WO2022180702A1 - Analysis function imparting device, analysis function imparting program, and analysis function imparting method


Info

Publication number
WO2022180702A1
Authority
WO
WIPO (PCT)
Prior art keywords
execution
analysis
instruction
detection unit
unit
Prior art date
Application number
PCT/JP2021/006933
Other languages
English (en)
Japanese (ja)
Inventor
利宣 碓井
知範 幾世
裕平 川古谷
誠 岩村
潤 三好
Original Assignee
日本電信電話株式会社
Application filed by 日本電信電話株式会社
Priority to PCT/JP2021/006933 (WO2022180702A1)
Priority to JP2023501730A (JPWO2022180702A1)
Publication of WO2022180702A1

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements

Definitions

  • the present invention relates to an analysis function imparting device, an analysis function imparting program, and an analysis function imparting method.
  • a malicious script is a script that behaves maliciously, and is a program that exploits the functions provided by the script engine to carry out attacks. In general, attacks are carried out using the default script engine of the operating system (OS), or the script engine of specific applications such as web browsers and document file viewers.
  • Script engines may require user permission for some actions, but they can also perform actions through the system, such as file operations, network communication, and process startup. Attacks using malicious scripts therefore pose the same threat to users as attacks using malware in executable files.
  • Code obfuscation is a problem that arises when analyzing malicious scripts. Many malicious scripts are subjected to a process called obfuscation, which hinders analysis. Obfuscation deliberately increases the complexity of the code, making it difficult to analyze the code superficially. That is, it interferes with an analysis method called static analysis, which analyzes information obtained from the code without executing the script.
  • The other problem, anti-analysis, is an analysis obstruction in which a malicious script acquires information about the environment in which it is executed and does not exhibit malicious behavior unless certain conditions are met. For example, if a feature that is frequently seen in analysis environments is found, the script judges that it is being analyzed and interrupts execution in order to obstruct the analysis.
  • FIG. 22 is a diagram showing a code fragment showing an example of anti-analysis.
  • This code fragment acquires the number of cores of the CPU (Central Processing Unit) in the environment in which it is executed; if that number is not between 2 and 8 inclusive, it judges that the environment is most likely an analysis environment and terminates execution. This is an anti-analysis technique. Otherwise, it judges that the environment is not an analysis environment and exhibits malicious behavior.
  • Non-Patent Document 1 describes a technique for realizing symbolic execution, which is a type of multipath execution, for JavaScript (registered trademark). According to this method, in the conditional branching of a JavaScript script, it is possible to comprehensively follow the executable paths and observe the behavior.
  • Non-Patent Document 2 describes a method for realizing route forced execution, which is a type of multipath execution, for JavaScript. According to this method, in the conditional branching of JavaScript scripts, all paths can be exhaustively traced and the behavior can be observed.
  • Non-Patent Document 3 describes a technique for realizing symbolic execution of the script executed on a script engine by first manually modifying the script engine in advance and then running the script engine on a symbolic execution infrastructure for binaries. According to this technique, as long as there is a script engine that can be modified manually, general-purpose symbolic execution can be achieved for any script language, so that executable paths can be traced exhaustively and behavior observed.
  • Non-Patent Document 4 describes a method of analyzing a virtual machine (VM) that malware often uses to obfuscate its own programs. According to this technique, by analyzing the VM, it is possible to obtain information on its architecture. Since it is the VM that controls script execution in the script engine, the concept of this method can be partly diverted.
  • In Non-Patent Document 5, multipath execution of scripts is enabled by analyzing the script engine and adding code that realizes the multipath execution function based on the obtained architecture information. According to this method, multipath execution can be realized for various script languages and engines.
  • Non-Patent Document 1 and Non-Patent Document 2 have the problem that it is necessary to design and implement the multipath execution function individually for each script engine.
  • the methods described in Non-Patent Document 1 and Non-Patent Document 2 have the problem that it is necessary to know the architecture information of the VM of the script engine in advance in order to realize the multipath execution function.
  • Non-Patent Document 3 requires modifications to the script engine, so there is also the problem that it is necessary to know the architecture information of the VM of the script engine in advance.
  • the method described in Non-Patent Document 3 does not consider detailed architecture such as the mechanism of conditional branching within the script engine, so there is a problem that it is difficult to perform fine-grained multipath execution for the script.
  • Non-Patent Document 4 only targets VMs owned by malware, not VMs owned by script engines, so there is a problem that it cannot be directly applied to script engines.
  • the method described in Non-Patent Document 4 also has the problem that it does not refer to acquisition of architecture information related to conditional branching, which is important for multipath execution.
  • the technique described in Non-Patent Document 4 focuses only on the analysis of the VM, and has the problem that it does not take into account the addition of functions to the VM, such as the addition of multipath execution.
  • Non-Patent Document 5 has the problem that it can only be applied to the decode/dispatch type script engine and cannot be applied to the threaded code type script engine, which is another major method.
  • The present invention has been made in view of the above. Its object is to provide an analysis function imparting device, an analysis function imparting program, and an analysis function imparting method that can impart a multipath execution function in consideration of detailed architecture, without requiring separate design and implementation even for a threaded code type script engine, and without requiring detailed architecture information such as conditional branching in advance.
  • To solve the problems described above, the analysis function imparting device of the present invention includes a first analysis unit that analyzes the virtual machine of the script engine, a second analysis unit that analyzes the instruction set architecture, which is the system of instructions of the virtual machine, and an imparting unit that applies to the script engine a hook providing a multipath execution function, based on a virtual program counter, a conditional branch flag, which is an area that holds a flag indicating whether or not a branch is taken at the time of a conditional branch in the execution state, and a branch VM instruction, which is a virtual machine instruction that causes a branch.
  • The first analysis unit includes a first acquisition unit that acquires a plurality of execution traces by changing execution conditions, a first detection unit that clusters the execution traces and detects the boundary of each VM instruction, a second detection unit that analyzes the plurality of execution traces using differential execution analysis focusing on the number of times memory is read and detects the virtual program counter, a third detection unit that analyzes the binary of the script engine based on the boundary of each VM instruction detected by the first detection unit and detects the dispatcher, and a fourth detection unit that analyzes the plurality of execution traces using differential execution analysis focusing on the number of times memory is read and detects the conditional branch flag.
  • According to the present invention, the impartation of a multipath execution function that takes into account detailed architecture such as conditional branching can be realized without requiring separate design and implementation and without prior architecture information.
  • FIG. 1 is a diagram for explaining an example of the configuration of a threaded code type script engine.
  • FIG. 2 is a diagram showing pseudocode of a threaded code type VM that the script engine has.
  • FIG. 3 is a diagram illustrating an example of the configuration of the analysis function imparting device according to the embodiment.
  • FIG. 4 is a diagram showing an example of a test script (first test script) used for virtual program counter detection.
  • FIG. 5 is a diagram showing an example of a test script (second test script) used for branch VM instruction detection.
  • FIG. 6 is a diagram showing an example of an execution trace.
  • FIG. 7 is a diagram illustrating an example of a VM execution trace.
  • FIG. 8 is a diagram explaining processing of the VM instruction boundary detection unit.
  • FIG. 9 is a diagram for explaining processing of the virtual program counter detection unit.
  • FIG. 10 is a diagram explaining processing of the dispatcher detection unit.
  • FIG. 11 is a diagram explaining processing of the branch VM instruction detection unit.
  • FIG. 12 is a flow chart showing a processing procedure of analysis function imparting processing according to the embodiment.
  • FIG. 13 is a flow chart showing a processing procedure of execution trace acquisition processing shown in FIG.
  • FIG. 14 is a flowchart showing the procedure of the VM instruction boundary detection process shown in FIG. 12.
  • FIG. 15 is a flow chart showing the procedure of the virtual program counter detection process shown in FIG.
  • FIG. 16 is a flow chart showing a processing procedure of dispatcher detection processing shown in FIG.
  • FIG. 17 is a flow chart showing the procedure of the conditional branch flag detection process shown in FIG.
  • FIG. 18 is a flowchart of a procedure of a VM execution trace acquisition process shown in FIG. 12.
  • FIG. 19 is a flow chart showing a processing procedure of branch VM instruction detection processing shown in FIG. 12.
  • FIG. 20 is a flow chart showing the processing procedure of the analysis function imparting process shown in FIG.
  • FIG. 21 is a diagram showing an example of a computer that implements the analysis function imparting device by executing a program.
  • FIG. 22 is a diagram showing a code fragment showing an example of anti-analysis.
  • The analysis function imparting device according to the embodiment can be applied to a threaded code type script engine.
  • the analysis function imparting apparatus can detect the boundary of the VM instruction and the virtual program counter (VPC) which is a variable indicating the VM instruction to be executed next.
  • a dispatcher, a conditional branch flag, and a branch VM instruction which is a VM instruction that causes branching, are detected in order.
  • These are all components of the script engine and architecture information about it. The structure of a typical script engine and the functions of its components will be described with reference to FIGS. 1 and 2.
  • FIG. 1 is a diagram for explaining an example of the configuration of a threaded code type script engine.
  • script engine 100 has bytecode compiler 102 and virtual machine (VM) 103 .
  • the bytecode compiler 102 also has a syntax analysis unit 104 and a bytecode generation unit 105 .
  • the VM 103 also has a code cache unit 106, a decode unit 107, a pointer cache unit 108, and a plurality of sets 109-1 to 109-3 of VM instruction handler units and dispatcher units.
  • the script engine 100 accepts script input.
  • the syntax analysis unit 104 receives a script as an input, generates an abstract syntax tree (AST) through lexical analysis and syntactic analysis, and outputs it to the bytecode generation unit 105 .
  • the bytecode generation unit 105 receives the AST as an input, converts it into bytecode, and stores it in the code cache unit 106 .
  • the decoding unit 107 collectively reads the codes from the code cache unit 106 and decodes all the read codes.
  • the decoding unit 107 converts all codes into pointers and stores them in the pointer cache unit 108 .
  • The sets 109-1 to 109-3 of distributed VM instruction handler units and dispatcher units execute the programs corresponding to the VM instructions. The contents described in the script are executed by referring to the pointers in the pointer cache unit 108 one by one, executing each VM instruction, and dispatching to the next VM instruction.
  • FIG. 2 is a diagram showing pseudocode of a threaded code type VM that the script engine has.
  • the pseudocode first initializes the VPC (line 1).
  • the pointer pointed to by the VPC is obtained from the pointer cache as the pointer of the VM instruction handler to be executed next (line 2).
  • a goto statement is used to dispatch to the next VM instruction handler (line 3).
  • the dispatched VM instruction handler is executed (lines 5, 9, and 13).
  • there is a dispatcher behind each VM instruction handler that gets a pointer to the VM instruction handler to be executed next and dispatches to it (lines 6, 7, 10, 11, 14, 15).
  • a branch VM instruction is a VM instruction that causes a branch within a script, and a conditional branch flag is an area that holds a flag indicating whether or not a branch is taken at the time of a conditional branch.
  • the analysis function imparting apparatus 10 acquires an execution trace consisting of a branch trace and a memory access trace by hooking a branch instruction and hooking a memory operation instruction to a script engine binary.
  • a branch trace is a record of executed branches.
  • a memory access trace is a record of executed memory reads and writes.
  • the analysis function imparting device 10 detects the boundaries of each VM instruction. That is, when there are a plurality of pairs of distributed VM instruction handler units and dispatcher units, it is detected where each of them starts and ends. At this time, the analysis function imparting apparatus 10 clusters the execution traces and detects clusters whose number of times of execution is equal to or greater than a threshold value as VM instructions. The analysis function imparting device 10 detects the start point and the end point of the continuous instruction string forming the VM instruction as boundaries. The VM instruction boundary detected here is used in VPC detection and dispatcher detection.
  • this analysis function imparting device 10 analyzes the execution trace and detects the VPC.
  • the analysis function imparting device applies differential execution analysis focusing on the number of times of memory reading to detect the VPC.
  • this analysis function imparting device 10 analyzes the binary of the script engine and detects the dispatcher.
  • the dispatcher is implemented by referring to the pointer cache and jumping to the pointer of the next VM instruction handler.
  • Dispatchers are distributed behind each VM instruction handler, and their code is generally almost identical. By searching for such highly similar code located behind the VM instruction handlers, the analysis function imparting device 10 detects the dispatchers by a predetermined method.
  • this analysis function imparting device 10 analyzes the execution trace and detects conditional branch flags.
  • the analysis function imparting device 10 applies differential execution analysis focused on memory reading to detect conditional branch flags.
  • the analysis function imparting device 10 obtains a VM execution trace for the script engine binary by monitoring the VPC and the pointer of the VM instruction handler dispatched by the dispatcher.
  • the VM execution trace records pointers of executed VM instruction handlers and VPCs.
  • This analysis function imparting device 10 analyzes this VM execution trace and detects branch VM instructions. In detecting a branch VM instruction, the analysis function imparting device 10 first executes a large number of test scripts to obtain a VM execution trace. Then, the analysis function imparting device 10 associates the pointer to the VM instruction with the VM instruction, and virtually assigns a VM opcode to each as an identifier. Then, the analysis function imparting device 10 collects the amount of change in the VPC before and after the execution of each VM opcode. If the VM opcode is anything other than a branch VM instruction, the amount of change in VPC is approximately constant.
  • For a branch VM instruction, by contrast, the amount of change in the VPC varies depending on the branch destination.
  • the analysis function imparting device 10 evaluates variations in the amount of change in the VPC for each VM opcode in terms of variance, and detects those whose variance is equal to or greater than a certain threshold value as branch VM instructions.
  • the analysis function imparting device 10 hooks the script engine binary based on the VPC, the branch VM instruction, and the conditional branch flag obtained up to this point. With this hook, the analysis function imparting device 10 monitors what the VPC points to and branches the execution state when it points to a branch VM instruction. Then, the analysis function imparting device 10 executes one execution state as it is, and executes the other execution state after rewriting the conditional branch flag. This causes both execution paths of the conditional branch to be executed. As described above, the analysis function imparting device 10 realizes the imparting of the multipath execution function to the script engine as a retrofit.
  • FIG. 3 is a diagram illustrating an example of the configuration of the analysis function imparting device according to the embodiment.
  • the analysis function imparting device 10 has an input unit 11, a control unit 12, a storage unit 13, and an output unit 14. The analysis function imparting device 10 receives the test script and the script engine binary as input.
  • the input unit 11 is composed of input devices such as a keyboard and a mouse, receives input of information from the outside, and passes the information to the control unit 12. The input unit 11 also has a communication interface for transmitting and receiving various information to and from another device connected via a wired connection or a network, and accepts input of information transmitted from the other device.
  • the input unit 11 receives input of test scripts and script engine binaries, and outputs them to the control unit 12 .
  • a test script is a script input when dynamically analyzing a script engine to acquire an execution trace and a VM execution trace. Details of the test script will be described later.
  • Script engine binaries are the executable files that make up the script engine.
  • a script engine binary may consist of multiple executable files.
  • the control unit 12 has an internal memory for storing programs defining various processing procedures and required data, and executes various processing using these.
  • the control unit 12 is an electronic circuit such as a CPU (Central Processing Unit) or MPU (Micro Processing Unit).
  • the control unit 12 has a virtual machine analysis unit 121 (first analysis unit), an instruction set architecture analysis unit 122 (second analysis unit), and an analysis function addition unit 123 (addition unit).
  • the virtual machine analysis unit 121 analyzes the VM of the script engine.
  • the virtual machine analysis unit 121 acquires a plurality of execution traces by changing execution conditions, analyzes the plurality of execution traces using differential execution analysis, and acquires VPCs and conditional branch flags. Also, the virtual machine analysis unit 121 statically analyzes the script engine binary to acquire VM instruction boundaries and dispatchers.
  • the virtual machine analysis unit 121 includes an execution trace acquisition unit 1211 (first acquisition unit), a VM instruction boundary detection unit 1212 (first detection unit), a virtual program counter detection unit 1213 (second detection unit), a dispatcher detection unit 1214 (third detection unit), and a conditional branch flag detection unit 1215 (fourth detection unit).
  • the execution trace acquisition unit 1211 accepts the test script and script engine binary as input.
  • the execution trace acquisition unit 1211 acquires an execution trace by executing the test script while monitoring execution of the script engine binary.
  • An execution trace consists of a branch trace and a memory access trace.
  • the branch trace records the type of branch instruction, the branch source address, and the branch destination address at the time of execution.
  • a memory access trace records the type of memory operation and the memory address of the operation target. Branch traces and memory access traces are known to be obtainable by instruction hooks.
  • the execution trace acquired by the execution trace acquisition unit 1211 is stored in the execution trace DB 131 .
  • the VM instruction boundary detection unit 1212 clusters the execution traces and detects the boundary of each VM instruction.
  • the VM instruction boundary detection unit 1212 clusters the execution trace and detects clusters whose number of executions is equal to or greater than a threshold value as VM instructions. Clustering finds contiguous code regions that are executed multiple times. This may be done, for example, by grouping together code distances between executed instructions, by finding common subsequences of executed code blocks, or by other methods.
  • the analysis function imparting device 10 detects the start point and the end point of the continuous instruction string forming the detected VM instruction as boundaries.
  • the VM instruction boundary detected here is used in VPC detection and dispatcher detection.
  • the virtual program counter detection unit 1213 extracts and analyzes the execution trace for the first test script stored in the execution trace DB 131 to detect the VPC.
  • the virtual program counter detection unit 1213 analyzes a plurality of execution traces using differential execution analysis focusing on the number of times of memory reading and the boundary of each VM instruction detected by the VM instruction boundary detection unit 1212, and detects a VPC.
  • the virtual program counter detection unit 1213 utilizes the fact that reading into the memory holding the VPC always occurs after execution of each VM instruction, and detects the VPC by finding the reading destination.
  • the virtual program counter detection unit 1213 uses differential execution analysis focusing on the number of times of memory reading for VPC detection.
  • the virtual program counter detection unit 1213 compares the execution traces acquired for a plurality of test scripts and discovers memory whose read count changes in proportion to both the number of repetitions and the number of statements to be repeated. Then, the virtual program counter detection unit 1213 refers to the boundary of each VM instruction detected by the VM instruction boundary detection unit 1212 and narrows the candidates down to memory whose read values always point to the starting point of a VM instruction. The virtual program counter detection unit 1213 detects this memory as the VPC.
  • the dispatcher detection unit 1214 cuts out each VM instruction part from the script engine binary based on the VM instruction boundary detected by the VM instruction boundary detection unit 1212, and detects a part with a high degree of similarity between each VM instruction as a dispatcher.
  • a sequence alignment algorithm for example, may be used to detect portions with a high degree of similarity, or other methods may be used.
  • the conditional branch flag detection unit 1215 extracts and analyzes the execution trace for the second test script stored in the execution trace DB 131 and finds the conditional branch flag.
  • the conditional branch flag detection unit 1215 analyzes a plurality of execution traces and detects conditional branch flags using differential execution analysis focusing on the number of times of memory reading.
  • the conditional branch flag detection unit 1215 executes conditional branching in various patterns and compares the memory change pattern observed at that time with the conditional branching pattern in the test script, thereby detecting the memory that stores the conditional branch flag.
  • the instruction set architecture analysis unit 122 analyzes the instruction set architecture, which is the system of VM instructions.
  • the instruction set architecture analysis unit 122 has a VM execution trace acquisition unit 1221 (second acquisition unit) and a branch VM instruction detection unit 1222 (fifth detection unit).
  • the VM execution trace acquisition unit 1221 accepts test scripts and script engine binaries as inputs.
  • the VM execution trace acquisition unit 1221 acquires the VM execution trace, which is the execution trace executed on the VM, by executing the test script while monitoring execution of the script engine binary.
  • a VM execution trace consists of a VPC and a VM opcode for each executed VM instruction.
  • the VPC recording can be realized by monitoring the VPC memory detected by the virtual program counter detection unit 1213 .
  • the VM opcode here is an identifier virtually assigned to each VM instruction by associating the pointer to the VM instruction handler with that VM instruction.
  • the VM execution trace acquired by the VM execution trace acquisition unit 1221 is stored in the VM execution trace DB 133 .
  • the branch VM instruction detection unit 1222 extracts and analyzes the VM execution trace stored in the VM execution trace DB 133 to detect branch VM instructions.
  • the branch VM instruction detection unit 1222 uses the fact that the magnitude of variation in the VPC value differs between branch VM instructions and the other VM instructions, sets a threshold value, and detects the VM instructions with the larger variation in the VPC value as branch VM instructions.
  • the branch VM instruction detection unit 1222 detects a branch VM instruction based on variations in the amount of change in the virtual program counter for each VM opcode in the VM execution trace.
  • the analysis function imparting unit 123 hooks the script engine to impart a multipath execution function.
  • the analysis function imparting unit 123 hooks the script engine using the obtained VPC, branch VM instruction, and conditional branch flag. This hook monitors the VPC to identify the VM opcode, and branches the execution state if the VM opcode is that of a branch VM instruction. The hook executes one execution state as it is and rewrites the conditional branch flag before executing the other execution state, thereby providing the script engine with a multipath execution function.
  • the storage unit 13 is implemented by a semiconductor memory device such as RAM (Random Access Memory) or flash memory, or a storage device such as a hard disk or an optical disk, and stores the processing program that operates the analysis function imparting device 10 and the data used during execution of that processing program.
  • the storage unit 13 has an execution trace database (DB) 131 , a VM execution trace DB 133 and an architecture information DB 132 .
  • the execution trace DB 131 and VM execution trace DB 133 store execution traces and VM execution traces acquired by the execution trace acquisition unit 1211 and VM execution trace acquisition unit 1221, respectively.
  • the execution trace DB 131 and VM execution trace DB 133 are managed by the analysis function imparting device 10 .
  • the execution trace DB 131 and the VM execution trace DB 133 may be managed by another device (server or the like). Via the communication interface, the acquired execution trace and VM execution trace are output to the management server of the execution trace DB 131 and VM execution trace DB 133 and stored in the execution trace DB 131 and VM execution trace DB 133 .
  • the output unit 14 is, for example, a liquid crystal display, a printer, etc., and outputs various information including information about the analysis function imparting device 10 . Further, the output unit 14 may be an interface that controls input/output of various data with an external device, and may output various information to the external device.
  • A test script is a script that is input when dynamically analyzing the script engine. This test script focuses on the execution of branch instructions and the number of memory reads and writes, and is used to capture the difference in the behavior of the script engine that occurs when the test script is executed a different number of times. The test script is prepared in advance for the analysis and is created manually; creating it requires knowledge of the specifications of the target script language.
  • FIG. 4 is a diagram showing an example of a test script (first test script) used for VPC detection.
  • the first test script uses iteration (line 2). Line 2 sets the number of repetitions, and lines 3 to 5 are the statements to be repeated. The number of repetitions and the number of repeated statements are varied between executions to generate a difference.
  • FIG. 5 is a diagram showing an example of a test script (second test script) used for branch VM instruction detection.
  • the second test script uses multiple conditional branches (lines 4 to 8). In the second test script, this multiple conditional branching controls the branching conditions so that branches are taken or not taken in a particular pattern of order (lines 1, 5). In the second test script, the number of conditional branches and the pattern of success or failure of branching are changed to generate a difference.
  • FIG. 6 is a diagram showing an example of an execution trace.
  • the execution trace consists of a branch trace and a memory access trace, as described above.
  • the configuration of the execution trace will be shown using FIG.
  • trace indicates whether the log line is a branch trace or a memory access trace.
  • a branch trace log line, for example, has the format described in lines 1 to 10 of FIG. 6 and consists of three elements: type, src, and dst.
  • type indicates whether the executed branch instruction is a call instruction, a jmp instruction, or a ret instruction. Also, src indicates a branch source address, and dst indicates a branch destination address.
  • a memory access trace log line, for example, has the format described in lines 11 to 13 of FIG. 6 and consists of three elements: type, target, and value. type indicates whether the memory access is a read or a write. target indicates the memory address to be accessed. value holds the value resulting from the memory access.
  • FIG. 7 is a diagram illustrating an example of a VM execution trace.
  • a VM execution trace is a record of VM opcodes and VPCs, as described above.
  • FIG. 7 is a cutout of a portion of the VM execution trace.
  • the configuration of the VM execution trace will be shown using FIG.
  • a VM execution trace log line, for example, has the format shown in FIG. 7 and consists of two elements: vpc and pointer.
  • vpc indicates the value of VPC.
  • pointer indicates the value of the pointer that points to the beginning of the VM instruction handler to be executed, which is obtained from the pointer cache.
  • FIG. 8 is a diagram for explaining the processing of the VM instruction boundary detection unit 1212.
  • the VM instruction boundary detection unit 1212 detects the boundary of each VM instruction. At this time, the VM instruction boundary detection unit 1212 detects the VM instruction and its boundary in order to provide the script multipath execution function in the threaded code type VM. Specifically, the VM instruction boundary detection unit 1212 extracts an execution trace from the execution trace DB 131 . Then, as shown in FIG. 8, the VM instruction boundary detection unit 1212 clusters the execution trace by a predetermined method and detects clusters whose execution count is equal to or greater than a threshold as VM instructions (for example, VM instruction handlers 1 to 3). The VM instruction boundary detection unit 1212 detects the start point and the end point of the continuous instruction sequence forming a VM instruction as its boundary.
  • the virtual program counter detection unit 1213 detects VPCs and pointer caches in order to provide a script multipath execution function in a threaded code VM.
  • the detection of the virtual program counter is realized by analyzing the memory access trace log of the acquired execution trace.
  • the virtual program counter detection unit 1213 uses differential execution analysis focusing on the number of times the memory is read.
  • FIG. 9 is a diagram for explaining the processing of the virtual program counter detection unit 1213.
  • the virtual program counter detection unit 1213 extracts one execution trace by the first test script from the execution trace DB 131.
  • the number of VPC reads is proportional to the number of iterations in the test script and the number of statements in the iteration.
  • When the number of repetitions is N and the number of sentences to be repeated is M, approximately MN VPC reads occur. Therefore, the virtual program counter detection unit 1213 extracts, from the execution traces for first test scripts in which N and M are increased to 2N and 2M, and to 3N and 3M, the memory whose read count increases to 4MN and 9MN respectively.
  • the virtual program counter detection unit 1213 extracts a memory area that has read/write for each execution of one VM instruction and monotonically increases ((1) in FIG. 9).
  • the virtual program counter detection unit 1213 detects as the VPC the memory area whose read value always points to the start point of a VM instruction. Specifically, the virtual program counter detection unit 1213 collates the destination of the VPC with the addresses of the VM instruction handlers and narrows down to the matching memory area ((2) in FIG. 9).
  • the dispatcher detection unit 1214 detects the dispatcher by analyzing the binary of the script engine using a predetermined method.
  • FIG. 10 is a diagram for explaining the processing of the dispatcher detection unit 1214.
  • the dispatcher detection unit 1214 detects dispatchers in order to provide script multipath execution functions in threaded code VMs.
  • the dispatcher detection unit 1214 cuts out each VM instruction part from the script engine binary based on the VM instruction boundary detected by the VM instruction boundary detection unit 1212 . Then, on the assumption that the dispatcher code is highly similar across VM instructions, the dispatcher detection unit 1214 calculates the similarity between the codes of the VM instructions ((1) in FIG. 10) and detects the part whose similarity is high among all the VM instructions as the dispatcher.
  • the dispatcher detection unit 1214 can detect code that is commonly executed in the second half of a VM instruction as a dispatcher ((1) in FIG. 10).
  • conditional branch flag detection unit 1215 detects the conditional branch flag by analyzing memory access.
  • the conditional branch flag detection unit 1215 uses the execution trace obtained using the second test script.
  • the conditional branch flag detection unit 1215 detects the conditional branch flag by analyzing the test script and performing two stages of narrowing down.
  • the conditional branch flag has two states: branch taken or not taken. Also, the conditional branch flag is considered to be read a number of times proportional to the number of conditional branches.
  • conditional branch flag detection unit 1215 extracts the memories with the number of memory reads proportional to the number of conditional branches as the first stage of narrowing down. Then, as the second stage of narrowing down, the conditional branch flag detection unit 1215 extracts a memory in which two values are exchanged so that the value at the time of reading each memory corresponds to the conditional branch of the test script.
  • conditional branch flag detection unit 1215 extracts memory addresses that alternate between two values, X, Y, X, X, Y.
  • the conditional branch flag detection unit 1215 detects the conditional branch flag by repeating this while changing the number of times of branching.
  • the branch VM instruction detection unit 1222 detects the branch VM instruction by analyzing the acquired VM execution trace log. Since the test script here only needs to include a branch VM instruction, any script that includes branch control syntax may be used. For example, prepare a test script by collecting from the Internet or from official documents.
  • the branch VM instruction detection unit 1222 associates a pointer to a VM instruction with a VM instruction for each VM execution trace in the VM execution trace DB 133, and virtually assigns a VM opcode to each as an identifier.
  • FIG. 11 is a diagram for explaining the processing of the branch VM instruction detection unit 1222.
  • the branch VM instruction detector 1222 uses variance to evaluate the dispersion of pointers to this VM instruction.
  • the branch VM instruction detection unit 1222 calculates the variance of the VPC change amount for each VM opcode, and narrows down only the VM opcodes with the calculated variance larger than the threshold.
  • the branch VM instruction detection unit 1222 detects a VM instruction with variations in the progress of the VPC (in the example of FIG. 11, VM instruction handler 3) as a branch VM instruction while associating the pointer with the VM instruction ((1) in FIG. 11).
  • the threshold is set to a value that can divide the resulting two groups by plotting the obtained variance values on a number line, for example.
  • analysis function imparting unit 123 receives as inputs the script engine binary and the hook points and tap points detected in the processing up to this point.
  • the analysis function imparting unit 123 hooks the script engine at the hook point.
  • the analysis function imparting unit 123 inserts the code for analysis so that the language element corresponding to the hook is executed at the time of hooking, and the memory of the tap point as its argument is output to the log.
  • Code for this analysis can be easily generated if the hook points and tap points are known. As a result, when the script is executed, its behavior will be output to the log, and the addition of the analysis function is realized.
  • the addition of the analysis function by this hook may be realized by directly rewriting the binary for the script engine binary, or by rewriting the memory image when the binary is executed and expanded on the process memory.
  • FIG. 12 is a flow chart showing a processing procedure of analysis function imparting processing according to the embodiment.
  • the input unit 11 receives a test script and a script engine binary as input (step S1).
  • the execution trace acquisition unit 1211 performs an execution trace acquisition process of executing the test script while monitoring the binary of the script engine and acquiring a branch trace and a memory access trace (step S2). Then, the VM instruction boundary detection unit 1212 detects a VM instruction and performs VM instruction boundary detection processing for detecting the boundary of the VM instruction (step S3).
  • the virtual program counter detection unit 1213 extracts and analyzes the execution trace for the first test script stored in the execution trace DB 131, and performs virtual program counter detection processing for discovering the VPC (step S4).
  • the dispatcher detection unit 1214 extracts each VM instruction part from the script engine binary, and performs dispatcher detection processing for detecting a part having a high degree of similarity between each VM instruction as a dispatcher (step S5).
  • the conditional branch flag detection unit 1215 extracts and analyzes the execution trace for the second test script stored in the execution trace DB 131, and performs conditional branch detection processing for finding the conditional branch flag (step S6).
  • the VM execution trace acquisition unit 1221 receives a test script and a script engine binary as inputs, and performs VM execution trace acquisition processing for acquiring a VM execution trace by executing the test script while monitoring the execution of the script engine binary (step S7).
  • the branch VM instruction detection unit 1222 extracts and analyzes the VM execution trace stored in the VM execution trace DB 133, and performs branch VM instruction detection processing for detecting the branch VM instruction (step S8).
  • the analysis function imparting unit 123 performs the analysis function imparting process of hooking the script engine using the obtained VPC, branch VM instruction and conditional branch flag (step S9). Then, the output unit 14 outputs the script engine binary provided with the multipath execution function (step S10).
  • FIG. 13 is a flow chart showing a processing procedure of execution trace acquisition processing shown in FIG.
  • the execution trace acquisition unit 1211 receives the test script and the script engine binary as inputs (step S11).
  • the execution trace acquisition unit 1211 hooks the received script engine to acquire a branch trace (step S12).
  • the execution trace acquisition unit 1211 also hooks the received script engine to acquire a memory access trace (step S13).
  • the execution trace acquisition unit 1211 inputs the test script received in that state to the script engine to execute it (step S14), and stores the execution trace acquired thereby in the execution trace DB 131 (step S15).
  • the execution trace acquisition unit 1211 determines whether all the input test scripts have been executed (step S16). If the execution trace acquisition unit 1211 has finished executing all of the input test scripts (step S16: Yes), the execution trace acquisition unit 1211 ends the process. On the other hand, if the execution trace acquisition unit 1211 has not executed all of the input test scripts (step S16: No), it returns to execution of the test scripts in step S14 and continues processing.
  • FIG. 14 is a flowchart showing the procedure of the VM instruction boundary detection process shown in FIG. 12.
  • the VM instruction boundary detection unit 1212 extracts an execution trace from the execution trace DB 131 (step S21).
  • the VM instruction boundary detection unit 1212 clusters the execution traces by a predetermined method (step S22). Any method may be used for the clustering.
  • the VM instruction boundary detection unit 1212 detects clusters whose number of executions is equal to or greater than the threshold as VM instructions (step S23). Then, the VM instruction boundary detection unit 1212 sets the start point and the end point of the continuous instruction sequence forming the VM instruction as the boundary (step S24). The VM instruction boundary detection unit 1212 outputs the VM instruction boundary as a return value (step S25), and ends the VM instruction boundary detection process.
  • FIG. 15 is a flow chart showing the procedure of the virtual program counter detection process shown in FIG. 12.
  • the virtual program counter detection unit 1213 extracts one execution trace by the first test script from the execution trace DB 131 (step S31). Subsequently, the virtual program counter detection unit 1213 focuses on the memory access trace of the execution trace, and counts the number of times of reading for each memory reading destination (step S32).
  • the virtual program counter detection unit 1213 receives as an input the first test script used to acquire the execution trace (step S33), analyzes the first test script, and acquires the number of repetitions and the number of sentences to be repeated (step S34).
  • the virtual program counter detection unit 1213 extracts from the execution trace DB 131 one more execution trace by the first test script with a different repetition count and number of repeated sentences (step S35). Then, the virtual program counter detection unit 1213 pays attention to the memory access trace and counts the number of readings for each memory reading destination (step S36). In addition, the virtual program counter detection unit 1213 receives as an input the first test script used to acquire the execution trace (step S37), analyzes the test script, and acquires the number of repetitions and the number of repeated sentences (step S38).
  • the virtual program counter detection unit 1213 narrows down only memory read destinations whose read count changes in proportion to the number of repetitions and the increase or decrease in the number of repeated sentences (step S39). Furthermore, the virtual program counter detection unit 1213 narrows down the memory read destinations narrowed down in step S39 to those in which the read memory value always points to the start point of the VM instruction (step S40).
  • the virtual program counter detection unit 1213 determines whether or not the memory reading destination has been narrowed down to only one (step S41). If the virtual program counter detection unit 1213 cannot narrow down the memory reading destination to only one (step S41: No), the process returns to step S35, extracts the next execution trace, and continues the process. On the other hand, if the virtual program counter detection unit 1213 narrows down the memory reading destination to only one (step S41: Yes), it stores the narrowed down memory reading destination in the architecture information DB 132 as the virtual program counter (step S42) and terminates the process.
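The differential narrowing described for the virtual program counter detection unit 1213 above and in steps S31 to S42, as an added example that is not the patent's code: it parses a constructed text rendering of the FIG. 6 memory access lines, keeps only addresses whose read count scales with MN across runs, then keeps only those whose read values resolve through a pointer cache to a VM instruction handler start. The handler addresses, the threaded-code slot layout, the pointer cache, the memory cells and the toy trace generator are all hypothetical values constructed for the example.

```python
"""Differential VPC detection over memory access traces (added example, not
the patent's code). Trace lines use a constructed text rendering of the
FIG. 6 layout: 'mem read <target> <value>', 'mem write <target> <value>' and
'branch <type> <src> <dst>'."""
from collections import defaultdict

# Constructed VM instruction handler start addresses, as the VM instruction
# boundary detection unit would report them (hypothetical values).
HANDLERS = {0x401000, 0x401080, 0x401100}
HANDLER_LIST = sorted(HANDLERS)


def code_slot(i):
    """Hypothetical threaded-code slot address of statement i (8 bytes apart)."""
    return 0x500000 + 8 * i


# Constructed pointer cache: threaded-code slot -> handler it points at.
POINTER_CACHE = {code_slot(i): HANDLER_LIST[i % 3] for i in range(64)}

# Constructed memory cells of a toy threaded-code engine (hypothetical):
VPC_CELL = 0x7ffc0010    # the real VPC: read once per executed VM instruction
LOOP_CTR = 0x7ffc0020    # loop counter: read once per iteration, i.e. N times
STACK_SLOT = 0x7ffc0030  # operand slot: also read M*N times, but holds data
CONFIG = 0x7ffc0040      # engine setting: read a fixed number of times


def generate_trace(n_iter, n_stmt):
    """Constructed execution trace for the first test script with N=n_iter
    repetitions of M=n_stmt sentences, one VM instruction per sentence."""
    lines = ["mem read 0x%x 0x1" % CONFIG for _ in range(5)]
    for it in range(n_iter):
        lines.append("mem read 0x%x 0x%x" % (LOOP_CTR, it))
        for i in range(n_stmt):
            slot = code_slot(i)
            handler = POINTER_CACHE[slot]
            lines.append("mem read 0x%x 0x%x" % (VPC_CELL, slot))   # dispatcher reads VPC
            lines.append("mem read 0x%x 0x%x" % (slot, handler))    # fetches handler pointer
            lines.append("branch jmp 0x4010f0 0x%x" % handler)       # jumps to the handler
            lines.append("mem read 0x%x 0x%x" % (STACK_SLOT, 7 * i + it))
            lines.append("mem write 0x%x 0x%x" % (VPC_CELL, code_slot(i + 1)))
    return lines


def parse_reads(lines):
    """Group the memory-read lines of a FIG. 6 style trace by target
    address, preserving read order: {target: [value, ...]}."""
    reads = defaultdict(list)
    for line in lines:
        fields = line.split()
        if fields[0] == "mem" and fields[1] == "read":
            reads[int(fields[2], 16)].append(int(fields[3], 16))
    return reads


def detect_vpc(traces, pointer_cache, handlers, tol=0.05):
    """Steps S31-S42 over a list of (N, M, trace_lines) runs of the first
    test script. Stage 1 keeps addresses whose read count grows in
    proportion to N*M relative to the first run; stage 2 keeps those whose
    read values always resolve, through the pointer cache, to a handler
    start. Stops as soon as a single address remains."""
    base_n, base_m, base_lines = traces[0]
    base_reads = parse_reads(base_lines)
    candidates = set(base_reads)
    for n, m, lines in traces[1:]:
        reads = parse_reads(lines)
        expected = (n * m) / (base_n * base_m)
        survivors = set()
        for addr in candidates & set(reads):
            ratio = len(reads[addr]) / len(base_reads[addr])
            if abs(ratio - expected) > tol * expected:
                continue  # stage 1: read count not proportional to M*N
            values = base_reads[addr] + reads[addr]
            if all(pointer_cache.get(v) in handlers for v in values):
                survivors.add(addr)  # stage 2: always points at a VM instruction
        candidates = survivors
        if len(candidates) == 1:
            break
    return candidates


if __name__ == "__main__":
    runs = [(n, m, generate_trace(n, m)) for n, m in ((2, 3), (4, 6), (6, 9))]
    found = detect_vpc(runs, POINTER_CACHE, HANDLERS)
    print("VPC candidates:", [hex(a) for a in found])
```

The loop counter (N reads) and the fixed-count setting fall out at stage 1, while the operand slot, which is read MN times but holds data rather than threaded-code addresses, survives stage 1 and is rejected only by the pointer-cache check of stage 2.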
  • FIG. 16 is a flow chart showing a processing procedure of the dispatcher detection processing shown in FIG. 12.
  • the dispatcher detection unit 1214 receives the script engine binary as an input (step S51).
  • the dispatcher detector 1214 receives the boundary of the VM instruction from the VM instruction boundary detector 1212 (step S52).
  • the dispatcher detection unit 1214 cuts out each VM instruction part from the script engine binary based on the boundary of the VM instruction received from the VM instruction boundary detection unit 1212 (step S53).
  • the dispatcher detection unit 1214 calculates the code similarity between each VM instruction by a predetermined method (step S54). Any similarity calculation method can be used as long as it can calculate the similarity between codes.
  • the dispatcher detection unit 1214 extracts a portion with a high degree of similarity among all VM instructions based on the degree of similarity calculated in step S54 (step S55). Then, the dispatcher detection unit 1214 determines whether it is the end part of the VM instruction (step S56).
  • If it is not the end part of the VM instruction (step S56: No), the dispatcher detection unit 1214 returns to step S55 and continues processing. If it is the end part of the VM instruction (step S56: Yes), the dispatcher detection unit 1214 outputs the extracted part as the dispatcher (step S57), and ends the process.
  • FIG. 17 is a flow chart showing the procedure of the conditional branch flag detection process shown in FIG. 12.
  • conditional branch flag detection unit 1215 extracts one execution trace by the second test script from the execution trace DB 131 (step S71). Then, the conditional branch flag detection unit 1215 focuses on the memory access trace and counts the number of readings for each memory reading destination (step S72).
  • conditional branch flag detection unit 1215 receives as an input the second test script used to acquire the execution trace (step S73), analyzes this second test script, and obtains the number of conditional branches and the order pattern of True/False (step S74). Then, the conditional branch flag detection unit 1215 narrows down only memory read destinations whose number of times of reading changes in proportion to the number of times of conditional branching (step S75). Furthermore, the conditional branch flag detection unit 1215 narrows down to memory read destinations where the read memory values are exchanged between two values according to the order pattern of True/False (step S76).
  • the conditional branch flag detection unit 1215 determines whether or not the memory reading destination has been narrowed down to only one (step S77). If the conditional branch flag detection unit 1215 cannot narrow down the memory reading destination to only one (step S77: No), the process returns to step S71, extracts the next execution trace, and continues the process. On the other hand, if the memory read destination is narrowed down to only one (step S77: Yes), the conditional branch flag detection unit 1215 stores the narrowed down read destination in the architecture information DB 132 as a virtual program counter (step S78) and ends the process.
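The two-stage narrowing of the conditional branch flag detection unit 1215 described above and in steps S71 to S77, as an added example that is not the patent's code. It works on per-address read sequences already grouped from the memory access trace; the addresses, the True/False patterns of the two second-test-script runs and every read sequence are constructed for the example, and reads are assumed to arrive in equal-sized groups per conditional branch.

```python
"""Conditional branch flag detection by two-stage narrowing over the memory
reads of second-test-script runs (added example, not the patent's code).
Each run is (pattern, reads): pattern is the True/False order of the
script's conditional branches, reads maps address -> list of read values."""


def follows_pattern(values, pattern):
    """Stage 2 check: the address holds exactly two distinct values, every
    read belonging to branch i carries one value, and that value is the same
    for all taken branches and a different one for all not-taken branches.
    Reads are assumed to come in equal-sized groups per conditional branch."""
    k = len(pattern)
    if not values or len(values) % k or len(set(values)) != 2:
        return False
    per_branch = len(values) // k
    taken, not_taken = set(), set()
    for i, is_taken in enumerate(pattern):
        group = set(values[i * per_branch:(i + 1) * per_branch])
        if len(group) != 1:
            return False
        (taken if is_taken else not_taken).update(group)
    return len(taken) == 1 and len(not_taken) == 1


def detect_branch_flag(runs):
    """Steps S71-S77: per run, keep addresses whose read count is
    proportional to the number of conditional branches (stage 1) and whose
    values exchange between two values in the True/False order (stage 2);
    repeat over runs with a different branch count until one remains."""
    base_pattern, base_reads = runs[0]
    candidates = set(base_reads)
    for pattern, reads in runs:
        survivors = set()
        for addr in candidates & set(reads):
            # stage 1, cross-multiplied: reads per conditional branch must be constant
            if len(reads[addr]) * len(base_pattern) != len(base_reads[addr]) * len(pattern):
                continue
            if follows_pattern(reads[addr], pattern):
                survivors.add(addr)
        candidates = survivors
        if len(candidates) == 1:
            break
    return candidates


# Constructed addresses and read sequences of a toy engine (hypothetical).
FLAG, COUNTER, HANDLER_PTR, STRIDED, LUCKY = (0x7ffc0100 + 0x10 * i for i in range(5))

PATTERN_A = [True, False, True, True, False]                # 5 conditional branches
READS_A = {
    FLAG: [1, 0, 1, 1, 0],                                   # the real flag
    COUNTER: list(range(10)),                                # 2 reads per branch, but a counter
    HANDLER_PTR: [0x401000, 0x401080] * 5,                   # two values, but not per branch
    STRIDED: [1, 0, 1, 0, 1],                                # two values in the wrong order
    LUCKY: [5, 9, 5, 5, 9],                                  # matches this run by chance
}
PATTERN_B = [True, True, False, True, False, False, True]    # 7 conditional branches
READS_B = {
    FLAG: [1, 1, 0, 1, 0, 0, 1],
    COUNTER: list(range(14)),
    HANDLER_PTR: [0x401000, 0x401080] * 5,
    STRIDED: [1, 0, 1, 0, 1, 0, 1],
    LUCKY: [5, 9, 5, 9, 5, 9, 5],                            # no longer matches
}

if __name__ == "__main__":
    print("after run A:", [hex(a) for a in detect_branch_flag([(PATTERN_A, READS_A)])])
    print("after run B:", [hex(a) for a in detect_branch_flag([(PATTERN_A, READS_A),
                                                                (PATTERN_B, READS_B)])])
```

The first run alone leaves two candidates because one data address happens to follow the pattern; the second run with a different branch count, as the text's repetition loop prescribes, removes it.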
  • FIG. 18 is a flowchart of the procedure of the VM execution trace acquisition process shown in FIG. 12.
  • the VM execution trace acquisition unit 1221 receives the test script and the script engine binary as input (step S81). Then, the VM execution trace acquisition unit 1221 hooks the received script engine to record the VPC and VM operation code (step S82).
  • the VM execution trace acquisition unit 1221 inputs the test script received in that state to the script engine to execute it (step S83), and stores the VM execution trace acquired thereby in the VM execution trace DB 133 (step S84).
  • the VM execution trace acquisition unit 1221 determines whether all the input test scripts have been executed (step S85). If the VM execution trace acquisition unit 1221 has finished executing all the input test scripts (step S85: Yes), the process ends. If the VM execution trace acquisition unit 1221 has not finished executing all of the input test scripts (step S85: No), it returns to execution of the test scripts in step S83 and continues processing.
  • FIG. 19 is a flow chart showing the processing procedure of the branch VM instruction detection processing shown in FIG. 12.
  • the branch VM instruction detection unit 1222 extracts one VM execution trace from the VM execution trace DB 133 (step S91).
  • the branch VM instruction detection unit 1222 associates the pointer to the VM instruction with the VM instruction, and assigns a VM opcode to each as an identifier (step S92).
  • the branch VM instruction detection unit 1222 aggregates the amount of change in VPC before and after execution for each VM opcode (step S93).
  • the branch VM instruction detection unit 1222 determines whether or not all VM execution traces in the VM execution trace DB 133 have been processed (step S94). If all VM execution traces in the VM execution trace DB 133 have not been processed (step S94: No), the branch VM instruction detection unit 1222 returns to step S91 to extract and process the next VM execution trace.
  • If all VM execution traces in the VM execution trace DB 133 have been processed (step S94: Yes), the branch VM instruction detection unit 1222 calculates the variance of the VPC variation for each VM opcode (step S95).
  • the branch VM instruction detection unit 1222 receives the threshold as an input (step S96).
  • the branch VM instruction detection unit 1222 narrows down to only VM opcodes whose variance is larger than the threshold (step S97), stores them as branch VM instructions in the architecture information DB 132 (step S98), and ends the process.
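The variance-based narrowing of the branch VM instruction detection unit 1222 described above and in steps S91 to S98, as an added example that is not the patent's code: it parses a constructed text rendering of the FIG. 7 (vpc, pointer) lines, assigns a virtual opcode per handler pointer, aggregates the VPC change after each dispatch, and flags opcodes whose variance exceeds a threshold placed in the largest gap of the variance values, which is one reading of the number-line rule in the text. The handler addresses, the 8-byte slot layout and the toy loop program are hypothetical.

```python
"""Branch VM instruction detection from VM execution traces (added example,
not the patent's code). Each trace line is a constructed text rendering of
the FIG. 7 layout: '<vpc> <pointer>', the VPC value and the handler pointer
fetched for it from the pointer cache."""
from collections import defaultdict

# Constructed toy threaded-code loop (hypothetical handlers and layout,
# 8-byte slots): PUSH ADD JCC PUSH ADD JMP, where JCC skips the second
# PUSH/ADD pair when taken and JMP always returns to the loop head.
PUSH, ADD, JCC, JMP = 0x401000, 0x401080, 0x401100, 0x401180
CODE = {0x500000: PUSH, 0x500008: ADD, 0x500010: JCC,
        0x500018: PUSH, 0x500020: ADD, 0x500028: JMP}


def constructed_vm_trace(taken_pattern):
    """Run the toy loop once per entry of taken_pattern and record the
    (vpc, pointer) pair for every VM instruction dispatched."""
    lines, vpc = [], 0x500000
    for taken in taken_pattern:
        while True:
            ptr = CODE[vpc]
            lines.append("0x%x 0x%x" % (vpc, ptr))
            if ptr == JMP:
                vpc = 0x500000
                break
            vpc = 0x500028 if (ptr == JCC and taken) else vpc + 8
    lines.append("0x%x 0x%x" % (vpc, CODE[vpc]))  # next dispatch closes the last delta
    return lines


def parse_vm_trace(lines):
    """Parse FIG. 7 style lines into (vpc, pointer) integer pairs."""
    return [(int(v, 16), int(p, 16)) for v, p in (line.split() for line in lines)]


def assign_opcodes(entries):
    """Step S92: give each distinct handler pointer a virtual VM opcode id."""
    opcodes = {}
    for _, ptr in entries:
        opcodes.setdefault(ptr, len(opcodes))
    return opcodes


def vpc_deltas(entries, opcodes):
    """Step S93: VPC change from one dispatch to the next, keyed by opcode."""
    deltas = defaultdict(list)
    for (vpc, ptr), (next_vpc, _) in zip(entries, entries[1:]):
        deltas[opcodes[ptr]].append(next_vpc - vpc)
    return deltas


def variance(xs):
    """Population variance of the VPC deltas of one opcode."""
    mean = sum(xs) / len(xs)
    return sum((x - mean) ** 2 for x in xs) / len(xs)


def split_threshold(variances):
    """Constructed reading of the text's rule: put the threshold in the
    middle of the largest gap between the sorted variance values."""
    vals = sorted(set(variances.values()))
    if len(vals) < 2:
        return None
    lo, hi = max(zip(vals, vals[1:]), key=lambda pair: pair[1] - pair[0])
    return (lo + hi) / 2


def detect_branch_vm_instructions(trace_lists, threshold=None):
    """Steps S91-S98 over several VM execution traces: aggregate the VPC
    deltas per opcode, compute their variance, derive the threshold if none
    is given, and return (branch_opcodes, variances, opcodes)."""
    traces = [parse_vm_trace(lines) for lines in trace_lists]
    opcodes = assign_opcodes([e for entries in traces for e in entries])
    deltas = defaultdict(list)
    for entries in traces:
        for op, ds in vpc_deltas(entries, opcodes).items():
            deltas[op].extend(ds)
    variances = {op: variance(ds) for op, ds in deltas.items()}
    if threshold is None:
        threshold = split_threshold(variances)
    branch = {op for op, v in variances.items()
              if threshold is not None and v > threshold}
    return branch, variances, opcodes


if __name__ == "__main__":
    trace = constructed_vm_trace([True, False, True, False])
    branch, variances, opcodes = detect_branch_vm_instructions([trace])
    names = {PUSH: "PUSH", ADD: "ADD", JCC: "JCC", JMP: "JMP"}
    for ptr, op in opcodes.items():
        print(names[ptr], "variance", variances[op], "branch" if op in branch else "")
```

Note that the unconditional JMP moves the VPC by the same amount every time, so its variance is zero and it is not flagged; only the conditional JCC, whose VPC progress varies with the branch outcome, exceeds the threshold.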
  • FIG. 20 is a flow chart showing the processing procedure of the analysis function imparting process shown in FIG. 12.
  • the analysis function imparting unit 123 receives a script engine binary as an input (step S101). Then, the analysis function imparting unit 123 extracts the VPC, the conditional branch flag, and the conditional branch VM instruction from the architecture information DB 132 (step S102). Subsequently, the analysis function imparting unit 123 applies a hook to the hook point of the script engine (step S103). The analysis function imparting unit 123 generates a code and inserts it into the script engine so that the multipath execution code is executed at the time of this hook (step S104). The analysis function imparting unit 123 outputs the hooked script engine thus obtained as a script engine with a multipath execution function (step S105), and terminates the process.
  • the analysis function imparting apparatus 10 executes the test script while monitoring the binary of the script engine, and acquires the branch trace and the memory access trace. Then, the analysis function imparting device 10 analyzes the virtual machine based on the execution trace, and acquires architecture information such as VM instruction boundaries, VPC, dispatchers, and conditional branch flags. Furthermore, the analysis function imparting device 10 executes the test script to acquire the VM execution trace, analyzes the instruction set architecture using the VM execution trace, and acquires the branch VM instruction as architecture information. Then, the analysis function imparting device 10 imparts the multipath execution function to the script engine based on the obtained architecture information.
  • the analysis function imparting device 10 detects various types of architecture information through analysis based on acquisition of execution traces and VM execution traces, even for proprietary script engines for which only binaries are available.
  • a multipath execution function can be added without manual reverse engineering.
  • the analysis function imparting device 10 can automatically impart a multipath execution function to various script engines as long as a test script is prepared.
  • since the analysis function imparting device 10 considers detailed architecture such as conditional branching, it can implement an accurate multipath execution function with respect to the conditional branches of the script.
  • since the analysis function imparting device 10 focuses on the threaded code type script engine, it can impart the multipath execution function even to a script engine having a threaded code type VM.
  • the analysis function imparting apparatus 10 analyzes the script engine and retrofits the multipath execution function to script engines of various script languages, including the threaded code type, and can thus provide the multipath execution function automatically.
  • the analysis function imparting apparatus 10 is useful for analyzing the behavior of malicious scripts written in a wide variety of script languages, and is suitable for comprehensively analyzing the behavior of a malicious script that has paths which cannot be executed unless a specific condition is met, without being affected by such conditions. For this reason, by providing multipath execution functions to various script engines using the analysis function imparting device 10, the analysis function imparting program, and the analysis function imparting method according to the present embodiment, the behavior of malicious scripts can be analyzed and utilized for countermeasures such as detection.
  • Each component of the analysis function imparting apparatus 10 shown in FIG. 3 is functionally conceptual, and does not necessarily need to be physically configured as shown. That is, the specific form of distributing and integrating the functions of the analysis function imparting device 10 is not limited to the illustrated one, and all or part of it can be functionally or physically distributed or integrated.
  • each process performed in the analysis function imparting device 10 may be realized by a CPU and a program that is analyzed and executed by the CPU. Further, each process performed in the analysis function imparting device 10 may be realized as hardware by wired logic.
  • FIG. 21 is a diagram showing an example of a computer that implements the analysis function imparting device 10 by executing a program.
  • the computer 1000 has a memory 1010 and a CPU 1020, for example.
  • Computer 1000 also has hard disk drive interface 1030 , disk drive interface 1040 , serial port interface 1050 , video adapter 1060 and network interface 1070 . These units are connected by a bus 1080 .
  • the memory 1010 includes a ROM 1011 and a RAM 1012.
  • the ROM 1011 stores a boot program such as BIOS (Basic Input Output System).
  • Hard disk drive interface 1030 is connected to hard disk drive 1090 .
  • a disk drive interface 1040 is connected to the disk drive 1100 .
  • a removable storage medium such as a magnetic disk or optical disk is inserted into the disk drive 1100 .
  • Serial port interface 1050 is connected to mouse 1110 and keyboard 1120, for example.
  • Video adapter 1060 is connected to display 1130, for example.
  • the hard disk drive 1090 stores, for example, an OS 1091, application programs 1092, program modules 1093, and program data 1094. That is, a program that defines each process of the analysis function imparting apparatus 10 is implemented as a program module 1093 in which code executable by the computer 1000 is described. Program modules 1093 are stored, for example, on hard disk drive 1090 .
  • the hard disk drive 1090 stores a program module 1093 for executing processing similar to the functional configuration of the analysis function imparting apparatus 10 .
  • the hard disk drive 1090 may be replaced by an SSD (Solid State Drive).
  • the setting data used in the processing of the above-described embodiment is stored as program data 1094 in the memory 1010 or the hard disk drive 1090, for example. Then, the CPU 1020 reads out the program module 1093 and the program data 1094 stored in the memory 1010 and the hard disk drive 1090 to the RAM 1012 as necessary and executes them.
  • the program modules 1093 and program data 1094 are not limited to being stored in the hard disk drive 1090, but may be stored in a removable storage medium, for example, and read by the CPU 1020 via the disk drive 1100 or the like. Alternatively, the program modules 1093 and program data 1094 may be stored in another computer connected via a network (LAN (Local Area Network), WAN (Wide Area Network), etc.). Program modules 1093 and program data 1094 may then be read by CPU 1020 through network interface 1070 from other computers.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

An analysis function imparting device (10) includes a virtual machine analysis unit (121) that analyzes a virtual machine of a script engine, an instruction set architecture analysis unit (122) that analyzes an instruction set architecture, and an analysis function imparting unit (123) that performs hooking to add a multipath execution function to the script engine on the basis of architecture information. The virtual machine analysis unit (121) has a VM instruction boundary detection unit (1212) that performs clustering on a plurality of execution traces and detects the boundaries of VM instructions, a virtual program counter detection unit (1213) that detects a virtual program counter using the VM instruction boundaries and differential execution analysis focused on the read count for memory, a dispatcher detection unit (1214) that detects a dispatcher on the basis of the VM instruction boundaries, and a conditional branch flag detection unit (1215) that detects a conditional branch flag using differential execution analysis focused on the read count for memory.
PCT/JP2021/006933 2021-02-24 2021-02-24 Analysis function imparting device, analysis function imparting program, and analysis function imparting method WO2022180702A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/JP2021/006933 WO2022180702A1 (fr) 2021-02-24 2021-02-24 Analysis function imparting device, analysis function imparting program, and analysis function imparting method
JP2023501730A JPWO2022180702A1 (fr) 2021-02-24 2021-02-24

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2021/006933 WO2022180702A1 (fr) 2021-02-24 2021-02-24 Analysis function imparting device, analysis function imparting program, and analysis function imparting method

Publications (1)

Publication Number Publication Date
WO2022180702A1 true WO2022180702A1 (fr) 2022-09-01

Family

ID=83047874

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2021/006933 WO2022180702A1 (fr) 2021-02-24 2021-02-24 Analysis function imparting device, analysis function imparting program, and analysis function imparting method

Country Status (2)

Country Link
JP (1) JPWO2022180702A1 (fr)
WO (1) WO2022180702A1 (fr)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2024079803A1 (fr) * 2022-10-11 2024-04-18 日本電信電話株式会社 Vulnerability detection device, method, and program
WO2024079794A1 (fr) * 2022-10-11 2024-04-18 日本電信電話株式会社 Analysis function imparting device, analysis function imparting method, and analysis function imparting program
WO2024079793A1 (fr) * 2022-10-11 2024-04-18 日本電信電話株式会社 Vulnerability discovery device, vulnerability discovery method, and vulnerability discovery program
WO2024079804A1 (fr) * 2022-10-11 2024-04-18 日本電信電話株式会社 Analysis function imparting device, analysis function imparting method, and analysis function imparting program
WO2024079800A1 (fr) * 2022-10-11 2024-04-18 日本電信電話株式会社 Analysis function imparting device, analysis function imparting method, and analysis function imparting program

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020075335A1 (fr) * 2018-10-11 2020-04-16 日本電信電話株式会社 Analysis function imparting device, analysis function imparting method, and analysis function imparting program

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020075335A1 (fr) * 2018-10-11 2020-04-16 日本電信電話株式会社 Analysis function imparting device, analysis function imparting method, and analysis function imparting program

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
ERTL, ANTON. M. ET AL.: "Vmgen - a generator of efficient virtual machine interpreters", SOFTWARE - PRACTICE AND EXPERIENCE, vol. 32, no. 3, 28 January 2002 (2002-01-28), pages 265 - 294, XP001087296, DOI: https://doi.org/10.10002/spe.434 *
SHARIF, M. ET AL.: "Automatic Reverse Engineering of Malware Emulators", 2009 30TH IEEE SYMPOSIUM ON SECURITY AND PRIVACY, 2009, pages 94 - 109, XP031515099 *
USUI TOSHINOBU, FURUKAWA WAKI, OTSUKI HAYATO, KAWAFURUYA YUHEI, IWAMURA SEI, MIYOSHI JUN, MATSUURA KANTA: "Automatically appending multi-path execution functionality to vanilla script engines", COMPUTER SECURITY SYMPOSIUM 2019 (21/10/2019 - 24/10/2019), 14 October 2019 (2019-10-14) - 24 October 2019 (2019-10-24), Japan, pages 961 - 968, XP009539387, ISSN: 1882-0840 *
USUI, T. ET AL.: "Automatic Reverse Engineering of Script Engine Binaries for Building Script API Tracers", DIGITAL THREATS: RESEARCH AND PRACTICE, vol. 2, no. 1, January 2021 (2021-01-01), pages 1 - 31, XP058674428, DOI: https://doi.org/10.1145/3416126 *

Also Published As

Publication number Publication date
JPWO2022180702A1 (fr) 2022-09-01

Similar Documents

Publication Publication Date Title
WO2022180702A1 (fr) Analysis function imparting device, analysis function imparting program, and analysis function imparting method
JP7287480B2 (ja) Analysis function imparting device, analysis function imparting method, and analysis function imparting program
US8850581B2 (en) Identification of malware detection signature candidate code
Carmony et al. Extract Me If You Can: Abusing PDF Parsers in Malware Detectors.
JP7115552B2 (ja) Analysis function imparting device, analysis function imparting method, and analysis function imparting program
US9507933B2 (en) Program execution apparatus and program analysis apparatus
US9176849B2 (en) Partitioning of program analyses into sub-analyses using dynamic hints
EP3547121B1 (fr) Combination device, method, and program
KR101796369B1 (ko) Reverse engineering collaboration apparatus, method, and system for software analysis
US9495542B2 (en) Software inspection system
US20160011951A1 (en) Techniques for web service black box testing
Li et al. Characterizing erasable accounts in ethereum
KR20210045122A (ko) Apparatus and method for generating software test inputs using symbolic execution
WO2023067668A1 (fr) Analysis function imparting method, analysis function imparting device, and analysis function imparting program
WO2023067665A1 (fr) Analysis function imparting method, analysis function imparting device, and analysis function imparting program
US20230141948A1 (en) Analysis and Testing of Embedded Code
US9910889B2 (en) Rapid searching and matching of data to a dynamic set of signatures facilitating parallel processing and hardware acceleration
WO2020111482A1 (fr) Reverse engineering method and system using big data according to program execution context
WO2023067667A1 (fr) Method for imparting an analysis function, device for imparting an analysis function, and program for imparting an analysis function
WO2023067663A1 (fr) Analysis function imparting method, analysis function imparting device, and analysis function imparting program
JP6984760B2 (ja) Conversion device and conversion program
Bhardwaj et al. Fuzz testing in stack-based buffer overflow
Nep et al. A research on countering virtual machine evasion techniques of malware in dynamic analysis
Nguyen et al. Context-based statement-level vulnerability localization
Chen et al. Dynamic Taint Analysis with Control Flow Graph for Vulnerability Analysis

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 21927805; Country of ref document: EP; Kind code of ref document: A1)
ENP Entry into the national phase (Ref document number: 2023501730; Country of ref document: JP; Kind code of ref document: A)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 21927805; Country of ref document: EP; Kind code of ref document: A1)