WO2022201323A1 - Symbol narrowing device, program analysis device, symbol extraction method, program analysis method, and non-transitory computer-readable medium - Google Patents
Symbol narrowing device, program analysis device, symbol extraction method, program analysis method, and non-transitory computer-readable medium
- Publication number
- WO2022201323A1 (PCT/JP2021/012047)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- symbol
- code block
- code
- backdoor
- program
- Prior art date
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/40—Transformation of program code
- G06F8/53—Decompilation; Disassembly
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/70—Software maintenance or management
- G06F8/75—Structural analysis for program understanding
Definitions
- the present disclosure relates to a symbol narrowing device, a program analysis device, a symbol extraction method, a program analysis method, and a non-transitory computer-readable medium.
- a "backdoor" referred to in this specification can be defined, for example, as a function that is embedded as part of a program made up of the multiple functions constituting a piece of software, and that is neither known to nor desired by the user.
- Non-Patent Document 1 describes extracting backdoor code candidates by scoring the code contained in the binary to be inspected.
- specifically, a function that performs a static data comparison is identified from the code included in the target binary, and backdoor code candidates are extracted by scoring how much the comparison result of the identified function affects the subsequent execution path.
- an object of the present disclosure is to provide a symbol narrowing device, a program analysis device, a symbol extraction method, a program analysis method, and a non-transitory computer-readable medium that address this.
- a symbol narrowing-down device includes: symbol extracting means for extracting a plurality of predetermined symbols from code included in the binary of a program; first code block extracting means for extracting, from the code included in the binary of the program, a code block having a specific property as a first code block to be analyzed as to whether or not it is a backdoor; second code block extracting means for extracting, as a plurality of second code blocks, a plurality of code blocks that access each of the plurality of predetermined symbols from the code included in the binary of the program; symbol narrowing means for extracting, from the plurality of predetermined symbols, a symbol accessed by a second code block that satisfies a condition on the control flow according to the type of backdoor to be analyzed; and symbol output means for outputting the symbol extracted by the symbol narrowing means.
- a symbol extraction method is a symbol extraction method executed by a symbol narrowing-down device, comprising: a symbol extraction step of extracting a plurality of predetermined symbols from code included in a binary of a program; a first code block extracting step of extracting, from the code included in the binary of the program, a code block having a specific property as a first code block to be analyzed as to whether or not it is a backdoor; a second code block extracting step of extracting, as a plurality of second code blocks, a plurality of code blocks that access each of the plurality of predetermined symbols from the code included in the binary of the program; a symbol narrowing step of extracting, from the plurality of predetermined symbols, a symbol accessed by a second code block that satisfies a condition on the control flow according to the type of backdoor to be analyzed; and a symbol output step of outputting the symbols extracted in the symbol narrowing step.
- a non-transitory computer-readable medium stores a program for causing a computer to execute: a symbol extraction process for extracting a plurality of predetermined symbols from code included in a binary of a program;
- a first code block extracting process for extracting, from the code included in the binary of the program, a code block having a specific property as a first code block to be analyzed as to whether or not it is a backdoor;
- a second code block extracting process for extracting, as a plurality of second code blocks, a plurality of code blocks that access each of the plurality of predetermined symbols from the code included in the binary of the program;
- a symbol narrowing process for extracting, from the plurality of predetermined symbols, a symbol accessed by a second code block that satisfies a condition on the control flow according to the type of backdoor to be analyzed;
- and a symbol output process for outputting the symbols extracted in the symbol narrowing process.
- according to the present disclosure, a symbol narrowing device, a program analysis device, a symbol extraction method, a program analysis method, and a non-transitory computer-readable medium capable of extracting symbols corresponding to the type of backdoor to be analyzed from among the many symbols included in the program can be provided.
- FIG. 1 is a block diagram showing a configuration example of a symbol narrowing device according to Embodiment 1;
- FIG. 2 is a flow chart showing an example of the flow of processing of the symbol narrowing device shown in FIG. 1;
- FIG. 3 is a block diagram showing a configuration example of a program analysis device including the symbol narrowing device shown in FIG. 1;
- FIG. 4 is a flow chart showing an example of the flow of processing of the program analysis device shown in FIG. 3;
- FIG. 5 is a block diagram showing a configuration example of a symbol narrowing device according to Embodiment 2;
- FIGS. 6 and 7 are schematic diagrams showing examples of a control flow graph of a certain program for explaining a dead code block, which is an example of a code block with a specific property;
- FIG. 8 is a schematic diagram showing an example of a control flow graph of a certain program for explaining a case in which a dead code block is executed via a vulnerable function;
- FIG. 9 is a schematic diagram showing an example of a control flow graph of a certain program for explaining another example of a code block with a specific property;
- FIG. 10 is a flow chart showing an example of the flow of processing of the symbol narrowing device shown in FIG. 5;
- FIGS. 11 and 12 are schematic diagrams showing an example of a control flow graph of a certain program for explaining symbol narrowing processing by the symbol narrowing device shown in FIG. 5;
- FIG. 13 is a block diagram showing a configuration example of a program analysis device including the symbol narrowing device shown in FIG. 5;
- FIG. 14 is a flow chart showing an example of the flow of processing of the program analysis device shown in FIG. 13;
- FIG. 15 is a diagram showing a hardware configuration example of a program analysis apparatus according to Embodiment 3;
- FIG. 16 is a block diagram showing a configuration example of the program analysis device 50 in the conceptual stage prior to the first embodiment.
- the program analysis device 50 includes a code block extraction section 51 , a backdoor score calculation section 52 and an analysis result output section 53 .
- the code block extraction unit 51 extracts all code blocks with specific properties from the code included in the binary of the program to be analyzed (hereinafter referred to as the target binary).
- the code block described here refers to, for example, a group of codes in units of functions or basic blocks in a program.
- a code block with a specific property is, for example, a dead code block.
- a dead code block is a code block that cannot be reached by normal control flow when the program is executed.
- the backdoor score calculation unit 52 calculates, for each code block, a backdoor score, which is a score indicating the possibility that the code block is backdoor code, or a score indicating the magnitude of the impact on the system when the code block is executed.
- a system described here is, for example, a computer including an environment for executing a program to be analyzed.
- when a code block performs a predetermined sensitive operation, the backdoor score calculation unit 52 performs processing to add a preset score for that operation to the backdoor score of the code block.
- the predetermined sensitive operation described here is, for example, an operation that, if executed illegally, is considered to have a serious impact on the system including the program and the environment in which the program is executed, and is an operation predetermined by the user (for example, a requester who requests inspection of the program, an analyst who performs the inspection, etc.).
- the source code of a high-level language such as C is mainly composed of functions and variables whose names are meaningful and easy for humans to understand.
- when the compiler compiles the source code, it generates symbols to keep track of which binary code or data is associated with the names of such functions and variables in the source code. A large number of symbols generated in this way exist in the program.
- the predetermined sensitive operations described above also include operations that access these predetermined symbols.
- the analysis result output unit 53 outputs the code block extracted by the code block extraction unit 51 and the backdoor score for the code block calculated by the backdoor score calculation unit 52 as analysis results.
- the program analysis device 50 can present code blocks that are candidates for backdoor code contained in the program to be analyzed, together with the corresponding backdoor scores, for example to the program analyst. The program analyst can therefore extract backdoor code candidates from the program without comparing the code of the program to be analyzed against its specifications or manually examining the code in detail.
- however, the program analysis device 50 uses a large number of predetermined symbols for score calculation without narrowing them down, even when the types of backdoors to be analyzed differ. Therefore, depending on the type of backdoor to be analyzed, the program analysis apparatus 50 may have used symbols that do not contribute to any increase or decrease of the score when calculating it.
- the symbol narrowing-down device 10 according to Embodiment 1 is therefore proposed; it is capable of extracting symbols corresponding to the type of backdoor to be analyzed from among the many symbols included in the program to be analyzed.
- FIG. 1 is a block diagram showing a configuration example of a symbol narrowing device 10 according to Embodiment 1.
- the symbol narrowing-down device 10 can extract, from among the many symbols included in the program to be analyzed, symbols corresponding to the type of backdoor to be analyzed (that is, the type of backdoor candidate to be extracted).
- as a result, the program analysis device can calculate the backdoor score while excluding symbols that hardly contribute to any increase or decrease of the backdoor score for the type of backdoor to be analyzed. A specific description is given below.
- the symbol narrowing device 10 includes a symbol extraction unit 11, a first code block extraction unit 12, a second code block extraction unit 13, a symbol narrowing unit 14, and a symbol output unit 15.
- the symbol extraction unit 11 extracts a plurality of predetermined symbols from the code included in the binary of the program to be analyzed (hereinafter referred to as the target binary).
- the plurality of predetermined symbols mentioned here means the plurality of symbols determined, from among all the symbols included in the target binary, based on at least one of the attribute information of the symbol, namely its symbol type and its scope level.
- Symbol types include, for example, data types and function types.
- the symbol extraction unit 11 extracts a plurality of predetermined symbols having the same symbol type and scope level from among the codes included in the target binary.
- the first code block extracting unit 12 extracts all code blocks with specific properties from among the codes included in the target binary as first code blocks to be analyzed for whether or not they are backdoors.
- the code block described here refers to, for example, a group of codes in units of functions or basic blocks in a program.
- a code block with a specific property is, for example, a dead code block.
- a dead code block is a code block that cannot be reached by normal control flow when the program is executed.
- the second code block extraction unit 13 extracts all code blocks that perform a predetermined sensitive operation from among the codes included in the target binary.
- the predetermined sensitive operation described here is, for example, an operation that, if executed illegally, is considered to have a serious impact on the system including the program and the environment in which the program is executed, and is an operation predetermined by the user.
- a system is, for example, a computer including an environment for executing a program to be analyzed.
- in particular, the second code block extraction unit 13 extracts, as a plurality of second code blocks, a plurality of code blocks that access each of the plurality of predetermined symbols extracted by the symbol extraction unit 11. Note that access to a predetermined symbol is one of the predetermined sensitive operations.
- the symbol narrowing unit 14 identifies, from among the plurality of second code blocks extracted by the second code block extracting unit 13, the second code blocks that satisfy a condition on the control flow according to the type of backdoor to be analyzed. After that, the symbol narrowing unit 14 extracts the symbols accessed by the identified second code blocks from among the plurality of predetermined symbols extracted by the symbol extracting unit 11.
- the types of backdoors described here include, for example, a backdoor that illegally takes out sensitive information inside the program, and a backdoor that illegally takes sensitive information outside the program into the program.
- in other words, the symbol narrowing-down unit 14 identifies the second code blocks that satisfy the condition on the control flow according to the backdoor type, and extracts the symbols accessed by the identified second code blocks. Details of the conditions on the control flow according to the backdoor type are described in the second embodiment.
- the symbol output unit 15 outputs the symbols narrowed down by the symbol narrowing-down unit 14 to the outside of the symbol narrowing-down device 10 .
- the symbols output from the symbol narrowing device 10 are used to calculate the backdoor score, which is a score indicating the possibility that the first code block to be analyzed is backdoor code, or a score indicating the magnitude of the impact on the system when the first code block to be analyzed is executed.
- FIG. 2 is a flowchart showing an example of the processing flow of the symbol narrowing-down device 10.
- the symbol extraction unit 11 extracts, from among the codes included in the target binary, a plurality of predetermined symbols determined based on at least one of the symbol type and scope level attribute information of the symbols (step S101).
- the first code block extraction unit 12 extracts a code block having a specific property from among the codes included in the target binary as a first code block to be analyzed for whether or not it is a backdoor (step S102).
- the second code block extraction unit 13 extracts, as a plurality of second code blocks, the code blocks that access the plurality of predetermined symbols extracted by the symbol extraction unit 11 (step S103).
- the symbol narrowing-down unit 14 extracts, from the plurality of predetermined symbols, the symbols accessed by those second code blocks, among the plurality of second code blocks, that satisfy the conditions on the control flow according to the type of backdoor to be analyzed (step S104). Thereafter, the symbol output unit 15 outputs the symbols narrowed down by the symbol narrowing-down unit 14 to the outside of the symbol narrowing-down device 10 (step S105).
- in this way, the symbol narrowing-down device 10 can extract, from the many symbols included in the program to be analyzed, the symbols corresponding to the type of backdoor to be analyzed. As a result, depending on the type of backdoor analyzed, symbols that hardly contribute to any increase or decrease of the backdoor score can be excluded from the symbols used for backdoor score calculation.
- FIG. 3 is a block diagram showing a configuration example of the program analysis device 1 in which the symbol narrowing device 10 is installed.
- the program analysis device 1 includes a symbol narrowing device 10, a backdoor score calculation unit 17, and an analysis result output unit 18.
- the backdoor score calculation unit 17 calculates, for the first code block, a backdoor score based on the content of the operations it performs (specifically, the content of the predetermined sensitive operations).
- the backdoor score calculation unit 17 calculates the backdoor score based on at least the symbols, among those narrowed down by the symbol narrowing-down device 10, that are accessed by the first code block or by code blocks that are its child nodes.
- the analysis result output unit 18 outputs, as the analysis result, the first code block extracted by the first code block extraction unit 12 and the backdoor score for the first code block calculated by the backdoor score calculation unit 17. At this time, the analysis result output unit 18 can output the analysis result in a form in which, for example, the backdoor score is attached to the first code block.
- FIG. 4 is a flowchart showing an example of the processing flow of the program analysis device 1. In FIG. 4, the symbol narrowing processing by the symbol narrowing-down device 10 is omitted.
- a backdoor score is calculated based on the content of the operation (specifically, the content of the predetermined sensitive operation).
- the backdoor score calculation unit 17 calculates the backdoor score based on at least the symbols, among those narrowed down by the symbol narrowing-down device 10, that are accessed by the first code block or by code blocks that are its child nodes.
- the analysis result output unit 18 outputs the first code block extracted by the first code block extraction unit 12 and the backdoor score for the first code block calculated by the backdoor score calculation unit 17 as the analysis result. (step S107).
- the program analysis apparatus 1 can present the first code block, which is a backdoor code candidate included in the program to be analyzed, and the corresponding backdoor score, for example to the program analyst.
- the program analyst can therefore extract backdoor code candidates from the program without comparing the code of the program to be analyzed against its specifications or manually examining the code in detail.
- furthermore, the program analysis apparatus 1 uses the symbol narrowing-down apparatus 10 to exclude symbols that hardly contribute to any increase or decrease of the backdoor score for the type of backdoor to be analyzed, and can calculate the score on that basis.
- FIG. 5 is a block diagram showing a configuration example of the symbol narrowing device 20 according to the second embodiment.
- the symbol narrowing device 20 includes a symbol extraction unit 21, a first code block extraction unit 22, a second code block extraction unit 23, a symbol narrowing unit 24, a symbol output unit 25, and a target condition table 26.
- the symbol extraction unit 21 extracts a plurality of predetermined symbols determined based on at least one attribute information of the symbol type and scope level, among all the symbols included in the target binary.
- the first code block extracting unit 22 extracts all code blocks with specific properties from among the codes included in the target binary as first code blocks to be analyzed for whether or not they are backdoors.
- the first code block extraction unit 22 performs static analysis and the like on the target binary to create a control flow graph of the entire program. After that, the first code block extracting unit 22 extracts all code blocks having specific properties as first code blocks from the codes included in the target binary based on information such as the created control flow graph.
- a code block with a specific property is, for example, a dead code block, as described above.
- a dead code block is a code block that cannot be reached by normal control flow when the program is executed.
- FIGS. 6 and 7 are schematic diagrams showing examples of control flow graphs of a certain program for explaining dead code blocks. In these figures, solid-line circles represent normal nodes, dashed-line circles represent dead code block nodes, and arrows represent control flows (the same applies in FIGS. 8 and 9 below).
- as shown in FIG. 6, the first code block extraction unit 22 extracts nodes that have no parent node on the control flow graph as dead code blocks (that is, first code blocks). Further, as shown in FIG. 7, the first code block extracting unit 22 may extract not only the nodes that have no parent node on the control flow graph but also their child nodes as dead code blocks (that is, first code blocks).
- the dead code blocks described above will not be executed as long as normal input values are given to the program. However, as shown in FIG. 8, if there is a vulnerability in the program, a dead code block can be called and executed by the vulnerable function under certain conditions, such as when special input values are given.
- code blocks with specific properties are not limited to the dead code blocks described above.
- a code block that does not pass through a predetermined function that is always passed through when the program is executed normally, such as an authentication function or a parser function, may also be defined as a code block that has a specific property.
- for example, taking an authentication function as the starting point on the control flow, the first code block extraction unit 22 may extract code blocks that do not pass through the authentication function as code blocks with specific properties.
- the second code block extraction unit 23 extracts all code blocks that perform predetermined sensitive operations from among the codes included in the target binary.
- a predetermined sensitive operation is, for example, an operation that, if executed illegally, is considered to have a serious impact on the system including the program and the environment in which the program is executed, and is an operation predetermined by the user (for example, a requester requesting program inspection, an analyst who performs the inspection, etc.).
- a predetermined sensitive operation includes an operation, predetermined by the user, of calling a predetermined function, and an operation of accessing a predetermined symbol (including an operation of accessing a predetermined variable and an operation of executing a predetermined instruction).
- the operation of calling a predetermined function includes, for example, an operation of calling at least one of a system call, a predetermined library function, and a predetermined API (Application Programming Interface).
- An operation that accesses a predetermined symbol includes, for example, an operation that accesses a global variable of the program.
- the second code block extraction unit 23 extracts, in particular, the plurality of code blocks that access each of the plurality of predetermined symbols extracted by the symbol extraction unit 21 as the plurality of second code blocks.
- the symbol narrowing unit 24 identifies, from among the plurality of second code blocks extracted by the second code block extracting unit 23, the second code blocks that satisfy the conditions on the control flow according to the type of backdoor to be analyzed. After that, the symbol narrowing unit 24 extracts the symbols accessed by the identified second code blocks from among the plurality of predetermined symbols extracted by the symbol extracting unit 21.
- the types of backdoors described here include, for example, a type of backdoor that illegally takes sensitive information out of the program, and a type of backdoor that illegally takes sensitive information from outside the program into it. After identifying the second code blocks that satisfy the conditions on the control flow corresponding to the backdoor type, the symbol narrowing unit 24 extracts the symbols accessed by the identified second code blocks.
- for one backdoor type, the symbol narrowing unit 24 first identifies, from among the plurality of second code blocks extracted by the second code block extracting unit 23, both the second code blocks that are a first code block or a child node thereof and the second code blocks that can be traced from the normal control flow (in other words, that are among the multiple code blocks making up the normal control flow). After that, the symbol narrowing unit 24 extracts, from among the plurality of predetermined symbols extracted by the symbol extracting unit 21, the symbols that are accessed by a second code block of the former kind and also by a second code block of the latter kind. This excludes symbols that are not accessed by any second code block traceable from the normal control flow, that is, symbols that are not used during normal execution.
- for the other backdoor type, the symbol narrowing-down unit 24 first identifies, from among the plurality of second code blocks extracted by the second code block extracting unit 23, the second code blocks that are a first code block or a child node thereof and that access an external resource (a resource outside the program). After that, the symbol narrowing unit 24 extracts the symbols accessed by the identified second code blocks from among the plurality of predetermined symbols extracted by the symbol extracting unit 21.
- the target condition table 26 stores conditions according to the types of backdoors to be analyzed, as described above.
- the symbol output unit 25 outputs the symbols narrowed down by the symbol narrowing-down unit 24 to the outside of the symbol narrowing-down device 20 .
- the symbols output from the symbol narrowing device 20 are used to calculate the backdoor score, which is a score indicating the possibility that the first code block to be analyzed is backdoor code, or a score indicating the magnitude of the impact on the system when the first code block to be analyzed is executed.
- FIG. 10 is a flowchart showing an example of the processing flow of the symbol narrowing device 20.
- FIGS. 11 and 12 are schematic diagrams showing an example of a control flow graph of a certain program for explaining the symbol narrowing processing by the symbol narrowing-down device 20.
- FIG. 11 shows the state before symbol narrowing down
- FIG. 12 shows the state after symbol narrowing down.
- the first code block extraction unit 22 performs static analysis and the like on the target binary to create a control flow graph (step S201).
- the symbol extraction unit 21 extracts a plurality of predetermined symbols (set S) from among the codes included in the target binary (step S202). In the example of FIG. 11, symbols S1 to S6 are extracted as the predetermined symbols (that is, symbols S1 to S6 are extracted as elements of set S).
- the first code block extraction unit 22 extracts all code blocks with specific properties from among the codes included in the target binary as the first code blocks (set D) to be analyzed for whether or not they are backdoors (step S203). In the example of FIG. 11, eight dead code blocks D1 to D8, which are nodes without parent nodes on the control flow graph, are extracted as the first code blocks D1 to D8 to be scored (that is, the first code blocks D1 to D8 are extracted as elements of set D).
- the second code block extraction unit 23 extracts, from the code included in the target binary, all code blocks that perform a predetermined sensitive operation; in particular, it extracts the code blocks that access each of the plurality of predetermined symbols (set S) extracted by the symbol extraction unit 21 as the second code blocks (set E) (step S204).
- in the example of FIG. 11, six code blocks E1 to E6, which are nodes that access at least one of the symbols S1 to S6, are extracted as the second code blocks (that is, the second code blocks E1 to E6 are extracted as the elements of set E).
- the second code blocks are further classified into the set Ea of second code blocks that can be traced from the normal control flow and the set Eb of second code blocks that are first code blocks or child nodes thereof. The identification of the sets Ea and Eb may be performed by the symbol narrowing unit 24 or by the second code block extraction unit 23.
- the symbols are narrowed down by the symbol narrowing-down unit 24 (steps S206 to S210).
- a specific flow of processing by the symbol narrowing-down unit 24 is as follows. Here, as an example, the flow of processing for detecting a backdoor code that illegally takes out sensitive information in a program will be described.
- first, one symbol that has not yet been selected for inspection is selected from the plurality of predetermined symbols (set S) extracted by the symbol extraction unit 21 (step S206).
- next, the one or more second code blocks that access the selected symbol are identified from among the plurality of second code blocks (set E) extracted by the second code block extraction unit 23 (step S207).
- it is then determined whether the one or more second code blocks accessing the selected symbol include an element of the set Ea and also include an element of the set Eb (step S208). That is, it is determined whether the second code blocks accessing the selected symbol include both a second code block that can be traced from the normal control flow and a second code block that is a first code block or a child node thereof.
- if the second code blocks accessing the selected symbol include an element of the set Ea and also an element of the set Eb (YES in step S208), the selected symbol is extracted as a symbol to be used for score calculation (step S209). Otherwise (NO in step S208), the selected symbol is not extracted as a symbol used for score calculation. A symbol that satisfies both conditions is one that is handled by the normal control flow and is also reached from a code block that the normal control flow cannot reach, which is the pattern of interest for a backdoor that takes sensitive information out of the program.
- after that, if there are symbols that have not yet been selected for inspection (YES in step S210), one of them is selected (step S206) and steps S207 to S209 are repeated. If there are no unselected symbols (NO in step S210), the symbols narrowed down for use in score calculation are output from the symbol output unit 25 (step S211).
- in this way, the symbol narrowing device 20 can extract, from among the large number of symbols included in the program to be analyzed, the symbols corresponding to the type of backdoor to be analyzed (that is, corresponding to what type of backdoor candidates are to be extracted). As a result, symbols that hardly contribute to the increase or decrease of the backdoor score for the type of backdoor being analyzed can be excluded from the symbols used in calculating the backdoor score.
- FIG. 13 is a block diagram showing a configuration example of the program analysis device 2 in which the symbol narrowing device 20 is installed.
- the program analysis device 2 includes a symbol narrowing device 20, a backdoor score calculation unit 27, and an analysis result output unit 28.
- the backdoor score calculation unit 27 calculates a backdoor score for each first code block extracted by the first code block extraction unit 22, based on the operation content of the first code block or of code blocks that are its child nodes. Here, the backdoor score calculation unit 27 calculates the backdoor score based at least on the content of those symbols, narrowed down by the symbol narrowing device 20, that are accessed by the first code block or by code blocks that are its child nodes.
- the analysis result output unit 28 outputs, as the analysis result, the first code block extracted by the first code block extraction unit 22 and the backdoor score calculated for that first code block by the backdoor score calculation unit 27.
- the output format of each first code block by the analysis result output unit 28 may be symbol information in the target binary, the relative address of the code block, the code block name named when the program was analyzed, and the like. Also, the first code block may be output with a backdoor score assigned to the code block.
- in the above description, the program to be analyzed is in binary format and the binary of the program is input; however, the source code of the program may be input instead.
- in that case, the source code to be analyzed may be compiled in the symbol narrowing device 20 or the program analysis device 2 and converted into binary format.
- the symbol extraction unit 21, the first code block extraction unit 22, the second code block extraction unit 23, the symbol narrowing unit 24, the symbol output unit 25, the backdoor score calculation unit 27, or a processing unit (not shown) may use information obtained from the source code for the analysis as appropriate.
- FIG. 14 is a flowchart showing an example of the processing flow of the program analysis device 2. In FIG. 14, the symbol narrowing processing by the symbol narrowing device 20 is omitted.
- the backdoor score calculation unit 27 calculates the backdoor score based on at least the contents of the symbols narrowed down by the symbol narrowing-down device 20 that are accessed by the first code block or code blocks that are child nodes thereof.
- the analysis result output unit 28 outputs, as the analysis result, the first code block extracted by the first code block extraction unit 22 and the backdoor score calculated for that first code block by the backdoor score calculation unit 27 (step S213).
- in this way, the program analysis device 2 can present to, for example, the program analyst the first code blocks, which are the backdoor code candidates included in the program to be analyzed, together with their backdoor scores.
- the program analyst can therefore extract backdoor code candidates from the program without comparing the code of the program with its specifications or manually examining the code in detail.
- in addition, the program analysis device 2 uses the symbol narrowing device 20 to exclude, depending on the type of backdoor to be analyzed, symbols that hardly contribute to the increase or decrease of the backdoor score, and calculates the backdoor score on that basis.
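The following Python sketch is an added illustration of the narrowing procedure of steps S201 to S211 (for the "exfiltration of sensitive information" backdoor type described above) together with a score for each first code block as in the program analysis device 2. It is not code from the patent. The control flow graph, the block and symbol names, the symbol accesses per block, the use of "nodes without a parent" as the first code blocks (the dead-code criterion of FIG. 11), and the scoring rule (the number of narrowed symbols reached from a first code block) are constructed assumptions; the patent leaves the concrete score formula open.

```python
# Added example, not part of the patent: toy symbol narrowing and scoring.
# The CFG, the accesses and the score formula are constructed assumptions.
from collections import deque

# Constructed control flow graph: block -> successor blocks. "entry" stands
# for the program entry point; blocks that no edge leads to are dead code.
CFG = {
    "entry": ["main_1"],
    "main_1": ["E1", "E2"],
    "E1": ["E3"],
    "E2": [],
    "E3": [],
    "D1": ["E4"],   # dead block (no parent) that reaches sensitive blocks
    "E4": ["E5"],
    "E5": [],
    "D2": ["E6"],   # dead block whose symbol is never used by normal flow
    "E6": [],
    "D3": [],       # dead block that accesses nothing
}

# Constructed symbol accesses per block. Set E is every block listed here.
ACCESSES = {
    "E1": ["S1"],
    "E2": ["S2", "S3"],
    "E3": ["S4"],
    "E4": ["S1"],          # S1 is used by normal flow and from dead code
    "E5": ["S3", "S5"],
    "E6": ["S6"],          # S6 is only used from dead code
}
SYMBOLS = ["S1", "S2", "S3", "S4", "S5", "S6"]  # set S (step S202)


def reachable(cfg, roots):
    """All blocks reachable (inclusive) from roots along CFG edges."""
    seen = set()
    work = deque(roots)
    while work:
        node = work.popleft()
        if node in seen:
            continue
        seen.add(node)
        work.extend(cfg.get(node, []))
    return seen


def first_code_blocks(cfg, entry="entry"):
    """Set D (step S203): nodes with no parent on the CFG, except the entry."""
    has_parent = {succ for succs in cfg.values() for succ in succs}
    return sorted(n for n in cfg if n != entry and n not in has_parent)


def narrow_symbols(cfg, accesses, symbols, entry="entry"):
    """Steps S206 to S210: keep a symbol only if it is accessed both by a
    second code block on the normal control flow (set Ea) and by a second
    code block that is a first code block or a descendant of one (set Eb)."""
    normal = reachable(cfg, [entry])                      # normal control flow
    dead = reachable(cfg, first_code_blocks(cfg, entry))  # D and their children
    second = {b for b, syms in accesses.items() if syms}  # set E (step S204)
    ea = second & normal
    eb = second & dead
    kept = []
    for sym in symbols:                                   # step S206
        users = {b for b in second if sym in accesses[b]}  # step S207
        if users & ea and users & eb:                     # step S208
            kept.append(sym)                              # step S209
    return kept                                           # step S211


def backdoor_scores(cfg, accesses, symbols, entry="entry"):
    """Assumed score: number of narrowed symbols accessed by a first code
    block or by any of its descendants. The patent does not fix a formula."""
    kept = set(narrow_symbols(cfg, accesses, symbols, entry))
    scores = {}
    for block in first_code_blocks(cfg, entry):
        touched = set()
        for node in reachable(cfg, [block]):
            touched.update(accesses.get(node, []))
        scores[block] = len(touched & kept)
    return scores


if __name__ == "__main__":
    print("first code blocks:", first_code_blocks(CFG))
    print("narrowed symbols:", narrow_symbols(CFG, ACCESSES, SYMBOLS))
    print("backdoor scores:", backdoor_scores(CFG, ACCESSES, SYMBOLS))
```

On this constructed graph only S1 and S3 survive narrowing: S2 and S4 are touched only by the normal flow, S5 and S6 only by dead code. D1, which reaches both S1 and S3, scores 2, while D2 and D3 score 0 even though D2 does access a symbol, which is the effect the narrowing is meant to have.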
- FIG. 15 is a diagram showing a hardware configuration example of the symbol narrowing down device 100 according to the third embodiment.
- symbol narrowing device 100 comprises processor 101 and memory 102 .
- the processor 101 may be, for example, a microprocessor, an MPU (Micro Processing Unit), or a CPU (Central Processing Unit).
- Processor 101 may include multiple processors.
- Memory 102 is comprised of a combination of volatile and non-volatile memory. Memory 102 may include storage remotely located from processor 101 . In this case, the processor 101 may access the memory 102 via an I/O (Input/Output) interface (not shown).
- the symbol narrowing device 10 can have the hardware configuration shown in FIG. 15. Further, the symbol extraction unit 11, the first code block extraction unit 12, the second code block extraction unit 13, the symbol narrowing unit 14, and the symbol output unit 15 in the symbol narrowing device 10 may be realized by the processor 101 reading and executing a program stored in the memory 102.
- the symbol narrowing down device 20 can have the hardware configuration shown in FIG.
- the symbol extraction unit 21, the first code block extraction unit 22, the second code block extraction unit 23, the symbol narrowing unit 24, and the symbol output unit 25 in the symbol narrowing device 20 may be realized by the processor 101 reading and executing a program stored in the memory 102. Also, the target condition table 26 in the symbol narrowing device 20 may be stored in the memory 102.
- although the hardware configuration example of the symbol narrowing device 100 has been described with reference to FIG. 15, the hardware configuration is not limited to this.
- each of the program analysis devices 1 and 2 can likewise adopt a hardware configuration including a processor 101 and a memory 102, as in the case of the symbol narrowing device 100.
- examples of non-transitory computer-readable media include magnetic recording media (e.g., flexible discs, magnetic tapes, hard disk drives), magneto-optical recording media (e.g., magneto-optical discs), CD-ROMs (Compact Disc-Read Only Memory), CD-R (CD-Recordable), CD-R/W (CD-ReWritable), semiconductor memory (e.g.
- the programs described above may also be supplied to the computer by various types of transitory computer-readable media, examples of which are electrical signals, optical signals, and electromagnetic waves.
- a transitory computer-readable medium can supply the program to the symbol narrowing devices 10 and 20 and the program analysis devices 1 and 2 via a wired communication channel such as an electric wire or an optical fiber, or via a wireless communication channel.
- (Appendix 1) A symbol narrowing device comprising: symbol extraction means for extracting a plurality of predetermined symbols from the code included in the binary of a program; first code block extraction means for extracting, from the code included in the binary of the program, a code block having a specific property as a first code block to be analyzed as to whether or not it is a backdoor; second code block extraction means for extracting, from the code included in the binary of the program, a plurality of second code blocks that access each of the plurality of predetermined symbols; symbol narrowing means for extracting, from among the plurality of predetermined symbols, the symbols accessed by those second code blocks, among the plurality of second code blocks, that satisfy a condition on the control flow corresponding to the type of backdoor to be analyzed; and symbol output means for outputting the symbols extracted by the symbol narrowing means.
- (Appendix 2) The symbol narrowing device according to appendix 1, wherein the symbol extraction means extracts, as the plurality of predetermined symbols, a plurality of symbols determined based on attribute information comprising at least one of a symbol type and a scope level.
- (Appendix 3) The symbol narrowing device according to appendix 1 or 2, wherein the symbol narrowing means extracts, from among the plurality of predetermined symbols extracted by the symbol extraction means, the symbols that are accessed both by a second code block, among the plurality of second code blocks, that is the first code block or a child node thereof and by a second code block that is one of the plurality of code blocks constituting the normal control flow.
- (Appendix 4) The symbol narrowing device according to appendix 1 or 2, wherein the symbol narrowing means extracts, from among the plurality of predetermined symbols extracted by the symbol extraction means, the symbols accessed by a second code block, among the plurality of second code blocks, that is the first code block or a child node thereof and that accesses an external resource.
- (Appendix 5) The symbol narrowing device according to any one of appendices 1 to 4, wherein the first code block extraction means extracts, from the code included in the binary, a code block that cannot be reached by the normal control flow when the program is executed, as the first code block, which is the code block having the specific property.
- (Appendix 6) The symbol narrowing device according to any one of appendices 1 to 4, wherein the first code block extraction means extracts, from the code included in the binary, a code block that does not pass through a code block having a predetermined function that the normal control flow passes through when the program is executed, as the first code block, which is the code block having the specific property.
- (Appendix 7) A program analysis device comprising: the symbol narrowing device according to any one of appendices 1 to 6; backdoor score calculation means for calculating a backdoor score, which is a score indicating the likelihood that the first code block is backdoor code or a score indicating the magnitude of the impact on the system when the first code block is executed, based at least on the content of the symbols output from the symbol narrowing device that are accessed by the first code block or by a code block that is a child node thereof; and analysis result output means for outputting the first code block and the backdoor score for the first code block as an analysis result.
- (Appendix 8) A symbol extraction method executed by a symbol narrowing device, comprising: a symbol extraction step of extracting a plurality of predetermined symbols from the code included in the binary of a program; a first code block extraction step of extracting, from the code included in the binary of the program, a code block having a specific property as a first code block to be analyzed as to whether or not it is a backdoor; a second code block extraction step of extracting, from the code included in the binary of the program, a plurality of second code blocks that access each of the plurality of predetermined symbols; a symbol narrowing step of extracting, from among the plurality of predetermined symbols, the symbols accessed by those second code blocks, among the plurality of second code blocks, that satisfy a condition on the control flow corresponding to the type of backdoor to be analyzed; and a symbol output step of outputting the symbols extracted in the symbol narrowing step.
- (Appendix 9) A program analysis method executed by a program analysis device, comprising: a backdoor score calculation step of calculating a backdoor score, which is a score indicating the likelihood that the first code block is backdoor code or a score indicating the magnitude of the impact on the system when the first code block is executed, based at least on the content of the symbols output in the symbol extraction method according to appendix 8 that are accessed by the first code block or by a code block that is a child node thereof; and an analysis result output step of outputting the first code block and the backdoor score for the first code block as an analysis result.
- (Appendix 10) A non-transitory computer-readable medium storing a program that causes a computer to execute: a symbol extraction process of extracting a plurality of predetermined symbols from the code included in the binary of a program; a first code block extraction process of extracting, from the code included in the binary of the program, a code block having a specific property as a first code block to be analyzed as to whether or not it is a backdoor; a second code block extraction process of extracting, from the code included in the binary of the program, a plurality of second code blocks that access each of the plurality of predetermined symbols; a symbol narrowing process of extracting, from among the plurality of predetermined symbols, the symbols accessed by those second code blocks, among the plurality of second code blocks, that satisfy a condition on the control flow corresponding to the type of backdoor to be analyzed; and a symbol output process of outputting the symbols extracted in the symbol narrowing process.
- (Appendix 11) The non-transitory computer-readable medium storing the program according to appendix 10, the program further causing the computer to execute: a backdoor score calculation process of calculating a backdoor score, which is a score indicating the likelihood that the first code block is backdoor code or a score indicating the magnitude of the impact on the system when the first code block is executed, based at least on the content of the symbols output in the symbol output process that are accessed by the first code block or by a code block that is a child node thereof; and an analysis result output process of outputting the first code block and the backdoor score for the first code block as an analysis result.
Landscapes
- Engineering & Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Computing Systems (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Virology (AREA)
- Stored Programmes (AREA)
- Debugging And Monitoring (AREA)
Abstract
Description
Before describing the program analysis device according to the first embodiment, the matters examined in advance by the inventors will be described.
FIG. 1 is a block diagram showing a configuration example of the symbol narrowing device 10 according to the first embodiment. The symbol narrowing device 10 can extract, from among the large number of symbols included in the program to be analyzed, symbols corresponding to the type of backdoor to be analyzed (that is, corresponding to what type of backdoor candidates are to be extracted). As a result, for example, the program analysis device can calculate the backdoor score while excluding symbols that hardly contribute to the increase or decrease of the backdoor score for the type of backdoor being analyzed. This is described in detail below.
FIG. 2 is a flowchart showing an example of the processing flow of the symbol narrowing device 10.
FIG. 3 is a block diagram showing a configuration example of the program analysis device 1 in which the symbol narrowing device 10 is installed.
FIG. 5 is a block diagram showing a configuration example of the symbol narrowing device 20 according to the second embodiment.
FIG. 13 is a block diagram showing a configuration example of the program analysis device 2 in which the symbol narrowing device 20 is installed.
FIG. 15 is a diagram showing a hardware configuration example of the symbol narrowing device 100 according to the third embodiment. In FIG. 15, the symbol narrowing device 100 includes a processor 101 and a memory 102. The processor 101 may be, for example, a microprocessor, an MPU (Micro Processing Unit), or a CPU (Central Processing Unit). The processor 101 may include a plurality of processors. The memory 102 is composed of a combination of volatile memory and non-volatile memory. The memory 102 may include storage located remotely from the processor 101. In this case, the processor 101 may access the memory 102 via an I/O (Input/Output) interface, not shown.
(Appendix 1) A symbol narrowing device comprising:
symbol extraction means for extracting a plurality of predetermined symbols from the code included in the binary of a program;
first code block extraction means for extracting, from the code included in the binary of the program, a code block having a specific property as a first code block to be analyzed as to whether or not it is a backdoor;
second code block extraction means for extracting, from the code included in the binary of the program, a plurality of second code blocks that access each of the plurality of predetermined symbols;
symbol narrowing means for extracting, from among the plurality of predetermined symbols, the symbols accessed by those second code blocks, among the plurality of second code blocks, that satisfy a condition on the control flow corresponding to the type of backdoor to be analyzed; and
symbol output means for outputting the symbols extracted by the symbol narrowing means.
(Appendix 2) The symbol narrowing device according to appendix 1, wherein the symbol extraction means extracts, as the plurality of predetermined symbols, a plurality of symbols determined based on attribute information comprising at least one of a symbol type and a scope level.
(Appendix 3) The symbol narrowing device according to appendix 1 or 2, wherein the symbol narrowing means extracts, from among the plurality of predetermined symbols extracted by the symbol extraction means, the symbols that are accessed both by a second code block, among the plurality of second code blocks, that is the first code block or a child node thereof and by a second code block that is one of the plurality of code blocks constituting the normal control flow.
(Appendix 4) The symbol narrowing device according to appendix 1 or 2, wherein the symbol narrowing means extracts, from among the plurality of predetermined symbols extracted by the symbol extraction means, the symbols accessed by a second code block, among the plurality of second code blocks, that is the first code block or a child node thereof and that accesses an external resource.
(Appendix 5) The symbol narrowing device according to any one of appendices 1 to 4, wherein the first code block extraction means extracts, from the code included in the binary, a code block that cannot be reached by the normal control flow when the program is executed, as the first code block, which is the code block having the specific property.
(Appendix 6) The symbol narrowing device according to any one of appendices 1 to 4, wherein the first code block extraction means extracts, from the code included in the binary, a code block that does not pass through a code block having a predetermined function that the normal control flow passes through when the program is executed, as the first code block, which is the code block having the specific property.
(Appendix 7) A program analysis device comprising:
the symbol narrowing device according to any one of appendices 1 to 6;
backdoor score calculation means for calculating a backdoor score, which is a score indicating the likelihood that the first code block is backdoor code or a score indicating the magnitude of the impact on the system when the first code block is executed, based at least on the content of the symbols output from the symbol narrowing device that are accessed by the first code block or by a code block that is a child node thereof; and
analysis result output means for outputting the first code block and the backdoor score for the first code block as an analysis result.
(Appendix 8) A symbol extraction method executed by a symbol narrowing device, comprising:
a symbol extraction step of extracting a plurality of predetermined symbols from the code included in the binary of a program;
a first code block extraction step of extracting, from the code included in the binary of the program, a code block having a specific property as a first code block to be analyzed as to whether or not it is a backdoor;
a second code block extraction step of extracting, from the code included in the binary of the program, a plurality of second code blocks that access each of the plurality of predetermined symbols;
a symbol narrowing step of extracting, from among the plurality of predetermined symbols, the symbols accessed by those second code blocks, among the plurality of second code blocks, that satisfy a condition on the control flow corresponding to the type of backdoor to be analyzed; and
a symbol output step of outputting the symbols extracted in the symbol narrowing step.
(Appendix 9) A program analysis method executed by a program analysis device, comprising:
a backdoor score calculation step of calculating a backdoor score, which is a score indicating the likelihood that the first code block is backdoor code or a score indicating the magnitude of the impact on the system when the first code block is executed, based at least on the content of the symbols output in the symbol extraction method according to appendix 8 that are accessed by the first code block or by a code block that is a child node thereof; and
an analysis result output step of outputting the first code block and the backdoor score for the first code block as an analysis result.
(Appendix 10) A non-transitory computer-readable medium storing a program that causes a computer to execute:
a symbol extraction process of extracting a plurality of predetermined symbols from the code included in the binary of a program;
a first code block extraction process of extracting, from the code included in the binary of the program, a code block having a specific property as a first code block to be analyzed as to whether or not it is a backdoor;
a second code block extraction process of extracting, from the code included in the binary of the program, a plurality of second code blocks that access each of the plurality of predetermined symbols;
a symbol narrowing process of extracting, from among the plurality of predetermined symbols, the symbols accessed by those second code blocks, among the plurality of second code blocks, that satisfy a condition on the control flow corresponding to the type of backdoor to be analyzed; and
a symbol output process of outputting the symbols extracted in the symbol narrowing process.
(Appendix 11) The non-transitory computer-readable medium storing the program according to appendix 10, the program further causing the computer to execute:
a backdoor score calculation process of calculating a backdoor score, which is a score indicating the likelihood that the first code block is backdoor code or a score indicating the magnitude of the impact on the system when the first code block is executed, based at least on the content of the symbols output in the symbol output process that are accessed by the first code block or by a code block that is a child node thereof; and
an analysis result output process of outputting the first code block and the backdoor score for the first code block as an analysis result.
2 Program analysis device
10 Symbol narrowing device
11 Symbol extraction unit
12 First code block extraction unit
13 Second code block extraction unit
14 Symbol narrowing unit
15 Symbol output unit
17 Backdoor score calculation unit
18 Analysis result output unit
20 Symbol narrowing device
21 Symbol extraction unit
22 First code block extraction unit
23 Second code block extraction unit
24 Symbol narrowing unit
25 Symbol output unit
26 Target condition table
27 Backdoor score calculation unit
28 Analysis result output unit
50 Program analysis device
51 Code block extraction unit
52 Backdoor score calculation unit
53 Analysis result output unit
100 Symbol narrowing device
101 Processor
102 Memory
Claims (11)
- A symbol narrowing device comprising: symbol extraction means for extracting a plurality of predetermined symbols from the code included in the binary of a program; first code block extraction means for extracting, from the code included in the binary of the program, a code block having a specific property as a first code block to be analyzed as to whether or not it is a backdoor; second code block extraction means for extracting, from the code included in the binary of the program, a plurality of code blocks that access each of the plurality of predetermined symbols as a plurality of second code blocks; symbol narrowing means for extracting, from among the plurality of predetermined symbols, the symbols accessed by those second code blocks, among the plurality of second code blocks, that satisfy a condition on the control flow corresponding to the type of backdoor to be analyzed; and symbol output means for outputting the symbols extracted by the symbol narrowing means.
- The symbol narrowing device according to claim 1, wherein the symbol extraction means extracts, as the plurality of predetermined symbols, a plurality of symbols determined based on attribute information comprising at least one of a symbol type and a scope level.
- The symbol narrowing device according to claim 1 or 2, wherein the symbol narrowing means extracts, from among the plurality of predetermined symbols extracted by the symbol extraction means, the symbols that are accessed both by a second code block, among the plurality of second code blocks, that is the first code block or a child node thereof and by a second code block that is one of the plurality of code blocks constituting the normal control flow.
- The symbol narrowing device according to claim 1 or 2, wherein the symbol narrowing means extracts, from among the plurality of predetermined symbols extracted by the symbol extraction means, the symbols accessed by a second code block, among the plurality of second code blocks, that is the first code block or a child node thereof and that accesses an external resource.
- The symbol narrowing device according to any one of claims 1 to 4, wherein the first code block extraction means extracts, from the code included in the binary, a code block that cannot be reached by the normal control flow when the program is executed, as the first code block, which is the code block having the specific property.
- The symbol narrowing device according to any one of claims 1 to 4, wherein the first code block extraction means extracts, from the code included in the binary, a code block that does not pass through a code block having a predetermined function that the normal control flow passes through when the program is executed, as the first code block, which is the code block having the specific property.
- A program analysis device comprising: the symbol narrowing device according to any one of claims 1 to 6; backdoor score calculation means for calculating a backdoor score, which is a score indicating the likelihood that the first code block is backdoor code or a score indicating the magnitude of the impact on the system when the first code block is executed, based at least on the content of the symbols output from the symbol narrowing device that are accessed by the first code block or by a code block that is a child node thereof; and analysis result output means for outputting the first code block and the backdoor score for the first code block as an analysis result.
- A symbol extraction method executed by a symbol narrowing device, comprising: a symbol extraction step of extracting a plurality of predetermined symbols from the code included in the binary of a program; a first code block extraction step of extracting, from the code included in the binary of the program, a code block having a specific property as a first code block to be analyzed as to whether or not it is a backdoor; a second code block extraction step of extracting, from the code included in the binary of the program, a plurality of code blocks that access each of the plurality of predetermined symbols as a plurality of second code blocks; a symbol narrowing step of extracting, from among the plurality of predetermined symbols, the symbols accessed by those second code blocks, among the plurality of second code blocks, that satisfy a condition on the control flow corresponding to the type of backdoor to be analyzed; and a symbol output step of outputting the symbols extracted in the symbol narrowing step.
- A program analysis method executed by a program analysis device, comprising: a backdoor score calculation step of calculating a backdoor score, which is a score indicating the likelihood that the first code block is backdoor code or a score indicating the magnitude of the impact on the system when the first code block is executed, based at least on the content of the symbols output in the symbol extraction method according to claim 8 that are accessed by the first code block or by a code block that is a child node thereof; and an analysis result output step of outputting the first code block and the backdoor score for the first code block as an analysis result.
- A non-transitory computer-readable medium storing a program that causes a computer to execute: a symbol extraction process of extracting a plurality of predetermined symbols from the code included in the binary of a program; a first code block extraction process of extracting, from the code included in the binary of the program, a code block having a specific property as a first code block to be analyzed as to whether or not it is a backdoor; a second code block extraction process of extracting, from the code included in the binary of the program, a plurality of code blocks that access each of the plurality of predetermined symbols as a plurality of second code blocks; a symbol narrowing process of extracting, from among the plurality of predetermined symbols, the symbols accessed by those second code blocks, among the plurality of second code blocks, that satisfy a condition on the control flow corresponding to the type of backdoor to be analyzed; and a symbol output process of outputting the symbols extracted in the symbol narrowing process.
- The non-transitory computer-readable medium storing the program according to claim 10, the program further causing the computer to execute: a backdoor score calculation process of calculating a backdoor score, which is a score indicating the likelihood that the first code block is backdoor code or a score indicating the magnitude of the impact on the system when the first code block is executed, based at least on the content of the symbols output in the symbol output process that are accessed by the first code block or by a code block that is a child node thereof; and an analysis result output process of outputting the first code block and the backdoor score for the first code block as an analysis result.
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/JP2021/012047 WO2022201323A1 (ja) | 2021-03-23 | 2021-03-23 | シンボル絞り込み装置、プログラム解析装置、シンボル抽出方法、プログラム解析方法、及び、非一時的なコンピュータ可読媒体 |
JP2023508228A JPWO2022201323A5 (ja) | 2021-03-23 | シンボル絞り込み装置、プログラム解析装置、シンボル抽出方法、プログラム解析方法、及び、プログラム | |
US18/267,690 US20240045973A1 (en) | 2021-03-23 | 2021-03-23 | Symbol narrowing-down apparatus, program analysis apparatus, symbol extraction method, program analysis method, and non-transitory computer readable medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/JP2021/012047 WO2022201323A1 (ja) | 2021-03-23 | 2021-03-23 | シンボル絞り込み装置、プログラム解析装置、シンボル抽出方法、プログラム解析方法、及び、非一時的なコンピュータ可読媒体 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2022201323A1 true WO2022201323A1 (ja) | 2022-09-29 |
Family
ID=83396470
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2021/012047 WO2022201323A1 (ja) | 2021-03-23 | 2021-03-23 | シンボル絞り込み装置、プログラム解析装置、シンボル抽出方法、プログラム解析方法、及び、非一時的なコンピュータ可読媒体 |
Country Status (2)
Country | Link |
---|---|
US (1) | US20240045973A1 (ja) |
WO (1) | WO2022201323A1 (ja) |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2021038704A1 (ja) * | 2019-08-27 | 2021-03-04 | 日本電気株式会社 | バックドア検査装置、バックドア検査方法、及び非一時的なコンピュータ可読媒体 |
-
2021
- 2021-03-23 US US18/267,690 patent/US20240045973A1/en active Pending
- 2021-03-23 WO PCT/JP2021/012047 patent/WO2022201323A1/ja active Application Filing
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2021038704A1 (ja) * | 2019-08-27 | 2021-03-04 | 日本電気株式会社 | バックドア検査装置、バックドア検査方法、及び非一時的なコンピュータ可読媒体 |
Non-Patent Citations (1)
Title |
---|
YODA MINAMI; SAKURABA SHUJI; SEI YUICHI; TAHARA YASUYUKI; OHSUGA AKIHIKO: "Detection of the Hardcoded Login Information from Socket Symbols", 2020 INTERNATIONAL CONFERENCE ON COMPUTING, ELECTRONICS & COMMUNICATIONS ENGINEERING (ICCECE), IEEE, 17 August 2020 (2020-08-17), pages 33 - 38, XP033844938, DOI: 10.1109/iCCECE49321.2020.9231177 * |
Also Published As
Publication number | Publication date |
---|---|
US20240045973A1 (en) | 2024-02-08 |
JPWO2022201323A1 (ja) | 2022-09-29 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9621571B2 (en) | Apparatus and method for searching for similar malicious code based on malicious code feature information | |
Han et al. | Malware analysis using visualized image matrices | |
US9336381B1 (en) | Entropy-based detection of sensitive information in code | |
JP2019204482A (ja) | 並行脆弱性検出 | |
WO2017049800A1 (zh) | 检测应用漏洞代码的方法和装置 | |
US8806648B2 (en) | Automatic classification of security vulnerabilities in computer software applications | |
TWI528216B (zh) | 隨選檢測惡意程式之方法、電子裝置、及使用者介面 | |
TW201721418A (zh) | 檢測系統及其方法 | |
KR102011725B1 (ko) | 악성코드 검출을 위한 화이트리스트 구축 방법 및 이를 수행하기 위한 기록매체 및 장치 | |
US11609985B1 (en) | Analyzing scripts to create and enforce security policies in dynamic development pipelines | |
JP2017004123A (ja) | 判定装置、判定方法および判定プログラム | |
JP6245006B2 (ja) | テストケース生成装置、方法、及びプログラム | |
US10387288B2 (en) | Interactive analysis of a security specification | |
JP7235126B2 (ja) | バックドア検査装置、バックドア検査方法、及びプログラム | |
WO2022201323A1 (ja) | シンボル絞り込み装置、プログラム解析装置、シンボル抽出方法、プログラム解析方法、及び、非一時的なコンピュータ可読媒体 | |
CN104572066A (zh) | 用于面向屏幕的数据流分析的方法和系统 | |
CN115310087A (zh) | 一种基于抽象语法树的网站后门检测方法和系统 | |
JP7468641B2 (ja) | ソフトウェア修正装置、ソフトウェア修正方法、及びプログラム | |
WO2022201324A1 (ja) | プログラム解析装置、プログラム解析方法、及び、プログラムが格納された非一時的なコンピュータ可読媒体 | |
CN114691197A (zh) | 代码分析方法、装置、电子设备和存储介质 | |
WO2022038701A1 (ja) | プログラム解析装置、プログラム解析方法、及びコンピュータ可読媒体 | |
WO2020115853A1 (ja) | 情報処理装置、情報処理方法及び情報処理プログラム | |
WO2020008632A1 (ja) | 仮説推論装置、仮説推論方法、及びコンピュータ読み取り可能な記録媒体 | |
US11853751B2 (en) | Indirect function call target identification in software | |
WO2022230074A1 (ja) | 検知装置、検知方法及び検知プログラム |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 21932933 Country of ref document: EP Kind code of ref document: A1 |
|
WWE | Wipo information: entry into national phase |
Ref document number: 18267690 Country of ref document: US |
|
ENP | Entry into the national phase |
Ref document number: 2023508228 Country of ref document: JP Kind code of ref document: A |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 21932933 Country of ref document: EP Kind code of ref document: A1 |