KR101478034B1 - Apparatus for analyzing code in contents, method thereof and computer recordable medium storing the method - Google Patents

Abstract

The present invention relates to an apparatus for analyzing a content code, a method thereof, and a computer-readable recording medium on which the method is recorded. The method includes the steps of: So as to improve the extraction rate. According to the present invention, the content calling unit calls the content to be analyzed. The basic information collection unit collects basic information through dynamic profiling of the called contents. The static analysis unit performs a static analysis on the content based on the collected basic information. At this time, the static analysis unit assigns the indirect address of the collected basic information to the control flow to expand the analysis range of the code area of the contents. By expanding the scope of analysis as described above, it is possible to provide a basis for extracting more effective separating execution target code blocks from the code area of the contents.

Description

BACKGROUND OF THE INVENTION 1. Field of the Invention [0001] The present invention relates to a content analyzing apparatus, a content analyzing method, and a computer-

The present invention relates to a content copy prevention technique, and more particularly, to a content code analysis device for expanding analysis coverage of a code area of a content and improving the extraction rate of a code block necessary for preventing copying of content, , A method thereof, and a computer-readable recording medium on which the method is recorded.

Generally, a plurality of contents are installed on an operating system of a host terminal. Content is a digital work that is stored and distributed in digital form and includes software, application programs, multimedia data, and the like. For example, the user can perform document editing, image editing, game, and the like using various contents installed in the host terminal.

Some of these contents are available for free, but they are sold on-line and off-line for a fee. The user purchases necessary contents and installs the purchased contents in the host terminal. The content is installed in the host terminal when it passes the authentication through the authentication number. The authentication number is usually provided with the purchased content.

The contents of the authentication method using the authentication number have a problem that they are easily exposed to hacking. That is, when a code capable of hacking the authentication number of the content or bypassing the authentication is added to the content, persons who have not purchased the content can install the copied content in the host terminal and use the content without permission.

The content provider (CP) is increasingly damaged by unauthorized use of such contents. The unauthorized use of the content is a factor that deteriorates the development intention of the contents provider.

In addition, since the content provider must pay attention to the security method for suppressing the unauthorized copying of the developed content, it takes a lot of cost to develop the content, which is a burden on the content provider.

Accordingly, it is an object of the present invention to provide a content code analyzing apparatus capable of minimizing the burden on a content provider for a security method for suppressing copying of developed content, a method thereof, and a computer readable recording medium .

It is another object of the present invention to provide a content code analyzing apparatus, a content analyzing method, and a content analyzing method capable of enhancing the extraction rate of a code block necessary for preventing copying of content by expanding a range of analysis of a content code region And to provide a computer-readable recording medium having the program recorded thereon.

In order to achieve the above object, the present invention provides a content code analyzing apparatus including a content calling unit, a basic information collecting unit, and a static analyzing unit. The content calling unit calls the content to be analyzed. The basic information collection unit collects basic information through dynamic profiling of the called content. The static analysis unit performs a static analysis on the content based on the collected basic information.

In the apparatus for analyzing content codes according to the present invention, the basic information may include information on a code region of the content collected during a run-time of the content.

The basic information may include at least one of a branch address, a jump address, a call address, and an indirect address of a RET, Address.

In the code analyzing apparatus for contents according to the present invention, the static analyzing unit may perform a static analysis by substituting an indirect address of the collected basic information into a control flow.

In the code analyzing apparatus for contents according to the present invention, the static analyzing unit can select a plurality of basic block groups through static analysis of the code area of the contents.

The basic block group includes a plurality of basic blocks, and allows entry of a control signal through an entry point and movement of a control signal between the plurality of basic blocks , And a group of the plurality of basic blocks related to each other without entry of a control signal into the plurality of basic blocks except for the starting point.

In the code analyzing apparatus for contents according to the present invention, the basic block includes a code having an attribute of a single input and a single output and an attribute of not allowing entry of a control signal from the outside to the inside, Block.

The basic information may include at least one of a start address of the basic block group, an end address of the basic block group, a number of calls of the basic block group, a size of the basic block group, And may include information on whether or not a real number calculation is performed.

In the code analyzing apparatus for contents according to the present invention, the basic information may include at least one of the number of times that the basic terminal block refers to the memory of the host terminal in the basic block group, the number of times that the OS terminal API calls in the basic block group, At least one of the execution time of the group, the total number of instructions executed in the basic block group, the number and type of parameters transmitted for execution of the basic block group, and the types of values to be returned after execution of the basic block group can do.

In the code analyzing apparatus for contents according to the present invention, a basic block group on a critical path that is necessarily executed at least once at the time of executing the content among the plurality of basic block groups is extracted as a separation execution object code block And an extraction and generation unit.

The apparatus for code analysis of contents according to the present invention may further include a storage unit for storing the content, the code block to be separated for the content, and the service content in which the code to be separated from the content is separated from the content .

The present invention also relates to a method of analyzing a content, comprising: a calling step of calling a content to be analyzed by a code analysis device; a collecting step of collecting basic information through dynamic profiling of the called content; And performing an analysis of a content of the content based on the collected basic information.

In the method for analyzing a content code according to the present invention, in the collecting step, the basic information is information about a code region of the content collected during a run-time of the content by the code analyzing apparatus .

In the collecting step, the collected basic information includes a branch address, a jump address, a call address, and an indirect address of a RET, address) of the address space.

The collected basic information may include at least one of a start address of the basic block group, an end address of the basic block group, a number of calls of the basic block group, a size of the basic block group, And information on the presence or absence of a real number calculation in the block group.

In the code analysis method of contents according to the present invention, the collected basic information may include at least one of the number of times that the basic terminal block refers to the memory of the host terminal in the basic block group, the number of times that the OS API of the host terminal is called in the basic block group, At least one of the execution time of the basic block group, the total number of instructions executed in the basic block group, the number and types of parameters transmitted for execution of the basic block group, and the types of values returned after execution of the basic block group .

In the code analysis method for contents according to the present invention, in the analysis step, static analysis can be performed by substituting the indirect address of the collected basic information into a control flow.

In the method of analyzing a content code according to the present invention, the analysis step may further include a selection step of selecting a plurality of basic block groups through the static analysis of the code area of the content.

In the code analysis method of contents according to the present invention, it is preferable that the code analyzing device, which is performed after the analyzing step, includes a plurality of basic block groups on a critical path which is always executed at least once in executing the contents And extracting the basic block group as a separate execution object code block.

The code analysis method of contents according to the present invention may further comprise: a step of generating a list of code blocks to be separated, which is executed by the code analysis device after the extracting step, And inserting the stub code into the code area from which the block is extracted to generate the service content.

In the method of analyzing a content code according to the present invention, the calling step may further include a security level setting step in which the code analyzing device sets a security level for the content to be analyzed. The code analyzing apparatus may further include an extracting step of extracting a code block to be separated from the plurality of basic block groups according to the set security level, which is performed after the analyzing step.

In the code analysis method for contents according to the present invention, the security level setting step may include: displaying the security level setting item by the code analyzing device; and the security level setting item selected from the security level setting items And setting a security level.

In the method of analyzing content codes according to the present invention, the security level setting item may include at least one of a basic block group calling frequency, a basic block group calling position, a memory reference frequency of a host terminal, an OS API reference frequency of a host terminal, Of hardware elements of the < / RTI >

In the method of analyzing a content code according to the present invention, the selecting step includes the steps of: the code analyzing device defining a basic block group in a code area of the content; And if there is a control signal, dividing and redefining the basic block group based on an instruction address of the control signal.

In the code analysis method of contents according to the present invention, in the redefining step, the finally redefined basic block group is divided into a property of a single input and a single output, And may include a plurality of basic blocks having attributes that are not allowed.

The present invention also provides a computer-readable recording medium having recorded thereon a code analysis method for the content.

According to the present invention, since static analysis is performed on the content using the basic information of the code area collected through dynamic profiling of the content, It is possible to improve the extraction rate of code blocks necessary for preventing copying of contents.

By utilizing the code analysis technique of the content according to the present invention, the content provider can minimize the cost burden on the security method for suppressing the reproduction of the developed content.

1 is a block diagram showing a configuration of a content analyzing apparatus according to an embodiment of the present invention.
2 is a block diagram showing the configuration of the control unit of FIG.
3 is a block diagram showing a data structure of contents.
4 is a block diagram showing the configuration of the content for service execution and the code block to be separated from the content.
Figs. 5 to 7 are illustrations for explaining the attributes of the code block to be separated. Fig.
8 is a flowchart illustrating a code analysis method of contents according to an embodiment of the present invention.
FIGS. 9 and 10 are exemplary diagrams for explaining a selection step of a basic block group extracted by the separation execution target code block in FIG. 8. FIG.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings.

1 to 7, an apparatus 10 for analyzing content code according to an exemplary embodiment of the present invention includes an input unit 11, a storage unit 13, (15) and a control unit (17), and performs dynamic profiling and static analysis on the content (30).

The code analyzing apparatus 10 according to the present embodiment is an apparatus for analyzing the contents 30 in order to serve the contents 30 in a digital rights management (DRM) system based on separation execution. Herein, the term " separate execution " means that the host terminal and the storage device operate in conjunction with each other in executing the content 30. [ Particularly, in order to realize separation execution, some code blocks (hereinafter referred to as 'separation execution target code blocks 34') separated from the code area 31 of the original contents 30 are installed in the storage device, The content from which the code block 34 has been removed (hereinafter referred to as "service content 32") is installed in the host terminal. Therefore, in order to execute the content 30 based on the separation execution, the host terminal requests the storage device for the output value of the part where the separation execution object code block 34 is removed during execution of the service content 32, And executes the corresponding contents 30 in the form of the contents. At this time, the detachment object code block 34 is converted into a code block for the storage device executable in the storage device having the processor, and is provided to the storage device. The code analyzing apparatus 10 according to the present embodiment can divide the content 30 into a separate execution target code block 34 and a service content 32 through analysis of the content 30. [

At this time, the code analyzing apparatus 10 according to the present embodiment may be a terminal device capable of dynamic profiling and static analysis of the content 30, and may be a server built on a host terminal or a network. The host terminal includes a PC, a notebook, a workstation, a smart phone, and the like.

The input unit 11 provides a plurality of keys for operating the code analyzing apparatus 10 and generates a selection signal according to the key selection of the analyst and transmits the generated selection signal to the controller 17. The analyzer can call the content 30 to be analyzed through the input unit 11 and input a selection signal for code analysis of the called content 30. The input unit 11 may be an input device such as a keypad, a pointing device such as a touch pad, or a touch screen.

The storage unit 13 stores a program necessary for controlling the operation of the code analysis apparatus 10 and information generated during execution of the program. In particular, the storage unit 13 stores an execution program for performing dynamic profiling and static analysis on the contents 30. [ The storage unit 13 includes a content 30 to be analyzed, a separation execution target code block 34 extracted through code analysis of the content 30, and a separation execution target code block 34 from the content 30 The service content 32 in which the stub code 36 (stub code) is inserted in the code area can be stored.

At this time, the content 30 may include a plurality of files, for example, an application program interface (API) provided by an operating system, an API provided by a developer, or a dynamic linking library (DLL). The content 30 including the plurality of files may be divided into a code area 31 and a data area 33. The actual content 30 includes a code area 31 and a data area 33 . The code region 31 includes a plurality of code blocks, and the separation execution object code block 34 includes a plurality of code blocks extracted from the code region 31. For example, the detachment object code block 34 includes a plurality of basic block groups 37, and the basic block group 37 is a group of a plurality of basic blocks 35. [

At this time, the basic block 35 is a sequence of instructions having attributes of a single input and a single output, and is a code block having attributes that do not allow entry from the outside to the inside Can be defined. That is, the basic block 35 is a continuous sentence (a group of codes) which is executed all at once from start to end, and is a group of sentences whose execution is not stopped due to the flow control in the middle.

The service content 32 includes a code area 31a in which a stub code 36 is inserted in a code area of the basic block group 37 extracted by the separation executing object code block 34 and a data area 33 do. At this time, the stub code 36 has a code area extracted from the contents for service 32 and a code execution area corresponding to the extracted code area corresponding to the extracted code area when performing the separation execution of the contents 30 between the host terminal and the storage device The block 34 is connected. That is, the stub code 36 transfers the control signal from the extracted code area to the storage device when performing the separation execution for the content 30. [ The storage device 53 receiving the control signal performs an operation on the separation execution object code block 34 corresponding to the control signal and returns the calculated output value to the host terminal 51.

The separation execution subject code block 34 includes a plurality of basic block groups 37 extracted from the code area 31 of the contents 30 through profiling and analysis of the contents 30. [ That is, the separation execution target code block 34 performs the profiling and analysis of the content 30 and selects the basic block group 37 (37) from the code area 31 of the content 30 as the selected basic block group 37 ) May be extracted into the separation execution object code block 34. [ A stub code 36 is inserted in the part where the separation execution object code block 34 is extracted. As will be described later, through the profiling and analysis of the content 30, the content 30 is divided into the separation execution object code block 34 and the service contents 32 from which the separation execution object code block 34 is extracted . For example, the separation execution object code block 34 may include a code block existing on a critical path of the contents 30, that is, a basic block group 37. [ Here, the important path means a path that is always executed at least once when the content 30 is executed.

The detachment object code block 34 may be converted into a code block for a storage device and provided in a form stored in the storage device or in a form of a download. The separation execution object code block 34 is a basic block group 37 including a plurality of basic blocks 35 as described above. The separation execution subject code block 34 permits the entry of the control signal through the entry point of the separation execution subject code block 34 and the movement of the control signal between the basic blocks 35, It is preferable to select the basic block group 37 including a plurality of mutually related basic blocks 35 without entry of the control signal into the basic block 35 excluding the starting point of the basic block 35. [

When extracting the basic block group 37 having the control signal into the basic block 35 excluding the starting point from the basic block group 37 with the separation execution object code block 34, The control signal may enter the stub code 36 inserted after extracting the block 34 in the middle rather than the beginning. In this case, the stub code 36 can not process the corresponding control signal, and execution of the corresponding content 30 may be stopped or an error may occur. That is, since the stub code 36 includes a garbage value such as NOP (no-operation instruction) in the remaining area except for the first 5 bytes, an error may occur when the control signal enters the area containing the garbage value. In other words, since the basic block group 37 having the control signal input to the basic block 35 excluding the starting point has a high probability of generating an error when performing the separation execution, 34).

The display unit 15 can display information stored in the storage unit 13 as well as various function menus executed by the code analysis apparatus 10. [ The display unit 15 can display a list of the content 30 to be analyzed, the code block for separation execution 34, and the contents for service 32 under the control of the control unit 17. [ The display unit 15 can display image information necessary for code analysis. At this time, an LCD (Liquid Crystal Display) or a touch screen may be used as the display unit 15. The touch screen serves both as a display device and as an input device.

The control unit 17 is a microprocessor that performs the overall control operation of the code analysis apparatus 10. [ The control unit 17 controls the dynamic profiling and the static analysis on the content 30. [ The control unit 17 extracts the separation execution object code block 34 through dynamic profiling and static analysis or generates a list of extracted extraction execution object code blocks 34 or generates service contents 32 .

In particular, the control unit 17 includes a content calling unit 12, a basic information collecting unit 14, and a static analyzing unit 16, and may further include an extracting and generating unit 18. The content calling unit 12 calls the content 30 to be analyzed. The basic information collecting unit 14 performs dynamic profiling on the called content 30 to collect basic information. The static analysis unit 16 performs a static analysis on the code area 31 of the content 30 based on the collected basic information. The extraction and generation unit 18 extracts the separation execution object code block 34 from the contents 30 using the analysis information of the static analysis unit 16 or extracts the list of the extraction execution object code blocks 34 Or generates content 32 for service.

The content calling unit 12 can call the corresponding content 30 in the storage unit 13 when a selection signal for the content 30 to be analyzed is input through the input unit 11. [ The content calling unit 12 may receive and set the security level of the content 30 to be analyzed when the content 30 to be analyzed is called. That is, the content calling unit 12 can display the list of the contents 30 to be analyzed on the display unit 15. [ The analyzer selects the content 30 to be analyzed in the list through the input unit 11 and selects and sets a security level for the selected content 30. [ At this time, the content calling unit 12 displays a security level setting item that can be selected by the analyst on the display unit 15. [ When the analyzer selects a specific security level setting item from among the displayed security level setting items, the content calling unit 12 sets the security level of the content 30 to be analyzed as the selected security level setting item.

For example, the security level setting item includes a code block to be extracted, that is, a calling frequency of the basic block group 37, a calling position of the basic block group 37, a memory reference frequency of the host terminal, an OS API reference frequency of the host terminal, And at least one of hardware elements.

The call frequency item of the basic block group 37 is an item set by the analyzer by the call frequency of the separation execution target code block 34 to be automatically extracted by profiling and analysis, 30) is called during the execution of the item can be selected. At this time, the higher the calling frequency, the more important the security effect is because the corresponding basic block group 37 is important, but this may impair the storage device and reduce the execution speed of the entire contents 30. Accordingly, the analyzer preferably sets an appropriate calling frequency according to the security level of the content 30 to be analyzed.

The calling position item of the basic block group 37 is used to select the basic block group 37 called at the beginning of execution of the program in the selection of the detachment execution object code block 34 or to select the basic block group 37 ) Is selected.

The memory reference frequency item of the host terminal is an item for setting how often the separation execution subject code block 34 to be selected refers to the memory of the host terminal. The higher the memory reference frequency, the greater the dependency on the host terminal. This means that the security efficiency due to the isolation execution target code block 34 is high. However, when the memory of the host terminal is referred to repeatedly, the execution speed of the content 30 can be lowered. Therefore, the analyzer preferably sets an appropriate memory reference frequency according to the security level of the content 30 to be analyzed.

The OS API reference frequency item of the host terminal is an item for setting how often the OS code reference block 34 to be selected refers to the OS API. The higher the OS API reference frequency, the greater the dependency on the host terminal. This means that the security efficiency due to the isolation execution target code block 34 is high. However, when the OS API of the host terminal is frequently referred to, it is possible to lower the execution speed of the content 30. Therefore, the analyzer sets the reference frequency of the OS API according to the security level of the content 30 to be analyzed desirable.

The hardware element of the storage device may be a hardware form factor of a storage device to be used with the content 30, for example, a DRAM, a NAND Flash, or a NOR Flash, And the speed of the microprocessor. The hardware element of the storage device is one of the important factors in calculating the output value by executing the actual separation execution object code block 34. [

In the present embodiment, the analyst has disclosed an example of directly setting the security level, but the security level can be set to the default. In the present embodiment, an example of setting the security level after selecting the content 30 to be analyzed has been described. However, it is also possible to select the content 30 to be analyzed after setting the security level.

As described above, the content 30 includes a plurality of files, for example, APIs provided by the operating system, APIs provided by the developer, or files such as DLLs. Therefore, it is not desirable to set a part to be analyzed in the content 30 and to select a basic block block extracted from the API that has already been released from the content 30 as the code block 34 for separation execution, It is necessary to limit the portion to be analyzed of the code region 31 to the code region 31.

The basic information is information collected for the code area 31 through dynamic profiling during run-time with respect to the content 30. In other words, since dynamic profiling can track the inputs, outputs, and values assigned to registers and the flow of content 30 to the code, dynamic profiling can be used to extend the scope of analysis, can do. The collected basic information includes the start address of the basic block group 37, the end address of the basic block group 37, the number of calls of the basic block group 37, the size of the basic block group 37, ) ≪ / RTI > In particular, the collected basic information includes at least one indirect address of a branch address, a jump address, a call address, and an indirect address of a RET. The indirect address includes the start address of the basic block group 37, the size of the basic block group 37, and the information about the branch taken address. The collected basic information includes the number of times the host terminal's memory is referred to in the basic block group 37, the number of times the OS terminal API calls are made in the basic block group 37, The execution time of the block group 37, the total number of instructions executed in the basic block group 37, the number and type of parameters transmitted for execution of the basic block group 37, the return after execution of the basic block group 37 And the type of value to be used.

The static analysis unit 16 performs a static analysis on the code area 31 of the content 30 based on the basic information collected for the code area 31. [ That is, the static analysis unit 16 performs static analysis on the code area 31 excluding the relevant part because it is not preferable to select a part related to the disclosed API among the contents 30 as an analysis target. At this time, the static analysis unit 16 may perform static analysis based on the basic information excluding the basic information related to the published API among the contents 30 among the collected basic information.

A general static analysis is a method of finding the starting point of the code area 31 of the contents 30 and analyzing the starting point of the contents 30 according to the control flow. Therefore, since there is no information available on the run-time basis for static analysis, it is only possible to move to a path in which a certain value is indicated in the binary code. Especially, there are restrictions on the value of register, data of Heap area, and movement to external DLL. In addition, following the control flow also has significant limitations in the absence of indirect information. Therefore, general static analysis can grasp various starting points arbitrarily, but it is difficult to have meaning, so the range of analysis is limited.

However, since the static analysis unit 16 performs static analysis based on the basic information collected through dynamic profiling, the analysis range of the code region 31 of the content 30 can be extended. In other words, the static analysis unit 16 may extend the scope of analysis of the code area 31 of the content 30 by performing dynamic profiling alone or by performing a static analysis by assigning an indirect address in the collected basic information to the control flow It is possible to extract more effective basic block groups 37 as compared to performing them.

Since the scope of analysis of the contents 30 can be extended through the assignment of the indirect addresses in this manner, the dynamic range of the content 30 can be varied according to the characteristics of the contents 30 to be analyzed. However, The scope of analysis can be increased several tens of times. For example, if a static analysis is performed for a compression program such as Alzip.exe (a solution of Eastsoft Co., Ltd.), the analysis range is less than 1%. However, if static analysis is performed using basic information collected through dynamic profiling The analysis range of 27% or more can be confirmed. That is, the number of indirect addresses existing in the code area 31 of the content 30 is considerably large and the possibility of extending the analysis range by using the indirect address means that various outputs, for example, the basic block group 37 can be derived do.

On the other hand, since the size of the basic block group 37 can be several tens to hundreds of bytes in 1 Byte as in the RET, the larger the size of the basic block group 37, the more likely the probability of internal entry becomes large. Also, if all instructions of the content 30 can be examined and analyzed before execution, a more accurate and detailed basic block group 37 can be defined. However, this also can not completely define the basic block group (37) due to the existence of the indirect address.

Therefore, the basic block group 37, which does not enter the control signal to the basic block 35 except for the start point, is allowed to move to the content 30, while allowing the entry of the control signal through the start point and the movement of the control signal between the basic blocks 35, The static analysis unit 16 can select the basic block group 37 in the code area 31 of the content 30 by using the following definition.

At this time, the definition of the basic block group 37 is as follows. The basic block group 37 defined once is not fixedly defined but the basic block group 37 is separated and redefined according to the presence or absence of a control signal entering into the basic block group 37. [

2, 3, and 9, the static analysis unit 16 includes a basic block group 37 including a plurality of basic blocks 35 associated with each other in the code area 31 of the contents 30, Can be defined. In this case, the defined basic block group 37 can be regarded as a group of the basic blocks 35 in which there is no entry of the control signal into the basic block 35b except the starting point so far during the analysis.

Here, when the control signal through the basic block 35a located at the start point of the basic block group 37 is input, the static analysis unit 16 does not perform redefinition of the corresponding basic block group 37. [ Also, even when the control signal moves between the basic blocks 35 included in the basic block group 37, the static analysis unit 16 does not perform redefinition of the corresponding basic block groups 37. That is, in the two cases, the static analysis unit 16 maintains the current definition state of the basic block group 37.

However, as shown in FIGS. 2, 3 and 10, when the control signal is inputted to the other basic block 35b except for the basic block 35a located at the starting point of the basic block group 37, The base block 16 redefines the basic block group 37 by dividing the corresponding basic block group 37 based on the basic block 35b to which the control signal is inputted. That is, if there is a control signal entering the inside of the basic block group 37, the static analysis unit 16 divides and redefines the basic block group 37 based on the instruction address of the control signal.

By redefining the basic block group 37 as described above, it is possible to increase the probability that the divided basic block groups 37a and 37b are formed as a basic block group without internal entry.

At this time, the basic block group 37 to be redefined is divided into the first basic block group 37a and the subsequent second basic block group 37b including the command address of the control signal based on the command address of the control signal. ). The branch address of the first basic block group 37a becomes the next instruction address for entry into the start point of the second basic block group 37b.

By repeating this redefinition step, the finally redefined basic block group 37 is divided into a plurality of basic blocks 35 having attributes of single input and single output and attributes that do not permit entry from the outside to the inside, (37). ≪ / RTI >

The extraction and generation unit 18 extracts the separation execution object code block 34 from among the extracted plurality of basic block groups 37 or generates a list of the extraction execution object code blocks 34 extracted, (32). Particularly, the extraction and generation unit 18 extracts a basic block group 37 on an important path that is necessarily executed at least once at the time of executing the content 30 among the plurality of extracted basic block groups 37, 34). The extraction and generation unit 18 can extract the separation execution object code block 34 according to the set security level. For example, the analyzer may assign a weight to at least one of the calling frequency of the basic block group 37, the calling position of the basic block group 37, the memory reference frequency of the host terminal, the OS API reference frequency of the host terminal, If the security level is set, the extraction and generation unit 18 can select the separation execution object code block 34 according to the set security level. That is, the analyst can set the security level at the analyzer level in consideration of the type, value, and the like of the content 30, and thereby obtain the copy prevention effect of the content 30.

The extraction and generation unit 18 can generate a list of extracted extraction execution target code blocks 34. [ The list of the separation execution target code block 34 may be provided to the content registration server together with the corresponding content 30 and used when registering the corresponding content 30. [

The extraction and generation unit 18 can generate the service content 32 by inserting the stub code 36 into the code area from which the separation execution object code block 34 is extracted. At this time, the stub code 36 connects the code area extracted from the contents 30 and the extracted code object block 34 to be extracted.

The extraction and generation unit 18 further includes a separation execution target code block 34 extracted from the content 30 and a service content 34 into which the stub code 36 is inserted in the code area from which the separation execution target code block 34 is extracted (32), and may be stored in the storage unit (13).

When the control signal through the basic block 35 located at the starting point is inputted, the separation execution target code block 34 extracted by the extraction and generation unit 18 as described above allows input of the corresponding control signal. The separation execution object code block 34 allows the movement of the control signal between the basic blocks 35 according to the input of the control signal through the start point. Further, the separation executing object code block 34 includes a plurality of basic blocks 35 in which no control signal is input to the basic block 35 excluding the starting point. In other words, the separation executing object code block 34 includes a plurality of basic blocks 35 which do not allow entry of the control signal into the basic block 35 excluding the starting point.

The extraction execution target code block 34 extracted by the extraction and generation unit 18 has the attributes shown in Figs. 5 to 7. That is, as shown in FIG. 5, when the control signal through the basic block 35a located at the starting point is inputted, the separation execution object code block 34 allows input of the corresponding control signal.

As shown in Fig. 6, the code block 34 for separation execution permits the movement of the control signal between the basic blocks 35a and 35b according to the input of the control signal through the start point.

As shown in Fig. 7, the code block 34 for separation execution includes a plurality of basic blocks 35a and 35b which do not enter control signals into the basic block 35b except for the start point. In other words, the separation execution object code block 34 includes a plurality of basic blocks 35 which do not allow entry of the control signal into the basic block 35b excluding the starting point.

Therefore, the code analyzing apparatus 10 according to the present embodiment performs a static analysis on the content 30 using the basic information of the code area 31 collected through the dynamic profiling of the content 30 The analysis range of the code area 31 of the content 30 can be expanded and the extraction rate of the code block necessary for preventing copying of the content 30 can be improved.

A code analysis method according to the present embodiment will be described with reference to FIG. 1 to FIG. 8 is a flowchart illustrating a method of analyzing a content code according to an exemplary embodiment of the present invention. FIGS. 9 and 10 are exemplary diagrams for explaining a selection step of a basic block group extracted by the separation execution target code block in FIG. 8. FIG.

First, in step S61, the code analysis device 10 calls the content 30 to be analyzed. That is, when a selection signal for calling the content 30 to be analyzed from the analyst is input through the input unit 11, the code analysis apparatus 10 displays the list of the pre-analysis contents 30 stored in the storage unit 13 on the display unit 15). Then, when the specific content 30 is selected from the list, the code analyzing apparatus 10 calls the selected content 30. [

Next, in step S63, the code analyzing apparatus 10 sets a security level for the selected content 30. [ That is, the code analyzing apparatus 10 displays on the display unit 15 a security level setting item that the analyst can select. When the analyzer selects a specific security level setting item from the displayed security level setting items, the code analyzing device 10 sets the security level of the content 30 to be registered with the selected security level setting item.

At this time, although the example of proceeding in the order of steps S61 and S63 has been described in this embodiment, it may be performed in the reverse order. If the security level is set to the default, the code analyzing apparatus 10 may skip step S63.

Next, in step S65, the code analyzing apparatus 10 starts execution of the called content 30.

Next, in step S67, the code analysis device 10 performs dynamic profiling on the called content 30 to collect basic information about the code area 31. [ That is, the code analyzing apparatus 10 collects basic information about the code area 31 during the run-time for the content 30. The collected basic information includes the start address of the basic block group 37, the end address of the basic block group 37, the number of calls of the basic block group 37, the size of the basic block group 37, ) ≪ / RTI > In particular, the collected basic information includes at least one indirect address among a branch address, a jump address, a call address, and an indirect address of RET. The indirect address includes the start address of the basic block group 37, the size of the basic block group 37, and information on the branch address. The collected basic information includes the number of times the host terminal's memory is referred to in the basic block group, the number of times the OS terminal API calls are made in the basic block group, the execution time of the basic block group, A number of types of parameters to be transferred for execution of the basic block group, and types of values to be returned after execution of the basic block group.

In step S69, the code analyzing apparatus 10 performs a static analysis based on the collected basic information. That is, the code analyzing apparatus 10 substitutes the indirect address among the collected basic information on the control flow, and performs a static analysis on the code area 31 of the content 30.

