JP2012234248A - Software obfuscation device, software obfuscation method, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide sufficient resistance even to an attack that extracts and diverts a function.SOLUTION: A software obfuscation device comprises dependency generation means for generating dependency among plural functions included in software. That is, dependency is built among plural functions to enlarge the scale, and thereby it is made difficult to analyze the functions, so that it is made difficult to extract a feature.

Description

  The present invention relates to a software obfuscation apparatus, a software obfuscation method, and a program that can prevent the outflow of software functions.

  The software may include information that should be kept secret to the user, such as valuable algorithms and content encryption keys. On the other hand, many techniques (RE: Reverse Engineering) for analyzing software have been developed. For this reason, when software is analyzed by these techniques, there is a threat that an unauthorized person obtains confidential information. For this threat, there is a technique called obfuscation that makes it difficult to analyze software while keeping the software specifications.

  As an example of this, there is an encoding method in which a variable in a program is linearly converted by an arithmetic unit and encoded, and n variables (where n is a positive integer) to be encoded are arbitrarily selected, and m An xn matrix (where m is a positive integer satisfying m ≧ n) and an arbitrary vector of m dimensions are generated. Then, using the generated matrix and vector as conversion keys, the n variables are linearly converted and simultaneously encoded into m integers. This makes it possible to conceal the number of variables used in the original program and the reference / substitution relationship between the variables and obfuscate highly resistant programs by increasing the number of secret key candidates. (For example, refer to Patent Document 1).

JP 2006-079347 A

  In other words, since the conventional technique is an obfuscation method for the purpose of analyzing data and processing contents in a program or preventing falsification, such obfuscation method is a method for preventing analysis or falsification while maintaining function functions. The input / output specifications of the target function are not changed by obfuscation. For this reason, the obfuscation method targeting a single function has a problem in that sufficient security cannot be realized against attacks that extract and divert functions.

  Therefore, the present invention has been made in view of the above-described problems, and provides a software obfuscation apparatus, a software obfuscation method, and a program that have sufficient resistance against attacks that extract and divert functions. The purpose is to do.

  The present invention proposes the following items in order to solve the above problems. In addition, in order to make an understanding easy, although the code | symbol corresponding to embodiment of this invention is attached | subjected and demonstrated, it is not limited to this.

  (1) The present invention is a software obfuscation device that makes software analysis difficult, and includes dependency generation means (for example, a merge unit in FIG. 1) that generates dependency relationships for a plurality of functions included in the software. And a software obfuscation device characterized in that the device is provided with an equivalent to 200).

  According to this invention, the dependency relationship generating means for generating the dependency relationship is provided for a plurality of functions included in the software. In other words, by building dependency relationships for a plurality of functions and increasing their scale, it becomes difficult to analyze the functions and extract functions.

  (2) In the software obfuscation device according to (1), the dependency generation unit constructs a dependency by merging a plurality of functions into one function. An obfuscation device is proposed.

  According to the present invention, the dependency relationship generating means constructs a dependency relationship by merging a plurality of functions into one function. That is, by merging a plurality of functions into one function and enlarging the function, it becomes difficult to analyze the function and make it difficult to extract the function.

  (3) In the software obfuscation device according to (2), the dependency relationship generation unit merges a plurality of functions having different functions into one function by using a function selection argument. The software obfuscation device is proposed.

  According to this invention, the dependency relationship generating means merges a plurality of functions having different functions into one function using the function selection argument. In other words, a plurality of functions having different functions are merged into one function using function selection arguments, thereby making it difficult to analyze the functions and to extract the functions.

  (4) In the software obfuscation apparatus according to (2), the dependency generation unit uses a pointer type variable for data output for a plurality of functions having different data types of return values. We have proposed a software obfuscation device characterized by merging into functions.

  According to the present invention, the dependency relationship generating means merges a plurality of functions having different data types of return values into one function using the pointer type variable for data output. That is, a plurality of functions having different data types of return values are merged into one function by using a pointer type variable for data output, thereby making it difficult to analyze the function and to extract a function.

  (5) The present invention further includes dividing means (for example, equivalent to the dividing unit 300 in FIG. 4) for dividing a variable having a long byte length among variables included in the software into a plurality of variables using a union. A software obfuscation apparatus is proposed, which comprises a conversion means (for example, equivalent to the conversion unit 400 in FIG. 4) for converting software including the divided variables.

  According to the present invention, the dividing means divides a variable having a long byte length among variables included in software into a plurality of variables using a union. The converting means converts software including the divided variables. Therefore, since the variable having a long byte length can be divided into a plurality of variables by the dividing means, it is possible to encode a variable having an arbitrary data length, that is, all types of variables. Note that a union refers to a structure in which multiple variables share the same memory area. By using a union, a variable with a large byte length is divided into multiple variables and encoded using the existing method. Can be For example, a double-precision floating-point type variable (double) type variable can be divided into two integer type variables.

  (6) The present invention relates to the software obfuscation device according to (5), wherein the conversion means selects a variable to be encoded (for example, equivalent to the selection unit 410 in FIG. 6); Coding variable determining means for determining m coding variables from the selected coding variables (e.g., corresponding to the coding variable determining unit 420 in FIG. 6), and rule determining means for determining the coding rules and decoding rules. (For example, equivalent to the rule determination unit 430 in FIG. 6), replacement means for replacing the encoded variable in the software with another encoded variable (for example, equivalent to the replacement unit 440 in FIG. 6), and the converted software correctly A software obfuscation device is proposed, which is provided with a correcting means (for example, corresponding to the correcting unit 450 in FIG. 6) that corrects it so that it can be executed.

  According to this invention, the selection means selects a variable to be encoded, and the encoding variable determination means determines m encoding variables from the selected encoding variable. Then, the rule determining unit determines the encoding rule and the decoding rule, and the replacing unit replaces the encoding variable in the software with another encoding variable, and the correction unit corrects the converted software so that it can be executed correctly. To do. Therefore, software obfuscation can be realized by converting the software.

  (7) The present invention provides the software obfuscation device according to (6), wherein the replacement unit replaces the target variable to which substitution is performed (for example, the first replacement unit in FIG. 7). And a second replacement unit (for example, corresponding to the second replacement unit 442 in FIG. 7) that replaces the target variable that is being referred to. Proposal of a device.

  According to this invention, the first replacement unit replaces the target variable for which substitution is performed, and the second replacement unit replaces the target variable for which reference is performed. Thereby, obfuscation can be performed effectively.

  (8) According to the present invention, in the software obfuscation device of (7), the correction means adds an additional means for adding a definition of a primary variable for saving the encoding variables and the values of these variables (for example, FIG. 8) and a converting means (for example, equivalent to the converting section 452 in FIG. 8) for converting the instruction substituted by the first replacing means into an instruction sequence that can be executed. A software obfuscation device is proposed.

  According to this invention, the adding means adds the definitions of the primary variables for saving the encoded variables and the values of these variables, and the converting means is an instruction that can execute the assignment instruction replaced by the first replacing means. Convert to column. Therefore, by this processing, it is possible to obtain executable software while obfuscating.

  (9) The present invention is a software obfuscation method in a software obfuscation apparatus that makes it difficult to analyze software, and includes a step of generating dependency relationships for a plurality of functions included in the software. A software obfuscation method is proposed.

  According to the present invention, dependency relationships are generated for a plurality of functions included in software. In other words, by building dependency relationships for a plurality of functions and increasing their scale, it becomes difficult to analyze the functions and extract functions.

  (10) The present invention is a software obfuscation method in a software obfuscation device that makes software analysis difficult, and includes a first step of generating dependency relationships for a plurality of functions included in the software; A second step (for example, corresponding to step S101 in FIG. 9) of dividing a variable having a long byte length among variables included in the software into a plurality of variables using a union, and software including the divided variables And a third step (for example, corresponding to step S102 in FIG. 9) of converting software.

  According to the present invention, dependency relationships are generated for a plurality of functions included in software, and a variable having a long byte length among variables included in software is divided into a plurality of variables using a union. Then, the software including the divided variables is converted. That is, by generating dependency relations for a plurality of functions and increasing their scale, it becomes difficult to analyze the functions and to extract functions. Furthermore, since a variable having a long byte length can be divided into a plurality of variables, it is possible to encode a variable having an arbitrary data length, that is, all types of variables, thereby further improving safety.

  (11) The present invention is a program for causing a computer to execute a software obfuscation method in a software obfuscation apparatus that makes it difficult to analyze software, wherein dependency relations are set for a plurality of functions included in the software. A program for causing a computer to execute the generating step is proposed.

  According to the present invention, dependency relationships are generated for a plurality of functions included in software. In other words, by building dependency relationships for a plurality of functions and increasing their scale, it becomes difficult to analyze the functions and extract functions.

  (12) The present invention is a program for causing a computer to execute a software obfuscation method in a software obfuscation apparatus that makes it difficult to analyze software, wherein dependency relations are set for a plurality of functions included in the software. A first step of generating, a second step of dividing a variable having a long byte length among the variables included in the software into a plurality of variables using a union (for example, corresponding to step S101 in FIG. 9), A program for causing a computer to execute a third step (for example, corresponding to step S102 in FIG. 9) for converting software including the divided variables is proposed.

  According to the present invention, dependency relationships are generated for a plurality of functions included in software, and a variable having a long byte length among variables included in software is divided into a plurality of variables using a union. Then, the software including the divided variables is converted. That is, by generating dependency relations for a plurality of functions and increasing their scale, it becomes difficult to analyze the functions and to extract functions. Furthermore, since a variable having a long byte length can be divided into a plurality of variables, it is possible to encode a variable having an arbitrary data length, that is, all types of variables, thereby further improving safety.

  According to the present invention, since a plurality of functions can have dependency relationships, there is an effect that diversion by extracting a single function can be made difficult.

It is a figure which shows the structure of the obfuscation apparatus of the software which concerns on the 1st Embodiment of this invention. It is the figure which illustrated the original software which concerns on an Example. It is the figure which illustrated the software after conversion concerning an example. It is a figure which shows the structure of the obfuscation apparatus of the software which concerns on the 2nd Embodiment of this invention. It is a figure for demonstrating a union. It is a figure which shows the detailed structure of the conversion part of this invention. It is a figure which shows the detailed structure of the replacement part of this invention. It is a figure which shows the detailed structure of the correction part of this invention. It is a processing flow of the software obfuscation apparatus of this invention. It is the figure which illustrated the source code of the original software which concerns on an Example. It is the figure which illustrated the source code of the variable-converted software which concerns on an Example. It is the figure which illustrated the source code of the software after obfuscation which concerns on an Example.

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.
Note that the constituent elements in the present embodiment can be appropriately replaced with existing constituent elements and the like, and various variations including combinations with other existing constituent elements are possible. Therefore, the description of the present embodiment does not limit the contents of the invention described in the claims.

<First Embodiment>
The software obfuscation apparatus according to the present embodiment will be described with reference to FIG.

<Configuration of software obfuscation device>
The software obfuscation apparatus according to the present embodiment includes a function extraction unit 100 and a merge unit 200.

  The function extraction unit 100 extracts a function from software. The merge unit 200 performs a process of merging a plurality of functions extracted by the function extraction unit 100. Note that a plurality of functions having different functions are merged into one function using function selection arguments, and a plurality of functions having different data types of return values are merged into one using a pointer type variable for data output. Merge into two functions.

<Processing of software obfuscation device>
The processing of the software obfuscation apparatus according to the present embodiment will be described based on the examples shown in FIGS.

  FIG. 2 shows two functions that perform merging. Here, the upper function obtains an integer value, calculates the result twice, and returns. The lower function obtains two arguments x and y, and calculates the sum of these. Calculate and return.

  FIG. 3 shows the function after merging the two functions shown in FIG. Here, “x1” is an argument for giving information to a function called double (), and “x2” and “y2” are arguments for giving information to a function called add (). Also, “d” is an argument newly provided to properly use these functions because the two functions are merged.

  In the merged function, when the argument d is set to 0, the function double can be used, and a value obtained by doubling the value of the first argument (x1) can be obtained. In this case, the second (x2) and third (x3) arguments are ignored. When a value other than 0 (for example, 1) is set in the argument d, the function add can be used, and the sum of the value of the second argument (x2) and the value of the third argument (x3) is obtained. be able to. In this case, the first argument (x1) is ignored.

  Further, in this embodiment, one outputs an integer and the other outputs a real number. As described above, when merging functions having different output data types, the calculation result is stored in the data area as described above, the address of the data area is stored in the pointer variable (p), and the address is set. By returning, data is output via the pointer variable. On the other hand, when merging functions having the same output data type, it is possible to output data by a method of returning the return value as it is. Furthermore, in the above example, a single argument (d) is used for proper use of functions, but the use of a plurality of arguments can make analysis more difficult.

  As described above, according to the present embodiment, since a plurality of functions are merged into one function, the scale of the function increases and analysis becomes difficult. In addition, the merged function can be used properly by using a newly introduced argument.

<Second Embodiment>
The software obfuscation apparatus according to this embodiment will be described with reference to FIGS. In the present embodiment, after merging the functions performed in the first embodiment, an arbitrary variable in the software is encoded.

<Configuration of software obfuscation device>
As shown in FIG. 4, the software obfuscation apparatus according to the present embodiment includes a function extraction unit 100, a merge unit 200, a division unit 300, and a conversion unit 400. In addition, about the component which attaches | subjects the same code | symbol as 1st Embodiment, since it has the same function, the detailed description is abbreviate | omitted.

  The dividing unit 300 divides a variable having a long byte length among variables included in software into a plurality of variables using a union. The conversion unit 400 converts software including the divided variables.

<About union>
The union used in the dividing unit 300 will be described.
A union refers to a structure in which a plurality of variables share the same memory area. By using a union, it is possible to divide a variable having a large byte length into a plurality of variables and encode it using an existing method. For example, a double-precision floating-point type variable (double) type variable can be divided into two integer type variables. FIG. 5 shows an example of a union. The defined DATA type variable dat is a member variable dat. d can be used as a double type variable. On the other hand, the member variable dat. i [0] can be used as an int type variable for manipulating the lower 4 bytes of this double type variable. Dat. Similarly, i [1] can be used as an int type variable for operating the upper 4 bytes.

<Internal configuration of conversion unit>
As illustrated in FIG. 6, the conversion unit 400 further includes a selection unit 410, an encoding variable determination unit 420, a rule determination unit 430, a replacement unit 440, and a correction unit 450.

In the following, it is assumed that the target software includes N variables, x ₁ , x ₂ ,..., X _n, and the value stored in the variable x ₁ is output as the execution result. It is assumed that there is no loss of generality. Further, even when there are a plurality of variables for storing execution results, it is possible to treat each piece of software in the same way by assuming that there are a plurality of software for storing execution results in one variable.

The selection unit 410 selects n variables x ₁ , x ₂ ,..., X _n to be encoded. Here, the variable x ₁ to the execution result is stored, it is necessary to select as the encoding target. The number n is arbitrary, and a larger value is selected when the safety is increased, and a smaller value is selected when the execution efficiency is increased. However, the following variables are excluded from encoding targets. 1) Variable in which user input is directly written. 2) A variable whose address is obtained by an address operator.

Encoding variable determination unit 420, m pieces of encoded variables _{y 1, y 2, ···,} determines a _{y m.} Here, the number m is set larger than the number n of encoding target variables. Note that a larger value is selected to increase safety, and a smaller value is selected to increase execution efficiency.

  The rule determining unit 430 arbitrarily determines an m-by-n pool matrix A and an m-dimensional integer vector b. However, the matrix A is selected so that the rank is n. The following relational expression number 1 is constituted by the matrix A and the integer type vector b.

  If each row of the above equation is an encoding rule, Equation 2 is obtained.

Next, the encoding rule is regarded as a simultaneous equation for unknown variables x ₁ , x ₂ ,..., X _n and solved to obtain Equation 3.

Each of these formulas is used as a decryption rule. In the process of solving the above simultaneous equations, n coding rules are used. By replacing the variables x ₁ , x ₂ ,..., X _{n included} in the coding rules that are not used with the coding variables using the decoding rules, mn non-trivial relational expressions are obtained. . Here, the encoding variables y ₁ , y ₂ ,..., Y _m always satisfy these relational expressions.

Replacement unit 440, coded variables _{x 1,} x 2 in the program, ..., and _{x n,} encoding the variable _{y 1,} y 2, ..., replaced by _{y m,} first, assignment is performed The variable that is being referenced is replaced with the encoded variable, and then the variable being referenced is replaced with the encoded variable.

Specifically, the first replacement unit 441 shown in FIG. 7 replaces the assignment instruction x _i ← f with the instruction shown in Equation 4 below.

Thus, the right side of the function _{e 1,} e 2, · · ·, in _{e m,} target variable _{x i} which assignment is performed is replaced in equation f.

Further, the second replacement unit 442 shown in FIG. 7 converts the referenced target variables x ₁ , x ₂ ,..., X _n in the instruction sequence obtained by the above processing, respectively, to the decryption rule d. _{1, d} 2, ···, replaced by _{d n,} to organize the expression.

The correction unit 450 corrects the converted software so that it can be executed correctly. Specifically, the adding unit 451 shown in FIG. 8 stores the encoding variables y ₁ , y ₂ ,..., Y _m and temporary variables t ₁ , t ₂ ,. , T _m definition is added.

Also, the conversion unit 452 illustrated in FIG. 8 converts the instruction converted by the first replacement unit 441 into an instruction sequence that can be sequentially executed. That is, the instruction sequence shown in Equation 5 is changed to the instruction sequence shown in Equation 6. In this way, by saving the value of the encoded variable before update in the temporary variable, the value of the encoded variable after update can be calculated sequentially. Here, the function _{e 1 ', e 2',} ···, e m ' , respectively, the function _{e 1,} e 2, · · ·, in _{e m,} encoded variables _{y 1,} y 2, · · · , Y _m are replaced with temporary variables t ₁ , t ₂ ,..., T _m .

<Processing of software obfuscation device>
The process of the software obfuscation apparatus according to this embodiment will be described with reference to FIG. Note that the processing related to merging is the same as in the first embodiment, and a detailed description thereof will be omitted.

  First, the dividing unit 300 divides a variable having a long byte length among variables included in the software into a plurality of variables using a union (step S101). Then, the conversion unit 400 converts the software including the divided variables (step S102).

  In the conversion unit 400, as described above, selection processing, coding variable determination processing, rule determination processing, replacement processing, and correction processing are performed.

  Therefore, according to the present embodiment, since a plurality of functions are merged into one function, the scale of the function increases and analysis becomes difficult. In addition, the merged function can be used properly by using a newly introduced argument. Furthermore, since it becomes possible to encode a variable having an arbitrary data length, that is, all types of variables, a plurality of pieces of data having different semantics can be converted together, and safety is further improved.

<Example>
FIG. 10 shows source code before obfuscation, and in this embodiment, a conversion example of a function for obtaining a definite integral in a section [a; b] of a function f by piecewise quadrature is shown.

Here, the rules used for encoding the variables are as shown in Equation 7. However, sum _H means the upper 4 bytes of sum, and sum _L means the lower 4 bytes. FIG. 11 shows source code in which variable conversion is introduced, and FIG. 12 shows source code after obfuscation.

  The software obfuscation device of the present invention is recorded by recording the processing of the software obfuscation device on a computer-readable recording medium, and causing the software obfuscation device to read and execute the program. Can be realized. The computer system here includes an OS and hardware such as peripheral devices.

  Further, the “computer system” includes a homepage providing environment (or display environment) if a WWW (World Wide Web) system is used. The program may be transmitted from a computer system storing the program in a storage device or the like to another computer system via a transmission medium or by a transmission wave in the transmission medium. Here, the “transmission medium” for transmitting the program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line.

  The program may be for realizing a part of the functions described above. Furthermore, what can implement | achieve the function mentioned above in combination with the program already recorded on the computer system, and what is called a difference file (difference program) may be sufficient.

  The embodiments of the present invention have been described in detail with reference to the drawings. However, the specific configuration is not limited to the embodiments, and includes designs and the like that do not depart from the gist of the present invention.

100; Function extraction unit 200; Merging unit 300; Division unit 400; Conversion unit 210; Selection unit 220; Coding variable determination unit 230; Rule determination unit 240; Replacement unit 241; First replacement unit 242; Unit 250; correction unit 251; addition unit 252; conversion unit

Claims (12)

A software obfuscation device that makes software analysis difficult,
An obfuscation device for software, comprising: dependency generation means for generating a dependency relationship for a plurality of functions included in the software.   The software obfuscation device according to claim 1, wherein the dependency generation unit constructs a dependency by merging a plurality of functions into one function.   3. The software obfuscation device according to claim 2, wherein the dependency relationship generation unit merges a plurality of functions having different functions into one function using a function selection argument.   3. The software obfuscation according to claim 2, wherein the dependency relationship generation unit merges a plurality of functions having different data types of return values into one function by using a pointer type variable for data output. Device. further,
A dividing unit that divides a variable having a long byte length among variables included in the software into a plurality of variables using a union;
Conversion means for converting the software including the divided variables;
A software obfuscation device characterized by comprising: The converting means is
A selection means for selecting a variable to be encoded;
Encoding variable determining means for determining m encoding variables from the selected encoding variable;
Rule determining means for determining an encoding rule and a decoding rule;
Replacement means for replacing the encoded variable in the software with another encoded variable;
Correction means for correcting the converted software so that it can be executed correctly,
The software obfuscation device according to claim 5, comprising: The replacement means comprises:
First replacement means for replacing a target variable for which substitution is performed;
A second replacement means for replacing the target variable being referred to;
The software obfuscation device according to claim 6. The correcting means is
Additional means for adding encoding variables and primary variable definitions for saving the values of these variables;
Conversion means for converting the substitution instruction substituted by the first substitution means into an instruction sequence that can be executed;
The software obfuscation device according to claim 7, comprising: A software obfuscation method in a software obfuscation device that makes software analysis difficult,
A software obfuscation method comprising a step of generating a dependency relationship for a plurality of functions included in the software. A software obfuscation method in a software obfuscation device that makes software analysis difficult,
A first step of generating dependencies for a plurality of functions included in the software;
A second step of dividing a variable having a long byte length among the variables included in the software into a plurality of variables using a union;
A third step of converting software including the divided variables;
A software obfuscation method characterized by comprising: A program for causing a computer to execute a software obfuscation method in a software obfuscation device that makes software analysis difficult,
A program for causing a computer to execute a step of generating dependency relationships for a plurality of functions included in the software. A program for causing a computer to execute a software obfuscation method in a software obfuscation device that makes software analysis difficult,
A first step of generating dependencies for a plurality of functions included in the software;
A second step of dividing a variable having a long byte length among the variables included in the software into a plurality of variables using a union;
A third step of converting software including the divided variables;
A program that causes a computer to execute.

Images