KR101741131B1 - Apparatus and method for analysing crash, and computer-readable medium storing program for method thereof - Google Patents
Apparatus and method for analysing crash, and computer-readable medium storing program for method thereof Download PDFInfo
- Publication number
- KR101741131B1 KR101741131B1 KR1020160024583A KR20160024583A KR101741131B1 KR 101741131 B1 KR101741131 B1 KR 101741131B1 KR 1020160024583 A KR1020160024583 A KR 1020160024583A KR 20160024583 A KR20160024583 A KR 20160024583A KR 101741131 B1 KR101741131 B1 KR 101741131B1
- Authority
- KR
- South Korea
- Prior art keywords
- crash
- memory
- analyzing
- instruction
- risk
- Prior art date
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/36—Preventing errors by testing or debugging software
- G06F11/3604—Software analysis for verifying properties of programs
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/008—Reliability or availability analysis
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/36—Preventing errors by testing or debugging software
- G06F11/362—Software debugging
- G06F11/3624—Software debugging by performing operations on the source code, e.g. via a compiler
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/36—Preventing errors by testing or debugging software
- G06F11/362—Software debugging
- G06F11/366—Software debugging using diagnostics
Abstract
Description
The present invention relates to a crash analysis apparatus and a method thereof, and more particularly, to a crash analysis apparatus and method for determining a risk of a vulnerability occurring when a crash occurs by statically analyzing a program.
Recently, the use of mobile devices such as smart phones and tablet PCs has increased dramatically. In addition, damage from mobile security infringement such as personal information leakage is increasing rapidly. Recent reports on mobile security threats have increased infringement by malicious code on mobile devices to a degree comparable to PC environments. These security threats generally exploit program vulnerabilities and lead to malicious behavior. Therefore, in order to appropriately respond to these security threats, it is required to develop an analysis technique for detecting vulnerability of mobile code.
For mobile code analysis, some constraints must be considered. First, since mobile applications are generally provided to users as binary executables, analysis techniques targeting binary code are needed. And because most mobile devices use ARM processors, which consume less power than x86 processors, analysis techniques for ARM binary code should be studied. However, compared to x86 binary code, analysis research on ARM binary code is relatively inactive, and there are not many analysis tools suitable for ARM binary code analysis. Therefore, we need a static analyzer for ARM binary code.
Accordingly, the present invention provides a crash analysis apparatus and method for determining a risk of a vulnerability occurring when a binary program is converted into an intermediate language and then a static analysis is performed on the binary program.
The present invention also provides a crash analysis apparatus and method for automatically analyzing a binary program according to an attack pattern of a hacker to detect the possibility of an attack by a hacker.
In addition, the present invention provides a crash analysis apparatus and method for improving the accuracy of a memory analysis result by analyzing a memory in the case of a storage-related command.
The present invention also provides a computer-readable recording medium on which a program for executing a method for automatically analyzing the crash is recorded.
In order to achieve the above object, a crash risk analysis apparatus provided by the present invention comprises a disassembler for disassembling a binary program into a machine language, and obtaining control flow information from the machine language; An intermediate language converter for converting the machine language into an intermediate language; A crash generator for generating a plurality of crashes by a crash-inducing program previously created to intentionally cause a crash; And a crash risk analyzer for statically analyzing all the commands affected by each of the instructions that have generated the plurality of crashes among the instructions converted into the intermediate language and analyzing the risk of the corresponding crash.
Advantageously, the risk analyzer identifies the arrival points of the instructions for each of the instructions that generated the plurality of crashes, finds the point at which the instruction is actually used among the reach points, It can be derived as a graph.
Preferably, the risk analyzer identifies a command that can transfer control of the program from the usage point graph, and then, if the command that generated the crash is a store series command or a branch series command, The possibility can be analyzed.
If the target address of the branch sequence command is influenced by the command that generated the crash, the risk analyzer may determine that the crash is attackable.
Preferably, the risk analyzer further performs a memory analysis process of subdividing a memory region when the instruction that generated the crash is a store sequence command, and analyzing a region that can be stored in the register and the memory for each instruction .
Preferably, the risk analyzer may refine the stack memory area after dividing the heap memory area and the stack memory area to perform the memory analysis process.
Preferably, the risk analyzer detects a heap memory using the fact that the return value is an address of a heap area allocated after the dynamic memory allocation function call, and uses the initialized register information at the function start point To detect a stack memory.
According to another aspect of the present invention, there is provided a crash risk analysis method comprising: disassembling a binary program into a machine language; Obtaining control flow information from the machine language; Converting the machine language into an intermediate language; Generating a plurality of crashes by a crash-inducing program previously created to intentionally cause a crash; And statically analyzing all the commands affected by each of the plurality of commands generated in the intermediate language and analyzing the risk of the corresponding crash.
Advantageously, said risk analysis step comprises the steps of: identifying the arrival points of said instructions for each of said instructions that have generated said plurality of crashes; Finding a point at which the corresponding instruction is actually used among the reaching points and deriving the result as a usage point graph; And analyzing an attack possibility by identifying an instruction that can transfer control of the program from the use point graph.
Preferably, the attack possibility analysis step may analyze an attack possibility when the command that generated the crash is a store series command or a branch series command.
Preferably, if the target address of the branch sequence command is influenced by the instruction that generated the crash, the attack possibility analysis step may determine that the crash is attackable.
Preferably, the risk analysis step further includes a memory analysis step of subdividing the memory area when the instruction causing the crash is a store sequence command, and analyzing a region that can be stored in the register and the memory for each instruction can do.
Preferably, the memory analysis step may include: dividing a heap memory area and a stack memory area; And elaborating the stack memory region.
According to another aspect of the present invention, there is provided a computer-readable recording medium having recorded thereon a program for performing one of the methods described above.
The present invention enables a crash analysis for a binary program by statically analyzing a program based on an intermediate language. Therefore, it is possible to automatically determine the risk of a vulnerability if a binary program crash occurs. In particular, when a crash occurs in a binary program, the present invention can automatically prevent a hacker from analyzing a binary program according to an attack pattern of the hackers, thereby determining the possibility of an attack by the hacker. As a result, the present invention has an advantage of effectively reducing invasion of malicious code for mobile devices. In addition, the present invention has the advantage of increasing the accuracy of the memory analysis result by analyzing the memory in the case of the storage related command.
1 is a schematic block diagram of an apparatus for analyzing a crash risk according to an embodiment of the present invention.
2 is a schematic flowchart of a crash risk analysis method according to an embodiment of the present invention.
3 is a schematic flowchart of the risk analysis process of FIG.
FIG. 4 is a diagram for explaining the memory analysis process of FIG. 3. Referring to FIG.
5 is a view for explaining the arrival point identification process of FIG.
FIG. 6 is a view for explaining an actual use point derivation process of FIG. 3. FIG.
FIG. 7 is a schematic processing flowchart of the memory analysis process of FIG. 3. FIG.
8 is a view for explaining a memory area dividing process of FIG.
FIGS. 9 to 11 are views for explaining the stack memory area refinement process of FIG.
12 is a diagram illustrating an example of a screen outputting a memory area analysis result according to an embodiment of the present invention.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, embodiments of the present invention will be described with reference to the accompanying drawings, which will be described in detail to facilitate a person skilled in the art to which the present invention pertains. The present invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. In order to clearly illustrate the present invention, parts not related to the description are omitted, and like parts are denoted by similar reference numerals throughout the specification. And a detailed description thereof will be omitted to omit descriptions of portions that can be readily understood by those skilled in the art.
Throughout the specification and claims, where a section includes a constituent, it does not exclude other elements unless specifically stated otherwise, but may include other elements.
1 is a schematic block diagram of an apparatus for analyzing a crash risk according to an embodiment of the present invention. Referring to FIG. 1, an
A
The
The
The
Meanwhile, the
2 is a schematic flowchart of a crash risk analysis method according to an embodiment of the present invention. 1 and 2, a risk analysis method according to an embodiment of the present invention is as follows.
First, in step S100, the
In step S200, the
In step S300, the
In step S400, the
In step S500, the
At this time, an example of a more detailed process of the risk analysis process of step S500 is illustrated in FIG.
Referring to FIGS. 1 and 3, the risk analysis process (S500) will now be described.
