JP4945296B2 - Code detection apparatus and code detection method - Google Patents

Description

The present invention relates to a code detection apparatus and a code detection method for detecting a detection target code by analyzing a program code including a plurality of codes.

  There is known a dynamic analysis technique for analyzing a program code including a plurality of codes (instructions) during program execution. The dynamic analysis technique is realized by using an interpreter execution that converts and executes each code in a block unit including at least one code in the program code. Further, a program execution control technique for controlling whether or not to execute a specific code in the program code is known.

  Furthermore, a program execution control technique using execution of an interpreter has been proposed (see Non-Patent Documents 1 and 2). In the program execution control technique using interpreter execution, as shown in FIG. 1, the detection target code is detected by analyzing the program code in units of blocks.

  A hook code, which is a code for controlling program execution, is added to the detected code to be detected. The code to which the hook code is added is branched to an execution control code for controlling whether or not to execute the code at the time of program execution. Since the hook code is added immediately before the detection target code, it is impossible to bypass the hook code, and the execution of the detection target code can be reliably controlled.

  As a block that is an execution unit of interpreter execution, for example, an area sandwiched between two branch instructions in a program code is used. Until the branch occurs, the program code is executed in descending order of the memory addresses, so that there is no deviation from the normal operation. If the branch instruction is executed, the branch destination address is determined, and the next block to be read is specified. Therefore, the program code can be sequentially analyzed and executed in units of blocks.

  Non-Patent Document 1 discloses a method for securing mobile code execution using a program execution control technique using interpreter execution. Here, mobile code is a program code acquired via a network.

  The method of Non-Patent Document 1 is applied to a system that develops and executes an untrusted mobile code in a memory area of the program code during execution of the trusted program code. The method of Non-Patent Document 1 assumes that an illegal branch instruction is issued from mobile code, execution control moves to a code different from the original return address, and an unintended code is executed as a threat. Yes.

  The method of Non-Patent Document 1 detects a branch instruction from the mobile code in order to prevent the above threat. A hook code for determining whether or not to execute the branch branch instruction is added immediately before the detected branch instruction. This prevents an illegal branch instruction from being executed when the mobile code is executed after the analysis and conversion of the mobile code.

  On the other hand, Non-Patent Document 2 discloses a resource access control method using a program execution control technique using interpreter execution. In the resource access control method, access control is executed for a system call called by a program. For example, it is possible to use the resource access control such that reading of a specific file is permitted but writing is prohibited.

  In the method of Non-Patent Document 2, a program binary is read for each block, and the read block is executed by an interpreter on a VM (Virtual Machine) called Strata. At this time, when a code that calls a specific system call is detected, a hook code that calls an access control code provided in advance by Strata is added immediately before the code. Thereby, when a system call subject to access control is included in the program code, it is possible to determine whether or not to permit execution of the system call.

  As described above, the methods of Non-Patent Documents 1 and 2 are capable of controlling even a code that cannot be monitored from outside the program code, such as a function call in the program code. Better than access control technology.

  Furthermore, Strata has a function of holding blocks that have been executed once as a cache in a memory as a cache as a technique for reducing the overhead of execution of the interpreter. The cache is stored in pairs of block addresses and parsed (compiled) code. As shown in FIG. 2, in Strata, the address of the current program code is specified by referring to the program counter that counts the address of the program code being executed, and cached using the current program code address as a key. Is searched.

If cached, the analyzed code corresponding to the current program code address is executed. On the other hand, if not cached, normal interpreter execution is performed. As a result, when the same program code is executed by the printer a plurality of times, the overhead required for the second and subsequent executions of the printer is reduced.
Robert Wahbe et.al., “Efficient software-based fault isolation”, In Proc. Of the fourteenth ACM Symposium on Operating Systems Principals, 1994. Kevin Scott et.al., “Safe virtual execution using software dynamic translation”, In Proc. Of 18th Annual Computer Security Applications Conference, 2002.

  In the methods of Non-Patent Document 1 and Non-Patent Document 2 when the Strata cache function is not used, the following processes (1) to (5) are executed.

  (1) A block is read from the program code.

  (2) The code constituting the block is analyzed.

  (3) When a detection target code is detected by analysis, a hook code is added to the detection target code.

  (4) After analyzing the code in the block, the block is executed.

  (5) If a hook code is detected during execution of the block, the execution control code is called.

  However, processes (2), (3), and (5) are processes that do not occur in normal program execution, and may cause an increase in overhead. In particular, the process of analyzing the code in each block in the process (2) and the process of adding the hook code in the process (3) require a cost.

  On the other hand, even when the Strata cache function is used in Non-Patent Document 2, an overhead equivalent to the above occurs when a cache miss occurs. A cache miss always occurs when a block is first executed. Alternatively, in a computer with a small installed memory capacity (for example, a portable device), since the memory capacity that can be allocated to the cache area is limited, it is difficult to avoid the occurrence of a cache miss.

  As described above, it is difficult to reduce overhead in a program analysis system that detects a detection target code by analyzing a program code including a plurality of codes.

  In view of the above problems, the present invention provides a code detection apparatus and a code detection method capable of reducing overhead in a program analysis system for detecting a detection target code by analyzing a program code including a plurality of codes. Objective.

  In order to achieve the above object, a first feature of the present invention is a code detection apparatus for detecting a detection target code by analyzing a program code including a plurality of codes, the first code analyzing the program code An analysis unit; and a second analysis unit that analyzes the program code using an analysis result obtained by the first analysis unit, wherein the first analysis unit detects the detection target code from the program code. And an analysis information generation unit that generates analysis information for specifying an analysis target region that is a region to be analyzed by the second analysis unit in the program code based on a detection result by the first detection unit. The second analysis unit is specified by the specifying unit that specifies the analysis target region in the program code by referring to the analysis information, and the specifying unit. And summarized in that and a second detector for detecting the detection target code from said analysis target area.

  According to such a feature, the specifying unit specifies an analysis target region in the program code by referring to the analysis information. The second detection unit detects a detection target code from the analysis target region specified by the specifying unit. Since the second detection unit performs a detection target code detection process on a part of the program code, the processing load on the second analysis unit is reduced and the overhead is reduced.

  A second feature of the present invention relates to the first feature of the present invention, wherein the first analysis unit analyzes the program code before execution of the program code, and the second analysis unit includes the program code. The gist is to analyze the program code during the execution of the program.

  According to such a feature, the first analysis unit analyzes the program code before execution of the program code (static analysis), and the second analysis unit analyzes the program code during execution of the program code (dynamic analysis). ). Since the second detection unit performs the detection process of the detection target code for a part of the program code, the processing load of the dynamic analysis is reduced.

  A third feature of the present invention relates to the first feature of the present invention, and further includes a control information storage unit that stores program control information including a hook code that is a code for controlling the execution of the detection target code. The second analysis unit is characterized in that the hook code is added to the detection target code detected from the analysis target region.

  According to such a feature, the second analysis unit adds a hook code that is a code for controlling execution of the detection target code to the detection target code detected from the analysis target region. Since the second detection unit performs the detection target code detection process on a part of the program code, the processing load of the hook code addition process is reduced.

  A fourth feature of the present invention relates to the first feature of the present invention, and further includes a control information storage unit that stores program control information including a hook code that is a code for controlling the execution of the detection target code. The first analysis unit adds the hook code to the detection target code detected from the program code, and the specifying unit analyzes the region where the hook code is not added by the first analysis unit. The gist is to identify the target area.

  According to such a feature, the first analysis unit adds a hook code to the detection target code. Since the specifying unit of the second analysis unit specifies an area to which no hook code is added as an analysis target area, the area to which the hook code is added can be excluded from the analysis target, and the hook in the second analysis unit can be excluded. The processing load of code addition processing is reduced.

  A fifth feature of the present invention relates to the fourth feature of the present invention, wherein the first analysis unit adds the hook code to the detection target code detected from the program code according to a predetermined condition. The gist is to determine whether or not to do so.

  According to such a feature, the first analysis unit determines whether or not to add the hook code to the detection target code detected from the program code according to a predetermined condition (for example, the size of the program code and the processing load). Determine. For this reason, it can be determined adaptively whether a hook code is added in a 1st analysis part.

  A sixth feature of the present invention relates to the fourth feature of the present invention, wherein the first analysis unit uses a branch instruction for branching to a hook dedicated function including the hook code as the hook code in the detection target code. The gist is to add.

  According to such a feature, the first analysis unit does not directly add the hook code, but indirectly adds the hook code to the detection target code by the hook dedicated function. Thereby, the code size can be reduced as compared with the case where the hook code is directly added.

  A seventh feature of the present invention relates to the first feature of the present invention, and further includes a control information storage unit that stores program control information including information for specifying the detection target code, and the first detection unit includes: When the program control information is updated, the updated detection target code is detected from the program code based on information for specifying the updated detection target code, and the analysis information generating unit is configured to detect the first detection unit. The gist is to update the analysis information based on the detection result of the detection target code after the update.

  According to such a feature, when the detection target code is updated, the first detection unit detects the updated detection target code, and the analysis information generation unit detects the detection target code updated by the first detection unit. The analysis information is updated based on the detection result. Thereby, it is possible to cope with the case where the detection target code is updated.

  An eighth feature of the present invention relates to the first feature of the present invention, and is a program that includes information for specifying the detection target code and information for specifying a candidate code that is a code to be changed to the detection target code. A control information storage unit for storing control information; and the first detection unit detects the detection target code and the candidate code from the program code based on the program control information, and the analysis information generation unit includes: Based on the detection result by the first detection unit, the regeneration information for specifying the region including the candidate code in the program code is generated, and the first detection unit generates the detection target code in the program control information. When the information to be specified is changed, the gist is to detect the changed detection target code from the area specified by the regeneration information.

  According to such a feature, the first detection unit detects not only the detection target code but also the candidate code. The analysis information generation unit generates regeneration information that identifies an area including the candidate code. Then, when the detection target code is changed to any candidate code, the first detection unit detects the changed detection target code from the program code area specified by the regeneration information. As a result, even when the detection target code is changed, it is possible to cope immediately.

  A ninth feature of the present invention relates to the first feature of the present invention, wherein the detection target code is a control movement command for calling a specific code in the program code, and the first detection unit and the second detection unit When detecting a control movement instruction from the program code, the detection unit determines whether a call destination code of the detected control movement instruction is the specific code, and calls the detected control movement instruction When the code is the specific code, the gist is to determine that the detected control movement command is the detection target code.

  According to such a feature, when the detection target code is a control movement instruction for calling a specific code in the program code, the control movement instruction is reliably detected.

  A tenth feature of the present invention relates to the first feature of the present invention, wherein the second analysis unit further includes a cache storage unit that stores an analyzed code that is an analyzed code, and the second detection unit Is summarized in that, when the detection target code is detected from the analysis target area, the analyzed code corresponding to the analysis target area including the detection target code is acquired from the cache storage unit.

  According to such a feature, the processing load of the second analysis unit is reduced by reusing the analyzed code corresponding to the detection target area including the detection target code.

  An eleventh feature of the present invention relates to the first feature of the present invention, wherein the first analysis unit detects a region that does not include the detection target code in the program code as a non-analysis target region, and performs the analysis The information includes information for specifying the non-analysis target region, and the specification unit of the second analysis unit includes the region of the program code excluding the region indicated by the information for specifying the non-analysis target region. The gist is to specify the area.

  A twelfth feature of the present invention relates to the eleventh feature of the present invention, and is summarized in that the information specifying the non-analysis target area includes a start address of the non-analysis target area.

  A thirteenth feature of the present invention is according to the eleventh feature of the present invention, wherein the first analysis unit divides the program code into regions sandwiched between two branch instructions, and for each divided region. The gist is to detect the non-analysis target region by performing detection processing of the detection target code.

  According to such a feature, the detection target code detection process is performed for each area sandwiched between two branch instructions, so that one detection target code includes a plurality of detection areas without generating an overlapping area in the program code. Detection in the region is avoided.

  A fourteenth feature of the present invention relates to the eleventh feature of the present invention, wherein the first analysis unit further includes an analysis information storage unit that stores the analysis information including information for specifying the non-analysis target region. The second analysis unit further includes a history information storage unit that stores history information in which the information specifying the non-analysis target region is associated with the number of times the non-analysis target region is executed, and the analysis information The gist of the generation unit is to update the analysis information stored in the analysis information storage unit based on the history information stored in the history information storage unit.

  According to such a feature, since the executed non-analysis target region is recorded as history information, the analysis information generation unit analyzes the pre-executed non-analysis target region by including it in the analysis information preferentially. Information can be generated more efficiently.

  A fifteenth feature of the present invention relates to the fourteenth feature of the present invention, wherein the information specifying the non-analysis target area stored in the history information storage unit includes at least a start address of the non-analysis target area. This is the gist.

  According to such a feature, since the start address of the non-analysis target area is recorded as history information, the non-analysis target area is uniquely specified.

  A sixteenth feature of the present invention relates to the fourteenth feature of the present invention, wherein the specifying unit refers to information for specifying the non-analysis target region from higher to lower in the analysis information storage unit, Specify whether the area of the program code to be executed next is the non-analysis target area, and the analysis information generation unit specifies the non-analysis target area corresponding to a certain number of times or more in the history information The information is set at a higher level in the analysis information storage unit, and the information specifying the non-analysis target region corresponding to less than a certain number of times in the history information is set at the lower level in the analysis information storage unit And

  According to such a feature, the analysis information generation unit uses the history information to place the non-analysis target region that has been executed in the past in the higher order of the (linear) search order, so that the specifying unit can perform the non-analysis target. Time to refer to (search) an area is shortened.

  A seventeenth feature of the present invention relates to the first feature of the present invention, wherein the detection target code is a branch instruction, and the second analysis unit is configured to include a predetermined branch instruction in the analyzed code. A branch destination information storage unit that stores information specifying the predetermined branch instruction and a branch destination of the predetermined branch instruction as branch destination information; and the first detection unit is stored in the branch destination information storage unit. The gist is to detect the detection target code based on the stored branch destination information.

  According to such a feature, the first detection unit can analyze even the program code in which the detection omission has occurred due to the difficulty of specifying the branch destination by using the branch destination information. Misdetection is reduced.

  An eighteenth feature of the present invention relates to the seventeenth feature of the present invention, wherein the predetermined branch instruction is an indirect branch instruction in which a branch destination is determined according to an execution result of another instruction, and the branch destination information storage The gist is to store the branch destination information when the analyzed code is executed.

  According to such a feature, it is possible to detect a branch destination for an indirect branch instruction.

  A nineteenth feature of the present invention is a code detection method for detecting a detection target code by analyzing a program code including a plurality of codes, the first step of analyzing the program code, and the first step A second step of analyzing the program code using an analysis result, wherein the first step detects the detection target code from the program code, and the program is based on the detection result of the detection target code. Generating analysis information for specifying an analysis target area, which is an area to be analyzed in the second step of the code, wherein the second step refers to the analysis information and the program code A step of specifying the analysis target region in the analysis target region specified by the specifying unit And summarized in that it comprises the step of detecting al the detected code.

  According to the present invention, it is possible to provide a code detection apparatus and a code detection method that can reduce overhead in a program analysis system that detects a detection target code by analyzing a program code including a plurality of codes.

  Next, first to sixth embodiments of the present invention will be described with reference to the drawings. In the description of the drawings in the following first to sixth embodiments, the same or similar parts are denoted by the same or similar reference numerals.

<First Embodiment>
(Configuration of program analysis system)
First, the configuration of the program analysis system according to the present embodiment will be described. FIG. 3 is a functional block diagram of the program analysis system according to the present embodiment.

  As illustrated in FIG. 3, the program analysis system includes a code detection device 100, a code execution device 200, a program code storage unit 300, a dynamically analyzed code storage unit 320, and a control information storage unit 400.

  The program code storage unit 300 stores a program code including a plurality of codes. In the present embodiment, an example will be described in which each code constituting a program code is described in an assembly language including an instruction, an address of the instruction, and an argument of the instruction.

(Configuration of code detection device)
The code detection apparatus 100 detects the detection target code by analyzing the program code. The code detection device 100 includes a first analysis unit 110 and a second analysis unit 120.

  The first analysis unit 110 executes “static analysis” for analyzing the program code before executing the program. The second analysis unit 120 executes “dynamic analysis” for analyzing the program code during program execution. In the present embodiment, the second analysis unit 120 reads and analyzes the program code in units of blocks, as in the case of interpreter execution.

  The first analysis unit 110 includes a block generation unit 111, a first detection unit 112, an analysis information generation unit 113, and an analysis information storage unit 114.

  The block generation unit 111 sequentially generates blocks from the program code stored in the program code storage unit 300.

  The first detection unit 112 performs block analysis processing on the block generated by the block generation unit 111. Specifically, the first detection unit 112 determines whether or not the detection target code is included in the block generated by the block generation unit 111.

  The control information storage unit 400 stores information for specifying the detection target code and information for specifying the hook code to be added to the detection target code. The first detection unit 112 detects the detection target code in the block by referring to the control information storage unit 400.

  The analysis information generation unit 113 generates analysis information for specifying an analysis target block that is a block (region) to be analyzed by the second analysis unit 120 based on the detection result by the first detection unit 112. The analysis information generated by the analysis information generation unit 113 is stored in the analysis information storage unit 114.

  The second analysis unit 120 includes a specification unit 121, a second detection unit 122, a code output unit 123, a compilation unit 124, a hook code addition unit 125, and a cache storage unit 126.

  The specifying unit 121 specifies the analysis target block from the program code by referring to the analysis information stored in the analysis information storage unit 114.

  The second detection unit 122 detects the detection target code from the analysis target block specified by the specifying unit 121. When the detection target code is detected from the analysis target block, the second detection unit 122 determines whether the dynamically analyzed code of the analysis target block exists in the cache storage unit 126.

  When the dynamically analyzed code of the analysis target block exists in the cache storage unit 126, the second detection unit 122 acquires the cached dynamically analyzed code. The dynamically analyzed code acquired from the cache storage unit 126 is stored in the dynamically analyzed code storage unit 320 by the code output unit 123. When the dynamically analyzed code of the analysis target block does not exist in the cache storage unit 126, the second detection unit 122 outputs the analysis target block to the compilation unit 124 via the code output unit 123.

  The compiling unit 124 and the hook code adding unit 125 add the hook code immediately before the detection target code and compile the analysis target block. The analysis target block after the compile processing is stored in the cache storage unit 126.

  The code output unit 123 outputs the analysis target block after the compile processing as dynamically analyzed code. The dynamically analyzed code output by the code output unit 123 is stored in the dynamically analyzed code storage unit 320.

(Configuration of code execution device)
The code execution device 200 executes the dynamically analyzed code stored in the dynamically analyzed code storage unit 320. The code execution device 200 includes a code execution unit 210, a code control unit 220, and a control policy storage unit 800.

  The code execution unit 210 executes the dynamically analyzed code in units of blocks. Further, the code execution unit 210 specifies the address of the program code to be executed next by executing each block, and outputs the address to the specifying unit 121 as the analysis target block address. By repeating this process, it is possible to execute the interpreter with analysis by the second analysis unit 120.

  When the hook code is detected from the dynamically analyzed code, the code execution unit 210 notifies the code control unit 220 to that effect. When receiving the notification that the hook code has been detected, the code control unit 220 determines whether to execute the detection target code to which the hook code is added according to the control policy stored in the control policy storage unit 800. To do.

(Structure of analysis information)
Next, analysis information stored in the analysis information storage unit 114 will be described. The analysis information is information that identifies a memory area of a memory area that stores the program code and does not include the detection target code.

  FIG. 4 is a diagram illustrating an example of analysis information. As shown in FIG. 4, the analysis information has a configuration in which a block ID of a block not including the detection target code, a start address of the block, and an end address of the block are associated with each other. A “block” is a part of a program code expressed by a start address and an end address. Hereinafter, a block registered in the analysis information storage unit 114 is referred to as a “registered block”.

(Analysis information generation process)
Next, analysis information generation processing will be described with reference to FIGS.

  As shown in FIG. 5, the block begins with a start instruction and ends with an unconditional branch instruction. An unconditional branch instruction is an instruction that unconditionally branches to a specific code, and includes the following instructions, for example.

B PC + xxxx; Branch to address PC + xxxx BL PC + yyyy; Branch to address PC + yyyy MOV PC, lr; Branch to address stored in lr register Conversely, a conditional branch instruction has a condition field as Accordingly, it is an instruction that transfers control to a specific branch destination when the condition is satisfied.

CMP lr, r1; compares the value of the lr register with the value of the r1 register is there. A block including main and _Start is referred to as “block 1”, and an Nth generated block is hereinafter referred to as “block N”. The starting point of blocks other than block 1 is equal to the branch destination code from a certain block.

  FIG. 6 is a diagram illustrating a relationship between a plurality of blocks. In FIG. 6, the branch destinations of the branch instruction included in block 1 are block 2 and block 3. Further, the branch destination of the branch instruction included in block 3 is block 4.

(Processing flow of analysis information generation process)
Next, the processing flow of the analysis information generation process will be described. FIG. 7 is a flowchart showing a process flow of the analysis information generation process.

  In step S1000, the first analysis unit 110 acquires the start address of the first block (block 1) of the program code.

  In step S1001, the first analysis unit 110 executes block analysis processing from the start address acquired in step S1000. Details of the block analysis processing will be described later.

  In step S1002, the first analysis unit 110 registers the block analyzed in step S1001 in the analyzed block list. The analyzed block list includes the block ID, start address, and end address of the analyzed block. Blocks that have been subjected to block analysis processing once are registered in the analyzed block list.

  In step S1003, the first analysis unit 110 acquires all branch destination addresses of the blocks analyzed in step S1001. The following four patterns can be considered as the acquired branch destination addresses.

  (1) A branch destination address is specified, a branch destination block exists, and the address is not included in any analyzed block.

  (2) A branch destination address is specified, and there is no branch destination block.

  (3) The branch destination address is unspecified (there is no branch or the branch destination is unknown).

  (4) A branch destination address is specified, a branch destination block exists, and the address is included in any analyzed block.

  Patterns (1) and (4) are normal branches. As the pattern (2), for example, a branch to a dynamic link library function is applicable. As the pattern (3), for example, a case where a branch destination is determined by an external input at the time of program execution is applicable. Alternatively, the case where the program ends in the block is also included in the pattern (3).

  In the patterns (1) and (4), the branch destination block can be acquired. However, in the patterns (2) and (3), the branch destination block cannot be acquired, and the subsequent analysis is impossible.

  The difference between the patterns (1) and (4) is whether or not the block having the branch destination address as the start address has been analyzed. This is determined by whether or not the branch destination address is included in any analyzed block.

  In step S1004, the first analysis unit 110 determines whether it is possible to acquire a branch destination block. Specifically, if all the acquired branch destination addresses are pattern (1) or (4), the process proceeds to step S1005. On the other hand, if all the acquired branch destination addresses are the pattern (2) or (3), the process proceeds to step S1008.

  In step S1005, the first analysis unit 110 determines the pattern (1) and the pattern (4). That is, if all the acquired branch destination addresses are included in any analyzed block, the pattern is (4), and the process proceeds to step S1008. On the other hand, if all the acquired branch destination addresses are not included in any analyzed block, the block having the branch destination address as the start address has not been analyzed, and the process proceeds to step S1006.

  Here, the condition of the pattern (4) does not need to match the branch destination address and the start address of the analyzed block, and it is only necessary to be sandwiched between the start address and the end address. As an example, in FIG. 8, it is assumed that an arrow is a branch source and a branch destination of each block, branch from block 1 to block 2, and block 2 is analyzed. The start address of block 2 is x and the end address is y, which is registered in the analyzed block list. After that, when branching from block 3 to an address z sandwiched between x and y of block 2, the end address of the block starting from z is y, and since this block is included in block 2, it has already been analyzed. Determined.

  In step S1006, the first analysis unit 110 accumulates the start (head) addresses of all unanalyzed blocks in the analysis candidate stack. The analysis candidate stack is a FIFO stack that stores the start address of the block to be analyzed next time.

  In step S1007, the first analysis unit 110 extracts one analysis target start address from the analysis candidate stack. Thereafter, step S1001 is applied again to the block starting from the analysis target start address.

  On the other hand, in step S1008, the first analysis unit 110 checks the analysis candidate stack. If the analysis candidate stack is empty, the process advances to step S1099 to end the static analysis for the program code. On the other hand, if an analysis candidate stack is stacked, the process proceeds to step S1009.

  In step S1009, the first analysis unit 110 extracts one of the addresses.

  In step S1010, the first analysis unit 110 determines whether the address is included in any analyzed block.

  Note that when the analysis target start address is loaded on the analysis candidate stack, the block starting from that address has not been statically analyzed, but the block is blocked by another block while waiting for analysis in the stack. May be analyzed, so step S1010 is required.

  For example, in the example of FIG. 9, after analyzing the block 1, the start addresses y and w of the blocks 2 and 4 are put on the analysis candidate stack as analysis candidates. However, if block 2 is analyzed first, the analysis proceeds to blocks 3 and 4, and w is again added to the analysis candidate stack as the branch destination of block 3.

  As described above, since there is a possibility that a plurality of the same analysis target start addresses may be stacked on the analysis candidate stack, it is necessary to perform a duplicate check using the analyzed block list in step S1010. If the address has not been analyzed in step S1010, the analysis is actually executed in step S1001.

(Block analysis processing flow)
Next, the processing flow of block analysis processing will be described. In the block analysis process, when a detection target code is not included in a block starting from a given address, the block is registered in the analysis information storage unit 114. Specific examples of detection target codes and detection methods will be described later.

  FIG. 10 is a flowchart showing a processing flow of the block analysis processing.

  In step S2000, the first analysis unit 110 acquires the start address of the analysis target block.

  In step S2001, the first analysis unit 110 generates an analysis target block by specifying an end address.

  Here, the end address is basically the address of the unconditional branch instruction detected last, but there is an exception. An example in which an exception occurs will be described with reference to FIG. In FIG. 11, it is assumed that the start address of the block currently being analyzed is x, and the address of the unconditional branch instruction that is first detected from the start address is y. It is assumed that the block 2 having the start address z and the end address y is already registered in the analyzed block list. In this case, the block starting with x and ending with y partially overlaps with block 2.

  In order to prevent this situation, by detecting an unconditional branch instruction in step S2001, the acquired end address sets the start address of the generated block (here, w) as the end address of the block. Therefore, in this example, the end address of the block 4 of the start address x is w. Of course, the end address of the block is not an unconditional branch instruction.

  In step S2002, the first analysis unit 110 reads a code from the block.

  In step S2003, the first analysis unit 110 determines whether the code read in step S2002 corresponds to the detection target code. If the code read in step S2002 corresponds to the detection target code, the block is not registered in the analysis information storage unit 114 as a registered block, and the process ends. On the other hand, if the code read in step S2002 corresponds to the detection target code, the process proceeds to step S2004.

  In step S2004, the first analysis unit 110 determines whether all codes existing in the block have been read. If there is an unread (unanalyzed) code in the block, the process returns to step S2002. If there is no unread code in the block, the process proceeds to step S2005, and the block is registered in the analysis information storage unit 114.

(Specific example of block analysis processing)
Next, a specific example of the block analysis process will be described with reference to FIGS.

  In FIG. 12, the alphabet in each block represents the start address and the end address, and the arrows represent the relationship between the blocks. It is assumed that each hatched block is a block to be registered in the analysis information storage unit 114. Further, the branch destination block of the block 6 is assumed to be the branch destination of the pattern (2) or the pattern (3) described above.

  In FIG. 12, the number of blocks that can be analyzed is seven, and duplication of analysis cannot occur. Therefore, the process starting from step S1001 in FIG. 7 always occurs seven times. FIG. 13 shows analysis information, an analysis candidate stack, and an analyzed block list at the end of each process. In FIG. 13, the analysis information and the analyzed block list are indicated by block IDs, and addresses are omitted.

  After applying the first step S1001 to step S1007 for block 1, address m and address c are stacked in the analysis candidate stack, and block 1 is registered in the analyzed block list.

  Next, the address c is extracted from the analysis candidate stack, and the second analysis is performed on the block 2 having the address c as a start address. Since block 2 is a block to be registered in the analysis information storage unit 114, the registered block is block 2, and the branch destination addresses m, i, and e of block 2 are registered in the analysis candidate stack, and are stored in the analyzed block list. Blocks 1 and 2 are registered.

  Similarly, after the analysis of block 3 with e as the start address, m, i, and g are stacked on the analysis candidate stack. After the analysis of the block 4, the branch destination address is included in the block 3 that already exists in the analyzed block list, and thus is not stacked on the analysis candidate stack. By repeating the same procedure, the analysis information shown in FIG. 13 is generated.

(Dynamic analysis process flow)
Next, the dynamic analysis process, that is, the operation of the second analysis unit 120 will be described. As described above, the second analysis unit 120 identifies the program code to be analyzed from the program code based on the analysis target block address presented from the code execution unit 210, and detects the program code based on the analysis information. It is determined whether or not it is a target.

  Furthermore, the second analysis unit 120 detects the detection target code and adds a hook code to the detected detection target code. Hereinafter, the dynamically analyzed code output by the second analysis unit 120 every time is referred to as a block, similar to the description of the operation of the first analysis unit 110.

  FIG. 14 is a flowchart showing the operation of the second analysis unit 120.

  In step S3000, the second analysis unit 120 acquires the start address of the first block of the program code (start address of the first block of the main function). At the start of analysis, the start address of the first block of the program code is acquired. In the subsequent processing, the start address of the analysis target block is given by the code execution unit 210.

In step S3001, the second analysis unit 120 determines whether the start address acquired in step S3000 is included in any registered block registered in the analysis information. If the start address is included in the registration block, the process proceeds to step S3099. On the other hand, if the start address is not included in the registration block, the process proceeds to step S3002.

  In step S3099, the second analysis unit 120 determines that dynamic analysis of the analysis target block is unnecessary, and outputs the analysis target block as it is as a dynamically analyzed code.

  In step S3002, the second analysis unit 120 determines whether or not the analysis target block exists in the cache. When the analysis target block exists in the cache, the process proceeds to step S3199. If the analysis target block does not exist in the cache, the process proceeds to step S3003.

  Note that the cache search method differs depending on the cache configuration method. When the cache includes a start address and an end address, the search may be performed using the start address and the end address of the analysis target block as in the search for the analysis information.

  In step S3199, the second analysis unit 120 outputs the dynamically analyzed code existing in the cache as the dynamically analyzed code of the analysis target block.

  In step S3003, the second analysis unit 120 specifies the end address of the analysis target block, and reads the analysis target block from the program code storage unit. In step S3003, as in step S2001 of FIG. 10, it is checked again whether the address of the unconditional branch instruction detected from the block matches the end address of the analysis information. When they match, the end address of the block is one before the start address of the matched block. If they do not match, the address of the unconditional branch instruction becomes the end address of the block.

  In step S3004, the second analysis unit 120 compiles the analysis target block read in step S3003. In step S3004, a hook code is added to the detection target code detected from the block.

(Specific example of dynamic analysis processing)
The operation | movement outline | summary figure at the time of stopping at step S3099 of FIG. 14, step S3199, and step S3299 is shown in FIGS. 15 to 17, the memory space for program code is shown in the upper part, the execution memory space for the code detection apparatus 100 (second analysis unit 120) is shown in the middle part, and the execution memory space for the code execution apparatus 200 is shown in the lower part. Yes.

  In FIG. 15, the second analysis unit 120 reads a block, determines that the block is a non-analysis target block based on the analysis information, and outputs the block as it is (steps S3001 and S3099). In this case, since the hook code is not added to the block, the code control unit 220 is not called.

  In FIG. 16, the second analysis unit 120 reads a block and determines that the block is an analysis target block based on the analysis information (step S3001). The second analysis unit 120 searches the cache storage unit 126 (step S3002), and outputs the dynamically analyzed block from the cache storage unit 126 (step S3199). When a hook code is added to the block, the code control unit 220 is called when the block is executed.

  In FIG. 17, the second analysis unit 120 reads each block and determines that the block is an analysis target block based on the analysis information (step S3001). The second analysis unit 120 searches the cache storage unit 126 (step S3002). However, since the block does not exist in the cache storage unit 126, the block is read from the program code (step S3003), the read block is compiled (step S3004), and a compiled block is output (step S3299).

  Finally, since the branch destination can be reliably specified at the time of program execution, the code execution device 200 sets the second analysis unit 120 for the analysis target block address to be executed next in any case of FIGS. 15 to 17. Notify

(Action / Effect)
According to this embodiment, the 1st analysis part 110 designates the memory area which the 2nd analysis part 120 should analyze by static analysis. The second analysis unit 120 that performs dynamic analysis of the program code performs detection processing of the detection target code for a part of the program code according to the result of the static analysis. For this reason, the processing load of the second analysis unit 120 that performs dynamic analysis of the program code is reduced, and the processing speed of the entire system is improved.

  Further, by using the code detection method according to this embodiment in combination with the technique using the cache storage unit 126, the cost required for the dynamic analysis process can be greatly reduced. Also, the compilation process for adding the hook code can be omitted both when the analysis target block exists in the analysis information and when it exists in the cache. For this reason, interpreter execution using both methods has a great effect of reducing dynamic analysis processing costs compared to existing technologies. Furthermore, since only the analyzed analysis target block is stored in the cache storage unit 126, it is suitable when the memory capacity of a portable device or the like is small.

Second Embodiment
In the present embodiment, a case will be described in which the detection target code detected by the first analysis unit 110 and the second analysis unit 120 is a control transfer instruction (branch instruction) to a specific code.

  Here, as a case where the detection target code is a control transfer instruction (branch instruction) to a specific code, for example, a specific function call is applicable. That is, the detection target code is a branch instruction that branches to a specific address in the program code, and the branch destination is a specific function that is determined in advance. The specific function is, for example, a function that is not allowed to be called from program code.

  In the present embodiment, the control information storage unit 400 stores a symbol name of a specific function in addition to information specifying a detection target code and information specifying a hook code. Specifically, the control information storage unit 400 stores a detection target code and a symbol name of a specific function in association with each other.

  The branch instruction includes a branch instruction in which a branch destination address is directly designated and a branch instruction in which a branch destination address is designated by a register. In a branch instruction in which a branch destination address is directly specified, the branch destination address is compared with a symbol table included in the program code.

  When the branch destination address is specified by a register, the program code is analyzed to detect a code whose address is copied to the register, and the address is compared with the symbol table. For example, the following branch instruction corresponds to the case where the branch destination address is specified by a register.

MOV 0x12 lr
B lr
In this branch instruction, the value of the lr register that is the branch destination of the branch instruction (B) is derived from the MOV instruction. In this case, the value of the lr register is the address 0x12.

(Detection target code detection process flow)
Next, the detection process flow for the detection target code, specifically, details of step S2003 in FIG. 10 will be described. FIG. 18 is a flowchart showing a detection process flow of the detection target code.

  In step S4001, the first analysis unit 110 determines whether the read code is a branch instruction. If the read code is a branch instruction, the process advances to step S4002. On the other hand, if the read code is not a branch instruction, the process advances to step S4099.

  In step S4099, the first analysis unit 110 determines that the read code is not a detection target code.

  In step S4002, the first analysis unit 110 acquires the symbol name of the function to be called from the branch destination address of the branch instruction.

  In step S4003, the first analysis unit 110 determines whether the symbol name acquired in step S4002 matches the symbol name stored in the control information storage unit 400. If they match, the process proceeds to step S4199, and if they do not match, the process proceeds to step S4099.

  In step S4199, the first analysis unit 110 determines that the read code is a detection target code.

  The detection target code detection process described with reference to FIG. 18 is executed not only in the first analysis unit 110 but also in the second analysis unit 120.

(Action / Effect)
According to this embodiment, when the detection target code is a branch instruction that calls a function that is not permitted to be called in the program code, the control movement instruction is reliably detected. Therefore, it is possible to prevent a specific function or shared library from being called by performing control so that a branch instruction that calls a function that is not allowed to be called is not executed during program execution.

<Third Embodiment>
(Configuration of program analysis system)
In the present embodiment, a configuration in which the first analysis unit 110 adds a hook code to the detection target code will be described. FIG. 19 is a functional block diagram showing the configuration of the program analysis system according to this embodiment.

  As shown in FIG. 19, the first analysis unit 110 is different from FIG. 3 in that it includes a hook code addition unit 115 and a statically analyzed code storage unit 116.

  The hook code adding unit 115 adds a hook code to the detection target code in the program code.

  In the analysis information storage unit 114, a block to which a hook code is added in addition to a block that does not include a detection target code is registered as a registration block.

  The statically analyzed code storage unit 116 stores the statically analyzed code with the hook code added.

  The identifying unit 121 identifies the analysis target block from the statically analyzed code stored in the statically analyzed code storage unit 116 based on the analysis information stored in the analysis information storage unit 114. About another structure, it is the same as that of 1st Embodiment mentioned above.

  If the program code is developed for an embedded device, the size of the program code is often about the maximum size allowed by the system. For this reason, when the size of the program code is about the maximum size allowed by the system, the hook code may not be added during the static analysis.

  Also, if the size of the program code is about the maximum size allowed by the system, the size of the statically analyzed code will exceed the maximum size allowed by the system by not adding hook code during static analysis. Is prevented.

(Block analysis processing flow)
Next, a processing flow of block analysis processing according to the present embodiment will be described. FIG. 20 is a flowchart showing a processing flow of block analysis processing according to the present embodiment. As shown in FIG. 20, it differs from FIG. 10 in that step S2006 is added.

  In step S2006, when the code is a detection target code, the first analysis unit 110 adds a hook code by referring to the program control information.

  In step S2005, the block is registered in the analysis information both when the detection target code is detected in the block and when the detection target code is not detected in the block.

(Action / Effect)
According to the present embodiment, the analysis information storage unit 114 registers a block to which a hook code is added in addition to a block that does not include a detection target code. Based on the analysis information stored in the analysis information storage unit 114, the specification unit 121 specifies an analysis target region from the statically analyzed code stored in the statically analyzed code storage unit 116.

  Therefore, the block to which the hook code is added at the time of the static analysis is excluded from the target of the dynamic analysis (compilation), thereby reducing the number of compilation processes at the time of the dynamic analysis.

<Modified example of the third embodiment>
In the third embodiment described above, an example in which no hook code is added at the time of static analysis when the size of the program code is about the maximum size allowed by the system has been described. When hook code is added to statically analyzed code, the code size increases.

  Therefore, in this modified example, a configuration in which a hook dedicated function including a hook code is used when the detection target code is a branch instruction will be described. The hook dedicated function is linked with the program code at the time of program execution, for example, as a dynamic library function.

  The first analysis unit 110 detects a detection target code from the block. At this time, if the program code size limit has occurred, the first analysis unit 110 rewrites the branch destination of the detection target code. That is, when the detection target code is a branch instruction, the branch destination of the branch instruction is rewritten to the hook dedicated function.

  On the other hand, the hook dedicated function includes a hook code and a branch instruction as shown in FIG. As a result, the hook dedicated function called from the detection target code (branch instruction) branches to the specific function that is the original branch destination after the hook code is executed, and the original block is executed after the specific function is executed. Returned to A hook dedicated function is prepared for each detection target code.

  In FIG. 21, arrows indicate a branch source and a branch destination, a dotted line indicates a normal branch without a hook code, and a solid line indicates a branch with a hook code. It is assumed that the original code branches from the detection target code to a specific code by a function call. In this case, the branch is made from the detection target code to the address x, and after execution of the specific code, the branch is made from the address y to the original block.

  The first analysis unit 110 rewrites the branch destination of the detection target code, and sets the branch destination as the start address z of the hook dedicated function. In the hook dedicated function, a branch instruction to a specific code is embedded after the hook code. After executing the specific code, return to the original block.

  By the hook dedicated function, the hook code is always executed before the specific code is executed, and the execution of the detection target code can be controlled. In addition, since the processing load at the time of program execution increases by using a hook exclusive function, it is preferable to apply this change example when the problem of a code size arises.

<Fourth embodiment>
In the present embodiment, a configuration that can be used when the program control information stored in the control information storage unit 400 is updated will be described. When the detection target code included in the program control information is updated, the analysis information stored in the analysis information storage unit 114 needs to be updated.

  When the program control information is updated while the second analysis unit 120 is executing the dynamic analysis, the dynamic analysis is stopped and the dynamic analysis is suspended until the regeneration of the analysis information is completed. For this reason, it is necessary to regenerate the analysis information in as short a time as possible.

(Configuration of program analysis system)
FIG. 22 is a functional block diagram showing the configuration of the program analysis system according to this embodiment. As shown in FIG. 22, the control information storage unit 400 is different from FIG. 3 in that candidate codes are stored. The candidate code is a code that may become a detection target code by updating the program control division method.

  For example, when the function of a program is restricted only when a specific user uses the program, the code that calls the function becomes a candidate code, and when the program is used, the code becomes a detection target code. Even when the detection target code is updated by updating the program control information, a new detection target code is selected from the candidate codes.

  Moreover, the 1st analysis part 110 differs from FIG. 3 by the point provided with the regeneration information storage part 117. FIG. The analysis information generation unit 113 according to the present embodiment generates regeneration information in addition to the analysis information. The analysis information generation unit 113 sets a block including the candidate code as a registered block. Similar to the analysis information, the regeneration information includes a block ID, a start address, and an end address.

  When the analysis information is updated by updating the program control information, the blocks that must be analyzed by the first analysis unit 110 (specifically, the first detection unit 112) are registered in the regeneration information storage unit 117. Only blocks. Specifically, block analysis processing is executed for all the blocks registered in the regeneration information, and the analysis information is updated.

  In the block analysis processing according to the present embodiment, the blocks are classified into the following three types.

(1) Blocks including detection target codes (2) Blocks including only candidate codes that are not detection target codes (3) Blocks not including candidate codes Blocks classified in (1) above are registered only in regeneration information It should be a block. The blocks classified as (2) are blocks that should be registered in both analysis information and regeneration information. The blocks classified as (3) above are blocks that should be registered only in the analysis information.

(Regeneration information generation method)
Next, a method for generating regeneration information in block analysis processing will be described. FIG. 23 is a flowchart illustrating a method for generating regeneration information in block analysis processing. In FIG. 23, steps S2007 to S2010 are newly added from the processing flow according to the first embodiment described above.

  In step S2007, the first analysis unit 110 registers a block including the detection target code in the regeneration information.

In step S2008, the first analysis unit 110 determines whether or not the code corresponds to a candidate code when the code is not a detection target code. If the code does not correspond to a candidate code, the process proceeds to step S2004. On the other hand, if the code corresponds to a candidate code, the process proceeds to step S2009, and it is determined whether or not the code is already registered in the regeneration information. If the code is not registered in the regeneration information, the block is registered in the regeneration information in step S2010.
The reason why step S2009 is necessary is that when there are a plurality of candidate codes in the block, there is a possibility that the process proceeds to step S2010 a plurality of times during the analysis processing of the block, and duplicate registration of regenerated information occurs. This is because there is a possibility.

(Action / Effect)
According to the present embodiment, when the detection target code is changed to any candidate code, the first analysis unit 110 detects a new detection target code from the blocks registered in the regeneration information. Therefore, by generating the regeneration information in advance, it is not necessary to re-analyze the entire program code even if the program control information is updated.

<Fifth Embodiment>
In the present embodiment, attention is focused on the processing in step S3001 in FIG. The analysis target block is determined by the analysis target block address output from the code execution device 200. This analysis target block address is an address indicated by the program counter, that is, an address of a code to be executed next.

  In general, code executed in a program has locality, and the code of the entire program is not executed uniformly, and part of the code is often executed intensively. Therefore, there is a locality in the output block address to be analyzed, and there is a high possibility that a part of the addresses will correspond.

  When some codes are executed intensively, some blocks are similarly searched in the analysis target block (analysis information storage unit 114), and the same registered block is frequently found as a search result. Will be accessed.

(Configuration of program analysis system)
FIG. 24 is a configuration diagram of the program analysis system according to the present embodiment. As shown in FIG. 24, the second analysis unit 120 is different from FIG. 3 in that it includes a history information storage unit 127. As shown in FIG. 25, the history information storage unit 127 includes a block ID of a registration block (a block that does not include a detection target code), a start address of the registration block, an end address of the registration block, and the registration block. History information in which the number of times executed by the code execution unit 210 is associated is stored.

  The history information stored in the history information storage unit 127 is used by the analysis information generation unit 113 of the first analysis unit 110. The analysis information generation unit 113 updates the analysis information stored in the analysis information storage unit 114 based on the history information.

  Specifically, the analysis information generation unit 113 changes the data structure of the analysis information storage unit 114 so that registered blocks that are frequently accessed by the specifying unit 121 are searched in a shorter time. This speeds up the process in step S3001, that is, the process executed when the specifying unit 121 searches for the registered block in the analysis information storage unit 114.

  For example, at the time of the first program execution, the specifying unit 121 uses the analysis information stored in the analysis information storage unit 114 to specify the analysis target block (registered block) in the program code, and the code execution unit 210. The history information recording the registration block executed by is generated.

  After the execution of the program is completed, the analysis information generation unit 113 updates the analysis information stored in the analysis information storage unit 114 using the generated history information. For example, when each piece of data stored in the analysis information storage unit 114 is linearly searched from the top of the entry, the analysis information storage unit 114 arranges a registration block with a large number of executions at a higher level based on history information. In the example of FIG. 25, the block with the block ID2 is arranged higher than the block with the block ID1.

  The data structure used for data search generally has an index using a hash table. In this case, the data searched by the index can be searched by O (1), and ideally the linear search as described above does not occur.

  However, since there are actually a plurality of data projected to the same index, linear search is executed after the data is narrowed down once by the index. Therefore, even when analysis information is realized using a hash table, it can be said that updating analysis information using history information is useful.

(Action / Effect)
According to this embodiment, analysis information is updated according to the first program execution result. In the next program execution, the second analysis unit analyzes the program code using the updated analysis information. As a result, the program can be analyzed in a shorter time when the next program is executed than when the first program is executed.

<Sixth Embodiment>
In the present embodiment, attention is focused on the process in step S1003 of FIG. 7, that is, the process of acquiring all branch destination addresses of the analyzed block. In order to realize such processing, it is necessary to detect a branch instruction included in the block and acquire a branch destination.

  Here, when an executable program code is an analysis target, branch instructions are roughly divided into direct branch instructions and indirect branch instructions. In the direct branch instruction, the branch destination is easily obtained because the branch destination address is specified in the instruction.

  On the other hand, the indirect branch instruction is a branch using a program counter. The value of the program counter in the indirect branch instruction is determined by an instruction different from the instruction, and it is difficult to specify a value other than during program execution. Therefore, when the analysis target block includes an indirect branch instruction in step S1003, it is very difficult for the first analysis unit 110 to acquire the branch destination of the indirect branch instruction.

  On the other hand, the branch destination of an indirect branch instruction can be easily specified during program execution. This is because the branch destination value is assigned to the program counter when the program is executed, so that the branch destination can be specified only by analyzing the branch instruction.

  Therefore, in this embodiment, when an indirect branch instruction exists in the block, the second detection unit 122 of the second analysis unit 120 records the branch destination of the indirect branch instruction at the time of program execution.

(Configuration of program analysis system)
FIG. 26 is a configuration diagram of the program analysis system according to the present embodiment. As shown in FIG. 26, the second analysis unit 120 is different from FIG. 3 in that it includes a branch destination information storage unit 128.

  The second detection unit 122 of the second analysis unit 120 detects an indirect branch instruction at the time of program execution, information that can specify the branch source block (the block ID, the block address), and the branch destination by the branch instruction Are stored in the branch destination information storage unit 128 as branch destination information.

As described above, if an indirect branch instruction can be detected, it is easy to specify a branch destination during program execution. Moreover, although it depends on the architecture, the number of indirect branch instructions is limited to several types at most, so that the indirect branch instruction can be easily detected by the second detection unit 122. For example, an indirect branch instruction in the case of an assembler code in the ARM ^™ architecture is as shown in FIG. 27, for example.

(Branch destination detection processing)
Next, branch destination detection processing according to the present embodiment will be described. FIG. 28 is a diagram showing an outline of the branch destination detection process. In FIG. 28, block 0 branches to block 1 by an indirect branch instruction. When there is no branch destination information, it is very difficult to specify the address of block 1 which is a branch destination from this block 0. For this reason, as shown in FIG. 28A, detection omission occurs in the blocks 1 to 3.

  On the other hand, by using the branch destination information, the address of the block 1 that is the branch destination from the block 0 is specified, and after analyzing the block 0, the block 1 is specified. Further, as shown in FIG. 28B, the branch destination program code of block 1 (blocks 2 and 3) can be analyzed.

  As shown in FIG. 28, the branch destination information storage unit 128 stores branch destination information in which a branch destination block ID, a branch source block ID, and a branch destination address are associated with each other.

  FIG. 29 is a flowchart showing a processing flow of analysis information generation processing. 29 is different from FIG. 7 in that step S1011 is added. In Step S1011 and Step S1003, the first detection unit 112 acquires all branch destination addresses using the branch destination information.

(Action / Effect)
According to the present embodiment, when there is a detection failure of the detection target code in the first detection unit 122, the first detection unit 122 uses the branch destination information to detect the detection failure. The target code can be detected.

<Other embodiments>
As described above, the present invention has been described according to the first to sixth embodiments. However, it should not be understood that the description and drawings constituting a part of this disclosure limit the present invention. From this disclosure, various alternative embodiments, examples and operational techniques will be apparent to those skilled in the art.

  In the embodiment described above, the case where the detection target code is a branch instruction has been described, but the detection target code may be an instruction other than the branch instruction.

  In the above-described embodiment, the program analysis system including the code execution device 200 has been described. However, the present invention can also be applied to a program analysis system that does not include the code execution device.

  Thus, it should be understood that the present invention includes various embodiments and the like not described herein. Therefore, the present invention is limited only by the invention specifying matters in the scope of claims reasonable from this disclosure.

It is a figure for demonstrating the background art of this invention (the 1). It is a figure for demonstrating the background art of this invention (the 2). It is a functional block diagram of the program analysis system concerning a 1st embodiment of the present invention. It is a figure which shows an example of the analysis information which concerns on 1st Embodiment of this invention. It is a figure for demonstrating the analysis information generation process which concerns on 1st Embodiment of this invention (the 1). It is a figure for demonstrating the analysis information generation process which concerns on 1st Embodiment of this invention (the 2). It is a flowchart which shows the processing flow of the analysis information generation process which concerns on 1st Embodiment of this invention. It is a figure for demonstrating the analysis information generation process which concerns on 1st Embodiment of this invention (the 3). It is a figure for demonstrating the analysis information generation process which concerns on 1st Embodiment of this invention (the 4). It is a flowchart which shows the processing flow of the block analysis process which concerns on 1st Embodiment of this invention. It is a figure for demonstrating the block analysis process which concerns on 1st Embodiment of this invention (the 1). It is a figure for demonstrating the block analysis process which concerns on 1st Embodiment of this invention (the 2). It is a figure for demonstrating the block analysis process which concerns on 1st Embodiment of this invention (the 3). It is a flowchart which shows the processing flow of the dynamic analysis process which concerns on 1st Embodiment of this invention. It is a figure which shows the specific example of the dynamic analysis process which concerns on 1st Embodiment of this invention (the 1). It is a figure which shows the specific example of the dynamic analysis process which concerns on 1st Embodiment of this invention (the 2). It is a figure which shows the specific example of the dynamic analysis process which concerns on 1st Embodiment of this invention (the 3). It is a flowchart which shows the detection processing flow of the detection target code which concerns on 2nd Embodiment of this invention. It is a functional block diagram which shows the structure of the program analysis system which concerns on 3rd Embodiment of this invention. It is a flowchart which shows the processing flow of the block analysis process which concerns on 3rd Embodiment of this invention. It is a figure for demonstrating the block analysis process which concerns on 3rd Embodiment of this invention. It is a functional block diagram which shows the structure of the program analysis system which concerns on 4th Embodiment of this invention. It is a flowchart which shows the production | generation method of the regeneration information in the block analysis process which concerns on 4th Embodiment of this invention. It is a functional block diagram which shows the structure of the program analysis system which concerns on 5th Embodiment of this invention. It is a figure which shows an example of the historical information which concerns on 5th Embodiment of this invention. It is a functional block diagram which shows the structure of the program analysis system which concerns on 6th Embodiment of this invention. It is a figure which shows an example of an indirect branch instruction. It is a figure which shows the outline | summary of the branch destination detection process which concerns on 6th Embodiment of this invention. It is a flowchart which shows the processing flow of the analysis information generation process which concerns on 6th Embodiment of this invention.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 100 ... Code detection apparatus 110 ... 1st analysis part 111 ... Block generation part 112 ... 1st detection part 113 ... Analysis information generation part 114 ... Analysis information storage part 115 ... Hook code addition part, 116 ... Static Analyzed code storage unit, 117 ... regeneration information storage unit, 120 ... second analysis unit, 121 ... identification unit, 122 ... second detection unit, 123 ... code output unit, 124 ... compilation unit, 125 ... addition of hook code 126: Cache storage unit, 127 ... History information storage unit, 128 ... Branch destination information storage unit, 200 ... Code execution device, 210 ... Code execution unit, 220 ... Code control unit, 300 ... Program code storage unit, 320 ... Dynamically analyzed code storage unit, 400 ... control information storage unit, 800 ... control policy storage unit

Claims (17)

A code detection device for detecting a detection target code by analyzing a program code including a plurality of codes,
A first analysis unit for analyzing the program code before executing the program code ;
A second analysis unit that analyzes the program code using an analysis result by the first analysis unit during execution of the program code ;
The first analysis unit includes:
A first detection unit for detecting the detection target code from the program code;
An analysis information generation unit configured to generate analysis information for specifying a non- analysis target region that is a region not to be analyzed by the second analysis unit based on a detection result by the first detection unit; ,
The second analysis unit includes
A reference unit that refers to the analysis information , and specifies a region excluding the non-analysis target region indicated by the analysis information as the analysis target region in the program code;
A second detection unit that detects the detection target code from the analysis target region specified by the specification unit ;
The analysis information generated by the first analysis unit includes information for specifying a region that does not include the detection target code in the program code as a non-analysis target region,
The second analysis unit is a program to be analyzed among the program codes based on an address of a program code to be executed next given by a code execution unit that executes the program code during the execution of the program code. A code detection apparatus characterized by identifying a code and determining whether or not the program code is an analysis target area based on the analysis information . A control information storage unit that stores program control information including a hook code that is a code for controlling execution of the detection target code;
The code detection apparatus according to claim 1, wherein the second analysis unit adds the hook code to the detection target code detected from the analysis target region. A control information storage unit that stores program control information including a hook code that is a code for controlling execution of the detection target code;
The first analysis unit adds the hook code to the detection target code detected from the program code,
The code detection apparatus according to claim 1, wherein the specifying unit specifies a region where the hook code is not added by the first analysis unit as the analysis target region. The said 1st analysis part determines whether the said hook code is added to the said detection object code detected from the said program code according to the size or processing load of the said program code. 4. The code detection device according to 3 . The code detection apparatus according to claim 3 , wherein the first analysis unit adds a branch instruction for branching to a hook dedicated function including the hook code as the hook code to the detection target code. A control information storage unit for storing program control information including information for specifying the detection target code;
When the program control information is updated, the first detection unit detects the updated detection target code from the program code based on information for specifying the updated detection target code,
The code detection apparatus according to claim 1, wherein the analysis information generation unit updates the analysis information based on a detection result of the detection target code after the update by the first detection unit. A control information storage unit for storing program control information including information for specifying the detection target code and information for specifying a candidate code that is a code of a change destination candidate of the detection target code;
The first detection unit detects the detection target code and the candidate code from the program code based on the program control information,
The analysis information generation unit generates regeneration information for specifying a region including the candidate code in the program code based on the detection result by the first detection unit,
The first detection unit detects the changed detection target code from an area specified by the regeneration information when information for specifying the detection target code in the program control information is changed. The code detection device according to claim 1. The detection target code is a control movement instruction for calling a specific code in the program code,
The first detector and the second detector are
When a control movement command is detected from the program code, it is determined whether a call destination code of the detected control movement command is the specific code,
2. The code detection according to claim 1, wherein when the call destination code of the detected control movement instruction is the specific code, it is determined that the detected control movement instruction is the detection target code. apparatus. The second analysis unit adds the hook code to the detection target code detected from the analysis target area, compiles the analysis target area, and the analyzed code that is the analysis target area after the compile processing A cache storage unit for storing
The second detector is a case where the detection target code from said analysis target area is detected, the analyzed code corresponding to the analysis target area including the detected code is stored in the cache storage unit The code detection apparatus according to claim 1 , wherein the compiling process is omitted and the analyzed code is output . The code detection device according to claim 9 , wherein the information for specifying the non-analysis target area includes a start address of the non-analysis target area. The first analysis unit divides the program code into regions sandwiched between two branch instructions, and detects the non-analysis target region by performing detection processing of the detection target code for each of the divided regions. The code detection device according to claim 1 . The first analysis unit further includes an analysis information storage unit that stores the analysis information including information specifying the non-analysis target region,
The second analysis unit further includes a history information storage unit that stores history information in which the information for specifying the non-analysis target region is associated with the number of times the non-analysis target region is executed,
The analysis information generation unit is registered in the analysis information storage unit based on the history information stored in the history information storage unit, and more frequently registered areas accessed by the specifying unit by changing the data structure of the analysis information storage unit as retrieved in a short time, cord according to claim 1, characterized in that updating the analysis information stored in the analysis information storage unit Detection device. The code detection device according to claim 12 , wherein the information specifying the non-analysis target area stored in the history information storage unit includes at least a start address of the non-analysis target area. Whether the area of the program code to be executed next is the non-analysis target area by referring to information for specifying the non-analysis target area from higher to lower in the analysis information storage unit. Whether or not
The analysis information generation unit
Information specifying the non-analysis target area corresponding to a certain number of times or more in the history information is set in the upper order in the analysis information storage unit,
The code detection device according to claim 12 , wherein information specifying the non-analysis target region corresponding to less than a certain number of times in the history information is set in a lower order in the analysis information storage unit. The detection target code is a branch instruction;
The second analysis unit, when a predetermined branch instruction is included in the analyzed code that is the analysis target area after the compile processing , and information for specifying the predetermined branch instruction, and a branch destination of the predetermined branch instruction Is further provided with a branch destination information storage unit for storing as branch destination information,
The said 1st detection part detects the said detection object code using the said branch destination information with reference to the said branch destination information memorize | stored in the said branch destination information storage part. Code detection device. The predetermined branch instruction is an indirect branch instruction in which a branch destination is determined according to an execution result of another instruction,
The code detection device according to claim 15 , wherein the branch destination information storage unit stores the branch destination information when the analyzed code is executed. A code detection method for detecting a detection target code by analyzing a program code including a plurality of codes,
A first step of analyzing the program code before executing the program code ;
A second step of analyzing the program code using the analysis result of the first analysis step during the execution of the program code ,
The first step includes
A first detection step of detecting the detection target code from the program code;
The first based on the detection result by the detecting step, and an analysis information generating step in which the second step is to generate the analysis information for identifying the non-analysis target area is an area which is not analyzed among the program code,
The second step includes
A specifying step of the reference to the analysis information, identifies a region excluding the non-analysis target area in which the analysis information indicates as the analysis target area in the program code,
A second detection step of detecting the detection target code from the analysis target region specified by the specification step ,
The analysis information generated by the first step includes information for specifying a region that does not include the detection target code in the program code as a non-analysis target region,
The second step identifies a program code to be analyzed among the program codes based on an address of a program code to be executed next given during execution of the program code, and based on the analysis information, A code detection method for determining whether or not a program code is an analysis target area .

Images