CN112069467B - Flower instruction confusion information safety control method, system and device for resisting disassembly - Google Patents


Info

Publication number
CN112069467B
Authority
CN
China
Prior art keywords
instruction
flower
instruction sequence
register
jump
Prior art date
Legal status
Active
Application number
CN202010965422.8A
Other languages
Chinese (zh)
Other versions
CN112069467A (en)
Inventor
乐德广
Current Assignee
Changshu Institute of Technology
Original Assignee
Changshu Institute of Technology
Priority date
Filing date
Publication date
Application filed by Changshu Institute of Technology
Priority to CN202010965422.8A
Publication of CN112069467A
Application granted
Publication of CN112069467B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/12 Protecting executable software
    • G06F21/14 Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Multimedia (AREA)
  • Technology Law (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a flower instruction (junk instruction) obfuscation information security control method and system for resisting disassembly. First, a jump flower instruction sequence that uses register indirect addressing is inserted into the ARM assembly code, constructing branch information and hiding it through indirect addressing. Second, a calculation flower instruction sequence is added to make the computation of the indirectly addressed register more complex, so as to further hide the branch information. Finally, a non-executable junk instruction sequence is added using metadata to resist the delayed resynchronization mechanism of linear-scan disassembly. The flower instructions constructed by the invention to hide the instructions to be protected confuse the disassembler's recursive scanning, and the combination of the jump flower instructions and the junk flower instructions resists both the disassembler's linear scanning and an attacker's dynamic trace debugging.

Description

Flower instruction confusion information safety control method, system and device for resisting disassembly
Technical Field
The invention relates to the fields of information security, software protection and software, and in particular to a flower instruction obfuscation information security control method and system for resisting disassembly.
Background
With the development of embedded technology, the ARM processor has quickly come to occupy the mobile communication market thanks to its small size, low power consumption and high performance, and most mobile devices such as Android smartphones and tablets use ARM processors. At the same time, attacks on programs running on ARM processors, such as ARM instruction disassembly, control flow analysis and dynamic debugging, are increasingly prominent. How to protect the security of ARM-based programs has therefore become a hot topic in software protection research. At present, protection against malicious disassembly analysis, which goes from low-level machine code to assembly instructions, relies mainly on instruction obfuscation; common obfuscation techniques include equivalent instruction replacement, instruction reordering and instruction overlapping. However, these instruction obfuscation algorithms are based on the X86 architecture with its variable-length instructions and are not applicable to the ARM architecture with its fixed-length instructions. In addition, most current research on jump flower instruction obfuscation still stays at the stage of JMP and BF direct jumps: the jump flower instructions use direct addressing, so the jump addresses are fixed and easy to identify, and recursive-scan disassembly cannot be resisted.
To overcome these technical defects while keeping the semantics of the program unchanged, the invention makes full use of the relative addressing of jump instructions, which not only implement control flow such as conditionals, loops and subroutine calls but can also provide program control-flow transformation and processor state switching, and which are therefore very effective for improving the security of programs on the ARM architecture. Accordingly, based on an analysis of the jump instructions in the ARM instruction set and on the structural characteristics of the multi-core ARM architecture, an ARM assembly flower instruction obfuscation algorithm based on register-indirect-addressed jumps is proposed, together with obfuscation construction methods including equivalent-transformation calculation flower instructions and non-executable junk flower instructions, so that the security of important algorithm instructions in an application is significantly improved on the ARM architecture.
Disclosure of Invention
1. Objects of the invention
The invention aims to solve the technical problem of resisting malicious disassembly and reverse-engineering attacks on the ARM architecture.
The invention aims to resist ARM disassembly.
2. Technical solution adopted by the invention
The invention discloses a flower instruction obfuscation information security control method for resisting disassembly, which comprises the following steps:
first, inserting a register-indirect-addressed jump flower instruction sequence into the ARM assembly code, constructing branch information and hiding it through indirect addressing;
second, adding a calculation flower instruction sequence that makes the computation of the indirectly addressed register more complex, so as to further hide the branch information;
finally, adding a non-executable junk instruction sequence using metadata, to resist the delayed resynchronization mechanism of linear-scan disassembly.
Preferably, the method comprises the following steps:
step 1, constructing branch information through a jump flower instruction sequence;
step 2, hiding the branch information using register indirect addressing;
step 3, making the register indirect addressing more complex;
the target position to which the branch path is moved is a register indirect address, and its value is generated by the calculation flower instruction sequence; another branch path is constructed by randomly inserting a non-executable junk instruction sequence.
Preferably, the entry address of the non-executable junk instruction is constructed so that the flower instruction sequence is disassembled, thereby combining the disassembled flower instruction sequence with the subsequent code.
Preferably, taking the branch instruction as the protected target instruction in step 1 specifically includes:
step 101, selecting a split position according to the protected target instruction;
step 102, setting the instruction sequence after the split position as the instruction sequence to be moved, namely the branch instruction sequence.
Preferably, hiding the branch information using register indirect addressing in step 2 specifically includes: selecting one available register as the register addressed by the indirect jump.
Preferably, making the register indirect addressing more complex in step 3 specifically includes:
step 301, assigning a value to the register through an ADR instruction;
step 302, setting the position after the ADR instruction as the current position;
step 303, reserving the positions of the flower instruction sequence and the junk instruction sequence;
step 304, marking a new jump position, namely the sum of the current position and the length of the register, the jump flower instruction sequence and the junk flower instruction sequence; the lengths of the jump flower instruction sequence and the junk flower instruction sequence are dynamic values, that is, the relative position of the jump flower instruction sequence is not fixed;
step 305, moving the instruction sequence to the new jump position;
step 306, selecting one or more currently available registers, calculating a flower instruction sequence based on an indirect structure, wherein the register value is the new jump position, and inserting the flower instruction sequence into the register;
step 307, adding a register addressing indirect jump instruction after the flower instruction sequence is calculated;
step 308, randomly constructing a non-executable junk instruction sequence according to the metadata, and adding the junk instruction sequence after the jump instruction.
The invention provides a flower instruction obfuscation system for resisting disassembly, which stores a program that implements the above method when executed by a processor.
The invention provides a flower instruction obfuscation device for resisting disassembly, which comprises:
a memory;
one or more processors; and
one or more programs stored in the memory and configured to be executed by the one or more processors, the programs, when executed by the processors, implementing the flower instruction obfuscation information security control method.
3. Advantageous effects of the invention
The flower instructions constructed by the invention to hide the instructions to be protected confuse the disassembler's recursive scanning, and the combination of the jump flower instructions and the junk flower instructions resists both the disassembler's linear scanning and an attacker's dynamic trace debugging.
Drawings
FIG. 1 is a comparison of the instruction sequence of the present invention and the prior art.
FIG. 2 is a flow chart of the present invention.
FIG. 3 is a flow chart of an embodiment of the present invention.
FIG. 4 is a flow chart of a further embodiment of the present invention.
FIG. 5 is a flow chart of setting a branch according to the present invention.
FIG. 6 is a flow chart of register indirect addressing and junk instruction insertion according to the present invention.
Detailed Description
The technical solutions in the examples of the present invention are clearly and completely described below with reference to the drawings in the examples of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present invention without inventive step, are within the scope of the present invention.
The present invention will be described in further detail with reference to the accompanying drawings.
Example 1
As shown in FIGS. 1-2, the invention provides a flower instruction obfuscation information security control method for resisting disassembly, which specifically comprises the following steps:
first, inserting a register-indirect-addressed jump flower instruction sequence into the ARM assembly code, constructing branch information and hiding it;
second, constructing a junk flower instruction sequence after the jump flower instruction sequence;
finally, obfuscating the indirect addressing register through the jump flower instruction sequence, specifically:
reserving the positions of the calculation flower instruction sequence, the jump flower instruction sequence and the junk flower instruction sequence;
the marked new jump position is obtained by combining the set position, the indirect register position, the flower instruction sequence and the junk flower instruction sequence; the flower instruction sequence and the junk flower instruction sequence are dynamic values, and the relative position of the jump instruction sequence is also a dynamic value.
As shown in FIG. 3, step 1, branch information is constructed by a jump flower instruction;
step 2, a branch path is constructed by moving the instruction sequence;
since the value of Rx is computed by the calculation flower instruction sequence M, the disassembler cannot determine the value of register Rx during disassembly and therefore cannot identify the entry of branch path S, which causes recursive-scan disassembly to produce errors.
Step 3, the target position to which the branch path is moved is a register indirect address, and its value is generated by the calculation flower instruction sequence; another branch path is constructed by randomly inserting a non-executable junk instruction sequence.
Since the address of the non-executable junk instruction N is a legal destination address and the added BX Rx is a legal jump instruction, the disassembler disassembles the flower instruction sequence at the entry address of the non-executable junk instruction and thereby combines it with the following code, so that linear-scan disassembly produces errors.
Example 2
As shown in FIG. 4, step 1, branch information is constructed with a BX jump instruction (the jump flower instruction in the ARM instruction set), which complicates the control flow of the program;
step 2, register Rx is used for indirect addressing to hide the branch information, so that recursive-scan disassembly misses a reachable branch flow or wrongly analyzes an unreachable one;
step 3 comprises step 3-1: the register is computed indirectly by the calculation flower instruction sequence M, which makes the register indirect addressing more complex and further hides the branch path information; the flower instructions may use various instructions, for example stack techniques with jmp, call and ret, position operations, and so on; and step 3-2: a non-executable junk instruction N is added using metadata in a pseudo branch of the program structure, to resist the delayed resynchronization mechanism of linear-scan disassembly and thereby confuse the disassembler.
Taking the branch instruction as the protected target instruction in step 1 specifically includes:
referring to FIG. 5, step 101, selecting a split position P according to the protected target instruction;
step 102, setting the instruction sequence S after the split position as the instruction sequence to be moved, namely the branch instruction sequence;
hiding the branch information by indirect addressing through the Rx register in step 2 specifically includes: selecting a register Rx that is available at P as the register addressed by the indirect jump.
As shown in FIG. 6, making the register indirect addressing more complex in step 3 specifically includes:
step 301, assigning a value to the Rx register through an ADR instruction;
step 302, setting the position after the ADR instruction to currS;
step 303, adding a non-executable junk instruction N using metadata in a pseudo branch of the program structure, to resist the delayed resynchronization mechanism of linear-scan disassembly and thereby confuse the disassembler;
step 304, reserving the positions of the calculation flower instruction sequence M and the junk flower instruction sequence N;
step 305, marking a new jump position offsetS, i.e., offsetS = currS + len(BX) + len(M) + len(N); since len(M) and len(N) are dynamic values, the relative position of the jump instruction sequence is not fixed;
step 306, moving the instruction sequence S to the new position offsetS;
step 307, selecting one or more currently available registers Rx, constructing the calculation flower instruction sequence M based on indirection such that Rx = offsetS, and inserting the calculation flower instruction sequence M after point P;
step 308, adding the register-addressed indirect jump instruction BX Rx after the calculation flower instruction sequence M;
step 309, randomly constructing a non-executable junk instruction sequence N according to the metadata, and adding the junk instruction sequence N after the jump instruction.
In the above algorithm, the branch is constructed using the BX instruction. One branch path is constructed by moving the instruction sequence S. The address of S is reached through register Rx by indirect addressing, and the value of Rx is computed by the calculation flower instruction sequence M, so the disassembler cannot determine the value of Rx during disassembly and cannot identify the entry of branch path S, which causes recursive-scan disassembly to produce errors.
In addition, another branch path is constructed by randomly inserting the non-executable junk instruction sequence N. Since the address of the non-executable junk instruction N is a legal destination address and the added BX Rx is a legal jump instruction, the disassembler must disassemble the flower instruction N, so that the flower instruction N is combined with the following code S and linear-scan disassembly produces errors.
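The layout arithmetic of steps 301 to 309, as an added Python model that is not code from the patent: instructions are symbolic 4-byte tuples rather than real ARM encodings, and the base address 0x8000, the register r4, the ADD/SUB/EOR operations chosen for M, the assumption that ADR loads currS, and all function names are made up for illustration. It checks that the value M leaves in Rx equals offsetS, and shows which words a recursive scan and a linear scan mishandle in this model.

```python
import random

WORD = 4                      # A32 instructions have a fixed 4-byte length
MASK = 0xFFFFFFFF

def alu(op, value, imm):
    """32-bit arithmetic used by the calculation sequence M."""
    if op == "ADD":
        return (value + imm) & MASK
    if op == "SUB":
        return (value - imm) & MASK
    return value ^ imm        # EOR

def build_layout(prefix, moved, m_len, n_len, seed=0, base=0x8000, rx="r4"):
    """Lay out prefix | ADR | M | BX Rx | N | S; return (code, offsetS)."""
    if m_len < 1:
        raise ValueError("M needs at least one instruction")
    rng, code, addr = random.Random(seed), {}, base

    def emit(ins):
        nonlocal addr
        code[addr] = ins
        addr += WORD

    for name in prefix:                       # instructions before split point P
        emit(("OP", name))
    curr_s = addr + WORD                      # step 302: position after the ADR
    emit(("ADR", rx, curr_s))                 # step 301 (assumed to load currS)
    # step 305: offsetS = currS + len(BX) + len(M) + len(N)
    offset_s = curr_s + WORD + m_len * WORD + n_len * WORD
    value = curr_s
    for _ in range(m_len - 1):                # step 307: random arithmetic on Rx
        op, imm = rng.choice(["ADD", "SUB", "EOR"]), rng.randrange(1, 0x1000)
        value = alu(op, value, imm)
        emit((op, rx, imm))
    emit(("EOR", rx, value ^ offset_s))       # last op of M forces Rx = offsetS
    emit(("BX", rx))                          # step 308
    for _ in range(n_len):                    # step 309: non-executable junk words
        emit(("JUNK", rng.getrandbits(32)))
    for name in moved:                        # step 306: S now starts at offsetS
        emit(("OP", name))
    return code, offset_s

def recursive_scan(code, entry):
    """Follow control flow; stop at BX because its target is not a constant."""
    reached, addr = [], entry
    while addr in code:
        reached.append(addr)
        if code[addr][0] == "BX":
            break
        addr += WORD
    return reached

def runtime_target(code, entry):
    """Execute ADR and M as the CPU would; return the address BX Rx jumps to."""
    regs, addr = {}, entry
    while code[addr][0] != "BX":
        op = code[addr]
        if op[0] == "ADR":
            regs[op[1]] = op[2]
        elif op[0] in ("ADD", "SUB", "EOR"):
            regs[op[1]] = alu(op[0], regs[op[1]], op[2])
        addr += WORD
    return regs[code[addr][1]]

def scan_report(code, entry):
    """Which words each static scan strategy gets wrong in this model."""
    reached = set(recursive_scan(code, entry))
    junk = sorted(a for a, ins in code.items() if ins[0] == "JUNK")
    real = sorted(a for a, ins in code.items() if ins[0] != "JUNK")
    return {"recursive_missed": [a for a in real if a not in reached],
            "linear_decodes_junk": junk}  # a linear scan decodes every word

if __name__ == "__main__":
    code, offset_s = build_layout(["push", "ldr"], ["mul", "str", "pop"], 5, 3, seed=7)
    print(hex(offset_s), hex(runtime_target(code, 0x8000)), scan_report(code, 0x8000))
```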
First, a register-indirect-addressed jump flower instruction sequence is inserted into the ARM assembly code to construct and hide branch information; a junk flower instruction is then constructed after the jump instruction; and the indirect addressing register is then obfuscated through the jump flower instruction sequence.
The above description is only for the preferred embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (4)

1. A flower instruction obfuscation information security control method for resisting disassembly, characterized in that:
step 1, constructing a branch instruction through a jump flower instruction sequence; taking the branch instruction as the protected target instruction in step 1 specifically includes:
step 101, selecting a split position according to the protected target instruction;
step 102, setting the instruction sequence after the split position as the instruction sequence to be moved, namely the branch instruction sequence;
step 2, hiding the branch information using register indirect addressing; hiding the branch information using register indirect addressing in step 2 specifically includes: selecting an available register as the register addressed by the indirect jump;
step 3, making the register indirect addressing more complex; making the register indirect addressing more complex in step 3 specifically includes:
step 301, assigning a value to the register through an ADR instruction;
step 302, setting the position after the ADR instruction as the current position;
step 303, reserving the positions of the flower instruction sequence and the junk instruction sequence;
step 304, marking a new jump position, wherein the new jump position is the sum of the current position and the length of the register, the jump flower instruction sequence and the junk flower instruction sequence; the lengths of the jump flower instruction sequence and the junk flower instruction sequence are dynamic values, and the relative position of the jump flower instruction sequence is not fixed;
step 305, moving the instruction sequence to the new jump position;
step 306, selecting one or more currently available registers, calculating a flower instruction sequence based on an indirect structure, wherein the register value is a new jump position, and inserting the flower instruction sequence into the register;
step 307, adding a register addressing indirect jump instruction after the flower instruction sequence is calculated;
step 308, randomly constructing a non-executable junk instruction sequence according to the metadata, and adding the junk instruction sequence after the jump instruction.
2. The flower instruction obfuscation information security control method for resisting disassembly according to claim 1, wherein: the entry address of the non-executable junk flower instruction is constructed so that the flower instruction sequence is disassembled, thereby combining the disassembled flower instruction sequence with the code after it.
3. A flower instruction obfuscation system for resisting disassembly, for performing the method of any one of claims 1-2.
4. A flower instruction obfuscation apparatus for resisting disassembly, comprising:
a memory;
one or more processors; and
one or more programs stored in the memory and configured to be executed by the one or more processors, the programs, when executed by the processors, implementing the flower instruction obfuscation information security control method of any one of claims 1-2.
CN202010965422.8A 2020-09-15 2020-09-15 Flower instruction confusion information safety control method, system and device for resisting disassembly Active CN112069467B (en)


Publications (2)

Publication Number Publication Date
CN112069467A 2020-12-11
CN112069467B 2022-02-01


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant