CN107180188B - System for extracting plaintext applied to encryption based on dynamic taint analysis - Google Patents

Info

Publication number: CN107180188B
Authority: CN (China)
Prior art keywords: memory, register, taint, marked, unit
Legal status: Active
Application number: CN201710237625.3A
Other languages: Chinese (zh)
Other versions: CN107180188A (en)
Inventors: 余顺争, 吴达玳
Current assignee: National Sun Yat Sen University
Original assignee: National Sun Yat Sen University
Events: application filed by National Sun Yat Sen University; priority to CN201710237625.3A; publication of CN107180188A; application granted; publication of CN107180188B; legal status active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload

Abstract

The invention discloses a plaintext extraction system for encrypted applications based on dynamic taint analysis. The system comprises a taint data source positioning module, a dynamic taint analysis module, an instruction analysis module and a memory behavior analysis module, wherein: the taint data source positioning module is used for acquiring the memory address of the encrypted message in a system call and marking it as the taint data source; the dynamic taint analysis module is used for tracking the data marked as tainted and obtaining, starting from the taint data source, the execution trace of the instructions that operate on tainted data; the instruction analysis module is used for analyzing that instruction execution trace and distinguishing the message decryption stage from the message processing stage; and the memory behavior analysis module is used for acquiring the memory address that tainted data is written to in the message decryption stage and read from in the message processing stage, and extracting the decrypted plaintext from that address. By extracting the plaintext handled by the encrypted application, the invention improves security monitoring of the encrypted application.

Description

System for extracting plaintext applied to encryption based on dynamic taint analysis
Technical Field
The invention relates to the technical field of network security, in particular to a system for extracting plaintext of encryption application based on dynamic taint analysis.
Background
In recent years, with the rapid development of the internet, new applications appear every day, and for communication security most client applications use an encryption protocol between the client and the server. Besides common standard application-layer protocols such as HTTPS and SFTP, a growing number of proprietary encryption protocols are emerging. Users of client software that speaks such a protocol cannot see which encrypted messages it processes in the background, and therefore cannot tell whether it performs covert actions that harm their interests, such as stealing personal privacy information from the computer, automatically downloading harmful code, or redirecting to third-party websites.
Therefore, if the plaintext of the encrypted messages processed by such client software can be recovered by reverse analysis, the plaintext content of the encryption protocol can be analyzed, the format of the encryption protocol can be reverse engineered, and security monitoring of the encrypted application is improved.
Disclosure of Invention
The present invention overcomes at least one of the above-mentioned deficiencies of the prior art by providing a system for plaintext extraction for cryptographic applications based on dynamic taint analysis.
The present invention aims to solve the above technical problem at least to some extent.
It is a primary object of the present invention to provide a method for reverse parsing plaintext information of an encrypted message processed by an encryption application to improve security monitoring of the encryption application.
In order to solve the above technical problems, the technical scheme of the invention is as follows: a system for plaintext extraction from encrypted applications based on dynamic taint analysis comprises a taint data source positioning module, a dynamic taint analysis module, an instruction analysis module and a memory behavior analysis module, wherein: the taint data source positioning module is used for intercepting the system calls of the encrypted application, acquiring the memory address of the encrypted message in the system call and marking it as the taint data source; the dynamic taint analysis module is used for tracking the data marked as tainted and obtaining, starting from the taint data source, the execution trace of the instructions that operate on tainted data; the instruction analysis module is used for analyzing the obtained instruction execution trace and distinguishing the message decryption stage from the message processing stage; and the memory behavior analysis module is used for acquiring, from the memory read-write behavior of the instructions that operate on the encrypted message, the memory address that tainted data is written to in the message decryption stage and read from in the message processing stage, and extracting the decrypted plaintext from that address.
Preferably, tracking the data marked as tainted comprises four cases: taint tracking when the source operand is memory, taint tracking when the destination operand is memory, taint tracking when the source operand is a register, and taint tracking when the destination operand is a register; accordingly the dynamic taint analysis module comprises: a source-operand-is-memory judging unit, used for judging whether the source operand of the instruction contains the memory address of the encrypted message; a source-operand-is-memory taint tracking unit, used for performing taint tracking for a memory source operand if that judgment is yes; a destination-operand-is-memory judging unit, used for judging whether the destination operand of the instruction contains the memory address of the encrypted message if the source operand is not memory; a destination-operand-is-memory taint tracking unit, used for performing taint tracking for a memory destination operand if that judgment is yes; a source-operand-is-register judging unit, used for judging whether the source operand of the instruction is a register if the destination operand is not memory; a source-operand-is-register taint tracking unit, used for performing taint tracking for a register source operand if that judgment is yes; a destination-operand-is-register judging unit, used for judging whether the destination operand of the instruction is a register if the source operand is not a register; and a destination-operand-is-register taint tracking unit, used for performing taint tracking for a register destination operand if that judgment is yes.
Preferably, when the source operand is memory, there are two cases, the destination operand being a register and there being no destination operand, and the taint tracking unit for a memory source operand comprises: a first tracking-and-recording subunit, used for recording the instruction if the memory is marked tainted and the register is marked tainted, recording the instruction if the memory is marked tainted and the register is marked untainted, and recording the instruction if the memory is marked tainted and there is no destination operand; and a first tracking-and-marking subunit, used for marking the register tainted if the memory is marked tainted and the register is marked untainted, and marking the register untainted if the memory is marked untainted and the register is marked tainted.
Preferably, when the destination operand is memory, there are two cases, the source operand being a register and the source operand being an immediate, and the taint tracking unit for a memory destination operand comprises: a second tracking-and-recording subunit, used for recording the instruction if the register is marked tainted and the memory is marked tainted, and recording the instruction if the register is marked tainted and the memory is marked untainted; and a second tracking-and-marking subunit, used for marking the memory tainted if the register is marked tainted and the memory is marked untainted, marking the memory untainted if the register is marked untainted and the memory is marked tainted, and marking the memory untainted if the source operand is an immediate and the memory is marked tainted.
Preferably, when the source operand is a register, there are two cases, the destination operand being a register and there being no destination operand, and the taint tracking unit for a register source operand comprises: a third tracking-and-recording subunit, used for recording the instruction if the source register is marked tainted and the destination register is marked tainted, recording the instruction if the source register is marked tainted and the destination register is marked untainted, and recording the instruction if the source register is marked tainted and there is no destination operand; and a third tracking-and-marking subunit, used for marking the destination register tainted if the source register is marked tainted and the destination register is marked untainted, and marking the destination register untainted if the source register is marked untainted and the destination register is marked tainted.
Preferably, when the destination operand is a register, there is the further case that the source operand is an immediate, and the taint tracking unit for a register destination operand comprises: a fourth tracking-and-marking subunit, used for marking the destination register untainted if the source operand is an immediate and the destination register is marked tainted.
Preferably, the instruction analysis module comprises an instruction parsing unit and a unit for distinguishing message decryption from message processing, wherein: the instruction parsing unit is used for determining the approximate position of the instructions for message decryption and message processing; and the distinguishing unit is used for pinpointing the instructions for message decryption and message processing with a sliding window technique, starting from the result determined by the instruction parsing unit.
Preferably, the memory behavior analysis module comprises a memory read-write behavior unit, an obtaining unit and an extracting unit, wherein: the memory read-write behavior unit is used for defining a global variable and dynamically tracking the encrypted application's allocation and release of memory, adding allocated memory to the global variable and removing released memory from it; the obtaining unit is used, in the message decryption stage, for finding in the global variable the memory buffer written by an instruction and marking the buffer's state as tainted, and, in the message processing stage, for finding in the global variable the memory buffer read by an instruction and obtaining its address if the buffer's state is marked tainted; and the extracting unit is used for extracting the decrypted plaintext from the obtained memory address.
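The memory behavior analysis module as an added example (not the patent's code): a global table of live allocations, buffers marked on writes in the decryption stage, and extraction on reads in the processing stage, replayed over a constructed event log. The event format, addresses and buffer contents are constructed assumptions, and the stage label on each event is assumed to come from the instruction analysis module.

```python
class MemoryBehaviorAnalyzer:
    """Memory read-write behavior unit + obtaining unit + extracting unit.
    self.buffers is the 'global variable' of live allocations; the buffer
    contents are simulated here (a real tool reads them from the process)."""

    def __init__(self):
        self.buffers = {}      # base address -> {"size", "tainted", "data"}
        self.plaintexts = []   # (base address, bytes) produced by the extracting unit

    def on_alloc(self, base, size):
        """Allocation hook: add the buffer to the global variable."""
        self.buffers[base] = {"size": size, "tainted": False, "data": bytearray(size)}

    def on_free(self, base):
        """Release hook: remove the buffer from the global variable."""
        self.buffers.pop(base, None)

    def find(self, addr):
        """Locate the live buffer containing addr (None for stack or global memory)."""
        for base, rec in self.buffers.items():
            if base <= addr < base + rec["size"]:
                return base
        return None

    def on_write(self, stage, addr, data):
        """A recorded instruction wrote data at addr during the given stage.
        In the decryption stage the written buffer is marked tainted."""
        base = self.find(addr)
        if base is None:
            return
        rec = self.buffers[base]
        rec["data"][addr - base:addr - base + len(data)] = data
        if stage == "decrypt":
            rec["tainted"] = True

    def on_read(self, stage, addr):
        """A recorded instruction read addr during the given stage.  A read in the
        processing stage from a tainted buffer yields the plaintext address."""
        base = self.find(addr)
        if stage != "process" or base is None or not self.buffers[base]["tainted"]:
            return None
        rec = self.buffers[base]
        self.plaintexts.append((base, bytes(rec["data"]).rstrip(b"\0")))
        rec["tainted"] = False   # extract each decrypted buffer once
        return base


def replay(events):
    """Feed an event log (allocations/releases from the hooked allocator, reads and
    writes from the recorded instruction trace) and return the extracted plaintexts."""
    a = MemoryBehaviorAnalyzer()
    for ev in events:
        if ev[0] == "alloc":
            a.on_alloc(ev[1], ev[2])
        elif ev[0] == "free":
            a.on_free(ev[1])
        elif ev[0] == "write":
            a.on_write(ev[1], ev[2], ev[3])
        elif ev[0] == "read":
            a.on_read(ev[1], ev[2])
    return a.plaintexts


# Constructed event log (addresses and contents are illustrative only).
CONSTRUCTED_EVENTS = [
    ("alloc", 0x1000, 32),                                 # ciphertext buffer filled by recv()
    ("alloc", 0x2000, 32),                                 # output buffer of the decrypt routine
    ("alloc", 0x3000, 16),                                 # scratch buffer used only while processing
    ("write", "decrypt", 0x2000, b"GET /index.html\0"),    # plaintext written during decryption
    ("write", "decrypt", 0x7FFC0000, b"\x01"),             # stack write: not a tracked buffer
    ("read", "decrypt", 0x2000),                           # read inside decryption: too early
    ("write", "process", 0x3000, b"tmp"),                  # written only in the processing stage
    ("read", "process", 0x3000),                           # untainted buffer: not plaintext
    ("read", "process", 0x2004),                           # the parser reads the decrypted message
    ("free", 0x2000),
]
```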
Compared with the prior art, the technical scheme of the invention has the following beneficial effects: for client software using an encryption protocol, a system for extracting the plaintext of the encrypted application is provided, so that the plaintext content of the encryption protocol can be analyzed, the format of the encryption protocol can be reverse engineered, and security monitoring of the encrypted application is improved.
Drawings
FIG. 1 is a functional block diagram of an embodiment of the present invention;
FIG. 2 is a detailed functional block diagram of the dynamic taint analysis module of the present invention;
FIG. 3 is a detailed functional block diagram of the taint tracking unit for a memory source operand according to the present invention;
FIG. 4 is a detailed functional block diagram of the taint tracking unit for a memory destination operand according to the present invention;
FIG. 5 is a detailed functional block diagram of the taint tracking unit for a register source operand according to the present invention;
FIG. 6 is a detailed functional block diagram of the instruction analysis module of the present invention;
FIG. 7 is a detailed functional block diagram of the memory behavior analysis module of the present invention;
FIG. 8 is a schematic flow diagram of the dynamic taint analysis module of the present invention;
FIG. 9 is a schematic flow diagram of the memory behavior analysis module according to the present invention;
FIG. 10 is the line graph constructed by the instruction parsing unit in the real-world test of the present invention;
FIG. 11 is the scatter diagram constructed by the unit for distinguishing message decryption from message processing in the real-world test of the present invention.
Detailed Description
The drawings are for illustrative purposes only and are not to be construed as limiting the patent; for the purpose of better illustrating the embodiments, certain features of the drawings may be omitted, enlarged or reduced, and do not represent the size of an actual product; the same or similar reference numerals correspond to the same or similar parts; it will be understood by those skilled in the art that certain well-known structures in the drawings and descriptions thereof may be omitted.
The technical solution of the present invention is further described below with reference to the accompanying drawings and examples.
As shown in fig. 1, the present invention discloses a system for extracting plaintext from encrypted applications based on dynamic taint analysis, which comprises a taint data source positioning module 01, a dynamic taint analysis module 02, an instruction analysis module 03 and a memory behavior analysis module 04, wherein: the taint data source positioning module 01 is used for intercepting the system calls of the encrypted application, acquiring the memory address of the encrypted message in the system call and marking it as the taint data source; the dynamic taint analysis module 02 is used for tracking the data marked as tainted and obtaining, starting from the taint data source, the execution trace of the instructions that operate on tainted data; the instruction analysis module 03 is used for analyzing the obtained instruction execution trace and distinguishing the message decryption stage from the message processing stage; and the memory behavior analysis module 04 is configured to obtain, from the memory read-write behavior of the instructions that operate on the encrypted message, the memory address that tainted data is written to in the message decryption stage and read from in the message processing stage, and to extract the decrypted plaintext from that address.
In this embodiment, the invention uses dynamic taint analysis to find the memory in which the encrypted application stores the plaintext after decrypting the encrypted message, and extracts the decrypted plaintext from it. The invention thus extracts the plaintext of the encrypted application, which makes it convenient to analyze the plaintext content of the encryption protocol and to reverse engineer its format, and improves security monitoring of the encrypted application.
It should be noted that the taint data source positioning module 01 is configured to intercept the system calls of the encrypted application, obtain the start address and size of the memory into which the encrypted application reads the encrypted packet in the system call, and mark that memory as the taint data source. The specific execution flow is as follows: 1) intercept a system call; if it is a system call that reads data from a file descriptor or a network socket, proceed to the next step, otherwise return and intercept the next system call; 2) locate the taint data source: from the input parameters and the return value of the system call, obtain the start address and size of the memory in which the encrypted application stores the encrypted message it has just read, and mark that memory as the taint data source.
As shown in fig. 2-5 and 8, tracking the data marked as tainted further comprises taint tracking with a memory source operand, taint tracking with a memory destination operand, taint tracking with a register source operand, and taint tracking with a register destination operand, and the dynamic taint analysis module 02 comprises: a source-operand-is-memory judging unit 021, used for judging whether the source operand of the instruction contains the memory address of the encrypted message; a source-operand-is-memory taint tracking unit 022, configured to perform taint tracking for a memory source operand if the judging unit 021 judges yes; a destination-operand-is-memory judging unit 023, configured to judge whether the destination operand of the instruction contains the memory address of the encrypted message if the judging unit 021 judges no; a destination-operand-is-memory taint tracking unit 024, configured to perform taint tracking for a memory destination operand if the judging unit 023 judges yes; a source-operand-is-register judging unit 025, configured to judge whether the source operand of the instruction is a register if the judging unit 023 judges no; a source-operand-is-register taint tracking unit 026, configured to perform taint tracking for a register source operand if the judging unit 025 judges yes; a destination-operand-is-register judging unit 027, configured to judge whether the destination operand of the instruction is a register if the judging unit 025 judges no; and a destination-operand-is-register taint tracking unit 028, configured to perform taint tracking for a register destination operand if the judging unit 027 judges yes.
Further, when the source operand is memory, there are two cases, the destination operand being a register and there being no destination operand, and the taint tracking unit 022 for a memory source operand comprises: a first tracking-and-recording subunit 0221, configured to record the instruction if the memory is marked tainted and the register is marked tainted, to record the instruction if the memory is marked tainted and the register is marked untainted, and to record the instruction if the memory is marked tainted and there is no destination operand; and a first tracking-and-marking subunit 0222, configured to mark the register tainted if the memory is marked tainted and the register is marked untainted, and to mark the register untainted if the memory is marked untainted and the register is marked tainted.
Further, when the destination operand is memory, there are two cases, the source operand being a register and the source operand being an immediate, and the taint tracking unit 024 for a memory destination operand comprises: a second tracking-and-recording subunit 0241, configured to record the instruction if the register is marked tainted and the memory is marked tainted, and to record the instruction if the register is marked tainted and the memory is marked untainted; and a second tracking-and-marking subunit 0242, configured to mark the memory tainted if the register is marked tainted and the memory is marked untainted, to mark the memory untainted if the register is marked untainted and the memory is marked tainted, and to mark the memory untainted if the source operand is an immediate and the memory is marked tainted.
Further, when the source operand is a register, there are two cases, the destination operand being a register and there being no destination operand, and the taint tracking unit 026 for a register source operand comprises: a third tracking-and-recording subunit 0261, configured to record the instruction if the source register is marked tainted and the destination register is marked tainted, to record the instruction if the source register is marked tainted and the destination register is marked untainted, and to record the instruction if the source register is marked tainted and there is no destination operand; and a third tracking-and-marking subunit 0262, configured to mark the destination register tainted if the source register is marked tainted and the destination register is marked untainted, and to mark the destination register untainted if the source register is marked untainted and the destination register is marked tainted.
Further, when the destination operand is a register, there is the further case that the source operand is an immediate, and the taint tracking unit 028 for a register destination operand comprises: a fourth tracking-and-marking subunit, configured to mark the destination register untainted if the source operand is an immediate and the destination register is marked tainted.
In this embodiment, the execution trace of only those instructions that operate on tainted data is obtained by applying dynamic taint analysis in four cases: taint tracking with a memory source operand, taint tracking with a memory destination operand, taint tracking with a register source operand, and taint tracking with a register destination operand.
The specific implementation procedure is as follows (for convenience, 1 denotes tainted and 0 denotes untainted):
1) Taint tracking with the source operand being memory
When the source operand is memory, there are two cases: the destination operand is a register (e.g. mov rdx, qword ptr [rsp]) or there is no destination operand (e.g. cmp al, byte ptr [rbx + rdx*1]); the processing is as follows:
a) If the memory is 1 and the register is 1, the instruction is recorded.
b) If the memory is 1 and the register is 0, then the register is marked as 1 and the instruction is recorded.
c) If the memory is 1 and there are no destination operands, the instruction is recorded.
d) If the memory is 0 and the register is 1, then the register is marked as 0.
e) If the memory is 0 and the register is 0, no operation is required.
f) If the memory is 0, there are no destination operands and no operation is needed.
2) Taint tracking with the destination operand being memory
When the destination operand is memory, there are two cases: the source operand is a register (e.g. mov qword ptr [rsp], rdx) or an immediate (e.g. mov byte ptr [rsp], 0xfa); the processing is as follows:
a) If the register is 1 and the memory is 1, the instruction is recorded.
b) If the register is 1 and the memory is 0, then the memory is marked as 1 and the instruction is recorded.
c) If the register is 0 and the memory is 1, then the memory is marked as 0.
d) If the register is 0 and the memory is 0, no operation is required.
e) If the source operand is an immediate and the memory is 1, then the memory is marked as 0.
f) If the source operand is an immediate and the memory is 0, no operation is required.
3) Taint tracking with the source operand being a register
After steps 1) and 2), when the source operand is a register there are two cases: the destination operand is a register (e.g. mov rdx, rcx) or there is no destination operand (e.g. cmp al, 0x2); the processing is as follows:
a) Traverse all source registers; if a source register is 1 and the destination register is 1, the instruction is recorded.
b) Traverse all source registers; if a source register is 1 and the destination register is 0, the destination register is marked 1 and the instruction is recorded.
c) Traverse all source registers; if a source register is 1 and there is no destination operand, the instruction is recorded.
d) Traverse all source registers; if all source registers are 0 and the destination register is 1, the destination register is marked 0.
e) Traverse all source registers; if all source registers are 0 and the destination register is 0, no operation is needed.
f) Traverse all source registers; if all source registers are 0 and there is no destination operand, no operation is needed.
4) Taint tracking with the destination operand being a register
After steps 1), 2) and 3), there is one further case when the destination operand is a register: the source operand is an immediate (e.g. mov al, 0x2); the processing is as follows:
a) If the source operand is an immediate and the destination register is 1, the register is marked 0.
b) If the source operand is an immediate and the destination register is 0, no operation is required.
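The four cases above as an added worked example (not the patent's implementation): a small Python tracker that parses Intel-syntax instruction text, applies rules 1) to 4) to a constructed trace, and returns the recorded instructions. It generalizes slightly beyond the text: for read-modify-write instructions such as add or xor the destination also counts as a source, and sub-registers such as al are folded onto their 64-bit register; the mnemonic sets, addresses and trace are constructed assumptions.

```python
import re

# Assumption: mnemonics whose first operand is read as well as written, so the
# destination also counts as a source when computing taint.
READ_MODIFY_WRITE = {"add", "sub", "adc", "sbb", "and", "or", "xor",
                     "shl", "shr", "sal", "sar", "rol", "ror"}
# Assumption: mnemonics with no destination operand (every operand is a source).
NO_DESTINATION = {"cmp", "test"}
# Sub-register aliases folded onto the 64-bit register (taint per register, not per byte lane).
_ALIAS = {sub: full for full, subs in {
    "rax": ("eax", "ax", "al", "ah"), "rbx": ("ebx", "bx", "bl", "bh"),
    "rcx": ("ecx", "cx", "cl", "ch"), "rdx": ("edx", "dx", "dl", "dh"),
    "rsi": ("esi", "si", "sil"), "rdi": ("edi", "di", "dil"),
    "rbp": ("ebp", "bp", "bpl"), "rsp": ("esp", "sp", "spl")}.items() for sub in subs}


def parse(asm):
    """Split 'mov rdx, qword ptr [rsp]' into (mnemonic, [(kind, name), ...]).
    kind is 'mem' for a [...] operand, 'imm' for a numeric literal, else 'reg'."""
    mnemonic, _, rest = asm.strip().partition(" ")
    ops = []
    for text in (t.strip() for t in rest.split(",") if t.strip()):
        if "[" in text:
            ops.append(("mem", text))
        elif re.fullmatch(r"-?(0x[0-9a-fA-F]+|\d+)", text):
            ops.append(("imm", text))
        else:
            ops.append(("reg", _ALIAS.get(text.lower(), text.lower())))
    return mnemonic.lower(), ops


class TaintTracker:
    """Dynamic taint analysis module: propagates taint marks (1/0) and records
    the execution trace of the instructions that operate on tainted data."""

    def __init__(self):
        self.tainted_mem = set()   # byte addresses marked 1
        self.tainted_regs = set()  # 64-bit register names marked 1
        self.recorded = []         # instructions recorded by rules a)-c)

    def mark_source(self, base, size):
        """Taint data source positioning: mark the buffer filled by the read/recv call."""
        self.tainted_mem.update(range(base, base + size))

    def mem_tainted(self, addr, size):
        return any(a in self.tainted_mem for a in range(addr, addr + size))

    def step(self, asm, mem_addr=None, mem_size=8):
        """Apply cases 1)-4) to one executed instruction; mem_addr/mem_size are the
        resolved address and width of its memory operand for this execution."""
        mnemonic, ops = parse(asm)
        if mnemonic in NO_DESTINATION:
            dst, srcs = None, ops
        else:
            dst, srcs = ops[0], ops[1:]
            if mnemonic in READ_MODIFY_WRITE:
                srcs = srcs + [dst]
        # Source taint: case 1) memory, case 3) registers; an immediate (cases 2
        # and 4) never carries a mark.
        src_tainted = False
        for kind, name in srcs:
            if kind == "mem":
                src_tainted |= self.mem_tainted(mem_addr, mem_size)
            elif kind == "reg":
                src_tainted |= name in self.tainted_regs
        if src_tainted:
            # Rules a)-c): record the instruction and mark the destination 1.
            self.recorded.append(asm)
            self._set_dst(dst, mem_addr, mem_size, True)
        else:
            # Rule d) of cases 1)-3), rules c)/e) of case 2), rule a) of case 4):
            # an untainted source overwrites the destination, so its mark becomes 0.
            self._set_dst(dst, mem_addr, mem_size, False)

    def _set_dst(self, dst, mem_addr, mem_size, tainted):
        if dst is None:
            return
        kind, name = dst
        if kind == "reg":
            (self.tainted_regs.add if tainted else self.tainted_regs.discard)(name)
        elif tainted:
            self.tainted_mem.update(range(mem_addr, mem_addr + mem_size))
        else:
            self.tainted_mem.difference_update(range(mem_addr, mem_addr + mem_size))


def run_demo():
    """Constructed trace: a 16-byte encrypted message was received into 0x1000."""
    t = TaintTracker()
    t.mark_source(0x1000, 16)
    trace = [  # (instruction text, resolved memory address, operand width in bytes)
        ("mov rdx, qword ptr [rsp]", 0x7000, 8),        # clean stack slot: nothing happens
        ("mov rdx, qword ptr [rbx]", 0x1000, 8),        # loads ciphertext: rdx becomes 1
        ("xor rdx, rcx", None, 0),                      # read-modify-write keeps rdx at 1
        ("mov qword ptr [rsp], rdx", 0x7000, 8),        # spills taint to the stack slot
        ("cmp al, byte ptr [rbx + rdx*1]", 0x1005, 1),  # no destination: recorded only
        ("mov byte ptr [rsp], 0xfa", 0x7000, 1),        # immediate clears one byte
        ("mov rdx, rcx", None, 0),                      # clean register clears rdx
        ("mov al, 0x2", None, 0),                       # immediate clears rax
        ("mov ecx, dword ptr [rsp]", 0x7000, 4),        # bytes 0x7001-0x7003 are still 1
    ]
    for asm, addr, size in trace:
        t.step(asm, addr, size)
    return t
```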
As shown in fig. 6 and fig. 9, the instruction analysis module 03 further includes an instruction parsing unit 031 and a message decryption and message processing distinguishing unit 032. The instruction parsing unit 031 is configured to determine the approximate location of the instructions for message decryption and message processing; the message decryption and message processing distinguishing unit 032 is configured to pinpoint those instructions with a sliding window technique, using the result determined by the instruction parsing unit 031.
In this embodiment, the instruction analysis module 03 analyzes the instruction execution track and distinguishes the "message decryption" stage from the "message processing" stage using the percentage of arithmetic operation class and logical operation class instructions together with a time window technique. The specific execution flow is as follows:
(1) Calculate the percentage of arithmetic operation class and logical operation class instructions among the instructions executed so far. For example, at the nth instruction, calculate the percentage of arithmetic and logical operation class instructions among the first n instructions. Plotting the number of instructions on the x axis and this percentage on the y axis gives a line graph. In this line graph, the turning point between the "message decryption" and "message processing" stages necessarily lies between the highest point and the lowest point.
(2) For the instructions between the highest point and the lowest point, calculate the percentage of arithmetic and logical operation class instructions inside a sliding window. The sliding window technique is as follows: a window holding a fixed number of instructions is maintained and, starting from the first instruction, the percentage of arithmetic and logical operation class instructions among the instructions in the window is calculated each time the window advances by one instruction. Taking the number of instructions as the X axis and the percentage within the window as the Y axis gives a scatter diagram. Experimental tests show that in this scatter diagram, when the percentage drops below a certain threshold, more than half of the instructions in the previous sliding window belong to the function called by the encryption application at the turning point between the message decryption stage and the message processing stage. Through multiple experiments, a sliding window of 30 instructions and a threshold of 50% were found to give the best results.
(3) Live test: fig. 10 is the line graph produced by the instruction parsing unit while monitoring an encryption application processing an HTTPS encrypted message according to the present invention; the turning point between message decryption and message processing lies between the gcm_ghash_avx function and the ngx_http_process_request function. First, it is determined from the line graph constructed by the instruction parsing unit 031 that the approximate position of the instructions for message decryption and message processing is between a gcm. Then, in combination with that result, the instructions are pinpointed in the scatter diagram constructed by the message decryption and message processing distinguishing unit 032.
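Steps (1) to (3) above, implemented as an added example for this page (not the patent's own code): a cumulative percentage series for the line graph, a sliding-window percentage for the scatter diagram, and a locator that searches the segment between the highest and lowest points with the stated 30-instruction window and 50% threshold. Assumptions of the example: the set of mnemonics counted as arithmetic/logical is an x86 selection chosen here (the patent does not enumerate the classes); the lowest point is searched after the highest one, since the cumulative share peaks at the end of decryption and then decays; the execution track is a constructed mnemonic sequence, not a real capture.

```python
from typing import List, Optional, Tuple

# Mnemonics treated as "arithmetic operation class" and "logical operation class"
# instructions. This set is an assumption of the example.
ARITH_LOGIC = {
    "add", "sub", "adc", "sbb", "inc", "dec", "neg", "mul", "imul", "div", "idiv",
    "and", "or", "xor", "not", "shl", "shr", "sal", "sar", "rol", "ror",
}


def is_arith_logic(mnemonic: str) -> bool:
    return mnemonic.lower() in ARITH_LOGIC


def cumulative_percent(trace: List[str]) -> List[float]:
    """Line graph of step (1): point n is the percentage of arithmetic/logical
    instructions among the first n instructions of the execution track."""
    percents, hits = [], 0
    for n, mnemonic in enumerate(trace, start=1):
        hits += is_arith_logic(mnemonic)
        percents.append(100.0 * hits / n)
    return percents


def window_percent(trace: List[str], end: int, window: int) -> float:
    """Scatter point of step (2): percentage inside the window of `window`
    instructions that ends at index `end` (inclusive)."""
    chunk = trace[end - window + 1 : end + 1]
    return 100.0 * sum(map(is_arith_logic, chunk)) / window


def locate_turning_window(trace: List[str], window: int = 30,
                          threshold: float = 50.0) -> Optional[Tuple[int, int]]:
    """Returns (first, last) index of the sliding window that precedes the first
    window whose percentage drops below `threshold`, i.e. the window holding the
    decryption/processing turning point, or None if no window drops below it."""
    cum = cumulative_percent(trace)
    hi = cum.index(max(cum))
    # Assumption: the lowest point is looked for after the highest point.
    lo = hi + cum[hi:].index(min(cum[hi:]))
    for end in range(hi + window - 1, lo + 1):
        if window_percent(trace, end, window) < threshold:
            return max(0, end - window), end - 1
    return None


def constructed_trace() -> List[str]:
    """Constructed execution track (not a real capture): a short prologue, a
    decryption-like stretch dominated by arithmetic/logical instructions, then a
    processing-like stretch dominated by moves, compares, calls and branches.
    The true turning point is index 70, the first processing instruction."""
    prologue = ["push", "mov", "mov", "call", "mov", "mov", "lea", "mov", "cmp", "jne"]
    decrypt = ["xor", "add", "mov", "shl", "and"] * 12                                  # 80 % arithmetic/logical
    process = ["mov", "cmp", "jne", "call", "mov", "test", "mov", "lea", "add", "mov"] * 6  # 10 % arithmetic/logical
    return prologue + decrypt + process


if __name__ == "__main__":
    trace = constructed_trace()
    print("turning window:", locate_turning_window(trace))
```

On the constructed track the locator returns a 30-instruction window that contains index 70, the boundary between the two stretches; on a real track the same window would be handed to the memory behavior analysis module to delimit the "message decryption" and "message processing" stages.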
Further, the memory behavior analysis module 04 includes a memory read-write behavior unit 041, an obtaining unit 042 and an extracting unit 043, where: the memory read-write behavior unit 041 is configured to define a global variable and dynamically track the encryption application's allocation and release of memory, adding allocated memory to the global variable and removing released memory from it; the obtaining unit 042 is configured, in the message decryption stage, to find the memory buffer in the global variable and mark its state as contaminated whenever an instruction writes to memory and, in the message processing stage, to find the memory buffer in the global variable whenever an instruction reads memory and to obtain the memory address if the buffer's state is marked contaminated; and the extracting unit 043 is configured to extract the decrypted plaintext information from the obtained memory address.
In this embodiment, the memory behavior analysis module 04 analyzes the memory read-write behavior information and finds the memory that is written in the "message decryption" stage and read in the "message processing" stage, from which the decrypted plaintext information is extracted. The specific execution flow is as follows:
1) tracking memory allocation and release
Define a global variable memoryList and dynamically track the encryption application's allocation and release of memory: allocated memory is added to memoryList and released memory is removed from it.
2) Analysis of the "message decryption" stage
If an instruction writes to memory, the memory buffer is found in memoryList and its state is marked as 1 (contaminated). When the encryption application decrypts the encrypted message, the decrypted plaintext must be stored in a memory buffer.
3) Analysis of the "message processing" stage
If an instruction writes to memory, the memory buffer is found in memoryList and its state is marked as 0 (uncontaminated). Because in the "message processing" stage the encryption application must read the plaintext obtained in the preceding message decryption stage from memory and process it, a memory location that is written with data in this stage cannot be the location where the decrypted plaintext is stored.
If an instruction reads memory, the memory buffer is found in memoryList, and if its state is 1 (contaminated), the buffer is output. Among the memory read in the "message processing" stage, only the first buffer read needs to be considered, because that buffer is the location storing the decrypted plaintext.
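Steps 1) to 3) of the memory behavior analysis, as an added example written for this page (not the patent's or the inventors' code). It assumes allocation, release, read and write events are delivered by hooks, keeps memoryList as a dictionary keyed by base address, stores simulated buffer contents so that the extracting step has something to return, and drives the analyzer with a constructed event sequence in which one heap buffer receives the plaintext during decryption while a scratch buffer is rewritten during processing:

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Buffer:
    base: int
    size: int
    dirty: bool = False                                  # 1: last written in the "message decryption" stage
    data: bytearray = field(default_factory=bytearray)   # simulated contents (assumption of the example)


class MemoryBehaviorAnalyzer:
    """Tracks heap buffers (the patent's global memoryList) and locates the one
    written during decryption and first read during processing."""
    DECRYPT = "message decryption"
    PROCESS = "message processing"

    def __init__(self) -> None:
        self.memory_list: Dict[int, Buffer] = {}   # base address -> Buffer
        self.stage = self.DECRYPT
        self.plaintext_base: Optional[int] = None

    # 1) allocation / release tracking
    def on_alloc(self, base: int, size: int) -> None:
        self.memory_list[base] = Buffer(base, size, data=bytearray(size))

    def on_free(self, base: int) -> None:
        self.memory_list.pop(base, None)

    def _find(self, addr: int) -> Optional[Buffer]:
        for buf in self.memory_list.values():
            if buf.base <= addr < buf.base + buf.size:
                return buf
        return None   # stack or static memory: not in memoryList, so not tracked

    # 2)/3) a write marks the buffer 1 in the decryption stage and 0 in the processing stage
    def on_write(self, addr: int, payload: bytes) -> None:
        buf = self._find(addr)
        if buf is None:
            return
        off = addr - buf.base
        payload = payload[: buf.size - off]              # never grow the buffer past its size
        buf.data[off : off + len(payload)] = payload
        buf.dirty = self.stage == self.DECRYPT

    # 3) the first contaminated buffer read in the processing stage holds the plaintext
    def on_read(self, addr: int) -> Optional[int]:
        if self.stage != self.PROCESS or self.plaintext_base is not None:
            return None
        buf = self._find(addr)
        if buf is not None and buf.dirty:
            self.plaintext_base = buf.base
            return buf.base
        return None

    def extract(self) -> Optional[bytes]:
        """Extracting unit: contents of the located buffer, trailing unused bytes stripped."""
        if self.plaintext_base is None or self.plaintext_base not in self.memory_list:
            return None
        return bytes(self.memory_list[self.plaintext_base].data).rstrip(b"\x00")


def run_demo() -> dict:
    """Constructed event sequence (not a real capture) for one decrypted request."""
    a = MemoryBehaviorAnalyzer()
    a.on_alloc(0x7000, 64)     # output buffer handed to the record decryptor
    a.on_alloc(0x8000, 16)     # scratch buffer, e.g. for an authentication tag
    a.on_alloc(0x9000, 32)     # allocated but never touched
    # "message decryption" stage: both buffers are written and become 1
    a.on_write(0x7000, b"GET / HTTP/1.1\r\n")
    a.on_write(0x8000, b"\x11" * 16)
    # "message processing" stage
    a.stage = a.PROCESS
    a.on_write(0x8000, b"\x00" * 16)          # rewritten here: cannot hold the plaintext, becomes 0
    scratch_read = a.on_read(0x8000)          # state 0: ignored
    plaintext_base = a.on_read(0x7004)        # first read of a buffer in state 1: the plaintext location
    a.on_free(0x8000)
    return {"scratch_read": scratch_read, "plaintext_base": plaintext_base, "plaintext": a.extract()}


if __name__ == "__main__":
    print(run_demo())
```

The read hook returns the buffer base rather than the accessed address because the buffer, not the individual byte, is the unit memoryList tracks; the write in the processing stage is what rules out the scratch buffer even though it was also written during decryption.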
It should be understood that the above-described embodiments of the present invention are merely examples for clearly illustrating the present invention and are not intended to limit the embodiments of the present invention. Other variations and modifications will be apparent to persons skilled in the art in light of the above description; it is neither necessary nor possible to list all embodiments here. Any modification, equivalent replacement or improvement made within the spirit and principle of the present invention should be included in the protection scope of the claims of the present invention.

Claims (8)

1. A system for plaintext extraction from an encryption application based on dynamic taint analysis, characterized in that it comprises a taint data source positioning module, a dynamic taint analysis module, an instruction analysis module and a memory behavior analysis module, wherein:
the taint data source positioning module is used for intercepting system calls of the encryption application, acquiring the memory address of the encrypted message in the system call and marking it as the taint data source;
the dynamic taint analysis module is used for tracking the data source carrying the taint mark and acquiring in reverse, starting from the taint data source, the instruction execution track of the instructions operating on the taint mark;
the instruction analysis module is used for analyzing the acquired instruction execution track operating on the taint data and distinguishing the message decryption stage from the message processing stage of the taint data;
and the memory behavior analysis module is used for acquiring, according to the memory read-write behavior information of the encrypted message in the encryption call instructions, the memory address of the taint data that is written in the message decryption stage and read in the message processing stage, and extracting the decrypted plaintext information from that memory address.
2. The system for plaintext extraction from an encryption application based on dynamic taint analysis as claimed in claim 1, wherein the tracking of the data source carrying the taint mark comprises taint tracking with the source operand being memory, taint tracking with the destination operand being memory, taint tracking with the source operand being a register and taint tracking with the destination operand being a register, the dynamic taint analysis module comprising:
a source-operand-is-memory judging unit, used for judging whether the source operand in the encryption call instruction contains the memory address of the encrypted message;
a source-operand-is-memory taint tracking unit, used for performing taint tracking with the source operand being memory if the source-operand-is-memory judging unit judges yes;
a destination-operand-is-memory judging unit, used for judging whether the destination operand in the encryption call instruction contains the memory address of the encrypted message if the source-operand-is-memory judging unit judges no;
a destination-operand-is-memory taint tracking unit, used for performing taint tracking with the destination operand being memory if the destination-operand-is-memory judging unit judges yes;
a source-operand-is-register judging unit, used for judging whether the source operand in the encryption call instruction is a register if the destination-operand-is-memory judging unit judges no;
a source-operand-is-register taint tracking unit, used for performing taint tracking with the source operand being a register if the source-operand-is-register judging unit judges yes;
a destination-operand-is-register judging unit, used for judging whether the destination operand in the encryption call instruction is a register if the source-operand-is-register judging unit judges no;
and a destination-operand-is-register taint tracking unit, used for performing taint tracking with the destination operand being a register if the destination-operand-is-register judging unit judges yes.
3. The system for plaintext extraction from an encryption application based on dynamic taint analysis as claimed in claim 2, wherein the case of the source operand being memory comprises the destination operand being a register and the destination operand being absent, and the source-operand-is-memory taint tracking unit comprises:
a first tracking and recording subunit, used for tracking and recording the encryption call instruction if the memory is marked contaminated and the register is marked contaminated; for tracking and recording the encryption call instruction if the memory is marked contaminated and the register is marked uncontaminated; and for tracking and recording the encryption call instruction if the memory is marked contaminated and the destination operand is absent;
a first tracking and marking subunit, used for marking the register as contaminated if the memory is marked contaminated and the register is marked uncontaminated, and for marking the register as uncontaminated if the memory is marked uncontaminated and the register is marked contaminated.
4. The system for plaintext extraction from an encryption application based on dynamic taint analysis as claimed in claim 2, wherein the case of the destination operand being memory comprises the source operand being a register and the source operand being an immediate, and the destination-operand-is-memory taint tracking unit comprises:
a second tracking and recording subunit, used for tracking and recording the encryption call instruction if the register is marked contaminated and the memory is marked contaminated, and for tracking and recording the encryption call instruction if the register is marked contaminated and the memory is marked uncontaminated;
a second tracking and marking subunit, used for marking the memory as contaminated if the register is marked contaminated and the memory is marked uncontaminated; for marking the memory as uncontaminated if the register is marked uncontaminated and the memory is marked contaminated; and for marking the memory as uncontaminated if the source operand is an immediate and the memory is marked contaminated.
5. The system for plaintext extraction from an encryption application based on dynamic taint analysis as claimed in claim 2, wherein the case of the source operand being a register comprises the destination operand being a register and the destination operand being absent, and the source-operand-is-register taint tracking unit comprises:
a third tracking and recording subunit, used for tracking and recording the encryption call instruction if the source register is marked contaminated and the destination register is marked contaminated; for tracking and recording the encryption call instruction if the source register is marked contaminated and the destination register is marked uncontaminated; and for tracking and recording the encryption call instruction if the source register is marked contaminated and the destination operand is absent;
a third tracking and marking subunit, used for marking the destination register as contaminated if the source register is marked contaminated and the destination register is marked uncontaminated, and for marking the destination register as uncontaminated if the source register is marked uncontaminated and the destination register is marked contaminated.
6. The system for plaintext extraction from an encryption application based on dynamic taint analysis as claimed in claim 2, wherein when the destination operand is a register there is the case of the source operand being an immediate, and the destination-operand-is-register taint tracking unit comprises:
a fourth tracking and marking subunit, used for marking the destination register as contaminated if the source operand is an immediate and the destination register is marked contaminated.
7. The system for plaintext extraction from an encryption application based on dynamic taint analysis as claimed in claim 1, wherein the instruction analysis module comprises an instruction parsing unit and a message decryption and message processing distinguishing unit, wherein:
the instruction parsing unit is used for determining the approximate position of the instructions for message decryption and message processing;
and the message decryption and message processing distinguishing unit is used for specifically determining the instructions for message decryption and message processing by a sliding window technique, in combination with the result determined by the instruction parsing unit.
8. The system for plaintext extraction from an encryption application based on dynamic taint analysis as claimed in claim 1, wherein the memory behavior analysis module comprises a memory read-write behavior unit, an obtaining unit and an extracting unit, wherein:
the memory read-write behavior unit is used for defining a global variable and dynamically tracking the encryption application's allocation and release of memory, allocated memory being added to the global variable and released memory being removed from it;
the obtaining unit is used, in the message decryption stage, for finding the memory buffer in the global variable and marking its state as contaminated if an instruction writes to memory and, in the message processing stage, for finding the memory buffer in the global variable if an instruction reads memory and obtaining the memory address if the state of the memory buffer is marked contaminated;
and the extracting unit is used for extracting the decrypted plaintext information from the acquired memory address.
CN201710237625.3A 2017-04-12 2017-04-12 System for extracting plaintext applied to encryption based on dynamic taint analysis Active CN107180188B (en)
Publications (2)

Publication Number Publication Date
CN107180188A CN107180188A (en) 2017-09-19
CN107180188B true CN107180188B (en) 2020-06-09
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant