CN109697339A - A kind of Android application method for security protection based on dynamic virtual instruction map - Google Patents
A kind of Android application method for security protection based on dynamic virtual instruction map Download PDFInfo
- Publication number
- CN109697339A CN109697339A CN201710981989.2A CN201710981989A CN109697339A CN 109697339 A CN109697339 A CN 109697339A CN 201710981989 A CN201710981989 A CN 201710981989A CN 109697339 A CN109697339 A CN 109697339A
- Authority
- CN
- China
- Prior art keywords
- instruction
- android application
- android
- dynamic
- customized
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 101
- 238000013507 mapping Methods 0.000 claims abstract description 13
- 239000011159 matrix material Substances 0.000 claims description 30
- 230000003068 static effect Effects 0.000 description 7
- 230000009466 transformation Effects 0.000 description 5
- 230000008569 process Effects 0.000 description 4
- 230000008901 benefit Effects 0.000 description 3
- 230000007246 mechanism Effects 0.000 description 3
- 238000006243 chemical reaction Methods 0.000 description 2
- 238000011161 development Methods 0.000 description 2
- 238000010586 diagram Methods 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 238000000605 extraction Methods 0.000 description 2
- 238000011160 research Methods 0.000 description 2
- 230000006399 behavior Effects 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 235000013399 edible fruits Nutrition 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000012544 monitoring process Methods 0.000 description 1
- 230000001681 protective effect Effects 0.000 description 1
- 238000012857 repacking Methods 0.000 description 1
- 230000000717 retained effect Effects 0.000 description 1
- 238000007619 statistical method Methods 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/14—Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Multimedia (AREA)
- Technology Law (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Devices For Executing Special Programs (AREA)
Abstract
The invention discloses a kind of Android application method for security protection based on dynamic virtual instruction map.Invention defines customized fictitious order collection and virtual machine interpreters; it is operated by order confusion and Dalvik instruction set is transformed to customized fictitious order collection; dynamic mapping is carried out to the mapping relations between instruction set when being executed; and transformed instruction is explained and executed by customized virtual machine interpreter, to realize to the key method in Android application and execute the protection of logic.Meanwhile Android application code based on customized fictitious order collection and its corresponding virtual machine interpreter are embedded in Android application, because without possessing Root authority or modifying to Android first floor system.The present invention key method in Android application can be effectively protected with logic offer is executed; that improves application program obscures degree and unreadable property; the time and space complexity that attacker implements conversed analysis and code dump attack can be effectively improved, realizes the security hardening of Android application.
Description
Technical field
The present invention relates to a kind of Android application software method for security protection, are based particularly on dynamic virtual instruction map
Android application protection method, the advantage in conjunction with of both fictitious order and customized interpreter adequately protects Android
The safety of application software.
Background technique
Google company captures rapidly intelligent movable mobile phone in release android system in 2007 in recent years
Market becomes current most popular mobile phone operating system, and the data provided according to communication traffic mechanism for monitoring Statcounter are aobvious
Show, in March, 2017, Android became global first big operating system more than Windows for the first time, and accounting 37.93% has been more than micro-
The 37.91% of soft Windows system.
Although the source code open source characteristic of android system brings certain convenience to developer to a certain extent,
But the characteristic also brings security risk to Android application.The security mechanism of android system itself be a kind of granularity compared with
Thick security mechanism, attacker can by decompiling, static analysis, dynamic analysis, beat again packet etc. technologies to application program into
Row malicious modification, meanwhile, Android application market is very different, it is difficult to manage, causing Android to apply becomes Malware
The severely afflicated area spread unchecked seriously compromises the interests of user.
Attacker is static analysis and dynamic analysis for the main means of Android application implementation attack at present.It is static
Analysis is that attacker analyzes application program under the premise of not running program to obtain the core code of program and execution
Logic is distorted to carry out malice to application program.Currently, main static analysis tools have dex2jar, jd-gui,
Jadx, enjarify, Apktool etc. can be answered after being analyzed using these tools the DEX file in application program
With the source code of program, and Android application program is mostly to be write by Java language, due to Java language have it is abundant
Semantic information, it is easy to be understood by attacker, lead to the exposure of application program core code.Dynamic analysis then need attacker to transport
Row application program, and its desired information is obtained by the implementation procedure of tracing program.In general, dynamic analysis
Major way is memory Dump, can will be mapped to the program of memory headroom original plaintext code and data when program is run
Dump is got up.
Currently, the existing guard method for Android application mainly has Code obfuscation, completeness check, DEX shell adding
Deng although these methods can not can be resisted completely and be attacked to a certain extent to Android using play a protective role
The static analysis and dynamic analysis for the person of hitting.In addition, the principle of these safety encryptions is relatively more fixed, attacker once understands it
Principle can crack accordingly it.More seriously, these methods can not effectively settlement procedure operation when it is interior
Dump problem is deposited, causes the clear text file retained in memory to be easy to be obtained by attacker by core dump technology, and then to bright
File is analyzed.
Summary of the invention
The purpose of the present invention is to provide a kind of Android application method for security protection based on dynamic virtual instruction set,
By extracting the key method instruction in Android application program in DEX file, and it is obscured and dynamic mapping, into
And execution is explained using customized virtual machine interpreter, so that the explanation around original Dalvik virtual machine executed
Journey, to achieve the purpose that protect Android application program.
Realizing the technical solution of the object of the invention is: a kind of safe guarantor of Android application based on dynamic virtual instruction set
Maintaining method, comprising the following steps:
Step 1 determines that the method to be protected in Android application program, a part of method are provided by developer, another portion
It is divided into the method for accessing system sensitive resource in application program, two parts method is generated into a key method set;
Step 2, according to the key method set generated in step 1, the method that key method is extracted from DEX file refers to
Enable, parameter type, return to Value Types, register number, i.e., according to corresponding offset by the information of key method from class data
It is extracted in area;
Step 3 obscures operation, including two parts to the instruction of the key method extracted in step 2 implementation: first, it is right
All instructions carry out the unification on format length in Dalvik virtual machine;Second, by analyzing in each application software to go out together
The existing higher instruction of frequency, is combined and is defined as new fictitious order together;Generation and original-party after obscuring operation
Method instructs different fictitious orders;
Step 4, dynamic random generate the permutation matrix of program instruction;
Step 5 is implemented dynamic to the key method instruction after obscuring in step 3 using the permutation matrix generated in step 4 and is become
It changes;Every a line and each one and only one nonzero element of column in permutation matrix are operated instruction using the principle of matrix multiple
Columns in permutation matrix representated by code in that row element where nonzero element is transformed as the operation code as a result, simultaneously
Save the mapping relations between original method instruction and fictitious order;
Step 6, for step 3 generate fictitious order, executed using customized interpreter through obscuring with it is transformed
Fictitious order;
Step 7, by step 5 generate original method instruction fictitious order between mapping relations, step 6 generate from
It defines interpreter to be stored in dynamic link library file, and this document is embedded or is integrated into Android application program.
Compared with prior art, the present invention its remarkable advantage is: the information such as instructing from Android the method for key method
Extracted in DEX file in application program, Mobile state instruction map of going forward side by side so that in attacker's static analysis program without
Method gets the effective information of corresponding key method.
The present invention devises a set of fictitious order collection, by unifying the command length of original Dalvik instruction set, and it is right
The shorter instruction of those command lengths is filled at random, and be added to it is new obscure instruction so that attacker without
Method attacks program instruction by the way of statistical analysis.
For the fictitious order collection of generation, the present invention devises customized interpreter and is used to explain execution fictitious order, empty
The execution of pseudoinstruction without android system Dalvik virtual machine.
Fictitious order collection and customized interpreter are embedded into Android application program by the present invention, are not necessarily at runtime
Modify Android first floor system.
It runs the Android application program after overprotection and does not need Root authority.
Detailed description of the invention
Fig. 1 is that the present invention is based on the system architecture diagrams of the Android application method for security protection of dynamic virtual instruction map.
Fig. 2 is that the present invention is based on overall process streams in the Android application method for security protection of dynamic virtual instruction map
Journey schematic diagram.
Specific embodiment
The present invention is based on the Android application method for security protection of dynamic virtual instruction set to include the following steps:
1, determine that the protected object in Android application program, protected object are the key methods in Android application program,
Wherein key method includes two parts, and first part is provided by developer, and developer provides them and thinks which method exists
In program operation process it is particularly significant needs be protected, second part is provided by the present invention, the present invention to application program into
Row analysis simultaneously will access the method for system sensitive resource as key method.
2, according to the key method set obtained in step 1, the method instruction of key method is extracted from DEX file
Etc. information.Key method is the class method for belonging to some class in program, its relevant information is stored in affiliated class in DEX file
Class data field in, the information of key method is extracted from class data field according to corresponding offset.
3, operation is obscured to the instruction implementation of the key method extracted in step 2, order confusion operation in the present invention
Including two parts, first, to finger all in Dalvik virtual machine on the basis of through analysis and research Dalvik instruction format
Enable the unification carried out on format length.Second, the higher instruction of the frequency of occurrences together is instructed in each application software by analyzing, it will
A combination thereof is defined as new fictitious order together.
4, dynamic random generates permutation matrix, and permutation matrix is a kind of special matrix, it is the side being only made of 0 and 1
Block matrix, and every a line of permutation matrix and it is each column all just only one 1, remaining element is all 0.
5, dynamic mapping is implemented to the method instruction after obscuring in step 3 using the permutation matrix generated in step 4.Instruction
Between transformation essence be operation code in instruction transformation, the operation code in instruction is exactly the mark that this instructs, according to permutation matrix
Characteristic (every a line with each column one and only one nonzero element) and principle for being multiplied of associate(d) matrix, present invention provide that in benefit
Columns when being converted with permutation matrix in that row element of permutation matrix represented by operation code where nonzero element is the behaviour
Result after making code conversion.
6, for step 5 generate fictitious order, the present invention devise customized interpreter be used to execute through obscuring with
Transformed method instruction, the Dalvik virtual machine interpreter which carries independently of Android possess a set of
It is directed to the exclusive interpretive program of fictitious order collection.
7, the fictitious order collection that step 5 generates and the customized interpreter that step 6 generates are stored in dynamic link library text
In part, and this document is embedded or is integrated into Android application program.
The principle of the present invention is: DEX file is the executable file under Android Dalvik virtual machine, which includes
The data and operational order that application program is related to during operation.In the compilation process of Android application program, Java
Source code is compiled as Class file first, is then one by all Class integrating documents by Android dx tool
DEX file, thus all methods in Android application development process are stored in DEX file.Normally executing
When some method in Android application program, Dalvik virtual machine can be carried out every instruction according to the instruction array of method
It explains and executes.However, Dalvik instruction is easy to be cracked by attacker, causes attacker that can carry out malice to it and distort, into
And jeopardize the safety of Android application.Guard method proposed by the present invention by Android apply in key method the letter such as instruction
Breath is extracted from DEX file, and is obscured and dynamic mapping to the Dalvik instruction in method, is mapped as making by oneself
The fictitious order of justice, explains execution to the fictitious order sequence after dynamic mapping using customized virtual machine interpreter,
To the Dalvik virtual machine relatively fragile around safety, Android is improved using the safety of itself and its implementation procedure.
1 and 2 the invention will be further described with reference to the accompanying drawing.
The present invention is based on the Android application method for security protection of dynamic virtual instruction map, are made of following steps:
1 carries out decompiling operation to original APK file first, after obtaining DEX file and the decompiling in application program
Smali formatted file.
2 determine the key method in protected object, that is, application program, and the key method in the present invention includes two aspects,
On the one hand it is provided by developer, developer thinks which method is the core of application program during application development
Heart logic or during operation vital method, using these methods as key method.The another aspect present invention passes through
Whether the Smali file foundation in static analysis step 1 accesses system sensitive resource to differentiate that a method is key side
Method, if this method has accessed system sensitive resource so it is assumed that this method is key method.
3, according to the key method set generated in step 2, extract method instruction of key method etc. from DEX file
Information, and method instruction is obscured.Specific step is as follows:
(1): in application program using to all data include data in the DEX file that is stored in of attribute information of method
Area, key method is the class method for belonging to some class in program, its relevant information is stored in the class of affiliated class in DEX file
Data field, the information extraction of this method is gone out according to offset address of the key method in its class data field.
(2): the instruction all to Dalvik is filled on the basis of through analysis and research Dalvik instruction format, is made
All instructions length having the same that call instruction is concentrated.
(3): instructing the higher instruction of the frequency of occurrences together in application software for XRF analysis, be combined and be defined as one together
New obscures instruction.
4 carry out dynamic mapping, dynamic mapping to the operation code obscured in instruction generated in step 3 using permutation matrix
Operation code mapping relations are inconsistent after referring to transformation every time, the specific steps are as follows:
(1): dynamic generation permutation matrix, due to the characteristic of permutation matrix, as long as the position of nonzero element is given birth to after determining
At permutation matrix.The present invention generates dynamic permutation matrix by determining the position of nonzero element at random.
(2): carrying out instruction map using the permutation matrix generated, the transformation between instructing essentially refers to operation code in order
Transformation, the operation code in instruction are exactly the mark of this instruction, according to its operation code are this instruction dispatch pair in interpreter
The interpretive program answered modifies its operation code and is equivalent to execute different interpretive programs.According to characteristic (every a line of permutation matrix
With each one and only one nonzero element of column) and the principle that is multiplied of associate(d) matrix, present invention provide that utilizing permutation matrix change
The columns where nonzero element when changing in that row element of permutation matrix represented by operation code is after the operation code conversion
Result.
