CN107180188A - A system for extracting the plaintext of an encrypted application based on dynamic taint analysis - Google Patents

A system for extracting the plaintext of an encrypted application based on dynamic taint analysis

Info

Publication number
CN107180188A
Authority
CN
China
Prior art keywords
register
taint
operand
tainted
source
Prior art date
Legal status
Granted
Application number
CN201710237625.3A
Other languages
Chinese (zh)
Other versions
CN107180188B (en)
Inventor
余顺争
吴达玳
Current Assignee
National Sun Yat Sen University
Original Assignee
National Sun Yat Sen University
Priority date
Filing date
Publication date
Events
Application filed by National Sun Yat Sen University
Priority to CN201710237625.3A
Publication of CN107180188A
Application granted
Publication of CN107180188B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload

Abstract

The invention discloses a system, based on dynamic taint analysis, for extracting the plaintext handled by an encrypted application. It comprises a taint-source locating module, a dynamic taint analysis module, an instruction analysis module and a memory behaviour analysis module, wherein: the taint-source locating module obtains the memory address of the encrypted message in a system call and marks it as the taint source; the dynamic taint analysis module tracks the data marked as tainted and, by reverse analysis from the taint source, obtains the execution trace of the instructions that operate on it; the instruction analysis module analyses that execution trace and distinguishes the message-decryption stage of the tainted data from its message-processing stage; the memory behaviour analysis module obtains the memory addresses that tainted data is written to during the message-decryption stage and read from during the message-processing stage, and extracts the decrypted plaintext from those addresses. By extracting plaintext from an encrypted application, the invention improves security monitoring of encrypted applications.

Description

A system for extracting the plaintext of an encrypted application based on dynamic taint analysis
Technical field
The present invention relates to the technical field of network security, and in particular to a system for extracting the plaintext of an encrypted application based on dynamic taint analysis.
Background
In recent years, with the rapid development of the Internet, thousands of new applications appear every day, and for communication security most client applications use an encryption protocol between the client and the server. Besides common standard application-layer protocols such as HTTPS and SFTP, there are also a large number of proprietary encryption protocols. Users of client software that employs these protocols cannot tell what the encrypted messages handled in the background contain, and therefore cannot tell whether the software performs concealed actions such as stealing personal private information from the computer, automatically downloading harmful code, or directing the user to third-party websites, all of which harm the vital interests of the user.
Therefore, if the plaintext of the encrypted messages handled by such client software could be recovered by reverse analysis, the plaintext content of the encryption protocol could be analysed and the protocol format reverse-engineered, which would improve security monitoring of encrypted applications.
Summary of the invention
To overcome at least one of the defects of the prior art described above, the present invention provides a system for extracting the plaintext of an encrypted application based on dynamic taint analysis.
The invention aims to solve the above technical problem at least to some extent.
The primary purpose of the present invention is to provide a system that recovers, by reverse analysis, the plaintext of the encrypted messages handled by an encrypted application, so as to improve security monitoring of encrypted applications.
To solve the above technical problem, the technical scheme is as follows. A system for extracting the plaintext of an encrypted application based on dynamic taint analysis comprises a taint-source locating module, a dynamic taint analysis module, an instruction analysis module and a memory behaviour analysis module, wherein: the taint-source locating module intercepts the system calls of the encrypted application, obtains the memory address of the encrypted message in the system call, and marks it as the taint source; the dynamic taint analysis module tracks the data marked as tainted and, by reverse analysis from the taint source, obtains the execution trace of the instructions that operate on it; the instruction analysis module parses the obtained execution trace of instructions operating on tainted data and distinguishes the message-decryption stage of the tainted data from its message-processing stage; the memory behaviour analysis module uses the memory read/write behaviour of the encrypted message in the encryption call instructions to obtain the memory addresses that tainted data is written to in the message-decryption stage and read from in the message-processing stage, and extracts the decrypted plaintext from those addresses.
Preferably, the tracking of data marked as tainted covers taint tracking when the source operand is memory, when the destination operand is memory, when the source operand is a register and when the destination operand is a register, and the dynamic taint analysis module comprises: a memory-source judging unit, which judges whether a source operand of the encryption call instruction contains the memory address of the encrypted message; a memory-source taint tracking unit, which performs memory-source taint tracking when the memory-source judging unit answers yes; a memory-destination judging unit, which, when the memory-source judging unit answers no, judges whether the destination operand of the encryption call instruction contains the memory address of the encrypted message; a memory-destination taint tracking unit, which performs memory-destination taint tracking when the memory-destination judging unit answers yes; a register-source judging unit, which, when the memory-destination judging unit answers no, judges whether the source operand of the encryption call instruction is a register; a register-source taint tracking unit, which performs register-source taint tracking when the register-source judging unit answers yes; a register-destination judging unit, which, when the register-source judging unit answers no, judges whether the destination operand of the encryption call instruction is a register; and a register-destination taint tracking unit, which performs register-destination taint tracking when the register-destination judging unit answers yes.
Preferably, when the source operand is memory, the cases covered are that the destination operand is a register and that there is no destination operand, and the memory-source taint tracking unit comprises: a first tracking-record subunit, which records the encryption call instruction if the memory is marked tainted and the register is marked tainted, also records it if the memory is marked tainted and the register is marked untainted, and also records it if the memory is marked tainted and there is no destination operand; and a first tracking-mark subunit, which marks the register tainted if the memory is marked tainted and the register is marked untainted, and marks the register untainted if the memory is marked untainted and the register is marked tainted.
Preferably, when the destination operand is memory, the cases covered are that the source operand is a register and that the source operand is an immediate, and the memory-destination taint tracking unit comprises: a second tracking-record subunit, which records the encryption call instruction if the register is marked tainted and the memory is marked tainted, and also records it if the register is marked tainted and the memory is marked untainted; and a second tracking-mark subunit, which marks the memory tainted if the register is marked tainted and the memory is marked untainted, marks the memory untainted if the register is marked untainted and the memory is marked tainted, and marks the memory untainted if the source operand is an immediate and the memory is marked tainted.
Preferably, when the source operand is a register, the cases covered are that the destination operand is a register and that there is no destination operand, and the register-source taint tracking unit comprises: a third tracking-record subunit, which records the encryption call instruction if the source register is marked tainted and the destination register is marked tainted, also records it if the source register is marked tainted and the destination register is marked untainted, and also records it if the source register is marked tainted and there is no destination operand; and a third tracking-mark subunit, which marks the destination register tainted if the source register is marked tainted and the destination register is marked untainted, and marks the destination register untainted if the source register is marked untainted and the destination register is marked tainted.
Preferably, when the destination operand is a register, the case covered is that the source operand is an immediate, and the register-destination taint tracking unit comprises a fourth tracking-mark subunit, which marks the destination register untainted if the source operand is an immediate and the destination register is marked tainted.
Preferably, the instruction analysis module comprises an instruction parsing unit and a decryption/processing discrimination unit, wherein: the instruction parsing unit determines the approximate position of the message-decryption and message-processing instructions; the decryption/processing discrimination unit combines the result determined by the instruction parsing unit with a sliding-window technique to determine the exact message-decryption and message-processing instructions.
Preferably, the memory behaviour analysis module comprises a memory read/write behaviour unit, an acquisition unit and an extraction unit, wherein: the memory read/write behaviour unit defines a global variable and dynamically tracks the encrypted application's allocation and release of memory, adding allocated memory to the global variable and removing released memory from it; the acquisition unit, in the message-decryption stage, when an instruction writes to memory, finds that memory buffer in the global variable and marks its state as tainted, and in the message-processing stage, when an instruction reads from memory, finds that memory buffer in the global variable and, if the buffer's state is marked tainted, obtains the memory address; the extraction unit extracts the decrypted plaintext from the obtained memory address.
Compared with the prior art, the beneficial effect of the technical scheme of the present invention is that, for client software using an encryption protocol, a system for extracting the plaintext of the encrypted application is provided, so that the plaintext content of the encryption protocol can be analysed and the protocol format reverse-engineered, improving security monitoring of encrypted applications.
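The memory read/write behaviour, acquisition and extraction units described above, as an added example in Python (this is not code from the patent or its inventors). The event format, the buffer addresses and the decrypted bytes are constructed for the example; in a deployment the write and read events would come from the instrumented instruction trace and the stage labels from the instruction analysis module. Writes to memory that is not in the set of live allocations (for instance through a stale pointer to a freed buffer) are ignored, and a tainted buffer is reported once even if the processing stage reads it several times.

```python
from dataclasses import dataclass


@dataclass
class Buffer:
    start: int
    size: int
    data: bytearray
    written: int = 0        # high-water mark of bytes written in the decryption stage
    tainted: bool = False   # state mark: written to during the decryption stage
    reported: bool = False  # plaintext already extracted from this buffer


class LiveHeap:
    """The page's 'global variable': every buffer the application currently holds."""

    def __init__(self):
        self.buffers = {}                       # start address -> Buffer

    def alloc(self, start, size):               # allocation: add to the global variable
        self.buffers[start] = Buffer(start, size, bytearray(size))

    def free(self, start):                      # release: remove from the global variable
        self.buffers.pop(start, None)

    def find(self, addr):
        """Return the live buffer containing addr, or None for freed/untracked memory."""
        for buf in self.buffers.values():
            if buf.start <= addr < buf.start + buf.size:
                return buf
        return None


def analyse(events):
    """Replay alloc/free events and stage-labelled reads and writes; return
    [(buffer start, plaintext bytes)] for every buffer written in the decryption
    stage and later read in the processing stage."""
    heap, extracted = LiveHeap(), []
    for event in events:
        kind = event[0]
        if kind == "alloc":
            heap.alloc(event[1], event[2])
        elif kind == "free":
            heap.free(event[1])
        elif kind == "write":
            _, stage, addr, data = event
            buf = heap.find(addr)
            if buf is None:                     # not a live buffer: nothing to mark
                continue
            off = addr - buf.start
            end = min(off + len(data), buf.size)
            buf.data[off:end] = data[:end - off]
            if stage == "decrypt":              # acquisition unit, decryption stage
                buf.tainted = True
                buf.written = max(buf.written, end)
        elif kind == "read":
            _, stage, addr, _length = event
            buf = heap.find(addr)               # acquisition unit, processing stage
            if stage == "process" and buf is not None and buf.tainted and not buf.reported:
                buf.reported = True
                extracted.append((buf.start, bytes(buf.data[:buf.written])))  # extraction unit
    return extracted


# Constructed event stream (addresses and contents invented for this example).
EVENTS = [
    ("alloc", 0x3000, 64),                          # ciphertext buffer
    ("alloc", 0x4000, 64),                          # buffer the decryption routine fills
    ("alloc", 0x5000, 16), ("free", 0x5000),        # scratch buffer released before decryption
    ("write", "decrypt", 0x5000, b"junk"),          # stale pointer: ignored, not live
    ("write", "decrypt", 0x4000, b"GET / HTTP/1.1\r\n"),
    ("write", "decrypt", 0x4010, b"Host: example.test\r\n"),
    ("write", "process", 0x3000, b"\x00" * 8),      # processing-stage write does not taint
    ("read", "process", 0x3000, 16),                # ciphertext buffer: never tainted
    ("read", "process", 0x4004, 1),                 # tainted buffer read: extract plaintext
    ("read", "process", 0x4010, 4),                 # same buffer again: reported only once
]

if __name__ == "__main__":
    for start, plaintext in analyse(EVENTS):
        print(hex(start), plaintext)
```

The `written` high-water mark is what makes the extracted value a message rather than a whole 64-byte buffer; the page only says the plaintext is extracted from the memory address, so the cut-off used here is a design choice of the example.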
Brief description of the drawings
Fig. 1 is the functional block diagram of an embodiment of the present application;
Fig. 2 is the detailed functional block diagram of the dynamic taint analysis module of the present invention;
Fig. 3 is the detailed functional block diagram of the memory-source taint tracking unit of the present invention;
Fig. 4 is the detailed functional block diagram of the memory-destination taint tracking unit of the present invention;
Fig. 5 is the detailed functional block diagram of the register-source taint tracking unit of the present invention;
Fig. 6 is the detailed functional block diagram of the instruction analysis module of the present invention;
Fig. 7 is the detailed functional block diagram of the memory behaviour analysis module of the present invention;
Fig. 8 is the flow diagram of the dynamic taint analysis module of the present invention;
Fig. 9 is the flow diagram of the memory behaviour analysis module of the present invention;
Fig. 10 is the line chart constructed by the instruction parsing unit in the real-world test of the present invention;
Fig. 11 is the scatter plot constructed by the decryption/processing discrimination unit in the real-world test of the present invention.
Detailed description
The drawings are for illustration only and shall not be construed as limiting this patent; to better illustrate the embodiment, some parts of the drawings are omitted, enlarged or reduced and do not represent the size of the actual product; the same or similar reference numerals denote the same or similar parts; as those skilled in the art will understand, some known structures and their explanation may be omitted from the drawings.
The technical scheme of the present invention is further described below with reference to the drawings and the embodiments.
As shown in Fig. 1, the invention discloses a system for extracting the plaintext of an encrypted application based on dynamic taint analysis, comprising a taint-source locating module 01, a dynamic taint analysis module 02, an instruction analysis module 03 and a memory behaviour analysis module 04, wherein: the taint-source locating module 01 intercepts the encryption call instructions of the whole system, obtains the memory address of the encrypted message in the encryption call instruction, and marks it as the taint source; the dynamic taint analysis module 02 tracks the data marked as tainted and, by reverse analysis from the taint source, obtains the execution trace of the instructions that operate on it; the instruction analysis module 03 parses the obtained execution trace of instructions operating on tainted data and distinguishes the message-decryption stage of the tainted data from its message-processing stage; the memory behaviour analysis module 04 uses the memory read/write behaviour of the encrypted message in the encryption call instructions to obtain the memory addresses that tainted data is written to in the message-decryption stage and read from in the message-processing stage, and extracts the decrypted plaintext from those addresses.
In this embodiment, the invention uses dynamic taint analysis to find, in the memory of the encrypted application, the memory that holds the plaintext after the encrypted message has been decrypted, and so extracts the decrypted plaintext. The invention therefore extracts the plaintext of the encrypted application, makes it easy to analyse the plaintext content of the encryption protocol and reverse-engineer the protocol format, and improves security monitoring of encrypted applications.
It should be noted that the taint-source locating module 01 intercepts the system calls of the encrypted application, obtains from the system call the start address and size of the memory in which the encrypted application stores the encrypted message it reads, and marks that memory address as the taint source. The specific execution flow is as follows: 1) hook the system call; if the system call reads data from a file descriptor or a network socket, proceed to the next step, otherwise return to hooking the next system call; 2) locate the taint source: from the input parameters and return parameters of the system call, obtain the start address and size of the memory in which the encrypted application stores the encrypted message it reads, and mark that memory address as the taint source.
Further, as shown in Figs. 2 to 5 and Fig. 8, the tracking of data marked as tainted covers taint tracking when the source operand is memory, when the destination operand is memory, when the source operand is a register and when the destination operand is a register, and the dynamic taint analysis module 02 comprises: a memory-source judging unit 021, which judges whether a source operand of the encryption call instruction contains the memory address of the encrypted message; a memory-source taint tracking unit 022, which performs memory-source taint tracking when the memory-source judging unit answers yes; a memory-destination judging unit 023, which, when the memory-source judging unit answers no, judges whether the destination operand of the encryption call instruction contains the memory address of the encrypted message; a memory-destination taint tracking unit 024, which performs memory-destination taint tracking when the memory-destination judging unit answers yes; a register-source judging unit 025, which, when the memory-destination judging unit answers no, judges whether the source operand of the encryption call instruction is a register; a register-source taint tracking unit 026, which performs register-source taint tracking when the register-source judging unit answers yes; a register-destination judging unit 027, which, when the register-source judging unit answers no, judges whether the destination operand of the encryption call instruction is a register; and a register-destination taint tracking unit 028, which performs register-destination taint tracking when the register-destination judging unit answers yes.
Further, when the source operand is memory, the cases covered are that the destination operand is a register and that there is no destination operand, and the memory-source taint tracking unit 022 comprises: a first tracking-record subunit 0221, which records the encryption call instruction if the memory is marked tainted and the register is marked tainted, also records it if the memory is marked tainted and the register is marked untainted, and also records it if the memory is marked tainted and there is no destination operand; and a first tracking-mark subunit 0222, which marks the register tainted if the memory is marked tainted and the register is marked untainted, and marks the register untainted if the memory is marked untainted and the register is marked tainted.
Further, when the destination operand is memory, the cases covered are that the source operand is a register and that the source operand is an immediate, and the memory-destination taint tracking unit 024 comprises: a second tracking-record subunit 0241, which records the encryption call instruction if the register is marked tainted and the memory is marked tainted, and also records it if the register is marked tainted and the memory is marked untainted; and a second tracking-mark subunit 0242, which marks the memory tainted if the register is marked tainted and the memory is marked untainted, marks the memory untainted if the register is marked untainted and the memory is marked tainted, and marks the memory untainted if the source operand is an immediate and the memory is marked tainted.
Further, when the source operand is a register, the cases covered are that the destination operand is a register and that there is no destination operand, and the register-source taint tracking unit 026 comprises: a third tracking-record subunit 0261, which records the encryption call instruction if the source register is marked tainted and the destination register is marked tainted, also records it if the source register is marked tainted and the destination register is marked untainted, and also records it if the source register is marked tainted and there is no destination operand; and a third tracking-mark subunit 0262, which marks the destination register tainted if the source register is marked tainted and the destination register is marked untainted, and marks the destination register untainted if the source register is marked untainted and the destination register is marked tainted.
Further, when the destination operand is a register, the case covered is that the source operand is an immediate, and the register-destination taint tracking unit 028 comprises a fourth tracking-mark subunit, which marks the destination register untainted if the source operand is an immediate and the destination register is marked tainted.
In this embodiment, dynamic taint analysis is applied in four cases, taint tracking when the source operand is memory, when the destination operand is memory, when the source operand is a register and when the destination operand is a register, to obtain an instruction execution trace containing only the instructions that operate on tainted data.
The specific execution flow is as follows (for convenience, 1 denotes tainted and 0 denotes untainted):
1) Taint tracking when the source operand is memory
When the source operand is memory there are two cases: the destination operand is a register (e.g. mov rdx, qword ptr [rsp]) or there is no destination operand (e.g. cmp al, byte ptr [rbx+rdx*1]). Processing is as follows:
a) If the memory is 1 and the register is 1, record this instruction.
b) If the memory is 1 and the register is 0, mark the register 1 and record this instruction.
c) If the memory is 1 and there is no destination operand, record this instruction.
d) If the memory is 0 and the register is 1, mark the register 0.
e) If the memory is 0 and the register is 0, do nothing.
f) If the memory is 0 and there is no destination operand, do nothing.
2) Taint tracking when the destination operand is memory
When the destination operand is memory there are two cases: the source operand is a register (e.g. mov qword ptr [rsp], rdx) or the source operand is an immediate (e.g. mov byte ptr [rsp], 0xfa). Processing is as follows:
a) If the register is 1 and the memory is 1, record this instruction.
b) If the register is 1 and the memory is 0, mark the memory 1 and record this instruction.
c) If the register is 0 and the memory is 1, mark the memory 0.
d) If the register is 0 and the memory is 0, do nothing.
e) If the source operand is an immediate and the memory is 1, mark the memory 0.
f) If the source operand is an immediate and the memory is 0, do nothing.
3) Taint tracking when the source operand is a register
After steps 1) and 2) above have been applied, when the source operand is a register there are again two cases: the destination operand is a register (e.g. mov rdx, rcx) or there is no destination operand (e.g. cmp al, 0x2). Processing is as follows:
A) Traverse all source registers; if some source register is 1 and the destination register is 1, record this instruction.
B) Traverse all source registers; if some source register is 1 and the destination register is 0, mark the destination register 1 and record this instruction.
C) Traverse all source registers; if some source register is 1 and there is no destination operand, record this instruction.
D) Traverse all source registers; if all source registers are 0 and the destination register is 1, mark the destination register 0.
E) Traverse all source registers; if all source registers are 0 and the destination register is 0, do nothing.
F) Traverse all source registers; if all source registers are 0 and there is no destination operand, do nothing.
4) Taint tracking when the destination operand is a register
After steps 1), 2) and 3) above have been applied, when the destination operand is a register there is one further case: the source operand is an immediate (e.g. mov al, 0x2). Processing is as follows:
a) If the source operand is an immediate and the destination register is 1, mark the destination register 0.
b) If the source operand is an immediate and the destination register is 0, do nothing.
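The four cases above, implemented as a small taint-propagation simulator in Python. This is an added example and not code from the patent or its inventors: the operand classes, the eight-instruction sample trace and the 16-byte buffer at address 0x1000 that stands in for the memory located by the taint-source module are all constructed here (the page names no addresses). The cases are tested in the order the page's judging units apply them, a memory operand is tainted if any byte of it is tainted, and the instructions for which `propagate` returns True form the recorded instruction execution trace.

```python
from dataclasses import dataclass, field


# Operand kinds. A memory operand carries an address and a size in bytes.
@dataclass(frozen=True)
class Mem:
    addr: int
    size: int = 8


@dataclass(frozen=True)
class Reg:
    name: str


@dataclass(frozen=True)
class Imm:
    value: int


@dataclass
class Insn:
    text: str           # disassembly text, for the recorded trace
    srcs: tuple         # source operands (Mem, Reg or Imm)
    dst: object = None  # destination operand (Mem or Reg); None for cmp-style instructions


@dataclass
class TaintState:
    mem: set = field(default_factory=set)   # tainted byte addresses ("1" in the page's notation)
    regs: set = field(default_factory=set)  # tainted register names


def mem_tainted(state, m):
    return any(a in state.mem for a in range(m.addr, m.addr + m.size))


def mark_mem(state, m, tainted):
    for a in range(m.addr, m.addr + m.size):
        (state.mem.add if tainted else state.mem.discard)(a)


def propagate(state, ins):
    """Apply the page's four cases to one instruction, in the order the judging units
    test them. Returns True when the instruction touched tainted data and therefore
    belongs to the recorded instruction execution trace."""
    mem_src = next((o for o in ins.srcs if isinstance(o, Mem)), None)
    reg_srcs = [o for o in ins.srcs if isinstance(o, Reg)]
    dst = ins.dst
    if mem_src is not None:                          # case 1: source operand is memory
        if mem_tainted(state, mem_src):
            if isinstance(dst, Reg):
                state.regs.add(dst.name)             # 1b: tainted memory taints the register
            return True                              # 1a/1b/1c: record the instruction
        if isinstance(dst, Reg):
            state.regs.discard(dst.name)             # 1d: clean load overwrites a tainted register
        return False                                 # 1e/1f: nothing to do
    if isinstance(dst, Mem):                         # case 2: destination operand is memory
        if reg_srcs and reg_srcs[0].name in state.regs:
            mark_mem(state, dst, True)               # 2a/2b: taint the memory, record
            return True
        mark_mem(state, dst, False)                  # 2c/2e: clean register or immediate clears it
        return False                                 # 2d/2f
    if reg_srcs:                                     # case 3: source operand is a register
        if any(r.name in state.regs for r in reg_srcs):   # "traverse all source registers"
            if isinstance(dst, Reg):
                state.regs.add(dst.name)             # 3B
            return True                              # 3A/3B/3C
        if isinstance(dst, Reg):
            state.regs.discard(dst.name)             # 3D
        return False                                 # 3E/3F
    if isinstance(dst, Reg):                         # case 4: register destination, immediate source
        state.regs.discard(dst.name)                 # 4a
    return False                                     # 4b


def run_trace(trace, source):
    """Mark the buffer located by the taint-source module, replay the instructions and
    return the indices of the recorded instructions together with the final state."""
    state = TaintState()
    mark_mem(state, source, True)
    recorded = [i for i, ins in enumerate(trace) if propagate(state, ins)]
    return recorded, state


# Constructed input: a 16-byte buffer filled by a read()/recv() system call, and a
# short instruction sequence (addresses and registers invented for the example).
SOURCE = Mem(0x1000, 16)
TRACE = [
    Insn("mov rdx, qword ptr [0x1000]", (Mem(0x1000),), Reg("rdx")),        # 1b: taints rdx
    Insn("mov rcx, rdx", (Reg("rdx"),), Reg("rcx")),                        # 3B: taints rcx
    Insn("mov qword ptr [0x2000], rcx", (Reg("rcx"),), Mem(0x2000)),        # 2b: taints 0x2000..
    Insn("mov rcx, 0x0", (Imm(0),), Reg("rcx")),                            # 4a: clears rcx
    Insn("cmp al, byte ptr [0x2003]", (Reg("al"), Mem(0x2003, 1)), None),   # 1c: recorded
    Insn("mov qword ptr [0x2000], rbx", (Reg("rbx"),), Mem(0x2000)),        # 2c: clears 0x2000..
    Insn("cmp al, 0x2", (Reg("al"), Imm(2)), None),                         # 3F: nothing
    Insn("mov rsi, qword ptr [0x2000]", (Mem(0x2000),), Reg("rsi")),        # 1e: nothing
]

if __name__ == "__main__":
    recorded, state = run_trace(TRACE, SOURCE)
    for i in recorded:
        print(TRACE[i].text)
    print("tainted registers:", sorted(state.regs))
```

Two properties of the rules as the page states them are visible in the sample run: a register is cleared by any immediate-source instruction (`mov rcx, 0x0` above), so an arithmetic or logic instruction with an immediate would clear taint in the same way, and a clean store (`mov qword ptr [0x2000], rbx`) clears the taint of the memory it overwrites. An implementation that needs taint to survive mixing of tainted and constant values would have to distinguish instructions that overwrite their destination from those that combine it with the source.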
As shown in Fig. 6 and Fig. 9, the instruction analysis module 03 further comprises an instruction resolution unit 031 and a discrimination unit 032 for message decryption and message processing, wherein: the instruction resolution unit 031 determines the approximate position of the message decryption and message processing instructions; the discrimination unit 032 combines the result determined by the instruction resolution unit 031 with a sliding-window technique to determine the specific message decryption and message processing instructions.
In this embodiment, the instruction analysis module 03 analyses the instruction execution trace. It uses the percentage of arithmetic-class and logic-class instructions, together with a time-window technique, to distinguish the "message decryption" stage from the "message processing" stage. The execution flow is as follows:
(1) Compute the percentage of arithmetic-class and logic-class instructions among all instructions executed so far. For example, at the n-th instruction, compute the percentage of arithmetic-class and logic-class instructions among the first n instructions. With the instruction number on the x-axis and this percentage on the y-axis, a line chart is obtained. In this line chart, the turning point between the "message decryption" stage and the "message processing" stage must lie between the highest point and the lowest point.
(2) For the instructions between the highest-point instruction and the lowest-point instruction, use a sliding-window technique to compute the percentage of arithmetic-class and logic-class instructions among the instructions in the window. The sliding-window technique maintains a window containing a fixed number of instructions; the percentage of arithmetic-class and logic-class instructions within the window is computed, and the window, starting from the first instruction, advances by one instruction for each computation. With the instruction number on the X-axis and the percentage of arithmetic-class and logic-class instructions in the window on the Y-axis, a scatter plot is obtained. Experimental testing shows that, in this scatter plot, when the percentage falls below a certain threshold, more than half of the instructions in the preceding sliding window belong to one function called by the encryption application, and that function is exactly the turning point between the message decryption stage and the message processing stage. Based on many experiments, the invention sets the sliding window to 30 instructions and the threshold to 50%, which is optimal.
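Steps (1) and (2) above, carried out on a constructed instruction trace, as an added example that is not the patent's own code. The mnemonic-to-class table is an assumption, the trace is made up (40 GHASH-like instructions followed by 40 request-parsing instructions), and the function labels reuse the two function names from the live test on this page; the window size of 30 and the 50% threshold are the page's values.

```python
from typing import List, Optional, Tuple

# Constructed classification of mnemonics that count as arithmetic/logic class.
ARITH_LOGIC = {"add", "sub", "imul", "xor", "and", "or", "not", "neg", "shl", "shr",
               "rol", "ror", "pxor", "pand", "pclmulqdq", "pshufb"}

Trace = List[Tuple[str, str]]  # (mnemonic, label of the function executing it)


def share(mnemonics: List[str]) -> float:
    """Percentage of arithmetic/logic-class instructions (integer numerator first, to stay exact)."""
    return 100 * sum(m in ARITH_LOGIC for m in mnemonics) / len(mnemonics)


def cumulative_share(mnemonics: List[str]) -> List[float]:
    """Step (1): for every n, the share among the first n instructions (the line chart)."""
    out, hits = [], 0
    for n, m in enumerate(mnemonics, start=1):
        hits += m in ARITH_LOGIC
        out.append(100 * hits / n)
    return out


def sliding_shares(mnemonics: List[str], start: int, end: int, window: int) -> List[Tuple[int, float]]:
    """Step (2): (index of the window's last instruction, share) for each window of
    `window` instructions lying inside [start, end] (the scatter plot)."""
    return [(last, share(mnemonics[last - window + 1: last + 1]))
            for last in range(start + window - 1, end + 1)]


def find_turning_point(trace: Trace, window: int = 30, threshold: float = 50.0) -> Optional[Tuple[int, str]]:
    """Locate the decryption/processing turning point with the page's parameters.
    Returns the index of the last instruction of the first window whose share drops
    below the threshold, and the function owning most of that window's instructions."""
    mnemonics = [m for m, _ in trace]
    cum = cumulative_share(mnemonics)
    hi, lo = cum.index(max(cum)), cum.index(min(cum))   # highest and lowest point of the line chart
    start, end = min(hi, lo), max(hi, lo)
    for last, pct in sliding_shares(mnemonics, start, end, window):
        if pct < threshold:
            labels = [f for _, f in trace[last - window + 1: last + 1]]
            return last, max(set(labels), key=labels.count)
    return None


def constructed_trace() -> Trace:
    """Constructed trace: a GHASH-style block of carry-less multiplies and XORs, then a
    block of compares, jumps and calls such as a request parser executes."""
    decrypt = ["pxor", "pclmulqdq", "pshufb", "xor", "movdqu"] * 8
    process = ["mov", "cmp", "jne", "lea", "call"] * 8
    return ([(m, "gcm_ghash_avx") for m in decrypt]
            + [(m, "ngx_http_process_request") for m in process])


if __name__ == "__main__":
    print(find_turning_point(constructed_trace()))  # (51, 'gcm_ghash_avx')
```

On this trace the cumulative share starts at 100% and ends at 40%, so the whole trace is scanned; the first window below 50% ends at instruction 51 and 18 of its 30 instructions belong to the GHASH function, which is therefore reported as the turning point.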
Live test: Figure 10 shows the instruction line chart generated by the instruction resolution unit while the invention monitored an encryption application processing HTTPS encrypted messages; the turning point between message decryption and message processing shown in the figure lies between the function gcm_ghash_avx and the function ngx_http_process_request. The approximate position of the message decryption and message processing instructions is first determined in the line chart built by the instruction resolution unit 031, between the functions gcm.. and ngx.. Figure 11 shows the instruction scatter plot generated by the discrimination unit for message decryption and message processing while the invention monitored the same encryption application processing HTTPS encrypted messages; the turning point between message decryption and message processing shown in the figure is the function gcm_ghash_avx. Combining the result determined by the instruction resolution unit 031, the specific instruction is then determined in the scatter plot built by the discrimination unit 032.
Further, the memory behaviour analysis module 04 comprises a memory read/write behaviour unit 041, an acquisition unit 042 and an extraction unit 043, wherein: the memory read/write behaviour unit 041 defines a global variable and dynamically tracks the encryption application's allocation and release of memory, adding allocated memory to the global variable and removing released memory from it; the acquisition unit 042, in the message decryption stage, when an instruction writes to memory, finds that memory buffer in the global variable and marks its state as tainted, and in the message processing stage, when an instruction reads from memory, finds that memory buffer in the global variable and, if the buffer's state is marked tainted, obtains its memory address; the extraction unit 043 extracts the decrypted plaintext from the obtained memory address.
In this embodiment, the memory behaviour analysis module 04 analyses the memory read/write behaviour to find memory that is written in the "message decryption" stage and read in the "message processing" stage, and so extracts the decrypted plaintext. The execution flow is as follows:
1) Tracking of dynamic memory
Define a global variable memoryList and dynamically track the encryption application's allocation and release of memory: allocated memory is added to memoryList and released memory is removed from memoryList.
2) Analysis of the "message decryption" stage
If an instruction writes to memory, find that memory buffer in memoryList and mark its state 1 (tainted). When the encryption application decrypts an encrypted message, the decrypted plaintext must be stored in a memory buffer.
3) Analysis of the "message processing" stage
If an instruction writes to memory, find that memory buffer in memoryList and mark its state 0 (untainted). In the "message processing" stage the encryption application must read from memory the plaintext obtained in the preceding "message decryption" stage and process it; a memory region that is being written with data therefore cannot be the location where the decrypted plaintext is stored.
If an instruction reads from memory, find that memory buffer in memoryList; if the buffer's state is 1 (tainted), output it. Note that, of the memory read in the "message processing" stage, only the first memory buffer read needs to be considered, because that buffer is exactly the location storing the decrypted plaintext.
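Steps 1) to 3) of the memory behaviour analysis, run over a constructed stream of allocation, stage-change and memory access events, as an added example that is not the patent's own code. The buffer addresses, the event stream and the memory image the extraction step reads from are constructed; the state values 1 (tainted) and 0 (untainted) and the "first tainted read" rule follow the description above.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Buffer:
    base: int
    size: int
    state: int = 0  # 0 = untainted, 1 = tainted, as in the description

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


class MemoryTracker:
    """memoryList plus the stage-dependent read/write rules of steps 1) to 3)."""

    def __init__(self) -> None:
        self.memory_list: Dict[int, Buffer] = {}   # base address -> live buffer
        self.stage = "decrypt"                     # "decrypt" or "process"
        self.plaintext: Optional[Buffer] = None    # first tainted buffer read while processing

    # 1) tracking of dynamic memory, fed by hooked allocation/release events
    def on_alloc(self, base: int, size: int) -> None:
        self.memory_list[base] = Buffer(base, size)

    def on_free(self, base: int) -> None:
        self.memory_list.pop(base, None)

    def find(self, addr: int) -> Optional[Buffer]:
        return next((b for b in self.memory_list.values() if b.contains(addr)), None)

    def set_stage(self, stage: str) -> None:
        self.stage = stage

    def on_write(self, addr: int) -> None:
        buf = self.find(addr)
        if buf is None:
            return  # not a tracked buffer (stack, globals), so nothing to mark
        # 2) a write during decryption may be the plaintext landing: mark tainted
        # 3) a write during processing rules the buffer out: mark untainted
        buf.state = 1 if self.stage == "decrypt" else 0

    def on_read(self, addr: int) -> None:
        buf = self.find(addr)
        # 3) only the first tainted buffer read during processing is the plaintext
        if self.stage == "process" and buf is not None and buf.state == 1 and self.plaintext is None:
            self.plaintext = buf


def extract(image: Dict[int, bytes], buf: Buffer) -> bytes:
    """Extraction unit: read the buffer's bytes out of a (constructed) memory image."""
    return image[buf.base][: buf.size]


def run_constructed_events() -> Tuple[Optional[int], bytes]:
    """Constructed allocation/access events and memory contents for one decrypted request."""
    image = {0x1000: bytes(range(64)),                        # ciphertext, never read as plaintext
             0x2000: b"GET /index.html HTTP/1.1\r\n\r\n",     # where the decrypted request lands
             0x3000: bytes(64)}                               # scratch buffer
    events = [
        ("alloc", 0x1000, 64), ("alloc", 0x2000, 64), ("alloc", 0x3000, 64),
        ("stage", "decrypt"),
        ("write", 0x2010),      # decrypted bytes land in the 0x2000 buffer: tainted
        ("write", 0x3000),      # scratch written during decryption too: tainted for now
        ("stage", "process"),
        ("write", 0x3004),      # scratch written again while processing: untainted
        ("read", 0x3000),       # untainted buffer, ignored
        ("read", 0x1000),       # ciphertext, never written during decryption, ignored
        ("read", 0x2020),       # first tainted read: this is the plaintext buffer
        ("read", 0x2000),       # later reads do not change the result
        ("free", 0x3000),
    ]
    tracker = MemoryTracker()
    for event in events:
        kind, args = event[0], event[1:]
        if kind == "alloc":
            tracker.on_alloc(*args)
        elif kind == "free":
            tracker.on_free(*args)
        elif kind == "stage":
            tracker.set_stage(*args)
        elif kind == "write":
            tracker.on_write(*args)
        elif kind == "read":
            tracker.on_read(*args)
    if tracker.plaintext is None:
        return None, b""
    return tracker.plaintext.base, extract(image, tracker.plaintext)


if __name__ == "__main__":
    print(run_constructed_events())
```

The scratch buffer shows why the processing-stage write rule matters: it is tainted by the decryption-stage write like the real plaintext buffer, and only the later write during processing removes it from consideration before the first read is evaluated.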
Obviously, the above embodiments of the present invention are merely examples given to clearly illustrate the invention and do not limit its embodiments. Those of ordinary skill in the art may make other changes in different forms on the basis of the above description. It is neither necessary nor possible to exhaust all embodiments here. Any modifications, equivalent substitutions and improvements made within the spirit and principle of the invention shall be included within the scope of protection of the claims of the invention.

Claims (8)

1. A system for extracting the plaintext of an encryption application based on dynamic taint analysis, characterized in that it comprises a taint data source locating module, a dynamic taint analysis module, an instruction analysis module and a memory behaviour analysis module, wherein:
the taint data source locating module is used for intercepting the system calls of the encryption application, obtaining the memory address of the encrypted message in the system call, and marking it as the taint data source;
the dynamic taint analysis module is used for tracking the data source carrying the taint mark and obtaining, in reverse from the taint data source, the instruction execution trace that operates on it;
the instruction analysis module is used for parsing the obtained instruction execution trace that operates on the taint data and distinguishing the message decryption stage from the message processing stage of the taint data;
the memory behaviour analysis module is used for obtaining, according to the memory read/write behaviour information of the encrypted message in the encryption call instructions, the memory address to which the taint data is written in the message decryption stage and from which it is read in the message processing stage, and extracting the decrypted plaintext from that memory address.
2. The system for extracting the plaintext of an encryption application based on dynamic taint analysis according to claim 1, characterized in that tracking the data source carrying the taint mark includes taint tracking with a memory source operand, taint tracking with a memory destination operand, taint tracking with a register source operand and taint tracking with a register destination operand, and the dynamic taint analysis module comprises:
a memory-source-operand judging unit, for judging whether the source operand of the encryption call instruction contains the memory address of the encrypted message;
a memory-source-operand taint tracking unit, for performing taint tracking with a memory source operand if the memory-source-operand judging unit judges yes;
a memory-destination-operand judging unit, for judging, if the memory-source-operand judging unit judges no, whether the destination operand of the encryption call instruction contains the memory address of the encrypted message;
a memory-destination-operand taint tracking unit, for performing taint tracking with a memory destination operand if the memory-destination-operand judging unit judges yes;
a register-source-operand judging unit, for judging, if the memory-destination-operand judging unit judges no, whether the source operand of the encryption call instruction is a register;
a register-source-operand taint tracking unit, for performing taint tracking with a register source operand if the register-source-operand judging unit judges yes;
a register-destination-operand judging unit, for judging, if the register-source-operand judging unit judges no, whether the destination operand of the encryption call instruction is a register;
a register-destination-operand taint tracking unit, for performing taint tracking with a register destination operand if the register-destination-operand judging unit judges yes.
3. The system for extracting the plaintext of an encryption application based on dynamic taint analysis according to claim 2, characterized in that, when the source operand is memory, the cases include the destination operand being a register and the destination operand being absent, and the memory-source-operand taint tracking unit comprises:
a first tracking-record subunit, for recording the encryption call instruction when the memory is marked tainted and the register is marked tainted; further for recording the encryption call instruction when the memory is marked tainted and the register is marked untainted; further for recording the encryption call instruction when the memory is marked tainted and the destination operand is absent;
a first tracking-mark subunit, for marking the register tainted when the memory is marked tainted and the register is marked untainted; further for marking the register untainted when the memory is marked untainted and the register is marked tainted.
4. The system for extracting the plaintext of an encryption application based on dynamic taint analysis according to claim 2, characterized in that, when the destination operand is memory, the cases include the source operand being a register and the source operand being an immediate, and the memory-destination-operand taint tracking unit comprises:
a second tracking-record subunit, for recording the encryption call instruction when the register is marked tainted and the memory is marked tainted; further for recording the encryption call instruction when the register is marked tainted and the memory is marked untainted;
a second tracking-mark subunit, for marking the memory tainted when the register is marked tainted and the memory is marked untainted; further for marking the memory untainted when the register is marked untainted and the memory is marked tainted; further for marking the memory untainted when the source operand is an immediate and the memory is marked tainted.
5. The system for extracting the plaintext of an encryption application based on dynamic taint analysis according to claim 2, characterized in that, when the source operand is a register, the cases include the destination operand being a register and the destination operand being absent, and the register-source-operand taint tracking unit comprises:
a third tracking-record subunit, for recording the encryption call instruction when the source register is marked tainted and the destination register is marked tainted; further for recording the encryption call instruction when the source register is marked tainted and the destination register is marked untainted; further for recording the encryption call instruction when the source register is marked tainted and the destination operand is absent;
a third tracking-mark subunit, for marking the destination register tainted when the source register is marked tainted and the destination register is marked untainted; and for marking the destination register untainted when the source register is marked untainted and the destination register is marked tainted.
6. The system for extracting the plaintext of an encryption application based on dynamic taint analysis according to claim 2, characterized in that, when the destination operand is a register, there is the case of the source operand being an immediate, and the register-destination-operand taint tracking unit comprises:
a fourth tracking-mark subunit, for marking the destination register untainted when the source operand is an immediate and the destination register is marked tainted.
7. The system for extracting the plaintext of an encryption application based on dynamic taint analysis according to claim 1, characterized in that the instruction analysis module comprises an instruction resolution unit and a discrimination unit for message decryption and message processing, wherein:
the instruction resolution unit is used for determining the approximate position of the message decryption and message processing instructions;
the discrimination unit for message decryption and message processing is used for combining the result determined by the instruction resolution unit with a sliding-window technique to determine the specific message decryption and message processing instructions.
8. The system for extracting the plaintext of an encryption application based on dynamic taint analysis according to claim 1, characterized in that the memory behaviour analysis module comprises a memory read/write behaviour unit, an acquisition unit and an extraction unit, wherein:
the memory read/write behaviour unit is used for defining a global variable and dynamically tracking the encryption application's allocation and release of memory, adding allocated memory to the global variable and removing released memory from it;
the acquisition unit is used, in the message decryption stage, when an instruction writes to memory, for finding that memory buffer in the global variable and marking its state as tainted, and, in the message processing stage, when an instruction reads from memory, for finding that memory buffer in the global variable and, if the buffer's state is marked tainted, obtaining its memory address;
the extraction unit is used for extracting the decrypted plaintext from the obtained memory address.
CN201710237625.3A 2017-04-12 2017-04-12 System for extracting plaintext applied to encryption based on dynamic taint analysis Active CN107180188B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710237625.3A CN107180188B (en) 2017-04-12 2017-04-12 System for extracting plaintext applied to encryption based on dynamic taint analysis

Publications (2)

Publication Number Publication Date
CN107180188A true CN107180188A (en) 2017-09-19
CN107180188B CN107180188B (en) 2020-06-09

Family

ID=59831952

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710237625.3A Active CN107180188B (en) 2017-04-12 2017-04-12 System for extracting plaintext applied to encryption based on dynamic taint analysis

Country Status (1)

Country Link
CN (1) CN107180188B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant