CN108694320A - Method and system for dynamic measurement of sensitive applications in multiple security environments - Google Patents


Info

Publication number: CN108694320A
Authority: CN (China)
Prior art keywords: function, subgraph, sensitive application, graph, function call
Legal status: Granted; currently Expired - Fee Related
Application number: CN201810459608.9A
Other languages: Chinese (zh)
Other versions: CN108694320B (en)
Inventors: 代蕊蕊, 霍冬冬, 王雅哲, 李宇, 胡铭铭, 王瑜
Assignee (current and original): Institute of Information Engineering of CAS

Legal events
Application filed by Institute of Information Engineering of CAS
Priority to CN201810459608.9A
Publication of CN108694320A
Application granted
Publication of CN108694320B
Legal status: Expired - Fee Related

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
        • G06F21/55 Detecting local intrusion or implementing counter-measures
            • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
                • G06F21/562 Static detection
                    • G06F21/563 Static detection by source code analysis
        • G06F21/51 Monitoring users, programs or devices to maintain the integrity of platforms at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability

Abstract

The present invention relates to a method and system for dynamic measurement of sensitive applications in multiple security environments. The program source code is statically analysed to generate a function call graph and a control flow graph for each function, from which a trusted path feature set is built; the program source code is then instrumented with probes. The dynamic path collected at run time is separated, inside the secure domain, into a function call subgraph and function control flow subgraphs. The secure domain first matches the function call subgraph against the trusted function call graph to confirm that it is a subgraph of it, and then matches each function's control flow subgraph against that function's trusted control flow graph. The invention dynamically measures the execution integrity of a sensitive application as it runs along its trusted paths and ensures that the program executes on those paths in the expected order.

Description

Method and system for dynamic measurement of sensitive applications in multiple security environments
Technical field
The present invention relates to a method and system for dynamic measurement of sensitive applications in multiple security environments, and belongs to the field of dynamic measurement of mobile terminal operating systems and critical applications.
Background
With the rapid development of mobile Internet technology and intelligent mobile terminals, integrity protection of the terminal operating system and of critical applications has received increasing attention, and various integrity protection models and implementations have appeared. While the system and its applications are running, an attacker can intrude and modify a program's code segment; once the code segment has been changed, the behaviour of the whole program changes. A typical code-modification attack proceeds as follows: a malicious process first impersonates the target process to deceive the operating system and obtain permission to modify the contents of the target process's address space; it then changes the attributes of some pages of that address space; it then modifies the contents of the pages that hold code so that they perform the function the malicious process wants; finally it restores the process code to look as though it had never been changed. The main object of the present invention is to discover and report, dynamically and in real time, integrity attacks on processes running in the system, and to realise trustworthy dynamic measurement using the trusted isolation environment ICE, the hardware isolation environment TrustZone, function call graphs and control flow graphs.
Instrumentation means inserting probes into a program while preserving the integrity of its original logic; the purpose of these probes is to collect information about functions and code segments. Instrumentation can record the execution path taken by the code at run time and thus reveal how the code actually executed.
Static measurement uses a hash algorithm to generate a metric for an application; at application start-up, whether the application is trusted is judged by whether the metric matches the stored value.
Dynamic measurement extracts the behavioural features of an application by static analysis or by dynamic execution, then monitors the application's behaviour in real time while it actually runs and matches that behaviour against the features. A successful match indicates that the application is trusted; a failed match judges the application's behaviour untrusted.
ARM TrustZone hardware isolation builds two independent running environments in the mobile terminal, a normal execution environment and a trusted execution environment, and the processor's monitor mode provides switching and data transfer between the two. The normal and trusted environments are isolated from each other, which guarantees the security of operations in the trusted environment and effectively isolates an application system's highly sensitive services from its ordinary services.
TrustICE isolated computing environments implement secure-domain separation on physical memory by memory watermarking: when an ICE is running, its memory region is located in the normal world while the other ICEs and the normal operating system are suspended; when the ICE is suspended, its memory region is added to the TrustZone secure-world memory, which the other ICEs and the normal operating system cannot access. TrustICE thus moves the security isolation function from hardware into software, ensures that the trusted computing base does not grow with the number of sensitive applications, and reduces the deployment difficulty of TrustZone security applications.
Function call graph: each directed edge in the graph represents a call relation between nodes (functions); that is, if node u calls node v (u executes before v), there is a directed edge from u to v, where u is the calling node and v the called node.
Control flow graph: represents the execution order and the control flow relations between the basic blocks inside a function. Each function has one control flow graph, which is composed of basic blocks of code.
In the prior art, dynamic measurement of sensitive applications concentrates mainly on the sensitive application itself and does not extend to the system framework layer that provides services to it; the security of the trusted computing base used for dynamic measurement and the efficiency of dynamic measurement need to be improved; and dynamic measurement is mostly based on function call paths alone, so its precision also needs to be improved.
Summary of the invention
The technical problem solved by the present invention: to overcome the deficiencies of the prior art in the range, security, efficiency and precision of dynamic measurement by providing a method and system for dynamic measurement of sensitive applications in multiple security environments, which dynamically measures the execution integrity of a sensitive application as it executes along its trusted paths and ensures that the program executes on those paths in the expected order; that during execution the program's execution order is not tampered with and the program does not call other code as a result of a vulnerability; and that other code does not use the code of the sensitive application.
The technical solution of the invention is: a method and system for dynamic measurement of sensitive applications in multiple security environments, which uses TrustICE isolated computing environments based on TrustZone hardware isolation to dynamically measure the execution of a sensitive application and of its system framework layer. The dynamic measurement feature set has two levels, the function call graph and the control flow graph, which not only extends the range of dynamic measurement but also improves its security, efficiency and precision.
According to the design provided by the present invention, a method for dynamic measurement of sensitive applications in multiple security environments comprises the following steps:
Step 1, trusted path feature set construction: statically analyse the program source code to generate the function call graph and the control flow graphs, and thereby build the trusted path feature set. The secure domain statically measures the trusted path feature set at program start-up to guarantee its security. The secure domain is TrustICE (Trusted Isolated Computing Environments), whose isolation is guaranteed by the TrustZone hardware isolation environment (the secure world, a hardware-based isolation environment); together these form the multiple security environments.
Step 2, dynamic path acquisition: instrument the program source code with probes and, at program start-up, statically measure the program in the secure domain to ensure that the probe points have not been tampered with. While the program runs, obtain the dynamic path from the probe points, including the actual function call relations and the branch relations inside functions.
Step 3, dynamic path separation: in the secure domain, separate the dynamic path obtained in step 2 into a function call subgraph and function control flow subgraphs.
Step 4, trusted real-time computation: in the secure domain, match the function call subgraph from step 3 against the trusted function call graph from step 1 to ensure that it is a subgraph of the trusted function call graph; then, in the secure domain, match the control flow subgraph of each executed function from step 3 against that function's trusted control flow graph from step 1 to ensure that each control flow subgraph is a subgraph of the trusted control flow graph.
The secure domain in the above steps is the TrustICE isolated computing environment, whose isolation is in essence guaranteed by the TrustZone hardware isolation environment; this is why the present invention speaks of multiple security environments. TrustICE amounts to a software realisation of TrustZone: the actual execution takes place in the normal world, which ensures that the secure-world code size does not grow as security applications are added, and frequent switching between the secure world and the normal world is unnecessary, reducing the time spent on security operations.
The trusted path feature set construction of step 1 specifically comprises the following steps:
Step 1.1, function call graph generation: statically analyse the sensitive application and the system framework layer, generate the function call graph of the sensitive application and that of the system framework layer, and then join them into one complete function call graph. The system framework layer is the basis of application development; an application realises its core functions through this layer.
Step 1.2, control flow graph generation: statically analyse the sensitive application and the system framework layer and generate a control flow graph for each function.
Step 1.3, secure storage of the trusted path feature set: compute the hash values of the function call graph and the control flow graphs and store them in the TrustICE security environment to guarantee the integrity of the trusted path feature set.
The dynamic path acquisition of step 2 specifically comprises the following steps:
Step 2.1, probe point selection, probe function design and instrumentation: take each function in the source code as an instrumentation unit and, for each unit, use the function's entry point, its key control-logic code segments and its exit point as probe points; design the probe functions and insert them at the selected probe points.
Step 2.2, storage of instrumentation information and static measurement: compute the hash values of the instrumented sensitive application and system framework layer and store them in the TrustICE security environment. At system start-up, statically measure the system framework layer; at sensitive-application start-up, statically measure the sensitive application.
Step 2.3, dynamic path acquisition: while the system and the application run, record from the probe point information the dynamic path within each measurement time slice. This path comprises the function execution information and the execution information of the control logic inside functions.
The dynamic path separation of step 3 specifically comprises the following steps:
Step 3.1, function call subgraph separation: from the probe information of the function entry and exit points, extract the function execution stream from the dynamic path and generate the function call subgraph for the measurement time slice.
Step 3.2, function control flow subgraph separation: from the probe information of the key control-logic code segments, extract the control flow executed inside each function from the dynamic path and generate the function control flow subgraphs for the measurement time slice.
The trusted real-time computation of step 4 specifically comprises the following steps:
Step 4.1, function call graph matching: match the dynamic function call subgraph from step 3.1 against the trusted function call graph from step 1.1. If the function call subgraph is a subgraph of the trusted function call graph, continue with step 4.2; otherwise report a program execution-order problem and terminate the measured application.
Step 4.2, control flow graph matching: match the dynamic function control flow subgraphs from step 3.2 against the trusted function control flow graphs from step 1.2. If each function's control flow subgraph is a subgraph of its trusted control flow graph, the program is executing on a trusted path; otherwise report a problem in the program's internal execution and terminate the measured application.
The matching algorithms of steps 4.1 and 4.2 are implemented by the real-time computing engine in the TrustICE security environment.
The system for dynamic measurement of sensitive applications in multiple security environments of the present invention comprises a trusted path feature set construction module, a dynamic path acquisition module, a dynamic path separation module and a trusted real-time path matching module.
Trusted path feature set construction module: before the sensitive application is released and used, statically analyses the source code of the sensitive application and of the system framework layer and generates the function call graph and the control flow graphs, which together constitute the trusted path feature set; the security and integrity of this feature set are guaranteed by TrustICE. The module comprises function call graph generation, function control flow graph generation, and static measurement of the function call graph and control flow graphs. It first statically analyses the sensitive application and the system framework layer, generates the function call graph of each and joins them into one complete function call graph; it then statically analyses the sensitive application and the system framework layer and generates a control flow graph for each function; finally it hashes the function call graph and the control flow graphs. When the system and the sensitive application start, TrustICE uses these hash values to statically measure the path feature set so as to guarantee its integrity and security, whereupon it becomes the trusted path feature set.
Dynamic path acquisition module: before the sensitive application is released and used, instruments the source code of the sensitive application and of the system framework layer; while the sensitive application runs, records from the probe information the dynamic execution information of the functions inside the sensitive application and in the system framework layer. The module comprises probe point selection, probe function design and instrumentation, static measurement of the sensitive application and system framework layer, and dynamic path acquisition. It first takes each function in the source code as an instrumentation unit and, for each unit, uses the function's entry point, its key control-logic code segments and its exit point as probe points; it designs the probe functions and inserts them at the selected probe points. It then computes the hash values of the instrumented sensitive application and system framework layer and stores them in the TrustICE security environment; the system framework layer is statically measured at system start-up and the sensitive application at application start-up. While the system and the application run, it records from the probe point information the dynamic path within each measurement time slice.
Dynamic path separation module: from the probe function information preserved in the dynamic path collected by the dynamic path acquisition module, extracts the run-time function call subgraph and function control flow subgraphs; the function control flow subgraphs are separated mainly with respect to loops, recursion and branches. Dynamic path separation is executed inside TrustICE to guarantee the integrity and security of the generated function call subgraph and function control flow subgraphs.
Trusted real-time path matching module: the trusted path feature set comprises the function call graph and control flow graphs obtained by static analysis, and the dynamic path acquisition and separation modules have recorded and separated the actual execution order of the sensitive application and the system framework layer, producing a function call subgraph and function control flow subgraphs. This module uses that information to match the dynamic path and judge whether the actual function execution path is a subset of the trusted path feature set. The matching consists mainly of function call subgraph matching and function control flow subgraph matching; a failed match indicates that an abnormal call occurred during actual execution.
Compared with the prior art, the present invention has the following advantages:
(1) It provides a method for dynamically measuring sensitive applications on the basis of a trusted environment: using instrumentation, function call graphs, control flow graphs and a software-implemented security environment, it performs security monitoring and dynamic measurement of both the sensitive application and the system framework layer, extending the range of dynamic measurement and improving its security.
(2) It makes full use of the characteristics of TrustICE to perform static measurement of the instrumented sensitive application and system framework layer and dynamic measurement at run time, without frequent switching between the secure world and the normal world of the TrustZone hardware isolation environment, thereby improving the efficiency of dynamic measurement while guaranteeing its security.
(3) It combines the function call graph and the control flow graph into two levels of measurement, improving the precision of dynamic measurement and solving the problem that dynamic measurement based on function calls alone cannot detect whether a program fragment has been called or tampered with.
Description of the drawings
Fig. 1 is a schematic diagram of the overall framework of the present invention;
Fig. 2 is a schematic diagram of trusted path feature set construction in the present invention;
Fig. 3 is a schematic diagram of dynamic path acquisition in the present invention;
Fig. 4 is a schematic diagram of trusted real-time path matching in the present invention.
Detailed description of the embodiments
The method and system for dynamic measurement of sensitive applications in multiple security environments of the present invention dynamically measures the execution paths of a sensitive application and its system framework layer during execution, ensuring that the program executes on trusted paths in the expected order, that its execution order is not tampered with and it does not call other code as a result of a vulnerability, and that other code does not use the sensitive application's code. The invention uses TrustICE isolated computing environments based on TrustZone hardware isolation to dynamically measure this execution, and the measurement feature set comprises two levels, the function call graph and the control flow graph. On this basis the invention has the advantages of high security, high accuracy and high efficiency.
To make the purpose, advantages and technical solution of the present invention clearer, the invention is described in more detail below through specific embodiments and with reference to the accompanying drawings.
Fig. 1 describes the overall framework of the implementation, which mainly comprises the following four parts:
Part one: trusted path feature set construction
Before the sensitive application is released and used, the code of the sensitive application and of the system framework layer is statically analysed to generate the function call graph and the control flow graphs, which together constitute the trusted path feature set; the security and integrity of this feature set are guaranteed by TrustICE.
The construction of the trusted path feature set is analysed in detail with reference to Fig. 2.
(1) Function call graph generation. For the application's installation package file, the static analysis tool FlowDroid is used to generate the application's function call graph. Because Android has no single main method, the call graph cannot simply be built starting from main; instead, each component has a lifecycle, so FlowDroid emulates the lifecycle with a "dummy main method" and tracks the function call paths from there. For the system framework layer, PScout is used to analyse the Android framework source code, again simulating a main method to track the function call paths. Finally the application's function call graph and the framework layer's call graph are joined; the connections are the calls and callbacks between the application and the system framework layer.
(2) Control flow graph generation. The sensitive application and the system framework layer are statically analysed with the static analysis tool Soot, which creates a control flow graph for each method of each class in the application installation package file and in the system framework layer source code.
(3) Static measurement of the function call graph and control flow graphs. The function call graph and the control flow graphs are hashed, using a hash algorithm such as SHA-1 or MD5. This computation is executed in the TrustICE trusted environment and the hash values are kept by TrustICE; when the system and the sensitive application start, TrustICE uses these hash values to statically measure the path feature set so as to guarantee its integrity and security, whereupon it becomes the trusted path feature set.
Part two: dynamic path acquisition
Before the sensitive application is released and used, the source code of the sensitive application and of the system framework layer is instrumented; while the sensitive application runs, the dynamic execution information of the functions inside the sensitive application and in the system framework layer is recorded from the probe information.
The realisation of dynamic path acquisition is introduced in detail with reference to Fig. 3.
(1) Probe point selection, probe function design and instrumentation. Each function in the source code of the sensitive application and the system framework layer is taken as a basic unit; for each basic unit, the function's entry point, its key control-logic code segments and its exit point are taken as probe points. The entry and exit points uniquely identify a function and also identify the function's current state. For example, if the dynamic path records the entry point of a function but the next record is not that function's exit point but the entry point of another function, then a call between the two functions has occurred while the first function has not yet finished. Probe points at control-logic keywords identify the order in which the code inside a function executed. For example, if the dynamic path records the entry point of function f1, then the probe point of an if condition that evaluated to true, then the entry point of function f2, then f2 was called by f1 in the case where the branch condition was true. The probe functions at a function's entry and exit points correspond one-to-one with the function and should contain the class to which the function belongs, its return value, its name and its parameter list; the probe functions at key control-logic code correspond one-to-one with branch code segments and should contain the current control-logic information, such as loop control, branch control, condition true, condition false. Finally the designed probe functions are inserted at the selected probe points and the hash values of the instrumented sensitive application and system framework layer are computed; this process is executed by the TrustICE trusted environment and the corresponding hash values are also stored by TrustICE.
(2) Static measurement of the sensitive application and system framework layer. When the system framework layer starts, within the secure system boot supported by the security environment, the TrustICE trusted environment statically measures the system framework layer and confirms that its instrumentation has not been tampered with; when the sensitive application starts, TrustICE likewise statically measures the sensitive application to ensure that its instrumentation has not been tampered with.
(3) Dynamic path acquisition. While the sensitive application runs, according to the configured metric points (the moments at which integrity dynamic measurement takes place), the dynamic path from the previous metric point to the current one (the measurement time slice) is recorded and securely stored using the TrustICE trusted environment.
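The probe-point selection described in step 2.1 and in part two (1) above, together with the static measurement of the instrumented program in steps 1.3 and 2.2, can be shown end to end on a small program. The following is an added example written for this page; it is not code from the patent, which targets Android/Java via FlowDroid, PScout and Soot. Python's standard `ast` module stands in for the source-to-source instrumenter: a probe is inserted at every function entry and exit (the exit probe fires on every return path, including exceptions) and at every `if` and `while` site, the instrumented text is hashed as the stored static metric, and running the program yields the dynamic path as a list of (event, site) records. The sample "sensitive application" (`check_pin`/`verify`), the probe name `probe`, the site ids `<function>:b<n>` and the event names are all constructed for the example. SHA-256 is used for the hash; the patent text names SHA-1 and MD5, which are no longer collision-resistant and should not be used for a new integrity metric.

```python
import ast
import hashlib
import textwrap

# Constructed sample program standing in for the sensitive application.
SAMPLE = """
def check_pin(pin):
    if len(pin) != 4:
        return False
    return verify(pin)

def verify(pin):
    return pin == "1234"
"""

TRACE = []  # the dynamic path: (event kind, site) records in execution order


def probe(kind, site):
    """Probe function inserted at every probe point (hypothetical name)."""
    TRACE.append((kind, site))


class Instrumenter(ast.NodeTransformer):
    """Insert probes at function entry/exit and at branch and loop sites."""

    def __init__(self):
        self.scope = []  # names of the enclosing functions
        self.sites = {}  # per-function counter giving each branch/loop site an id

    @staticmethod
    def _probe(kind, site):
        call = ast.Call(func=ast.Name(id="probe", ctx=ast.Load()),
                        args=[ast.Constant(kind), ast.Constant(site)], keywords=[])
        return ast.Expr(value=call)

    def _site(self):
        fn = self.scope[-1] if self.scope else "<module>"
        self.sites[fn] = self.sites.get(fn, 0) + 1
        return f"{fn}:b{self.sites[fn]}"

    def visit_FunctionDef(self, node):
        self.scope.append(node.name)
        self.generic_visit(node)  # instrument the statements inside first
        self.scope.pop()
        # Entry probe, then the original body wrapped in try/finally so the
        # exit probe is recorded on every return path, including exceptions.
        wrapped = ast.Try(body=node.body, handlers=[], orelse=[],
                          finalbody=[self._probe("exit", node.name)])
        node.body = [self._probe("enter", node.name), wrapped]
        return node

    def visit_If(self, node):
        site = self._site()  # numbered before descending: pre-order ids
        self.generic_visit(node)
        node.body.insert(0, self._probe("if_true", site))
        node.orelse.insert(0, self._probe("if_false", site))
        return node

    def visit_While(self, node):
        site = self._site()
        self.generic_visit(node)
        node.body.insert(0, self._probe("loop_iter", site))
        return node


def instrument(source):
    """Return the instrumented source text (the artefact that gets hashed)."""
    tree = ast.parse(textwrap.dedent(source))
    tree = ast.fix_missing_locations(Instrumenter().visit(tree))
    return ast.unparse(tree)


def static_measure(source):
    """Hash of the instrumented program, as the secure domain would store it
    and re-check at start-up to confirm the probes were not tampered with."""
    return hashlib.sha256(instrument(source).encode()).hexdigest()


def run_instrumented(source, entry, *args):
    """Execute the instrumented program and return the recorded dynamic path."""
    TRACE.clear()
    namespace = {"probe": probe}
    exec(compile(instrument(source), "<instrumented>", "exec"), namespace)
    namespace[entry](*args)
    return list(TRACE)


if __name__ == "__main__":
    print(instrument(SAMPLE))
    print("metric:", static_measure(SAMPLE))
    for pin in ("1234", "12"):
        print(pin, "->", run_instrumented(SAMPLE, "check_pin", pin))
```

For `check_pin("1234")` the recorded path is entry of `check_pin`, the false side of its single branch, entry and exit of `verify`, exit of `check_pin`; a caller that appears between another function's entry and exit is exactly the nested-call situation the text describes. In the patent's setting the instrumented artefact is the APK and framework code, and the measure is taken and stored by TrustICE rather than by the same process.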
Three, dynamic route detaches
The cardinal principle of dynamic route separation is according to the pile function information preserved in dynamic route in second part, extraction Practical execution flow inside function calling relationship and function when operation, execution control stream inside function is mainly for following Ring, recurrence and branch are split.Lower mask body introduces the realization method of dynamic route separation, and whole process is in TrustICE It executes, to ensure integrality and the safety of the function call subgraph generated and function control stream subgraph:
(1) For the call relation between functions: since both the start point and the end point of every function are instrumented, the first-in, last-out property of a stack is used to record the current state and information of each function. For example, suppose function f1 calls another function f2. Although f1 starts executing before f2, the end instrumentation point of f1 is reached only after f2 has finished executing. In the function call graph that is finally generated, each edge represents one function call relationship: the start of the edge is the calling function f1 and the end of the edge is the called function f2.
(2) For the control flow relation inside a function: since the information recorded at the control-logic code segments indicates the current control-logic keyword and whether its condition is true or false, the control flow information can be extracted from it:
1. Selection control logic
If a selection keyword is encountered, only one branch executes in any single actual execution, so no separation is needed and the next block structure can be processed directly;
2. Loop control logic
When a loop keyword is encountered and a true-stake point (an instrumentation point whose condition is true) is reached, that true-stake point is compared with the top element of the loop's true-stake-point stack. If they are identical, this is the previous loop again; the path of each iteration is recorded and compared in the process, and if it is identical to an existing path it is not added again, while a different path is added to the set of loop paths. If the current instrumentation point differs from the top element of the stack, the next loop has been entered, and the loop-handling module function is called recursively.
3. Recursion control logic
When the true-stake point of a function is encountered, the instrumentation point is compared with the top element of the function's true-stake-point stack. If they are identical, the function has recursed; the path of each recursive invocation is recorded and compared in the process, and if it is identical to an existing path it is not added again, while a different path is added to the loop paths.
In the control flow graph that is finally generated, each edge represents the actual execution flow between code blocks inside a function.
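The separation described in (1) and (2) above, as an added example that is not the patent's implementation: it assumes a constructed trace of stake-point records ("enter"/"exit" from the function start and end points, "block" from the control-logic segments), a hypothetical root caller name, and uses one stack both for the call relation and for the per-activation flow, so that a repeated loop iteration or a recursive activation that takes an already-seen path adds no new edge.

```python
from collections import defaultdict

ROOT = "<root>"  # hypothetical caller of the first function in the period

# Constructed trace for one measurement period (not from the patent):
# f1 runs a loop twice, calling f2 from the loop body each time, then leaves
# the loop and returns. ("block", f, label) is a control-logic stake point.
SAMPLE_TRACE = [
    ("enter", "f1"),
    ("block", "f1", "loop_true"),
    ("enter", "f2"), ("block", "f2", "if_true"), ("exit", "f2"),
    ("block", "f1", "loop_true"),
    ("enter", "f2"), ("block", "f2", "if_false"), ("exit", "f2"),
    ("block", "f1", "loop_false"),
    ("exit", "f1"),
]


def separate_dynamic_path(trace):
    """Split a stake-point trace into (call_edges, flow_edges).

    call_edges: set of (caller, callee). A stack is used because the end
    stake point of the caller is reached only after the callee has exited.
    flow_edges: {function: set of (block, next_block)}, the actual flow
    between control-logic blocks of one activation. Keeping edges in a set
    means a repeated loop iteration or a recursive activation that follows
    a path already seen adds nothing new.
    """
    stack = []                 # [function, last block seen in this activation]
    call_edges = set()
    flow_edges = defaultdict(set)
    for rec in trace:
        kind, fn = rec[0], rec[1]
        if kind == "enter":
            caller = stack[-1][0] if stack else ROOT
            call_edges.add((caller, fn))
            stack.append([fn, "entry"])
        elif kind == "block":
            if not stack or stack[-1][0] != fn:
                raise ValueError(f"block stake point of {fn} outside its activation")
            flow_edges[fn].add((stack[-1][1], rec[2]))
            stack[-1][1] = rec[2]
        elif kind == "exit":
            if not stack or stack[-1][0] != fn:
                raise ValueError(f"exit stake point of {fn} does not match stack top")
            _, last_block = stack.pop()
            flow_edges[fn].add((last_block, "exit"))
        else:
            raise ValueError(f"unknown stake point kind {kind!r}")
    if stack:
        # Design choice of this example: a period that ends inside a function
        # is rejected rather than matched as a partial subgraph.
        raise ValueError(f"period ended inside {stack[-1][0]}")
    return call_edges, dict(flow_edges)


if __name__ == "__main__":
    calls, flows = separate_dynamic_path(SAMPLE_TRACE)
    print("call subgraph:", sorted(calls))
    for fn, edges in sorted(flows.items()):
        print(f"control flow subgraph of {fn}:", sorted(edges))
```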
Four. Trusted real-time computation path matching
The first part generates the trusted path feature set, which consists of the function call graph and control flow graphs obtained by static analysis; the second and third parts record and separate the function calls of the sensitive application and the system framework layer during actual execution, generating a function call subgraph and function control flow subgraphs. This part therefore uses the above information to perform dynamic path matching: it judges whether the actual function execution path is a subset of the trusted path feature set, and if it is not, an abnormal call has occurred during actual execution.
The implementation of trusted real-time computation path matching is described in detail with reference to Fig. 4.
(1) Within one measurement time slice, TrustICE first judges whether the current function call subgraph is contained in the function call graph of the trusted path feature set. If the match succeeds, proceed to (2); otherwise an abnormal function call may have occurred during execution of the sensitive application, i.e. the program was called by other code or called other code, in which case the exception should be reported and the sensitive application terminated to prevent leakage of sensitive information;
(2) Once the function call graph match has passed, matching of the function control flow subgraphs continues: TrustICE judges whether the control flow subgraph of each function called in the above call subgraph is contained in that function's trusted control flow graph. If so, measurement continues with the next measurement time slice; otherwise abnormal execution may have occurred inside a function during execution of the sensitive application, for example an abnormal code segment was inserted or called, and in this case the abnormal condition should likewise be reported and the sensitive application terminated to prevent leakage of sensitive information.
Thus, with the support of the TrustICE trusted execution environment, the dynamic measurement of the present invention ensures that the program executes on the trusted path, using the configured measurement time slice as its unit.
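The two-stage check of (1) and (2), as an added example that is not the patent's code: the trusted path feature set is assumed to be the static call graph edges plus per-function control flow edges, its hash is assumed to have been recorded in the secure environment at static-measurement time (claim 2, step 1.3), re-checking that hash on every period is an assumption of this example, and all graphs are constructed.

```python
import hashlib
import json

# Constructed trusted path feature set (not from the patent): static call
# graph edges and, per function, the edges of its control flow graph.
TRUSTED = {
    "calls": {("<root>", "f1"), ("f1", "f2"), ("f2", "f3")},
    "flows": {
        "f1": {("entry", "loop_true"), ("loop_true", "loop_true"),
               ("loop_true", "loop_false"), ("entry", "loop_false"),
               ("loop_false", "exit")},
        "f2": {("entry", "if_true"), ("entry", "if_false"),
               ("if_true", "exit"), ("if_false", "exit")},
        "f3": {("entry", "exit")},
    },
}


def feature_set_digest(feature_set):
    """Canonical SHA-256 over the feature set: edges and function names are
    sorted so the digest does not depend on set iteration order."""
    canon = {
        "calls": sorted(feature_set["calls"]),
        "flows": {fn: sorted(e) for fn, e in sorted(feature_set["flows"].items())},
    }
    return hashlib.sha256(json.dumps(canon, separators=(",", ":")).encode()).hexdigest()


# Assumed to have been computed and stored in the secure environment when the
# feature set was statically measured.
TRUSTED_DIGEST = feature_set_digest(TRUSTED)


def match_period(call_subgraph, flow_subgraphs, feature_set, expected_digest):
    """Return "ok" or a reason string saying why the period must be rejected.

    Stage (1): every dynamic call edge must be in the static call graph.
    Stage (2): for every function called in the period, every dynamic flow
    edge must be in that function's trusted control flow graph.
    The digest is re-checked first so a tampered feature set cannot vouch
    for a tampered path (an assumption of this example)."""
    if feature_set_digest(feature_set) != expected_digest:
        return "feature_set_tampered"
    bad_calls = call_subgraph - feature_set["calls"]
    if bad_calls:
        return "abnormal_call:" + ",".join(f"{a}->{b}" for a, b in sorted(bad_calls))
    for fn, edges in sorted(flow_subgraphs.items()):
        bad_flow = edges - feature_set["flows"].get(fn, set())
        if bad_flow:
            return f"abnormal_flow:{fn}:" + ",".join(f"{a}->{b}" for a, b in sorted(bad_flow))
    return "ok"


if __name__ == "__main__":
    # A normal period: f1 loops once and calls f2, which takes the true branch.
    calls = {("<root>", "f1"), ("f1", "f2")}
    flows = {"f1": {("entry", "loop_true"), ("loop_true", "loop_false"), ("loop_false", "exit")},
             "f2": {("entry", "if_true"), ("if_true", "exit")}}
    print(match_period(calls, flows, TRUSTED, TRUSTED_DIGEST))
    # f2 calling back into f1 is not a static call edge: report and terminate.
    print(match_period(calls | {("f2", "f1")}, flows, TRUSTED, TRUSTED_DIGEST))
```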
The above examples are provided only for the purpose of describing the present invention and are not intended to limit its scope. The scope of the invention is defined by the appended claims. Various equivalent substitutions and modifications made without departing from the spirit and principles of the present invention shall all fall within the scope of the invention.

Claims (7)

1. A method for dynamic measurement of a sensitive application under multiple security environments, characterized by comprising the following steps:
Step 1: perform static analysis on the program's source code to generate a function call graph and control flow graphs, thereby constructing a trusted path feature set; the trusted path feature set is statically measured by the security domain at program startup, ensuring the safety of the trusted path feature set; the security domain refers to the TrustICE environment guaranteed by TrustZone hardware isolation, i.e. the multiple security environments;
Step 2: perform instrumentation preprocessing on the program source code; during program startup, static measurement is performed by the security domain to ensure that the instrumentation points in the program's source code have not been tampered with; during program execution, a dynamic path is obtained according to the instrumentation points in the program's source code; the dynamic path includes the actual function call relations and the branch call relations within functions;
Step 3: in the security domain, separate the dynamic path obtained in step 2 into a function call subgraph and function control flow subgraphs;
Step 4: using the security domain, match the function call subgraph of step 3 with the function call graph generated in step 1, ensuring that the function call subgraph of step 3 is a subgraph of the function call graph of step 1; then, using the security domain, match the function control flow subgraphs of step 3 with the control flow graphs of step 1, ensuring that each function control flow subgraph of step 3 is a subgraph of the corresponding control flow graph of step 1; if both the function call subgraph and the function control flow subgraphs match successfully, the execution sequence of the sensitive application has not been tampered with, i.e. the trusted real-time computation performs dynamic measurement and finds no abnormality; the sensitive application refers to an application program whose execution sequence must be guaranteed not to be tampered with.
2. The method for dynamic measurement of a sensitive application under multiple security environments according to claim 1, characterized in that in step 1, constructing the trusted path feature set comprises the following steps:
Step 1.1: perform static analysis on the sensitive application and the system framework layer, generating the function call graph of the sensitive application and the function call graph of the system framework layer respectively, then join them to generate one complete function call graph;
Step 1.2: perform static analysis on the sensitive application and the system framework layer, generating a function control flow graph for each function;
Step 1.3: compute the hash values of the function call graph and the control flow graphs and store them in the TrustICE security environment, guaranteeing the integrity of the trusted path feature set.
3. The method for dynamic measurement of a sensitive application under multiple security environments according to claim 1, characterized in that in step 2, obtaining the dynamic path comprises the following steps:
Step 2.1: take each function of the program source code as an instrumentation unit; for each instrumentation unit, take the function start point, the control-logic key code segments and the function end point as instrumentation points; design probe functions and insert them at the selected instrumentation points;
Step 2.2: compute hash values for the instrumented sensitive application and system framework layer and store them in the TrustICE security environment; at the startup stage of the operating system on which the sensitive application relies, perform static measurement on the system framework layer; at the startup stage of the sensitive application, perform static measurement on the sensitive application;
Step 2.3: during execution of the sensitive application and the operating system it relies on, record the dynamic path within each measurement time slice according to the instrumentation point information; the dynamic path includes function execution information and function-internal control-logic execution information.
4. The method for dynamic measurement of a sensitive application under multiple security environments according to claim 1, characterized in that in step 3, dynamic path separation comprises the following steps:
Step 3.1: according to the instrumentation point information of the function start and end points, extract the function execution stream from the dynamic path and generate the function call subgraph within the measurement time slice;
Step 3.2: according to the instrumentation point information of the control-logic key code segments of functions, extract the function-internal execution control flow from the dynamic path and generate the function control flow subgraphs within the measurement time slice.
5. The method for dynamic measurement of a sensitive application under multiple security environments according to claim 1, characterized in that in step 4, trusted real-time computation comprises the following steps:
Step 4.1: match the function call subgraph of step 3 with the function call graph of step 1; if the function call subgraph is a subgraph of the function call graph, continue with step 4; otherwise, report a program execution sequence problem and terminate the sensitive application;
Step 4.2: match the dynamic function control flow subgraphs of step 3 with the control flow graphs of step 1; if each function control flow subgraph is a subgraph of the corresponding control flow graph, the program is executing on the trusted path; otherwise, report a function-internal execution problem and terminate the sensitive application.
6. The method for dynamic measurement of a sensitive application under multiple security environments according to claim 5, characterized in that in step 4.1 and step 4.2, the matching method is realized by a real-time computing engine in the TrustICE security environment.
7. A system for dynamic measurement of a sensitive application under multiple security environments, characterized by comprising: a trusted path feature set construction module, a dynamic path acquisition module, a dynamic path separation module and a trusted real-time computation path matching module;
the trusted path feature set construction module performs, before the sensitive application is released and used, static analysis on the source code of the sensitive application and the system framework layer, generating the function call graph and control flow graphs respectively, which together constitute the trusted path feature set; the safety and integrity of this feature set are guaranteed by TrustICE;
the dynamic path acquisition module performs, before the sensitive application is released and used, instrumentation preprocessing on the source code of the sensitive application and the system framework layer; during execution of the sensitive application, it records the dynamic execution information of the functions inside the sensitive application and the system framework layer according to the instrumentation information;
the dynamic path separation module extracts, according to the probe function information preserved in the dynamic path acquired by the dynamic path acquisition module, the run-time function call subgraph and function control flow subgraphs; the function control flow subgraphs are split for loops, recursion and branches; the specific dynamic path separation process executes in TrustICE, to guarantee the integrity and safety of the generated function call subgraph and function control flow subgraphs;
the trusted real-time computation path matching module: the trusted path feature set comprises the function call graph and function control flow graphs obtained by static analysis; the dynamic path acquisition module and the dynamic path separation module have recorded and separated the execution sequence of the sensitive application and the system framework layer during actual execution, generating the function call subgraph and function control flow subgraphs; this module first judges whether the function call subgraph is a subset of the function call graph; if not, an abnormal call has occurred during actual execution of the sensitive application; if so, it continues to judge whether the function control flow subgraphs are subsets of the control flow graphs; if not, an abnormal call has occurred during actual execution of the sensitive application; if so, the actual execution of the sensitive application is normal.
CN201810459608.9A 2018-05-15 2018-05-15 Method and system for measuring sensitive application dynamic under multiple security environments Expired - Fee Related CN108694320B (en)
Publications (2)

Publication Number Publication Date
CN108694320A true CN108694320A (en) 2018-10-23
CN108694320B CN108694320B (en) 2020-09-15
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20200915

Termination date: 20210515