CN117707613A - Program code isomerism method, isomerism device, electronic equipment and storage medium - Google Patents


Publication number
CN117707613A
Authority
CN
China
Prior art keywords
basic blocks
program code
acquiring
confusion
key function
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311803249.1A
Other languages
Chinese (zh)
Inventor
王丹
张晓�
阮冲
吴坡
李斌
杨文�
张江南
宋彦楼
韩伟
王品卓
李华普
王子
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Corp of China SGCC
State Grid Henan Electric Power Co Ltd
Electric Power Research Institute of State Grid Henan Electric Power Co Ltd
Original Assignee
State Grid Corp of China SGCC
State Grid Henan Electric Power Co Ltd
Electric Power Research Institute of State Grid Henan Electric Power Co Ltd
Application filed by State Grid Corp of China SGCC, State Grid Henan Electric Power Co Ltd, Electric Power Research Institute of State Grid Henan Electric Power Co Ltd
Priority to CN202311803249.1A
Publication of CN117707613A


Abstract

The invention provides a program code heterogenization method, heterogenization device, electronic equipment and storage medium, belonging to the technical field of software security. The heterogenization method comprises: acquiring the target attack surface through which the program code is easily breached, and identifying the key functions that need heterogeneous processing according to the target attack surface; generating an abstract syntax tree of the program code, acquiring tree structure information of each key function from the abstract syntax tree, and dividing the key function into a plurality of basic blocks according to that tree structure information; acquiring the logical relationships between the basic blocks; obfuscating the basic blocks using dynamic opaque predicates; and constructing clones of the successor basic blocks of the obfuscated basic blocks, obfuscating the instructions of the clones, and connecting the instruction-obfuscated clones to the obfuscated basic blocks. The method and device can actively defend against unknown attack behaviors and improve the security and reliability of the program code.

Description

Program code isomerism method, isomerism device, electronic equipment and storage medium
Technical Field
The invention belongs to the technical field of software security, and particularly relates to a program code isomerism method, isomerism device, electronic equipment and storage medium.
Background
With the rapid development of information technology, computer technology plays an increasingly important role in the generation, exchange and processing of data, and at the same time faces increasingly serious security threats, among which reverse engineering is a main way for programs to be attacked. As reverse engineering has developed, many reverse engineering tools have appeared and many new techniques have been applied to it. This rapid development poses great challenges to software protection: by means of disassembly, decompilation, dynamic single-step debugging and the like, an attacker studies the working principle and behavior of the source program code in depth, performs structural and functional analysis on it, and explores the internal running logic of the program, so that it is not difficult to find vulnerabilities in the source program and a convenient attack path to the desired information.
The main way to protect a program and defend against attack is to increase the difficulty of the attack. The traditional software security field guarantees software security in an extremely passive manner, and such passive defense is usually developed only after a vulnerability has been discovered.
Therefore, how to improve the security and reliability of program code is an urgent problem to be solved.
Disclosure of Invention
The invention aims to solve the technical problem of providing a program code isomerism method, isomerism device, electronic equipment and storage medium for overcoming the defects in the prior art.
In order to solve the technical problems, the invention adopts the following technical scheme:
A program code heterogenization method, comprising: acquiring the target attack surface through which the program code is easily breached, and identifying the key functions that need heterogeneous processing according to the target attack surface; generating an abstract syntax tree of the program code, acquiring tree structure information of each key function from the abstract syntax tree, and dividing the key function into a plurality of basic blocks according to that tree structure information; acquiring the logical relationships between the basic blocks; obfuscating the basic blocks using dynamic opaque predicates; and constructing clones of the successor basic blocks of the obfuscated basic blocks, obfuscating the instructions of the clones, and connecting the instruction-obfuscated clones to the obfuscated basic blocks.
Further, the method for identifying the key functions that need heterogeneous processing according to the target attack surface comprises: according to the relationship between the program code and the system resources of the target attack surface, tracing back from those system resources to the corresponding functional modules of the program and their source code, and thereby identifying the key functions in the program code that need heterogeneous processing.
Further, the method for acquiring the logical relationships between the basic blocks comprises: analyzing the logical relationships and topological structure of the basic blocks based on the tree structure information of the key function and the program code, to obtain the logical relationships between the basic blocks; the logical relationships include execution flow, data dependency and inheritance references.
Further, the method for obfuscating basic blocks using dynamic opaque predicates comprises: obtaining the number of successor basic blocks of a target basic block according to the logical relationships between the basic blocks; when the target basic block has only one successor basic block, constructing an obfuscation block using a dynamic opaque predicate and inserting the constructed obfuscation block at the tail of the target basic block.
Further, the method for constructing an obfuscation block using a dynamic opaque predicate comprises: initializing an opaque predicate, randomly selecting a variable from the target basic block into which the obfuscation block is to be inserted and binding it to the opaque predicate, and determining the subsequent jump path according to the result of evaluating the opaque predicate.
Further, the method for obfuscating the instructions of the clone comprises: shuffling the order of the instructions in the clone and constructing opaque predicates according to the original jump rules of the instructions.
Further, the method for obfuscating the instructions of the clone comprises: replacing an original instruction with an instruction that has the same meaning but a different syntax.
A program code heterogenization device comprises an identification unit, a division unit, an analysis unit and an obfuscation unit. The identification unit is used for acquiring the target attack surface through which the program code is easily breached, and for identifying the key functions that need heterogeneous processing according to the target attack surface. The division unit is used for generating an abstract syntax tree of the program code, acquiring tree structure information of the key function from the abstract syntax tree, and dividing the key function into a plurality of basic blocks according to that tree structure information. The analysis unit is used for acquiring the logical relationships between the basic blocks. The obfuscation unit is used for obfuscating the basic blocks using dynamic opaque predicates, for obfuscating the clones of the successor basic blocks of the obfuscated basic blocks, and for connecting the instruction-obfuscated clones to the obfuscated basic blocks.
Further, the identification unit comprises a system resource module and a key function module; the system resource module is used for acquiring the relationship between the program code and the system resources of the target attack surface; the key function module is used for tracing back from the system resources of the target attack surface to the corresponding functional modules of the program and their source code, and for identifying the key functions in the program code that need heterogeneous processing.
Further, the analysis unit comprises a logical relationship module; the logical relationship module is used for analyzing the logical relationships and topological structure of the basic blocks based on the tree structure information of the key function and the program code, and for obtaining the logical relationships between the basic blocks; the logical relationships include execution flow, data dependency and inheritance references.
Further, the obfuscation unit comprises a basic block obfuscation module; the basic block obfuscation module is used for obtaining the number of successor basic blocks of a target basic block according to the logical relationships between the basic blocks, constructing an obfuscation block using a dynamic opaque predicate when the target basic block has only one successor basic block, and inserting the constructed obfuscation block at the tail of the target basic block.
Further, the basic block obfuscation module comprises an obfuscation block construction module; the obfuscation block construction module is used for initializing an opaque predicate, randomly selecting a variable from the target basic block into which the obfuscation block is to be inserted and binding it to the opaque predicate, and determining the subsequent jump path according to the result of evaluating the opaque predicate.
Further, the obfuscation unit also comprises a clone obfuscation module; the clone obfuscation module is used for shuffling the order of the instructions in the clone and constructing opaque predicates according to the original jump rules of the instructions; the clone obfuscation module is also used for replacing an original instruction with an instruction that has the same meaning but a different syntax.
An electronic device includes a processor and a memory; the memory is configured to store executable instructions and the processor is configured to execute the instructions to implement the heterogeneous method.
A computer readable storage medium having instructions stored therein that, when executed, implement the heterogeneous method.
Compared with the prior art, the invention has the following beneficial effects:
First, the key functions of the program code that need heterogeneous processing are identified based on the attack surface concept, complete lexical and syntax analysis is performed on the program code, key function information is extracted, and the key functions are divided into a plurality of basic blocks; then the basic blocks are analyzed based on the key function information to obtain the logical relationships between different basic blocks; finally, the basic blocks are obfuscated using dynamic opaque predicates, clones of the successor basic blocks are constructed, and the dependencies between the basic blocks are blurred by obfuscating the clones. Therefore, the invention can actively defend against unknown attack behaviors and improve the security and reliability of the program code.
Based on the attack surface concept, the invention identifies the most important and sensitive parts of the program code from an attacker's point of view, so that obfuscation and protection are applied in a more targeted way. The invention performs complete lexical and syntax analysis on the program code, so that key function information is extracted more accurately and the key functions are divided into a plurality of basic blocks. Obtaining the logical relationships between different basic blocks provides more targeted information for obfuscation and clone construction. Obfuscation with dynamic opaque predicates increases the complexity of the code and blurs the connections between basic blocks, so that the code shows unpredictable behavior when executed, which raises the difficulty of reverse engineering and strengthens the security of the program.
Drawings
The present invention will be described in further detail with reference to the accompanying drawings.
Fig. 1: flow chart of Embodiment 1 of the present invention;
Fig. 2: schematic diagram of the implementation process of Embodiment 1 of the present invention;
Fig. 3: schematic code of obfuscating a basic block using a dynamic opaque predicate according to the present invention;
Fig. 4: schematic code of the basic block flattening method of the present invention;
Fig. 5: schematic diagram of Embodiment 2 of the present invention;
Fig. 6: schematic diagram of Embodiment 3 of the present invention.
Detailed Description
For a better understanding of the present invention, the content of the present invention will be further clarified below with reference to the examples and the accompanying drawings, but the scope of the present invention is not limited to the following examples only. In the following description, numerous specific details are set forth in order to provide a more thorough understanding of the present invention. It will be apparent, however, to one skilled in the art that the invention may be practiced without one or more of these details.
Example 1: referring to Figs. 1-4, the object of this embodiment is to provide a program code heterogenization method. As shown in Figs. 1 and 2, the method includes:
S1, acquiring the target attack surface through which the program code is easily breached, and identifying the key functions that need heterogeneous processing according to the target attack surface.
The attack surface of the program code is measured to obtain the target attack surface through which the program is easily breached. An attack surface is a potential security hole or attack path of a program, which an attacker can use to attack the program or the system.
Program code heterogenization can eliminate the system resources in the attack surface that an attacker could use, or lower the ratio of attack effectiveness to cost for those resources, thereby improving resistance to attack. According to the relationship between the program code and the system resources of the target attack surface, the corresponding functional modules of the program and their source code are traced back from those system resources, and the key functions in the program code that need heterogeneous processing are identified accordingly.
S2, generating an abstract syntax tree of the program code, acquiring tree structure information of the key function from the abstract syntax tree, and dividing the key function into a plurality of basic blocks according to that tree structure information.
Complete lexical and syntax analysis is performed on the program code to generate its abstract syntax tree; the tree structure information of the key function is obtained from the abstract syntax tree, and the key function is divided into a plurality of basic blocks according to that information (for example, how the successor nodes are divided).
An abstract syntax tree (AST) is an abstract representation of the syntactic structure of source code: it represents the syntax of the programming language as a tree, and each node of the tree represents a construct in the source code. This application uses the front end of the open-source LLVM compiler to generate the abstract syntax tree.
S3, analyzing the logical relationships and topological structure of the basic blocks to obtain the logical relationships between them.
The logical relationships and topological structure of the basic blocks are analyzed based on the tree structure information of the key function and the program code. The one-way or two-way transitions between basic blocks (jump, call or sequential execution) are analyzed to obtain the logical relationships between the corresponding basic blocks, such as execution flow, data dependency and inheritance references, so that the successor basic blocks of any given basic block can be obtained.
S4, obfuscating the basic blocks using dynamic opaque predicates.
Based on a prototype of the LLVM compiler tool chain, an obfuscation module is introduced to obfuscate basic blocks. The obfuscation module obfuscates basic blocks using opaque predicates; it also randomly selects a variable of a specific data type in the program and assigns the value of that variable to the opaque predicate, which is what makes the opaque predicate dynamic.
The obfuscation module may be implemented as a Pass in the LLVM compiler. A Pass is a stage or plug-in of the compiler that performs specific analyses and transformations at different stages of the compilation process.
Opaque predicate obfuscation means inserting opaque predicates, as basic blocks, into the control flow of a program. An opaque predicate is a predicate expression whose output is already determined at obfuscation time, but whose value at a given program point is difficult to calculate by static program analysis. Inserting opaque predicates into the control flow as part of the branch conditions strengthens control flow obfuscation and makes it difficult for static program analysis to calculate the output automatically.
Specifically, the number of successor basic blocks of a target basic block is obtained from the logical relationships between the basic blocks. When the target basic block has only one successor basic block, an obfuscation block is constructed using a dynamic opaque predicate and inserted at the tail of the target basic block; the obfuscation block constructs the dynamic opaque predicate and selects the jump path. To construct the obfuscation block, the opaque predicate is first initialized, then a variable is randomly selected from the target basic block into which the obfuscation block is to be inserted and bound to the opaque predicate, and finally the opaque predicate is evaluated and its result is used to select the subsequent jump path. The target basic block and the obfuscation block inserted after it together form a mixed basic block.
When the target basic block has several successor basic blocks, the obfuscation block is inserted at the head of the longer successor basic block.
Fig. 3 is a schematic diagram of obfuscating a basic block using a dynamic opaque predicate, where obfBlock denotes the obfuscation block and jmpVar denotes the dynamic opaque predicate. In Fig. 3, the original basic block has only one successor basic block (label 4), and an obfuscation block (label obfBlock) is inserted at the tail of the basic block, that is, between the basic block and its successor. The dynamic opaque predicate is bound to a randomly selected variable value in the basic block. The dependencies between basic blocks were originally obvious within the functions of the program, but introducing the dynamic opaque predicate obscures them.
S5, constructing clones of the successor basic blocks of the obfuscated basic blocks, obfuscating the instructions of the clones, and connecting the instruction-obfuscated clones to the obfuscated basic blocks.
The successor basic block of an obfuscated basic block is obtained from the logical relationships between the basic blocks, and a clone of that successor basic block is constructed; the instructions in the clone are then obfuscated using basic block flattening and equivalent instruction substitution; finally, the instruction-obfuscated clone is connected to its obfuscated predecessor basic block.
Basic block flattening of a clone works as follows: the instructions in the clone are placed, in shuffled order, into a dispatch module (such as a switch statement), opaque predicates are constructed according to the original jump rules of the instructions, and the destination of the next jump is decided by those opaque predicates, which blurs the logical relationships between basic blocks. The basic block flattening method is illustrated in Fig. 4.
Equivalent instruction substitution on a clone works as follows: an original instruction is replaced with an instruction that has the same meaning but a different syntax.
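Steps S4 and S5 applied by hand to a small function, as an added example that is not the patent's own code and does not reproduce Figs. 3 or 4. The names obfBlock and jmpVar follow the description of Fig. 3; the key function, the constants and the counters are constructed for illustration, and the transformation is shown at C source level, whereas the page performs it in an LLVM Pass. It assumes both jump targets of the obfuscation block (the original successor and its clone) are semantically equivalent.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Demo instrumentation only: counts which successor actually ran. */
static unsigned hits_orig, hits_clone;

/* Constructed key function. Block A folds the input; block B is A's
 * single successor and finalises the value. */
uint32_t key_plain(const uint8_t *buf, size_t n)
{
    uint32_t acc = 0x1234u;
    for (size_t i = 0; i < n; i++)          /* block A */
        acc = acc * 31u + buf[i];
    acc = acc + (uint32_t)n;                /* block B */
    acc = acc ^ (acc >> 7);
    acc = acc - 0x55u;
    return acc;
}

/* Hand-transformed equivalent of key_plain (steps S4 and S5). */
uint32_t key_hetero(const uint8_t *buf, size_t n)
{
    uint32_t acc = 0x1234u, jmpVar, state, t;
    for (size_t i = 0; i < n; i++)          /* block A, unchanged */
        acc = acc * 31u + buf[i];

    /* obfBlock, appended to the tail of block A (S4) */
    jmpVar = 0x9E3779B9u;                   /* 1. initialise the predicate  */
    jmpVar ^= acc;                          /* 2. bind it to a variable of A */
    if (jmpVar & 1u)                        /* 3. run-time value picks path  */
        goto block_b;
    goto block_b_clone;

block_b:                                    /* original successor */
    hits_orig++;
    acc = acc + (uint32_t)n;
    acc = acc ^ (acc >> 7);
    acc = acc - 0x55u;
    return acc;

block_b_clone:                              /* obfuscated clone of B (S5) */
    hits_clone++;
    state = 2u;
    for (;;) {                              /* flattening: switch dispatcher */
        switch (state) {                    /* cases stored out of order     */
        case 0u:                            /* a - c  ==  a + ~c + 1         */
            acc = acc + ~0x55u + 1u;
            return acc;
        case 1u:                            /* a ^ b  ==  (a|b) - (a&b)      */
            t = acc >> 7;
            acc = (acc | t) - (acc & t);
            state = (t * (t + 1u)) & 1u;    /* t*(t+1) is even: always 0     */
            break;
        case 2u:                            /* a + b  ==  (a^b) + 2*(a&b)    */
            t = (uint32_t)n;
            acc = (acc ^ t) + ((acc & t) << 1);
            state = (acc | 1u) & 1u;        /* low bit forced on: always 1   */
            break;
        default:
            return 0u;                      /* unreachable */
        }
    }
}

/* Runs both versions over constructed inputs; returns the mismatch count. */
unsigned self_check(void)
{
    uint8_t buf[16];
    unsigned bad = 0;
    hits_orig = hits_clone = 0;
    for (unsigned seed = 0; seed < 64; seed++)
        for (size_t n = 0; n <= sizeof buf; n++) {
            for (size_t i = 0; i < n; i++)
                buf[i] = (uint8_t)(seed * 7u + i * 13u);
            if (key_plain(buf, n) != key_hetero(buf, n))
                bad++;
        }
    return bad;
}

int main(void)
{
    unsigned bad = self_check();
    printf("mismatches=%u original_path=%u clone_path=%u\n",
           bad, hits_orig, hits_clone);
    return bad != 0;
}
```

Both counters end up non-zero: which successor runs depends on the input data, so a static reader sees two differently shaped successors behind one data-dependent branch even though the result is identical.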
Example 2: the object of this embodiment is to provide a program code heterogenization device for performing the heterogenization method of embodiment 1. As shown in Fig. 5, the heterogeneous device 200 includes: an identification unit 201, a division unit 202, an analysis unit 203, and an obfuscation unit 204.
The identification unit 201 is configured to acquire the target attack surface through which the program code is easily breached, and to identify the key functions that need heterogeneous processing according to the target attack surface. Specifically, in combination with embodiment 1, the identification unit 201 is configured to execute step S1.
The division unit 202 is configured to generate an abstract syntax tree of the program code, obtain tree structure information of the key function from the abstract syntax tree, and divide the key function into a plurality of basic blocks according to that tree structure information. In combination with embodiment 1, the division unit 202 is configured to perform step S2.
The analysis unit 203 is configured to analyze the basic blocks based on the tree structure information of the key function, so as to obtain the logical relationships between the basic blocks. Specifically, in combination with embodiment 1, the analysis unit 203 is configured to perform step S3.
The obfuscation unit 204 is configured to obfuscate the basic blocks using dynamic opaque predicates, to obfuscate the clones of the successor basic blocks of the obfuscated basic blocks, and to connect the instruction-obfuscated clones to the obfuscated basic blocks. Specifically, in combination with embodiment 1, the obfuscation unit 204 is configured to perform steps S4-S5.
The identification unit 201 includes a system resource module and a key function module. The system resource module is used for acquiring the relationship between the program code and the system resources of the target attack surface; the key function module is used for tracing back from the system resources of the target attack surface to the corresponding functional modules of the program and their source code, and for identifying the key functions in the program code that need heterogeneous processing.
The analysis unit 203 includes a logical relationship module. The logical relationship module is used for analyzing the logical relationships and topological structure of the basic blocks based on the tree structure information of the key function and the program code, and for obtaining the logical relationships between the basic blocks. The logical relationships include execution flow, data dependency and inheritance references.
The obfuscation unit 204 includes a basic block obfuscation module. The basic block obfuscation module is used for obtaining the number of successor basic blocks of a target basic block according to the logical relationships between the basic blocks, constructing an obfuscation block using a dynamic opaque predicate when the target basic block has only one successor basic block, and inserting the constructed obfuscation block at the tail of the target basic block.
The basic block obfuscation module includes an obfuscation block construction module. The obfuscation block construction module is used for initializing an opaque predicate, randomly selecting a variable from the target basic block into which the obfuscation block is to be inserted and binding it to the opaque predicate, and determining the subsequent jump path according to the result of evaluating the opaque predicate.
The obfuscation unit 204 also includes a clone obfuscation module. The clone obfuscation module is used for shuffling the order of the instructions in the clone and constructing opaque predicates according to the original jump rules of the instructions. The clone obfuscation module is also configured to replace an original instruction with an instruction that has the same meaning but a different syntax.
The specific manner in which the respective units perform the operations in the apparatus of the present embodiment has been described in detail in embodiment 1, and will not be described in detail here.
It should be understood by those skilled in the art that, for convenience and brevity, the embodiments of the apparatus are illustrated only by the division of each functional module or unit, and in practical application, the above-mentioned functional allocation may be implemented by different functional modules or units, that is, the internal structure of the apparatus is divided into different functional modules or units, so as to implement all or part of the functions described above.
Example 3: referring to fig. 6, an object of the present embodiment is to provide an electronic device 300, including at least one processor 301 and one or more memories 302 for storing instructions executable by the processor 301. The processor 301 is configured to execute the instructions in the memory 302 to implement the heterogeneous method described in embodiment 1.
The electronic device 300 further comprises a bus 304, the processor 301 and the memory 302 being interconnected by means of the bus 304 or otherwise.
The processor 301 is a central processing unit (CPU), a general purpose processor, a network processor (NP), a digital signal processor (DSP), a microprocessor, a microcontroller, a programmable logic device (PLD), or any combination thereof. The processor 301 may also be any other device having processing functions, such as, without limitation, a circuit, a device, or a software module. In one example, processor 301 may include one or more CPUs, such as CPU0 and CPU1 in Fig. 6.
The memory 302 may be, without limitation, a read-only memory (ROM) or other type of static storage device capable of storing static information and/or instructions, a random access memory (RAM) or other type of dynamic storage device capable of storing information and/or instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage (including compact disc, laser disc, optical disc, digital versatile disc, Blu-ray disc, etc.), a magnetic disc storage medium or other magnetic storage device, etc.
It is noted that the memory 302 may exist separately from the processor 301 or may be integrated with the processor 301. Memory 302 may be used to store instructions or program code or some data, etc. The memory 302 may be located within the electronic device 300 or external to the electronic device 300, without limitation.
As an alternative implementation, electronic device 300 also includes a communication interface 303. The communication interface 303 is a wired interface (or port) such as a fiber distributed data interface (FDDI), a gigabit Ethernet (GE) interface, or the like. Alternatively, the communication interface 303 is a wireless interface. The communication interface 303 may be a module, a circuit, a communication interface, or any device capable of enabling communication. The communication interface 303 is used to communicate with other devices or other communication networks, which may be Ethernet, a radio access network (RAN), a wireless local area network (WLAN), etc.
As an alternative implementation, electronic device 300 also includes an input device 305 and an output device 306. Illustratively, the input device 305 is a keyboard, mouse, microphone, or joystick device, and the output device 306 is a display screen, speaker, or the like.
It should be noted that the electronic device 300 may be a desktop, a laptop, a web server, a mobile phone, a tablet, a wireless terminal, an embedded device, a chip system, or a device having a similar structure as in fig. 6. Further, the constituent structure shown in fig. 6 does not constitute a limitation of the terminal device, and the electronic device 300 may include more or less components than those shown in fig. 6, or may combine some components, or may be different in arrangement of components, in addition to those shown in fig. 6.
Example 4: an object of the present embodiment is to provide a computer-readable storage medium.
All or part of the flow in the above method embodiments may be implemented by computer instructions to instruct related hardware, where the program may be stored in the computer readable storage medium, and when the program is executed, the heterogeneous method described in embodiment 1 may be implemented.
The computer readable storage medium may be an internal storage unit of the electronic device of embodiment 3, such as a hard disk or a memory. The computer readable storage medium may also be an external storage device of the electronic device, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, a flash card (flash card), etc. Further, the computer-readable storage medium may also include both the internal storage unit and the external storage device of the electronic device described above. The computer-readable storage medium is used to store a computer program and other programs and data required by an electronic device. The computer-readable storage medium may also be used to temporarily store data that has been output or is to be output.
In connection with the several embodiments provided herein, it should be understood that the provided apparatus and methods may be embodied in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the modules or units is merely a logical function division, and there may be additional divisions when actually implemented, for example, multiple modules or units or components may be combined or integrated into another apparatus, or some features may be omitted, or not performed.
In addition, in the embodiment of the present application, each functional module or unit may be integrated in one unit, or each module or unit may exist alone physically, or two or more modules or units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional modules.
The integrated units described above may be stored in a readable storage medium if implemented in the form of software functional modules and sold or used as a stand-alone product. Based on such understanding, the technical solution of the embodiments of the present application, in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, including several instructions for causing a device (which may be a single-chip microcomputer, a chip or the like) or a processor to perform all or part of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes: a USB disk, a removable hard disk, a ROM, a RAM, a magnetic disk, or an optical disk, etc.
Finally, it is noted that the above-mentioned embodiments are merely for illustrating the technical solution of the present invention, and that other modifications and equivalents thereof by those skilled in the art should be included in the scope of the claims of the present invention without departing from the spirit and scope of the technical solution of the present invention.

Claims (10)

1. A method of isomerising program code, comprising:
acquiring a target attack surface through which the program code is easy to break, and acquiring a key function which needs heterogeneous processing according to the target attack surface;
generating an abstract syntax tree of a program code, acquiring tree structure information of a key function according to the abstract syntax tree, and dividing the corresponding key function into a plurality of basic blocks according to the tree structure information of the key function;
acquiring a logic relation between basic blocks;
obfuscating the basic block using a dynamic opaque predicate;
and constructing clone bodies of the subsequent basic blocks of the obfuscated basic blocks, obfuscating the instructions of the clone bodies, and establishing connections between the instruction-obfuscated clone bodies and the obfuscated basic blocks.
2. The method for heterogeneous processing of program code according to claim 1, wherein the method for acquiring the key functions requiring heterogeneous processing according to the target attack surface comprises: according to the relation between the program code and the system resources of the target attack surface, tracing back through the system resources of the target attack surface to the functional module of the program and its corresponding source code, and thereby identifying the key function needing heterogeneous processing in the program code.
3. The method of claim 1, wherein the method of obtaining logical relationships between basic blocks comprises: performing logic relation and topological structure analysis on basic blocks based on tree structure information and program codes of key functions to acquire logic relation among the basic blocks; the logical relationship includes execution flow, data dependency, inheritance references.
4. The heterogeneous method of program code of claim 1, wherein the method of obfuscating basic blocks using dynamic opaque predicates comprises: obtaining the number of subsequent basic blocks of the target basic block according to the logical relationship among the basic blocks, and, when the target basic block has only one subsequent basic block, constructing a confusion block using dynamic opaque predicates and inserting the constructed confusion block at the tail of the target basic block.
5. The heterogeneous method of program code of claim 4, wherein the method of constructing the confusion block using dynamic opaque predicates comprises: initializing an opaque predicate, randomly selecting a variable from the target basic block into which the confusion block is to be inserted and binding it to the opaque predicate, and determining the subsequent jump path according to the operation result of the opaque predicate.
6. The method of claim 1, wherein obfuscating instructions of a clone comprises: reordering the instructions in the clone and constructing opaque predicates according to the original jump rule of the instructions.
7. The method of claim 1, wherein obfuscating instructions of a clone comprises: replacing the original instruction with an instruction that has the same meaning but a different syntax.
8. A program code isomerism device, characterized by comprising an identification unit, a partitioning unit, an analysis unit and a confusion unit;
the identification unit is used for acquiring a target attack surface, through which the program code is easy to break, and acquiring a key function to be isomerized according to the target attack surface;
the partitioning unit is used for generating an abstract syntax tree of the program code, acquiring tree structure information of the key function according to the abstract syntax tree, and partitioning the key function into a plurality of basic blocks according to the tree structure information of the key function;
the analysis unit is used for acquiring the logic relation between the basic blocks;
the confusion unit is used for obfuscating basic blocks using dynamic opaque predicates, for obfuscating clone bodies of the subsequent basic blocks of the obfuscated basic blocks, and for establishing connections between the instruction-obfuscated clone bodies and the obfuscated basic blocks.
9. An electronic device comprising a processor and a memory; the memory is configured to store executable instructions and the processor is configured to execute the instructions to implement the heterogeneous method of any of claims 1-7.
10. A computer readable storage medium having instructions stored therein which, when executed, implement the heterogeneous method of any of claims 1-7.
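The block-level transformation recited in claims 4, 5 and 7 can be sketched as follows; this is an added illustration, not code from the patent or its applicants. The three-address block format, the parity test used as the runtime-valued predicate, and the names run, substitute, diversify and SAMPLE are all assumptions made for the example.

```python
import random

OPS = {"add": lambda a, b: a + b, "sub": lambda a, b: a - b,
       "mul": lambda a, b: a * b, "and": lambda a, b: a & b}

# Constructed sample: three basic blocks computing (x + 3) * 2 - y.
SAMPLE = {
    "entry": ([("a", "add", "x", 3)], ("jmp", "body")),
    "body": ([("b", "mul", "a", 2), ("c", "sub", "b", "y")], ("jmp", "exit")),
    "exit": ([], ("ret", "c")),
}

def run(cfg, env, entry="entry"):
    """Interpret the CFG; return (result, names of the blocks visited)."""
    env, trace, name = dict(env), [], entry
    val = lambda x: env[x] if isinstance(x, str) else x
    while True:
        trace.append(name)
        instrs, term = cfg[name]
        for dst, op, a, b in instrs:
            env[dst] = OPS[op](val(a), val(b))
        if term[0] == "ret":
            return val(term[1]), trace
        name = term[1] if term[0] == "jmp" else term[2 if val(term[1]) else 3]

def substitute(instrs, tag):
    """Rewrite add/sub into an equivalent form: a + b == a - (0 - b)."""
    out = []
    for i, (dst, op, a, b) in enumerate(instrs):
        if op in ("add", "sub"):
            tmp = f"_t_{tag}_{i}"  # fresh temporary, assumed not to clash
            flipped = "sub" if op == "add" else "add"
            out += [(tmp, "sub", 0, b), (dst, flipped, a, tmp)]
        else:
            out.append((dst, op, a, b))
    return out

def diversify(cfg, rng=random):
    """Append a runtime-valued predicate to each single-successor block and
    branch to either the original successor or its rewritten clone."""
    new = dict(cfg)
    for name, (instrs, term) in cfg.items():
        if term[0] != "jmp" or not instrs:
            continue  # only blocks with exactly one successor qualify
        succ, clone, pred = term[1], f"{term[1]}__clone_{name}", f"_p_{name}"
        var = rng.choice([dst for dst, *_ in instrs])  # variable bound to predicate
        new[clone] = (substitute(cfg[succ][0], name), cfg[succ][1])
        new[name] = (instrs + [(pred, "and", var, 1)], ("br", pred, succ, clone))
    return new
```

Because both targets of the inserted branch compute the same values, the path taken changes with the input while the result does not, which is the property an equivalence test of the diversified program against the original should check.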
CN202311803249.1A 2023-12-26 2023-12-26 Program code isomerism method, isomerism device, electronic equipment and storage medium Pending CN117707613A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311803249.1A CN117707613A (en) 2023-12-26 2023-12-26 Program code isomerism method, isomerism device, electronic equipment and storage medium


Publications (1)

Publication Number Publication Date
CN117707613A true CN117707613A (en) 2024-03-15

Family

ID=90158805

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311803249.1A Pending CN117707613A (en) 2023-12-26 2023-12-26 Program code isomerism method, isomerism device, electronic equipment and storage medium


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination