WO2020075335A1 - 解析機能付与装置、解析機能付与方法及び解析機能付与プログラム - Google Patents
解析機能付与装置、解析機能付与方法及び解析機能付与プログラム Download PDFInfo
- Publication number
- WO2020075335A1 WO2020075335A1 PCT/JP2019/020095 JP2019020095W WO2020075335A1 WO 2020075335 A1 WO2020075335 A1 WO 2020075335A1 JP 2019020095 W JP2019020095 W JP 2019020095W WO 2020075335 A1 WO2020075335 A1 WO 2020075335A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- analysis
- hook
- point
- trace
- analysis function
- Prior art date
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/563—Static detection by source code analysis
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/54—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by adding security routines or objects to programs
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/46—Multiprogramming arrangements
- G06F9/54—Interprogram communication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/032—Protect output to user by software means
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/033—Test or assess software
Definitions
- the present invention relates to an analysis function addition device, an analysis function addition method, and an analysis function addition program.
- a malicious script is a program that exploits the functions provided by the script engine to realize an attack.
- an attack is carried out using a script engine that an operating system (OS) has by default, or a script engine included in a specific application such as a web browser or a document file viewer.
- OS operating system
- Obfuscation of code is a problem that occurs when parsing malicious scripts. Many malicious scripts have a process called obfuscation that interferes with analysis. Obfuscation deliberately increases the complexity of the code, making it difficult to parse based on the surface information of the code. That is, obfuscation interferes with an analysis method called static analysis, which analyzes information obtained from the code without executing the script.
- the method called dynamic analysis that knows the behavior by executing the script and monitoring its behavior is not affected by the obfuscation as described above. Therefore, a method based on dynamic analysis is mainly used in the analysis of malicious scripts.
- Hooks are commonly used in dynamic analysis of malicious scripts.
- a hook is a mechanism for adding unique processing to a specific place in a program.
- log output processing is added by using a hook to analyze by grasping the execution status of the script.
- script level hooks As a hook method for analyzing a script, there are roughly three methods depending on the place where the hook is applied. These are script level hooks, system level hooks, and script engine level hooks.
- ⁇ Script level hook is a method to directly hook the script to be analyzed. Since the malicious script is generally obfuscated as described above, it is not easy to find the insertion position of the hook that can obtain useful information for the analyst from the script. Therefore, hooks are implemented by overriding certain language elements.
- the language element refers to a functional unit provided to the programmer by the script language. Language elements include prepared functions, methods, and statements. For example, the eval function and the document.write method provided by JavaScript (registered trademark) and the CreateObject statement provided by VBScript are each one language element.
- System level hook is a method to hook system API (Application Programming Interface) and system calls.
- the system level hook implements the analysis by executing the script while monitoring the process of the script engine after applying the hook.
- ⁇ Script engine level hook is a method of hooking a specific function in the script engine. Generally, it is not obvious which part of the program code of the script engine corresponds to the part to be hooked, so it is necessary to identify the part to be hooked by analyzing the script engine. Then, in the script engine level hook, the hook is applied to the relevant part, and the script is analyzed by executing it.
- Non-Patent Document 1 describes a method of creating a framework that analyzes JavaScript by hooking by overriding a function provided by JavaScript, which is called JavaScript API hooking. This is an example of a script level hook. According to this method, the behavior of a script written in JavaScript can be analyzed.
- Non-Patent Document 2 by hooking a system call using a hardware breakpoint on a virtual machine monitor (VMM (Virtual Machine Monitor)) and executing while referring to a specific data structure of Windows, The system call trace log at thread level is acquired. According to this method, the behavior of the script can be analyzed through the script engine by acquiring the system call trace of the script engine that is executing the script. This is an example of a system level hook.
- VMM Virtual Machine Monitor
- Non-Patent Document 3 implements a data flow analysis function called taint analysis on the VMM and realizes an API hook that accurately tracks the code to be analyzed. According to this method, by acquiring the API of the script engine that is executing the script, the behavior of the script can be analyzed through the script engine. Again, this is an example of a system level hook.
- Non-Patent Document 4 an open source script engine (ActionScript in this document) is modified to add a function to trace a method call, property access, and class generation. This is an example of a script engine level hook. According to this method, the behavior of the script can be analyzed.
- Non-Patent Document 1 relies on a language specification that a language element such as a built-in function can be overridden, and for a specific script language having such a language specification. Since it is only feasible, there was a problem of poor versatility.
- Semantic gap refers to a semantic gap.
- the amount of information that can be obtained varies depending on the information obtained when monitoring the level of the script itself or the script engine near it, and the information obtained when monitoring at the system level where there is a gap from the script. It is called a semantic gap.
- the operation of the cookie observed by the language element Document.Cookie.Set is observed at the system level as a mere WriteFile to the file related to the cookie. This reduces the amount of semantic information from cookie operations to file operations. This is called the loss of semantics, which is a problem caused by the semantic gap.
- Non-Patent Document 4 a semantic gap does not occur because the behavior can be monitored in the vicinity of the script called the script engine, but how to implement the hook depends on the implementation of the script engine. There is a problem that it is not obvious because it depends. In other words, it is not possible to know the location in the script engine where hooks are applied to insert the analysis code (called the hook point) and the memory monitoring location (called the tap point) that is output as a log by the analysis code. It needs to be clarified by analysis.
- script engine level hooks can be solved in principle, unlike the problems of script level hooks and system level hooks. That is, if hook points and tap points can be detected from the script engine binary and hooks can be automatically applied, any script engine can have an analysis function without a semantic gap.
- Non-Patent Document 5 and Non-Patent Document 6 an analysis method for extracting a code portion having a specific function by automatic reverse engineering for an application executed on an OS on a VMM. And an analysis method for detecting tap points is proposed.
- Non-Patent Document 5 and Non-Patent Document 6 do not realize the detection of the hook point, and the application target is not the script engine, so that the automatic hook to the script engine is realized. There was a problem of not having it.
- the present invention has been made in view of the above, and can be arbitrarily applied regardless of the language specification of the script language, and an analysis function addition device that can realize the addition of the analysis function without causing a semantic gap,
- An object is to provide an analysis function addition method and an analysis function addition program.
- the analysis function providing device executes while monitoring a script engine, and acquires an execution trace including an API trace and a branch trace.
- the first detection unit that analyzes the execution trace and detects the hook point where the hook is inserted to insert the analysis code, and the memory monitoring point that outputs the log by the analysis code based on the monitoring at the hook point.
- a second detection unit that detects a tap point, and a providing unit that provides a script engine with a hook and an analysis function based on the hook point and the tap point.
- the analysis function can be arbitrarily applied regardless of the language specification of the script language, and an analysis function can be provided without causing a semantic gap.
- FIG. 1 is a schematic diagram illustrating the outline of the processing of the analysis function adding device according to the embodiment.
- FIG. 2A is a diagram showing an example of the test script shown in FIG. 2B is a diagram showing an example of the test script shown in FIG. 2-3 is a diagram showing an example of the test script shown in FIG.
- FIG. 3 is a diagram showing an example of the execution trace.
- FIG. 4 is a diagram showing an example of a data structure of data stored in the execution trace database (DB) shown in FIG.
- FIG. 5 is a diagram showing an example of a data configuration of data stored in the hook point DB.
- FIG. 6 is a diagram showing an example of a data configuration of data stored in the tap point DB.
- FIG. 2A is a diagram showing an example of the test script shown in FIG. 2B is a diagram showing an example of the test script shown in FIG. 2-3 is a diagram showing an example of the test script shown in FIG.
- FIG. 3 is a diagram showing an example of the execution trace.
- FIG. 7 is a diagram illustrating an example of processing of the backtrace analysis unit.
- FIG. 8 is a diagram illustrating an example of processing of the difference execution analysis unit.
- FIG. 9 is a diagram illustrating an example of processing of the modified Smith-Waterman algorithm.
- FIG. 10 is a diagram illustrating an example of processing of the tap point detection unit.
- FIG. 11 is a flowchart showing a processing procedure of the analysis function adding method according to the embodiment.
- FIG. 12 is a flowchart showing the processing procedure of the execution trace acquisition processing shown in FIG.
- FIG. 13 is a flowchart showing the processing procedure of the backtrace analysis processing shown in FIG.
- FIG. 14 is a flowchart showing the processing procedure of the difference execution analysis processing shown in FIG. FIG.
- FIG. 15 is a flowchart showing the processing procedure of the modified Smith-Waterman algorithm application processing shown in FIG.
- FIG. 16 is a flowchart showing the processing procedure of the tap point detection processing shown in FIG.
- FIG. 17 is a flowchart showing the processing procedure of the analysis function addition processing shown in FIG.
- FIG. 18 is a diagram illustrating an example of a computer that realizes an analysis function adding device by executing a program.
- the analysis function adding device detects hook points and tap points by analyzing a script engine binary using a test script.
- the hook point is the point where the hook is applied and the analysis code is inserted.
- a function (called an internal function) of the internal implementation of the script engine is used as a unit, and the hook is applied to the head of this internal function.
- the tap point is a memory monitoring point that is output as a log by the analysis code and is one of the arguments of the internal function.
- this analysis function adding device acquires an execution trace including an API trace and a branch trace for the script engine binary by using the system API hook and the branch instruction hook.
- the API trace is a record of the executed system API
- the branch trace is a record of the executed branch.
- this analysis function adding device analyzes this execution trace and detects a hook point.
- two analysis methods are applied: backtrace analysis, which searches backward from the system API call, and differential execution analysis, which analyzes based on the differences between multiple execution traces acquired by gradually changing the conditions. To do.
- the hook points detected by these are set as hook point candidates.
- this analysis function adding device detects the tap point by hooking this hook point candidate and searching the argument of the hooked function. That is, if the argument of the test script is found in the argument of the function of the hook point candidate, the analysis function providing device determines the hook point candidate as a valid hook point, and sets the argument as the tap point.
- the analysis function adding device hooks the script engine binary based on the hook point and tap point obtained in this way.
- the analysis function providing device inserts, into the hook point, a language element corresponding to the hook point and a code for logging out the memory of the tap point.
- this hook causes a log output as to which language element of the script language is executed with what argument when the script is executed.
- the analysis function addition device realizes the addition of the analysis function to the script engine afterwards.
- FIG. 1 is a diagram for explaining an example of the configuration of the analysis function adding device 10 according to the embodiment.
- the analysis function addition device 10 has an input unit 11, a control unit 12, an output unit 13, a storage unit 14, an execution trace DB 21, a hook point DB 22 and a tap point DB 23.
- the control unit 12 also includes an execution trace acquisition unit 121 (acquisition unit), a hook point detection unit 122 (first detection unit), a tap point detection unit 123 (second detection unit), and an analysis function addition unit 124 (addition). Part).
- the hook point detection unit 122 includes a back trace analysis unit 1221 (second analysis unit) and a difference execution analysis unit 1222 (first analysis unit). Then, the analysis function providing device 10 receives the input of the test script and the script engine binary.
- the input unit 11 is composed of an input device such as a keyboard and a mouse, receives information input from the outside, and inputs it to the control unit 12.
- the input unit 11 receives inputs of the test script and the script engine binary, and outputs them to the control unit 12.
- test script is a script that is input when the script engine is dynamically analyzed and an execution trace is acquired. Details of the test script will be described later.
- the script engine binary is an executable file that constitutes the script engine.
- the script engine binary may consist of multiple executable files.
- the control unit 12 has an internal memory for storing a program defining various processing procedures and required data, and executes various processing by these.
- the control unit 12 is an electronic circuit such as a CPU (Central Processing Unit) and an MPU (Micro Processing Unit).
- the control unit 12 includes an execution trace acquisition unit 121, a hook point detection unit 122, a tap point detection unit 123, and an analysis function addition unit 124.
- the execution trace acquisition unit 121 receives a test script and a script engine binary as input.
- the execution trace acquisition unit 121 acquires the execution trace by executing the test script while monitoring the execution of the script engine binary.
- the execution trace is composed of an API trace and a branch trace.
- the API trace is a record of the system API called and its arguments during execution.
- the branch trace records the type of branch instruction at the time of execution, the branch source address, and the branch destination address. It is known that the API trace can be acquired by a method called an API hook, and the branch trace can be acquired by an instruction hook.
- the execution trace acquisition unit 121 stores the acquired execution trace in the execution trace DB 21.
- the hook point detection unit 122 has a back trace analysis unit 1221 and a difference execution analysis unit 1222.
- the hook point detection unit 122 takes out and analyzes the execution trace stored in the execution trace DB 21, and finds a hook point candidate.
- the backtrace analysis unit 1221 and the difference execution analysis unit 1222 both serve to detect the hook point candidates.
- the hook point detection unit 122 inputs the execution trace to the back trace analysis unit 1221.
- the backtrace analysis unit 1221 searches the execution trace for a call to the system API related to the analysis target, and detects a hook point candidate by the backtrace from the search. In other words, the backtrace analysis unit 1221 detects the hook point by applying the backtrace from the system API corresponding to the language element to be analyzed.
- the differential execution analysis unit 1222 detects a hook point candidate by extracting a difference between a plurality of execution traces having different acquisition conditions and finding a part satisfying a specific condition.
- the difference execution analysis unit 1222 detects a hook point based on the difference found between the execution traces with different conditions.
- the difference execution analysis unit 1222 detects a hook point using an algorithm that detects that a sequence with high homology appears a specific number of times. For example, the difference execution analysis unit 1222 uses the modified Smith-Waterman algorithm as an algorithm for detecting that a sequence with high homology appears a certain number of times.
- the tap point detection unit 123 detects a tap point by hooking the hook point candidate obtained by the hook point detection unit 122 and searching the memory of the argument of the hooked function.
- the tap point detection unit 123 detects a tap point, which is a memory monitoring point to be output as a log by the analysis code, based on the monitoring at the hook point. Also, the tap point detection unit 123 determines a hook point candidate having a tap point as a hook point.
- the analysis function providing unit 124 provides the script engine with an analysis function by hooking the obtained hook point and tap point and outputting a log output of the language element corresponding to the hook point and the argument appearing at the tap point. To do. In other words, the analysis function addition unit 124 hooks the script engine based on the hook point and the tap point to add the analysis function.
- the output unit 13 is, for example, a liquid crystal display, a printer, or the like, and outputs various kinds of information including information related to analysis function addition.
- the output unit 13 may be an interface that controls input / output of various data with an external device, and may output various information to the external device.
- the storage unit 14 is realized by a semiconductor memory device such as a RAM (Random Access Memory) or a flash memory (Flash Memory), or a storage device such as a hard disk or an optical disc, and a processing program or a process for operating the analysis function providing apparatus 10. Data and the like used during the execution of the program are stored.
- a semiconductor memory device such as a RAM (Random Access Memory) or a flash memory (Flash Memory), or a storage device such as a hard disk or an optical disc, and a processing program or a process for operating the analysis function providing apparatus 10. Data and the like used during the execution of the program are stored.
- the execution trace DB 21 stores the execution trace acquired by the execution trace acquisition unit 121.
- the hook point DB 22 stores the hook point candidates detected by the difference execution analysis unit 1222.
- the tap point DB 23 stores the tap points detected by the tap point detection unit 123.
- Test script configuration First, the test script will be described. 2-1 to 2-3 are diagrams showing an example of the test script.
- a test script is a script that is input when the script engine is dynamically analyzed. This test script serves to specify the language element to be parsed in the script engine. Therefore, in this embodiment, a script including only the language element to be analyzed is used. For example, if you want to analyze the processing of a language element called CreateObject to obtain hook points and tap points for this language element, create a test script that calls only CreateObject, as shown in Figure 2-1. This test script is prepared in advance of analysis and is created manually. This creation requires knowledge of the target script language specifications.
- test scripts are used, such as the test script shown in Figure 2-2 (A for differential execution analysis) and the test script shown in Figure 2-3 (B for differential execution analysis). Then, in the differential execution analysis, the hook points are detected by comparing the execution traces for each.
- the test script a script that calls the language element to be analyzed only once like A for differential execution analysis and a script that calls multiple times like B for differential execution analysis are prepared.
- the analysis function providing device 10 can identify a portion related to a language element by capturing a trace portion that appears a plurality of times when comparing execution traces.
- FIG. 3 is a diagram showing an example of the execution trace.
- the execution trace is composed of the API trace and the branch trace as described above.
- FIG. 3 shows a part of the execution trace cut out.
- the structure of the execution trace will be described with reference to FIG.
- the branch trace log line has the format described in the first to tenth lines of FIG. 3, for example, and consists of three elements, "type", "from", and "to".
- the "type” indicates whether the executed branch instruction is a call instruction, a jmp instruction, or a ret instruction. Further, the address of the branch source is shown in “from”. The address of the branch destination is shown in "to”.
- the log line of the API trace has, for example, the format described in the 11th to 13th lines in FIG. 3, and includes five types of “type”, “name”, “argindex”, “argname”, and “arg”. It consists of elements. Since "type" indicates that the log line is an API trace line, only the value API is taken. The name of the API is stored in “name”. In addition, an index indicating which argument of the API is stored in “argindex”. The name of the argument is stored in "argname”. The value of the observed argument is stored in "arg”.
- FIG. 4 is a diagram showing an example of a data structure of data stored in the execution trace DB 21.
- the execution trace DB 21 is a DB that stores the acquired execution trace. As shown in FIG. 4, the execution trace DB 21 has table schemas of "id”, “trace_id”, “image_name”, “branch_index”, “branch_type”, “src_addr”, “dst_addr”, and “args”.
- “Id” is an identifier that is assigned so that it is unique in the entire table, and has an integer value.
- “Trace_id” is an identifier that is uniquely assigned to each acquired execution trace and has an integer value.
- Image_name is the name of the execution file of the script engine that is the analysis target that is acquiring the execution trace.
- “Branch_index” is an ordinal number indicating the number of the branch recorded in one execution trace.
- “Branch_type” indicates by which instruction the branch was taken.
- Branch_type takes jmp, call, ret, etc. depending on the branch acquired in the execution trace. Further, “branch_type” also stores the type of the called system API when the system API is called. “Src_addr” holds the branch source. “Dst_addr” holds the branch destination address. In the case of branching within “image_name”, the offset may be retained. The argument when the system API is called is recorded in “Args”.
- FIG. 5 is a diagram showing an example of a data configuration of data stored in the hook point DB 22.
- the hook point DB 22 is a DB that stores detected hook point candidates. As shown in FIG. 5, the hook point DB 22 has table schemas of “id”, “trace_id”, and “hookpoint_addr”.
- FIG. 6 is a diagram showing an example of a data configuration of data stored in the tap point DB 23.
- the tap point DB 23 is a DB that stores detected tap point candidates. As shown in FIG. 6, the tap point DB 23 has table schemas of “id”, “trace_id”, “hookpoint_addr”, “tappoint_arg_number”, and “variable_type”.
- “Id”, “trace_id”, and “hookpoint_addr” are the same as those of the execution trace DB 21. “Tappoint_arg_number” indicates which number argument of the function pointed to by the hook point is the tap point. Also, “variable_type” is the type of the variable.
- FIG. 7 is a diagram for explaining an example of processing of the backtrace analysis unit 1221.
- the backtrace-based detection method is realized by analyzing the acquired execution trace log. This backtrace-based detection technique is used to detect hook points of language elements that require system interaction. That is, it is effective for a language element accompanied by a call to the system API.
- This method is based on the assumption that a language element that needs to interact with the system will call the required system API from the code area related to that language element in the script engine. Therefore, in this detection method, by tracing from the call of the system API corresponding to the black x mark in FIG. 5 to the code area of the script engine corresponding to the white x mark as indicated by arrows Y1 to Y3, The code part related to the language element is specified, and the hook point related to the language element existing there is detected.
- the differential execution analysis is a method of dynamically analyzing by acquiring a plurality of execution traces while changing conditions and analyzing the differences. This detection method is effective for language elements that do not involve calling the system API.
- VBScript's Eval function is a closed language element in the script engine, and it is not necessary to call the system API.
- the detection method by the back trace depending on the system API is not effective, but the detection method by the differential execution analysis enables the detection. It is based on the assumption that only the execution trace of the code related to the language element will appear as a difference between the execution trace when the element is called once and the execution trace when the element is executed multiple times.
- the differential execution analysis unit 1222 receives a plurality of test scripts and their execution traces as inputs.
- the test script includes a script that calls the language element to be analyzed only once (for example, A for differential execution analysis in FIG. 2-2) and a script that calls multiple times (for example, B for differential execution analysis in FIG. 2-3).
- the difference execution analysis unit 1222 detects the difference by comparing the execution traces. As a result, the difference execution analysis unit 1222 captures the trace portion relating to the language element to be analyzed, which appears in the difference when the execution traces are compared.
- FIG. 8 is a diagram showing an example of processing of the differential execution analysis unit 1222.
