CN108259493A - A security protocol message construction method - Google Patents

A security protocol message construction method

Publication number
CN108259493A
Authority
CN (China)
Legal status
Granted
Application number
CN201810040484.0A
Other languages
Chinese (zh)
Other versions
CN108259493B (en)
Inventor
孟博
鲁金钿
王德军
朱容波
Current Assignee
South Central Minzu University
Original Assignee
South Central University for Nationalities
Application filed by South Central University for Nationalities
Priority to CN201810040484.0A
Publication of CN108259493A
Application granted
Publication of CN108259493B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00: Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/06: Notations for structuring of protocol data, e.g. abstract syntax notation one [ASN.1]
    • H04L69/22: Parsing or analysis of headers
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/16: Implementing security features at a particular protocol layer
    • H04L63/168: Implementing security features at a particular protocol layer above the transport layer

Abstract

The invention discloses an efficient security protocol message construction method. First, it proposes an algorithm for parsing the function traces of the security-related functions in a security protocol implementation, where the traces are obtained with the function hook technique; this completes the parsing of the function traces. Then it proposes a construction model for protocol messages and, based on that model, a security protocol message construction method. Message construction comprises locating the protocol message cells that need to be replaced, reconstructing the output of the hooked security functions, and replacing the cells that need to be replaced in the original protocol message. Research on the security of security protocol implementations under the assumption that the security protocol client implementation can be obtained matches current application practice; because this method constructs security protocol messages under that assumption, it also matches current research practice. Because the invention constructs security protocol messages at the code level, the technical solution is feasible and has high accuracy and efficiency.

Description

A security protocol message construction method
Technical field
The invention belongs to the field of information security technology and relates to a security protocol message construction method, in particular to an efficient security protocol message construction method.
Background art
As an important component of cyberspace security, security protocols are the key to, and the soul of, ensuring cyberspace security. Analyzing and verifying the security of the security protocols that run in computer networks, communication networks and distributed systems, and finding their logic errors and security vulnerabilities, is therefore essential to ensuring cyberspace security.
Across the stages from security protocol design, through security analysis and verification of the protocol's abstract specification, to security protocol implementation (the protocol code), work has concentrated mainly on the security analysis and verification of abstract specifications, which has limited practical value. In recent years, interest has grown in the final form a security protocol takes: its implementation. Any security protocol must be implemented before it can do its job, so analyzing the security of implementations is of great significance to ensuring cyberspace security. An implementation is more complex than its abstract specification, and because programmers' skill levels vary, there is no guarantee that logic errors or coding errors are not introduced during implementation, which may make the implementation inconsistent with its abstract specification. In addition, practice has repeatedly shown that even a security protocol proved secure by formal methods may pick up new security problems through human error during implementation and so become insecure. Security analysis at the level of the abstract model alone is therefore far from enough; the security of security protocol implementations must be studied in order to obtain implementations that are secure in practice. This is a basic premise of ensuring information and cyberspace security, and an important component of cyberspace security. At present, security protocol implementations are mainly understood and extracted manually. Understanding an implementation through program analysis requires an accurate grasp of the code's semantic features and meaning, and the limitations of prior patterns have led to
errors in understanding security protocol implementations. In addition, some proprietary protocols use custom functions, such as custom encryption/decryption functions, while guaranteeing their own specification. The prior patterns established for these functions are incomplete, which makes it considerably harder to understand the semantic features of the implementation and to standardize it, and in turn poses a great challenge to analyzing the security of the implementation.
A security protocol implementation consists of two parts: the security protocol client implementation and the security protocol server implementation. Current research rests on one of the following three assumptions: 1. neither the client implementation nor the server implementation of the security protocol can be obtained; 2. both the client implementation and the server implementation can be obtained; 3. the client implementation can be obtained. In current real-world network security applications, researchers can hardly ever obtain the server implementation. Analyzing implementation security under the assumption that the server implementation can be obtained, or that both the client and the server implementations can be obtained, therefore has little application value or significance.
Under these three assumptions, analysis of security protocol implementation security currently relies mainly on program analysis (code analysis), network traces (net-trace), instruction analysis, software testing and model extraction. The related work has the following main problems:
1) the security protocol implementation is understood incompletely and inaccurately, which makes the analysis results inaccurate;
2) some of the specifications abstracted from security protocol implementations have low accuracy.
Summary of the invention
In order to solve the above technical problems, the present invention provides an efficient security protocol message construction method.
The technical solution adopted by the invention is an efficient security protocol message construction method, characterized in that a message construction model is established first, and protocol message construction is then carried out based on function traces.
To establish the message construction model, first let fun() be a JavaScript function monitored by the function hook method, arg the parameter of fun(), $arg_m$ the modified parameter, $S_g$ the output value obtained when fun() is re-executed with the modified parameter, $T_n$ a message cell in the protocol message, M the original protocol message, and $M_g$ the protocol message obtained after construction. The workflow of the model then comprises the following sub-steps:
Step A1: replace the parameter arg in fun(arg) with $arg_m$ to obtain the function with the modified parameter, fun($arg_m$);
Step A2: re-execute fun($arg_m$) to obtain the new function output $S_g$; $S_g$ is used to replace the message cell block $T_n$ at the corresponding position among the message cells;
Step A3: locate in message M the message cell $T_n$ (n=1,2,3..., n) that needs to be replaced, then obtain the new message $M_g$; $M_g$ is the constructed message.
Protocol message construction based on function traces comprises the following sub-steps:
Step B1: parse the function traces obtained with the function hook method to obtain a stack structure of the function name $fun_{name}$ and the function parameter arg;
Step B2: modify the corresponding function parameter to obtain a new function output: fetch the function parameter arg and the function name $fun_{name}$ from the stack structure, modify arg to obtain $arg_m$, then re-execute the function corresponding to $fun_{name}$ to obtain the new function output $S_g$;
Step B3: in the intercepted client protocol message M, locate the message cell $T_n$ that needs to be replaced, delete $T_n$ from M, and embed the $S_g$ value obtained in step B2 at the former position of $T_n$ to obtain the new message $M_g$, which is the constructed message.
The invention first parses the intercepted security protocol message into cells. It proposes a security protocol message parsing algorithm suited to practical use, which parses the message selectively: parts of the protocol message that do not need to be parsed down to minimal cells are not parsed that far, which makes the algorithm more efficient. Next, the original output of the security function is aligned with the parsed function trace in order to locate the protocol message cell that needs to be replaced; in this process the function output is compared with the cell blocks over the complete sequence, which is highly accurate. Then, starting from the security protocol implementation, the function hook technique is used to accurately monitor and track the security-related functions of the implementation and to reconstruct their output; because the approach starts from the implementation and accurately monitors information such as the parameters and outputs of the security-related functions, the results are accurate. Finally, the located cell that needs to be replaced is replaced with the reconstructed output of the security function, which yields the constructed security protocol message; this message is sent to the security protocol server.
Throughout the invention, the security protocol implementation is analyzed and processed at the code level, the protocol message is parsed into its minimal units (cells), and cells are located precisely. The minimal units relevant to the security protocol are collected, analyzed and processed, which gives high efficiency and accuracy.
Brief description of the drawings
Fig. 1 is the message construction model of the embodiment of the present invention;
Fig. 2 is the function trace parsing algorithm of the embodiment of the present invention;
Fig. 3 is a schematic diagram of the block division of a protocol message in the embodiment of the present invention, taking HTTP 1.1 as an example;
Fig. 4 is a schematic diagram of locating the message block to be replaced when the security function output of the embodiment directly forms a protocol message block;
Fig. 5 is a schematic diagram of protocol message construction when the security function output of the embodiment directly forms a protocol message block;
Fig. 6 is a schematic diagram of locating the message block to be replaced when the hooked function's output in the embodiment forms a protocol message block after being processed by other functions;
Fig. 7 is a schematic diagram of protocol message construction when the hooked function's output in the embodiment forms a protocol message cell after being transformed by other functions.
Detailed description of the embodiments
To help those of ordinary skill in the art understand and implement the invention, it is described in further detail below with reference to the drawings and embodiments. The embodiments described here only illustrate and explain the invention and are not intended to limit it.
In order to analyze the implementation security of security protocols deployed in network application systems based on the B/S model (the deployed protocol code), a method based on message construction is proposed for analyzing security protocol implementation security. Here, message construction means automatically generating legitimate security protocol client messages, which are sent to the security protocol server. The server's response messages are then analyzed, and the implementation security of the security protocol is analyzed from them.
To construct protocol messages, a message construction model is established, as shown in Fig. 1.
In Fig. 1, fun is the JavaScript function monitored by the function hook technique, arg is the parameter of that function, $arg_m$ is the modified parameter (modified argument), $S_g$ (generated statement) is the output value (return value) obtained when fun is re-executed with the modified parameter, $T_n$ is a message cell in the protocol message, M is the original protocol message, and $M_g$ is the protocol message obtained after construction.
The flow of the whole model is as follows:
(1) first, replace the parameter arg in fun(arg) with $arg_m$ to obtain the function with the modified parameter, fun($arg_m$);
(2) then, re-execute fun($arg_m$) to obtain the new function output $S_g$; $S_g$ is used to replace the message cell block $T_n$ at the corresponding position among the message cells;
(3) finally, locate in message M the message cell $T_n$ (n=1,2,3..., n) that needs to be replaced, then obtain the new message $M_g$; $M_g$ is the constructed message, and it is sent to the security protocol server.
Based on this model, the embodiment proposes a protocol message construction method based on function traces. The method mainly addresses how the message construction part (Message Generated) generates the constructed message; the constructed protocol message is then sent to the server. The main steps of the method are as follows:
(1) first, parse the function traces obtained with the function hook technique to obtain a stack structure of the function name $fun_{name}$ and the function parameter arg;
(2) then, modify the corresponding function parameter to obtain a new function output: fetch the function parameter arg and the function name $fun_{name}$ from the stack structure, modify arg to obtain $arg_m$, then re-execute the function corresponding to $fun_{name}$ to obtain the new function output ($S_g$ in Fig. 1);
(3) finally, in the intercepted client protocol message M, locate the message cell $T_n$ that needs to be replaced, delete $T_n$ from M, and embed the $S_g$ value obtained in (2) at the former position of $T_n$ to obtain the new message $M_g$, which is the constructed message.
The embodiment is mainly concerned with efficient protocol message construction. The function traces obtained with the function hook technique are raw trace data, not a data structure convenient for the invention, so they must be normalized and parsed to give a data structure better suited to protocol message construction. As Fig. 1 shows, the construction method also involves replacing message cells. Before a cell is replaced, the position of the cell that needs to be replaced must first be located; the message cell at that position is then discarded, and the new function output obtained by modifying the function parameter ($S_g$ in Fig. 1) is embedded at the position of the deleted cell (the position of message cell $T_2$ in Fig. 1). This yields the new message, $M_g$ in Fig. 1. The protocol message construction method therefore divides into two parts: function trace parsing and message construction.
I. Function trace parsing
Function trace parsing is an important prerequisite of protocol message construction. The message construction part needs the new output of the hooked function; generating the new output depends on modifying the hooked function's parameters; and modifying those parameters first requires parsing the hooked function's trace to obtain its function name and parameters, from which the modified parameter $arg_m$ is derived. In the message construction part, the new function parameter $arg_m$ replaces the hooked function's original parameter arg, and message construction is completed on that basis. The security function trace parsing algorithm proposed for this purpose is shown in Fig. 2.
First, the execution traces of the security functions obtained with the function hook technique are stored in a log file. The log file is then traversed to its end (line 1 of the algorithm in Fig. 2), and each function trace that is read is expressed, in the form of function name, function input and function output, as a security function trace $API_i$ (lines 2-3 of the algorithm in Fig. 2). Then, if the resulting function trace ($API_i$ in the algorithm) is not empty, it is pushed onto the stack structure that has been set up (line 6 of the algorithm in Fig. 2), until every function trace with a non-empty return value has been pushed onto the stack. This completes the function trace parsing part; the parsing result is kept in the form of a stack structure.
II. Protocol message construction
1. Obtaining a protocol message
Specific input data is entered into the security protocol client, and the client generates a complete protocol message. While the message is in transit, it is intercepted with a man-in-the-middle proxy (Proxy). This yields a complete protocol message.
2. Parsing and dividing the protocol message into message cells
In a protocol message, the part containing the most protocol message characters is called a protocol message section, denoted as set P, and the smallest unit within a message block is called a protocol message cell, denoted as set T. A part of a protocol message section that is made up of one or more protocol message cells, and that contains fewer protocol message characters or protocol message cells than the section, is called a protocol message block, denoted as set B, with T ∈ B ∈ P.
Once the protocol message has been obtained, it must be parsed and divided into cells so that the message cell blocks $T_n$ (n=1,2 ..., n) that need to be replaced can be located efficiently and accurately. The key problem in parsing and dividing a protocol message is cell parsing: identifying the end marks, delimiters and connectors in the message in order to obtain its concrete cell blocks.
In a protocol message, the end mark is "\r" or "\r\n"; it indicates that a protocol message has ended, or splits the protocol message into lines. Delimiters distinguish the different fields or message sections of different protocol messages; a common delimiter is "/". In general, the message fields or message sections between the start of the protocol message and the first delimiter form one protocol message section P, and those between the first and second protocol message delimiters form the second protocol message section; a message section P in turn contains smaller protocol message parts. The division of a protocol message into message sections can thus be completed according to the delimiters.
A message section P obtained by identifying the delimiters in the protocol message contains protocol message blocks B, which are usually joined together by common protocol message connectors. In general, the part between a delimiter and its adjacent connector is a protocol message block, and the part between two connectors is also a protocol message block. Joined by connectors, such blocks make up larger protocol message blocks. Common connectors include "?", "&" and "=".
Protocol message blocks usually also contain the smallest constituent units of the whole protocol message, which this embodiment calls protocol message units (cells). A cell contains no protocol message symbols; it is a fixed string of characters that cannot be parsed any further within the protocol message.
In the application scenario of this embodiment, it is very difficult to parse protocol messages directly from the semantics of message delimiters and connectors. Scanning the security protocol client implementation reveals which delimiters and connectors the protocol message uses, but not the type of each symbol; that is, the semantic features of a symbol cannot be determined by scanning the protocol implementation.
This embodiment therefore parses protocol messages into cells according to the number of times each protocol message symbol occurs in the protocol message. First, the security protocol client implementation is scanned, the special symbols it contains are identified, and the occurrences of each symbol are counted. Then the symbols are sorted in descending order of how often they occur in the protocol message, and the message is split in turn around the most frequent protocol symbols, which yields the protocol message sections P. Next, within each protocol message section, the frequently occurring message symbols are identified again, which yields the protocol message blocks B. Finally, the relatively frequent protocol message symbols in B are identified and the message blocks parsed further, until every message block is a protocol message cell. This completes the cell parsing of the protocol message.
To parse protocol messages efficiently according to actual needs, some message blocks need not be parsed down to the minimal cells of the protocol message during cell parsing, which greatly improves the efficiency of the parsing method. For example, in the HTTP Get protocol message of Fig. 3, the IP address "127.0.0.1" does not need to be parsed into "127", "0", "0" and "1". In real protocol messages, an IP address is a single unit. Parsing it at cell level would lower the efficiency of parsing and division, and could also cause protocol message cells to be located wrongly, so that the reconstructed function output cannot correctly replace the protocol message cell that needs replacing. Suppose, for example, that the goal of cell location is to replace the value "127" of pw in the protocol message. If the final output of the security-related function forms a cell block in the protocol message and its value is "127", that output also matches the 127 in the IP address, so the cell holding the 127 of the IP address would be marked as well, and the "127" field of the IP address might be replaced during cell replacement. The result would be that the security protocol client or the intermediate proxy fails to establish a connection with the server, or that the message construction method proposed in this embodiment fails to construct the message. To avoid such errors, in practice this embodiment does not parse or divide certain specific combinations of message cells in the protocol message. Taking HTTP 1.1 as an example, the block parsing of a protocol message is shown in Fig. 3:
(1) identify the end mark "\r" or "\r\n" in the whole Get protocol message ("\r" indicates the end of the protocol message, while "\r\n" indicates that one part of the protocol message has ended and the rest of the message starts on a new line); this yields a complete message section P of the protocol message;
(2) parse P into cells: identifying the space character yields the parsed protocol message cell $T_1$ and the message block $B_2$ that remains to be parsed, where $T_1$ is the Get method and $B_2$ is the part that needs further parsing;
(3) parse $B_2$ into cells: identifying the delimiter "/" yields protocol message cell $T_2$ and the pending message block $B_3$, where $T_2$ is the IP address and is not parsed further here;
(4) parse $B_3$ into cells: identifying the connector "?" yields message cell $T_3$ and the pending message block $B_4$. Here $T_3$ is login.jsp, a specific entry address, and is not parsed more finely; that is, the protocol message symbol "." is not identified, and login.jsp is not parsed into "login" and "jsp". In this step, because "?" and "&" are both connectors, the two can be identified at the same time. If "?" and "&" are identified in a different order during parsing, they are parsed at the same level; the intermediate results differ, but the final cell parsing result is not affected;
(5) parse $B_4$ into cells: identifying the symbol "&" yields protocol message blocks $B_4$ and $B_5$;
(6) parse $B_4$ and $B_5$ into cells again: identifying the protocol message symbol "=" yields protocol message cells $T_4$, $T_5$, $T_6$ and $T_7$;
(7) combine the message blocks $T_1$~$T_7$ obtained above to get the message blocks shown in (b) of Fig. 3.
This completes the cell parsing of the protocol message; part (b) of Fig. 3 shows the cell parsing result. During protocol message construction, the cells $T_n$ must be matched against the output sequences of the hooked function and its related functions in order to locate the protocol message cell blocks that need to be replaced.
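The walk-through in steps (1)-(7), as an added JavaScript example that is not part of the patent: a flat scanner that produces the same final cells as the level-by-level parse, together with the "127" mislocation case described above. The message text, the two symbol lists and all function names are constructed for the example.

```javascript
// Constructed message in the shape of the Fig. 3 walk-through (not from the patent).
const MESSAGE = "GET 127.0.0.1/login.jsp?name=alice&pw=127\r\n";

// Symbols recognised in steps (1)-(6): end marks, space, delimiter, connectors.
// "." is deliberately absent, so "127.0.0.1" and "login.jsp" stay whole cells.
const COARSE_SYMBOLS = ["\r\n", "\r", " ", "/", "?", "&", "="];
// Over-fine variant that also splits on ".", kept only for comparison.
const FINE_SYMBOLS = [...COARSE_SYMBOLS, "."];

// Split a message into cells and symbols. Symbols are kept as tokens so the
// message can be put back together byte for byte after a cell is replaced.
function tokenize(message, symbols) {
  const tokens = [];
  let cell = "";
  let i = 0;
  while (i < message.length) {
    // List order matters: "\r\n" is tried before "\r".
    const symbol = symbols.find((s) => message.startsWith(s, i));
    if (symbol === undefined) {
      cell += message[i];
      i += 1;
      continue;
    }
    if (cell !== "") tokens.push({ kind: "cell", text: cell });
    tokens.push({ kind: "symbol", text: symbol });
    cell = "";
    i += symbol.length;
  }
  if (cell !== "") tokens.push({ kind: "cell", text: cell });
  return tokens;
}

// The cells T_1..T_n in message order.
function cellsOf(tokens) {
  return tokens.filter((t) => t.kind === "cell").map((t) => t.text);
}

// Full-sequence comparison: a cell matches only if it equals the function
// output exactly. Returns the subscripts n of every matching T_n (from 1).
function locate(tokens, functionOutput) {
  const hits = [];
  let n = 0;
  for (const t of tokens) {
    if (t.kind !== "cell") continue;
    n += 1;
    if (t.text === functionOutput) hits.push(n);
  }
  return hits;
}

// Inverse of tokenize().
function reassemble(tokens) {
  return tokens.map((t) => t.text).join("");
}

// With the IP address kept whole, the output "127" identifies exactly one cell.
console.log(cellsOf(tokenize(MESSAGE, COARSE_SYMBOLS)));
console.log(locate(tokenize(MESSAGE, COARSE_SYMBOLS), "127"));
// With "." treated as a symbol, the same output also hits the IP address.
console.log(locate(tokenize(MESSAGE, FINE_SYMBOLS), "127"));
```

A locator that returns more than one subscript signals that the parse is too fine for safe replacement, which is the failure the passage above avoids by leaving the IP address unparsed.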
3. Locating the protocol message cell to be replaced and constructing the security function output
This part has two main purposes: first, to locate the protocol message cell that needs to be replaced; second, to reconstruct the output of the hooked security function. First, the position in the protocol message of the message cell that needs to be replaced is located precisely and marked, and the protocol message cell block at that position is removed. Then the hooked function and its parameters are fetched from the parsing result of the function traces obtained with the function hook method, the parameters are modified, and the function is re-run to obtain a new function output. Finally, the function output obtained is substituted for the located message cell that needs replacing. This yields a new protocol message, called the constructed protocol message, which is then sent to the protocol server.
The ultimate aim of this part is to construct the protocol message, and before that the message cell that needs to be replaced must be located in the protocol message. Locating the cell is discussed for two cases: the hooked function's output directly forms a protocol message cell, and the hooked function's output forms a protocol message cell after conversion. In real protocol implementations, the output of a function often has to be adjusted and processed to fit practical needs before it forms a protocol message cell; for example, the function's output value may be hashed, encrypted or signed. In the latter case, the JavaScript of the security protocol client implementation is first scanned, with attention mainly on the security-related function and its related functions, and a processing relationship between the functions is then established. Only the downstream processing relationship needs to be considered: starting from the security-related function, follow the chain of functions in which the security function's output sequence is processed as the input parameter of the next function. These functions are related as follows:
$f_1 \to f_2 \to \dots \to f_n$
In this relation, the output of $f_1$ is the input of $f_2$, and the output of $f_{n-1}$ is the input of $f_n$.
3.1 The output of the hooked function is used directly as a protocol message cell
In this case, the output of the security function is used directly as a cell in the protocol message. First, the final output of the hooked function is sequence-matched, cell by cell, against the protocol message that has already been divided and parsed into cells, and the protocol message cell that matches is marked. Then that protocol message cell is removed from the protocol message. Finally, the reconstructed output of the hooked function is placed at the position of the removed cell. This completes the construction of the protocol message. The important prerequisite for message construction is to first locate the protocol message cell to be replaced. When the output of the hooked function directly forms a cell of the protocol message, sequence-matching the function output against the cell-parsed protocol message blocks is enough to locate the message cell to be replaced.
In this case, the hooked function and its original parameters are first called from the function mark parsing result. The function is then executed to obtain its output, this output is sequence-matched against the message cell blocks obtained by dividing and parsing the protocol message, and the matching position is marked; the protocol message cell at that position is the protocol message block to be replaced. The specific steps are shown in Fig. 4:
In Fig. 4, $f_1$ is the hooked security function, $arg_1$ is the original parameter of the function, $sg_1$ is the output of the function when its parameter is $arg_1$, and $sg_1 \&\& T_n$ denotes sequence-matching the output $sg_1$ of $f_1$ against the divided protocol message cells, where the result true means the match succeeded. Origin Message is the original protocol message, and $T_n$ ($n = 1, 2, \dots, n$) are the message cell blocks after the protocol message is divided. If, in the figure, $sg_1$ matches $T_2$, then $T_2$ is the protocol message block to be replaced, and the cell at that position, $T_2$, will be removed.
Once the protocol message cell to be replaced has been located, the next step is to generate the constructed protocol message. The process is shown in Fig. 5:
In Fig. 5, $arg_m$ is the modified parameter of function $f_1$, and Generated Message is the constructed protocol message obtained after the protocol message cell has been replaced.
(1) First, the hooked function $f_1$ is called from the function mark parsing part, with the modified parameter $arg_m$ replacing the original parameter $arg_1$ as the input parameter of the function.
(2) Then $f_1$ is executed again to obtain the new function output $sg_1$.
(3) Finally, $sg_1$ replaces the located message cell block $T_2$ in the protocol message Origin Message, which yields the constructed message, i.e. the Generated Message.
In Fig. 5, regardless of how many parameters $f_1$ has, $arg_m$ directly replaces the original parameter $arg_1$.
3.2 The output of the hooked function forms a protocol message cell after conversion processing
In this case, the output of the hooked security function becomes a cell of the protocol message only after conversion processing by related functions/methods, so locating the protocol message cell to be replaced is relatively complex. First, the code in the security protocol client implementation that generates the protocol message is scanned, and the functions and methods that process the output of the hooked function are searched downward from the hooked function, which gives the function call relationship downward from the hooked function. Then the hooked function and its parameters are called from the function mark part and executed to obtain the output of the hooked function, and, following the function call relationship obtained in the previous step, the output of the last function in the call relationship is obtained. Finally, this function output is sequence-matched against the protocol message that has already been parsed into cells, and the position of the matching protocol message cell is recorded. The position of the cell to be replaced in the protocol message is thereby located. The process is shown schematically in Fig. 6:
In Fig. 6, $arg_n$ ($n = 2, \dots, n$) are the parameters of the functions that have a call relationship with the hooked function, $sg_n$ ($n = 2, 3, \dots, n$) are the output values of these functions, and $sg_n \&\& T_n$ denotes matching $sg_n$ against the protocol message cell blocks $T_n$ ($n = 1, 2, \dots, n$); the value true means the match succeeded, that is, the message cell to be replaced has been located in the protocol message.
After the protocol message block to be replaced has been located, the next step is to construct the protocol message. Message construction in this case differs from the case in which the output of the hooked function directly forms a protocol message block. First, the hooked function and its parameters are called from the function mark parsing part, the parameters are modified, and the function is run again to obtain a new function output value. Then this output value is passed as input to the next function in the function call relationship, that function is executed again to obtain a new output value, this output is in turn passed as input to the next function in the call relationship to obtain its output, and so on iteratively until the last function of the function call relationship. Finally, the output value of the last function replaces the message cell block to be replaced in the protocol message, which yields a new protocol message, the constructed protocol message. The detailed process is shown in Fig. 7:
(1) First, the hooked function $f_1$ is called from the function mark parsing part, the modified parameter $arg_m$ replaces the original parameter $arg_1$ of the function, and the function is executed again to obtain the new output $sg_1$ of $f_1$; this output value is passed as input to the next function, such as $f_2$ in the figure.
(2) Then $sg_1$, as a parameter of $f_2$, replaces some part of the original parameter $arg_2$ of $f_2$; the function is executed again to obtain the new output $sg_2$, which is passed as an input parameter to the next function in the function processing relationship.
(3) Next, step (2) is repeated until the parameter of function $f_n$ is the output value of function $f_{n-1}$; the output $sg_n$ of that function is used to replace the message cell block $T_2$ in the protocol message Origin Message.
(4) Finally, $sg_n$ is placed at the position of message cell $T_2$ in Origin Message, which yields the new constructed message Generated Message; this message is sent to the security protocol server.
In the figure above, if every function in the function call relationship has only one parameter, the output of $f_{n-1}$ can directly replace the input parameter of $f_n$, so $sg_{n-1} = arg_n$, and the output of the last function can directly replace the protocol message cell block to be replaced in the protocol message, i.e. $arg_n = T_2$ in the figure. If the functions in the call relationship have two or more parameters, then $arg_m = arg_1$: the modified parameter of $f_1$ can directly replace the original parameter, while the output $sg_{n-1}$ of $f_{n-1}$ can serve only as one component of the parameters of $f_n$, i.e., The output of the last function is used directly to replace the cell part of the protocol message to be replaced in the Origin Message.
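The positioning and replacement steps of sections 3.1 and 3.2, as an added JavaScript example that is not code from the patent: the recorded function chain is replayed to find the cell it produced, then re-run with a modified parameter and substituted at that position. The functions `f1` and `f2`, the toy digest, the split on `&` and `=`, and the sample message are all assumptions constructed for the illustration.

```javascript
// Added example. All names, the message layout and the toy digest are
// constructed for illustration; none of this is code from the patent.

// Dependency-free stand-in for a real hash (32-bit FNV-1a, hex encoded).
function toyDigest(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// f1: the hooked security function. f2: post-processing whose second
// parameter is f1's output (one component of f2's parameters, case 3.2).
function f1(secret) { return toyDigest(secret); }
function f2(nonce, digest) { return toyDigest(nonce + '|' + digest); }

// Parsed function marks: function, recorded arguments, and the argument
// slot that receives the modified parameter (f1) or the previous output.
const CHAIN = [
  { fn: f1, args: ['alice-password'], slot: 0 },
  { fn: f2, args: ['n-42', f1('alice-password')], slot: 1 },
];

// Constructed stand-in for the message intercepted at the proxy.
const ORIGINAL = 'user=alice&nonce=n-42&token=' +
  f2('n-42', f1('alice-password')) + '&ts=1516060800';

// Run f1 -> f2 -> ... -> fn. With argM undefined the recorded arguments
// are replayed; otherwise argM replaces f1's original parameter.
function runChain(chain, argM) {
  let prev = argM;
  chain.forEach((step, i) => {
    const args = step.args.slice();
    if (i > 0 || prev !== undefined) args[step.slot] = prev;
    prev = step.fn(...args);
  });
  return prev;
}

// Simplified cell parsing: split on '&' and '=' and keep the delimiters
// so that joining the pieces reproduces the message byte for byte.
function splitCells(message) {
  return message.split(/([&=])/);
}

// Sequence-match the chain output against every cell; return all hits.
function locateCell(cells, value) {
  const hits = [];
  cells.forEach((cell, i) => { if (cell === value) hits.push(i); });
  return hits;
}

// Locate the cell produced by the original arguments, then substitute the
// output recomputed with argM. Zero or several matches mean the traced
// chain does not explain the message, so nothing is replaced.
function constructMessage(original, chain, argM) {
  const cells = splitCells(original);
  const hits = locateCell(cells, runChain(chain));
  if (hits.length !== 1) {
    throw new Error('expected one matching cell, found ' + hits.length);
  }
  cells[hits[0]] = runChain(chain, argM);
  return { index: hits[0], message: cells.join('') };
}
```

Passing a one-element chain gives the direct case of section 3.1; a message in which no cell matches the replayed output is rejected rather than modified.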
It should be understood that the parts not elaborated in this specification belong to the prior art.
It should be understood that the above description of the preferred embodiment is relatively detailed and should not therefore be regarded as limiting the scope of patent protection of the present invention. Under the teaching of the present invention, those of ordinary skill in the art may make substitutions or variations without departing from the scope protected by the claims of the present invention, and all of these fall within the protection scope of the present invention; the scope for which protection is claimed shall be determined by the appended claims.

Claims (7)

1. A security protocol message construction method, characterized in that: a message construction model is first established, and protocol message construction is then carried out based on the function mark;
In establishing the message construction model, let fun() be a JavaScript function monitored by the function hook method, arg the parameter of fun(), $arg_m$ the modified parameter, $S_g$ the output value obtained by re-executing fun() with the modified parameter, $T_n$ a message cell in the protocol message, M the original protocol message, and $M_g$ the protocol message obtained after construction; the workflow of the model then comprises the following sub-steps:
Step A1: replace the parameter arg in fun(arg) with $arg_m$ to obtain the function with modified parameter, fun($arg_m$);
Step A2: re-execute fun($arg_m$) to obtain the new function output $S_g$, where $S_g$ is used to replace the message cell block $T_n$ at the corresponding position among the message cells;
Step A3: locate in message M the message cell $T_n$ ($n = 1, 2, 3, \dots, n$) to be replaced; the new message $M_g$ is then obtained, and $M_g$ is the constructed message;
The protocol message construction based on the function mark is implemented by the following sub-steps:
Step B1: parse the function mark obtained by the function hook method to obtain a stack structure holding the function name $fun_{name}$ and the function parameter arg;
Step B2: modify the corresponding function parameter to obtain a new function output: call the function parameter arg and the function name $fun_{name}$ from the stack structure, modify arg to obtain $arg_m$, and then re-execute the function corresponding to $fun_{name}$ to obtain the new function output $S_g$;
Step B3: in the intercepted client protocol message M, locate the message cell $T_n$ to be replaced, delete $T_n$ from M, and then embed the value $S_g$ obtained in step B2 at the former position of $T_n$ to obtain the new message $M_g$, which is the constructed message.
2. The security protocol message construction method according to claim 1, characterized in that parsing the function mark obtained by the function hook method in step B1 is implemented by the following sub-steps:
Step B1.1: store the execution mark of the security function obtained by the function hook method in a log file;
Step B1.2: traverse the log file until the end of the file; each function mark read is expressed, in the form of function name, function input and function output, as a security function mark $API_i$;
Step B1.3: if an obtained function mark is not empty, store it in the established stack structure, until the function marks of all functions whose return value is not empty have been stored in the stack.
3. The security protocol message construction method according to claim 1, characterized in that step B3 is implemented by the following sub-steps:
Step B3.1: obtain a protocol message;
Specific input data is entered in the security protocol client, and the client generates a complete protocol message; while it is being transmitted, this message is intercepted with a man-in-the-middle proxy (Proxy), which gives one complete protocol message;
Step B3.2: parse and divide the protocol message to obtain message cells;
In a protocol message, the segment containing the most protocol message characters is called a protocol message section, denoted as set P; the smallest unit in a message block is called a protocol message cell, denoted as set T; a part of a protocol message section that consists of one or more protocol message cells, and that contains fewer protocol message characters or protocol message cells than the protocol message section, is called a protocol message block, denoted as set B; and T ∈ B ∈ P;
After the protocol message is obtained, a cell parsing and division operation is performed on it in order to locate the message cell blocks $T_n$ ($n = 1, 2, \dots, n$) to be replaced in the protocol message; that is, the end marks, delimiters and connectors in the protocol message are identified to obtain the specific cell blocks of the protocol message;
Step B3.3: locate the protocol message cell to be replaced and reconstruct the output of the security function;
First, the position in the protocol message of the message cell to be replaced is located and marked, and the protocol message cell block at that position is removed; then the function and its parameters are called from the parsing result of the function mark obtained by the function hook method, the parameters are modified, and the function is run again to obtain a new function output; finally, the located message cell is replaced with the obtained function output, which yields a new protocol message, and this message is the constructed protocol message.
4. The security protocol message construction method according to claim 3, characterized in that: in step B3.2, after the protocol message is obtained, the cell parsing and division operation performed on it parses the protocol message into cells on the basis of the number of times each protocol message symbol occurs in the protocol message; it is implemented by the following sub-steps:
Step B3.2.1: scan the security protocol client implementation, identify the specific protocol message symbols contained in the implementation, and count the number of occurrences of each symbol;
Step B3.2.2: sort the protocol message symbols that occur in the protocol message in descending order of their number of occurrences, and successively separate the message blocks around the protocol symbols with more occurrences, which gives the protocol message sections P;
Step B3.2.3: within each protocol message section, identify the message symbols with more occurrences again, which gives the protocol message blocks B;
Step B3.2.4: continue to identify the protocol message symbols with relatively more occurrences in B and parse the message blocks, until all message blocks are protocol message minimum units, which completes the cell parsing of the protocol message.
5. The security protocol message construction method according to claim 3, characterized in that: in step B3.3, before the protocol message is constructed, the message cell to be replaced must be located in the protocol message, and locating the protocol message cell to be replaced is divided into two cases: the output of the hooked function is used directly as a protocol message cell, and the output of the hooked function forms a protocol message cell after conversion processing;
When the output of the hooked function is used directly as a protocol message cell, the specific implementation process is: first, the final output of the hooked function is sequence-matched, cell by cell, against the protocol message that has already been divided and parsed into cells, and the protocol message cell that matches is marked; then the matching protocol message cell is removed from the protocol message; finally, the reconstructed output of the hooked function is placed at the position of the removed protocol message cell, and the construction of the protocol message is complete;
When the output of the hooked function forms a protocol message cell after conversion processing, the specific implementation process is: the hooked function and its parameters are called from the function mark parsing part, the parameters are modified, and the function is run again to obtain a new output value; then this output value is passed as input to the next function in the function call relationship, that function is executed again to obtain a new output value, this output is in turn used as the input of the next function in the call relationship to obtain its output, and so on iteratively until the last function of the function call relationship; finally, the output value of the last function replaces the message cell block to be replaced in the protocol message, which yields a new protocol message, the constructed protocol message.
6. The security protocol message construction method according to claim 5, characterized in that: in step B3.3, when the output of the hooked function is used directly as a protocol message cell, the prerequisite is to first locate the protocol message cell to be replaced in the protocol message; first, the hooked function and its original parameters are called from the function mark parsing result; then the function is executed to obtain its output, this output is sequence-matched against the message cell blocks obtained by dividing and parsing the protocol message, and the matching position is marked; the protocol message cell at that position is the protocol message block to be replaced.
7. The security protocol message construction method according to claim 5, characterized in that: in step B3.3, when the output of the hooked function forms a protocol message cell after conversion processing, the prerequisite is to first locate the protocol message cell to be replaced in the protocol message; first, the code in the security protocol client implementation that generates the protocol message is scanned, and the functions and methods that process the output of the hooked function are searched downward from the hooked function, which gives the function call relationship downward from the hooked function; then the hooked function and its parameters are called from the function mark part and executed to obtain the output of the hooked function, and, following the obtained function call relationship, the output of the last function in the call relationship is obtained; finally, this function output is sequence-matched against the protocol message that has already been parsed into cells, and the position of the matching protocol message cell is recorded.
CN201810040484.0A 2018-01-16 2018-01-16 A kind of Secure protocol message building method Active CN108259493B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810040484.0A CN108259493B (en) 2018-01-16 2018-01-16 A kind of Secure protocol message building method


Publications (2)

Publication Number Publication Date
CN108259493A true CN108259493A (en) 2018-07-06
CN108259493B CN108259493B (en) 2019-09-10

Family

ID=62740932


Country Status (1)

Country Link
CN (1) CN108259493B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant