, its greatest advantage compared with other detection apparatus is good real-time performance. For example: as soon as the system's text message behavior is triggered, the detection apparatus of the invention can immediately detect the behavior and obtain the recipient, the sender and the message content. Compared with directly monitoring the text message database, the detection apparatus is more efficient and has very strong real-time performance.
(B) Comprehensiveness of system critical behavior detection: no matter how third-party software disguises itself, when it finally wants to perform a system critical behavior it must call the system's native APIs. All of the APIs hooked in the detection apparatus of the present invention are native system APIs; compared with other detection apparatus, the detection of the present apparatus reaches deeper, which ensures the comprehensiveness of system critical behavior detection.
(C) Detection of multiple system critical behaviors and extensibility: at present, other tools can only support specific behaviors; for example, Introspy can only detect file operations, http network access and the like. The detection apparatus of the present invention monitors the critical behaviors of Apple's iOS based on hooks. Since the hooks are based on the MobileSubstrate framework, once the API that triggers a critical behavior has been determined, MobileHooker can capture that iOS system critical behavior, so the corresponding API can be added according to user requirements, adding detection support for more iOS system critical behaviors. At present the invention already supports detection of more than 5 classes of system critical behavior; in particular, detection of the mobile phone's text message system behavior is something no other current tool can achieve. The apparatus can also continually add new system critical behaviors as detection targets.
(D) Support for multiple operating system versions: compared with other software security tools, the detection apparatus of the present invention can perform real-time detection of all system critical behaviors on Apple terminals running iOS 6 and above.
(E) Diversity of detection reports: after detecting iOS system critical behaviors, the detection apparatus of the present invention can automatically generate detection reports in html format and in xml format, which makes the records easy to manage; when needed, a comprehensive report of the detection results can also be generated for convenient overall access and analysis.
In short, the present invention has good prospects for wide application.
Description of the drawings
Fig. 1 is a structural composition diagram of the hook-based detection apparatus for critical behaviors of Apple's iOS according to the present invention.
Fig. 2 is a flow chart of the operating steps of the detection method of the hook-based detection apparatus for critical behaviors of Apple's iOS according to the present invention.
Fig. 3 is a flow chart of the operating steps of the behavior tracing module in the iOS critical behavior detection apparatus of the present invention.
Fig. 4 is a flow chart of the operating steps of the behavior analysis module in the iOS critical behavior detection apparatus of the present invention.
Fig. 5 is a flow chart of the operating steps in an embodiment of the iOS critical behavior detection apparatus of the present invention.
Specific embodiment
To make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings and embodiments.
The hook-based iOS system critical behavior detection apparatus of the present invention captures critical behaviors of the iOS system in real time by hooking the application programming interfaces (APIs) of the critical behaviors, so as to monitor the set critical behaviors of the iOS system of an Apple terminal, extract the information related to those critical behaviors, and forward it to the PC front-end service end, where it is displayed to the user in real time or a result report is generated for the user to audit and analyze.
At present, the iOS system set critical behaviors that the detection apparatus of the present invention supports detecting are as shown in the following table:
Behavior name | Behavior information | Risk class
Phone | Numbers of both parties to the call, call state and call duration | 5
Text message | Numbers of both sender and receiver and the message content | 5
URL connection | Web page address (url field) and connection time | 5
Geographical location | Name of the application accessing the geographical location and access time | 4
Address book | Name of the application accessing the address book and access time | 4
Photo album | Name of the application accessing the photo album and access time | 4
Bluetooth | Whether the bluetooth state changed, the application that changed it and the time of the change | 3
Referring to Fig. 1, the structural composition of the iOS system critical behavior detection apparatus of the present invention is introduced: it comprises four parts, a behavior tracing module located at the iOS terminal layer, and, located at the PC equipment layer and connected in sequence, a user interface module, a security risk reporting module and a behavior analysis module. Wherein:
Behavior tracing module: its function is to detect in real time the set critical behaviors of the iOS system of the Apple terminal. It first receives the detection signal sent by the communication unit of the behavior analysis module, then captures in real time, through the hook unit of the behavior tracing module, the set critical behavior APIs of the iOS terminal's iOS system, obtains the parameters and return values of these APIs, encapsulates this information in a set format, and returns the encapsulated information to the behavior analysis module for processing via network socket communication.
User interface module: its function is to exchange information with the user. On the one hand it receives the user's request to detect set critical behaviors of the iOS system, then sends the start signal and the types of critical behavior to be detected to the behavior analysis module; on the other hand it receives the system critical behavior information returned by the security risk reporting module and displays it to the user.
Behavior analysis module: its function is to receive and parse the critical behavior information transmitted from the Apple terminal. After the module's communication unit receives the detection type from the user interface module, it sends the start-detection signal to the behavior tracing module, and forwards the information returned by the behavior tracing module to the data analysis unit for processing. The data analysis unit first "decapsulates" the received return information; after obtaining the result, it sends it to the safety analysis unit for subsequent analysis and then relays it to the security risk reporting module.
Security risk reporting module: its function is to integrate, according to the analysis results of the behavior analysis module, the discovered iOS system critical behavior information into a result report in a set format including xml and html, and to store it locally for the user to audit and analyze; at the same time it sends the discovered system critical behavior information to the user interface module for display to the user.
Referring to Fig. 2, the specific operating steps of the detection method of the hook-based iOS system critical behavior detection apparatus of the present invention are introduced below:
Step 1, the PC terminal layer sets the detection parameters and detection range: after the user configures, through the "Settings" option at the PC terminal, the ip address and port number of the Apple terminal to be detected and its critical behaviors, the detection apparatus starts working.
In this step, the iOS system critical behaviors of the Apple terminal that need to be detected are set as shown in the table above, and are not repeated here.
Step 2, the behavior tracing module of the iOS terminal layer uses hook technology to detect and extract the parameters and return values of each sensitive application programming interface (API), and sends them to the behavior analysis module of the PC equipment layer. The operations of step 2 are as follows (shown in Fig. 3):
(21) The behavior tracing module writes the critical behaviors set in step 1 into the configuration file under the /Library/MobileSubstrate/DynamicLibraries/ directory, which specifies the scope of effect of the dynamic link library.
(22) The behavior tracing module uses the MobileLoader of the MobileSubstrate framework to inject the self-written dynamic link library into the set programs, so that when these set programs start, the dynamic link library is also loaded into memory.
(23) After the API corresponding to a critical behavior is triggered, the MobileHooker of the MobileSubstrate framework replaces the original API with the self-written function.
(24) In these replacement functions, the parameters and return value of each critical behavior's API are extracted by keyword matching, and these parameters and return values are sent to the data processing unit.
(25) The data processing unit uses a different method for each critical behavior to extract the information related to that critical behavior from these parameters and return values.
(26) The data processing unit applies the corresponding data encapsulation method for each type and sends the encapsulated data to the communication unit.
(27) The communication unit of the behavior tracing module sends the encapsulated data to the behavior analysis module via socket communication.
Step 3, after the behavior analysis module of the PC equipment layer receives the parameters and return values of each sensitive API, it classifies, processes and analyzes them. The specific operations of step 3 are as follows (shown in Fig. 4):
(31) The communication unit of the behavior analysis module receives the parameters and return values of each sensitive API detected by the behavior tracing module and sends them to the data analysis unit.
(32) The data analysis unit first decapsulates them; after obtaining the details of each iOS system critical behavior, it sends them to the safety analysis unit.
(33) The safety analysis unit analyzes and processes the detection results according to the iOS system critical behaviors configured in the set rules: each kind of iOS system critical behavior (including phone, text message, url, photo album, address book, geographical location, bluetooth, etc.) corresponds to one safety analysis unit, and the corresponding processing is carried out by the safety analysis unit to which that critical behavior belongs.
Step 4, after the safety analysis unit in the behavior analysis module completes the safety analysis of the critical behaviors, it sends the analysis results to the security risk reporting module and stores them in a local file of the set format; at the same time it sends the analysis results to the user interface module, which displays them on different interfaces according to the different critical behaviors.
The present invention has been tested in multiple simulated implementations; the test situation of the embodiment is briefly described as follows:
Evaluation agencies and the units that finally deploy software products do not know the software's development process. Although static detection methods can find potential threats in the software they use, the false alarm rate is high and no judgment can be made while the software is running, which poses a great threat to the safe operation of these units. This problem can be effectively solved by using the detection apparatus of the present invention. The detection apparatus monitors the running state of iOS system software in real time through the hook mechanism, captures system critical behaviors at the first moment, then analyzes, audits and locates the captured critical behaviors, and generates a result report. Evaluation agencies and relevant units can use the generated result report to judge the software directly and accurately.
Fig. 5 is the application flow block diagram of one embodiment of the detection apparatus of the present invention.
The test results of the simulated embodiment of the present invention are successful, achieving the object of the invention.