CN106528403A - Software runtime monitoring method based on binary code implantation technology - Google Patents
- Publication number: CN106528403A (application number CN201610877174.5A)
- Authority: CN (China)
- Prior art keywords: function, state, execution step, numbering, basic block
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/36—Preventing errors by testing or debugging software
- G06F11/362—Software debugging
- G06F11/3644—Software debugging by instrumenting at runtime
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/54—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by adding security routines or objects to programs
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/563—Static detection by source code analysis
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Virology (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Quality & Reliability (AREA)
- Debugging And Monitoring (AREA)
Abstract
The invention discloses a software runtime monitoring method based on binary code implantation. The method comprises the following steps: (1) extracting function call relations; (2) extracting intra-function control-flow information; (3) constructing a finite state machine; (4) initialising a table TABbb; (5) initialising a table TABstart and a table TABret; (6) initialising integer variables Cur_F and Cur_B; (7) implanting code; (8) monitoring the running state of the software; and (9) ending monitoring. The method has the characteristics of low run-time overhead and ease of implementation.
Description
Technical field
The invention belongs to the field of computer technology and further relates to a software runtime monitoring method based on binary code implantation in the field of software security. For PE format files under Windows or ELF format files under Linux, the invention uses static binary code implantation to effectively monitor the running trajectory of the software.
Background technology
With the development of computer technology, computer software has penetrated every field of the national economy. Once critical software is compromised, it can cause economic and security threats to its users, so the security of software is an increasingly prominent issue. Through a security vulnerability in a specific piece of software, malicious code can run and obtain the authority to access data illegally. A typical class of security vulnerability is the buffer overflow vulnerability.
Software runtime monitoring is a technique that, during the actual execution of the software, obtains the running-state information and execution trace of the software, compares them with the expected running trajectory derived by prior analysis, and thereby judges whether the software is executing securely.
Control-flow information about software, such as the function call graph and the control flow graph, is generally extracted with static analysis tools. According to the type of object code analysed, static software analysis is divided into source-code-based analysis and binary-code-based analysis. Source code analysis directly analyses the expressions and data structures of the source program; binary analysis works at the machine code level and analyses an intermediate representation of the executable code. Source-code-based analysis can only analyse the control-flow information contained in the source files; it cannot analyse the control-flow information contained in the static and dynamic library files that the software depends on. Binary-code-based analysis can analyse not only the control-flow information in the software's executable file but also the control-flow information contained in the dynamic library files the software depends on.
The execution trace of running software can be obtained by code implantation. Code implantation is divided into source-code-based implantation and binary-based implantation; binary-based implantation is further divided into dynamic implantation and static implantation. Compared with dynamic implantation, static implantation is completed before the program executes, so the run-time overhead it produces is smaller, and static implantation is also simpler to implement.
The patent "Parallelized security vulnerability detection method based on function call graph" applied for by BJ University of Aeronautics & Astronautics (application number 201110417105.3, publication number 102567200A) discloses a vulnerability detection method. It uses source-code-based analysis: it generates the function call graph of the modules corresponding to the source files and detects only the security vulnerabilities present in the source files. The weakness of this method is that it cannot analyse the function call relations and the intra-function control-flow information in the modules of the static and dynamic library files that the source code depends on, and therefore cannot detect security vulnerabilities in those static and dynamic libraries.
The patent "A software probe method" applied for by Changzhou Yun Bo Software Engineering Technology Co., Ltd (application number 201210054220.3, publication number 102646068A) discloses a method for detecting the program-flow information of application software in real time while it runs. It uses source-code-based code implantation and can monitor the software in real time as it runs in a computer system. The weakness of this method is that the newly implanted code must be compiled before it can execute, so a large run-time overhead cannot be avoided.
Summary of the invention
The object of the invention is to overcome the shortcomings of the prior art described above by proposing a software runtime monitoring method based on binary code implantation.
To achieve this object, the idea of the invention is to use a static binary analysis tool to analyse the call relations between the functions of the monitored software and the control-flow information inside each function, generating a function call graph G(E, F) and control flow graphs G(B, E); then to construct a finite state machine FSM (Z, S, T, S0, A) from the function call graph G(E, F), and to initialise a table TABbb from each control flow graph G(B, E). Each state of the state machine corresponds to one function in the call graph G(E, F), and one additional invalid state is added to the state machine. A transition between any two valid states represents a valid call or return relation between the corresponding functions, and any illegal function call or return moves the finite state machine into the invalid state. The table TABbb has as many rows as the corresponding function has basic blocks, and each row contains three fields: (1) the index of the basic block, (2) the offset of the basic block's entry address relative to the entry address of the function containing the block, and (3) the indices of the block's successor blocks. A static binary code implantation tool loads the dependency library containing the monitoring code into the process address space of the monitored software and implants call statements to the monitoring functions at specific locations in the monitored software. Whenever a function call, a function return or an intra-function control-flow change occurs while the monitored software runs, a monitoring function in the dependency library is invoked; by consulting the finite state machine and TABbb, the monitoring function judges whether the execution of the monitored software is consistent with the running trajectory predicted by the prior analysis.
The object of the invention is achieved by the following concrete steps:
(1) extract function call relations:
Using a static binary analysis tool, extract the call relations between the functions in the monitored software's executable and its dependency library files, and store the function call relations in a function call graph G(E, F) data structure, where E is the set of directed edges and F is the set of all functions in the call graph G(E, F);
(2) extract intra-function control-flow information:
Using a static binary analysis tool, extract the basic blocks and the control-flow information of each function in the call graph G(E, F), and store the basic-block-level control-flow information in a control flow graph G(B, E) data structure, where E is the set of directed edges and B is the set of basic blocks in the control flow graph G(B, E);
(3) construct a finite state machine:
(3a) add state 0 to the non-empty finite set S of states of the finite state machine;
(3b) number each function in the call graph G(E, F), the i-th function being numbered i;
(3c) assign state 1, which corresponds to the main() function in the call graph G(E, F), as the initial state S0 of the finite state machine;
(3d) for every function f_i satisfying f_i ∈ F, add state i to the state set S and to the set A of final states of the finite state machine;
(3e) for f_i ∈ F and f_j ∈ F, if there is a directed edge from function f_i to function f_j, add the following state transitions to the state transition function T:
Z0 = 0, Z1 = j → Nextstate[i] = state j
Z0 = 1, Z1 = i → Nextstate[j] = state i
where Z0 and Z1 are the input letters of the finite state machine, Nextstate[i] is the next state of state i, Nextstate[j] is the next state of state j, and i and j are the numbers of functions f_i and f_j respectively;
(3f) for every state whose next state is empty, set its next state to state 0;
(4) initialise the table TABbb:
Each function in the call graph G(E, F) corresponds to one control flow graph G(B, E), and each function in G(E, F) is given one initialised table TABbb, in which the i-th row corresponds to the i-th basic block of the control flow graph G(B, E). Each row contains three fields index, offset and sucs: index is the index of the i-th basic block, offset is the entry address of the i-th basic block relative to the entry address of the function containing it, and sucs holds the indices of the successor basic blocks of the i-th basic block;
(5) initialise the tables TABstart and TABret:
(5a) after the monitored software has been loaded, obtain the entry addresses of all functions in the call graph G(E, F);
(5b) add the information of the i-th function to the i-th row of the table TABstart, where the i-th row of TABstart corresponds to the i-th function in G(E, F) and each row contains three fields addr, index and ptr: addr is the entry address of the i-th function, index is the function number of the i-th function, and ptr is a pointer to the table TABbb of the i-th function;
(5c) add the values 0, -1, -1 to the first row of the table TABret; each subsequent row of TABret corresponds to a function in G(E, F) that is called during the execution of the monitored software;
(6) initialise the integer variables Cur_F and Cur_B:
Assign the number 1 of the main() function in G(E, F) to the integer variable Cur_F, and the number 1 of the first basic block of main() to the integer variable Cur_B;
(7) implant code:
(7a) using a static binary code implantation tool, load the dynamic library containing the monitoring code into the process address space of the monitored software;
(7b) look up the monitoring functions in the dynamic library by function name and construct the call statements to the monitoring functions;
(7c) using the code implantation tool and the information in the call graph G(E, F) and the control flow graphs G(B, E), analyse the code implantation points in the monitored software;
(7d) implant the constructed call statements at the corresponding code implantation points;
(8) monitor the running state of the software:
(8a) judge whether the monitored software has reached the entry of some function in the call graph G(E, F); if so, go to step (8b), otherwise go to step (8f);
(8b) look up the table TABstart by the function entry address and judge whether the entry address is in TABstart; if so, pass the corresponding function number together with the value 0 to the finite state machine and go to step (8c), otherwise go to step (9);
(8c) judge whether the function number received by the finite state machine is 1; if so, go to step (8d), otherwise go to step (8e);
(8d) set the current state of the finite state machine to the initial state S0 and go to step (8a);
(8e) judge whether the finite state machine can move from its current state to the state corresponding to the received number; if so, move to that state, assign the function number obtained in step (8b) to Cur_F and go to step (8a); otherwise the finite state machine moves to the invalid state 0 and execution goes to step (9);
(8f) judge whether the monitored software has reached the location of a call instruction inside a function of the call graph G(E, F); if so, go to step (8g), otherwise go to step (8h);
(8g) add the address of the instruction following the call instruction to TABret, together with the number of the function containing the call instruction and the index of the basic block containing it, then go to step (8a);
(8h) judge whether the monitored software has reached the exit point of a function in the call graph G(E, F); if so, go to step (8i), otherwise go to step (8l);
(8i) judge whether the address value stored in the last row of the table TABret is 0; if so, go to step (9), otherwise go to step (8j);
(8j) judge whether the return address used by the function return instruction ret is equal to the address value stored in the last row of TABret; if so, go to step (8k), otherwise go to step (9);
(8k) pass the function number of the last row of TABret together with the value 1 to the finite state machine and judge whether it can move from its current state to the state corresponding to that number; if so, move to that state, assign the function number of the last row of TABret to the integer variable Cur_F and the basic block index stored in that row to the integer variable Cur_B, delete the last row of TABret and go to step (8a); otherwise the finite state machine moves to the invalid state 0 and execution goes to step (9);
(8l) when the monitored software reaches the entry of a basic block in the control flow graph G(B, E), compute the offset of the block's entry relative to the entry of the function containing the block;
(8m) judge whether the computed offset is 0; if so, go to step (8n), otherwise go to step (8o);
(8n) assign the value 1 to the variable Cur_B and go to step (8a);
(8o) judge whether the offset is equal to the offset of one of the successor blocks of the basic block corresponding to Cur_B; if so, assign the index of that successor block to Cur_B and go to step (8a), otherwise go to step (9);
(9) end monitoring.
Compared with the prior art, the invention has the following advantages:
First, because the invention uses a static binary analysis tool to extract the function call relations in the monitored software file and its dependency library files, stores them in the call graph G(E, F), and extracts the basic-block-level control-flow information of every function in G(E, F), it can monitor not only the control flow of the software's executable file but also the control flow of the dynamic library files the software depends on. This overcomes the deficiency of the prior art, which can only monitor the control flow corresponding to the software's source files, and makes the monitoring of the invention more complete.
Second, because the invention uses a static binary code implantation tool to load the dynamic library containing the monitoring code into the process address space of the monitored software, only a static analysis of the software code is needed to find the implantation points, and the static implantation is completed before the software executes. This overcomes the high run-time overhead of the prior art, so that the invention has low run-time overhead and is relatively simple to implement.
Description of the drawings
Fig. 1 is the overall flow chart of the invention;
Fig. 2 is the flow chart of the step of monitoring the running state of the software.
Specific embodiment
The invention is further described below with reference to the accompanying drawings.
Referring to Fig. 1, the concrete steps of the invention are described further.
Step 1, extract function call relations.
Using a static binary analysis tool, extract the call relations between the functions in the monitored software's executable and its dependency library files, and store the function call relations in a function call graph G(E, F) data structure, where E is the set of directed edges and F is the set of all functions in the call graph G(E, F).
Step 2, extract intra-function control-flow information.
Using a static binary analysis tool, extract the basic blocks and the control-flow information of each function in the call graph G(E, F), and store the basic-block-level control-flow information in a control flow graph G(B, E) data structure, where E is the set of directed edges and B is the set of basic blocks in the control flow graph G(B, E).
Step 3, construct a finite state machine.
Add state 0 to the non-empty finite set S of states of the finite state machine.
Number each function in the call graph G(E, F), the i-th function being numbered i.
Assign state 1, which corresponds to the main() function in the call graph G(E, F), as the initial state S0 of the finite state machine.
For every function f_i satisfying f_i ∈ F, add state i to the state set S and to the set A of final states of the finite state machine.
For f_i ∈ F and f_j ∈ F, if there is a directed edge from function f_i to function f_j, add the following state transitions to the state transition function T:
Z0 = 0, Z1 = j → Nextstate[i] = state j
Z0 = 1, Z1 = i → Nextstate[j] = state i
where Z0 and Z1 are the input letters of the finite state machine, Nextstate[i] is the next state of state i, Nextstate[j] is the next state of state j, and i and j are the numbers of functions f_i and f_j respectively.
For every state whose next state is empty, set its next state to state 0.
For a call graph G(E, F) containing N functions, this algorithm constructs a finite state machine FSM (Z, S, T, S0, A) with N+1 states: state 0 is the invalid state, and the remaining N states correspond to the N functions of the call graph G(E, F). Any valid call or return relation between two functions maps to a transition between the corresponding states, and any illegal function call or return causes the finite state machine to move to the invalid state. Here Z is the input alphabet of the state machine, S is the non-empty finite set of its states, S0 is its initial state, A is the set of its final states, and T is its state transition function T: S × Z → S. The input alphabet Z consists of two letters Z0 and Z1: Z0 takes the value 0 or 1, and Z1 takes a positive integer from 1 to N.
Step 4, initialise the table TABbb.
Each function in the call graph G(E, F) corresponds to one control flow graph G(B, E), and each function in G(E, F) is given one initialised table TABbb, in which the i-th row corresponds to the i-th basic block of the control flow graph G(B, E). Each row contains three fields index, offset and sucs: index is the index of the i-th basic block, offset is the entry address of the i-th basic block relative to the entry address of the function containing it, and sucs holds the indices of the successor basic blocks of the i-th basic block.
Step 5, initialise the tables TABstart and TABret.
After the monitored software has been loaded, obtain the entry addresses of all functions in the call graph G(E, F).
Add the information of the i-th function to the i-th row of the table TABstart, where the i-th row of TABstart corresponds to the i-th function in G(E, F) and each row contains three fields addr, index and ptr: addr is the entry address of the i-th function, index is the function number of the i-th function, and ptr is a pointer to the table TABbb of the i-th function.
Add the values 0, -1, -1 to the first row of the table TABret; each subsequent row of TABret corresponds to a function in G(E, F) that is called during the execution of the monitored software.
Step 6, initialise the integer variables Cur_F and Cur_B.
Assign the number 1 of the main() function in G(E, F) to the integer variable Cur_F, and the number 1 of the first basic block of main() to the integer variable Cur_B.
Step 7, implant code.
Using a static binary code implantation tool, load the dynamic library containing the monitoring code into the process address space of the monitored software.
Look up the monitoring functions in the dynamic library by function name and construct the call statements to the monitoring functions.
Using the code implantation tool and the information in the call graph G(E, F) and the control flow graphs G(B, E), analyse the code implantation points in the monitored software.
The code implantation points are: the entry point BPatch_entry and the exit point BPatch_exit of each function in the call graph G(E, F), the static call instruction points BPatch_subroutine inside each function, and the entry point BPatch_locBasicBlockEntry of each basic block in the control flow graph G(B, E).
Implant the constructed call statements at the corresponding code implantation points.
At the entry point BPatch_entry of each function in G(E, F), a call to the function-call legitimacy test function is implanted. This function looks up the table TABstart by the function entry address; if the address is in TABstart, it passes the corresponding function number to the finite state machine FSM, which checks whether a transition exists from the current state to the state corresponding to the received number; if the transition exists, the function call is legal. At the exit point BPatch_exit of each function in G(E, F), a call to the function-return legitimacy test function is implanted. This function looks up the table TABret using the return address of the ret instruction: if the return address recorded in the last row of TABret is 0, the monitored software has reached the exit point of the main() function in G(E, F) and execution ends; otherwise it judges whether the return address recorded in the last row of TABret is identical to the return address of the ret instruction, and if so passes the function number of that row to the FSM, which checks whether a transition exists from the current state to the state corresponding to that number; if the transition exists the function return is legal, otherwise monitoring ends. At each call instruction point BPatch_subroutine inside a function of G(E, F), a call to the return-information storage function is implanted; after the call instruction has executed, this function stores the address of the instruction following the call instruction, the number of the function containing the call instruction, and the variables Cur_F and Cur_B in the last row of the table TABret. At the entry point BPatch_locBasicBlockEntry of each basic block in G(B, E), a call to the intra-function control-flow legitimacy test function is implanted. From the entry address of the basic block and the entry address of the function containing it, this function computes the offset of the block entry relative to the function entry, then, using the variables Cur_F and Cur_B, looks up the table TABbb of the containing function: if the offset is equal to the offset of one of the successor blocks of the basic block corresponding to Cur_B, the control-flow change is legal and the value of Cur_B is updated; otherwise monitoring ends.
Referring to Fig. 2, the flow of the step of monitoring the running state of the software is described further.
Step 8, monitor the running state of the software.
(8a) judge whether the monitored software has reached the entry of some function in the call graph G(E, F); if so, go to step (8b), otherwise go to step (8f).
(8b) look up the table TABstart by the function entry address and judge whether the entry address is in TABstart; if so, pass the corresponding function number together with the value 0 to the finite state machine and go to step (8c), otherwise go to step 9.
(8c) judge whether the function number received by the finite state machine is 1; if so, go to step (8d), otherwise go to step (8e).
(8d) set the current state of the finite state machine to the initial state S0 and go to step (8a).
(8e) judge whether the finite state machine can move from its current state to the state corresponding to the received number; if so, move to that state, assign the function number obtained in step (8b) to Cur_F and go to step (8a); otherwise the finite state machine moves to the invalid state 0 and execution goes to step 9.
(8f) judge whether the monitored software has reached the location of a call instruction inside a function of the call graph G(E, F); if so, go to step (8g), otherwise go to step (8h).
(8g) add the address of the instruction following the call instruction to TABret, together with the number of the function containing the call instruction and the index of the basic block containing it, then go to step (8a).
(8h) judge whether the monitored software has reached the exit point of a function in the call graph G(E, F); if so, go to step (8i), otherwise go to step (8l).
(8i) judge whether the address value stored in the last row of the table TABret is 0; if so, go to step 9, otherwise go to step (8j).
(8j) judge whether the return address used by the function return instruction ret is equal to the address value stored in the last row of TABret; if so, go to step (8k), otherwise go to step 9.
(8k) pass the function number of the last row of TABret together with the value 1 to the finite state machine and judge whether it can move from its current state to the state corresponding to that number; if so, move to that state, assign the function number of the last row of TABret to the integer variable Cur_F and the basic block index stored in that row to the integer variable Cur_B, delete the last row of TABret and go to step (8a); otherwise the finite state machine moves to the invalid state 0 and execution goes to step 9.
(8l) when the monitored software reaches the entry of a basic block in the control flow graph G(B, E), compute the offset of the block's entry relative to the entry of the function containing the block.
(8m) judge whether the computed offset is 0; if so, go to step (8n), otherwise go to step (8o).
(8n) assign the value 1 to the variable Cur_B and go to step (8a).
(8o) judge whether the offset is equal to the offset of one of the successor blocks of the basic block corresponding to Cur_B; if so, assign the index of that successor block to Cur_B and go to step (8a), otherwise go to step 9.
Step 9, end monitoring.
Claims (1)
1. A software runtime monitoring method based on binary code implantation technology, comprising the following steps:
(1) Extract function call relationships:
Using a static binary analysis tool, extract the function call relationships of the monitored executable and of the library files it depends on, and store them in a function call graph data structure G(E, F), where E is the set of directed edges and F is the set of all functions in the call graph G(E, F);
(2) Extract intra-function control flow information:
Using a static binary analysis tool, extract the basic blocks and the control flow information of each function in the call graph G(E, F), and store the basic-block-level control flow information in a control flow graph data structure G(B, E), where E is the set of directed edges and B is the set of basic blocks of G(B, E);
(3) Construct a finite state machine:
(3a) add state 0 to the non-empty finite state set S of the finite state machine;
(3b) number every function in the call graph G(E, F); the i-th function receives the number i and is denoted fi;
(3c) take state 1, corresponding to the main() function of G(E, F), as the initial state S0 of the finite state machine;
(3d) for every function fi ∈ F, add state i to the state set S of the machine and to its set A of final (accepting) states;
(3e) for fi ∈ F and fj ∈ F, if there is a directed edge from function fi to function fj, add the following state transitions to the transition function T:
Z0 = 0, Z1 = j → Nextstate[i] = state j
Z0 = 1, Z1 = i → Nextstate[j] = state i
where Z0 and Z1 are the input symbols of the finite state machine, Nextstate[i] is the next state of state i, Nextstate[j] is the next state of state j, and i and j are the numbers of function fi and function fj respectively;
(3f) for every state whose next state is undefined, set its next state to state 0;
(4) Initialize the table TABbb:
Each function in the call graph G(E, F) corresponds to one control flow graph G(B, E), and each function in G(E, F) is given one initialized table TABbb, where row i of TABbb corresponds to the i-th basic block of G(B, E); each row has three fields, index, offset and sucs: index is the index of the i-th basic block, offset is the offset of the entry address of the i-th basic block relative to the entry address of the function containing it, and sucs holds the indices of the successor basic blocks of the i-th basic block;
(5) Initialize the tables TABstart and TABret:
(5a) after the monitored software has been loaded, obtain the entry addresses of all functions in the call graph G(E, F);
(5b) add the information of the i-th function to row i of the table TABstart, where row i corresponds to the i-th function of G(E, F); each row has three fields, addr, index and ptr: addr is the entry address of the i-th function, index is the number of the i-th function, and ptr is a pointer to the TABbb of the i-th function;
(5c) add the values 0, -1, -1 as the first row of the table TABret; each row of TABret corresponds to a function of G(E, F) that is invoked while the monitored software executes;
(6) Initialize the integer variables Cur_F and Cur_B:
Assign the number 1 of the main() function in G(E, F) to the integer variable Cur_F, and assign the number 1 of the first basic block of main() to the integer variable Cur_B;
(7) Code implantation:
(7a) using a static binary code implantation tool, load the dynamic library containing the monitoring code into the process address space of the monitored software;
(7b) look up the monitoring function in the dynamic library by its name and construct a call statement to it;
(7c) using the code implantation tool and the information in G(E, F) and G(B, E), determine the code implantation points in the monitored software;
(7d) implant the constructed call statements at the corresponding code implantation points;
(8) Monitor the running state of the software:
(8a) determine whether the monitored software has reached the entry of some function in the call graph G(E, F); if so, go to step (8b); otherwise, go to step (8f);
(8b) look up the table TABstart by the function entry address to determine whether the address is present in TABstart; if so, pass the corresponding function number together with the positive integer 0 to the finite state machine and go to step (8c); otherwise, go to step (9);
(8c) determine whether the function number received by the finite state machine is 1; if so, go to step (8d); otherwise, go to step (8e);
(8d) set the current state of the finite state machine to the initial state S0; go to step (8a);
(8e) determine whether the finite state machine can move from its current state to the state corresponding to the received number; if so, the machine moves to that state, the function number obtained in step (8b) is assigned to Cur_F, and execution goes to step (8a); otherwise, the machine moves to the invalid state 0 and execution goes to step (9);
(8f) determine whether the monitored software has reached the location of a call instruction inside a function of G(E, F); if so, go to step (8g); otherwise, go to step (8h);
(8g) add the address of the instruction following the call instruction to TABret, together with the number of the function containing the call instruction and the index of the basic block containing it; go to step (8a);
(8h) determine whether the monitored software has reached the exit point of a function in G(E, F); if so, go to step (8i); otherwise, go to step (8l);
(8i) determine whether the address value stored in the last row of TABret is 0; if so, go to step (9); otherwise, go to step (8j);
(8j) determine whether the return address used by the function's ret instruction matches the address value stored in the last row of TABret; if so, go to step (8k); otherwise, go to step (9);
(8k) pass the function number stored in the last row of TABret, together with the positive integer 1, to the finite state machine, and determine whether the machine can move from its current state to the state corresponding to the received number; if so, the machine moves to that state, the function number from the last row of TABret is assigned to the integer variable Cur_F, the basic block index stored in the last row of TABret is assigned to the integer variable Cur_B, the last record of TABret is deleted, and execution goes to step (8a); otherwise, the machine moves to the invalid state 0 and execution goes to step (9);
(8l) when the monitored software reaches the entry of a basic block in the control flow graph G(B, E), compute the offset of that block's entry relative to the entry of the function containing the block;
(8m) determine whether the computed offset is 0; if so, go to step (8n); otherwise, go to step (8o);
(8n) assign the positive integer 1 to the variable Cur_B; go to step (8a);
(8o) determine whether the offset equals the offset of one of the successor blocks of the basic block corresponding to Cur_B; if so, assign that successor's index to the integer variable Cur_B and go to step (8a); otherwise, go to step (9);
(9) Terminate monitoring.
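The description's steps (8f) to (9) above and claim steps (3) to (8) describe one procedure: a finite state machine built from the call graph, a shadow return table TABret, and a basic-block successor check against TABbb. The Python model below is an added example, not the patent's implementation or any code from the applicant; it exercises those steps on a constructed four-function program. The function numbers, entry addresses, block offsets, successor lists and the event traces (the probe calls the implanted monitor code would make) are all assumed for the example.

```python
"""Model of the patented monitor: FSM over the call graph (step 3), shadow return table
TABret (8g-8k) and basic-block successor check against TABbb (8l-8o). Every function,
address and trace below is constructed for the example, not taken from the patent."""

INVALID = 0  # invalid state 0 (steps 3a, 3f)

def build_fsm(edges):
    """Step (3e): each call edge fi -> fj yields (i, Z0=0, Z1=j) -> j for the call
    and (j, Z0=1, Z1=i) -> i for the return."""
    T = {}
    for i, j in edges:
        T[(i, 0, j)] = j
        T[(j, 1, i)] = i
    return T

def next_state(T, state, z0, z1):
    """Step (3f): a transition missing from T leads to the invalid state 0."""
    return T.get((state, z0, z1), INVALID)

# Constructed target: main()=1, parse()=2, log()=3, helper()=4 (numbered as in 3b).
CALL_EDGES = {(1, 2), (1, 3), (2, 4)}                      # E of G(E, F)
FUNC_ENTRY = {1: 0x1000, 2: 0x2000, 3: 0x3000, 4: 0x4000}  # assumed entry addresses
TABSTART = {a: {"index": i, "ptr": i} for i, a in FUNC_ENTRY.items()}  # step (5b); ptr keys TABBB
TABBB = {  # step (4), per function: block index -> (offset from function entry, successor indices)
    1: {1: (0x00, [2, 3]), 2: (0x10, [3]), 3: (0x20, [])},  # main: block 2 calls parse, block 3 calls log
    2: {1: (0x00, [2]), 2: (0x08, [])},                     # parse: block 2 calls helper
    3: {1: (0x00, [])},                                     # log
    4: {1: (0x00, [])},                                     # helper
}

class Monitor:
    def __init__(self, T, tabstart, tabbb, func_entry):
        self.T, self.tabstart, self.tabbb, self.func_entry = T, tabstart, tabbb, func_entry
        self.state = 1                  # S0 is the state of main() (step 3c)
        self.cur_f, self.cur_b = 1, 1   # step (6)
        self.tabret = [[0, -1, -1]]     # step (5c): sentinel row [addr, func, block]
        self.violation = None

    def _stop(self, violation=None):    # step (9); None means monitoring ended cleanly
        self.violation = violation
        return False

    def on_entry(self, addr):           # steps (8a)-(8e)
        row = self.tabstart.get(addr)
        if row is None:
            return self._stop("entry address %#x not in TABstart" % addr)
        fnum = row["index"]
        if fnum == 1:                   # (8c)/(8d): entering main() resets to S0
            self.state, self.cur_f = 1, 1
            return True
        nxt = next_state(self.T, self.state, 0, fnum)
        if nxt == INVALID:
            self.state = INVALID
            return self._stop("call-graph violation: f%d -> f%d" % (self.cur_f, fnum))
        self.state, self.cur_f = nxt, fnum
        return True

    def on_call(self, return_addr):     # step (8g): push the shadow return record
        self.tabret.append([return_addr, self.cur_f, self.cur_b])
        return True

    def on_return(self, return_addr):   # steps (8h)-(8k)
        saved_addr, fnum, bidx = self.tabret[-1]
        if saved_addr == 0:             # (8i): sentinel reached, main() is returning
            return self._stop()
        if return_addr != saved_addr:   # (8j): shadow-stack mismatch
            return self._stop("return address %#x != expected %#x" % (return_addr, saved_addr))
        nxt = next_state(self.T, self.state, 1, fnum)
        if nxt == INVALID:
            self.state = INVALID
            return self._stop("return from f%d to f%d not in call graph" % (self.cur_f, fnum))
        self.state, self.cur_f, self.cur_b = nxt, fnum, bidx
        self.tabret.pop()
        return True

    def on_block(self, addr):           # steps (8l)-(8o)
        offset = addr - self.func_entry[self.cur_f]
        if offset == 0:                 # (8m)/(8n): the function's first block
            self.cur_b = 1
            return True
        blocks = self.tabbb[self.cur_f]
        for s in blocks.get(self.cur_b, (0, []))[1]:  # (8o): must be a successor of block Cur_B
            if blocks[s][0] == offset:
                self.cur_b = s
                return True
        return self._stop("block at f%d+%#x is not a successor of block %d" % (self.cur_f, offset, self.cur_b))

    def run(self, events):              # feed (kind, addr) probe events; violation text or None
        handlers = {"entry": self.on_entry, "call": self.on_call, "ret": self.on_return, "block": self.on_block}
        for kind, addr in events:
            if not handlers[kind](addr):
                break
        return self.violation

def monitor_trace(events):
    return Monitor(build_fsm(CALL_EDGES), TABSTART, TABBB, FUNC_ENTRY).run(events)

# Constructed traces of (probe kind, address) as the implanted monitor calls would report them.
GOOD_TRACE = [("entry", 0x1000), ("block", 0x1000), ("block", 0x1010), ("call", 0x1020), ("entry", 0x2000),
              ("block", 0x2000), ("block", 0x2008), ("call", 0x200c), ("entry", 0x4000), ("block", 0x4000),
              ("ret", 0x200c), ("ret", 0x1020), ("block", 0x1020), ("call", 0x1028), ("entry", 0x3000),
              ("block", 0x3000), ("ret", 0x1028), ("ret", 0)]
SMASHED_RET = GOOD_TRACE[:10] + [("ret", 0x4141)]                  # helper() returns to an overwritten address
BAD_CALL = GOOD_TRACE[:7] + [("call", 0x200c), ("entry", 0x3000)]  # parse() -> log(): no edge in G(E, F)
BAD_JUMP = GOOD_TRACE[:13] + [("block", 0x1010)]                   # main block 3 -> block 2: not a CFG edge
```

`monitor_trace(GOOD_TRACE)` returns None (the sentinel row 0, -1, -1 is reached when main() returns, so monitoring ends cleanly), while the three tampered traces return a violation string from the return-address check, the call-graph FSM and the basic-block successor check respectively. Two caveats a practitioner should keep in mind when reading the claim: step (8n) accepts an offset of 0 unconditionally, so a transfer to a function's first block from any block of that function is never flagged; and the monitor only sees control transfers that pass through an implanted probe, so a transfer landing between probes is invisible to it.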
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610877174.5A CN106528403B (en) | 2016-10-08 | 2016-10-08 | Software runtime monitoring method based on binary code implantation technology |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106528403A true CN106528403A (en) | 2017-03-22 |
CN106528403B CN106528403B (en) | 2018-11-20 |
Family
ID=58333026
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610877174.5A Active CN106528403B (en) | Software runtime monitoring method based on binary code implantation technology | 2016-10-08 | 2016-10-08 |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106528403B (en) |
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040226007A1 (en) * | 2003-05-09 | 2004-11-11 | Guarraci Brian J. | Instrumenting software for enhanced diagnosability |
CN101714118A (en) * | 2009-11-20 | 2010-05-26 | 北京邮电大学 | Detector for binary-code buffer-zone overflow bugs, and detection method thereof |
CN101968766A (en) * | 2010-10-21 | 2011-02-09 | 上海交通大学 | System for detecting software bug triggered during practical running of computer program |
WO2014113367A1 (en) * | 2013-01-15 | 2014-07-24 | Taasera, Inc. | System for and a method of cognitive behavior recognition |
CN103257913A (en) * | 2013-04-18 | 2013-08-21 | 西安交通大学 | System and method for detecting and removing fault of software in operation |
CN104636256A (en) * | 2015-02-17 | 2015-05-20 | 中国农业银行股份有限公司 | Memory access abnormity detecting method and memory access abnormity detecting device |
Non-Patent Citations (1)
Title |
---|
郭长国 (Guo Changguo) et al., "A runtime monitoring mechanism for distributed software" (一种分布式软件运行时监控机制), 《计算机与数字工程》 (Computer & Digital Engineering) * |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107046490A (en) * | 2017-03-30 | 2017-08-15 | 上海斐讯数据通信技术有限公司 | Method and system for controlling an intelligent gateway using a finite state machine, and intelligent control system |
CN107908955A (en) * | 2017-11-30 | 2018-04-13 | 华中科技大学 | Control flow integrity protection method and system based on intermediate language analysis |
CN107908955B (en) * | 2017-11-30 | 2019-11-12 | 华中科技大学 | Control flow integrity protection method and system based on intermediate language analysis |
CN108446557A (en) * | 2018-03-12 | 2018-08-24 | 江苏中天科技软件技术有限公司 | Security threat active sensing method based on honeypot defense |
CN108446557B (en) * | 2018-03-12 | 2020-07-14 | 江苏中天科技软件技术有限公司 | Security threat active sensing method based on honeypot defense |
CN113721928A (en) * | 2021-11-02 | 2021-11-30 | 成都无糖信息技术有限公司 | Binary analysis-based dynamic library clipping method |
Also Published As
Publication number | Publication date |
---|---|
CN106528403B (en) | 2018-11-20 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||