The 5 customized interpreters of design are used to explain execution fictitious order.Customized interpreter passes through in execution method one by one
Fictitious order, execution is then explained to it for one interpretive program of each instruction dispatch, after execution return knot
Fruit, to realize the semanteme of this method in original application program.
6 are stored in customized interpreter and fictitious order in dynamic link library file, and by the dynamic link library file
It is put into Android application program, and it is carried out after repacking back compiling generation protection together with the DEX file after extraction
APK file.
Claims (2)
1. a kind of Android application method for security protection based on dynamic virtual instruction set, it is characterised in that:
Step 1 determines that the method to be protected in Android application program, a part of method are provided by developer, another portion
It is divided into the method for accessing system sensitive resource in application program, two parts method is generated into a key method set;
Step 2, according to the key method set generated in step 1, the method that key method is extracted from DEX file refers to
Enable, parameter type, return to Value Types, register number, i.e., according to corresponding offset by the information of key method from class data
It is extracted in area;
Step 3 obscures operation, including two parts to the instruction of the key method extracted in step 2 implementation: first, it is right
All instructions carry out the unification on format length in Dalvik virtual machine;Second, by analyzing in each application software to go out together
The existing higher instruction of frequency, is combined and is defined as new fictitious order together;Generation and original-party after obscuring operation
Method instructs different fictitious orders;
Step 4, dynamic random generate the permutation matrix of program instruction;
Step 5 is implemented dynamic to the key method instruction after obscuring in step 3 using the permutation matrix generated in step 4 and is become
It changes;Every a line and each one and only one nonzero element of column in permutation matrix are operated instruction using the principle of matrix multiple
Columns in permutation matrix representated by code in that row element where nonzero element is transformed as the operation code as a result, simultaneously
Save the mapping relations between original method instruction and fictitious order;
Step 6, for step 3 generate fictitious order, executed using customized interpreter through obscuring with it is transformed
Fictitious order;
Step 7, by step 5 generate original method instruction fictitious order between mapping relations, step 6 generate from
It defines interpreter to be stored in dynamic link library file, and this document is embedded or is integrated into Android application program.
2. the Android application method for security protection according to claim 1 based on dynamic virtual instruction set, feature exist
In the Dalvik virtual machine interpreter that: the customized interpreter is carried independently of Android, possesses and a set of be directed to virtual finger
Enable the exclusive interpretive program of collection.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710981989.2A CN109697339A (en) | 2017-10-20 | 2017-10-20 | A kind of Android application method for security protection based on dynamic virtual instruction map |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710981989.2A CN109697339A (en) | 2017-10-20 | 2017-10-20 | A kind of Android application method for security protection based on dynamic virtual instruction map |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109697339A true CN109697339A (en) | 2019-04-30 |
Family
ID=66226186
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710981989.2A Pending CN109697339A (en) | 2017-10-20 | 2017-10-20 | A kind of Android application method for security protection based on dynamic virtual instruction map |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109697339A (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112052459A (en) * | 2020-08-05 | 2020-12-08 | 北京智游网安科技有限公司 | Code virtualization encryption method, terminal and storage medium |
CN112052460A (en) * | 2020-08-05 | 2020-12-08 | 北京智游网安科技有限公司 | DEX file virtualization encryption method, computer equipment and storage medium |
CN112163195A (en) * | 2020-10-14 | 2021-01-01 | 北京邮电大学 | Novel virtual machine software protection method based on stack hiding |
CN112395614A (en) * | 2020-11-27 | 2021-02-23 | 南京理工大学 | Android application program virtualization protection method based on LLVM |
CN113254890A (en) * | 2021-06-01 | 2021-08-13 | 中电万维信息技术有限责任公司 | Android software protection device based on diversity of virtual machines and use method thereof |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103324872A (en) * | 2013-07-12 | 2013-09-25 | 上海交通大学 | Android application program protective method and system based on order confusion |
CN103544414A (en) * | 2013-10-25 | 2014-01-29 | 苏州通付盾信息技术有限公司 | Deep code obfuscation method for Android system applications |
CN104573424A (en) * | 2013-10-23 | 2015-04-29 | 中国银联股份有限公司 | Application protection system and method |
CN105975816A (en) * | 2015-12-25 | 2016-09-28 | 武汉安天信息技术有限责任公司 | Method and system for code protection based on virtual technology under mobile terminal |
CN106096338A (en) * | 2016-06-07 | 2016-11-09 | 西北大学 | A kind of have the virtualization software guard method that data stream is obscured |
-
2017
- 2017-10-20 CN CN201710981989.2A patent/CN109697339A/en active Pending
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103324872A (en) * | 2013-07-12 | 2013-09-25 | 上海交通大学 | Android application program protective method and system based on order confusion |
CN104573424A (en) * | 2013-10-23 | 2015-04-29 | 中国银联股份有限公司 | Application protection system and method |
CN103544414A (en) * | 2013-10-25 | 2014-01-29 | 苏州通付盾信息技术有限公司 | Deep code obfuscation method for Android system applications |
CN105975816A (en) * | 2015-12-25 | 2016-09-28 | 武汉安天信息技术有限责任公司 | Method and system for code protection based on virtual technology under mobile terminal |
CN106096338A (en) * | 2016-06-07 | 2016-11-09 | 西北大学 | A kind of have the virtualization software guard method that data stream is obscured |
Non-Patent Citations (1)
Title |
---|
刘佳佳等: "一种基于虚拟机定制的应用保护方法研究", 《技术研究》 * |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112052459A (en) * | 2020-08-05 | 2020-12-08 | 北京智游网安科技有限公司 | Code virtualization encryption method, terminal and storage medium |
CN112052460A (en) * | 2020-08-05 | 2020-12-08 | 北京智游网安科技有限公司 | DEX file virtualization encryption method, computer equipment and storage medium |
CN112163195A (en) * | 2020-10-14 | 2021-01-01 | 北京邮电大学 | Novel virtual machine software protection method based on stack hiding |
CN112163195B (en) * | 2020-10-14 | 2022-08-05 | 北京邮电大学 | Virtual machine software protection method based on stack hiding |
CN112395614A (en) * | 2020-11-27 | 2021-02-23 | 南京理工大学 | Android application program virtualization protection method based on LLVM |
CN112395614B (en) * | 2020-11-27 | 2023-07-28 | 南京理工大学 | LLVM-based Android application program virtualization protection method |
CN113254890A (en) * | 2021-06-01 | 2021-08-13 | 中电万维信息技术有限责任公司 | Android software protection device based on diversity of virtual machines and use method thereof |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109697339A (en) | A kind of Android application method for security protection based on dynamic virtual instruction map | |
CN108614960B (en) | JavaScript virtualization protection method based on front-end byte code technology | |
CN106096338B (en) | A kind of virtualization software guard method obscured with data flow | |
Balachandran et al. | Control flow obfuscation for android applications | |
CN103324872B (en) | Based on the guard method of Android application program and the system of order confusion | |
CN103413073B (en) | A kind of method and apparatus protecting JAVA executable program | |
CN108733988A (en) | The guard method of executable program on Android platform | |
CN106126981B (en) | Software security means of defence based on the replacement of virtual function table | |
CN105260659B (en) | A kind of kernel level code reuse type attack detection method based on QEMU | |
CN107729725A (en) | A kind of Android applications hardened system and method based on virtual machine instructions modification | |
CN104866734B (en) | A kind of guard method of DEX file and device | |
CN108681457A (en) | The Android application program guard methods explained with residual code based on code sinking | |
CN108733379B (en) | Android application reinforcement method based on DEX byte code extraction mapping confusion | |
WO2016094840A2 (en) | System, method & computer readable medium for software protection via composable process-level virtual machines | |
CN109684794B (en) | Code protection virtual machine KVM system realization method, device, computer equipment and storage medium | |
CN107577925B (en) | Based on the virtual Android application program guard method of dual ARM instruction | |
CN110210190A (en) | A kind of Code obfuscation method based on secondary compilation | |
CN109344612A (en) | The active defense method and system inversely attacked for program code static analysis | |
CN112163195B (en) | Virtual machine software protection method based on stack hiding | |
Lu et al. | DeepAutoD: Research on distributed machine learning oriented scalable mobile communication security unpacking system | |
CN107480476A (en) | A kind of Android local layer compiling of instruction based on ELF infection virtualizes shell adding method | |
Arthur et al. | Getting in control of your control flow with control-data isolation | |
CN106845234A (en) | A kind of Android malware detection method based on the monitoring of function flow key point | |
Araujo et al. | Compiler-instrumented, Dynamic {Secret-Redaction} of Legacy Processes for Attacker Deception | |
WO2021022927A1 (en) | Webpage script code protection method and apparatus |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication |
Application publication date: 20190430 |
|
RJ01 | Rejection of invention patent application after publication |