- the Eval function that is the analysis target language element is called only once, and in the test script (B for differential execution analysis B), it is called multiple times (3 times). . Therefore, comparing the execution trace A and the execution trace B, the branch trace portion has only one time in the execution trace A and three times in the execution trace B as shown by the portions R11, R21, R23, and R25 in FIG. You can see the subset of branch traces that appear. This part is a set of branches corresponding to the Eval function of the language element to be analyzed and becomes a hook point candidate.
- This extraction can be realized by the Smith-Waterman algorithm, which is a local alignment detection method that extracts highly homologous subsequences from two or more sequences.
- the Smith-Waterman algorithm is modified as follows, because the restriction of the number of times such as one occurrence on one side and three times on the other side is not considered in the Smith-Waterman algorithm.
- FIG. 9 is a diagram illustrating an example of processing of the modified Smith-Waterman algorithm.
- the Smith-Waterman algorithm is a sequence alignment algorithm based on dynamic programming (DP (Dynamic Programming)) and can extract highly homologous subsequences from two or more sequences.
- DP Dynamic Programming
- This algorithm uses a table called DP table shown in FIG.
- DP table In the DP table, one series is placed at the top of the table and another series is placed at the front side, and a match score is entered in each cell. With the subscript in the x-axis direction as i and the subscript in the y-axis direction as j, the score F (i, j) of the cell (i, j) is calculated based on the equation (1). Until the creation of this DP table, it is the same as the normal Smith-Waterman algorithm. Note that s (i, j) and d in the equation (1) are expressed as in the equations (2) and (3).
- each of the portions R11, R21, R23, and R25 in FIG. S is the portions R10 and R20 that appear first in the execution trace of FIG. E is the portions R12 and R26 that appear at the end of FIG. M is a portion R22, R24 that appears between the portions R21, R23, R25.
- each of these elements is composed of a log of a plurality of branch traces, but here, for simplification, the alphabet is used and compressed.
- the differential execution analysis unit 1222 again extracts a partial sequence having high homology with respect to the same row (part W11 in FIG. 7) from the DP table excluding the partial sequence extracted by the algorithm.
- the differential execution analysis unit 1222 repeats this processing for the number of times of calling in the test script, and among the extracted partial series (parts W1, W2, W3 in FIG. 7), the similarity of each partial character string is If it is equal to or larger than the threshold value, the log of the branch trace forming the part is detected as a hook point candidate. On the other hand, when the similarity of each partial character string is less than the threshold value, the difference execution analysis unit 1222 checks the cell having the next highest score.
- FIG. 10 is a diagram illustrating an example of processing of the tap point detection unit 123.
- Detecting tap points has the following two roles.
- the first point is to determine the final hook point from the hook point candidates obtained by the hook point detection.
- the second point is to specify the memory location for log output at the time of hook.
- the tap point is detected by searching the argument of the function that is the hook point.
- the tap point detection unit 123 hooks the hook point candidates obtained up to this point and acquires the execution trace again.
- the argument can be acquired by referring to it according to the calling convention.
- heuristics are required for further search.
- a search as shown in Fig. 10 is used. First, if the argument cannot be referenced as a pointer, consider it to be a value. If the argument can be referenced as a pointer, it is referenced as a pointer. Whether you see it as a value or when you refer to it as a pointer, try various types.
- the tap point detection unit 123 determines the hook point and sets the point at which the argument is obtained as the tap point.
- the argument in the test script is WScript.Shell
- this argument is observed when viewed as an LPBSTR type, so the tap point detection unit 123 uses this argument as the tap point. To detect.
- the processing of the tap point detection unit 123 is not limited to the above, and other search methods may be used.
- a method of acquiring type information by reverse engineering without using heuristics for details, see, for example, J. Lee, T. Avgerinos, and D. Brumley, “TIE: Principled Reverse Engineering of Types in Binary Programs”, Network and Distributed System Security Symposium, Internet Society, 2011.
- heuristics for details, see, for example, J. Lee, T. Avgerinos, and D. Brumley, “TIE: Principled Reverse Engineering of Types in Binary Programs”, Network and Distributed System Security Symposium, Internet Society, 2011.
- the analysis function adding unit 124 receives the script engine binary and the hook points and tap points detected by the processing up to this point as inputs.
- the analysis function adding unit 124 hooks the script engine at a hook point.
- a code for analysis is inserted so that a language element corresponding to the hook is executed and a tap point memory as an argument is output as a log.
- This analysis code can be easily generated if the hook point and tap point are known.
- the script when executed, its behavior is output as a log, and the analysis function is added.
- the addition of the analysis function by this hook may be realized by directly rewriting the binary for the script engine binary, or by rewriting the memory image when the binary is executed and expanded on the process memory.
- FIG. 11 is a flowchart showing a processing procedure of the analysis function adding method according to the embodiment.
- the input unit 11 receives a test script and a script engine binary as inputs (step S1).
- the execution trace acquisition unit 121 executes an execution trace acquisition process (step S2).
- the backtrace analysis unit 1221 detects hook point candidates by the backtrace analysis process (step S3).
- the analysis function providing device 10 proceeds to step S7.
- the difference execution analysis unit 1222 carries out a difference execution analysis process (step S5).
- step S6: No the analysis function provision device 10 ends the process because the hook point candidate is not detected.
- step S6: Yes the analysis function providing device 10 proceeds to step S7.
- the tap point detection unit 123 carries out tap point detection processing (step S7).
- step S8: No the analysis function providing device 10 ends the process.
- step S8 when the hook point and the tap point are detected (step S8: Yes), the analysis function adding unit 124 executes the analysis function adding process (step S9).
- the analysis function addition device 10 outputs the script engine binary to which the analysis function is added at the output unit 13 (step S10), and ends the process.
- FIG. 12 is a flowchart showing the processing procedure of the execution trace acquisition processing shown in FIG.
- the execution trace acquisition unit 121 receives a test script and a script engine binary as input (step S11). Then, the execution trace acquisition unit 121 applies a hook for acquiring the API trace to the received script engine (step S12). The execution trace acquisition unit 121 also applies a hook for acquiring the trace of the branch instruction (step S13). Then, the execution trace acquisition unit 121 inputs the test script received in that state into the script engine and executes it (step S14), and stores the execution trace acquired thereby in the execution trace DB 21 (step S15). The execution trace acquisition unit 121 ends the process when all the input test scripts have been executed (step S16: Yes). On the other hand, the execution trace acquisition unit 121 returns to the execution of the test script (step S14) and continues the process when all the input test scripts have not been executed (step S16: No).
- FIG. 13 is a flowchart showing the processing procedure of the backtrace analysis processing shown in FIG.
- the back trace analysis unit 1221 extracts an execution trace from the execution trace DB 21 (step S21).
- the backtrace analysis unit 1221 also receives the test script as an input (step S22). Then, the backtrace analysis unit 1221 scans the argument at the time of calling the system API existing in the execution trace (step S23).
- step S24 determines that there is no hook point that can be detected by the backtrace analysis, and ends the process.
