KR102105020B1 - Dynamic self mutation system using virtual machine based code transformation technology - Google Patents

Abstract

Provided is a dynamic self-variation system using a VM-based code variation technique. The dynamic self-variation system comprises: an original code management part configured to store a source code and an execution file of an original program; and a variation engine server including an obfuscation engine configured to perform execution file recombination on the source code of the original program through obfuscation and compiling, and perform execution file recombination on an execution code of the original program through obfuscation and encoding through a virtual code, thereby selectively performing binary level obfuscation and obfuscation of the compiled execution file.

Description

Dynamic self mutation system using virtual machine based code transformation technology

The present invention relates to a method of obfuscating a program. More specifically, the present invention relates to a method of constructing a preventive code protection system in which a plurality of duplicate obfuscation execution programs are generated in advance and dynamically mutated according to a scheduler.

Reverse engineering-based unauthorized code analysis and modification is a major concern in the software industry. Such attacks can have numerous undesirable consequences, including cheating in online games, unauthorized use of software, and illegal pay TV. The industry is looking for solutions to problems to prevent reverse engineering of software systems, and code obfuscation, which makes it difficult to track or analyze sensitive code, is a potential alternative.

Obfuscation is a modification of program code while maintaining execution uniformity and can be applied at compile-time, loading-time, or run-time.

These techniques include address re-ordering and stack padding, system-call re-ordering, instruction set randomization, and heap randomization. exist.

Virtual machine (VM) based code virtualization is emerging as a promising way to implement code obfuscation. (Fang et al., 2011, Oreans-Technology, 2015, 2016, VMProtect-Software, 2015, Wang et al., 2013, 2014 Yang and Huang, 2011).

The basic principle of VM-based protection is to replace program instructions with virtual instructions unfamiliar to the attacker. The replaced virtual instructions are converted to native machine code at runtime to run on the underlying hardware platform.

Using this VM-based method, the execution path of obfuscation code can be controlled by the virtual instruction scheduler.

There are two general schedulers. The first consists of a dispatcher that determines which instructions are ready to run, and a set of bytecode handlers that decode the bytecode and convert it into basic machine code.

Through this process, the original program instructions can be replaced with custom byte codes, so that the purpose or logic of sensitive or important code areas can be concealed.

Conventional VM-based code protection technology mainly uses a single virtual instruction scheduler with a focus on making a single byte code set more complex. This is based on the assumption that the scheduler and bytecode instruction set are difficult to analyze in most real runtime environments. However, it has been proven that this assumption can often be broken by a cumulative attack. To protect software from cumulative attacks, it is important to have a certain level of non-determinism and diversity during program execution.

Accordingly, an object of the present invention is to provide a dynamic self-mutation method using a virtual machine-based code variation technique and a system based thereon by adding temporal diversity to solve the above-described problem.

 In addition, it is an object of the present invention to realize the code independence between replication programs so that it is difficult to attack other replication programs in service by neutralizing reuse of information that can be obtained even if the analysis of some replication programs by an attacker is successful.

A dynamic self-mutation system using a VM-based code variation technology according to the present invention for solving the above problems is provided. The dynamic self-mutation system includes an original code management unit configured to store source code and executable files of the original program; And an obfuscation engine configured to perform recombination of executable files through obfuscation and compilation of the source code of the original program, and recombination of executable files through obfuscation through virtual code and encoding of the executable code of the original program. Including a mutation engine server including a, binary level obfuscation and obfuscation of the compiled executable can be selectively performed. In addition, the dynamic auto-mutation system may further include an agent configured to receive the recombined executable file and apply the executable file.

In one embodiment, the obfuscation engine downloads the source code of the original program, performs obfuscation of the source code according to an obfuscation option, compiles the obfuscated code, and uses the compiled code Can be configured to recombine the executable.

In one embodiment, the obfuscation engine downloads the executable file of the original program, deassembles the original program, extracts machine code, generates virtual code corresponding to the machine code, and byte codes the virtual code. It can be configured to recombine the executable by encoding it into the original program.

In one embodiment, the obfuscation engine generates a random seed and time stamp based obfuscation technique, transforms a predefined handler into the obfuscation technique to generate a new virtual machine (VM), and the new virtual machine It can be configured to recombine the executable file by encoding with the byte code and combining it with the original program.

In one embodiment, the mutation engine server further includes a mutation code management unit configured to store and manage the duplicate programs having the same execution logic and function by time by obfuscation, and the mutation code management unit communicates with the agent To transmit the duplicate program.

In an embodiment, the target server may further include a target server configured to include the agent, and the target server may be configured to deliver a plurality of mutation programs corresponding to the replication program to a client through a proxy.

In one embodiment, the target server checks whether the security and service from the attack target and the server program and the client are normal, and the service management, the state management mechanism for managing the falsified or attacked state, the replacement mechanism related to the replacement of the replication program, and the server program and the client. Can be configured to perform a normal verification mechanism. Alternately, the client is a state management mechanism that manages service failures, tampering or attacked states, a replacement mechanism related to the replacement of the replication program, and a server program and a client to verify whether the security and service from the target are normal. It can be configured to perform a verification mechanism.

In one embodiment, in the state management mechanism, when it is determined that the service interruption occurs in the application and network layer, the target server determines a service failure state, and when the server program is forged or tampered with, new replication from the obfuscation engine By downloading the program, the server program can be restarted, the danger state of the attack on the server program is recognized, the state is transferred to the attack risk state, and the prevention program for the server program can be driven. Alternatively, if it is determined that a service interruption occurs in the application and network layers, the client determines that the service is in a failed state, and when the server program is forged or falsified, downloads a new replication program from the obfuscation engine and downloads the server program. It can be restarted, recognize the attack risk state for the server program, transition to the attack risk state, and run the prevention program for the server program.

According to at least one embodiment of the present invention, binary level obfuscation and obfuscation of a compiled executable can be selectively performed.

According to at least one embodiment of the present invention, binary level obfuscation and obfuscation for an executable file are selectively performed, and a dynamic mutation element is added in time to counter a malicious program analysis attack.

According to at least one embodiment of the present invention, it is possible to increase the analysis time by increasing the difficulty level for a malicious program analysis attack or to induce the attack to be abandoned.

1 shows a conceptual diagram of source code obfuscation and binary level obfuscation according to the present invention.
2 shows a detailed configuration of a dynamic auto-variation system that performs a dynamic auto-variation method using a virtual machine-based code variation technique according to the present invention.
3 shows a structure of a PE format according to the present invention.
4 shows an obfuscation and executable file recombination method performed by the obfuscation engine at the source code level according to the present invention.
5 shows an obfuscation, encoding and executable file recombination method performed by the obfuscation engine at the binary level according to the present invention.
6 shows a flowchart of a VM-based obfuscation method in connection with the present invention.
7 shows a configuration in which the VM-based code obfuscation method according to the present invention is performed through an obfuscation engine.
8 shows a configuration and conceptual diagram of an agent and a client performing various mechanisms according to the present invention.

The above-described features and effects of the present invention will become more apparent through the following detailed description in connection with the accompanying drawings, and accordingly, those skilled in the art to which the present invention pertains can easily implement the technical spirit of the present invention. Will be able to.

The present invention can be applied to various changes and can have various embodiments, and specific embodiments will be illustrated in the drawings and described in detail in the detailed description. However, this is not intended to limit the present invention to specific embodiments, and should be understood to include all modifications, equivalents, and substitutes included in the spirit and scope of the present invention.

In describing each drawing, similar reference numerals are used for similar components.

Terms such as first and second may be used to describe various components, but the components should not be limited by the terms. The terms are used only for the purpose of distinguishing one component from other components.

For example, the first component may be referred to as a second component without departing from the scope of the present invention, and similarly, the second component may be referred to as a first component. The term and / or includes a combination of a plurality of related described items or any one of a plurality of related described items.

Unless defined otherwise, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by a person skilled in the art to which the present invention pertains.

Terms, such as those defined in a commonly used dictionary, should be interpreted as having meanings consistent with meanings in the context of related technologies, and should not be interpreted as ideal or excessively formal meanings unless explicitly defined in the present application. Should not.

The suffix modules, blocks, and parts for components used in the following description are given or mixed in consideration of the ease of writing the specification, and do not have a meaning or a role distinguished from each other.

Hereinafter, with reference to the accompanying drawings, preferred embodiments of the present invention will be described so that those skilled in the art can easily carry out. In the following description of embodiments of the present invention, when it is determined that detailed descriptions of related well-known functions or well-known configurations may unnecessarily obscure the subject matter of the present invention, detailed descriptions thereof will be omitted.

Hereinafter, a dynamic self-mutation method using a virtual machine-based code variation technique according to the present invention and a system performing the same will be described.

The present invention relates to a method of obfuscating a program, and constructing a preventive code protection system by a scheduler by generating a plurality of duplicate obfuscation execution programs.

According to the present invention, code independence between replication programs is realized, so that even if an attacker successfully analyzes some replication programs, the reuse of information that can be obtained is neutralized, making it difficult to target other replication programs in service.

Specifically, the present invention relates to a system for a method of protecting a target program (server application) from static analysis.

Static analysis of exposed programs becomes a means of knowledge and application that can be attacked by forging, altering, or exploiting weak logic to fix the program. Accordingly, the first step goal is to create a number of malware and virus programs.

The target of static analysis of the target program is the source code obtained through reverse engineering. Depending on the level of reverse engineering, a more similar form to the original source code can be obtained. The degree of difficulty of the analysis can be eased by a similar degree, making the attack easier.

The method of preventing or making this difficult is obfuscation, which is divided into binary level and source code level depending on the target. In the case of the source code level, the obfuscation technique is applied to the source code written by the developer, and the executable file is generated and distributed through the compilation process. In the binary level, the obfuscation technique is applied in the step of generating the executable file. different.

In the case of obfuscation at the source code level, developer intervention is required, and the disadvantage is that the application step is cumbersome, but it can be confirmed whether it is applied in the compilation process and can verify the success / failure.

In the case of binary level obfuscation, there is no need for developer intervention, and since it is applied to the compiled executable file, it can be very easy to apply, but the risk of error may increase because it must be applied at a low level. It depends on the development environment. In this regard, FIG. 1 shows a conceptual diagram of source code obfuscation and binary level obfuscation according to the present invention.

Referring to FIG. 1, obfuscation of a source code level may be performed on a plurality of source codes SRC_1 to SRC_N. Subsequently, executable code may be generated through code compilation for the source code on which obfuscation has been performed. In addition, mutated executable code may be generated through binary level obfuscation of the executable code.

In the present invention, a method that can be applied to both is selectively applied, and by adding a dynamic variation factor in time, it is possible to multiply the difficulty for a malicious program analysis attack and induce the analysis time to be significantly increased or abandoned. have.

2 shows a detailed configuration of a dynamic auto-variation system that performs a dynamic auto-variation method using a virtual machine-based code variation technique according to the present invention.

In this regard, the obfuscation engine 120 for applying the obfuscation technique and the code to which the obfuscation has been applied are recombined to generate an executable file, and can be classified into an agent 1000a that applies it.

Referring to FIG. 2, the dynamic auto-variation system may include a mutation engine server 100 and a target server 1000. Meanwhile, the variation engine server 100 may be configured to include an original code management unit 110, an obfuscation engine 120, a variation code management unit 130, and a control and communication unit 140. Meanwhile, the agent 1000a in the target server 1000 may be configured to include a downloader 1010, a program control unit 1100, and one or more schedulers 1200. In addition, the client 200 may interwork with the mutation engine server 100 through the target server 1000. Specifically, the client 200 may receive a plurality of mutation programs from the program controller 1100 through the proxy 300. Detailed description of the above-described configuration will be described below.

In the structural diagram of FIG. 2, “original code” and “variant code” are collectively referred to as source code and executable code.

The source code is language level code used by the developer (programmer) when developing, and the executable code is the result of compiling the source code and can be interpreted at the machine level.

At this time, execution code (binary code) can be divided into assembly code interpreted at the machine level (eg, X86 CPU) and byte code interpreted at the virtual machine (eg, JVM) level. When executed, the byte code is converted into assembly code (machine language) and then executed on the machine.

The mutation code refers to a result of converting the source code or the execution code by maintaining the same in the execution sense through obfuscation technique. For example, in the case of a Windows environment on an x86 machine, the format is PE (Portable Executable).

3 shows a structure of a PE format according to the present invention. Typical file types executable on Windows are exe, dll, obj, sys, and so on.

1 to 3, the obfuscation engine 120 and / or the obfuscation agent 1000a may selectively apply obfuscation at the source level (= source code) and binary level (= executable code). do.

Meanwhile, FIG. 4 shows an obfuscation and execution method recombination method performed by the obfuscation engine at the source code level according to the present invention. In this regard, referring to FIGS. 1 to 4, the obfuscation engine 120 performs recombination of executable files through obfuscation and compilation of the source code of the original program. In addition, the obfuscation engine 120 may be configured to perform executable file recombination through obfuscation and encoding through virtual code on the execution code of the original program. Meanwhile, the agent 1000a is configured to receive the recombined executable file and apply the executable file. Specifically, the agent 1000a may apply the recombined executable file to the client 200 in the form of a plurality of mutation programs.

On the other hand, the application of obfuscation techniques at the source level is likely to be unable to be fully automated, and therefore requires administrator intervention at regular intervals. Referring to Figures 1 to 4, obfuscation and executable recombination method at the source code level according to the present invention has the following features. Here, each of the following step-by-step operations may be performed by the obfuscation engine 120.

1) That is, the source code of the program is placed in the Repository (10) space, and the latest version is downloaded. Here, the repository 10 corresponds to an external storage of source code, but the original code management unit 110 may also correspond to this. Alternatively, the original code management unit 110 may be configured to download the original program from the repository 10 and store source code and executable files of the original program. Meanwhile, this step uses a source code version control system (SCM) tool such as SVN to download the remote source code for the latest version or a specific version.

2) After downloading the source code, obfuscation is performed after setting options by the obfuscation option manager. At this time, a list of source code files to be applied may be selected. In other words, obfuscation is applied by selecting important parts of code rather than applying to all program sources. If all are applied, the performance of program execution may deteriorate. (That is, the memory may be large or the execution speed may be slow)

3) Details of application of obfuscation techniques are omitted.

4) The source code applied to obfuscation is built by the compiler. If an error occurs at this stage, administrator intervention is required. This means you need to tweak compiler options or take developer diagnostics for build errors.

5) After the build is completed, the time, version, obfuscation option, external interface, etc. are recorded and managed by the variation code management unit 130.

At this time, the mutant code refers to the result after obfuscation is applied, and here is an executable file (exe) or library (dll) file. Usually it will be an executable file, and it is in PE format in a state that can be run in an x86 environment.

However, in case of excessive traffic or an executable file with very large capacity, some modules are limited to manage the mutated library. On the other hand, according to the request of the "agent 1000a" of the target server 1000, the library is transferred, and the program execution path is changed to replace the library.

Accordingly, the obfuscation engine 120 downloads the source code of the original program, and performs obfuscation of the source code according to the obfuscation option. In addition, the obfuscation engine 120 may be configured to compile the obfuscated code and to recompose the executable file using the compiled code.

On the other hand, the application of obfuscation techniques at the binary level can be automated. In this regard, FIG. 5 shows a method for obfuscation, encoding and recombination of executable files performed by the obfuscation engine at the binary level according to the present invention. 1 to 3 and 5, the obfuscation engine 120 downloads an executable file of the original program, and assembles the original program to extract machine code. In addition, the obfuscation engine 120 may be configured to generate a virtual code corresponding to the machine code, encode the virtual code into byte code, and combine it with the original program to recompose the executable file.

In this regard, the technique of applying obfuscation at the binary level may be performed through the following method. In case of C / C ++ level language, it is close to machine language at compile time, JAVA level language produces bytecode at compile time, and JVM language is translated and executed by the virtual machine as the final machine language. Therefore, in the JAVA language, obfuscation can be applied more intuitively and easily than in the former case. That is, the obfuscation technique (symbol substitution, dummy code insertion, etc.) is applied to the bytecode itself.

However, in the case of C / C ++, when the transformation is made to the compiled machine language (assembly code), the identity is lost directly, and the execution itself is not executed, so obfuscation is usually applied at the source code level. Another method is to create a virtual machine (VM) directly, similar to JAVA. That is, it is a method of generating a virtual instruction corresponding to an instruction of the assembly code, and mapping the virtual machine handler that guarantees the same execution, while assuring the same operability, and transforming the assembly code into the virtual code.

Specifically, it consists of inserting the region replaced by the virtual code into the original program with respect to the code region to be protected, and upon execution, when entering the region, information such as registers and flags of the original program is stored in the context of the virtual machine. After converting the byte code of the virtual code area into machine language, it is executed on the machine. When the execution is completed, it returns to the original program area with the context information that was saved again, and the code is subsequently executed.

In the case of a program written in C / C ++, a binary-level obfuscation technique is applied by applying VM-based obfuscation to the compiled original program without modifying the source code. In this case, there is no need to download a separate source code or recompile.

The process is as follows.

1) Download the original program.

2) The machine code is extracted by disassembling the original program.

3) Create virtual code corresponding to the machine code.

4) Encode the virtual code into a byte code and combine it into the original program.

The core of the VM-based obfuscation application is to make it difficult to hide or understand the relationship between a machine instruction (Native Instruction Set) and a virtual instruction (Virtual Instruction Set). That is, the goal is to make it difficult to guess the original assembly code (Op-Code) from a virtual instruction.

At this time, one assumption is based on the fact that the mapping relationship between the machine language instruction and the virtual instruction during execution is difficult to guess in real time, and many studies have been conducted to obtain a sample executable file that applies the same obfuscation technique and reverse engineering. Several studies have been conducted and studies have been conducted to investigate the similarity of patterns.

Accordingly, in this embodiment, in order to improve the complexity of the VM implementation and obfuscation technique, it is intended to provide randomness for byte code, handler, virtual machine, and randomness for time.

In connection with the present invention, the VM-based obfuscation scheme is configured as follows. In this regard, FIG. 6 shows a flow diagram of a VM-based obfuscation method in connection with the present invention.

Referring to FIG. 6, the VM-based obfuscation method according to the present invention may perform 1) important code extraction step, 2) code virtualization step, 3) byte code generation step, and 4) file reconstruction step. This VM-based obfuscation method is performed through the following steps.

1) Important code segments to be protected are extracted from the compiled binary and decomposed into assembly code.

2) Native assembly code is converted into virtual instructions, ie, machine-independent intermediate representations used by the VM. However, the converted virtual instruction must have the same function as the original source code.

3) The generated virtual instruction is encoded in bytecode format.

4) A new VM section is linked (or inserted) to the target program, and at run time, the entry point of the protected code area calls the VM to convert the byte code instruction into native machine code to execute the program.

This VM-based code obfuscation technique disables the attack by rapidly increasing the amount of time and resource input in a way that makes it difficult for reverse engineering by allowing an attacker to interpret an unfamiliar virtualization instruction set from a familiar instruction set.

VM section components can be divided into VMContext, VMInit, Dispatcher, Handlers, Bytecode, and VMexit.

The context containing information such as local variables, function arguments, and return addresses of the target program is stored in a register-based VM memory space called VMContext.

When entering the VM, the VMinit component stores the target program context and initializes the VMContext.

After executing a protected code segment containing critical logic, VMExit restores the destination program context and then returns program control to the original program in order to continue executing native machine code.

<Example>

Since the existing VM-based code obfuscation technique assumes a single VM and a single handler set, it is easy to guess the relationship with the original assembly instructions in a structure in which similar patterns are repeated. Accordingly, the embodiment according to the present invention is based on a plurality of virtual machines, and tries to make analysis difficult by randomly generating a plurality of handlers. In this regard, FIG. 7 shows a configuration in which the VM-based code obfuscation method according to the present invention is performed through an obfuscation engine. In this regard, the new VM-based byte code transition step may be performed by a separate entity, or may be performed by the obfuscation engine 120.

Referring to FIG. 7, the obfuscation engine 120 may generate a random seed and time stamp based obfuscation technique, and transform a predefined handler into the obfuscation technique to generate a new virtual machine (VM). . In addition, the obfuscation engine 120 may be configured to recombine an executable file by encoding the byte code of the new virtual machine and combining it with the original program.

Meanwhile, a program that applies virtualization obfuscation (= VM-based code obfuscation) moves to the VM section (JUMP), reads and interprets the byte code by the dispatcher, and finds the handler corresponding to the symbol. Convert and execute the corresponding command into a machine command.

At this time, you can consider how to create multiple virtual machines (VMs) in advance. In other words, using the obfuscation technique, multiple handlers are created under the same structure. It generates random virtual instructions mapped to this replication handler, and virtual machines are created for multiple similar replicas for a predefined set of virtual instructions.

That is, multiple virtual machines that perform the same function but have different byte code formats are generated by applying obfuscation techniques.

The following shows a scenario applied to the embodiment.

1) Extract important code.

2) De-assembly (reverse engineering) in machine language (assembly) code.

3) Create a new virtual machine by transforming the predefined handler (with obfuscation technique).

4) Encode with the byte code of the new virtual machine.

5) Combine the byte code into the original program.

The “variant code management unit 130” stores and manages the duplicate programs having the same execution logic and function by time by obfuscation.

1) It communicates with the remote “agent (1000a)” to transmit the replication program.

2) It is important whether the selection criteria of the replication program are the same. That is, when a change of the original program occurs, the version must be corrected, and the duplicated program inherits the version to identify the identity. That is, a plurality of duplicate programs are regarded as the same program at the time of execution even if they have different shapes.

3) If the version is different, that is, the source code of the original program has been changed by the developer, the duplicated program is regarded as separate.

The “agent 1000a” downloads the necessary number of copy programs through communication with the “variant code management unit 130”. That is, the mutation code management unit 130 may transmit at least one replication program by communicating with the agent 1000a. Accordingly, the target server 1000 may be configured to deliver a plurality of mutation programs corresponding to the replication program to the client 200 through the proxy 300.

1) The “agent 1000a” performs network communication such as command, message transmission, and file download by a communication protocol with the “variant code management unit 130”.

2) Manage the service of the target program. That is, it governs the start and stop of the program.

3) Ensures non-disruptive execution of target programs.

In this regard, a program of interest mainly is a server type service. A number of existing commercialized products exist for the client program, and the scope of the server-type program can be limited to that of the server-type service program in order to increase the importance of security of the server-type program.

Several methods can exist to ensure non-disruptive execution. In this embodiment, a method of constructing a fault tolerant system on a distributed cluster structure is employed. In other words, multiple replication programs are run at the same time, and the proxy receives the client's request instead, and matches and delivers responses to multiple response candidate groups.

Accordingly, the target server 1000 determines whether the security and service of the server program and the client are normal from the attack target, and the state management mechanism for managing the service failure, tampering or attacked state, and the replacement mechanism related to the replacement of the replication program. It can be configured to perform a normal verification mechanism to verify.

In this regard, FIG. 8 shows a configuration and conceptual diagram of an agent and a client performing various mechanisms according to the present invention. Referring to FIG. 8, the client 200 may perform various mechanisms through the agent 1000a of the target server. In this regard, the agent 1000a may perform a state management mechanism, a replacement mechanism, and a normal verification mechanism. Alternatively, the client 200 may perform a state management mechanism, a replacement mechanism, and a normal confirmation mechanism in conjunction with the agent 1000a.

The mechanism is described in more detail as follows.

1) State management mechanism

The key is to manage the status of a service crash, tampering, or attack. In other words, the state of the program is continuously managed to keep it clean and clean.

a. Steady state

-Both server and client are operating normally

b. Service failure status

-Service interruption occurs in the application, network, and other layers.

In other words, if the network is temporarily short-circuited or stopped, it is determined that the service has failed, and measures are taken to give a warning alarm to the administrator.

If the client app has been forged, an abnormal service request may come in. In this case, communication received through a specific IP or identifier is blocked.

It corresponds to the case where the server app (program) is down. At this time, it may be down by an attack, or may be down due to a hardware and software defect. In this case, it is possible to recover to the normal state by identifying the cause of the problem and restarting it by the administrator.

c. Attacked (Modulation)

If the server app (program) is forged / modified, the “agent” downloads a new clone program from the “execution file manager” of the obfuscation engine and restarts it. At this time, a part is rebooted while maintaining the structure of two or more servers so that there is no interruption in service.

d. Risk of attack (prophylactic)

However, the status can be added in combination with a detection solution for whether the server app is attacked or not. Recently, many detection solutions for various server attacks such as zero-day attacks and APT attacks have been introduced. In conjunction with the detection events of these solutions, it recognizes the risk of attack, transitions to “attack risk” according to certain criteria, and takes preventive measures. Preventive measures go in a similar way to “attacked states”.

Accordingly, in the state management mechanism, if it is determined that the service interruption occurs in the application and network layers, the target server 200 may determine the service failure state. In addition, the target server 200 may download the new replication program from the obfuscation engine and restart the server program when the server program is forged or tampered with. In addition, the target server 200 may recognize an attack risk state for the server program, transition to an attack risk state, and drive a prevention program for the server program.

2) Replacement mechanism

a. The replacement may be regular or irregular.

Regular replacement is the replacement of the replication program with new ones at regular time intervals. It can also be downloaded through the agent in advance. At this time, the period can be determined according to the number of attacks or the volume of the program (complexity, size, language, etc.).

In other words, as the number of attacks increases, the cycle is shortened to defend against the attack success rate of the exposed replication program.

An occasional replacement is to replace a cloned program with a new mutated cloned program immediately after being successfully exposed to an attack by some cloned program, such as when the state changes to “attacked state”. Since the serviced program is changed to a different form from the existing program, the attacker must try again from the beginning.

3) Normal confirmation mechanism

The target of the attack is not only the server program, but also the client (app) that communicates with the server. In addition to the normality of service other than security (service failure), the regularity of security-related (falsification) should be done periodically.

Clients can use a solution to check for forgery. A simple method is to calculate the hash value of the application in advance and check whether it is matched at every execution.

a. There can be a heart-beat method as a normal verification algorithm between servers.

In other words, messages are exchanged at regular intervals between servers, such as pulse measurement, and if there is no response, it is considered to be disconnected after several more attempts or the server is down.

At this time, messages are exchanged with the “agent” for N replication programs. The “agent” has all the information about each copying program, and can issue a command to the copying program. The message may be a simple hello (checking whether the program is running), a hash value for checking forgery, or a command to reboot.

b. Another algorithm may be a mutual authentication method.

The protocol is configured to perform mutual authentication on the encrypted channel.

It forms a HTTPS (TLS1.2) encrypted channel, secures authentication through mutual certificates, and filters and pollutes sources (successful attacks) by using pre-shared information to solve and correct problems.

-The shared information is constantly changed and shared through the encrypted channel.

-Consider using a shared information to solve math problems by passing a computational algorithm and comparing the answers to verify them. For example, it issues (hash, a, b, c, d), passes the algorithm HAS-256, (a, b, c) values, and d values are d values The result value cannot be manipulated unless known in advance.

In the above, a dynamic self-mutation method using a virtual machine-based code variation technique according to the present invention and a system for performing the same are described. Looking at the technical effect according to the present invention are as follows.

According to at least one embodiment of the present invention, binary level obfuscation and obfuscation of a compiled executable can be selectively performed.

According to at least one embodiment of the present invention, binary level obfuscation and obfuscation for an executable file are selectively performed, and a dynamic mutation element is added in time to counter a malicious program analysis attack.

According to at least one embodiment of the present invention, it is possible to increase the analysis time by increasing the difficulty level for a malicious program analysis attack or to induce the attack to be abandoned.

The above-described features and effects of the present invention will become more apparent through the following detailed description in connection with the accompanying drawings, and accordingly, those skilled in the art to which the present invention pertains can easily implement the technical spirit of the present invention. Will be able to.

The present invention can be applied to various changes and can have various embodiments, and specific embodiments will be illustrated in the drawings and described in detail in the detailed description. However, this is not intended to limit the present invention to specific embodiments, and should be understood to include all modifications, equivalents, and substitutes included in the spirit and scope of the present invention.

According to the software implementation, design and parameter optimization for each component as well as the procedures and functions described herein may be implemented as separate software modules. Software code can be implemented in a software application written in an appropriate programming language. The software code is stored in a memory and can be executed by a controller or processor.

Claims (8)

In the dynamic self-mutation system using VM-based code mutation technology,
An original code management unit configured to store source code and executable files of the original program; And
An obfuscation engine configured to perform executable file recombination through obfuscation and compilation of the source code of the original program, and recombination of executable files through obfuscation through virtual code and encoding for the executable code of the original program A variation engine server comprising;
An agent configured to receive the recombined executable file and apply the executable file; And
A target server configured to include the agent,
The mutation engine server,
Further comprising a variation code management unit configured to store and manage the replication program having the same execution logic and function by time by the obfuscation,
The mutation code management unit transmits the replication program in communication with the agent,
The target server
A state management mechanism configured to deliver a plurality of mutation programs corresponding to the replication program to a client through a proxy, and manages a service failure, tampering or attacked state, a replacement mechanism related to the replacement of the replication program, and a server program and a client A dynamic self-mutation system, configured to perform a normal verification mechanism that checks whether security and services are normal from an attack target. According to claim 1,
The obfuscation engine,
It is configured to download the source code of the original program, perform obfuscation of the source code according to the obfuscation option, compile the obfuscated code, and recompose the executable file using the compiled code, Dynamic automutation system. According to claim 1,
The obfuscation engine,
Download the executable file of the original program, deassemble the original program, extract machine code, generate virtual code corresponding to the machine code, encode the virtual code into byte code and combine it with the original program A dynamic auto-mutation system, configured to recombine executable files. According to claim 3,
The obfuscation engine,
Generate obfuscation technique based on random seed and time stamp,
The predefined handler is modified with the obfuscation technique to create a new virtual machine (VM),
A dynamic auto-mutation system configured to recombine an executable file by encoding the byte code of the new virtual machine and combining it with the original program. delete delete delete According to claim 1,
In the state management mechanism,
The target server,
If it is determined that a service interruption occurs in the application and network layers, it is determined as a service failure state
If the server program is forged or tampered with, download a new copy program from the obfuscation engine and restart the server program,
Dynamic self-mutation system, characterized in that, by recognizing an attack risk state for the server program, transitioning to an attack risk state, and driving a prevention program for the server program.

Images