CN107180188A - A system for extracting the plaintext of an encrypted application based on dynamic taint analysis - Google Patents
- Publication number: CN107180188A (application CN201710237625.3A)
- Authority: CN (China)
- Legal status: Granted
Classifications
- G06F21/52: Monitoring users, programs or devices to maintain the integrity of platforms (e.g. of processors, firmware or operating systems) during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
- G06F21/55: Detecting local intrusion or implementing counter-measures
- H04L63/0428: Network architectures or network communication protocols for network security providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
Abstract
The invention discloses a system for extracting the plaintext of an encrypted application based on dynamic taint analysis. The system comprises a taint data source locating module, a dynamic taint analysis module, an instruction analysis module and a memory behaviour analysis module, wherein: the taint data source locating module obtains the memory address of the encrypted message within a system call and marks it as the taint data source; the dynamic taint analysis module tracks the data source carrying the taint mark and, tracing from it, obtains the execution trace of the instructions that operate on it; the instruction analysis module analyses the instruction execution trace and distinguishes the message decryption stage of the taint data from its message processing stage; the memory behaviour analysis module obtains the memory addresses that the taint data is written to during the message decryption stage and read from during the message processing stage, and extracts the decrypted plaintext from those addresses. By extracting the plaintext from the encrypted application, the invention improves security monitoring of encrypted applications.
Description
Technical field
The present invention relates to the technical field of network security, and more particularly to a system for extracting the plaintext of an encrypted application based on dynamic taint analysis.
Background technology
In recent years, with the rapid development of the Internet, thousands of new applications appear every day, and for communication security most client applications use an encryption protocol between the client and the server. Besides common standard application-layer protocols such as HTTPS and SFTP, there are also a large number of proprietary encryption protocols. Users of client software that uses these encryption protocols do not know what is in the encrypted messages handled in the background, and therefore cannot tell whether the software performs hidden actions such as stealing personal information from the computer, automatically downloading harmful code, or redirecting to third-party websites; all of these actions harm the vital interests of the computer user.
Therefore, if the plaintext of the encrypted messages handled by such client software could be recovered, the plaintext content of the encryption protocol could be analysed and the protocol format reverse-engineered, thereby improving security monitoring of encrypted applications.
Summary of the invention
To overcome at least one of the defects of the prior art described above, the present invention provides a system for extracting the plaintext of an encrypted application based on dynamic taint analysis.
The invention is intended to solve the above technical problem at least to some extent.
The primary purpose of the present invention is to provide a way to recover the plaintext of the encrypted messages processed by an encrypted application, so as to improve security monitoring of encrypted applications.
To solve the above technical problem, the technical scheme of the invention is as follows. A system for extracting the plaintext of an encrypted application based on dynamic taint analysis comprises a taint data source locating module, a dynamic taint analysis module, an instruction analysis module and a memory behaviour analysis module, wherein: the taint data source locating module intercepts the system calls of the encrypted application, obtains the memory address of the encrypted message within the system call, and marks it as the taint data source; the dynamic taint analysis module tracks the data source carrying the taint mark and, tracing from that taint data source, obtains the execution trace of the instructions that operate on it; the instruction analysis module parses the obtained execution trace of the instructions that operate on the taint data and distinguishes the message decryption stage of the taint data from its message processing stage; the memory behaviour analysis module, using the memory read/write behaviour of the encrypted message in the encryption call instructions, obtains the memory addresses that the taint data is written to in the message decryption stage and read from in the message processing stage, and extracts the decrypted plaintext from those memory addresses.
Preferably, tracking of the data source carrying the taint mark comprises taint tracking for the case where the source operand is memory, where the destination operand is memory, where the source operand is a register and where the destination operand is a register, and the dynamic taint analysis module comprises: a memory-source judging unit, for judging whether the source operand of the encryption call instruction contains the memory address of the encrypted message; a memory-source taint tracking unit, for performing source-operand-is-memory taint tracking when the memory-source judging unit answers yes; a memory-destination judging unit, for judging, when the memory-source judging unit answers no, whether the destination operand of the encryption call instruction contains the memory address of the encrypted message; a memory-destination taint tracking unit, for performing destination-operand-is-memory taint tracking when the memory-destination judging unit answers yes; a register-source judging unit, for judging, when the memory-destination judging unit answers no, whether the source operand of the encryption call instruction is a register; a register-source taint tracking unit, for performing source-operand-is-register taint tracking when the register-source judging unit answers yes; a register-destination judging unit, for judging, when the register-source judging unit answers no, whether the destination operand of the encryption call instruction is a register; and a register-destination taint tracking unit, for performing destination-operand-is-register taint tracking when the register-destination judging unit answers yes.
Preferably, when the source operand is memory the cases covered are the destination operand being a register and the destination operand being absent, and the memory-source taint tracking unit comprises: a first tracking record subunit, for recording the encryption call instruction if the memory is marked tainted and the register is marked tainted; also for recording the encryption call instruction if the memory is marked tainted and the register is marked untainted; and also for recording the encryption call instruction if the memory is marked tainted and there is no destination operand; and a first tracking mark subunit, for marking the register tainted if the memory is marked tainted and the register is marked untainted; and also for marking the register untainted if the memory is marked untainted and the register is marked tainted.
Preferably, when the destination operand is memory the cases covered are the source operand being a register and the source operand being an immediate, and the memory-destination taint tracking unit comprises: a second tracking record subunit, for recording the encryption call instruction if the register is marked tainted and the memory is marked tainted; and also for recording the encryption call instruction if the register is marked tainted and the memory is marked untainted; and a second tracking mark subunit, for marking the memory tainted if the register is marked tainted and the memory is marked untainted; also for marking the memory untainted if the register is marked untainted and the memory is marked tainted; and also for marking the memory untainted if the source operand is an immediate and the memory is marked tainted.
Preferably, when the source operand is a register the cases covered are the destination operand being a register and the destination operand being absent, and the register-source taint tracking unit comprises: a third tracking record subunit, for recording the encryption call instruction if the source register is marked tainted and the destination register is marked tainted; also for recording the encryption call instruction if the source register is marked tainted and the destination register is marked untainted; and also for recording the encryption call instruction if the source register is marked tainted and there is no destination operand; and a third tracking mark subunit, for marking the destination register tainted if the source register is marked tainted and the destination register is marked untainted; and for marking the destination register untainted if the source register is marked untainted and the destination register is marked tainted.
Preferably, when the destination operand is a register there is the case where the source operand is an immediate, and the register-destination taint tracking unit comprises: a fourth tracking mark subunit, for marking the destination register untainted if the source operand is an immediate and the destination register is marked tainted.
Preferably, the instruction analysis module comprises an instruction parsing unit and a message decryption and message processing discrimination unit, wherein: the instruction parsing unit determines the approximate position of the message decryption and message processing instructions; the message decryption and message processing discrimination unit, combining the result determined by the instruction parsing unit, uses a sliding window technique to determine precisely the message decryption and message processing instructions.
Preferably, the memory behaviour analysis module comprises a memory read/write behaviour unit, an acquiring unit and an extraction unit, wherein: the memory read/write behaviour unit defines a global variable and dynamically tracks the allocation and release of memory by the encrypted application, adding allocated memory to the global variable and removing released memory from it; the acquiring unit, in the message decryption stage, finds in the global variable the memory buffer that an instruction writes to and marks its status as tainted, and in the message processing stage, finds in the global variable the memory buffer that an instruction reads from and, if the status of that buffer is tainted, obtains its memory address; the extraction unit extracts the decrypted plaintext from the acquired memory address.
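The allocation table and two-stage marking described for the memory behaviour analysis module, as an added illustration (not code from the patent): a toy analyser keeps the "global variable" of live buffers, taints any buffer written in the decryption stage, and copies the plaintext out of a tainted buffer the first time the processing stage reads it. Process memory, the stage labels and the sample buffers are constructed stand-ins.

```python
from dataclasses import dataclass

# Stage labels as decided by the instruction analysis module (constructed names).
DECRYPTION, PROCESSING = "decryption", "processing"


@dataclass
class Buffer:
    base: int
    size: int
    tainted: bool = False  # set when the decryption stage writes into the buffer


class MemoryBehaviourAnalyser:
    def __init__(self):
        self.live = {}       # the "global variable": base address -> live Buffer
        self.memory = {}     # constructed stand-in for process memory: address -> byte
        self.extracted = []  # (base address, plaintext) pairs found so far

    # Memory read/write behaviour unit: keep the allocation table current.
    def on_alloc(self, base, size):
        self.live[base] = Buffer(base, size)

    def on_free(self, base):
        self.live.pop(base, None)

    def _find(self, addr):
        return next((b for b in self.live.values()
                     if b.base <= addr < b.base + b.size), None)

    # Acquiring unit, decryption stage: a write taints the buffer it lands in.
    def on_write(self, stage, addr, data):
        for i, byte in enumerate(data):
            self.memory[addr + i] = byte
        if stage == DECRYPTION:
            buf = self._find(addr)
            if buf is not None:
                buf.tainted = True

    # Acquiring unit, processing stage: a read of a tainted buffer yields its
    # address; extraction unit: the plaintext is copied out of that buffer.
    def on_read(self, stage, addr, size):
        buf = self._find(addr) if stage == PROCESSING else None
        if buf is None or not buf.tainted:
            return None
        plaintext = bytes(self.memory.get(a, 0)
                          for a in range(buf.base, buf.base + buf.size))
        self.extracted.append((buf.base, plaintext))
        buf.tainted = False  # report each decrypted buffer once
        return plaintext


def run_memory_demo():
    """Constructed event sequence around one decrypted HTTP request line."""
    a = MemoryBehaviourAnalyser()
    a.on_alloc(0x7000, 16)  # ciphertext buffer filled by the read system call
    a.on_alloc(0x8000, 16)  # plaintext buffer written by the decryption routine
    a.on_alloc(0x9000, 16)  # scratch buffer released before processing starts
    a.on_write("read_syscall", 0x7000, bytes(range(16)))  # not the decryption stage
    a.on_write(DECRYPTION, 0x8000, b"GET / HTTP/1.1\r\n")
    a.on_write(DECRYPTION, 0x9000, bytes(16))
    a.on_free(0x9000)
    a.on_read(PROCESSING, 0x7000, 16)  # untainted ciphertext: nothing extracted
    a.on_read(PROCESSING, 0x9000, 16)  # freed: no longer in the allocation table
    a.on_read(PROCESSING, 0x8004, 4)   # read inside the tainted plaintext buffer
    return a.extracted
```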
Compared with the prior art, the beneficial effect of the technical scheme of the invention is: for client software that uses encryption protocols, it provides a system that extracts the plaintext of the encrypted application, which makes possible the analysis of the plaintext content of the encryption protocol and the reverse engineering of the protocol format, thereby improving security monitoring of encrypted applications.
Brief description of the drawings
Fig. 1 is a functional block diagram of an embodiment of the present application;
Fig. 2 is a refined functional block diagram of the dynamic taint analysis module of the invention;
Fig. 3 is a refined functional block diagram of the taint tracking unit of the invention for the case where the source operand is memory;
Fig. 4 is a refined functional block diagram of the taint tracking unit of the invention for the case where the destination operand is memory;
Fig. 5 is a refined functional block diagram of the taint tracking unit of the invention for the case where the source operand is a register;
Fig. 6 is a refined functional block diagram of the instruction analysis module of the invention;
Fig. 7 is a refined functional block diagram of the memory behaviour analysis module of the invention;
Fig. 8 is a flow diagram of the dynamic taint analysis module of the invention;
Fig. 9 is a flow diagram of the memory behaviour analysis module of the invention;
Fig. 10 is the line chart constructed by the instruction parsing unit in the real-world test of the invention;
Fig. 11 is the scatter diagram constructed by the message decryption and message processing discrimination unit in the real-world test of the invention.
Embodiments
The drawings are given for illustration only and must not be interpreted as limiting this patent; to better illustrate the present embodiment, some parts of the drawings may be omitted, enlarged or reduced and do not represent the size of the actual product; the same or similar labels correspond to the same or similar parts; those skilled in the art will understand that some known structures and their explanations may be omitted from the drawings.
The technical scheme of the invention is further described below with reference to the drawings and embodiments.
As shown in Fig. 1, the invention discloses a system for extracting the plaintext of an encrypted application based on dynamic taint analysis, comprising a taint data source locating module 01, a dynamic taint analysis module 02, an instruction analysis module 03 and a memory behaviour analysis module 04, wherein: the taint data source locating module 01 intercepts the encryption call instructions system-wide, obtains the memory address of the encrypted message in the encryption call instruction, and marks it as the taint data source; the dynamic taint analysis module 02 tracks the data source carrying the taint mark and, tracing from that taint data source, obtains the execution trace of the instructions that operate on it; the instruction analysis module 03 parses the obtained execution trace of the instructions that operate on the taint data and distinguishes the message decryption stage of the taint data from its message processing stage; the memory behaviour analysis module 04, using the memory read/write behaviour of the encrypted message in the encryption call instructions, obtains the memory addresses that the taint data is written to in the message decryption stage and read from in the message processing stage, and extracts the decrypted plaintext from those memory addresses.
In this embodiment, the invention uses dynamic taint analysis to find the memory that holds the plaintext after the encrypted application decrypts the encrypted message in memory, and so extracts the decrypted plaintext. The invention therefore extracts the plaintext of the encrypted application, which facilitates the analysis of the plaintext content of the encryption protocol and the reverse engineering of the protocol format, and improves security monitoring of encrypted applications.
It should be noted that the taint data source locating module 01 intercepts the system calls of the encrypted application, obtains from the system call the start address and size of the memory in which the encrypted application stores the encrypted message when it reads it, and marks that memory address as the taint data source. The specific execution flow is as follows: 1) hook the system calls; if the system call is one that reads data from a file descriptor or a network socket, proceed to the next step of analysis, otherwise return to hooking system calls; 2) locate the taint data source: from the input parameters and return parameters of the system call, obtain the start address and size of the memory in which the encrypted application stores the encrypted message when it reads it, and mark that memory address as the taint data source.
Further, as shown in Figs. 2 to 5 and Fig. 8, tracking of the data source carrying the taint mark comprises taint tracking for the case where the source operand is memory, where the destination operand is memory, where the source operand is a register and where the destination operand is a register, and the dynamic taint analysis module 02 comprises: a memory-source judging unit 021, for judging whether the source operand of the encryption call instruction contains the memory address of the encrypted message; a memory-source taint tracking unit 022, for performing source-operand-is-memory taint tracking when the memory-source judging unit answers yes; a memory-destination judging unit 023, for judging, when the memory-source judging unit answers no, whether the destination operand of the encryption call instruction contains the memory address of the encrypted message; a memory-destination taint tracking unit 024, for performing destination-operand-is-memory taint tracking when the memory-destination judging unit answers yes; a register-source judging unit 025, for judging, when the memory-destination judging unit answers no, whether the source operand of the encryption call instruction is a register; a register-source taint tracking unit 026, for performing source-operand-is-register taint tracking when the register-source judging unit answers yes; a register-destination judging unit 027, for judging, when the register-source judging unit answers no, whether the destination operand of the encryption call instruction is a register; and a register-destination taint tracking unit 028, for performing destination-operand-is-register taint tracking when the register-destination judging unit answers yes.
Further, when the source operand is memory the cases covered are the destination operand being a register and the destination operand being absent, and the memory-source taint tracking unit 022 comprises: a first tracking record subunit 0221, for recording the encryption call instruction if the memory is marked tainted and the register is marked tainted; also for recording the encryption call instruction if the memory is marked tainted and the register is marked untainted; and also for recording the encryption call instruction if the memory is marked tainted and there is no destination operand; and a first tracking mark subunit 0222, for marking the register tainted if the memory is marked tainted and the register is marked untainted; and also for marking the register untainted if the memory is marked untainted and the register is marked tainted.
Further, when the destination operand is memory the cases covered are the source operand being a register and the source operand being an immediate, and the memory-destination taint tracking unit 024 comprises: a second tracking record subunit 0241, for recording the encryption call instruction if the register is marked tainted and the memory is marked tainted; and also for recording the encryption call instruction if the register is marked tainted and the memory is marked untainted; and a second tracking mark subunit 0242, for marking the memory tainted if the register is marked tainted and the memory is marked untainted; also for marking the memory untainted if the register is marked untainted and the memory is marked tainted; and also for marking the memory untainted if the source operand is an immediate and the memory is marked tainted.
Further, when the source operand is a register the cases covered are the destination operand being a register and the destination operand being absent, and the register-source taint tracking unit 026 comprises: a third tracking record subunit 0261, for recording the encryption call instruction if the source register is marked tainted and the destination register is marked tainted; also for recording the encryption call instruction if the source register is marked tainted and the destination register is marked untainted; and also for recording the encryption call instruction if the source register is marked tainted and there is no destination operand; and a third tracking mark subunit 0262, for marking the destination register tainted if the source register is marked tainted and the destination register is marked untainted; and for marking the destination register untainted if the source register is marked untainted and the destination register is marked tainted.
Further, when the destination operand is a register there is the case where the source operand is an immediate, and the register-destination taint tracking unit 028 comprises: a fourth tracking mark subunit, for marking the destination register untainted if the source operand is an immediate and the destination register is marked tainted.
In this embodiment, dynamic taint analysis over these four situations (taint tracking when the source operand is memory, when the destination operand is memory, when the source operand is a register, and when the destination operand is a register) yields only the execution trace of the instructions that operate on the taint data.
The specific execution flow is as follows (for convenience of description, 1 denotes tainted and 0 denotes untainted):
1) Taint tracking when the source operand is memory
When the source operand is memory there are two situations: the destination operand is a register (e.g. mov rdx, qword ptr [rsp]), or there is no destination operand (e.g. cmp al, byte ptr [rbx+rdx*1]). The processing is as follows:
a) If the memory is 1 and the register is 1, record this instruction.
b) If the memory is 1 and the register is 0, mark the register 1 and record this instruction.
c) If the memory is 1 and there is no destination operand, record this instruction.
d) If the memory is 0 and the register is 1, mark the register 0.
e) If the memory is 0 and the register is 0, do nothing.
f) If the memory is 0 and there is no destination operand, do nothing.
2) Taint tracking when the destination operand is memory
When the destination operand is memory there are two situations: the source operand is a register (e.g. mov qword ptr [rsp], rdx), or the source operand is an immediate (e.g. mov byte ptr [rsp], 0xfa). The processing is as follows:
a) If the register is 1 and the memory is 1, record this instruction.
b) If the register is 1 and the memory is 0, mark the memory 1 and record this instruction.
c) If the register is 0 and the memory is 1, mark the memory 0.
d) If the register is 0 and the memory is 0, do nothing.
e) If the source operand is an immediate and the memory is 1, mark the memory 0.
f) If the source operand is an immediate and the memory is 0, do nothing.
3) Taint tracking when the source operand is a register
After steps 1) and 2) above have been performed, when the source operand is a register there are again two situations: the destination operand is a register (e.g. mov rdx, rcx), or there is no destination operand (e.g. cmp al, 0x2). The processing is as follows:
a) Traverse all source registers; if some source register is 1 and the destination register is 1, record this instruction.
b) Traverse all source registers; if some source register is 1 and the destination register is 0, mark the destination register 1 and record this instruction.
c) Traverse all source registers; if some source register is 1 and there is no destination operand, record this instruction.
d) Traverse all source registers; if all source registers are 0 and the destination register is 1, mark the destination register 0.
e) Traverse all source registers; if all source registers are 0 and the destination register is 0, do nothing.
f) Traverse all source registers; if all source registers are 0 and there is no destination operand, do nothing.
4) Taint tracking when the destination operand is a register
After steps 1), 2) and 3) above have been performed, when the destination operand is a register there is one further situation: the source operand is an immediate (e.g. mov al, 0x2). The processing is as follows:
a) If the source operand is an immediate and the destination register is 1, mark the register 0.
b) If the source operand is an immediate and the destination register is 0, do nothing.
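The four-case propagation flow above, as an added worked example rather than code from the patent: a toy tracker applies cases 1) to 4) in the stated order to a constructed instruction trace and records only the instructions that touch tainted data, exactly as the a) to f) rules say. The operand representation (kind, value) with memory operands as (address, size), and the sample trace, are assumptions made for this illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Operand kinds of the constructed trace (assumed representation, not the patent's).
MEM, REG, IMM = "mem", "reg", "imm"


@dataclass
class Insn:
    text: str           # assembly text, kept for readability only
    dest: tuple | None  # (kind, value); None when there is no destination operand
    srcs: list          # source operands as (kind, value); a memory value is (address, size)


@dataclass
class TaintTracker:
    mem: set = field(default_factory=set)      # tainted byte addresses (marked 1)
    regs: set = field(default_factory=set)     # tainted registers (marked 1)
    trace: list = field(default_factory=list)  # indices of the recorded instructions

    def mark_source(self, addr, size):
        """Taint data source locating: taint the buffer the read system call filled."""
        self.mem.update(range(addr, addr + size))

    def _mem_tainted(self, ref):
        addr, size = ref
        return any(a in self.mem for a in range(addr, addr + size))

    def _set_mem(self, ref, tainted):
        addr, size = ref
        for a in range(addr, addr + size):
            (self.mem.add if tainted else self.mem.discard)(a)

    def step(self, idx, insn):
        """Apply the four cases in the order the flow prescribes."""
        dest = insn.dest
        mem_srcs = [v for k, v in insn.srcs if k == MEM]
        reg_srcs = [v for k, v in insn.srcs if k == REG]
        if mem_srcs:                                    # 1) source operand is memory
            if any(self._mem_tainted(m) for m in mem_srcs):
                if dest is not None and dest[0] == REG:
                    self.regs.add(dest[1])              # b) mark the register 1
                self.trace.append(idx)                  # a), b), c) record the instruction
            elif dest is not None and dest[0] == REG:
                self.regs.discard(dest[1])              # d) mark the register 0; e), f) nothing
        elif dest is not None and dest[0] == MEM:       # 2) destination operand is memory
            if any(r in self.regs for r in reg_srcs):
                self._set_mem(dest[1], True)            # b) mark the memory 1 (a) keeps it 1)
                self.trace.append(idx)                  # a), b) record the instruction
            else:
                self._set_mem(dest[1], False)           # c), e) mark the memory 0; d), f) nothing
        elif reg_srcs:                                  # 3) source operand is a register
            if any(r in self.regs for r in reg_srcs):   # traverse all source registers
                if dest is not None:
                    self.regs.add(dest[1])              # b) mark the destination register 1
                self.trace.append(idx)                  # a), b), c) record the instruction
            elif dest is not None:
                self.regs.discard(dest[1])              # d) mark the destination register 0
        elif dest is not None and dest[0] == REG:       # 4) register destination, immediate source
            self.regs.discard(dest[1])                  # a) mark the register 0; b) nothing


def run_taint_demo():
    """Constructed trace: the encrypted message was read into 8 bytes at 0x1000."""
    t = TaintTracker()
    t.mark_source(0x1000, 8)
    program = [
        Insn("mov rdx, qword ptr [rsp]", (REG, "rdx"), [(MEM, (0x1000, 8))]),   # 1.b
        Insn("mov qword ptr [rsp+8], rdx", (MEM, (0x2000, 8)), [(REG, "rdx")]),  # 2.b
        Insn("mov rcx, rdx", (REG, "rcx"), [(REG, "rdx")]),                     # 3.b
        Insn("cmp rcx, 0x2", None, [(REG, "rcx"), (IMM, 2)]),                   # 3.c
        Insn("mov rdx, 0x5", (REG, "rdx"), [(IMM, 5)]),                         # 4.a
        Insn("mov rax, rdx", (REG, "rax"), [(REG, "rdx")]),                     # 3.d
        Insn("mov byte ptr [rsp+8], 0xfa", (MEM, (0x2000, 1)), [(IMM, 0xfa)]),  # 2.e
        Insn("mov al, byte ptr [rsp+9]", (REG, "al"), [(MEM, (0x2001, 1))]),    # 1.b
    ]
    for i, insn in enumerate(program):
        t.step(i, insn)
    return t.trace, t.regs, t.mem
```

Only the five instructions that read or copy tainted data end up in the recorded trace; the immediate stores in steps 4 and 6 clear the taint of rdx and of the single overwritten byte.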
Further, as shown in Fig. 6 and Fig. 9, the instruction analysis module 03 comprises an instruction parsing unit 031 and a message decryption and message processing discrimination unit 032, wherein: the instruction parsing unit 031 determines the approximate position of the message decryption and message processing instructions; the message decryption and message processing discrimination unit 032, combining the result determined by the instruction parsing unit 031, uses a sliding window technique to determine precisely the message decryption and message processing instructions.
In this embodiment, the instruction analysis module 03 analyses the instruction execution trace and uses the percentage of arithmetic-class and logic-class instructions together with a time-window technique to distinguish the "message decryption" stage from the "message processing" stage. The specific execution flow is as follows:
(1) Calculate the percentage of the total instructions that are arithmetic-class or logic-class instructions. For the n-th instruction, compute the percentage of arithmetic-class and logic-class instructions among the first n instructions. Taking the instruction number as the x-axis and this percentage as the y-axis gives a line chart. The turning point between the "message decryption" and "message processing" stages must lie between the highest and lowest points of this line chart.
(2) For the instructions between the instruction at the highest point and the instruction at the lowest point, use the sliding window technique to calculate the percentage of the window's instructions that are arithmetic-class or logic-class instructions. The sliding window technique means: maintain a window containing a fixed number of instructions and calculate the percentage of the instructions in the window that are arithmetic-class or logic-class instructions; starting from the first instruction, the window moves forward one instruction at a time and the percentage is calculated once per move. Taking the instruction number as the X-axis and the in-window percentage as the Y-axis gives a scatter diagram. Experimental testing shows that, in this scatter diagram, when the percentage falls below a certain threshold, more than half of the instructions in the previous sliding window belong to one function called by the encrypted application, and that function is the turning point between the message decryption and message processing stages. Through many experiments, the invention sets the sliding window to 30 instructions and the threshold to 50% as the optimal values.
Real-world test: Figure 10 shows the instruction line chart produced by the instruction resolution unit while the invention monitors an encryption application processing HTTPS encrypted messages. In that chart the turning point between message decryption and message processing lies between the function gcm_ghash_avx and the function ngx_http_process_request. Figure 11 shows the instruction scatter plot produced by the message decryption and message processing discrimination unit for the same application; in it the turning point between message decryption and message processing is the function gcm_ghash_avx. The approximate position of the message decryption and message processing instructions is thus first determined in the line chart built by the instruction resolution unit 031 (between gcm.. and ngx..), and, combining that result, the exact instruction is then determined in the scatter plot built by the message decryption and message processing discrimination unit 032.
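Steps (1) and (2) above, run end to end on a constructed trace. This is an added example, not code from the patent: the set of mnemonics counted as arithmetic/logic, the trace itself and its function labels are assumptions made for the demonstration.

```python
"""Splitting an instruction trace into "message decryption" and "message processing".

Added example, not code from the patent. Steps (1) and (2) above are applied to a
constructed trace: the cumulative arithmetic/logic share gives the line chart's
peak and trough, and a 30-instruction sliding window with a 50% threshold then
locates the turn. The mnemonic set, the trace and its function labels are assumed.
"""
from typing import Dict, List, Optional, Tuple

# Assumed set of "arithmetic-class and logic-class" mnemonics (the patent does not
# list the ones it counts).
ARITH_LOGIC = {
    "add", "sub", "adc", "sbb", "imul", "mul", "neg", "inc", "dec",
    "and", "or", "xor", "not", "shl", "shr", "sar", "rol", "ror",
    "pxor", "paddd", "pshufb", "pclmulqdq", "vpxor", "vpclmulqdq",
}

# Constructed trace of (mnemonic, executing function). Indices are 0-based; the
# patent's charts number instructions from 1. The first 60 instructions imitate
# a GHASH-style decryption loop (4 of every 5 arithmetic/logic), the next 60
# imitate request parsing (1 of every 10).
DECRYPT = [(m, "gcm_ghash_avx") for m in ("mov", "xor", "add", "rol", "pxor")]
PROCESS = [(m, "ngx_http_process_request") for m in
           ("mov", "cmp", "jne", "call", "add", "mov", "push", "ret", "mov", "mov")]
TRACE: List[Tuple[str, str]] = DECRYPT * 12 + PROCESS * 6


def is_arith_logic(mnemonic: str) -> bool:
    return mnemonic.lower() in ARITH_LOGIC


def cumulative_share(trace: List[Tuple[str, str]]) -> List[float]:
    """Step (1): for every n, the share of arithmetic/logic among the first n instructions."""
    curve, hits = [], 0
    for n, (mnemonic, _) in enumerate(trace, start=1):
        hits += is_arith_logic(mnemonic)
        curve.append(hits / n)
    return curve


def coarse_region(trace: List[Tuple[str, str]]) -> Tuple[int, int]:
    """Indices of the line chart's highest point (last occurrence) and of the lowest
    point after it. The patent's observation is that the turn lies between them."""
    curve = cumulative_share(trace)
    top = max(curve)
    peak = max(i for i, v in enumerate(curve) if v == top)
    trough = min(range(peak, len(curve)), key=curve.__getitem__)
    return peak, trough


def window_share(trace: List[Tuple[str, str]], start: int, size: int) -> float:
    chunk = trace[start:start + size]
    return sum(is_arith_logic(m) for m, _ in chunk) / len(chunk)


def find_turning_window(trace: List[Tuple[str, str]], window: int = 30,
                        threshold: float = 0.5) -> Optional[Tuple[int, int]]:
    """Step (2): slide a fixed-size window one instruction at a time across the
    peak..trough region. Returns the half-open index range of the window that
    precedes the first window whose share drops below the threshold; more than
    half of its instructions belong to the function at the turning point."""
    peak, trough = coarse_region(trace)
    prev = None
    for start in range(max(0, peak - window + 1), trough - window + 2):
        if window_share(trace, start, window) < threshold:
            return prev if prev is not None else (start, start + window)
        prev = (start, start + window)
    return None


def dominant_function(trace: List[Tuple[str, str]], span: Tuple[int, int]) -> str:
    """The function owning most instructions in the span, i.e. the turning-point function."""
    counts: Dict[str, int] = {}
    for _, fn in trace[span[0]:span[1]]:
        counts[fn] = counts.get(fn, 0) + 1
    return max(counts, key=counts.get)


if __name__ == "__main__":
    span = find_turning_window(TRACE)
    print("line chart peak/trough:", coarse_region(TRACE))
    print("window before the drop:", span, "->", dominant_function(TRACE, span))
```

On this trace the cumulative curve peaks at the last decryption instruction (index 59) and bottoms out at the end of the trace; the first 30-instruction window below 50% starts at index 44, and the window before it (indices 43 to 72) is owned 17:13 by the decryption function, which is the behaviour the patent reports for gcm_ghash_avx. The 30/50% setting was tuned by the patent's authors on one application; a cipher implemented with AES-NI/CLMUL instructions, or a table-driven one, changes the arithmetic share of the decryption phase, so the mnemonic set and the threshold should be re-validated on each target binary.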
Further, the memory behaviour analysis module 04 includes a memory read/write behaviour unit 041, an acquisition unit 042 and an extraction unit 043, wherein: the memory read/write behaviour unit 041 defines a global variable and dynamically tracks the encryption application's allocation and release of memory, adding allocated memory to the global variable and removing released memory from it; the acquisition unit 042, during the message decryption stage, when an instruction writes to memory, finds that memory buffer in the global variable and marks its state as tainted, and, during the message processing stage, when an instruction reads from memory, finds that memory buffer in the global variable and, if the state of the buffer is marked tainted, obtains the memory address; the extraction unit 043 extracts the decrypted plaintext from the obtained memory address.
In this embodiment, the memory behaviour analysis module 04 analyses memory read/write behaviour to find memory that is written during the "message decryption" stage and read during the "message processing" stage, and from it extracts the decrypted plaintext. The procedure is as follows:
1) Tracking of dynamic memory
Define a global variable memoryList and dynamically track the encryption application's allocation and release of memory: allocated memory is added to memoryList and released memory is removed from it.
2) Analysis of the "message decryption" stage
If an instruction writes to memory, find that memory buffer in memoryList and mark its state as 1 (tainted). When the encryption application decrypts an encrypted message, the decrypted plaintext must be stored in some memory buffer.
3) Analysis of the "message processing" stage
If an instruction writes to memory, find that memory buffer in memoryList and mark its state as 0 (untainted). In the "message processing" stage the encryption application must read the plaintext obtained in the preceding "message decryption" stage from memory and process it; a buffer that is being written with data at this point cannot be the location where the decrypted plaintext is stored.
If an instruction reads from memory, find that memory buffer in memoryList; if its state is 1 (tainted), output it. Of the memory read during the "message processing" stage, only the first memory buffer read needs to be considered, because that buffer is the location of the decrypted plaintext.
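The three steps above, replayed over a constructed event stream. This is an added example, not the patent's code: the allocation, write and read events stand in for what an instrumentation tool would report once the instruction analysis module has assigned each instruction to a stage, and the addresses and buffer contents are invented.

```python
"""Memory behaviour analysis: the buffer written during "message decryption" and
read during "message processing" holds the plaintext.

Added example, not the patent's code. The event sequence is constructed to stand
in for what an instrumentation tool would report (heap allocation and release,
and per-instruction writes and reads, each tagged with the phase the instruction
analysis module assigned to it). Addresses and buffer contents are invented.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

DECRYPT = "message decryption"
PROCESS = "message processing"


@dataclass
class Buffer:
    base: int
    size: int
    state: int = 0                      # 1 = tainted, 0 = untainted, as in the text
    data: bytearray = field(init=False, repr=False)

    def __post_init__(self) -> None:
        self.data = bytearray(self.size)

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


class MemoryTracker:
    def __init__(self) -> None:
        self.memory_list: Dict[int, Buffer] = {}   # the global variable memoryList
        self.plaintext: Optional[bytes] = None     # contents of the first tainted buffer read

    # 1) tracking of dynamic memory
    def on_alloc(self, base: int, size: int) -> None:
        self.memory_list[base] = Buffer(base, size)

    def on_free(self, base: int) -> None:
        self.memory_list.pop(base, None)

    def find(self, addr: int) -> Optional[Buffer]:
        for buf in self.memory_list.values():
            if buf.contains(addr):
                return buf
        return None                                 # stack or static memory: not tracked

    # 2) and 3) per-instruction memory accesses
    def on_write(self, phase: str, addr: int, data: bytes) -> None:
        buf = self.find(addr)
        if buf is None:
            return
        off = addr - buf.base
        data = data[:buf.size - off]                # stay inside the buffer
        buf.data[off:off + len(data)] = data
        # a decryption-stage write marks the buffer 1; a processing-stage write
        # shows it is not where the plaintext lives and marks it 0
        buf.state = 1 if phase == DECRYPT else 0

    def on_read(self, phase: str, addr: int, size: int) -> Optional[bytes]:
        """Returns the bytes read when a processing-stage read hits a tainted buffer."""
        buf = self.find(addr)
        if phase != PROCESS or buf is None or buf.state != 1:
            return None
        if self.plaintext is None:                  # only the first such buffer matters
            self.plaintext = bytes(buf.data).rstrip(b"\0")
        off = addr - buf.base
        return bytes(buf.data[off:off + size])


def run_demo() -> Optional[bytes]:
    """Replays a constructed event sequence and returns the extracted plaintext."""
    t = MemoryTracker()
    t.on_alloc(0x1000, 64)   # ciphertext copied in by the intercepted read(2)
    t.on_alloc(0x2000, 64)   # buffer that receives the decrypted bytes
    t.on_alloc(0x3000, 16)   # scratch block reused across stages
    t.on_write(DECRYPT, 0x3000, b"\x00" * 12 + b"\x00\x00\x00\x02")
    t.on_write(DECRYPT, 0x2000, b"GET /index.html HTTP/1.1\r\n")
    t.on_write(DECRYPT, 0x7FFD0000, b"\x00" * 8)      # stack slot: not in memoryList, ignored
    t.on_write(PROCESS, 0x3000, b"\x00" * 16)         # reused scratch: mark cleared
    assert t.on_read(PROCESS, 0x3000, 16) is None
    assert t.on_read(PROCESS, 0x1000, 16) is None     # never written during decryption
    assert t.on_read(PROCESS, 0x2000, 4) == b"GET "   # parser's first read: the plaintext
    t.on_free(0x2000)
    return t.plaintext
```

Because memoryList only knows buffers reported by the allocation hooks, plaintext decrypted into a stack or static buffer is invisible to this design; the ignored stack write in the demo shows where that blind spot sits, and a practitioner extending the scheme would add stack-frame tracking or page-granular write monitoring for such targets.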
Obviously, the above embodiments are merely examples given to illustrate the present invention clearly and do not limit its embodiments. Those of ordinary skill in the art may make other changes of different forms on the basis of the above description. It is neither necessary nor possible to exhaust all embodiments here. Any modification, equivalent substitution or improvement made within the spirit and principles of the invention shall fall within the scope of protection of the claims of the invention.
Claims (8)
1. A system for extracting the plaintext of an encryption application based on dynamic taint analysis, characterised in that it includes a taint data source locating module, a dynamic taint analysis module, an instruction analysis module and a memory behaviour analysis module, wherein:
the taint data source locating module intercepts the system calls of the encryption application, obtains the memory address of the encrypted message in the system call and marks it as the taint data source;
the dynamic taint analysis module tracks the data source marked with taint and obtains, working back from the taint data source, the execution trace of the instructions that operate on it;
the instruction analysis module parses the obtained execution trace of the instructions operating on the taint data and distinguishes the message decryption stage from the message processing stage of the taint data;
the memory behaviour analysis module, according to the memory read/write behaviour of the encrypted message in the encryption call instructions, obtains the memory address to which the taint data is written during the message decryption stage and from which it is read during the message processing stage, and extracts the decrypted plaintext from that memory address.
2. The system for extracting the plaintext of an encryption application based on dynamic taint analysis as claimed in claim 1, characterised in that tracking of the data source marked with taint includes taint tracking with a memory source operand, taint tracking with a memory destination operand, taint tracking with a register source operand and taint tracking with a register destination operand, the dynamic taint analysis module including:
a memory-source-operand judging unit, which judges whether the source operand of an encryption call instruction includes the memory address of the encrypted message;
a memory-source-operand taint tracking unit, which performs taint tracking for a memory source operand if the memory-source-operand judging unit judges yes;
a memory-destination-operand judging unit, which, if the memory-source-operand judging unit judges no, judges whether the destination operand of the encryption call instruction includes the memory address of the encrypted message;
a memory-destination-operand taint tracking unit, which performs taint tracking for a memory destination operand if the memory-destination-operand judging unit judges yes;
a register-source-operand judging unit, which, if the memory-destination-operand judging unit judges no, judges whether the source operand of the encryption call instruction is a register;
a register-source-operand taint tracking unit, which performs taint tracking for a register source operand if the register-source-operand judging unit judges yes;
a register-destination-operand judging unit, which, if the register-source-operand judging unit judges no, judges whether the destination operand of the encryption call instruction is a register;
a register-destination-operand taint tracking unit, which performs taint tracking for a register destination operand if the register-destination-operand judging unit judges yes.
3. The system for extracting the plaintext of an encryption application based on dynamic taint analysis as claimed in claim 2, characterised in that, when the source operand is memory, the cases where the destination operand is a register and where there is no destination operand are included, the memory-source-operand taint tracking unit including:
a first tracking record sub-unit, which records the encryption call instruction in the trace if the memory is marked tainted and the register is marked tainted; also records the encryption call instruction if the memory is marked tainted and the register is marked untainted; and also records the encryption call instruction if the memory is marked tainted and there is no destination operand;
a first tracking mark sub-unit, which marks the register as tainted if the memory is marked tainted and the register is marked untainted; and marks the register as untainted if the memory is marked untainted and the register is marked tainted.
4. The system for extracting the plaintext of an encryption application based on dynamic taint analysis as claimed in claim 2, characterised in that, when the destination operand is memory, the cases where the source operand is a register and where the source operand is an immediate are included, the memory-destination-operand taint tracking unit including:
a second tracking record sub-unit, which records the encryption call instruction in the trace if the register is marked tainted and the memory is marked tainted; and also records the encryption call instruction if the register is marked tainted and the memory is marked untainted;
a second tracking mark sub-unit, which marks the memory as tainted if the register is marked tainted and the memory is marked untainted; marks the memory as untainted if the register is marked untainted and the memory is marked tainted; and marks the memory as untainted if the source operand is an immediate and the memory is marked tainted.
5. The system for extracting the plaintext of an encryption application based on dynamic taint analysis as claimed in claim 2, characterised in that, when the source operand is a register, the cases where the destination operand is a register and where there is no destination operand are included, the register-source-operand taint tracking unit including:
a third tracking record sub-unit, which records the encryption call instruction in the trace if the source register is marked tainted and the destination register is marked tainted; also records the encryption call instruction if the source register is marked tainted and the destination register is marked untainted; and also records the encryption call instruction if the source register is marked tainted and there is no destination operand;
a third tracking mark sub-unit, which marks the destination register as tainted if the source register is marked tainted and the destination register is marked untainted; and marks the destination register as untainted if the source register is marked untainted and the destination register is marked tainted.
6. The system for extracting the plaintext of an encryption application based on dynamic taint analysis as claimed in claim 2, characterised in that, when the destination operand is a register, the case where the source operand is an immediate is included, the register-destination-operand taint tracking unit including:
a fourth tracking mark sub-unit, which marks the destination register as untainted if the source operand is an immediate and the destination register is marked tainted.
7. The system for extracting the plaintext of an encryption application based on dynamic taint analysis as claimed in claim 1, characterised in that the instruction analysis module includes an instruction resolution unit and a message decryption and message processing discrimination unit, wherein:
the instruction resolution unit determines the approximate position of the message decryption and message processing instructions;
the message decryption and message processing discrimination unit combines the result determined by the instruction resolution unit and uses a sliding-window technique to determine the exact message decryption and message processing instructions.
8. The system for extracting the plaintext of an encryption application based on dynamic taint analysis as claimed in claim 1, characterised in that the memory behaviour analysis module includes a memory read/write behaviour unit, an acquisition unit and an extraction unit, wherein:
the memory read/write behaviour unit defines a global variable and dynamically tracks the encryption application's allocation and release of memory, adding allocated memory to the global variable and removing released memory from it;
the acquisition unit, during the message decryption stage, when an instruction writes to memory, finds that memory buffer in the global variable and marks its state as tainted, and, during the message processing stage, when an instruction reads from memory, finds that memory buffer in the global variable and, if the state of the memory buffer is marked tainted, obtains the memory address;
the extraction unit extracts the decrypted plaintext from the obtained memory address.
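The operand-level taint rules of claims 2 to 6, implemented over a constructed instruction stream. This is an added example, not the patent's code: the operand model (memory address plus size, register name, immediate), the instructions and the addresses are assumptions. The judging units of claim 2 are read here as tests of the operand's kind, since claims 3 and 4 cover tainted and untainted memory alike; the per-case tables of claims 3 to 6 collapse into two rules that propagate() applies, record the instruction whenever its source operand is tainted, and give the destination the taint of its source (an immediate source clears the destination).

```python
"""Operand-level taint tracking as laid out in claims 2 to 6.

Added example, not the patent's code. The instruction stream, the operand model
and the addresses are constructed. classify() reproduces claim 2's decision order
(memory source, memory destination, register source, register destination);
propagate() applies the two rules the tables of claims 3 to 6 reduce to.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple, Union


@dataclass(frozen=True)
class Mem:
    addr: int
    size: int = 8


@dataclass(frozen=True)
class Reg:
    name: str


@dataclass(frozen=True)
class Imm:
    value: int


Operand = Union[Mem, Reg, Imm]


@dataclass(frozen=True)
class Insn:
    addr: int
    text: str
    src: Optional[Operand]
    dst: Optional[Operand]


class TaintTracker:
    def __init__(self, taint_source: Mem) -> None:
        # claim 1: the encrypted message's memory range is the taint data source
        self.mem: Set[int] = set(range(taint_source.addr, taint_source.addr + taint_source.size))
        self.regs: Set[str] = set()
        self.trace: List[Insn] = []          # instructions that operated on tainted data

    def tainted(self, op: Optional[Operand]) -> bool:
        if isinstance(op, Mem):
            return any(a in self.mem for a in range(op.addr, op.addr + op.size))
        if isinstance(op, Reg):
            return op.name in self.regs
        return False                         # immediate or absent operand

    def mark(self, op: Operand, on: bool) -> None:
        if isinstance(op, Mem):
            span = range(op.addr, op.addr + op.size)
            if on:
                self.mem.update(span)
            else:
                self.mem.difference_update(span)
        elif isinstance(op, Reg):
            if on:
                self.regs.add(op.name)
            else:
                self.regs.discard(op.name)

    @staticmethod
    def classify(insn: Insn) -> str:
        """Claim 2's branch order for one encryption call instruction."""
        if isinstance(insn.src, Mem):
            return "memory source"
        if isinstance(insn.dst, Mem):
            return "memory destination"
        if isinstance(insn.src, Reg):
            return "register source"
        if isinstance(insn.dst, Reg):
            return "register destination"
        return "untracked"

    def propagate(self, insn: Insn) -> str:
        branch = self.classify(insn)
        src_tainted = self.tainted(insn.src)
        if src_tainted:                      # claims 3 to 5: tainted source -> record
            self.trace.append(insn)
        if insn.dst is not None:             # claims 3 to 6: destination follows source
            self.mark(insn.dst, src_tainted)
        return branch


# Constructed stream: the intercepted read(2) placed 16 ciphertext bytes at 0x7000.
CIPHERTEXT = Mem(0x7000, 16)
PROGRAM = [
    Insn(0x401000, "mov rax, [0x7000]", Mem(0x7000), Reg("rax")),   # claim 3: record, taint rax
    Insn(0x401004, "mov [0x8000], rax", Reg("rax"), Mem(0x8000)),   # claim 4: record, taint memory
    Insn(0x401008, "mov rcx, 8",        Imm(8),     Reg("rcx")),    # claim 6: rcx stays untainted
    Insn(0x40100C, "push rax",          Reg("rax"), None),          # claim 5: record, no destination
    Insn(0x401010, "mov rax, 0",        Imm(0),     Reg("rax")),    # claim 6: immediate clears rax
    Insn(0x401014, "mov rdx, [0x8000]", Mem(0x8000), Reg("rdx")),   # claim 3: record via the copy
    Insn(0x401018, "mov [0x8000], rcx", Reg("rcx"), Mem(0x8000)),   # claim 4: untainted source clears memory
    Insn(0x40101C, "mov rsi, [0x8000]", Mem(0x8000), Reg("rsi")),   # nothing tainted: not recorded
]


def run_demo() -> Tuple[TaintTracker, List[str]]:
    """Runs the stream; returns the tracker (trace, taint sets) and each instruction's branch."""
    t = TaintTracker(CIPHERTEXT)
    return t, [t.propagate(i) for i in PROGRAM]
```

The recorded trace is the "execution trace of the instructions that operate on the taint data" of claim 1: here the four instructions that read the ciphertext, copied it to 0x8000, pushed it and reloaded it from the copy. The tables in claims 3 to 6 give every instruction move semantics, so an instruction that combines both operands (add, xor, pclmulqdq) keeps only the source's taint; a practitioner building on this scheme would union the taint of both operands for such instructions and special-case zeroing idioms like xor reg, reg, neither of which the claims describe.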
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710237625.3A CN107180188B (en) | 2017-04-12 | 2017-04-12 | System for extracting plaintext applied to encryption based on dynamic taint analysis |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107180188A true CN107180188A (en) | 2017-09-19 |
CN107180188B CN107180188B (en) | 2020-06-09 |
Family
ID=59831952
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710237625.3A Active CN107180188B (en) | 2017-04-12 | 2017-04-12 | System for extracting plaintext applied to encryption based on dynamic taint analysis |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107180188B (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112149136A (en) * | 2020-09-23 | 2020-12-29 | 北京顶象技术有限公司 | IoT device firmware vulnerability detection method and system and electronic device |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8260711B1 (en) * | 2008-12-03 | 2012-09-04 | Symantec Corporation | Systems and methods for managing rights of data via dynamic taint analysis |
CN104506484A (en) * | 2014-11-11 | 2015-04-08 | 中国电子科技集团公司第三十研究所 | Proprietary protocol analysis and identification method |
CN104850781A (en) * | 2014-02-17 | 2015-08-19 | 中国科学院信息工程研究所 | Method and system for dynamic multilevel behavioral analysis of malicious code |
Non-Patent Citations (2)
Title |
---|
Liu Yu: "Reverse analysis method for malicious code communication protocols based on dynamic taint analysis" (基于动态污点分析的恶意代码通信协议逆向分析方法), Acta Electronica Sinica (电子学报) * |
Wang Bianqin: "Automatic extraction method for unknown network application traffic" (未知网络应用流量的自动提取方法), Journal on Communications (通信学报) * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||