- step S24 when there is a match between the argument in the test script and the argument of the system API (step S24: Yes), the backtrace analysis unit 1221 traces back the branch in the execution trace starting from the matched system API. Go (step S25). Then, the backtrace analysis unit 1221 sets N branches obtained by tracing back N times from the point where the trace reaches the script engine as hook point candidates (step S26). Then, the backtrace analysis unit 1221 outputs this hook point candidate and ends the processing (step S27).
- FIG. 14 is a flowchart showing the processing procedure of the difference execution analysis processing shown in FIG.
- the differential execution analysis unit 1222 extracts an execution trace from the execution trace DB 21 (step S31). Then, the difference execution analysis unit 1222 carries out Smith-Waterman algorithm application processing (step S32). By executing this processing, the difference execution analysis unit 1222 extracts the difference between a plurality of execution traces having different acquisition conditions, and finds a portion that satisfies a specific condition.
- step S33: Yes the difference execution analysis unit 1222 outputs the hook point candidate (step S34).
- step S34 the difference execution analysis unit 1222 ends the process.
- FIG. 15 is a flowchart showing a processing procedure for applying the modified Smith-Waterman algorithm shown in FIG.
- the differential execution analysis unit 1222 extracts an execution trace from the execution trace DB 21 (step S41).
- an execution trace that calls the analysis target language element once and an execution trace that calls multiple times.
- the difference execution analysis unit 1222 determines whether i is larger than the number of rows (step S46). When the difference execution analysis unit 1222 determines that i is not larger than the number of rows (step S46: No), it increments i by 1 (step S47) and returns to the calculation of the match score (step S45). And continue processing.
- step S46 determines whether j is greater than the number of rows (step S46: Yes).
- step S48 determines whether j is greater than the number of columns (step S48).
- step S48 determines that j is not larger than the number of columns (step S48: No)
- step S48 determines that j is larger than the number of columns (step S48: Yes)
- step S50 extracts the cell with the maximum match score (step S50), and backtracks from it.
- step S51 the series having the highest homology is extracted (step S51).
- the difference execution analysis unit 1222 newly extracts the upper (N ⁇ 1) series for the same row as the extracted series (step S52).
- the difference execution analysis unit 1222 calculates the degree of similarity for each of the N extracted sequences, which is the total number of N as described above (step S53).
- the difference execution analysis unit 1222 determines whether each of the calculated similarities exceeds a predetermined threshold value (step S54).
- step S54 determines that each of the calculated similarities exceeds a predetermined threshold value (step S54: Yes)
- the branch included in the extracted sequence is set as a hook point candidate (step S55).
- the hook point candidate is output (step S56), and the process ends.
- step S54: No determines that each of the calculated similarities does not exceed the predetermined threshold value (step S54: No)
- step S58 Backtracking to extract a sequence
- FIG. 16 is a flowchart showing the processing procedure of the tap point detection processing shown in FIG.
- the tap point detection unit 123 receives a test script and a hook point candidate as input (steps S61 and S62). Then, the tap point detection unit 123 hooks all the points of the hook point candidates (step S63) and executes the test script (step S64). When reaching the hook point candidate, the tap point detection unit 123 searches for an argument of the hooked function (step S65). At the time of this search, the tap point detection unit 123 determines whether the same argument as the argument specified in the test script is found (step S66).
- step S66 determines that the same argument as the argument specified in the test script is not found (step S66: No), it is determined that there is no hook point and tap point (step S67), and the process ends.
- step S66 determines that the same argument as the argument specified in the test script is found (step S66: Yes)
- the hook point candidate where the matched argument is found is determined as a hook point (step S66).
- step S68 the place of the argument which agrees is made the tap point (step S69). Then, the tap point detection unit 123 outputs the hook point and the tap point (step S70), and ends the process.
- FIG. 17 is a flowchart showing the processing procedure of the analysis function addition processing shown in FIG.
- the analysis function adding unit 124 receives the script engine binary, the detected hook point and tap point as inputs (steps S71 to S73). Then, the analysis function adding unit 124 hooks the hook point of the script engine (step S74), and generates and inserts the code so that the code that outputs the memory of the tap point is executed at the time of this hook (step S75). ). The analysis function adding unit 124 outputs the script engine with the hook thus obtained as a script script engine with an analysis function (step S76), and ends the process.
- the analysis function providing device 10 acquires an execution trace using a test script for a script engine to which an analysis function is desired. Then, the analysis function adding device 10 analyzes the execution trace by back trace analysis and differential execution analysis, and detects hook point candidates. Furthermore, the analysis function provision device 10 implements hook point determination and tap point detection by hooking and executing hook point candidates and searching the memory. Subsequently, the analysis function adding device 10 hooks the script engine based on the obtained hook point and tap point, and adds the analysis function.
- the analysis function addition device 10 detects hook points and tap points even for a proprietary script engine that can obtain only binary files, and adds analysis functions without requiring manual reverse engineering. realizable.
- the analysis function adding device 10 since the script engine level hook is realized, it is possible to monitor the behavior in the vicinity of the script, and it is possible to realize the analysis without the semantic gap.
- the analysis function addition device 10 applies the hook in a method that does not depend on the language specification of the script language, so that the analysis function can be added to the script engine of various script languages.
- the analysis function adding device 10 by analyzing the script engine and adding the analysis function afterwards, it is possible to automatically execute the analysis function having no semantic gap to the script engines of various script languages. Can be achieved.
- the analysis function adding device 10 is useful for analyzing the behavior of a malicious script written in various script languages, and performs the analysis on the malicious script without being affected by the semantic gap. Especially suitable. Therefore, according to the present embodiment, it is possible to analyze a malicious script and use it for countermeasures such as detection by adding an analysis function to various script engines using the analysis function addition device 10. .
- each component of each device shown in the drawings is functionally conceptual and does not necessarily have to be physically configured as shown. That is, the specific form of distribution / integration of each device is not limited to that shown in the figure, and all or part of the device may be functionally or physically distributed / arranged in arbitrary units according to various loads and usage conditions. It can be integrated and configured. Further, each processing function performed by each device may be implemented in whole or in part by a CPU and a program that is analyzed and executed by the CPU, or may be realized as hardware by a wired logic.
- FIG. 18 is a diagram illustrating an example of a computer in which the analysis function providing device 10 is realized by executing a program.
- the computer 1000 has, for example, a memory 1010 and a CPU 1020.
- the computer 1000 has a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These components are connected by a bus 1080.
- the memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM 1012.
- the ROM 1011 stores, for example, a boot program such as a BIOS (Basic Input Output System).
- BIOS Basic Input Output System
- the hard disk drive interface 1030 is connected to the hard disk drive 1090.
- the disk drive interface 1040 is connected to the disk drive 1100.
- a removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1100.
- the serial port interface 1050 is connected to, for example, a mouse 1110 and a keyboard 1120.
- the video adapter 1060 is connected to the display 1130, for example.
- the hard disk drive 1090 stores, for example, the OS 1091, the application program 1092, the program module 1093, and the program data 1094. That is, the program that defines each process of the analysis function providing apparatus 10 is implemented as the program module 1093 in which the code executable by the computer 1000 is described.
- the program module 1093 is stored in, for example, the hard disk drive 1090.
- a program module 1093 for executing the same processing as the functional configuration of the analysis function addition device 10 is stored in the hard disk drive 1090.
- the hard disk drive 1090 may be replaced by an SSD (Solid State Drive).
- the data used in the processing of the above-described embodiment is stored as program data 1094 in, for example, the memory 1010 or the hard disk drive 1090. Then, the CPU 1020 reads the program module 1093 and the program data 1094 stored in the memory 1010 or the hard disk drive 1090 into the RAM 1012 as necessary and executes them.
- the program module 1093 and the program data 1094 are not limited to being stored in the hard disk drive 1090, but may be stored in, for example, a removable storage medium and read out by the CPU 1020 via the disk drive 1100 or the like. Alternatively, the program module 1093 and the program data 1094 may be stored in another computer connected via a network (LAN, WAN, etc.). Then, the program module 1093 and the program data 1094 may be read from another computer by the CPU 1020 via the network interface 1070.
- LAN local area network
- WAN wide area network
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Virology (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Computing Systems (AREA)
- Debugging And Monitoring (AREA)
Abstract
Description
本実施の形態に係る解析機能付与装置について、解析機能付与装置の概略構成、及び解析機能付与装置における処理の流れ及び具体例を説明する。本実施の形態に係る解析機能付与装置は、テストスクリプトを用いてスクリプトエンジンバイナリを解析することにより、フックポイントとタップポイントを検出する。
まず、図1を参照して、実施の形態に係る解析機能付与装置10の構成について説明する。図1は、実施の形態に係る解析機能付与装置10の構成の一例を説明するための図である。
まず、テストスクリプトについて説明する。図2-1~図2-3は、テストスクリプトの一例を示す図である。
次に、実行トレースについて説明する。図3は、実行トレースの一例を示す図である。実行トレースは、前述の通り、APIトレースとブランチトレースによって構成されている。図3は、実行トレースの一部を切り出したものである。以降、図3を用いて実行トレースの構成を示す。
次に、実行トレースDB21が記憶するデータのデータ構成について説明する。図4は、実行トレースDB21が記憶するデータのデータ構成の一例を示す図である。
次に、フックポイントDB22が記憶するデータのデータ構成について説明する。図5は、フックポイントDB22が記憶するデータのデータ構成の一例を示す図である。
次に、タップポイントDB23が記憶するデータのデータ構成について説明する。図6は、タップポイントDB23が記憶するデータのデータ構成の一例を示す図である。
次に、図7を参照して、バックトレース解析部1221の処理について説明する。図7は、バックトレース解析部1221の処理の一例を説明するための図である。
次に、もう一つのフックポイント検出手法を用いた、差分実行解析部1222の処理を説明する。差分実行解析とは、条件を変更しつつ複数の実行トレースを取得し、その差分を分析することで動的解析する方法である。この検出手法は、システムAPIの呼び出しを伴わない言語要素に対して有効である。
次に、図9を用いて改変を施したSmith-Watermanアルゴリズムの処理を説明する。図9は、改変を施したSmith-Watermanアルゴリズムの処理の一例を示す図である。
次に、図10を用いてタップポイント検出部123の処理を説明する。図10は、タップポイント検出部123の処理の一例を示す図である。
次に、解析機能付与部124の処理を説明する。解析機能付与部124は、スクリプトエンジンバイナリと、ここまでの処理で検出されたフックポイント及びタップポイントを入力として受け付ける。解析機能付与部124は、スクリプトエンジンに対して、フックポイントでのフックを施す。ここで、フック時に実現される機能として、フックに対応した言語要素が実行されたことと、その引数としてのタップポイントのメモリがログ出力されるように、解析用のコードを挿入する。この解析用のコードは、フックポイントとタップポイントが判明していれば、容易に生成できる。これによって、スクリプトが実行された際に、その挙動がログ出力されるようになり、解析機能の付与が実現される。
図11は、実施の形態に係る解析機能付与方法の処理手順を示すフローチャートである。
次に、図11に示す実行トレース取得処理(ステップS2)について説明する。図12は、図11に示す実行トレース取得処理の処理手順を示すフローチャートである。
次に、図11に示すバックトレース解析処理(ステップS3)の流れについて説明する。図13は、図11に示すバックトレース解析処理の処理手順を示すフローチャートである。
次に、図11に示す差分実行解析処理(ステップS5)の流れについて説明する。図14は、図11に示す差分実行解析処理の処理手順を示すフローチャートである。
次に、図14に示す改変Smith-Watermanアルゴリズム適用処理(ステップS32)の流れについて説明する。図15は、図14に示す改変Smith-Watermanアルゴリズム適用の処理手順を示すフローチャートである。
次に、図11に示すタップポイント検出処理(ステップS7)の流れについて説明する。図16は、図11に示すタップポイント検出処理の処理手順を示すフローチャートである。
次に、図11に示す解析機能付与処理(ステップS9)の流れについて説明する。図17は、図11に示す解析機能付与処理の処理手順を示すフローチャートである。
このように、本実施の形態に係る解析機能付与装置10は、解析機能を付与したいスクリプトエンジンに対し、テストスクリプトを用いて実行トレースを取得する。そして、解析機能付与装置10は、その実行トレースをバックトレース解析と差分実行解析によって解析し、フックポイント候補を検出する。さらに、解析機能付与装置10は、フックポイント候補にフックを施して実行し、メモリを探索することによって、フックポイントの確定とタップポイントの検出を実現する。続いて、解析機能付与装置10は、得られたフックポイントとタップポイントに基づいて、スクリプトエンジンにフックを施し、解析機能を付与する。
[システム構成等]
図示した各装置の各構成要素は機能概念的なものであり、必ずしも物理的に図示の如く構成されていることを要しない。すなわち、各装置の分散・統合の具体的形態は図示のものに限られず、その全部又は一部を、各種の負荷や使用状況等に応じて、任意の単位で機能的又は物理的に分散・統合して構成することができる。さらに、各装置にて行なわれる各処理機能は、その全部又は任意の一部が、CPU及び当該CPUにて解析実行されるプログラムにて実現され、或いは、ワイヤードロジックによるハードウェアとして実現され得る。
図18は、プログラムが実行されることにより、解析機能付与装置10が実現されるコンピュータの一例を示す図である。コンピュータ1000は、例えば、メモリ1010、CPU1020を有する。また、コンピュータ1000は、ハードディスクドライブインタフェース1030、ディスクドライブインタフェース1040、シリアルポートインタフェース1050、ビデオアダプタ1060、ネットワークインタフェース1070を有する。これらの各部は、バス1080によって接続される。
11 入力部
12 制御部
13 出力部
14 記憶部
21 実行トレースDB
22 フックポイントDB
23 タップポイントDB
121 実行トレース取得部
122 フックポイント検出部
123 タップポイント検出部
124 解析機能付与部
1221 バックトレース解析部
1222 差分実行解析部
Claims (8)
- スクリプトエンジンを監視しながら実行し、API(Application Programming Interface)トレースとブランチトレースとを含む実行トレースを取得する取得部と、
前記実行トレースを解析し、フックを施して解析用コードを挿入する箇所であるフックポイントを検出する第1の検出部と、
前記フックポイントでの監視に基づいて、解析用コードによってログ出力するメモリ監視箇所であるタップポイントを検出する第2の検出部と、
前記フックポイント及び前記タップポイントに基づいて、スクリプトエンジンにフックを施して解析機能を付与する付与部と、
を有することを特徴とする解析機能付与装置。 - 前記第1の検出部は、複数の条件を変えた前記実行トレースの間に見られる差分に基づいて前記フックポイントを検出する第1の解析部を有することを特徴とする請求項1に記載の解析機能付与装置。
- 前記第1の解析部は、相同性の高い系列が特定の回数出現することを検出するアルゴリズムを用いて前記フックポイントを検出することを特徴とする請求項2に記載の解析機能付与装置。
- 前記第1の解析部は、相同性の高い系列が特定の回数出現することを検出するアルゴリズムとして改変されたSmith-Watermanアルゴリズム用いることを特徴とする請求項3に記載の解析機能付与装置。
- 前記第1の検出部は、解析対象の言語要素に対応したシステムAPIからのバックトレースを適用して前記フックポイントを検出する第2の解析部を有することを特徴とする請求項1~4のいずれか一つに記載の解析機能付与装置。
- 前記第2の検出部は、タップポイントを持ったフックポイント候補をフックポイントとして確定することを特徴とする請求項1~5のいずれか一つに記載の解析機能付与装置。
- 解析機能付与装置が実行する解析機能付与方法であって、
スクリプトエンジンを監視しながら実行し、API(Application Programming Interface)トレースとブランチトレースとを含む実行トレースを取得する工程と、
前記実行トレースを解析し、フックを施して解析用コードを挿入する箇所であるフックポイントを検出する工程と、
前記フックポイントでの監視に基づいて、解析用コードによってログ出力するメモリ監視箇所であるタップポイントを検出する工程と、
前記フックポイント及び前記タップポイントに基づいて、スクリプトエンジンにフックを施して解析機能を付与する工程と、
を含んだことを特徴とする解析機能付与方法。 - スクリプトエンジンを監視しながら実行し、API(Application Programming Interface)トレースとブランチトレースとを含む実行トレースを取得するステップと、
前記実行トレースを解析し、フックを施して解析用コードを挿入する箇所であるフックポイントを検出するステップと、
前記フックポイントでの監視に基づいて、解析用コードによってログ出力するメモリ監視箇所であるタップポイントを検出するステップと、
前記フックポイント及び前記タップポイントに基づいて、スクリプトエンジンにフックを施して解析機能を付与するステップと、
をコンピュータに実行させるための解析機能付与プログラム。
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2020549950A JP7115552B2 (ja) | 2018-10-11 | 2019-05-21 | 解析機能付与装置、解析機能付与方法及び解析機能付与プログラム |
US17/283,546 US11989292B2 (en) | 2018-10-11 | 2019-05-21 | Analysis function imparting device, analysis function imparting method, and recording medium |
EP19871119.4A EP3848833B1 (en) | 2018-10-11 | 2019-05-21 | Analysis function imparting device, analysis function imparting method, and analysis function imparting program |
AU2019357365A AU2019357365B2 (en) | 2018-10-11 | 2019-05-21 | Analysis function imparting device, analysis function imparting method, and analysis function imparting program |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2018-192966 | 2018-10-11 | ||
JP2018192966 | 2018-10-11 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2020075335A1 true WO2020075335A1 (ja) | 2020-04-16 |
Family
ID=70164658
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2019/020095 WO2020075335A1 (ja) | 2018-10-11 | 2019-05-21 | 解析機能付与装置、解析機能付与方法及び解析機能付与プログラム |
Country Status (5)
Country | Link |
---|---|
US (1) | US11989292B2 (ja) |
EP (1) | EP3848833B1 (ja) |
JP (1) | JP7115552B2 (ja) |
AU (1) | AU2019357365B2 (ja) |
WO (1) | WO2020075335A1 (ja) |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20210390183A1 (en) * | 2018-10-11 | 2021-12-16 | Nippon Telegraph And Telephone Corporation | Analysis function imparting device, analysis function imparting method, and recording medium |
WO2022079840A1 (ja) * | 2020-10-14 | 2022-04-21 | 日本電信電話株式会社 | 解析機能付与装置、解析機能付与方法および解析機能付与プログラム |
WO2022180702A1 (ja) * | 2021-02-24 | 2022-09-01 | 日本電信電話株式会社 | 解析機能付与装置、解析機能付与プログラム及び解析機能付与方法 |
WO2023067667A1 (ja) * | 2021-10-18 | 2023-04-27 | 日本電信電話株式会社 | 解析機能付与方法、解析機能付与装置及び解析機能付与プログラム |
WO2023067668A1 (ja) * | 2021-10-18 | 2023-04-27 | 日本電信電話株式会社 | 解析機能付与方法、解析機能付与装置及び解析機能付与プログラム |
WO2023067665A1 (ja) * | 2021-10-18 | 2023-04-27 | 日本電信電話株式会社 | 解析機能付与方法、解析機能付与装置及び解析機能付与プログラム |
WO2023067663A1 (ja) * | 2021-10-18 | 2023-04-27 | 日本電信電話株式会社 | 解析機能付与方法、解析機能付与装置及び解析機能付与プログラム |
JP7517585B2 (ja) | 2021-02-24 | 2024-07-17 | 日本電信電話株式会社 | 解析機能付与装置、解析機能付与プログラム及び解析機能付与方法 |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11630900B2 (en) * | 2019-09-30 | 2023-04-18 | Mcafee, Llc | Detection of malicious scripted activity in fileless attacks |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2012164098A (ja) * | 2011-02-06 | 2012-08-30 | Mitsubishi Electric Corp | エントリ書換装置及びエントリ書換プログラム |
US20150199516A1 (en) * | 2013-03-05 | 2015-07-16 | Mcafee, Inc. | Execution profile assembly using branch records |
Family Cites Families (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP2279601B1 (en) * | 2008-05-19 | 2011-11-02 | Citrix Systems, Inc. | Methods and systems for enabling features provided by a first presentation layer protocol in a session implemented according to a second presentation layer protocol |
US8966623B2 (en) * | 2010-03-08 | 2015-02-24 | Vmware, Inc. | Managing execution of a running-page in a virtual machine |
US8874925B1 (en) * | 2011-07-21 | 2014-10-28 | Symantec Corporation | Systems and methods to scan memory for a threat |
US9600665B2 (en) * | 2012-12-21 | 2017-03-21 | Nippon Telegraph And Telephone Corporation | Monitoring device and monitoring method |
KR101543237B1 (ko) * | 2014-12-03 | 2015-08-11 | 한국인터넷진흥원 | 코드 패턴을 이용한 정적 분석과 api 흐름을 이용한 동적 분석을 통한 악성 스크립트 탐지 차단 장치, 시스템 및 방법 |
JP6708781B2 (ja) * | 2017-03-03 | 2020-06-10 | 日本電信電話株式会社 | 選択装置、選択方法及び選択プログラム |
US20190163905A1 (en) * | 2017-11-27 | 2019-05-30 | PC Pitstop, Inc. | System, Method, and Apparatus for Preventing Execution of Malicious Scripts |
EP3848833B1 (en) * | 2018-10-11 | 2023-05-24 | Nippon Telegraph And Telephone Corporation | Analysis function imparting device, analysis function imparting method, and analysis function imparting program |
US20230028595A1 (en) * | 2019-10-11 | 2023-01-26 | Nippon Telegraph And Telephone Corporation | Analysis function imparting device, analysis function imparting method, and analysis function imparting program |
WO2023023135A1 (en) * | 2021-08-20 | 2023-02-23 | Forter Ltd | A system and method for realtime js access control to dom/apis |
WO2023067668A1 (ja) * | 2021-10-18 | 2023-04-27 | 日本電信電話株式会社 | 解析機能付与方法、解析機能付与装置及び解析機能付与プログラム |
-
2019
- 2019-05-21 EP EP19871119.4A patent/EP3848833B1/en active Active
- 2019-05-21 AU AU2019357365A patent/AU2019357365B2/en active Active
- 2019-05-21 US US17/283,546 patent/US11989292B2/en active Active
- 2019-05-21 WO PCT/JP2019/020095 patent/WO2020075335A1/ja active Application Filing
- 2019-05-21 JP JP2020549950A patent/JP7115552B2/ja active Active
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2012164098A (ja) * | 2011-02-06 | 2012-08-30 | Mitsubishi Electric Corp | エントリ書換装置及びエントリ書換プログラム |
US20150199516A1 (en) * | 2013-03-05 | 2015-07-16 | Mcafee, Inc. | Execution profile assembly using branch records |
Non-Patent Citations (10)
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20210390183A1 (en) * | 2018-10-11 | 2021-12-16 | Nippon Telegraph And Telephone Corporation | Analysis function imparting device, analysis function imparting method, and recording medium |
US11989292B2 (en) * | 2018-10-11 | 2024-05-21 | Nippon Telegraph And Telephone Corporation | Analysis function imparting device, analysis function imparting method, and recording medium |
WO2022079840A1 (ja) * | 2020-10-14 | 2022-04-21 | 日本電信電話株式会社 | 解析機能付与装置、解析機能付与方法および解析機能付与プログラム |
JP7452691B2 (ja) | 2020-10-14 | 2024-03-19 | 日本電信電話株式会社 | 解析機能付与装置、解析機能付与方法および解析機能付与プログラム |
WO2022180702A1 (ja) * | 2021-02-24 | 2022-09-01 | 日本電信電話株式会社 | 解析機能付与装置、解析機能付与プログラム及び解析機能付与方法 |
JP7517585B2 (ja) | 2021-02-24 | 2024-07-17 | 日本電信電話株式会社 | 解析機能付与装置、解析機能付与プログラム及び解析機能付与方法 |
WO2023067667A1 (ja) * | 2021-10-18 | 2023-04-27 | 日本電信電話株式会社 | 解析機能付与方法、解析機能付与装置及び解析機能付与プログラム |
WO2023067668A1 (ja) * | 2021-10-18 | 2023-04-27 | 日本電信電話株式会社 | 解析機能付与方法、解析機能付与装置及び解析機能付与プログラム |
WO2023067665A1 (ja) * | 2021-10-18 | 2023-04-27 | 日本電信電話株式会社 | 解析機能付与方法、解析機能付与装置及び解析機能付与プログラム |
WO2023067663A1 (ja) * | 2021-10-18 | 2023-04-27 | 日本電信電話株式会社 | 解析機能付与方法、解析機能付与装置及び解析機能付与プログラム |
Also Published As
Publication number | Publication date |
---|---|
EP3848833A1 (en) | 2021-07-14 |
EP3848833B1 (en) | 2023-05-24 |
AU2019357365B2 (en) | 2022-11-17 |
EP3848833A4 (en) | 2022-06-01 |
AU2019357365A1 (en) | 2021-05-13 |
US20210390183A1 (en) | 2021-12-16 |
JP7115552B2 (ja) | 2022-08-09 |
JPWO2020075335A1 (ja) | 2021-05-20 |
US11989292B2 (en) | 2024-05-21 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2020075335A1 (ja) | 解析機能付与装置、解析機能付与方法及び解析機能付与プログラム | |
Le et al. | Deep specification mining | |
Pan et al. | Gui-guided test script repair for mobile apps | |
CN109583200B (zh) | 一种基于动态污点传播的程序异常分析方法 | |
JP7287480B2 (ja) | 解析機能付与装置、解析機能付与方法及び解析機能付与プログラム | |
CN106557413A (zh) | 基于代码覆盖率获取测试用例的方法和设备 | |
CN109101815B (zh) | 一种恶意软件检测方法及相关设备 | |
CN111240991B (zh) | 一种抗隐式污点传播的动态污点检测方法及系统 | |
US10509719B2 (en) | Automatic regression identification | |
WO2022180702A1 (ja) | 解析機能付与装置、解析機能付与プログラム及び解析機能付与方法 | |
US11436133B2 (en) | Comparable user interface object identifications | |
WO2014190427A1 (en) | Identifying client states | |
US11868465B2 (en) | Binary image stack cookie protection | |
Murtaza et al. | Total ADS: Automated software anomaly detection system | |
Waly et al. | A complete framework for kernel trace analysis | |
Copos et al. | Inputfinder: Reverse engineering closed binaries using hardware performance counters | |
WO2023067668A1 (ja) | 解析機能付与方法、解析機能付与装置及び解析機能付与プログラム | |
WO2023067665A1 (ja) | 解析機能付与方法、解析機能付与装置及び解析機能付与プログラム | |
US8234525B2 (en) | Method and system for anomaly detection in software programs with reduced false negatives | |
WO2023067663A1 (ja) | 解析機能付与方法、解析機能付与装置及び解析機能付与プログラム | |
WO2023067667A1 (ja) | 解析機能付与方法、解析機能付与装置及び解析機能付与プログラム | |
WO2024079794A1 (ja) | 解析機能付与装置、解析機能付与方法および解析機能付与プログラム | |
JP7517585B2 (ja) | 解析機能付与装置、解析機能付与プログラム及び解析機能付与方法 | |
WO2024079800A1 (ja) | 解析機能付与装置、解析機能付与方法および解析機能付与プログラム | |
KR102421394B1 (ko) | 하드웨어와 소프트웨어 기반 트레이싱을 이용한 악성코드 탐지 장치 및 방법 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 19871119 Country of ref document: EP Kind code of ref document: A1 |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2020549950 Country of ref document: JP |
|
ENP | Entry into the national phase |
Ref document number: 2019871119 Country of ref document: EP Effective date: 20210406 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
ENP | Entry into the national phase |
Ref document number: 2019357365 Country of ref document: AU Date of ref document: 20190521 Kind code of ref document: A |