As described above, in the present embodiment, since the static analysis is performed based on the collected basic information, the analysis range for the code area 31 of the content 30 is extended compared to performing the dynamic profiling or static analysis alone .

On the other hand, in step S69, the code analyzing apparatus 10 can select a plurality of basic block groups 37 through static analysis based on basic information. In other words, the code analyzing apparatus 10 can select a plurality of basic block groups 37 in the code region of the content by substituting the indirect address among the collected basic information into the control flow.

In step S69, the code analyzing apparatus 10 can select the basic block group 37 through a definition (rule), as shown in Figs. 9 and 10. Fig.

9, the code analysis apparatus 10 can define a basic block group 37 including a plurality of basic blocks 35 associated with each other in the code area 31 of the content 30 .

Here, when the control signal through the basic block 35a located at the start point of the basic block group 37 is inputted, the code analysis apparatus 10 does not perform redefinition of the corresponding basic block group 37. [ Also, even when the control signal moves between the basic blocks 35 included in the basic block group 37, the code analyzing apparatus 10 does not perform redefinition of the corresponding basic block groups 37. [ That is, in the above two cases, the code analysis apparatus 10 maintains the basic block group 37 in its current defined state.

10, when the control signal is inputted to the other basic block 35b except for the basic block 35a located at the starting point of the basic block group 37, The block group 37 is divided and redefined based on the basic block 35b to which the control signal is inputted. That is, if there is a control signal entering the inside of the basic block group 37, the code analyzing apparatus 10 divides and redefines the basic block group 37 based on the command address of the control signal.

By redefining the basic block group 37 as described above, it is possible to increase the probability that the divided basic block groups 37a and 37b are formed into the basic block group 37 without internal entry.

At this time, the basic block group 37 to be redefined is divided into the first basic block group 37a and the subsequent second basic block group 37b including the command address of the control signal based on the command address of the control signal. ).

By repeating this redefinition step, the finally redefined basic block group 37 is divided into a plurality of basic blocks 35 having attributes of single input and single output and attributes that do not permit entry from the outside to the inside, (37). ≪ / RTI >

Subsequently, in step S71, the code analyzing apparatus 10 can extract the separation execution object code block 34 from among the plurality of selected basic block groups 37. [ In other words, in step S71, the code analyzing apparatus 10 can extract the basic block group 37 into the separation execution object code block 34 according to the security level set in the selected plurality of basic block groups 37. [ For example, the analyzer may determine the calling frequency of the basic block group 37, the calling position of the basic block group 37, the memory reference frequency of the host terminal 51, the OS API reference frequency of the host terminal 51, When at least one of the hardware elements is weighted and a security level is set, the code analyzing apparatus 10 can extract the separation execution object code block 34 according to the set security level.

At this time, the code analyzing apparatus 10 may generate a list of extracted extraction execution target code blocks 34 after step S71.

In step S73, the code analyzing apparatus 10 can generate the service content 32 by inserting the stub code 36 into the code area from which the separation execution object code block 34 is extracted. At this time, the stub code 36 connects the code area extracted from the contents 30 and the extracted code object block 34 to be extracted.

In this way, the separation execution object code block 34 is extracted from the contents 30, the service execution contents 32 are generated by inserting the stub code 36 into the code area from which the separation execution object code block 34 is extracted , The code analyzing apparatus 10 can divide the contents 30 into the separated execution execution target code block 34 and the generated service contents 32. [ At this time, in step S73, the code analysis apparatus 10 can store the separation execution object code block 34 and the service contents 32 in the storage unit 13. [

The code analysis method of contents according to the present embodiment may be implemented in the form of a program command which can be executed through various computer means and recorded in a computer-readable recording medium. The recording medium may include program commands, data files, data structures, and the like, alone or in combination. Program instructions to be recorded on a recording medium may be those specially designed and constructed for the present invention or may be available to those skilled in the art of computer software. For example, the recording medium may be a magnetic medium such as a hard disk, a floppy disk and a magnetic tape, an optical medium such as a CD-ROM or a DVD, a magneto-optical medium such as a floppy disk magneto-optical media, and hardware devices that are specially configured to store and execute program instructions such as ROM, RAM, flash memory, and the like. Examples of program instructions may include machine language code such as those generated by a compiler, as well as high-level language code that may be executed by a computer using an interpreter or the like. Such a hardware device may be configured to operate as one or more software modules to perform the operations of the present invention, and vice versa.

It should be noted that the embodiments of the present invention disclosed in the present specification and drawings are only illustrative of specific examples for the purpose of understanding and are not intended to limit the scope of the present invention. It will be apparent to those skilled in the art that other modifications based on the technical idea of the present invention are possible in addition to the embodiments disclosed herein.

The present invention relates to a device for code analysis of contents, a method thereof, and a computer-readable recording medium on which the method is recorded, wherein basic information of a code area is collected through dynamic profiling of contents, The scope of analysis of the code area of the content is expanded and the extraction rate of the code block necessary for preventing the copying of the content is improved thereby to realize the separation execution object It is possible to provide an analysis technique capable of effectively extracting code blocks.

10: Code analysis device 11: Input section
12: content calling unit 13:
14: basic information collecting part 15: display part
16: static analysis unit 17: control unit
18: Extraction and Generation Unit 30: Contents
31: code area 32: contents for service
33: data area 34: separation execution target code block
35: Basic Block 37: Basic Block Group

Claims (26)

A code analyzing apparatus for contents,
A content calling unit for calling contents to be analyzed;
A basic information collection unit for collecting basic information through dynamic profiling of the called content;
A static analyzer for performing a static analysis on a code area of the content based on the collected basic information and selecting a plurality of basic block groups in a code region of the content; And
An extraction and generation unit for extracting a basic block group on a critical path that is executed at least one time in executing the content among the plurality of basic block groups into a separation execution object code block;
And a content analyzer for analyzing the contents of the content. The method according to claim 1,
Wherein the basic information includes information on a code region of the content collected during a run-time of the content. 3. The method of claim 2,
Wherein the basic information comprises at least one indirect address of a branch address, a jump address, a call address, and an indirect address of a RET. Device. The apparatus according to claim 1,
And a static analysis is performed by substituting the indirect address of the collected basic information into a control flow. delete The method according to claim 1,
Wherein the basic block group allows entry of a control signal through an entry point and movement of a control signal between the plurality of basic blocks, and a plurality of control signals for the plurality of basic blocks except for the start point And a basic block of the content. The method according to claim 6,
Wherein the basic block is a code block having a property of a single input and a single output and an attribute of not allowing entry of an external control signal into the internal block. The method according to claim 1,
The basic information includes information on the start address of the basic block group, the end address of the basic block group, the number of calls of the basic block group, the size of the basic block group, and whether there is a real number calculation in the basic block group Characterized by a content code analyzing device. 9. The method of claim 8,
Wherein the basic information includes at least one of the number of times that the basic terminal block refers to the memory of the host terminal in the basic block group, the number of times that the host terminal calls the OS API in the basic block group, the execution time of the basic block group, A number and type of parameters transmitted for execution of the basic block group, and types of values returned after execution of the basic block group. delete The method according to claim 1,
A storage unit for storing the content, the code block to be separated for execution of the content, and the service content in which the code block for separation execution is separated from the content;
Wherein the content analyzing apparatus further comprises: In a code analysis method of contents,
A calling step for calling the content to be analyzed by the code analysis device;
A collection step of collecting basic information through dynamic profiling of the called content by the code analysis device;
An analysis step of performing a static analysis on a code area of the content based on the collected basic information and selecting a plurality of basic block groups;
An extraction step of extracting, from the plurality of basic block groups, a basic block group on a critical path that is necessarily executed at least once at the time of executing the content, as a separation execution object code block;
And analyzing the content of the content. 13. The method according to claim 12, wherein, in the collecting step,
Wherein the basic information includes information on a code region of the content collected during a run-time of the content by the code analysis apparatus. 13. The method according to claim 12, wherein, in the collecting step,
Wherein the collected basic information includes at least one indirect address among a branch address, a jump address, a call address, and an indirect address of a RET. Code analysis method. 13. The method according to claim 12, wherein, in the collecting step,
Wherein the collected basic information includes information on a start address of a basic block group, an end address of a basic block group, a number of calls of a basic block group, a size of a basic block group, and whether there is a real number calculation in a basic block group Method of code analysis of content. 16. The method of claim 15,
The collected basic information includes the number of times the basic terminal block refers to the memory of the host terminal in the basic block group, the number of calls to the OS API of the host terminal in the basic block group, the execution time of the basic block group, Further comprising at least one of a number of instructions, a number and type of parameters to be transmitted for execution of a basic block group, and a type of a value to be returned after executing a basic block group. 13. The method of claim 12, wherein in the analyzing step,
And a static analysis is performed by substituting the indirect address of the collected basic information into a control flow. delete delete 13. The method of claim 12, further comprising:
Generating a list of extracted code blocks to be extracted by the code analyzing device; or
Generating a service content by inserting a stub code into a code area from which the code execution unit is extracted;
The method of claim 1, further comprising: 13. The method of claim 12,
Wherein the calling step includes a security level setting step in which the code analyzing device sets a security level for the content to be analyzed,
And the code analyzing unit extracts a code block to be separated from among the plurality of basic block groups according to the set security level in the extracting step. 22. The method of claim 21,
The code analysis device displaying a security level setting item;
Setting the security level to a security level setting item selected from the security level setting items;
And analyzing the content of the content. 23. The method of claim 22,
Wherein at least one of a calling frequency of the basic block group, a calling position of the basic block group, a memory reference frequency of the host terminal, an OS API reference frequency of the host terminal, and a hardware element of the storage device is included. 13. The method of claim 12,
Defining a basic block group in a code region of the content;
A redefining step of redefining the basic block group based on an instruction address of the control signal when the code analyzing apparatus has a control signal for entering the basic block group;
And analyzing the content of the content. 25. The method of claim 24, wherein in the redefining step,
Wherein the finally redefined basic block group comprises a plurality of basic blocks having attributes of a single input and a single output and attributes that do not permit entry from the outside to the inside. The code analysis method of. A computer-readable recording medium on which a program for performing the method according to any one of claims 12 to 17, and 20 to 25 is recorded.

Images