CN117574366A - Intelligent active software protection method based on application layer function system call set - Google Patents


Info

Publication number
CN117574366A
Authority
CN
China
Prior art keywords
function
system call
program
call set
software
Prior art date
Legal status
Pending
Application number
CN202311499664.2A
Other languages
Chinese (zh)
Inventor
刘亮
张星星
胡军
Current Assignee
Nanjing University of Aeronautics and Astronautics
Original Assignee
Nanjing University of Aeronautics and Astronautics

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/30 Creation or generation of source code
    • G06F8/37 Compiler construction; Parser generation

Abstract

The invention provides an intelligent active software protection method based on an application layer function system call set, which comprises two stages: construction of the normal mode of a standard system call set, and program abnormality judgement. In the normal-mode construction stage, the source code is compiled and its corresponding function call graph is generated; a mapping table from library functions to system calls is then generated from an analysis of the library; finally, the legal system call set of each application function is generated and recorded as the normal mode of the software. In the program abnormality judgement stage, the software program is instrumented at the entry and exit of each function. When the program actually executes, its system call sequence is obtained and divided by function, and each part is compared with the normal mode of the standard system call set: if every system call issued by a function exists in the corresponding standard system call set, the software is considered to run normally; otherwise it is considered abnormal.

Description

Intelligent active software protection method based on application layer function system call set
Technical Field
The invention relates to the technical field of computers, in particular to an intelligent active software protection method that restricts system calls at fine granularity in a Linux environment.
Background
Because of program-specific defects, computer programs can exhibit unexpected behaviour at runtime: besides performing their intended function, they may enter unexpected execution states. At best, such behaviour impairs the intended function of the program; at worst it crashes the program so that it cannot work at all. In more serious cases, security-related program flaws may be exploited by malicious programs, exposing the program's host machine to attack. Malicious software mostly completes its intrusion through system calls, so limiting the use of system calls is an important means of preventing it.
Program analysis methods fall into dynamic analysis and static analysis. Static analysis can determine the possible execution states of a program without running it, which favours automated and rapid analysis. Large projects contain a large amount of inter-procedural information and complex intra-procedural information, both of which can be acquired quickly through static analysis, and accurate intra-procedural information further improves the precision of static analysis.
Most intrusion detection systems are based on one of two approaches: 1. generating a behavioural model of a program or system by observing its behaviour on known inputs; 2. requiring a rule base to be generated. In both cases, these systems monitor the execution of the deployed program or system and raise an alarm when execution deviates.
Through the system call interface, a program running in user mode switches to kernel mode to access kernel code: the data to be passed is written into registers, the kernel processes the user's request, and control returns to user mode. Testing the system call interface is therefore an extremely efficient way of discovering operating system vulnerabilities.
Studies have shown that short sequences of system calls issued by running processes can reliably distinguish the normal and abnormal operating characteristics of several common UNIX programs. Normal behaviour is collected in two ways: 1. in a live user environment, exercising the program's normal modes of use as fully as possible; 2. in a live user environment, by tracing the actual execution of the program.
A system call is the entry point for accessing kernel resources. While it gives users great convenience in reaching the kernel, it also offers attackers a point of attack: an attacker typically obtains resources or elevates privileges by constructing suitable parameters to a system call. Restricting system calls accordingly is therefore critical to application security.
Disclosure of Invention
The invention proposes generating a function-level system call restriction set for an application program so as to shrink the usable system call set at each stage; it obtains the legal system call set of each application function through static analysis and uses an instrumentation technique to divide the dynamically executed system call sequence by function. The method is suitable for intelligent active protection of software and is used to detect abnormal program behaviour.
The object of the invention is achieved by at least one of the following technical solutions.
An intelligent active software protection method based on an application layer function system call set comprises the following steps:
Based on the LLVM compiler, control flow graphs for each generic function call can be generated directly.
Control flow graphs for C or C++ code can be generated with LLVM: the program is first compiled to LLVM IR, and call graphs are then generated with opt. The call graph contains all functions and the library functions they require, together with the call relationships between functions; in general, library functions are mostly "leaf" nodes.
System calls are typically invoked through the libc library, which provides the corresponding wrapper functions (e.g., the libc write function invokes the sys_write system call). We map each exported libc function to its associated system calls by first generating a call graph of the entire library and then augmenting it with the system call information of each function as a "leaf" on the generated call graph.
An algorithm then forms the legal set of system calls for each application function from the exact function call graph and the mapping of library functions to system calls.
In our scheme, not only are the system calls used by the application captured, but the stage the application has reached can also be determined, i.e. which application function the program is currently executing. To this end, instrumentation is performed at the entry and exit of every function. A simple insertion such as printf, however, itself issues several system calls and uses a buffer, which would interfere with the judgement; the Linux kernel is therefore modified to add a custom system call, so that the actual running position of the program can be determined quickly without interfering with the capture of other system calls.
strace is a tool for capturing the signals generated while a process executes (i.e. tracing the system calls issued by the process, including their parameters, return values and execution time). During dynamic analysis, the system calls issued by the running program are captured with strace, and the complete system call sequence is divided into short sequences corresponding to functions according to the instrumentation information.
The divided short sequences are then compared with the normal mode of the standard system call set: if every system call issued by a function exists in that function's standard system call set, the software is considered to run normally; otherwise the software is judged to be under attack or executing abnormally, a software behaviour abnormality warning is triggered, and the active protection mode is entered.
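As an added illustration of steps C to F above (example code written for this page, not the patent's own implementation), the following Python builds each function's legal system call set from a constructed call graph and libc mapping table, partitions a constructed strace-style trace by function using a hypothetical func_mark marker syscall standing in for the patent's custom system call, and reports any calls that fall outside a function's legal set.

```python
import re
from collections import defaultdict

# Constructed stand-ins for the patent's LLVM call graph and libc mapping table;
# the function names and the func_mark marker syscall are this example's assumptions.
APP_CALLS = {"main": ["read_config", "serve"],                     # caller -> callees
             "read_config": ["fopen", "fgets", "fclose"], "serve": ["write"]}
LIBC_SYSCALLS = {"fopen": {"openat"}, "fgets": {"read"}, "fclose": {"close"}, "write": {"write"}}
MARK = "func_mark"   # hypothetical custom syscall inserted at entry (1) and exit (0) of each function

def legal_syscall_sets(app_calls, libc_map):
    """Step C: a function's legal set is the union of syscalls reachable through its callees."""
    def reach(fn, active):
        if fn in libc_map:
            return set(libc_map[fn])
        if fn in active:                  # recursive call already being expanded
            return set()
        return set().union(*(reach(c, active | {fn}) for c in app_calls.get(fn, ())))
    return {fn: reach(fn, frozenset()) for fn in app_calls}

LINE = re.compile(r"^(\w+)\((.*)\)\s*=")  # strace-style line: name(args) = result
def partition_trace(trace):
    """Steps D/E: attribute each traced syscall to the innermost instrumented function."""
    stack, per_fn = [], defaultdict(list)
    for m in filter(None, map(LINE.match, trace.splitlines())):
        name, args = m.groups()
        if name == MARK:
            flag, fn = (a.strip().strip('"') for a in args.split(","))
            if flag == "1":
                stack.append(fn)
            elif stack and stack[-1] == fn:
                stack.pop()
        elif stack:                       # syscalls before the first marker are not attributed
            per_fn[stack[-1]].append(name)
    return dict(per_fn)

def check_trace(trace, legal):
    """Step F: per function, the syscalls outside its legal set; an empty dict means normal."""
    extra = {fn: sorted(set(seq) - legal.get(fn, set())) for fn, seq in partition_trace(trace).items()}
    return {fn: s for fn, s in extra.items() if s}

TRACE = """func_mark(1, "read_config") = 0
openat(AT_FDCWD, "app.conf", O_RDONLY) = 3
read(3, "port=80", 4096) = 7
close(3) = 0
func_mark(0, "read_config") = 0
func_mark(1, "serve") = 0
write(1, "ready", 5) = 5
socket(AF_INET, SOCK_STREAM, 0) = 4
func_mark(0, "serve") = 0"""
```

Running `check_trace(TRACE, legal_syscall_sets(APP_CALLS, LIBC_SYSCALLS))` on the constructed trace flags `socket` inside `serve`, whose legal set from the call graph contains only `write`.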
Drawings
FIG. 1 is a schematic diagram of a source code program
FIG. 2 is a schematic diagram of a function call graph
FIG. 3 is a diagram of the visual equivalence of a function call graph
FIG. 4 is a collection of legal system calls and library functions for application functions
FIG. 5 is a legal set of system calls for an application function
FIG. 6 is a schematic diagram of system calls captured by strace
FIG. 7 is a simplified example program
FIG. 8 is the corresponding control flow graph.

Claims (1)

1. An intelligent active software protection method based on an application layer function system call set, characterised by comprising the following steps:
Stage one, construction of the normal mode of the standard system call set:
Step A, static analysis generates the control flow graph of a generic function call:
based on the LLVM compiler, control flow graphs for each generic function call can be generated directly.
Step B, static analysis generates a mapping table of library functions to system calls:
based on static analysis of the library, the mapping relation between the library's functions and system calls is obtained, yielding a mapping table.
Step C, merging to obtain the legal system call set of each application function:
the legal system call set of each application function in the application program is calculated from the function call graphs and the mapping table obtained in step A and step B.
Stage two, program abnormality determination:
Step D, program instrumentation:
instrumentation is performed at the beginning and end of the entry function and of every function the program invokes directly or indirectly from it, so that the system function call sequence can subsequently be partitioned by function.
Step E, the program executes dynamically and the system function call sequence is acquired:
the system function call sequence is acquired with strace while the program executes, and the whole sequence is divided into the system call set of each function according to the instrumentation information.
Step F, judging whether the program is abnormal:
the system call set of each function divided in step E is compared with the set obtained in step C; if the system call set of each function lies within the legal system call set of the corresponding function, the software is judged to run normally, and if it exceeds the legal system call set, the software is judged to be attacked or to be executing abnormally, a software behaviour abnormality warning is triggered, and the active protection mode is entered.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311499664.2A CN117574366A (en) 2023-11-10 2023-11-10 Intelligent active software protection method based on application layer function system call set

Publications (1)

Publication Number Publication Date
CN117574366A true CN117574366A (en) 2024-02-20

Family

ID=89892804

Legal Events

Date Code Title Description
PB01 Publication