
CN107209815B - Method for code obfuscation using return-oriented programming - Google Patents

Method for code obfuscation using return-oriented programming

Info

Publication number: CN107209815B
Authority: CN (China)
Prior art keywords: rop, code, payload, host program, client
Legal status: Active
Application number: CN201680009011.3A
Other languages: Chinese (zh)
Other versions: CN107209815A (en)
Inventor: 高德斌
Current assignee: SINGAPORE MANAGEMENT UNIVERSITY; Huawei International Pte Ltd
Original assignee: SINGAPORE MANAGEMENT UNIVERSITY; Huawei International Pte Ltd
Priority date: 2015-02-06
Filing date: 2016-02-02
Publication date: 2020-08-14

Application filed by SINGAPORE MANAGEMENT UNIVERSITY, Huawei International Pte Ltd
Publication of CN107209815A
Application granted
Publication of CN107209815B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F 21/12 Protecting executable software
    • G06F 21/14 Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F 21/54 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by adding security routines or objects to programs

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Multimedia (AREA)
  • Technology Law (AREA)
  • Stored Programmes (AREA)
  • Storage Device Security (AREA)
  • Telephone Function (AREA)

Abstract

Embodiments of the present invention relate to the use of Return Oriented Programming (ROP) for non-malicious purposes, i.e., for code obfuscation to improve security. Program code associated with a specified function of sensitive nature may be hidden by creating ROP code that performs the specified function of the original (not obfuscated) code and constructing a ROP payload that can be loaded to execute the ROP code. The original code may be replaced with a spurious code not related to the specified function, and a control flow instruction is provided to load the ROP payload to execute the ROP code.

Description

Method for code obfuscation using return-oriented programming

Technical field

Embodiments of the present invention relate to code protection and, more particularly, to applying return-oriented programming (ROP) to obfuscate code, for non-malicious purposes.

Background

Obfuscation is an important technique for protecting algorithms and code from disclosure. Application developers often use it to protect the critical algorithms in a program, making the program's source code and machine code difficult to understand.

One existing obfuscation technique increases the difficulty of disassembling the program code, so that only a small portion of it can be disassembled. Another existing obfuscation technique applies encryption to selected instructions, so that the encrypted instructions can be revealed only with the key.

However, these existing obfuscation techniques have limitations. With the first technique, a code analyst will notice that only a small portion of the program code could be disassembled. With the second technique, an analyst becomes suspicious of the program, and the encryption and decryption processing draws attention.

Summary of the invention

Embodiments of the present invention relate to the use of return-oriented programming (ROP) for non-malicious purposes, i.e., for code obfuscation to improve security. Code associated with a specified function of a sensitive nature may be hidden by creating ROP code that performs the specified function of the original (unobfuscated) code and by constructing a ROP payload that can be loaded to execute the ROP code. The original code may be replaced with spurious code unrelated to the specified function, and a control flow instruction is provided to load the ROP payload and execute the ROP code.

According to one aspect of the present invention, a method of executing obfuscated code is provided. The method includes:

in a mobile device having a ROP-embedded host program, in response to invoking a specified function associated with guest code omitted from the ROP-embedded host program, retrieving a ROP payload, the ROP-embedded host program containing ROP code for performing the specified function; and

resetting memory registers of the mobile device using the ROP payload, thereby executing the ROP code for performing the invoked function associated with the guest code.

In one embodiment of the above method, retrieving the ROP payload includes sending, from the mobile device to a remote server, a request to obtain data associated with the invoked function, and receiving both the requested data and the ROP payload from the server.

In another embodiment of the above method, retrieving the ROP payload includes retrieving the ROP payload from a memory device in the mobile device.

According to another aspect of the present invention, a code obfuscation method is provided. The method includes:

identifying, from host program code having guest code, a plurality of gadgets related to the guest code, and determining a plurality of return addresses corresponding to the gadgets;

creating ROP code that chains the gadgets by modifying the return addresses to be stored in memory registers, wherein the ROP code performs a specified function of the guest code;

constructing a ROP payload containing the parameter data required by the guest code, the return addresses of the gadgets, and a data segment for resetting the memory registers to execute the ROP code;

replacing the guest code in the host program code with spurious code;

providing command code for resetting the memory registers with the ROP payload; and

storing the ROP payload at a memory device, wherein the ROP payload is to be invoked at runtime so as to execute the ROP code for performing the specified function associated with the guest code.

In one embodiment of the above method, the memory device is located at a server computer remote from the mobile device on which the ROP-embedded host program containing the ROP code is to be installed.

In another embodiment of the above method, the memory device is located at the mobile device on which the ROP-embedded host program containing the ROP code is to be installed.

According to another aspect of the present invention, a mobile device is provided. The mobile device includes:

a processor, and a memory device having a ROP-embedded host program, the ROP-embedded host program containing ROP code for performing a specified function associated with guest code omitted from the ROP-embedded host program, the processor being configured to:

retrieve a ROP payload in response to invoking the specified function; and

reset memory registers of the mobile device using the ROP payload, thereby executing the ROP code for performing the invoked function associated with the guest code.

In one embodiment of the above device, the processor is configured to retrieve the ROP payload by sending, to a remote server, a request to obtain data associated with the invoked function and receiving both the requested data and the ROP payload from the server.

In another embodiment of the above device, the processor is configured to retrieve the ROP payload by retrieving it from a memory device in the mobile device.

In another embodiment of the above device, the processor is configured to perform authorization of the retrieval of the ROP payload by verifying an external input before retrieving the ROP payload.

Brief description of the drawings

The present invention will be described in detail with reference to the accompanying drawings, in which:

FIG. 1A shows a host program (e.g., a music player);

FIG. 1B shows guest code (e.g., license verification code) to be obfuscated;

FIG. 1C shows the guest code of FIG. 1B after code obfuscation;

FIG. 2 shows a code obfuscation method according to one embodiment of the present invention; and

FIG. 3 shows a method for executing obfuscated guest code according to one embodiment of the present invention.

Detailed description

In the following description, numerous specific details are set forth to provide a thorough understanding of the various embodiments of the present invention. However, those skilled in the art will understand that embodiments of the present invention may be practiced without some or all of these specific details. In other instances, well-known process operations have not been described in detail so as not to unnecessarily obscure relevant aspects of the described embodiments. In the drawings, like reference numerals refer to the same or similar functionality or features throughout the several views.

Embodiments of the present invention disclose a new obfuscation technique using return-oriented programming (ROP).

In recent years ROP has become one of the most effective runtime attack techniques. As a first step, an attacker using ROP typically identifies gadgets in valid code sequences. A gadget is a small fragment of a valid code sequence; more specifically, it is an instruction sequence that may begin in the middle of an existing machine instruction and ends with a return instruction. The identified gadgets are the basic units from which the ROP program is formed. In the second step, the control flow of the program is redirected to the address of the first gadget in the ROP program. Since every gadget ends with a return instruction, when the first gadget returns the program can "return" to the second gadget, provided that its address has been carefully prepared in the registers. If a gadget contains a pop-like instruction, it takes its arguments from the registers, so those arguments must also be placed in the registers, immediately after the gadget's return address. In summary, ROP assembles fragments of valid code from the existing instructions of a program into another program that performs a specific function and alters the control flow of the original program.

ROP has traditionally been used for malicious attacks on vulnerable programs. In contrast, embodiments of the present invention employ ROP for a non-malicious purpose, namely protecting and hiding program code, by embedding the ROP during application development.

FIGS. 1A to 1C show a non-limiting example to which the present invention may be applied. FIG. 1A shows a host program (e.g., a music player) having guest code (e.g., license verification code) as shown in FIG. 1B. The license verification code is to be obfuscated so that an adversary cannot forge a new license file, e.g., by reverse engineering. FIG. 1C shows the guest code of FIG. 1B after code obfuscation.

FIG. 2 shows a code obfuscation method 200. Method 200 will be described with reference to the example of FIGS. 1A to 1C, in which the host program is Android-based and written in native code (C/C++).

In block 202, guest code within the host program is identified for code obfuscation. At this point the guest code is unobfuscated and the host program is in non-ROP form.

In block 204, the host program code and the native libraries are analyzed to identify useful gadgets (ROP gadgets) related to the guest code. The return addresses corresponding to the identified gadgets are also determined.

To locate these gadgets, a semi-automated tool may be developed that supports both .so files and .apk files on the ARM architecture. The tool analyzes the host program (e.g., an Android application), the native libraries in the Android system, and the libraries in the Android installation package, and determines the return addresses corresponding to the identified gadgets.

In block 206, the identified gadgets are linked or chained together to create the ROP code. This is accomplished by modifying the return addresses stored in the memory registers (as determined in block 204). When executed at the appropriate time, the ROP code performs the specified function associated with the guest code.

In block 208, a ROP payload is constructed, which is used to alter the control flow of the host program and thereby execute the obfuscated guest code (the ROP code).

To alter the control flow, the setjmp() and longjmp() subroutines defined in the C standard library for providing non-local jumps may be used. setjmp() saves the calling environment, i.e., the contents of the memory registers, as defined by jmp_buf, so that longjmp() can restore them. In this way, longjmp() "returns" to the state the program had when setjmp() was called. Thus jmp_buf holds the information needed to restore the calling environment.
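The setjmp()/longjmp() behaviour the description relies on, as an added example that is not part of the patent or its implementation: setjmp() snapshots the calling environment into a jmp_buf and returns 0; a later longjmp() on that buffer discards the intervening stack frames and makes the same setjmp() call "return" a second time with the value passed to longjmp(). The function and variable names are constructed for illustration.

```c
#include <setjmp.h>
#include <stdio.h>

/* Added example (constructed names; not the patent's code): shows how a jmp_buf
 * saved by setjmp() lets longjmp() restore the calling environment, which is
 * why the description treats jmp_buf as the anchor for redirecting control flow. */

static jmp_buf saved_env;      /* the calling environment captured by setjmp() */
static int steps_after_jump;   /* counts statements that must NOT run after longjmp() */

/* Deeply nested callee that abandons its own frames and resumes at the snapshot. */
static void nested_callee(int depth) {
    if (depth == 0) {
        longjmp(saved_env, 42);        /* never returns; setjmp() now yields 42 */
    }
    nested_callee(depth - 1);
    steps_after_jump++;                /* unreachable once longjmp() has fired */
}

/* Returns the value that setjmp() reported on the longjmp() path (42 when the
 * environment was restored correctly), or a negative code on a logic error. */
int demonstrate_nonlocal_jump(void) {
    /* volatile: modified between setjmp() and longjmp(), so it must survive the jump */
    volatile int direct_return_seen = 0;
    int code = setjmp(saved_env);
    if (code == 0) {
        /* Direct return from setjmp(): the environment has just been saved. */
        direct_return_seen = 1;
        nested_callee(3);
        return -1;  /* unreachable: nested_callee() always longjmp()s */
    }
    /* Second "return" from setjmp(), produced by longjmp(): the frames of
     * nested_callee() are gone and code carries the value passed to longjmp(). */
    return (direct_return_seen == 1 && steps_after_jump == 0) ? code : -2;
}

int main(void) {
    printf("setjmp() returned %d after longjmp()\n", demonstrate_nonlocal_jump());
    return 0;
}
```

The `volatile` qualifier matters: the C standard leaves the value of non-volatile automatic variables modified between setjmp() and longjmp() indeterminate, so any state the code after the jump depends on must be declared volatile or kept outside the function.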

Since the jmp_buf saved by setjmp() will be altered through a heap overflow vulnerability, the ROP payload should contain (i) the parameter data required by the guest code, (ii) the return addresses of the identified gadgets (as previously determined in block 204), and (iii) a data segment for resetting the memory registers to execute the ROP code.

In block 210, the guest code is removed from the host program code. Spurious code is provided or embedded in place of the guest code. After the spurious code, command code for resetting the memory registers with the ROP payload is provided. Specifically, the longjmp() subroutine is provided to reset the calling environment and to provide the mechanism for changing the host program's return address.

In block 212, the APK file containing the host program code, which now includes the spurious code and the ROP code, is repackaged and signed. The APK file is then distributed and installed as a ROP-embedded host program on various mobile devices. Such mobile devices are known in the art and include at least a processor and a memory device, the memory device containing instructions executable by the processor to cause the mobile device to perform various operations.

In block 214, the ROP payload is stored in a memory device, to be invoked at runtime to execute the ROP code that performs the specified function associated with the guest code. In one embodiment, the ROP payload is stored in a memory device at a remote server computer. In another embodiment, the ROP payload is stored in a memory device of the mobile device.

Following from the above, FIG. 3 shows a method 300 for executing obfuscated guest code.

In block 302, a mobile device with the ROP-embedded host program installed is provided. Specifically, in the ROP-embedded host program the preselected guest code has already been obfuscated in the form of ROP code. When the specified function associated with the obfuscated guest code is invoked (e.g., the license verification function as in FIG. 1A), the mobile device responds by sending a request for data associated with the invoked function to the remote server computer. The mobile device also executes the spurious code, which is generally unrelated to the invoked function.

In block 304, the remote server responds with the data normally associated with the invoked function. The ROP payload is also retrieved, either from the remote server or from the mobile device on which the ROP-embedded host program is installed.

In one embodiment, in which the ROP payload is stored in a memory device at the remote server, the remote server additionally responds with the ROP payload pre-stored at the remote server.

In another embodiment, in which the ROP payload is stored in a memory device at the mobile device, the ROP payload pre-stored in the mobile device is retrieved upon invocation of the function. In this embodiment, invocation of the obfuscated guest code may be automatic (unconditional), or may use an external input preconfigured to trigger execution of the obfuscated guest code (conditional). For example, before the ROP payload is retrieved from the memory device, authorization of the retrieval is performed by verifying an external input, which may be received from the user of the mobile device.

In block 306, the retrieved ROP payload is applied to reset the memory registers of the mobile device. The original calling environment is thereby restored and control flow returns to the host program, executing the ROP code that performs the specified function associated with the obfuscated guest code.
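The payload structure of block 208 (parameter data, gadget return addresses, register-reset data segment) and the authorization check before retrieval in block 304, as an added example that is not part of the patent or its implementation. The byte layout, the field names, the `MAX_GADGETS` limit, the code range `CODE_LO`/`CODE_HI` and the sample bytes are all constructed assumptions. The example parses a constructed payload, rejects truncated payloads and return addresses outside the host program's own code range before anything would be applied to the registers, and compares the external input in constant time; it deliberately does not perform the register reset itself.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not the patent's code. Constructed little-endian layout:
 *   [u16 param_len][u8 gadget_count][u16 reg_len]
 *   [params][gadget_count * u32 return address][register-reset data] */

#define MAX_GADGETS 32   /* constructed upper bound on chain length */

typedef struct {
    const uint8_t *params;  size_t param_len;     /* (i)  parameter data */
    uint32_t addrs[MAX_GADGETS]; size_t gadget_count; /* (ii) gadget return addresses */
    const uint8_t *reg_data; size_t reg_len;      /* (iii) register-reset data segment */
} rop_payload_t;

enum { PAYLOAD_OK = 0, PAYLOAD_TRUNCATED = 1, PAYLOAD_TOO_MANY = 2, PAYLOAD_BAD_ADDR = 3 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse and validate a payload. Every return address must fall inside the host's
 * code range [code_lo, code_hi): the payload rewrites the return addresses the
 * registers will hold, so an address outside the host program cannot be one of
 * the gadgets the build step produced and is rejected before anything is applied. */
int parse_rop_payload(const uint8_t *buf, size_t len, uint32_t code_lo, uint32_t code_hi,
                      rop_payload_t *out) {
    if (len < 5) return PAYLOAD_TRUNCATED;
    size_t param_len = rd16(buf);
    size_t gadget_count = buf[2];
    size_t reg_len = rd16(buf + 3);
    if (gadget_count > MAX_GADGETS) return PAYLOAD_TOO_MANY;
    size_t need = 5 + param_len + gadget_count * 4 + reg_len;
    if (len < need) return PAYLOAD_TRUNCATED;
    const uint8_t *p = buf + 5;
    out->params = p; out->param_len = param_len; p += param_len;
    out->gadget_count = gadget_count;
    for (size_t i = 0; i < gadget_count; i++, p += 4) {
        uint32_t a = rd32(p);
        if (a < code_lo || a >= code_hi) return PAYLOAD_BAD_ADDR;
        out->addrs[i] = a;
    }
    out->reg_data = p; out->reg_len = reg_len;
    return PAYLOAD_OK;
}

/* Constant-time comparison of the external input (e.g. a token entered by the
 * user) with the expected value, so timing does not reveal how many leading
 * bytes matched. Returns 1 when retrieval of the payload is authorized. */
int authorize_retrieval(const uint8_t *input, size_t in_len,
                        const uint8_t *expected, size_t exp_len) {
    if (in_len != exp_len) return 0;
    uint8_t diff = 0;
    for (size_t i = 0; i < in_len; i++) diff |= (uint8_t)(input[i] ^ expected[i]);
    return diff == 0;
}

/* Constructed sample: 2 parameter bytes, 2 return addresses inside the constructed
 * code range 0x00010000-0x00020000, and 4 bytes of register-reset data. */
static const uint8_t SAMPLE_PAYLOAD[] = {
    0x02, 0x00,             /* param_len = 2 */
    0x02,                   /* gadget_count = 2 */
    0x04, 0x00,             /* reg_len = 4 */
    0xAA, 0xBB,             /* parameter data */
    0x10, 0x12, 0x01, 0x00, /* return address 0x00011210 */
    0x44, 0x15, 0x01, 0x00, /* return address 0x00011544 */
    0x01, 0x02, 0x03, 0x04  /* register-reset data segment */
};

#define CODE_LO 0x00010000u   /* constructed host code range */
#define CODE_HI 0x00020000u

/* Runs the parser over the sample and two malformed variants; returns the number
 * of checks that behaved as expected (3 when the parser is correct). */
int run_payload_checks(void) {
    rop_payload_t pl; int ok = 0;
    if (parse_rop_payload(SAMPLE_PAYLOAD, sizeof SAMPLE_PAYLOAD, CODE_LO, CODE_HI, &pl) == PAYLOAD_OK
        && pl.gadget_count == 2 && pl.addrs[1] == 0x00011544u && pl.reg_len == 4) ok++;
    /* truncated: the last register-data byte is missing */
    if (parse_rop_payload(SAMPLE_PAYLOAD, sizeof SAMPLE_PAYLOAD - 1, CODE_LO, CODE_HI, &pl) == PAYLOAD_TRUNCATED) ok++;
    /* out-of-range gadget: narrow the code range so the second address falls outside it */
    if (parse_rop_payload(SAMPLE_PAYLOAD, sizeof SAMPLE_PAYLOAD, CODE_LO, 0x00011500u, &pl) == PAYLOAD_BAD_ADDR) ok++;
    return ok;
}

int main(void) {
    printf("%d/3 payload checks passed\n", run_payload_checks());
    return 0;
}
```

Because the payload decides where control flow goes once the registers are reset, a practitioner would treat it like any other control-flow-bearing input: validate its structure and address range, and authenticate its origin (the page's remote-server embodiment), before handing it to the longjmp() path.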

The above disclosure has been described with reference to an Android-based application. It should be appreciated that embodiments of the present invention are suitable for application to other platforms, including x86 and SPARC.

As will be appreciated from the above, embodiments of the present invention overcome the limitations of existing obfuscation techniques and provide several advantages and distinctions, including but not limited to the following:

By using ROP, the code to be obfuscated is in ROP form when embedded in the host program. The ROP-embedded host program can be completely and successfully disassembled, so it raises no suspicion of code obfuscation.

The control flow of the host program is altered by rewriting return addresses in the host program. With the ROP technique, static analysis cannot detect the program's return addresses (a runtime concept). At runtime, some of the return addresses become the addresses of ROP gadgets.

In some embodiments, a remote server is used to control the behaviour after the preselected program function is invoked. Specifically, the server sends the ROP payload, which contains the return addresses of the ROP gadgets, to the mobile device. The payload is not accessible through static analysis of the host program. The ROP payload therefore controls the invocation of the obfuscated guest code at runtime.

The Android application is altered using native code, in particular by embedding a mechanism to modify the jmp_buf or the return addresses.

ROP is here applied for a non-malicious purpose and is in fact used to improve security. Since the ROP is constructed during program development, the program is entirely under the control of the developer, who is also the ROP constructor. The developer can therefore modify any aspect of the program to make ROP embedding possible. Existing ROP techniques, by contrast, are applied to malicious attacks, in which the ROP constructor cannot change the instructions in the program.

A semi-automated tool may be provided for analyzing gadgets in an Android application; it supports the apk file and the libraries to be used by the application, including the native libraries in the Android system and those in the apk file.

Other embodiments will be apparent to those skilled in the art from consideration of this specification and practice of the invention. Furthermore, certain terms have been used for clarity of description and do not limit the disclosed embodiments of the invention. The embodiments and features described above are to be regarded as exemplary.

Claims (18)

1.一种执行混淆代码的方法,其特征在于,所述方法包括:1. a method for executing obfuscated code, wherein the method comprises: 在具有返回导向编程ROP嵌入式主机程序的移动设备中,响应于调用与从所述ROP嵌入式主机程序省略的客户代码相关联的指定功能,检索ROP有效负载,所述ROP嵌入式主机程序包含用于实行所述指定功能的ROP代码;以及In a mobile device with a return-oriented programming ROP embedded host program, a ROP payload is retrieved in response to invoking a specified function associated with client code omitted from the ROP embedded host program, the ROP embedded host program comprising ROP codes for carrying out the specified functions; and 使用所述ROP有效负载重新设置所述移动设备的存储器寄存器,从而执行用于实行与所述客户代码相关联的调用功能的所述ROP代码。A memory register of the mobile device is reset using the ROP payload, thereby executing the ROP code for carrying out the calling function associated with the client code. 2.根据权利要求1所述的方法,其特征在于,检索ROP有效负载包含从移动设备将获得与所述调用功能相关联的数据的请求发送到远程服务器,并且从所述服务器接收所述所请求的数据和所述ROP有效负载这两者。2. The method of claim 1, wherein retrieving a ROP payload comprises sending a request from a mobile device to obtain data associated with the invoking function to a remote server, and receiving the data from the server. Both the requested data and the ROP payload. 3.根据权利要求1所述的方法,其特征在于,检索ROP有效负载包含从所述移动设备中的存储器设备检索所述ROP有效负载。3. The method of claim 1, wherein retrieving a ROP payload comprises retrieving the ROP payload from a memory device in the mobile device. 4.根据权利要求3所述的方法,其特征在于,进一步包括:4. The method of claim 3, further comprising: 在从所述移动设备中的所述存储器设备检索所述ROP有效负载之前,通过验证外部输入来实行对检索所述ROP有效负载的授权。Authorization to retrieve the ROP payload is effected by validating external input prior to retrieving the ROP payload from the memory device in the mobile device. 5.根据权利要求1所述的方法,其特征在于,所述ROP嵌入式主机程序是安卓应用。5. The method according to claim 1, wherein the ROP embedded host program is an Android application. 6.根据权利要求1所述的方法,其特征在于,所述ROP有效负载包含所述客户代码所需的参数数据、形成所述ROP代码的多个片段的返回地址,以及用于重新设置所述存储器寄存器以执行所述ROP代码的数据段。6. 
The method of claim 1, wherein the ROP payload contains parameter data required by the client code, return addresses forming a plurality of fragments of the ROP code, and a method for resetting all the memory register to execute the data segment of the ROP code. 7.根据权利要求1到5中任一权利要求所述的方法,其特征在于,通过以下步骤准备所述ROP嵌入式程序:7. The method according to any one of claims 1 to 5, wherein the ROP embedded program is prepared by the following steps: 从具有所述客户代码的非ROP主机程序代码中识别与所述客户代码相关的多个片段并且确定对应于所述片段的多个返回地址;Identifying a plurality of fragments associated with the client code from the non-ROP host program code having the client code and determining a plurality of return addresses corresponding to the fragments; 通过修改将存储于存储器寄存器中的所述返回地址创建连接所述片段的所述ROP代码;creating the ROP code connecting the fragment by modifying the return address to be stored in a memory register; 构造所述ROP有效负载,所述ROP有效负载包含所述客户代码所需的参数数据、所述片段的所述返回地址,以及用于重新设置所述存储器寄存器以执行所述ROP代码的数据段;constructing the ROP payload containing parameter data required by the client code, the return address for the segment, and a data segment for resetting the memory registers to execute the ROP code ; 用杂散代码替代所述主机程序代码中的所述客户代码;replacing the client code in the host program code with stray code; 提供用于用所述ROP有效负载重新设置所述存储器寄存器的命令码;以及providing a command code for resetting the memory register with the ROP payload; and 存储所述ROP有效负载。The ROP payload is stored. 8.一种代码混淆方法,其特征在于,包括:8. 
A code obfuscation method, comprising:
identifying, from host program code having client code, a plurality of fragments associated with the client code and determining a plurality of return addresses corresponding to the fragments;
creating return-oriented programming (ROP) code that connects the fragments by modifying the return addresses to be stored in a memory register, wherein the ROP code is to perform a specified function of the client code;
constructing a ROP payload containing parameter data required by the client code, the return addresses of the fragments, and a data segment for resetting the memory register to execute the ROP code;
replacing the client code in the host program code with stray code;
providing a command code for resetting the memory register with the ROP payload; and
storing the ROP payload at a memory device, wherein the ROP payload is to be invoked at runtime to execute the ROP code for carrying out the specified function associated with the client code.
9. The method of claim 8, wherein the memory device is located at a server computer remote from the mobile device on which the ROP-embedded host program containing the ROP code is to be installed.
10. The method of claim 8, wherein the memory device is located at the mobile device on which the ROP-embedded host program containing the ROP code is to be installed.
11. The method of claim 8, wherein the host program is an Android application.
12. A mobile device, comprising:
a processor, and a memory device having a return-oriented programming (ROP) embedded host program, the ROP-embedded host program containing ROP code for carrying out a specified function associated with client code omitted from the ROP-embedded host program, the processor being configured to:
retrieve a ROP payload in response to invocation of the specified function; and
reset a memory register of the mobile device using the ROP payload, thereby executing the ROP code for carrying out the invoked function associated with the client code.
13. The device of claim 12, wherein the processor is configured to retrieve the ROP payload by sending a request to obtain data associated with the invoked function to a remote server and receiving both the requested data and the ROP payload from the server.
14. The device of claim 12, wherein the processor is configured to retrieve the ROP payload by retrieving it from the memory device in the mobile device.
15. The device of claim 14, wherein the processor is configured to enforce authorization for retrieving the ROP payload by verifying an external input before retrieving the ROP payload.
16. The device of claim 12, wherein the ROP-embedded host program is an Android application.
17. The device of claim 12, wherein the ROP payload contains parameter data required by the client code, return addresses of a plurality of fragments forming the ROP code, and a data segment for resetting the memory register to execute the ROP code.
18. The device of any one of claims 12 to 16, wherein the ROP-embedded program is prepared by the following steps:
identifying, from non-ROP host program code having the client code, a plurality of fragments associated with the client code and determining a plurality of return addresses corresponding to the fragments;
creating the ROP code that connects the fragments by modifying the return addresses to be stored in a memory register;
constructing the ROP payload containing parameter data required by the client code, the return addresses of the fragments, and a data segment for resetting the memory register to execute the ROP code;
replacing the client code in the host program code with stray code;
providing a command code for resetting the memory register with the ROP payload; and
storing the ROP payload.
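As an added toy model (not code from the patent or its applicants), the following Python sketch walks through claims 8, 12 and 15: fragments of a constructed host program are chained through return addresses held in a ROP payload, the stack-pointer register is reset to that payload, the hidden client function is replaced by stray code, and the payload is released only after an external input is verified. Every address, the HMAC key and all function names are assumptions made for this example; nothing here touches real machine code.

```python
import hashlib
import hmac

# Constructed host program: four fragments (gadgets) keyed by made-up return
# addresses; each updates the registers and may pop the next payload word.
def frag_pop_r0(regs, stack): regs["r0"] = stack.pop(0)          # pop r0; ret
def frag_pop_r1(regs, stack): regs["r1"] = stack.pop(0)          # pop r1; ret
def frag_add(regs, stack): regs["r0"] = regs["r0"] + regs["r1"]  # add r0, r1; ret
def frag_mul(regs, stack): regs["r0"] = regs["r0"] * regs["r1"]  # mul r0, r1; ret

HOST_FRAGMENTS = {0x1000: frag_pop_r0, 0x1004: frag_pop_r1,
                  0x1008: frag_add, 0x100C: frag_mul}

# Hidden client function f(a, b, c) = (a + b) * c. The payload carries the
# parameter data, the return addresses and the register-reset data (claim 8).
def build_rop_payload(a, b, c):
    chain = [0x1000, a,   # pop r0 <- a
             0x1004, b,   # pop r1 <- b
             0x1008,      # r0 = a + b
             0x1004, c,   # pop r1 <- c
             0x100C]      # r0 = (a + b) * c
    return {"reset": {"sp": 0}, "stack": chain}

# Stray code left in the host program where the client code used to be.
def client_function_stray(a, b, c):
    return 0

# Claim 15: an external input is verified before the payload is released.
AUTH_KEY = b"constructed-demo-key"   # constructed for this example only
REQUEST_MSG = b"payload-request"

def make_tag(message):
    return hmac.new(AUTH_KEY, message, hashlib.sha256).hexdigest()

def verify_external_input(message, tag):
    return hmac.compare_digest(make_tag(message), tag)

# Command code: reset sp to the payload; each "ret" then pops the next fragment.
def run_rop(host, payload):
    regs = {"sp": payload["reset"]["sp"], "r0": 0, "r1": 0}
    stack = list(payload["stack"])
    while stack:
        host[stack.pop(0)](regs, stack)
    return regs["r0"]

def invoke_obfuscated(a, b, c, tag):
    if not verify_external_input(REQUEST_MSG, tag):
        raise PermissionError("ROP payload not released")
    return run_rop(HOST_FRAGMENTS, build_rop_payload(a, b, c))
```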
CN201680009011.3A 2015-02-06 2016-02-02 Method for code obfuscation using return-oriented programming Active CN107209815B (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
SG10201500921Q 2015-02-06
SG10201500921QA SG10201500921QA (en) 2015-02-06 2015-02-06 Method for obfuscation of code using return oriented programming
PCT/SG2016/050052 WO2016126206A1 (en) 2015-02-06 2016-02-02 Method for obfuscation of code using return oriented programming

Publications (2)

Publication Number Publication Date
CN107209815A CN107209815A (en) 2017-09-26
CN107209815B true CN107209815B (en) 2020-08-14

Family

ID=55411723

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201680009011.3A Active CN107209815B (en) 2015-02-06 2016-02-02 Method for code obfuscation using return-oriented programming

Country Status (3)

Country Link
CN (1) CN107209815B (en)
SG (1) SG10201500921QA (en)
WO (1) WO2016126206A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3522006A1 (en) * 2018-02-01 2019-08-07 Gemalto Sa Method for protecting an executable code
CN110321727A (en) * 2018-03-29 2019-10-11 Alibaba Group Holding Ltd (阿里巴巴集团控股有限公司) Application information storage and processing method and device
CN109829313B (en) * 2019-02-28 2020-11-24 PLA Strategic Support Force Information Engineering University (中国人民解放军战略支援部队信息工程大学) Method and device for defending against SGX side-channel attacks based on code-reuse programming

Citations (2)

Publication number Priority date Publication date Assignee Title
CN103440457A (en) * 2013-08-20 2013-12-11 Shanghai Jiao Tong University (上海交通大学) Binary program analysis system based on process simulation
CN103946855A (en) * 2011-11-07 2014-07-23 Qualcomm Incorporated (高通股份有限公司) Methods, devices, and systems for detecting return-oriented programming exploits

Family Cites Families (3)

Publication number Priority date Publication date Assignee Title
US7620987B2 (en) * 2005-08-12 2009-11-17 Microsoft Corporation Obfuscating computer code to prevent an attack
US8689201B2 (en) * 2010-01-27 2014-04-01 Telcordia Technologies, Inc. Automated diversity using return oriented programming
US9411597B2 (en) * 2014-05-06 2016-08-09 Nxp B.V. Return-oriented programming as an obfuscation technique

Non-Patent Citations (1)

Title
Research on ROP attack and defence technology based on the ARM architecture (基于ARM架构的ROP攻击与防御技术研究); Qian Yi (钱逸); China Master's Theses Full-text Database, Information Science and Technology series (《中国优秀硕士论文全文数据库 信息科技辑》); 2013-07-15; full text *

Also Published As

Publication number Publication date
WO2016126206A1 (en) 2016-08-11
CN107209815A (en) 2017-09-26
SG10201500921QA (en) 2016-09-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant