CN106528403A - Software runtime monitoring method based on binary code implantation technology - Google Patents

Software runtime monitoring method based on binary code implantation technology

Info

Publication number: CN106528403A
Application number: CN201610877174.5A
Authority: CN (China)
Prior art keywords: function, state, execution step, numbering, basic block
Legal status: Granted (status as listed by Google; an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN106528403B (granted patent)
Inventors: 马建峰, 帕尔哈提江·斯迪克, 孙聪, 孙召昌, 吴奇烜
Current assignee: Xidian University (as listed by Google; not legally verified)
Original assignee: Xidian University

Timeline: application filed by Xidian University with priority to CN201610877174.5A; publication of CN106528403A; application granted; publication of CN106528403B. Current legal status: Active.

Classifications

    • G Physics
    • G06 Computing; calculating or counting
    • G06F Electric digital data processing
    • G06F 11/00 Error detection; error correction; monitoring
    • G06F 11/36 Preventing errors by testing or debugging software
    • G06F 11/362 Software debugging
    • G06F 11/3644 Software debugging by instrumenting at runtime
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F 21/54 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by adding security routines or objects to programs
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/562 Static detection
    • G06F 21/563 Static detection by source code analysis

Abstract

The invention discloses a software runtime monitoring method based on binary code implantation (static binary instrumentation). The method comprises the following steps: (1) extracting the function call relations; (2) extracting the control-flow information inside each function; (3) constructing a finite state machine; (4) initializing the table TABbb; (5) initializing the tables TABstart and TABret; (6) initializing the integer variables Cur_F and Cur_B; (7) implanting code; (8) monitoring the running state of the software; and (9) ending monitoring. The method has low run-time overhead and is easy to implement.

Description

Software runtime monitoring method based on binary code implantation technology
Technical field
The invention belongs to the field of computer technology and, more specifically, to software security: it is a software runtime monitoring method based on binary code implantation. For PE files under Windows or ELF files under Linux, it uses static binary code implantation to monitor the execution trajectory of the software.
Background technology
With the development of computer technology, software has penetrated every field of the national economy. Once a critical piece of software is compromised it can threaten users both economically and in terms of security, so the safety of software has become increasingly important. By exploiting a security vulnerability in a specific piece of software, an attacker can run malicious code and gain access to data they are not authorized to read. A typical such vulnerability is the buffer overflow.
Software runtime monitoring is a technique that, while the software actually runs, obtains its running-state information and execution trace, compares them with the expected execution trajectory derived by prior analysis, and thereby judges whether the software is executing securely.
Control-flow information such as function call graphs and control-flow graphs is generally extracted with static analysis tools. Depending on the kind of code analyzed, static software analysis is divided into source-code-based analysis and binary-code-based analysis. Source-code analysis directly analyzes the program's expressions and data structures; binary analysis works at the machine-code level and analyzes an intermediate representation of the executable code. Source-based analysis can only recover the control-flow information contained in the source files; it cannot analyze the control flow of the static and dynamic libraries the software depends on. Binary-based analysis can analyze the control flow not only of the software's executable but also of the dynamic libraries it depends on.
The execution trace of running software can be obtained by code implantation (instrumentation). Code implantation is divided into source-code-based and binary-based implantation, and binary-based implantation is further divided into dynamic and static implantation. Compared with dynamic implantation, static implantation is completed before the program executes, so the run-time overhead it introduces is lower, and it is also simpler to implement.
The patent "Parallelized security vulnerability detection method based on function call graph", applied for by Beijing University of Aeronautics and Astronautics (application number 201110417105.3, publication number 102567200A), discloses a vulnerability detection method. It uses source-code-based analysis, generating the function call graph of the modules in the source files, and detects only vulnerabilities present in the source files themselves. Its shortcoming is that it cannot analyze the function call relations and intra-function control flow of the static and dynamic libraries the source code depends on, and so cannot detect vulnerabilities in those libraries.
The patent "A software probe method", applied for by Changzhou Yun Bo Software Engineering Technology Co., Ltd (application number 201210054220.3, publication number 102646068A), discloses a method for detecting the program-flow information of application software in real time while it runs. It uses source-code-based code implantation and can monitor the software in real time while it runs in a computer system. Its shortcoming is that the newly implanted code must be compiled before it can execute, and a considerable run-time overhead cannot be avoided.
Summary of the invention
The object of the invention is to overcome the shortcomings of the prior art described above by proposing a software runtime monitoring method based on binary code implantation.
To achieve this object, the idea of the invention is as follows. A static binary analysis tool analyzes the call relations between the functions of the monitored software and the control flow inside each function, producing a function call graph G(E, F) and a control-flow graph G(B, E). A finite state machine FSM(Z, S, T, S0, A) is then constructed from the call graph G(E, F), and the control-flow graph G(B, E) is used to initialize a table TABbb. Each state of the state machine corresponds to one function of the call graph G(E, F), and one additional invalid state is added. A transition between any two valid states represents a legal function call or function return between the corresponding functions; any illegal function call or return moves the finite state machine to the invalid state. The table TABbb has as many rows as the corresponding function has basic blocks, and each row has three fields: (1) the index of the basic block, (2) the offset of the basic block's entry address relative to the entry address of the function containing it, and (3) the indices of the basic block's successor blocks. A static binary code implantation tool loads the dependency library containing the monitoring code into the address space of the monitored process and implants calls to the monitoring functions at specific locations in the monitored software. Whenever a function call, a function return or an intra-function control transfer occurs while the monitored software runs, the monitoring function in the dependency library is invoked; by consulting the finite state machine and TABbb it judges whether the execution of the monitored software is consistent with the trajectory predicted by the prior analysis.
The concrete steps for achieving the object of the invention are as follows:
(1) Extract the function call relations:
Using a static binary analysis tool, extract the call relations among the functions of the monitored executable and its dependency library files, and store them in a function call graph data structure G(E, F), where E is the set of directed edges and F is the set of all functions in G(E, F);
(2) Extract the intra-function control-flow information:
Using a static binary analysis tool, extract the basic blocks and the control flow of each function in G(E, F), and store the basic-block-level control-flow information in a control-flow graph data structure G(B, E), where E is the set of directed edges and B is the set of basic blocks in G(B, E);
(3) Construct a finite state machine:
(3a) Add state 0 to the non-empty finite set S of states of the finite state machine;
(3b) Number each function in the function call graph G(E, F), the i-th function receiving number i;
(3c) Assign state 1, which corresponds to the main() function in G(E, F), as the initial state S0 of the finite state machine;
(3d) For each function f_i ∈ F, add state i to the state set S and to the set of final states A of the finite state machine;
(3e) For f_i ∈ F and f_j ∈ F, if there is a directed edge from function f_i to function f_j, add the following state transitions to the state transition function T:
Z0 = 0, Z1 = j → Nextstate[i] = state j
Z0 = 1, Z1 = i → Nextstate[j] = state i
where Z0 and Z1 are the input symbols of the finite state machine (Z0 = 0 marks a function call and Z0 = 1 a function return, as used in step (8)), Nextstate[i] is the next state of state i, Nextstate[j] is the next state of state j, and i and j are the numbers of the functions f_i and f_j respectively;
(3f) For every state whose next state on some input is undefined, set that next state to state 0;
(4) Initialize the table TABbb:
Each function in G(E, F) corresponds to one control-flow graph G(B, E), and each function is given one initialized table TABbb, in which row i corresponds to the i-th basic block of that G(B, E). Each row has three fields, index, offset and sucs: index is the index of the i-th basic block, offset is the entry address of the i-th basic block relative to the entry address of the function containing it, and sucs holds the indices of the successor basic blocks of the i-th basic block;
(5) Initialize the tables TABstart and TABret:
(5a) After the monitored software has been loaded, obtain the entry addresses of all functions in G(E, F);
(5b) Add the information of the i-th function to row i of TABstart, where row i corresponds to the i-th function in G(E, F) and each row has three fields, addr, index and ptr: addr is the entry address of the i-th function, index is its function number, and ptr is a pointer to the TABbb table of the i-th function;
(5c) Add the values 0, -1, -1 as the first row of TABret; every further row of TABret corresponds to a function in G(E, F) that is called while the monitored software executes;
(6) Initialize the integer variables Cur_F and Cur_B:
Assign the number 1 of the main() function in G(E, F) to the integer variable Cur_F, and the number 1 of the first basic block of main() to the integer variable Cur_B;
(7) Implant code:
(7a) Using a static binary code implantation tool, load the dynamic library containing the monitoring code into the address space of the monitored process;
(7b) Look up the monitoring functions in the dynamic library by name and construct call statements to them;
(7c) Using the code implantation tool and the information in G(E, F) and G(B, E), determine the code implantation points in the monitored software;
(7d) Implant the constructed call statements at the corresponding code implantation points;
(8) Monitor the running state of the software:
(8a) Judge whether the monitored software has reached the entry point of a function in G(E, F); if so, go to step (8b), otherwise go to step (8f);
(8b) Look up TABstart by the function entry address and judge whether the entry address is in TABstart; if so, pass the corresponding function number together with the value 0 to the finite state machine and go to step (8c), otherwise go to step (9);
(8c) Judge whether the function number received by the finite state machine is 1; if so, go to step (8d), otherwise go to step (8e);
(8d) Set the current state of the finite state machine to the initial state S0 and go to step (8a);
(8e) Judge whether the finite state machine can move from its current state to the state corresponding to the received number; if so, move to that state, assign the function number obtained in step (8b) to Cur_F and go to step (8a); otherwise move the finite state machine to the invalid state 0 and go to step (9);
(8f) Judge whether the monitored software has reached a call instruction inside a function of G(E, F); if so, go to step (8g), otherwise go to step (8h);
(8g) Add the address of the instruction following the call instruction, the number of the function containing the call instruction (Cur_F) and the index of the basic block containing it (Cur_B) as a new last row of TABret, then go to step (8a);
(8h) Judge whether the monitored software has reached the exit point of a function in G(E, F); if so, go to step (8i), otherwise go to step (8l);
(8i) Judge whether the address value stored in the last row of TABret is 0; if so, go to step (9), otherwise go to step (8j);
(8j) Judge whether the return address used by the ret instruction equals the address stored in the last row of TABret; if so, go to step (8k), otherwise go to step (9);
(8k) Pass the function number stored in the last row of TABret together with the value 1 to the finite state machine and judge whether it can move from its current state to the state corresponding to that number; if so, move to that state, assign the function number from the last row of TABret to Cur_F and the basic block index from the last row to Cur_B, delete the last row of TABret and go to step (8a); otherwise move the finite state machine to the invalid state 0 and go to step (9);
(8l) When the monitored software reaches the entry of a basic block of G(B, E), compute the offset of the block's entry point relative to the entry of the function containing it;
(8m) Judge whether the computed offset is 0; if so, go to step (8n), otherwise go to step (8o);
(8n) Assign the value 1 to Cur_B and go to step (8a);
(8o) Judge whether the offset equals the offset of one of the successor blocks of the basic block Cur_B; if so, assign that successor's index to Cur_B and go to step (8a), otherwise go to step (9);
(9) End monitoring.
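The monitoring logic of steps (3) through (8), as an added example written for this page; it is not the patent's own code. It assumes that the call graph, the per-function control-flow graphs and the probe events have already been produced by the static analysis and instrumentation tools of steps (1), (2) and (7); here all three are constructed by hand (function numbers 1 = main, 2 = parse, 3 = log, the addresses 0x1000/0x2000/0x3000 and the block layout are made up). The four on_* methods stand in for the four implanted monitoring functions, and the trace tuples stand in for what those probes would observe. The benign trace runs to the exit of main(); the three other traces show how an overwritten return address, a call that has no edge in the call graph and an intra-function jump to a non-successor block each drive the state machine to state 0.

```python
from collections import namedtuple

INVALID = 0  # FSM state 0: every illegal call or return lands here
# One row of a function's TABbb: 1-based block index, entry offset relative to the function entry, successor indices
BasicBlock = namedtuple("BasicBlock", "index offset sucs", defaults=[()])


def build_transitions(call_edges):
    """Steps 3d-3f: T[(state, Z0, Z1)] -> next state, Z0=0 call, Z0=1 return,
    Z1 = function number. Edge f_i -> f_j yields (i,0,j)->j and (j,1,i)->i."""
    T = {}
    for i, j in call_edges:
        T[(i, 0, j)] = j
        T[(j, 1, i)] = i
    return T                       # every key not present resolves to INVALID

class Monitor:
    """State shared by the four implanted probes: function entry, call site,
    function exit and basic-block entry (steps 5, 6 and 8 of the patent)."""
    def __init__(self, entries, call_edges, cfgs):
        self.TABstart = {addr: num for num, addr in entries.items()}  # addr -> number
        self.TABbb = cfgs              # {function number: [BasicBlock, ...]}
        self.T = build_transitions(call_edges)
        self.TABret = [(0, -1, -1)]    # step 5c sentinel: (return addr, function, block)
        self.state = 1                 # S0: function number 1 is main()
        self.Cur_F, self.Cur_B = 1, 1  # step 6
        self.verdict = None            # set when monitoring stops (step 9)

    def _stop(self, verdict, violation=True):
        if violation:
            self.state = INVALID
        self.verdict = verdict
        return False

    def on_entry(self, addr):          # steps 8a-8e
        num = self.TABstart.get(addr)
        if num is None:
            return self._stop("entry of a function not in the call graph")
        if num == 1:                   # main() entered: back to S0
            self.state = 1
            return True
        nxt = self.T.get((self.state, 0, num), INVALID)
        if nxt == INVALID:
            return self._stop(f"illegal call f{self.Cur_F} -> f{num}")
        self.state, self.Cur_F = nxt, num
        return True

    def on_call(self, ret_addr):       # steps 8f-8g: ret_addr = instruction after the call
        self.TABret.append((ret_addr, self.Cur_F, self.Cur_B))
        return True

    def on_exit(self, ret_addr):       # steps 8h-8k: ret_addr = target the ret will use
        saved, caller, caller_block = self.TABret[-1]
        if saved == 0:                 # main() returning: the run ends normally
            return self._stop("main returned", violation=False)
        if ret_addr != saved:          # shadow-stack style check against TABret
            return self._stop(f"return address mismatch in f{self.Cur_F}: {ret_addr:#x} != {saved:#x}")
        nxt = self.T.get((self.state, 1, caller), INVALID)
        if nxt == INVALID:
            return self._stop(f"illegal return f{self.Cur_F} -> f{caller}")
        self.state, self.Cur_F, self.Cur_B = nxt, caller, caller_block
        self.TABret.pop()
        return True

    def on_block(self, addr, func_entry):   # steps 8l-8o
        off = addr - func_entry
        if off == 0:                   # first block of the function
            self.Cur_B = 1
            return True
        blocks = self.TABbb[self.Cur_F]
        for s in blocks[self.Cur_B - 1].sucs:
            if blocks[s - 1].offset == off:
                self.Cur_B = s
                return True
        return self._stop(f"illegal control transfer inside f{self.Cur_F} to offset {off:#x}")

# Constructed program model; addresses and block layout are made up for the example.
ENTRIES = {1: 0x1000, 2: 0x2000, 3: 0x3000}           # 1 = main, 2 = parse, 3 = log
CALL_EDGES = [(1, 2), (2, 3), (1, 3)]
CFGS = {1: [BasicBlock(1, 0x00, (2, 3)), BasicBlock(2, 0x10, (4,)),
            BasicBlock(3, 0x20, (4,)), BasicBlock(4, 0x30)],
        2: [BasicBlock(1, 0x00, (2,)), BasicBlock(2, 0x10)],
        3: [BasicBlock(1, 0x00)]}

def run(events):
    """Feed a probe trace to a fresh monitor and return its verdict."""
    mon = Monitor(ENTRIES, CALL_EDGES, CFGS)
    for kind, *args in events:
        if not getattr(mon, "on_" + kind)(*args):
            break
    return mon.verdict

# Constructed probe traces. Benign run: main -> parse -> log, every return in place.
GOOD_TRACE = [("entry", 0x1000), ("block", 0x1000, 0x1000), ("block", 0x1010, 0x1000),
              ("call", 0x1014), ("entry", 0x2000), ("block", 0x2000, 0x2000),
              ("call", 0x2008), ("entry", 0x3000), ("block", 0x3000, 0x3000),
              ("exit", 0x2008), ("block", 0x2010, 0x2000), ("exit", 0x1014),
              ("block", 0x1030, 0x1000), ("exit", 0xdead)]
SMASHED_TRACE = GOOD_TRACE[:11] + [("exit", 0x3000)]                     # parse's return address overwritten
BAD_CALL_TRACE = GOOD_TRACE[:9] + [("call", 0x3004), ("entry", 0x2000)]  # log -> parse: no such edge
BAD_JUMP_TRACE = GOOD_TRACE[:2] + [("block", 0x1030, 0x1000)]            # main block 1 -> block 4 directly
```

Two caveats a practitioner would want. The tables live in the monitored process's own address space, so an attacker who already has an arbitrary write can edit TABret before the exit probe runs; the check detects corruption of the return address on the stack, not of the monitor's own data. And the static call graph must contain every legitimate edge, including the targets of indirect calls, which static binary analysis often cannot resolve; a missing edge makes a legal call land in state 0, a false positive rather than a detection.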
Compared with the prior art, the present invention has the following advantages:
First, because the invention uses a static binary analysis tool to extract the function call relations of the monitored file and its dependency libraries into the call graph G(E, F), together with the basic-block-level control flow of each function in G(E, F), it can monitor not only the control flow of the executable itself but also that of the dynamic libraries it depends on. This overcomes the limitation of the prior art, which can monitor only the control flow of the source files, and makes the monitoring more complete.
Second, because the invention uses a static binary code implantation tool to load the dynamic library containing the monitoring code into the address space of the monitored process, only a static analysis of the code is needed to find the implantation points, and the static implantation is completed before the software executes. This overcomes the high run-time overhead of the prior art, so the invention has low run-time overhead and is relatively simple to implement.
Description of the drawings
Fig. 1 is the overall flow chart of the invention;
Fig. 2 is the flow chart of the step of monitoring the software running state.
Specific embodiment
The present invention is described further below with reference to the drawings.
Referring to Fig. 1, the concrete steps of the invention are described further.
Step 1: extract the function call relations.
Using a static binary analysis tool, extract the call relations among the functions of the monitored executable and its dependency library files, and store them in a function call graph data structure G(E, F), where E is the set of directed edges and F is the set of all functions in G(E, F).
Step 2: extract the intra-function control-flow information.
Using a static binary analysis tool, extract the basic blocks and the control flow of each function in G(E, F), and store the basic-block-level control-flow information in a control-flow graph data structure G(B, E), where E is the set of directed edges and B is the set of basic blocks in G(B, E).
Step 3: construct a finite state machine.
Add state 0 to the non-empty finite set S of states of the finite state machine.
Number each function in the function call graph G(E, F), the i-th function receiving number i.
Assign state 1, which corresponds to the main() function in G(E, F), as the initial state S0 of the finite state machine.
For each function f_i ∈ F, add state i to the state set S and to the set of final states A of the finite state machine.
For f_i ∈ F and f_j ∈ F, if there is a directed edge from function f_i to function f_j, add the following state transitions to the state transition function T:
Z0 = 0, Z1 = j → Nextstate[i] = state j
Z0 = 1, Z1 = i → Nextstate[j] = state i
where Z0 and Z1 are the input symbols of the finite state machine, Nextstate[i] is the next state of state i, Nextstate[j] is the next state of state j, and i and j are the numbers of the functions f_i and f_j respectively.
For every state whose next state on some input is undefined, set that next state to state 0.
For a call graph G(E, F) containing N functions, this algorithm constructs a finite state machine FSM(Z, S, T, S0, A) with N + 1 states. State 0 is the invalid state; the remaining N states correspond to the N functions of G(E, F). Every legal call or return between two functions maps to a transition between the corresponding states, and any illegal function call or return moves the finite state machine to the invalid state. Here Z is the input alphabet of the state machine, S the non-empty finite set of its states, S0 its initial state, A the set of its final states and T its state transition function T: S × Z → S. The input alphabet Z consists of two symbols Z0 and Z1: Z0 takes the value 0 (a call) or 1 (a return), and Z1 takes a positive integer from 1 to N (a function number).
Step 4: initialize the table TABbb.
Each function in G(E, F) corresponds to one control-flow graph G(B, E), and each function is given one initialized table TABbb, in which row i corresponds to the i-th basic block of that G(B, E). Each row has three fields, index, offset and sucs: index is the index of the i-th basic block, offset is the entry address of the i-th basic block relative to the entry address of the function containing it, and sucs holds the indices of the successor basic blocks of the i-th basic block.
Step 5: initialize the tables TABstart and TABret.
After the monitored software has been loaded, obtain the entry addresses of all functions in G(E, F).
Add the information of the i-th function to row i of TABstart, where row i corresponds to the i-th function in G(E, F) and each row has three fields, addr, index and ptr: addr is the entry address of the i-th function, index is its function number, and ptr is a pointer to the TABbb table of the i-th function.
Add the values 0, -1, -1 as the first row of TABret; every further row of TABret corresponds to a function in G(E, F) that is called while the monitored software executes.
Step 6: initialize the integer variables Cur_F and Cur_B.
Assign the number 1 of the main() function in G(E, F) to the integer variable Cur_F, and the number 1 of the first basic block of main() to the integer variable Cur_B.
Step 7: implant code.
Using a static binary code implantation tool, load the dynamic library containing the monitoring code into the address space of the monitored process.
Look up the monitoring functions in the dynamic library by name and construct call statements to them.
Using the code implantation tool and the information in G(E, F) and G(B, E), determine the code implantation points in the monitored software.
The code implantation points are: the entry point BPatch_entry of each function in G(E, F), the function exit point BPatch_exit, the static call instruction points BPatch_subroutine inside each function, and the entry point BPatch_locBasicBlockEntry of each basic block in G(B, E) (these are instrumentation point types of the Dyninst BPatch API).
Implant the constructed call statements at the corresponding code implantation points.
At the entry point BPatch_entry of each function in G(E, F), a call to the function-call legality check function is implanted. This function looks up TABstart by the function's entry address; if the address is in TABstart it passes the corresponding function number to the finite state machine FSM, which checks whether a transition exists from the current state to the state corresponding to the received number; if it exists, the function call is legal. At the exit point BPatch_exit of each function in G(E, F), a call to the function-return legality check function is implanted. This function looks up TABret using the return address of the ret instruction: if the return address recorded in the last row of TABret is 0, the monitored software has reached the exit point of main() in G(E, F) and execution ends; otherwise it checks whether the return address recorded in the last row of TABret is identical to the return address in the ret instruction. If so, it passes the function number of that last row to FSM, which checks whether a transition exists from the current state to the state corresponding to that number; if it exists, the function return is legal, otherwise monitoring ends. At the call instruction point BPatch_subroutine of each function in G(E, F), a call to the return-information storage function is implanted: when the call instruction executes, this function stores the address of the instruction following the call, the number of the function containing the call instruction (variable Cur_F) and the index of the current basic block (variable Cur_B) in the last row of TABret. At the entry point BPatch_locBasicBlockEntry of each basic block in G(B, E), a call to the intra-function control-flow legality check function is implanted. This function computes, from the entry address of the basic block and that of the function containing it, the offset of the block entry relative to the function entry, then looks up the TABbb table of the containing function using the variables Cur_F and Cur_B. If the offset equals the offset of one of the successor blocks of the basic block Cur_B, the control-flow change is legal and the value of Cur_B is updated; otherwise monitoring ends.
Referring to Fig. 2, the flow of the step of monitoring the software running state is described further.
Step 8: monitor the running state of the software.
(8a) Judge whether the monitored software has reached the entry point of a function in G(E, F); if so, go to step (8b), otherwise go to step (8f).
(8b) Look up TABstart by the function entry address and judge whether the entry address is in TABstart; if so, pass the corresponding function number together with the value 0 to the finite state machine and go to step (8c), otherwise go to step 9.
(8c) Judge whether the function number received by the finite state machine is 1; if so, go to step (8d), otherwise go to step (8e).
(8d) Set the current state of the finite state machine to the initial state S0 and go to step (8a).
(8e) Judge whether the finite state machine can move from its current state to the state corresponding to the received number; if so, move to that state, assign the function number obtained in step (8b) to Cur_F and go to step (8a); otherwise move the finite state machine to the invalid state 0 and go to step 9.
(8f) Judge whether the monitored software has reached a call instruction inside a function of G(E, F); if so, go to step (8g), otherwise go to step (8h).
(8g) Add the address of the instruction following the call instruction, the number of the function containing the call instruction (Cur_F) and the index of the basic block containing it (Cur_B) as a new last row of TABret, then go to step (8a).
(8h) Judge whether the monitored software has reached the exit point of a function in G(E, F); if so, go to step (8i), otherwise go to step (8l).
(8i) Judge whether the address value stored in the last row of TABret is 0; if so, go to step 9, otherwise go to step (8j).
(8j) Judge whether the return address used by the ret instruction equals the address stored in the last row of TABret; if so, go to step (8k), otherwise go to step 9.
(8k) Pass the function number stored in the last row of TABret together with the value 1 to the finite state machine and judge whether it can move from its current state to the state corresponding to that number; if so, move to that state, assign the function number from the last row of TABret to Cur_F and the basic block index from the last row to Cur_B, delete the last row of TABret and go to step (8a); otherwise move the finite state machine to the invalid state 0 and go to step 9.
(8l) When the monitored software reaches the entry of a basic block of G(B, E), compute the offset of the block's entry point relative to the entry of the function containing it.
(8m) Judge whether the computed offset is 0; if so, go to step (8n), otherwise go to step (8o).
(8n) Assign the value 1 to Cur_B and go to step (8a).
(8o) Judge whether the offset equals the offset of one of the successor blocks of the basic block Cur_B; if so, assign that successor's index to Cur_B and go to step (8a), otherwise go to step 9.
Step 9: end monitoring.

Claims (1)

1. A software runtime monitoring method based on binary code implantation technology, comprising the following steps:
(1) Extract the function call relationships:
Using a static binary analysis tool, extract the function call relationships of the monitored software's executable file and of the library files it depends on, and store them in a function call graph data structure G(E, F), where E is the set of directed edges and F is the set of all functions in the function call graph G(E, F);
(2) Extract the intra-function control flow information:
Using a static binary analysis tool, extract the basic blocks and the control flow information of each function in the function call graph G(E, F), and store the basic-block-level control flow information in a control flow graph data structure G(B, E), where E is the set of directed edges and B is the set of basic blocks of the control flow graph G(B, E);
(3) Construct a finite state machine:
(3a) Add state 0 to the non-empty finite set of states S of the finite state machine;
(3b) Number each function in the function call graph G(E, F): the i-th function is numbered i and denoted f_i;
(3c) Assign state 1, which corresponds to the main() function in the function call graph G(E, F), to the initial state S0 of the finite state machine;
(3d) For each function f_i with f_i ∈ F, add state i both to the state set S and to the set of final states A of the finite state machine;
(3e) For f_i ∈ F and f_j ∈ F, if there is a directed edge from function f_i to function f_j, add the following state transitions to the state transition function T:
Z0 = 0, Z1 = j → Nextstate[i] = state j
Z0 = 1, Z1 = i → Nextstate[j] = state i
where Z0 and Z1 are the input symbols of the finite state machine, Nextstate[i] is the next state of state i, Nextstate[j] is the next state of state j, and i and j are the numbers of functions f_i and f_j respectively;
(3f) For every state whose next state is undefined, set its next state to state 0;
(4) Initialize the table TABbb:
Each function in the function call graph G(E, F) corresponds to one control flow graph G(B, E); for each function in G(E, F), initialize a table TABbb in which the i-th row corresponds to the i-th basic block of that function's control flow graph G(B, E). Each row has three fields, index, offset and sucs: index is the index of the i-th basic block, offset is the offset of the entry address of the i-th basic block relative to the entry address of the function containing it, and sucs holds the indices of the successor basic blocks of the i-th basic block;
(5) Initialize the tables TABstart and TABret:
(5a) After the monitored software has been loaded, obtain the entry addresses of all functions in the function call graph G(E, F);
(5b) Add the information of the i-th function to the i-th row of table TABstart, where the i-th row of TABstart corresponds to the i-th function of the function call graph G(E, F) and has three fields, addr, index and ptr: addr is the entry address of the i-th function, index is the function number of the i-th function, and ptr is a pointer to the table TABbb of the i-th function;
(5c) Add the values 0, -1, -1 as the first row of table TABret; each subsequent row of TABret corresponds to a function of the function call graph G(E, F) that is invoked while the monitored software runs;
(6) Initialize the integer variables Cur_F and Cur_B:
Assign the number 1 of the main() function in the function call graph G(E, F) to the integer variable Cur_F, and assign the number 1 of the first basic block of the main() function to the integer variable Cur_B;
(7) Code implantation:
(7a) Using a static binary code implantation tool, load the dynamic library containing the monitoring code into the process address space of the monitored software;
(7b) Look up the monitoring functions in the dynamic library by function name, and construct the call statements to the monitoring functions;
(7c) Using the code implantation tool, analyse the code implantation points in the monitored software according to the information in the function call graph G(E, F) and the control flow graph G(B, E);
(7d) Implant the constructed call statements at the corresponding code implantation points;
(8) Monitor the running state of the software:
(8a) Determine whether the monitored software has reached the entry point of a function in the function call graph G(E, F); if so, go to step (8b), otherwise go to step (8f);
(8b) Look up the function entry address in table TABstart and determine whether it is present there; if so, pass the corresponding function number together with the integer 0 to the finite state machine and go to step (8c), otherwise go to step (9);
(8c) Determine whether the function number received by the finite state machine is 1; if so, go to step (8d), otherwise go to step (8e);
(8d) Set the current state of the finite state machine to the initial state S0 and go to step (8a);
(8e) Determine whether the finite state machine can move from its current state to the state corresponding to the received number; if so, move to that state, assign the function number obtained in step (8b) to Cur_F and go to step (8a); otherwise the finite state machine moves to the invalid state 0, and go to step (9);
(8f) Determine whether the monitored software has reached the location of a call instruction inside a function of the function call graph G(E, F); if so, go to step (8g), otherwise go to step (8h);
(8g) Add the address of the instruction following the call instruction to TABret, together with the number of the function containing the call instruction and the index of the basic block containing it; go to step (8a);
(8h) Determine whether the monitored software has reached the exit point of a function in the function call graph G(E, F); if so, go to step (8i), otherwise go to step (8l);
(8i) Determine whether the address value stored in the last row of table TABret is 0; if so, go to step (9), otherwise go to step (8j);
(8j) Determine whether the return address used by the function's return instruction ret matches the address value stored in the last row of table TABret; if so, go to step (8k), otherwise go to step (9);
(8k) Pass the function number stored in the last row of table TABret together with the integer 1 to the finite state machine, and determine whether the finite state machine can move from its current state to the state corresponding to the received number; if so, move to that state, assign the function number from the last row of TABret to the integer variable Cur_F, assign the basic block index stored in the last row of TABret to the integer variable Cur_B, delete the last record of TABret and go to step (8a); otherwise the finite state machine moves to the invalid state 0, and go to step (9);
(8l) When the monitored software reaches the entry point of a basic block in the control flow graph G(B, E), compute the offset of that entry point relative to the entry point of the function containing the basic block;
(8m) Determine whether the computed offset is 0; if so, go to step (8n), otherwise go to step (8o);
(8n) Assign the integer 1 to the variable Cur_B and go to step (8a);
(8o) Determine whether the offset equals the offset of one of the successor blocks of the basic block numbered Cur_B; if so, assign the number of that successor block to the integer variable Cur_B and go to step (8a); otherwise go to step (9);
(9) Terminate monitoring.
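The finite state machine of step (3), the tables of steps (4) to (6) and the monitoring procedure of step (8), as an added Python example that is not the patent's own implementation. The two-function program, its entry addresses, TABbb rows and the events fed to the monitor are constructed; the Z0/Z1 inputs, TABstart, TABret, Cur_F and Cur_B follow the claim.

```python
# Added example, not the patent's code: a monitor for claim steps (3)-(8); all data below is constructed.
INVALID, Z_ENTRY, Z_RETURN = 0, 0, 1              # state 0 is the invalid state; Z0 is 0 on entry, 1 on return

class FsmMonitor:
    def __init__(self, call_edges, tabstart):
        self.T = {}                               # step (3): (state, Z0, Z1) -> next state
        for i, j in call_edges:                   # directed edge f_i -> f_j of G(E, F)
            self.T[(i, Z_ENTRY, j)] = j           # Z0=0, Z1=j: Nextstate[i] = state j
            self.T[(j, Z_RETURN, i)] = i          # Z0=1, Z1=i: Nextstate[j] = state i
        self.state = 1                            # S0 is state 1, the state of main() (3c)
        self.tabstart = tabstart                  # TABstart: entry addr -> (func no., TABbb rows)
        self.tabret = [(0, -1, -1)]               # TABret with its sentinel row (5c)
        self.cur_f, self.cur_b, self.reason = 1, 1, None   # step (6); reason is set at step (9)
    def _stop(self, why):                         # step (9): terminate monitoring
        self.reason = why
        return False
    def _move(self, z0, z1):                      # undefined transition -> state 0 (3f)
        self.state = self.T.get((self.state, z0, z1), INVALID)
        return self.state != INVALID or self._stop("invalid transition Z0=%d Z1=%d" % (z0, z1))
    def on_function_entry(self, addr):            # steps (8a)-(8e)
        if addr not in self.tabstart:             # (8b)
            return self._stop("entry address not in TABstart")
        num = self.tabstart[addr][0]
        if num == 1:                              # (8c)/(8d): entering main() resets to S0
            self.state = 1
        elif self._move(Z_ENTRY, num):            # (8e): otherwise follow a call edge
            self.cur_f = num
        return self.state != INVALID
    def on_call(self, return_addr):               # (8g): record where the callee must return
        self.tabret.append((return_addr, self.cur_f, self.cur_b))
        return True
    def on_function_exit(self, ret_target):       # steps (8h)-(8k)
        addr, num, blk = self.tabret[-1]
        if addr == 0:                             # (8i): only the sentinel is left, main() returned
            return self._stop("main() returned")
        if ret_target != addr:                    # (8j): ret must go to the recorded address
            return self._stop("return address mismatch")
        if self._move(Z_RETURN, num):             # (8k): back to the caller's state and block
            self.cur_f, self.cur_b = num, blk
            self.tabret.pop()
        return self.state != INVALID
    def on_block_entry(self, addr):               # steps (8l)-(8o)
        entry = next(a for a, (n, _) in self.tabstart.items() if n == self.cur_f)
        rows, offset = self.tabstart[entry][1], addr - entry   # TABbb rows: (index, offset, sucs)
        cand = [1] if offset == 0 else rows[self.cur_b - 1][2]  # (8n) first block, else (8o) successors
        hits = [i for i in cand if rows[i - 1][1] == offset]
        if hits:
            self.cur_b = hits[0]
        return bool(hits) or self._stop("block offset %#x is not a successor of block %d" % (offset, self.cur_b))

# Constructed program: f_1 = main() at 0x1000 calls f_2 at 0x2000; G(E, F) has that single edge.
EDGES = [(1, 2)]
TABSTART = {0x1000: (1, [(1, 0x0, [2]), (2, 0x10, [])]),
            0x2000: (2, [(1, 0x0, [2]), (2, 0x8, [3]), (3, 0x10, [])])}
```

A handler returning False is the claim's step (9); `reason` records whether monitoring ended because main() returned or because of an undeclared call edge, a return-address mismatch or a basic block that is not a successor of the current one.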
CN201610877174.5A 2016-10-08 2016-10-08 Software runtime monitoring method based on binary code implantation technology Active CN106528403B (en)

Publications (2)

Publication Number Publication Date
CN106528403A true CN106528403A (en) 2017-03-22
CN106528403B CN106528403B (en) 2018-11-20

Family

ID=58333026

Country Status (1)

Country Link
CN (1) CN106528403B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107046490A (en) * 2017-03-30 2017-08-15 上海斐讯数据通信技术有限公司 Method and system for controlling an intelligent gateway with a finite state machine, and intelligent control system
CN107908955A (en) * 2017-11-30 2018-04-13 华中科技大学 Control flow integrity protection method and system based on intermediate language analysis
CN108446557A (en) * 2018-03-12 2018-08-24 江苏中天科技软件技术有限公司 Security threat active sensing method based on honeypot defense
CN113721928A (en) * 2021-11-02 2021-11-30 成都无糖信息技术有限公司 Binary analysis-based dynamic library clipping method

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040226007A1 (en) * 2003-05-09 2004-11-11 Guarraci Brian J. Instrumenting software for enhanced diagnosability
CN101714118A (en) * 2009-11-20 2010-05-26 北京邮电大学 Detector for binary-code buffer-zone overflow bugs, and detection method thereof
CN101968766A (en) * 2010-10-21 2011-02-09 上海交通大学 System for detecting software bug triggered during practical running of computer program
CN103257913A (en) * 2013-04-18 2013-08-21 西安交通大学 System and method for detecting and removing fault of software in operation
WO2014113367A1 (en) * 2013-01-15 2014-07-24 Taasera, Inc. System for and a method of cognitive behavior recognition
CN104636256A (en) * 2015-02-17 2015-05-20 中国农业银行股份有限公司 Memory access abnormity detecting method and memory access abnormity detecting device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
郭长国 (Guo Changguo) et al.: "A distributed software runtime monitoring mechanism", 《计算机与数字工程》 (Computer and Digital Engineering) *

Also Published As

Publication number Publication date
CN106528403B (en) 2018-11-20

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant