CN105468970A - Tamper-proof method and system of Android application on the basis of defense network - Google Patents


Info

Publication number: CN105468970A
Authority: CN (China)
Prior art keywords: node, defence, android application, protected, application program
Legal status: Granted
Application number: CN201510846522.8A
Other languages: Chinese (zh)
Other versions: CN105468970B (en)
Inventors: 汤战勇, 任庆峰, 房鼎益, 陈晓江, 龚晓庆, 陈�峰, 李政桥, 刘方圆, 陈美玲
Current Assignee: Northwest University
Original Assignee: Northwest University

Events:
Application filed by Northwest University
Priority to CN201510846522.8A
Publication of CN105468970A
Application granted
Publication of CN105468970B
Expired - Fee Related
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action

Abstract

The invention discloses a tamper-proofing method and system for Android applications based on a defense network. The method comprises the following steps: constructing a defense node template library; parsing the Android application to be protected; generating a target node set; constructing the defense associations; generating the corresponding defense node instances according to user input; generating and initializing the defense network; and decompiling, reconstructing the files of, and signing the Android application to be protected. The system implements this method. The method and system have high reliability, are easy to extend, have low overhead and high efficiency, and the process is automated: the overall software-protection workflow is fixed and standardized, automated as far as possible with little manual involvement, and the processing cycle is short, so the method is well suited to the batch protection of large numbers of applications.

Description

Android application tamper-proofing method and system based on a defense network
Technical field
The invention belongs to the field of computer security and specifically relates to a tamper-proofing method for application software on the Android platform.
Background
In recent years, with the rapid development of the mobile Internet, the number of network users has kept growing and the number of connected mobile terminals has increased. Mobile terminals with ever richer functionality, Android devices in particular, have replaced the PC as an indispensable platform in people's work and daily life. Application software on mobile terminals plays an extremely important role in the development of the mobile Internet and the spread of mobile terminals; the fields it covers include not only social networking and entertainment but also office work, communication and payment. Manufacturers, companies and government departments alike increasingly take part in the development, use and management of mobile terminal software.
While the wide use of Android software brings huge benefits to society, the security problems it brings have also become increasingly prominent. Android software often runs in a "white-box attack" environment (see reference 1), in which an attacker uses software-tampering techniques against legitimate software to produce malware, cracked versions, pirated copies and other illegal software. This seriously harms the economic interests of developers and the healthy development of the software industry, and can even threaten national security. Improving software security and strengthening software tamper resistance has therefore become an urgent problem for both industry and academia.
Tamper-proofing technology for Android application software is still immature. The main techniques are: 1. Code obfuscation. ProGuard, developed by Google, was the earliest and is provided in the official Android SDK development environment; with ProGuard a developer can obfuscate Java source code, raise the difficulty of analysis and thereby improve the software's own tamper resistance. However, ProGuard only obfuscates variable names, function names and class names; it merely lengthens the time an attacker needs to locate key information and cannot prevent that information from being tampered with. 2. Encryption. Security vendors in industry, such as DexGuard and Bangcle (see references 3 and 4), offer packing ("shelling") as their main hardening service for Android software, which raises the difficulty of reverse analysis. Against such packing-based protection, Jia Zhijun developed the unpacking tool ZjDroid (see reference 5), which can effectively defeat the mainstream packing schemes. 3. Tampered-version detection. In recent years some academic researchers have worked on improving the detection rate of tampered versions. Such schemes, based mainly on code-similarity comparison (references 6, 7, 8) or on matching of software components (see reference 9), identify whether an application is a tampered version. However, there are now dozens of third-party Android markets, some of which specialize in distributing tampered versions, so detection-based protection schemes perform poorly in practice.
List of references:
[1] S. Chow, P. Eisen, H. Johnson, P. Van Oorschot. A white-box DES implementation for DRM applications. Lecture Notes in Computer Science, 2003, 2696: 1-15.
[2] ProGuard. http://developer.android.com/tools/help/proguard.html
[3] DexGuard. http://www.guardsquare.com/software/dexguard-enterprise
[4] Bangcle. http://www.bangcle.com/
[5] ZjDroid. http://seclab.safe.baidu.com/opensec_detail_2.html
[6] J. Crussell. Attack of the Clones: Detecting Cloned Applications on Android Markets. ESORICS, Springer, 2012.
[7] S. Hanna, L. Huang. Juxtapp: A scalable system for detecting code reuse among Android applications. 9th International Conference, DIMVA 2012.
[8] Wu Zhou, Yajin Zhou. Detecting repackaged smartphone applications in third-party Android marketplaces. Proceedings of the second ACM conference on Data and Application Security and Privacy, 2012.
[9] Wu Zhou, Yajin Zhou, Michael Grace. Fast, scalable detection of piggybacked mobile applications. Proceedings of the third ACM conference on Data and Application Security and Privacy, 2013.
[10] Threat Model. https://msdn.microsoft.com/en-us/library/aa302419.aspx
Summary of the invention
In view of the defects and shortcomings of the existing Android application protection techniques described above, the object of the invention is to provide an Android application tamper-proofing method based on a defense network. The method uses a computer system to protect the APK file of application software on the Android system; its protection strength is high and it is easy to extend.
To achieve the above object, the invention adopts the following technical solution:
An Android application tamper-proofing method based on a defense network, comprising the following steps:
Step 1: construct the defense node template library
A defense node is a code segment embedded into the protected Android application to monitor tampering threats and respond to them. The defense node template library is built, and the code of the defense nodes is stored in it;
Step 2: parse the Android application to be protected
The Android application to be protected is parsed, its function call graph is generated, and each node of the function call graph is described;
Step 3: generate the target node set
Regions of interest in the Android application to be protected are chosen as target nodes, and the target node set is generated;
Step 4: construct the defense associations
The association relations between target nodes and defense nodes, and between defense nodes and other defense nodes, are constructed;
Step 5: generate the corresponding defense node instances according to user input
According to the user-defined defense node kinds and data, the code of the defense node of the corresponding kind is selected from the defense node template library and the corresponding defense node instance is generated;
Step 6: generate and initialize the defense network
According to the defense associations constructed in step 4, combined with the defense node instances generated in step 5, the defense network is initialized; the defense network comprises the defense nodes, the target nodes and the defense associations;
Step 7: decompile, reconstruct the files of, and sign the Android application to be protected.
Further, in the defense node template library of step 1, the code of each defense node comprises three parts: a trigger module, a main function module and a key information module. The trigger module triggers the main function module when an anomaly is detected, the main function module performs the tamper-proofing function, and the key information module records the key information of this defense node unit.
Further, in step 4, the concrete method for constructing the association relations between target nodes and defense nodes, and between defense nodes and other defense nodes, is as follows:
When constructing the association relations, the following constraint conditions a to c must be satisfied:
a. Each target node is protected by at least one J_Guard defense node;
b. Each defense node is protected by at least two defense nodes other than itself, a J_Guard and an N_Guard;
c. When the Android application runs, the defense node performing the protection function must execute close in time to the execution of the protected node.
For condition a, each target node is associated with at least one defense node that has the protection function;
For condition b, at least two defense nodes are configured to protect each defense node: one is a J_Guard, responsible for protecting the defense node's trigger module, and the other is an N_Guard, responsible for protecting the defense node's main function module;
For condition c, when a target node or defense node selects the defense nodes that protect it, it should select defense nodes that execute shortly before or after the protected node when the application runs.
Specifically, the functionality of an Android application is made up of individual functions. When the program runs, multiple functions execute in turn in a certain time order and form a function call chain, and two functions in the same call chain are close in execution time. Let the number of functions between two functions be called the hop count; the smaller the hop count, the shorter the execution interval between the two functions. Each target node or defense node therefore selects the defense node with the smallest hop count from it as its protecting defense node.
An Android application tamper-proofing system based on a defense network, comprising, connected in sequence, a defense node template library construction module, an Android application parsing module, a target node set generation module, a defense association construction module, a defense node instance generation module, a defense network generation and initialization module, and a decompilation, file reconstruction and signing module, wherein:
The defense node template library construction module implements the following function:
A defense node is a code segment embedded into the protected Android application to monitor tampering threats and respond to them; the module builds the defense node template library and stores the code of the defense nodes in it.
The Android application parsing module implements the following function:
It parses the Android application to be protected, generates the function call graph of the application and describes each node of the call graph.
The target node set generation module implements the following function:
It chooses regions of interest in the Android application to be protected as target nodes and generates the target node set.
The defense association construction module implements the following function:
It constructs the association relations between target nodes and defense nodes, and between defense nodes and other defense nodes.
The defense node instance generation module implements the following function:
According to the user-defined defense node kinds and data, it selects the code of the defense node of the corresponding kind from the defense node template library and generates the corresponding defense node instance.
The defense network generation and initialization module implements the following function:
According to the constructed defense associations, combined with the generated defense node instances, it initializes the defense network; the defense network comprises the defense nodes, the target nodes and the defense associations.
The decompilation, file reconstruction and signing module implements the following function:
It decompiles, reconstructs the files of, and signs the Android application to be protected.
Compared with the prior art, the invention has the following technical characteristics:
1. High reliability. The API nodes in the defense network are protected in a nested fashion with no isolated nodes, so an attacker cannot directly tamper with critical code segments. In addition, randomization makes the defense network structure embedded in each application different, so an attacker's knowledge of one attack cannot be reused.
2. Easy to extend. By adjusting the preset KeyValue, the scale of the defense network is made controllable; manual addition of key APIs is also supported, which makes it convenient to increase the diversity and complexity of the protection.
3. Low overhead and high efficiency. The logic of the protection scheme is mainly implemented in the native layer, which executes efficiently, so the performance and space overhead added to the protected software is very small.
4. Automated processing. The overall software-protection workflow is fixed and standardized, automated as far as possible with a small amount of manual involvement, and the processing cycle is short, so the method is well suited to the batch protection of large numbers of applications.
Brief description of the drawings
Fig. 1 is the overall flow chart of the method of the invention;
Fig. 2 is a schematic diagram of the structure of a defense unit template;
Fig. 3 is a schematic diagram of the principle of the Java hook implemented in the D_Guard node;
Fig. 4 is a schematic diagram of the defense network construction framework of the invention;
Fig. 5 is an example diagram of the association relations between defense units;
Fig. 6 is a schematic diagram of the APK reconstruction process after protection;
Fig. 7 is a schematic diagram of the code of D_Guard.
Detailed description of the embodiments
1. Detailed description of the method steps
Following the above technical solution, as shown in Fig. 1, the invention provides an Android application tamper-proofing method based on a defense network, comprising the following steps:
Step 1: construct the defense node template library
A defense node is a code segment embedded into the protected Android application to monitor tampering threats and respond to them. The defense node template library is built, and the code of the defense nodes is stored in it;
The defense network in this scheme is a mesh structure that performs a particular security function. A mesh structure usually consists of a group of nodes and the edges connecting them; in the defense network of this scheme, the nodes comprise the target nodes to be protected and the defense nodes that perform the defense function, and the edges connecting the defense nodes are the protection associations between these nodes.
A defense node is a security unit that performs a specific tamper-proofing protection for a given target. It is one of the important components of the defense network; it is usually embedded into the protected target in the form of a code segment and data, and it monitors tampering threats and responds to them.
Besides protecting target nodes, a defense node also needs to protect other defense nodes. Defense nodes are constructed according to their composition and function, and the code of the constructed defense nodes is stored in the defense node template library:
In the defense node template library, the code of each defense node comprises three parts: a trigger module, a main function module and a key information module. The trigger module triggers the main function module when an anomaly is detected, the main function module performs the tamper-proofing function, and the key information module records the key information of this defense node unit.
This embodiment gives the code of the three kinds of defense node stored in the template library.
This scheme divides defense nodes into three classes, so the defense node template library stores the basic code of the three classes; it supplies the concrete defense nodes when the defense network is constructed and assists in their initialization. The structure of these three template classes is shown in Table 1 below:
Table 1: structure of the three kinds of defense node in the template library
As shown in Fig. 2, considering that the Java layer is easier to reverse and tamper with, this scheme implements the main function module of the defense node in C and provides a JNI interface for the trigger module to call; this strengthens the tamper resistance of the key functions of the defense node.
In this scheme, the three classes of defense node are named J_Guard, N_Guard and D_Guard. The composition and concrete implementation of each class are described in detail below:
(1) Defense node J_Guard template
J_Guard is the security unit responsible for tamper-proofing a specified Java code segment of the Android application. Its trigger module is implemented in Java code (or smali code) and is responsible for triggering the main function module. It is realized by inserting it into the body of a Java-layer function, which binds it to that Java function so that it executes whenever the Java function executes. A code example is as follows:
The example above uses smali code. For an application to be protected whose source code is available, the trigger module can be inserted directly into the Java source; for an application whose source code is not available, the smali code of the trigger module can be inserted into the smali code files obtained after decompilation.
The main function module is implemented in C, performs the tamper-proofing function and is triggered by the Java-layer trigger module. Its protected object is the code of a Java-layer function. Tamper-proofing is based on an integrity check of this Java function: the main steps are to extract the bytecode of the Java function at run time, compute its hash value and check whether this hash value equals the predetermined value.
The key information module records the key information of this unit; this information is initialized when the defense network is constructed. It comprises the unit number, the ID of the bound Java function, the ID of the protected Java function and the check value of that function.
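The three-part structure of a J_Guard (trigger module, main function module, key information module) and the check-value initialization performed later in step 6 can be simulated end to end. The following Python is an added example written for this page; it is not the patent's code, which the patent states is C called through JNI. The bytecode store, function IDs and the use of SHA-256 as the hash are constructed assumptions (the patent only says "hash value").

```python
"""J_Guard defense node, simulated in Python (added example; not the patent's code)."""
import hashlib
from dataclasses import dataclass

# Constructed stand-in for Java function bytecode, keyed by function ID.
# The patent's main function module extracts this from the running process;
# here it is a plain dictionary so that the example runs offline.
CODE_STORE = {
    "F1": b"\x12\x00\x6e\x10\x20\x00\x00\x00\x0e\x00",  # bound function (hosts the trigger)
    "F2": b"\x54\x10\x01\x00\x71\x10\x30\x00\x00\x00",  # protected Java function
}

RESPONSE_LOG = []  # what the defense node did when it detected tampering


@dataclass
class KeyInfo:
    """Key information module: unit number, bound function, protected function, check value."""
    unit_no: int
    bound_fn_id: str
    target_fn_id: str
    check_value: str


def check_value(code: bytes) -> str:
    """Hash used as the check value. The patent only says 'hash'; SHA-256 is an assumption."""
    return hashlib.sha256(code).hexdigest()


def init_key_info(unit_no, bound_fn_id, target_fn_id, code_store=CODE_STORE) -> KeyInfo:
    """Defense-network initialization: record the check value of the protected function."""
    return KeyInfo(unit_no, bound_fn_id, target_fn_id, check_value(code_store[target_fn_id]))


def main_module(info: KeyInfo, code_store=CODE_STORE) -> bool:
    """Main function module: integrity check of the protected function. True means intact."""
    return check_value(code_store[info.target_fn_id]) == info.check_value


def respond(info: KeyInfo) -> None:
    """Tamper response. The patent leaves the response open; logging stands in for it here."""
    RESPONSE_LOG.append(f"unit {info.unit_no}: function {info.target_fn_id} was modified")


def trigger(info: KeyInfo, code_store=CODE_STORE) -> str:
    """Trigger module: inserted into the body of the bound function, calls the main module."""
    if main_module(info, code_store):
        return "ok"
    respond(info)
    return "tampered"


def run_bound_function(info: KeyInfo, code_store=CODE_STORE) -> str:
    """Simulates the bound Java function executing with the trigger at the top of its body."""
    status = trigger(info, code_store)
    # ... the bound function's own work would follow here ...
    return status


if __name__ == "__main__":
    unit = init_key_info(1, "F1", "F2")
    print(run_bound_function(unit))                          # ok
    patched = dict(CODE_STORE, F2=b"\x12\x01\x0f\x01")       # constructed: patched bytecode
    print(run_bound_function(unit, patched), RESPONSE_LOG)  # tampered
```

The same shape serves N_Guard and D_Guard: only the protected object changes (a native function's code, or the dex file) and with it the bytes that `check_value` is computed over. Keeping the check value in a record that is filled in only at initialization is what lets the template library hold generic code while each instance verifies its own target.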
(2) Defense node N_Guard template
The N_Guard defense node is the security unit responsible for tamper-proofing other defense nodes; its main target is the native-function part of all defense nodes. N_Guard likewise consists of three parts: a trigger module, a main function module and a key information module.
The trigger module is implemented in Java and is responsible for calling the main function module in the native layer. It is realized by inserting it into the body of a Java-layer function, which binds it to that function so that it is triggered when the function executes.
The main function module is again implemented in C and performs the tamper-proofing function. Unlike the main function module of J_Guard, its protected object is a native function.
The key information module records the key information of this unit, comprising the unit number, the ID of the bound Java function, the ID of the protected native function and the check value of that function.
(3) Defense node D_Guard template
The D_Guard defense node is the security unit responsible for tamper-proofing the dex executable file in the Android application. Because the trigger modules of all defense nodes reside in the dex file, tamper-proofing the dex file also protects the trigger modules of the defense nodes.
D_Guard likewise consists of a trigger module, a main function module and a key information module. The trigger module is implemented in Java and is responsible for triggering the main function module; unlike J_Guard and N_Guard, it is not inserted directly but realized by replacing a Java API call inside a Java function, which binds it to that Java function so that it is triggered when the function executes. The main function module is implemented in C, performs the tamper-proofing function, and also performs the function of the Java API that the trigger module replaced. Its protected object is the dex executable file in the APK. The key information module records the unit number, the ID of the bound Java function and the check value of the dex file.
The main function module has two parts. The first is the tamper-proofing of the dex file, based on an integrity check of the dex file. The second implements the replaced (hooked) Java-layer function: as shown in Fig. 3, the main idea is to use the mechanism provided by Android JNI for native code to call Java functions, which achieves something similar to hooking a Java method. With this arrangement, attacks that simply delete or replace the .so file can be prevented effectively.
Long research and experimentation on hooking Java-layer functions in Android applications show that most Java functions can be hooked; Table 2 lists the Java functions involved in this scheme.
Table 2: list of hookable Java functions
For the first function, Java/io/FileWriter/<init>, the code of D_Guard is as shown in Fig. 7:
Step 2: parse the Android application to be protected
The Android application to be protected is parsed, its function call graph is generated, and each node of the function call graph is described. The detailed process is:
Fig. 4 is a schematic diagram of the defense network construction. As shown in step (1) of the figure, to construct the defense network the input APK, or the DEX file inside it, is first parsed to generate the function call graph of the application. The call graph is stored as a text file whose content is a list; each list entry corresponds to one function node of the call graph and is described by the 4-tuple <function name, function ID, predecessor function ID, successor function ID>.
Step 3: generate the target node set
Regions of interest in the Android application to be protected are chosen as target nodes, and the target node set is generated;
In this scheme, a target node is a region of the target application that needs tamper-proofing, generally a function or code segment. As shown in Fig. 4, once the function call graph has been generated, step (2) generates the target node set from the call graph and the set of functions to be protected. The set of functions to be protected is defined by the user; each element of the set is the function name of a key function of the application to be protected. Each element of the generated target node set is the function ID corresponding to a function to be protected.
Step 4: construct the defense associations
The association relations between target nodes and defense nodes, and between defense nodes and other defense nodes, are constructed;
As shown in Fig. 4, step (3) takes as input the function call graph and the target node set generated in steps (1) and (2), and constructs the association relations between the nodes of the defense network using the algorithms combined in the defense network construction algorithm. The algorithms are of two kinds: the first constructs the associations between target nodes and defense nodes; the second constructs the associations between defense nodes and other defense nodes. Because the association relations between nodes in step (3) have a certain randomness, repeating step (3) produces a group of mutually different relation sets. Each element of a relation set is expressed as a triple <node ID, ID of the function containing the trigger point, ID of the corresponding defense node> and is stored in text form in an XML file.
The security of defense nodes can be improved in two respects. The first is to increase the difficulty of reversing and tampering with the node itself: in step 1, this scheme uses the Android JNI mechanism to move the core function code of the defense node, rewritten in C, from the less secure Java layer to the native layer, which is harder to reverse and tamper with. The second is that, by constructing the defense network, certain association relations are established between defense nodes so that they protect one another. The so-called association is the process of selecting a suitable position (a function body) in the application at which to deploy a defense node, or the process of building protection relations between the defense nodes already present in the application.
The defense network consists of two kinds of node: target nodes in the program that need protection, denoted g, and defense nodes that perform the protection function, denoted G. An association relation between nodes is a unidirectional protection relation between two nodes and generally falls into two classes: the first points from a defense node to the corresponding target node, denoted G->g; the second points from a defense node to another defense node that needs protection, denoted G->G'. Fig. 5 shows an example defense network in which G denotes a defense node, g denotes a target node, and the directed lines between nodes represent protection relations.
When constructing the association relations, the following constraint conditions a to c must be satisfied:
a. Each target node is protected by at least one J_Guard defense node;
b. Each defense node is protected by at least two defense nodes other than itself, a J_Guard and an N_Guard;
c. When the Android application runs, the defense node performing the protection function must execute close in time to the execution of the protected node.
For condition a, a target node in the defense network is generally a user-defined Java function in the Android application, and each target node is associated with at least one defense node that has the protection function (i.e. a J_Guard);
For condition b, according to the defense node construction in step 1, the code of each defense node comprises a Java-layer trigger module and a native-layer main function module. To prevent the defense node code from being tampered with, at least two defense nodes are therefore configured to protect each defense node: one is a J_Guard, responsible for protecting the defense node's trigger module, and the other is an N_Guard, responsible for protecting the defense node's main function module;
For condition c, when a target node or defense node selects the defense nodes that protect it, the timeliness of the protective response must be considered. Response timeliness means that when the protected node is tampered with, the corresponding defense node can detect the attack promptly and respond. Therefore the defense nodes that execute shortly before or after the protected node when the program runs should be selected as its protectors.
According to the three constraint conditions for constructing association relations, the defense network construction algorithm is designed and implemented as follows:
Suppose the application has M target nodes; then the in-degree of each target node g is at least 1, denoted $g_{IN}(i) \ge 1,\ i \in M$;
Suppose the application has N defense nodes; then the in-degree of each defense node G is at least 2, and among its incoming edges at least one originates from a J_Guard node and at least one from an N_Guard node, denoted $G_{IN}(i) = G_{IN\text{-}JGuard}(i) + G_{IN\text{-}NGuard}(i) \ge 2,\ i \in N$, where $G_{IN\text{-}JGuard}(i) \ge 1$ and $G_{IN\text{-}NGuard}(i) \ge 1$. Of the three kinds of defense node, for the J_Guard and N_Guard nodes (that is, all except D_Guard) the out-degree of each node is at least 1, denoted $G_{OUT}(i) \ge 1$, where $G(i) \notin \{D\_Guard\}$.
Known according to step one, for D_Guard node, can perform a kind of Hook function, different according to the Java function of Hook in node, D_Guard has different types.Therefore; the particular type of D_Guard node is relevant with actual protected application with quantity; this quantity also can carry out manual shift as the case may be simultaneously; such as in application, the point of invocation number of Java function Java/io/FileWriter/<init> is 20; if arrange should the D_Guard transformation of function be 5, then only Hook process is carried out to any 5 place's points of invocation in original program.
To satisfy constraint c, a solution based on the function call chain is proposed here, as follows:
The functionality of an Android application is implemented by a sequence of functions. When the program runs, these functions execute one after another in a certain time order and form a function call chain, and two functions on the same call chain are close in execution time. Call the number of functions between two functions the hop count: the smaller the hop count, the shorter the interval between the executions of the two functions. Each target node or defence node therefore selects the defence node with the smallest hop count to itself as its guard.
Based on the above analysis of the three constraints, the main algorithm for constructing the protection net is as follows:
The deployment algorithm for D_Guard defence nodes is as follows:
The algorithm for establishing protection relations between defence nodes is as follows:
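As an added illustration of the in-degree and out-degree conditions, the hop-count rule of step 4 (restated in claim 3) and the hash initialization of step 6, the following Python model is not the patent's own algorithm (that is given only in the original figures): it assigns every target and defence node its nearest J_Guard and N_Guard along a constructed call chain, checks the constraints, and lets the guards detect a modified code image. The node names, chain positions and code images are constructed, and SHA-256 stands in for whatever hash the patent's key information module uses.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Node:
    name: str   # function (or guard) name
    kind: str   # "target", "J_Guard", "N_Guard" or "D_Guard"
    pos: int    # position on the function call chain (execution order)

# Constructed sample: two target regions of a hypothetical app and five
# guards injected at chosen positions of the same call chain.
NODES = [
    Node("checkLicense", "target", 2),
    Node("decryptKey", "target", 5),
    Node("J1", "J_Guard", 1),
    Node("N1", "N_Guard", 3),
    Node("N2", "N_Guard", 4),
    Node("J2", "J_Guard", 6),
    Node("D1", "D_Guard", 7),
]

# Constructed stand-ins for the code images that the guards checksum.
CODE_IMAGES = {n.name: f"code-of-{n.name}".encode() for n in NODES}

def hop_count(a: Node, b: Node) -> int:
    """Number of functions executed between a and b on the call chain."""
    return max(abs(a.pos - b.pos) - 1, 0)

def nearest_guard(node: Node, nodes: list, kind: str) -> Node:
    """Constraint c: the guard of the wanted kind with the smallest hop count,
    never the node itself. Ties are broken by name to keep the result stable."""
    cands = [g for g in nodes if g.kind == kind and g != node]
    if not cands:
        raise ValueError(f"no {kind} available to protect {node.name}")
    return min(cands, key=lambda g: (hop_count(node, g), g.name))

def build_defence_net(nodes: list) -> dict:
    """Map each protected node name to the names of the guards protecting it."""
    net = {}
    for n in nodes:
        if n.kind == "target":
            # constraint a: at least one J_Guard per target node
            net[n.name] = [nearest_guard(n, nodes, "J_Guard").name]
        else:
            # constraint b: one J_Guard (trigger module) and one N_Guard
            # (main function module) per defence node, D_Guard included
            net[n.name] = [nearest_guard(n, nodes, "J_Guard").name,
                           nearest_guard(n, nodes, "N_Guard").name]
    return net

def check_constraints(net: dict, nodes: list) -> list:
    """Return the in-/out-degree violations described in the text, if any."""
    kind_of = {n.name: n.kind for n in nodes}
    in_kinds = {n.name: [] for n in nodes}
    out_deg = {n.name: 0 for n in nodes}
    for protected, guards in net.items():
        for g in guards:
            in_kinds[protected].append(kind_of[g])
            out_deg[g] += 1
    bad = []
    for n in nodes:
        kinds = in_kinds[n.name]
        if n.kind == "target":
            if len(kinds) < 1:                                    # g_IN(i) >= 1
                bad.append(f"{n.name}: unprotected target")
        else:
            if "J_Guard" not in kinds or "N_Guard" not in kinds:  # G_IN(i) >= 2
                bad.append(f"{n.name}: needs both a J_Guard and an N_Guard")
            if n.kind != "D_Guard" and out_deg[n.name] < 1:       # G_OUT(i) >= 1
                bad.append(f"{n.name}: guard protects nothing")
    return bad

def init_key_info(net: dict, code_images: dict) -> dict:
    """Step 6 style initialization: each guard records the hash of every object it protects."""
    key_info = {}
    for protected, guards in net.items():
        digest = hashlib.sha256(code_images[protected]).hexdigest()
        for g in guards:
            key_info.setdefault(g, {})[protected] = digest
    return key_info

def run_guards(key_info: dict, code_images: dict) -> list:
    """Simulate the guards firing: recompute hashes and report (guard, tampered node) pairs."""
    alarms = []
    for guard, expected in key_info.items():
        for protected, digest in expected.items():
            if hashlib.sha256(code_images[protected]).hexdigest() != digest:
                alarms.append((guard, protected))
    return sorted(alarms)

if __name__ == "__main__":
    net = build_defence_net(NODES)
    print("defence net:", net)
    print("violations:", check_constraints(net, NODES))
    info = init_key_info(net, CODE_IMAGES)
    tampered = dict(CODE_IMAGES, checkLicense=b"patched-license-check")
    print("alarms:", run_guards(info, tampered))
```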
Step 5: generate the corresponding defence node instances according to user input
According to the user-defined kinds and number of defence nodes, select the code of the corresponding kind of defence node from the defence node template library and generate the corresponding defence node instances;
To ensure that the protection net scales well, the protection net construction scheme described here allows the size of the protection net to be adjusted by changing the number of defence nodes. Step (4) in Fig. 4 selects, according to the user-defined kinds and number of defence nodes, the code of the corresponding kind of defence node from the defence node template library and generates the corresponding defence node instances; the trigger module of an instance is stored in a .smali code file, while its main function module and key information module are stored in a code file with the .c suffix.
Step 6: generate and initialize the protection net
Using the defence associations constructed in step 4 and the defence node instances generated in step 5, initialize the protection net, which comprises the defence nodes, the target nodes and the defence associations;
Step (5) in Fig. 4 initializes the protection net from the set of association relations between protection net nodes obtained in step (3) and the defence node instances generated in step (4). The initialization proceeds as follows: first, analyze the set of node association relations obtained in step (3) to obtain each node's number and the function ID bound to its trigger module; then compute the hash value of each defence node's protected object; finally, use this information to modify the key information module of each defence node instance in the .c files generated in step 5, and compile them into .so library files.
Step 7: decompile, restructure and sign the Android application to be protected.
Use the decompiling engine APKTool or Baksmali to decompile the dex file of the APK to be protected and obtain the corresponding smali code files. As shown in Figure 6, fill the defence node smali instructions into the corresponding smali instruction files among the smali files obtained in step 7, and implant the .so library files obtained in step 7 into the libs directory of the decompiled source APK (if the libs directory does not exist, create it; see reference 11 for the APK structure). Then use APKTool to reconstruct the protected APK and sign it. By default, the present invention signs the APK with the testkey.pk8 and testkey.x509.pem files provided with the Android source code; loading the developer's keystore for APK signing is also allowed.
The present invention also provides a system for implementing the above method:
An Android application tamper-proof system based on a protection net, comprising, connected in sequence, a defence node template library construction module, an Android application parsing module, a target node set generation module, a defence association construction module, a defence node instance generation module, a protection net generation and initialization module, and a decompiling, file restructuring and signing module; wherein:
The defence node template library construction module implements the following function:
A defence node is a code segment embedded in the protected Android application for monitoring and responding to tampering threats; the module builds the defence node template library, in which the code of the defence nodes is stored;
The Android application parsing module implements the following function:
Parse the Android application to be protected, generate its function call graph, and describe each node of the function call graph;
The target node set generation module implements the following function:
Select regions of interest in the Android application to be protected as target nodes and generate the target node set;
The defence association construction module implements the following function:
Construct the association relations between target nodes and defence nodes, and between defence nodes;
The defence node instance generation module implements the following function:
According to the user-defined kinds and number of defence nodes, select the code of the corresponding kind of defence node from the defence node template library and generate the corresponding defence node instances;
The protection net generation and initialization module implements the following function:
Using the constructed defence associations and the generated defence node instances, initialize the protection net, which comprises the defence nodes, the target nodes and the defence associations;
The decompiling, file restructuring and signing module implements the following function:
Decompile, restructure and sign the Android application to be protected.
II. Experimental verification and analysis
The scheme is verified from three aspects: the validity, the efficiency and the feasibility of the protection scheme.
1. Validity analysis and verification of the protection scheme
This part uses the DREAD risk analysis model (reference 10) to quantify the risk an application faces under the same tampering attack before and after protection. Comparing the two risk values verifies the validity of the protection scheme: if the risk value of the application decreases after protection, the protection scheme has enhanced the security of the application software.
DREAD is a classic security threat analysis framework proposed by Microsoft for analyzing, assessing and quantifying threats to applications, for example as a security consideration during web application design. The DREAD algorithm computes a risk value that serves as a reference for risk ranking; this value is the mean of five attributes: damage potential (DamagePotential), reproducibility (Reproducibility), exploitability (Exploitability), affected users (AffectedUsers) and discoverability (Discoverability), abbreviated D, R, E, A and D respectively. The risk value RiskValue based on DREAD is computed as follows:
$RiskValue = (D + R + E + A + D) / 5$ (1)
From the formula, RiskValue is a number between 0 and 10; the higher the value, the greater the risk posed by the threat.
(1) Risk analysis before protection
(1-1) DamagePotential
DamagePotential denotes the potential damage of the threat, that is, the degree of harm that may result once the vulnerability is exploited; it is reflected in the degree of access gained to the application's assets or sensitive information and in the system privilege level obtained. The degree is rated from 0 to 10: for example, 0 means no harm, 5 means individual assets may be harmed, and 10 means the whole application or all of its assets are threatened.
Because an Android application runs in a white-box attack context, an attacker can expose most of the application's code and data by reverse engineering, and can easily gain the ability to illegally manipulate the code and data of the application and thereby interfere with its execution flow and business logic. For a typical Android application, the potential damage of the tampering threat is therefore high, that is, D = 6 ~ 8.
(1-2) Reproducibility
Reproducibility describes how difficult it is for an attacker to repeat the attack process against a target on the basis of a given threat. It is rated from 0 to 10: for example, 0 means the attack essentially cannot be repeated or is very hard to repeat; 5 means the attacker can repeat the attack but with restrictions, such as on the number of times or the time; 10 means the attacker can launch the attack at will, even automatically.
For tampering attacks on Android applications, the attack surface, attack process and attack means are essentially fixed and follow certain patterns, and the structure of Android applications is regular, so it is not difficult for an attacker to repeat the attack process; for different versions of the same application, or even for different Android applications, the attack can be automated. Moreover, for a typical Android application, simple protection cannot effectively stop an attacker from repeating the attack process and accumulating attack knowledge until the attack finally succeeds. For a typical Android application, the reproducibility of the tampering threat is therefore R = 8 ~ 10.
(1-3) Exploitability
Exploitability denotes how exploitable the threat is, that is, how complex it is to launch an attack using this threat. It is rated from 0 to 10: for example, 0 means successful exploitation requires extensive attack knowledge, skill and experience for complex analysis, together with specific attack tools or environments; 5 means the attack can be completed with general attack techniques or experience, aided by conventional tools; 10 means a beginner with basic attack knowledge and some attack techniques can complete the attack in a short time with the help of conventional tools.
Android has been popularized gradually in recent years, while the number of Android applications suffering tampering attacks has grown explosively; among the attackers there are not only many experienced senior attackers but also many beginners. One main reason for this situation is that learning tampering attacks on currently unprotected Android applications is not difficult and a large number of attack tools exist, so a beginner can master attack methods in a short time, enough to tamper with a typical Android application. For Android applications, the exploitability of the tampering threat is therefore E = 8 ~ 10.
(1-4) AffectedUsers
AffectedUsers is another important attribute in the risk analysis of a threat; it denotes the scale of the users affected by the threat. It is also rated from 0 to 10; the lower the number, the smaller the affected user base.
Android applications are distributed through numerous channels: besides Google Play, users can download applications from third-party application stores such as 360 Assistant and Wandoujia. The number of Android application users has kept growing in recent years, and by the first quarter of 2015 the active user base of domestic third-party mobile application stores alone had reached 420 million [x]. Among the applications downloaded there, tampered applications are not rare, particularly in third-party stores; meanwhile, most applications face the threat of being tampered with, which directly affects the users who download and install them. Therefore A is taken here as 8 ~ 10.
(1-5) Discoverability
Discoverability refers, for a target application, to the complexity of analyzing and locating the vulnerability that gives rise to this threat. It is again rated from 0 to 10: for example, 0 means it is hard to analyze the code or locate the attack point, 5 means an effective attack point can be traced through some reasoning or debugging, and 10 means analyzable code can be obtained directly and the key tampering point can be located.
Most Android applications are compiled mainly from Java, and reverse engineering tools easily yield well-readable code such as Java or smali code. Existing tools such as DDMS and Android Studio also allow dynamic debugging at the Java or smali layer. Therefore D = 6 ~ 8 is taken here, meaning that the program code can be obtained fairly easily for analysis and debugging in order to locate tampering points.
(2) Risk analysis after protection
Regarding damage potential (DamagePotential): although the protection scheme does not stop an attacker from reverse engineering the Android APK, the main function module of a D_Guard node takes over some of the Java calls in the original program, so part of the Java-layer execution logic is hidden, which increases the attacker's analysis difficulty and reduces the potential damage of the tampering threat.
Regarding reproducibility (Reproducibility): because each node is protected by multiple defence nodes of multiple kinds, the attacker cannot rely on a single attack method, and the number and effect of repeated attacks are limited.
Regarding exploitability (Exploitability): in the protected application the protection net can perceive and respond to tampering, and the defence nodes protect one another, so completing an attack requires first analyzing the overall structure of the protection net, which demands greater reverse engineering experience and more time from the attacker.
Regarding affected users (AffectedUsers): the protected application can effectively prevent tampering by an attacker, which avoids the creation of tampered versions of the application at the source and so reduces the impact caused by the tampering threat.
Regarding discoverability (Discoverability): for a single defence node, the modules that make up the node are distributed across different running spaces, that is, the Java layer and the native layer, which makes the key information and code in the program harder to locate and thus improves concealment.
Combining the above analysis, the tampering threat risk values of the application before and after protection are shown in the table below:
Table 3. Tampering threat risk values before and after protection
Clearly, the tampering threat risk of the protected application is lower than that of the unprotected application, which demonstrates the validity of the protection scheme in the present invention.
2. Experimental verification of protection scheme efficiency
To verify the efficiency of the protection scheme, two current mainstream hardening services were also selected to harden the experimental subjects, and the hardened applications were tested and compared in two respects: software size and startup time. The software size comparison is as follows:
Table 4. Application software size before and after protection (KB)
The table shows that, compared with mature commercial hardening services, the protection net scheme in the present invention imposes a smaller size overhead on the protected software, within an acceptable range.
Startup time test: the startup times of the original application, the application protected by the protection net described here, the application protected by Bangcle and the application protected by 360 were tested, to verify from the perspective of startup speed the performance overhead that the protection scheme imposes on the application. Each sample application was started 100 times and its average startup time computed; the comparison data are as follows:
Table 5. Application startup time before and after protection (ms)
The table shows that, compared with mature commercial hardening services, the protection-net-based scheme of the present invention causes less performance overhead for the target application.
3. Feasibility (compatibility) verification of the protection scheme:
Because there are many Android system versions, and the effect of the differences between versions on whether an application runs normally determines the feasibility of the protection scheme, five mainstream Android system versions were selected to test whether the protected application is compatible with them. The test results are shown in the table below:
Table 6. Compatibility test data for the protected application
The table shows that the application protected by the scheme in this patent runs normally on mainstream Android system versions, so the protection-net-based scheme has good compatibility and feasibility.

Claims (4)

1. An Android application tamper-proof method based on a protection net, characterized in that it comprises the following steps:
Step 1: construct a defence node template library
A defence node is a code segment embedded in the protected Android application for monitoring and responding to tampering threats; build a defence node template library in which the code of the defence nodes is stored;
Step 2: parse the Android application to be protected
Parse the Android application to be protected, generate its function call graph, and describe each node of the function call graph;
Step 3: generate the target node set
Select regions of interest in the Android application to be protected as target nodes and generate the target node set;
Step 4: construct the defence associations
Construct the association relations between target nodes and defence nodes, and between defence nodes;
Step 5: generate the corresponding defence node instances according to user input
According to the user-defined kinds and number of defence nodes, select the code of the corresponding kind of defence node from the defence node template library and generate the corresponding defence node instances;
Step 6: generate and initialize the protection net
Using the defence associations constructed in step 4 and the defence node instances generated in step 5, initialize the protection net, which comprises the defence nodes, the target nodes and the defence associations;
Step 7: decompile, restructure and sign the Android application to be protected.
2. The Android application tamper-proof method based on a protection net of claim 1, characterized in that, in the defence node template library of step 1, the code of each defence node comprises three parts: a trigger module, a main function module and a key information module, wherein the trigger module triggers the main function module when an anomaly is detected, the main function module performs the tamper-proof function, and the key information module records the key information of the defence node unit.
3. The Android application tamper-proof method based on a protection net of claim 1, characterized in that, in step 4, the specific method of constructing the association relations between target nodes and defence nodes and between defence nodes is as follows:
When constructing the association relations, the following constraints a to c must be satisfied:
a. Each target node is protected by at least one defence node J_Guard;
b. Each defence node is protected by at least two defence nodes other than itself, a J_Guard and an N_Guard;
c. When the Android application executes, the defence node performing the protection function must execute close in time to the protected node;
For condition a, associate each target node with at least one defence node having a protection function;
For condition b, configure at least two defence nodes to protect each defence node: one is a J_Guard, responsible for protecting the trigger module of the defence node, and the other is an N_Guard, responsible for protecting the main function module of the defence node;
For condition c, when selecting the defence node that protects it, each target node or defence node should choose as its guard a defence node that executes shortly before or after the protected node when the application runs;
Specifically, the functionality of an Android application is implemented by a sequence of functions. When the program runs, these functions execute one after another in a certain time order and form a function call chain, and two functions on the same call chain are close in execution time. Call the number of functions between two functions the hop count: the smaller the hop count, the shorter the interval between the executions of the two functions. Each target node or defence node therefore selects the defence node with the smallest hop count to itself as its guard.
4. A system for implementing the method of claim 1, characterized in that the system comprises, connected in sequence, a defence node template library construction module, an Android application parsing module, a target node set generation module, a defence association construction module, a defence node instance generation module, a protection net generation and initialization module, and a decompiling, file restructuring and signing module; wherein:
The defence node template library construction module implements the following function:
A defence node is a code segment embedded in the protected Android application for monitoring and responding to tampering threats; the module builds the defence node template library, in which the code of the defence nodes is stored;
The Android application parsing module implements the following function:
Parse the Android application to be protected, generate its function call graph, and describe each node of the function call graph;
The target node set generation module implements the following function:
Select regions of interest in the Android application to be protected as target nodes and generate the target node set;
The defence association construction module implements the following function:
Construct the association relations between target nodes and defence nodes, and between defence nodes;
The defence node instance generation module implements the following function:
According to the user-defined kinds and number of defence nodes, select the code of the corresponding kind of defence node from the defence node template library and generate the corresponding defence node instances;
The protection net generation and initialization module implements the following function:
Using the constructed defence associations and the generated defence node instances, initialize the protection net, which comprises the defence nodes, the target nodes and the defence associations;
The decompiling, file restructuring and signing module implements the following function:
Decompile, restructure and sign the Android application to be protected.
CN201510846522.8A, priority date 2015-11-27, filing date 2015-11-27: Tamper-proof method and system of Android application on the basis of defense network; granted as CN105468970B (en), status Expired - Fee Related.


Publications (2)
Publication number, publication date:
CN105468970A (en), 2016-04-06
CN105468970B (en), 2018-01-19





Legal Events
Code, title, description:
C06: Publication
PB01: Publication
C10: Entry into substantive examination
SE01: Entry into force of request for substantive examination
GR01: Patent grant (granted publication date: 20180119)
CF01: Termination of patent right due to non-payment of annual fee (termination date: 20201127)