First, in step S510, the
In step S520, the
In step S530, the
Finally, in step S540, the
On the other hand, in the case of the branch sequence command, if the target address is influenced by the command that generated the crash, it can be determined that the corresponding crash is attackable.
FIG. 7 is a schematic processing flowchart of the memory analysis process of FIG. 3. FIG. Referring to FIGS. 1 and 7, the memory analysis step S510 is as follows.
First, in step S512, the
Meanwhile, in step S514, the
In the above-described exemplary system, the methods are described on the basis of a flowchart as a series of steps or blocks, but the present invention is not limited to the order of the steps, and some steps may occur in different orders .
It will also be understood by those skilled in the art that the steps shown in the flowchart are not exclusive and that other steps may be included or that one or more steps in the flowchart may be deleted without affecting the scope of the invention.
Claims (15)
A disassembler for disassembling the binary program into a machine language and obtaining control flow information from the machine language;
An intermediate language converter for converting the machine language into an intermediate language;
A crash generator for generating a plurality of crashes by a crash-inducing program previously created to intentionally cause a crash; And
And a crash risk analyzer for statically analyzing all the commands affected by each of the instructions that have generated the plurality of crashes among the instructions converted into the intermediate language and analyzing the risk of the corresponding crash,
The risk analyzer
Identifying arrival points of the instructions for each of the instructions that generated the plurality of crashes, finding a point at which the instruction is actually used among the arrival points, deriving the result as a usage point graph,
And analyzing an attack possibility when the instruction causing the crash is a store series instruction or a branch series instruction word after identifying a command capable of transferring the control right of the program from the usage point graph,
Further comprising the steps of: if the instruction causing the crash is a store sequence instruction, further performing a memory analysis process of analyzing a memory region and an area that can be stored in a register and a memory for each instruction,
In order to perform the memory analysis process, a heap memory area and a stack memory area are separated from each other,
The heap memory is detected by using the fact that the return value after the dynamic memory allocation function call is the address of the allocated heap area and the stack memory is detected using the register information initialized at the function start point Wherein the crash risk analysis device is characterized in that:
Wherein when the target address of the branch sequence command is influenced by the instruction that generated the crash, the crash determination unit determines that the crash is attackable.
Disassembling the binary program into a machine language;
Obtaining control flow information from the machine language;
Converting the machine language into an intermediate language;
Generating a plurality of crashes by a crash-inducing program previously created to intentionally cause a crash; And
Analyzing all the commands affected by each of the plurality of commands generated in the intermediate language and analyzing the risk of the corresponding crash;
The risk analysis step
Identifying arrival points of the instructions for each of the instructions that generated the plurality of crashes;
Finding a point at which the corresponding instruction is actually used among the reaching points and deriving the result as a usage point graph;
Analyzing an attack possibility by identifying a command capable of transferring control of the program from the use point graph; And
And a memory analyzing step of segmenting the memory area when the instruction causing the crash is a store sequence command and analyzing an area that can be stored in the register and the memory for each instruction,
The memory analysis step
And separating a heap memory area and a stack memory area,
The segmentation step
The heap memory is detected by using the fact that the return value after the dynamic memory allocation function call is the address of the allocated heap area and the stack memory is detected using the register information initialized at the function start point The crash risk analysis method comprising the steps of:
And analyzing the possibility of an attack if the command causing the crash is a store series command or a branch series command.
Wherein when the target address of the branch sequence command is influenced by the command that generated the crash, the crash is determined to be attackable.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020160024583A KR101741131B1 (en) | 2016-02-29 | 2016-02-29 | Apparatus and method for analysing crash, and computer-readable medium storing program for method thereof |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020160024583A KR101741131B1 (en) | 2016-02-29 | 2016-02-29 | Apparatus and method for analysing crash, and computer-readable medium storing program for method thereof |
Publications (1)
Publication Number | Publication Date |
---|---|
KR101741131B1 true KR101741131B1 (en) | 2017-05-29 |
Family
ID=59053519
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
KR1020160024583A KR101741131B1 (en) | 2016-02-29 | 2016-02-29 | Apparatus and method for analysing crash, and computer-readable medium storing program for method thereof |
Country Status (1)
Country | Link |
---|---|
KR (1) | KR101741131B1 (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20190078546A (en) * | 2017-12-26 | 2019-07-04 | 충남대학교산학협력단 | Apparatus and Method for crash risk classification of program |
KR20200107538A (en) * | 2019-03-08 | 2020-09-16 | 한국전자통신연구원 | System and method for generating secure profile of container instance |
KR102344497B1 (en) * | 2020-09-11 | 2021-12-28 | 국방과학연구소 | Software taint analysis method and software taint analysis device using the same |
WO2022097799A1 (en) * | 2020-11-09 | 2022-05-12 | 동국대학교 산학협력단 | Security vulnerability analysis method for generating function abstract information and electronic device including same |
-
2016
- 2016-02-29 KR KR1020160024583A patent/KR101741131B1/en active IP Right Grant
Non-Patent Citations (1)
Title |
---|
"공격 가능한 크래시 탐지를 위한 ARM 바이너리의 정적 분석 방법", 충남대학교 대학원 석사학위논문(2015.02.)* |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20190078546A (en) * | 2017-12-26 | 2019-07-04 | 충남대학교산학협력단 | Apparatus and Method for crash risk classification of program |
KR102267618B1 (en) * | 2017-12-26 | 2021-06-21 | 충남대학교산학협력단 | Apparatus and Method for crash risk classification of program |
KR20200107538A (en) * | 2019-03-08 | 2020-09-16 | 한국전자통신연구원 | System and method for generating secure profile of container instance |
KR102186009B1 (en) | 2019-03-08 | 2020-12-04 | 한국전자통신연구원 | System and method for generating secure profile of container instance |
US11449600B2 (en) | 2019-03-08 | 2022-09-20 | Electronics And Telecommunications Research Institute | System and method for generating security profile of container instance |
KR102344497B1 (en) * | 2020-09-11 | 2021-12-28 | 국방과학연구소 | Software taint analysis method and software taint analysis device using the same |
WO2022097799A1 (en) * | 2020-11-09 | 2022-05-12 | 동국대학교 산학협력단 | Security vulnerability analysis method for generating function abstract information and electronic device including same |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Wu et al. | Effective detection of android malware based on the usage of data flow APIs and machine learning | |
Xiao et al. | Malware detection based on deep learning of behavior graphs | |
EP3295647B1 (en) | Malware warning | |
Ham et al. | Analysis of android malware detection performance using machine learning classifiers | |
US20160110543A1 (en) | Apparatus and method for detecting malicious application based on visualization similarity | |
Kapratwar et al. | Static and dynamic analysis of android malware | |
KR101051722B1 (en) | Monitor program, monitoring method and computer program product for hardware related thereto | |
KR101741131B1 (en) | Apparatus and method for analysing crash, and computer-readable medium storing program for method thereof | |
Rana et al. | Evaluation of tree based machine learning classifiers for android malware detection | |
Sabhadiya et al. | Android malware detection using deep learning | |
US20140075560A1 (en) | Automatic classification of security vulnerabilities in computer software applications | |
JP2021523434A (en) | Malware detection | |
Zhu et al. | Android malware detection based on multi-head squeeze-and-excitation residual network | |
Han et al. | Malware classification methods using API sequence characteristics | |
KR101963756B1 (en) | Apparatus and method for learning software vulnerability prediction model, apparatus and method for analyzing software vulnerability | |
CN108764374B (en) | Image classification method, system, medium, and electronic device | |
Motiur Rahman et al. | StackDroid: Evaluation of a multi-level approach for detecting the malware on android using stacked generalization | |
Ren et al. | MobiSentry: Towards easy and effective detection of android malware on smartphones | |
JP5441043B2 (en) | Program, information processing apparatus, and information processing method | |
Andreopoulos | Malware detection with sequence-based machine learning and deep learning | |
CN106462704B (en) | Dynamic reads in code analysis device and dynamic reads in code analysis methods | |
Mane et al. | Review of malware detection using deep learning | |
Peng et al. | ACTS: extracting android app topological signature through graphlet sampling | |
Yu et al. | Android Malware Detection Using Ensemble Learning on Sensitive APIs | |
Vijay et al. | Android-based smartphone malware exploit prevention using a machine learning-based runtime detection system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
E701 | Decision to grant or registration of patent right | ||
GRNT | Written decision to grant |