IT202100012488A1 - Method of configuring neural networks and method of processing binary files - Google Patents

Description

?Neural Network Configuration Method and Binary File Processing Method?

DESCRIPTION

FIELD OF TECHNIQUE

The present invention relates to the field of software security and the protections applied thereto.

STATE OF THE ART

The software, due to its intrinsic characteristics, is highly sensitive in terms of security.

Consider, for example, that software often incorporates or manages confidential, private or proprietary data? third party intellectual. It also makes explicit the know-how that made its creation possible. This information is available in the form of instructions and data structures that make up a given software or that are processed by it. I am therefore potentially available to anyone with a copy of the software. Therefore, the software can also be seen as a container of fundamental assets for the business of the company that developed it.

The software ? exposed to numerous threats and risks. In a scenario of type MATE (Man-At-The-End), an attacker, having available a certain software and controlling the? Environment in which it will come? performed, can analyze the behavior of said software, for example using a debugger, or can? disassemble or decompile it to extract its logical structure. These reverse engineering operations can therefore allow to obtain some of the assets present in the software. MATE attacks are frequent and can consist in the identification and possible reuse of functionalities? considered strategic, the compromise of license controls, the identification of flaws or contexts of use that can be exploited to compromise the functionalities? the software itself or the environments in which it runs, etc.

Given the severity of the risks which the software ? exposed, you can not? regardless of adopting appropriate mitigations. In this context, mitigations are the software protection methods and technologies, adopted both in the software development phase and immediately before its distribution. The software protection process combines the use of cryptographic functions, software transformations, and software engineering techniques to mitigate risk. Can software protections rely on functionality? of security available in? the environment in which the software ? executed, but can also be integrated into the software itself, using specially designed protection technologies.

While there are no definitive solutions that can prevent attackers from obtaining the assets in the software, numerous protection solutions adopted are known in the art, aimed at delaying the most effective attacks. possible the attacker and therefore preserve the business model adopted by the owner of this software.

Consider, for example, the scenario of a software house - software houses represent an important part of the software protection market - when it intends to commercialize a new video game. A large part of the sales of this type of product is concentrated in the first days following its release on the market. Therefore, it becomes essential to delay as soon as possible. It is possible when an attacker successfully breaches the software protections contained in the work, such as licensing controls, releasing cracks or circulating illegal copies of the video game.

The effectiveness of the protection techniques applied to the software are often evaluated, before a given software is released, by internal or external specialized personnel of the company that develops the software. However, this evaluation process ? often performed manually or by means of semi-automated tools, thus requiring the expenditure of a considerable amount? of time and resources. Also, the weather very often ? limited due to the business models adopted which impose a stringent time-to-market in order to be able to establish itself on the market before the competitors.

A first step that attackers must first perform to extract assets from the software is to identify the protection techniques that have been applied to specific portions of the software, in order to disable or eliminate them. An evaluation of the effectiveness of the protections cannot regardless of estimating how easy ? recognize which protections have been applied.

SUMMARY OF THE INVENTION

Currently the tools known in the state of the art aimed at identifying the protection techniques applied to a software are not yet satisfactory since offer, when present, a limited level of automation and consequently depend heavily on? activity? manual, in a context where time plays a fundamental role for the success or failure of a software product on the market.

Furthermore, these tools are not optimized for carrying out tasks? identification of protected areas within the software itself.

The purpose of the present invention ? that of improving the degree of automation in the phase of identifying the protection techniques applied to the software.

? object of the present invention a method for automating the process of identifying the software protections applied to a binary file and of identifying the protected areas within said file as described by claim 1 and by preferred embodiments thereof described by the claims 2-12.

? further object of the present invention is a file processing method as described by claim 13 and by preferred embodiments thereof described by claims 14-16.

BRIEF DESCRIPTION OF THE DRAWINGS

Preferred embodiments of the present invention will be described below, purely by way of example, with reference to the accompanying drawings, in which:

- Fig.1 shows an example of a computer system usable for the purposes of the present invention;

- Fig.2 shows a schematic example of a binary file in which the functions and the possible presence of protections are highlighted;

- Fig.3 shows, by means of functional blocks, an example of a configuration method of a neural network capable of obtaining information about the protection techniques possibly present in a file to be analysed;

- Fig.4 shows an example of a coded function;

- Fig.5 shows, by means of functional blocks, a simplified architecture of a neural network based on LSTM (Long Short Term Memory) cells;

- Fig.6 shows, by means of functional blocks, a simplified architecture of a BERT (Bidirectional Encoder Representations from Transformers) neural network.

DETAILED DESCRIPTION OF THE INVENTION

The following detailed description of the preferred embodiments refers to the accompanying drawings which form a part thereof and show, by way of example, specific embodiments of the present invention. The following description is not ? therefore to be understood in a limiting sense, and the extent of the inventions? defined only by the appended claims.

Fig. 1 shows an example of a computer system 10 configured to provide information about any software protections contained in a file to be analysed.

System 10 includes, for example, a general purpose computing device 20, in the form of a conventional personal computer, which includes a unit processor 21, a system memory 22 and a system bus 23 which couples the system memory 22 and other system components to the unit? of processing 21.

The system bus 23 can? be any one of several types of bus capable of allowing a communication channel between different hardware devices to exchange information. System memory 22 comprises, for example, a read-only memory (ROM) 24 and a random access memory (RAM) 25. A basic input/output system (BIOS) 26, stored in ROM 24, contains the basic routines which transfer information between the components of the personal computer 20. The BIOS 24 also contains the system startup routines. The personal computer 20 further includes a hard disk drive 27 for reading from and writing to at least one hard disk 29. The hard disk drive 27? connected to the system bus 23 via an interface for the unit? hard drives 32.

For example, system 10 includes hard disk 29 but could include other types of media, such as memory cards, external hard disks, RAM, ROM and the like.

Program modules can be stored on hard disk 29 on ROM 24 and RAM 25.

A user can enter commands and information in the personal computer 20 through one or more? input devices such as, for example, a keyboard 40 and an optical pointing device 42. These and other input devices are often connected to the unit? of processing 21 through a specific input interface 46 which depends on the type of port used such as for example a serial port, a parallel port, a USB port, etc. coupled to the system bus 23. A monitor 47 or other display device also connects to the system bus 23 via an interface such as a video adapter 48. In addition to the monitor, personal computers may also include other output devices (not shown) such as a printer.

The personal computer 20 can? operate, in a data exchange network, using logical connections to one or more? remote computers such as remote computer 49. Remote computer 49 can? be another personal computer, a server, a router, a network PC or another node on the network. It typically includes many or all of the components described above in relation to the personal computer 20. However, in the example in Fig.1 ? shown for simplicity? only a storage device 50. The logical connections shown in Fig. 1 may comprise a LAN and/or WAN type network 51 common in offices, corporate computer networks, intranets and the Internet.

When in a LAN/WAN network environment, PC 20 connects to a network 51 through a network interface or adapter 53 which can be a wired or wireless network card. In a networked environment, program modules represented as residing within the personal computer 20 or portions thereof may be stored in a remote storage device 50.

Program modules may include: OS 35, one more? application programs 36, at least one neural network NN(Pi) (processing module 33) and a training module MOD_TRAIN 34. In particular, ? expected a plurality? of neural networks NN(Pi), each associated with a particular software protection.

Each of the neural networks NN(Pi) pu? be implemented in hardware, software, or a combination thereof. The MOD_TRAIN 34 training module has the task of training each neural network NN(Pi) by means of data sets, ie a collection of data used as samples for the purpose of ?teaching? to the neural network NN(Pi) how to react to specific input data.

How will I come? described more more detailed forward, each neural network NN(Pi) ? trained to obtain information about a specific security technique that may be present in a file to be analyzed.

Figure 2 shows a schematic example of a binary file that can belong, for example, to an application or a software library. The binary file ? formed by a plurality of functions FNZ 1 ? FNZ n, each of which ? composed of a sequence of assembly instructions, also called lines of code or pi? in general code. One or more? of said plurality? of functions contained in the binary file may require software protection if their content represents an asset, or constitutes a value in economic and/or know-how terms.

The assets that can constitute a critical area within the binary file can be for example, but not limited to, proprietary algorithms (or other intellectual property), cryptographic secrets or security controls such as for example license controls of commercial software.

In figure 2, the FNZ 1 function and the FNZ 6 function are shown with the symbol of a shield to want to specify that these two functions are the result of the application of software protections since? containing at least one asset. Note that particular lines of code or functions may have been protected to confuse attackers even though they are not assets.

Conversely, the FNZ 4 function? instead shown with an X symbol to indicate that it is not a protected function with any type of software protection.

After being applied to the code, software protections leave their own digital imprint, or fingerprint, which is anomalous with respect to unprotected code.

Examples of fingerprints present in the code following the application of a software protection could be particularly complex control flows or logical conditions.

Each software protection has a characteristic fingerprint that could allow to deduce some information such as which peculiarities? own the protected assets and which properties? security yes? decided to apply. Examples of software protections can be: control flow flattening, opaque predicates, branch functions, arithmetic encoding, conversion of data into functions (for example with Mealy machines), merging or subdivision of variables, recoding of variables (for example, xor masking, residual number encoding, ...), white-box cryptography, virtualization through the use of virtual machines or JIT compilation, call stack checks, code guards , control flow tagging, anti-debugging, code mobility, client/server code splitting, anti-cloning and software attestation.

Figure 3 shows, by means of a flowchart, a preferred embodiment of a configuration method of neural networks 100 that can be implemented, for example, by means of the system 10.

Method 100 allows you to configure one or more? neural networks NN(Pi), each to be used to obtain information about a specific protection technique possibly present in a file to be analysed.

After a starting phase, the method 100 provides a first phase 110 in which one or more? source files (that is, a file expressed with a high-level language) used for training a neural network. For brevity, consider using a single source file. According to the example described, this source file is, initially, without software protections.

Subsequently, according to an example, one or more? software protections. In the considered example we refer to the case in which more? software protections P1,?,Pn. In particular, these P1,?,Pn protections are applied to one or more? source file functions.

As ? also reiterated more? further, not all functions in the source file have protections applied, but some of them remain unprotected. There? allow? to train the neural networks NN(Pi) also to recognize unprotected functions.

According to the example described here, the source file provided with the software protections P1,?,Pn is then compiled, obtaining a binary file.

Note that ? possible to provide that it is directly provided a binary file to which have already been? apply the protections P1,?,Pn., avoiding what? to carry out the first phase 110. Note that some protections are applied to the source file while others are applied directly to the binary file.

In a second phase 120 the disassembly of the binary file obtainable, for example, from the previous compilation is carried out in order to extract the plurality thereof. of functions contained in it (that is, of its portions of code).

The disassembly operation makes it possible to obtain the previously compiled file in the form of assembly code by replacing each machine language operating code with a sequence of characters which represents it in mnemonic form, ie? in a way that can be easily interpreted by an operator. Data and memory addresses can also be rewritten in assembly according to a numerical base, such as hexadecimal, or in symbolic form using text strings (identifiers). Will the program in assembly format result? therefore relatively more readable against the corresponding binary.

Examples of operational codes in mnemonic format are the ADD for the addition operation or the MOV to indicate a copy operation.

Furthermore, ? carried out a third phase 130 which has the purpose of collecting in a data set, or collection of data, the plurality? of protected functions extracted from the assembly file together with the indication of the protections present for each function. This indication? an identifier of the type of protection applied P1,?,Pn. The data set can have a matrix structure.

Note that the data set can also be obtained by means of a library of protected functions associated with a library of protections, without carrying out the application of the protections to the functions of the binary file and the extraction of the functions from the binary file indicated in the second phase 120.

The set of information regarding the protected function and the indication of the protections applied to the same function defines a CHMP sample. This CHMP sample is, for example, a row of the data set in the following format:

(asmj, P1,?,Pn)

where asmj ? the jth protected function extracted from the assembly file and the identifiers P1,?,Pn represent the specific software protections applied to the asmj function.

In particular, the identifiers P1,?,Pn can be boolean variables which indicate whether the protection Pi ? been applied to the asmj function. For functions to which not ? no protection has been applied, the identifiers P1,?,Pn assume the value ?false?.

The CHMP samples will be used in the subsequent phases of method 100. Note that in order to carry out a good training phase of a neural network ? The data set must contain a large enough number of CHMP samples.

According to a preferred embodiment of the method 100, the first phase 110 (compilation phase) and the second phase 120 (disassembly phase) can be performed more than once. times using different combinations of protections that provide for the application of one or more? protection sequences for each function.

How already? mentioned, advantageously, the data set ? also built using compiled functions to which not ? no software protection has been applied. Functions compiled without any software protection are called vanilla functions and are intended to balance the data set. The purpose of this balancing? that of preventing an unbalanced data set from negatively affecting the learning process of a neural network, described later in this document, leading it to focus on prevailing events, neglecting rare ones. In particular, the vanilla functions are used to make the neural network learn how unprotected functions are made, so that it can distinguish these from the functions protected with the specific protection technique that the neural network ? trained to identify.

In a fourth step 140, the coding of each function (asmj) belonging to the plurality? of functions by converting them into CHMP_COD coded functions. This operation has the purpose of transforming the instructions contained in the functions of each CHMP sample expressed in assembly language into a sequence of numerical values, in particular, the instructions containing operating codes, data and addresses when expressed in mnemonic format.

At the end of said coding phase 140 each CHMP_COD coded function belonging to the data set will be? expressed as a sequence of numerical values, thus resulting suitable for use in a training phase of a neural network. The coding phase 140 can? optionally include two further sub-phases that allow a neural network to reach more? convergence quickly: the masking sub-phase and the scaling sub-phase.

In a fifth step 150, one of the neural networks NN(Pi) is trained. For example, ? trained a first neural network NN(P1) associated with a first software protection P1.

In particular, the first neural network NN(P1) ? trained to provide a first probability index? PIi (in this case i = 1) which indicates the probability? that a given j-th function (asmj) is protected by the first protection P1.

Furthermore, if a function has been identified to which the first protection P1 is applied with a first probability index? PIi,j higher than a given threshold, the first neural network NN(P1) can? also provide a second index FAi,j,k. This second index FAi,j,k represents the possibility? that the first protection P1 (Pi with i= 1) has been applied to the instructions of a specific area (generally indicated with the index k) of this function (asmj). For example, where? more high the value of the second index pi? the area ? ?suspect?.

For example, for each instruction of a function, the first neural network NN(P1) indicates the probability? that this presents the first protection P1. There? allows you to identify the instructions of the function to which ? a certain protection has been applied or which alternatively have been introduced by the application of the protection, or in other words, to identify the position of a protection within a function.

The training of the first neural network NN(P1) ? carried out using the data set which includes the CHMP_COD coded functions relating to the first protection P1 and the CHMP_COD coded functions protected with every possible pair of protections Pi (for example, P1+P2, P1+P3, ... , P1+Pn). Note that also ? possible to use combinations more? longer than those indicated above, for example triple (e.g. P1+P2+P3), quadruple (e.g. P1+P2+P3+P4), etc. In this way, accuracy could be improved in cases where particular combinations of protections are to be identified. long (triple, quadruple, etc.), for example, why? ? known to be used in the state of the art.

According to the example described, the training ? carried out using the MOD_TRAIN 34 training module.

Training can be repeated for each neural network NN(Pi) also relating to the other protections of interest P2-Pn.

Observe that the neural network NN(Pi) can? be chosen between neural networks capable of managing sequences and/or neural networks having an attention mechanism.

A type of neural network capable of managing sequences is, for example, a recurrent type neural network, i.e. a network in which there are feedback connections. This feedback creates a sort of ?memory? of what happened in the recent past, making information processed at time T-1 or T-2 available at time T, thus making the value of the current output depend not only on the current input values, but also on the previous inputs. An example of a recurrent neural network? the LSTM (Long Short-Term Memory) network.

The idea behind the attention mechanism? that of being able to define on which parts of the input vector the neural network must concentrate in order to generate the appropriate output. In other words, an attention mechanism allows you to process some input data while also attending to the relevant information contained in other input data. The attention mechanism also allows you to mask data that does not contain relevant information. Examples of neural networks that use the attention mechanism can be, for example, recurrent neural networks, such as the gi? cited LSTM, or neural networks such as BERT (Bidirectional Encoder Representations from Transform).

The neural networks NN(Pi), trained as described above, can be used in a classification method applied to a binary file to be analyzed (that is, a file distinct from the one used for training in the configuration method 100).

In this case, the binary file to be analyzed is disassembled and from the assembly file cos? Once obtained, the relative functions (asm) to be analyzed are extracted. There? can? be obtained by a conventional disassembler.

Each function (asm) ? then processed by each neural network NN(Pi).

Each of these neural networks NN(Pi) will return? a relative first probability index? PIi,j associated with a specific protection Pi and also, preferably, the second index of FAi,j,k for each function.

The set of values of the first probability index? PIi,j allows classification of the protections P1,?, Pn possibly present in the analyzed binary file.

The values of the second indices FAi,j,k are associated with further indications which identify the position of the instructions within each function having these values of the second index.

So the classification method will allow? to evaluate the quality? of the safety of the protections applied to the binary file analyzed why? the identification of such protections by neural networks NN(Pi) indicates that the protection ? quickly identifiable, so an attacker is 'delayed' less.

With reference to examples of practical applications, it should be noted that the companies specialists in software protection typically operate using two distinct teams: the first (protection team) deals with actually protecting the software, while the second team (reverse engineering team), emulates the behavior of possible attackers, trying to identify the assets present within the application and the protections used, to then remove/bypass the latter, compromising the security of the assets. The security team proposes an initial solution, whose goodness? ? evaluated by the reverse engineering team. These operations are then performed iteratively until? Not ? a sufficient level of protection has been achieved (or the time available has run out).

The classification method described, based on the configuration method 100, can then be used by the company? specialized in software protection in two modalities? different. The security team can get a quick assessment of the identifiability? of the chosen protections (without waiting for the results of the reverse engineering activities). Contextually, the classification method described can It can also be used by the reverse engineering team to automate and speed up the identification of assets, an essential first step in their activities.

The configuration and classification methods described above are applicable to each type of protection listed above and, with particular effectiveness, to the following types of protection, as emerged from tests carried out by the Applicant: control flow flattening, opaque predicates, branch functions, l?encode arithmetic.

Particular embodiments of some of the steps of the method 100 described above are described below.

Encoding

The coding step 140, as previously stated, has the purpose of transforming the instructions contained in the functions of each CHMP sample into sequences of numerical values. This transformation has the objective of encoding each function (asmj) of the CHMP samples belonging to the data set as a matrix of numerical values whose rows are the encodings of the instructions making up the function itself.

The encoded function, as shown in figure 4a, has two dummy pseudo-instructions (also encoded together with the rest of the function) of <begin> and <end> added respectively to the beginning and at the end of the function (asmj) to make it explicit the boundaries. These dummy pseudo-instructions are inserted in a preliminary phase of the coding phase 140.

Optionally, still in said preliminary phase, the number of instructions that make up the function can? be truncated at the first n statements. By way of example only, in figure 4c ? shown is the encoded function truncated to a prefixed maximum size of 4 with respect to the function in Figure 4a. The truncation operation becomes necessary when the type of neural network chosen to be trained to operate as a classifier requires that the input sequence have a maximum size which must not be exceeded.

Figure 4b instead shows the detail of an i-th instruction belonging to the function of figure 4a after it has been encoded. According to the example, the codified instruction ? composed by:

- an opcode representing the numeric coding of the instruction opcode; - an address representing the address of the education;

- a series of parameters op1-op6 representing the coding of any operands of the instruction.

The number of parameters pu? vary according to the chosen hardware architecture.

In figure 4b ? represented the generalization of an? instruction based on ARM type architecture where the instructions pi? complexes can have up to six operands. However, the number of operands manageable by the coding step 140 does not have a limit to the maximum number of operands so as to be able to easily adapt to the instructions of different hardware architectures.

An example of coding of an instruction carried out by this method is described below, taking into account that the numerical values reported relating to the coding are to be intended for purely descriptive purposes, given that these values can change according to the hardware architecture and the neural network chosen.

An example of assembly instruction ? ?0x1234 add r0, r2, 5? which expresses the assignment r0 = r2 5 and pu? be divided into five different parts:

- 0x1234: ? the numeric value that indicates the address of the instruction that in the considered example ? an integer expressed in hexadecimal, which is equivalent to the number 4660 in decimal base, and indicates the position of the instruction in memory;

- add: ? the type of operation (opcode) of? the instruction, which in this case ? a sum;

- r0: ? the first operand of the instruction and refers to the memory register r0;

- r2: ? the second operand of the instruction e refers to the memory register r2;

- 5: ? the third operand of the instruction and indicates the integer 5.

In this example, the instruction uses only three operands, the fourth, fifth and sixth operands will be absent.

For example, the encoding step 140 transforms each function instruction line of each CHMP sample into a sequence of 1250 values so? subdivided:

- 236 dedicated to the encoding of the opcode;

- 4 dedicated to coding the instruction address;

- 273 dedicated to encoding the first operand;

- 239 dedicated to encoding the second operand;

- 239 dedicated to the encoding of the third operand;

- 239 dedicated to the encoding of the fourth operand;

- 16 dedicated to the encoding of the fifth operand;

- 4 dedicated to the coding of the sixth operand.

Consider that the coding of the instruction must always be a sequence 1250 long values even in the case of a lower number of operands, in the example equal to 6. Given that the ADD instruction considered has only three operands, even the absence any operands missing ? encoded so as not to alter the length of the coding sequence of values.

The coding of the opcode takes place on a sequence of 236 numerical values and represents the embedding of the opcode itself. Embedding is a standard modeling technique where words or numbers are mapped into number sequences. These values have been pre-calculated by means of a neural network using standard algorithms, such as for example the CBOW (Continuous Bag Of Words) and Skip-gram algorithms, described in the document

?Distributed Representations of Words and Phrases and their Compositionality?, in Proceedings of the 26<th >International Conference on Neural Information Processing Systems, Volume 2 (NIPS?13), pp. 3111-3119, available at the following address: https://proceedings.neurips.cc/paper/2013/file/9aa42b31882ec039965f3c4923ce901b-Paper.pdf

The coding of the address takes place on a sequence of 4 numerical values where each of the 4 values ? determined according to a specific criterion.

The first value of the sequence ? valued at 1 when the instruction contains an address, or at 0 when missing, as in the case of some special instructions. The <begin> and <end> statements are examples of special statements.

The second value of the sequence ? valued at 0 when the instruction does not have an address or if the result of the mathematical operation ? performed on invalid operands (NaN) or is infinite. In all other cases the second value of the sequence ? valued at 1.

The third value of the sequence contains the value of the address expressed in decimal when present, otherwise ? valued at 0.

The fourth value of the sequence ? valued at 1 when the address of the instruction contains the exclamation point (!) as happens for some special addresses, otherwise ? valued at 0. The exclamation point ? used in certain (very rare) cases in ARM to indicate the write-back operation, ie that the result of an operation must be written into a certain address. For example, if in a? instruction ? wrote the address "1234!" does it mean that the result of the instruction must be written in the memory cell 1234. If not ? present the exclamation point, then the result of the operation is not written in the memory cell 1234 (which typically will only be read).

According to said criteria, the address 0x1234 contained in the example instruction ? encoded as 1, 1, 4660, 0.

The coding of the first operand, as previously mentioned, takes place on a sequence of 273 values which are divided into 9 sections in order to represent the different types of operand.

A first section named ?string? ? used to encode a string type operand on a value of the sequence. A second section named ?number? ? used to encode a numeric type operand on a sequence of 4 values. A third, fourth and fifth sequence called ?endian?, ?cond? and ?CPU state? they are used to encode the internal states of the processor respectively on sequences of 2, 15 and 4 values. The sixth section called ?register? ? used to encode memory registers on a sequence of 154 values. A seventh section called ?barrier? ? used to encode memory barriers on a sequence of 12 values. A memory barrier? a type of operation that allows the CPU to impose a constraint on the ordering of operations avoiding out-of-order execution due to performance optimizations of modern CPUs.

An eighth section called ?address? ? used to encode memory addresses on a sequence of 65 values. Finally, the ninth section called ?coproc? ? used to encode a math coprocessor on a sequence of 16 values.

In the example instruction the first operand ? a register, r0, and therefore sar? codified in the sixth section ?register? while the sequences of values of the other sections will all be set to 0.

Of the 154 values of this section, the first 123 values are associated with the registers where the first value ? associated with register r0, the second value ? associated with register r1, the third value ? associated with register r2, etc. In the coding phase, the value associated with the register to be encoded will be? valued at 1 while the other values associated with the other registers will be valued at 0. The remaining 31 values are used to code the special mathematical operations on the registers such as for example the scalings. Since the first operand, r0, of our example does not need any special mathematical operations, the sequence of 31 values will be? all valued at 0.

The coding of the second operand, similarly to what is described for the first operand, takes place on a sequence of 239 values which are divided into 4 sections in order to represent the different types of operand.

A first section called ?number? ? used to encode a numeric type operand on a sequence of 4 values. A second section called ?register? ? used to encode memory registers on a sequence of 154 values. A third section named ?address? ? used to encode memory addresses on a sequence of 65 values. A fourth section named ?reg coproc? ? used to encode a math coprocessor register on a sequence of 16 values.

In the example instruction the second operand ? again a register, r2, and therefore sar? coded in the second section ?register? while the sequences of values of the other sections will all be set to 0.

Of the 154 values of this section, the first 123 values are associated with the registers where the first value ? associated with register r0, the second value ? associated with register r1, the third value ? associated with register r2, etc. In the coding phase, the value associated with the register to be encoded will be? valued at 1 while the other values associated with the other registers will be valued at 0. The remaining 31 values are used to code the special mathematical operations on the registers such as for example the scalings. Since the second operand, r2, of our example does not require any special mathematical operations, the sequence of 31 values will be? all valued at 0.

The coding of the third operand takes place on a sequence of 239 values which are divided into 4 sections, as for the second operand, in order to represent the different types of operand. A first section called ?number? ? used to encode a numeric type operand on a sequence of 4 values. A second section called ?register? ? used to encode memory registers on a sequence of 154 values. A third section named ?address? ? used to encode memory addresses on a sequence of 65 values. A fourth section named ?reg coproc? ? used to encode a math coprocessor register on a sequence of 16 values.

In the example instruction the third operand ? a number, 5, therefore sar? encoded in the first section ?number? while the sequences of values of the other sections will all be set to 0.

The first value of the section ?number? ? valued at 1 when the operand contains a numeric value, otherwise ? valued at 0. The second value of the section ?number? ? valued at 1 when the numeric value is not ? NaN or infinity, otherwise ? valued at 0. The third value of the section ?number? ? valued with the numerical value of the operand, which in the example ? equal to 5. The fourth value of the section ?number? ? set to 1 when exclamation point (!) notation is used, otherwise ? valued at 0.

According to the criteria defined for the section number, the third operand of the example, the number 5, ? coded as 1150.

The coding of the fourth operand takes place on a sequence of 239 values which are divided into 4 sections, as for the second and third operand, in order to represent the different types of operand. A first section called ?number? ? used to encode a numeric type operand on a sequence of 4 values. A second section called ?register? ? used to encode memory registers on a sequence of 154 values. A third section named ?address? ? used to encode memory addresses on a sequence of 65 values. A fourth section named ?reg coproc? ? used to encode a math coprocessor register on a sequence of 16 values.

The example instruction doesn't have a fourth operand but it will have to? however be encoded to keep the length of the sequence of values consistent. In this case the coding values of all sections will be set to 0.

The encoding of the fifth operand takes place on a sequence of 16 values included in a single section called ?reg coproc? and ? used to encode a math coprocessor register on a sequence of 16 values.

The instruction of example also in this case doesn't have a fifth operand but it will have to? however be encoded to keep the length of the sequence of values consistent. As for the previous case, in the absence of the operand, the values of the section will all be set to 0.

The coding of the sixth operand takes place on a sequence of 4 values included in a single section called ?number? ? used to encode a numeric type operand on a sequence of 4 values.

The instruction of example also in this last case doesn't have the sixth operand but it will have to? however be encoded to keep the length of the sequence of values consistent. As for the previous cases, in the absence of the operand, the values of the section will all be set to 0.

In conclusion, the example statement ?0x1234 add r0, r2, 5? at the end of the coding phase sar? represented on a numerical sequence of 1250 values cos? composed: - The first 236 values represent the add opcode and are encoded with the sequence (0.5741776823997498, 0.5895169377326965, 0.44707465171813965, 0.5283305644989014, ?);

- the next 4 values represent the address 0x1234 and are coded with the sequence (1, 1, 4660, 0);

- the following 273 values represent the first operand r0 and are coded with the sequence (0, ?, 0, 1, 0, ?);

- the following 239 values represent the second operand r2 and are coded with the sequence (0, ?, 0, 0, 0, 1, 0, ?);

- the following 239 values represent the third operand 5 and are coded with the sequence (1, 1, 5, 0, ?);

- the following 239 values represent the fourth absent operand and are coded with the sequence (0, 0, 0, 0, 0, 0, 0, 0, 0, ?);

- the following 16 values represent the absent fifth operand and are coded with the sequence (0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);

- the next 4 values represent the sixth absent operand and are coded with the sequence (0, 0, 0, 0).

As previously stated, the coding step 140 can? optionally include two further sub-phases that allow a neural network to reach more? convergence quickly: the masking sub-phase and the scaling sub-phase.

The masking sub-phase has the task of eliminating each column from the coded samples belonging to the dataset which has the same value in all the samples. The elimination of these columns ? possible because the coding phase 140 ? able to represent more instructions than a processor would be able to do, and also some of the values are never actually used. The masking sub-phase allows to reduce the length of the encoded sequences and therefore the neural network under training does not spend time dwelling on data that is not really important. In the case d?example the sub-phase of masking ? able to reduce the length of the sequence of values from 1250 to 768.

The rescaling sub-phase performs a rescaling of the values within a range between 0 and 1. Although the coded samples belonging to the data set mostly contain the values 0 and 1, in some cases they contain very more big. For example, in the case of encoding the address expressed with a 4-long sequence, the third value of the sequence contains the address expressed in decimal base which in the example described above was worth 4660. Another example of values present in the decoding other than 0 and from 1 ? for example present in the section ?numbers? of the coding of the first, second, third, fourth and sixth operand. In the previous example, the third operand was the number 5, encoded as the third value of the number section of the third operand. The operation of rescaling avoids that the numbers pi? great weight is given a greater weight in the training phase which does not always correspond to greater importance. The greater weight attributed to a certain value in the initial phase of the training of a neural network slows down the learning process since the network would take more? time to understand that the greater weight attributed to these values was without foundation.

Training

When the coding phase 140 ? Yes ? concluded, the CHMP_COD coded samples can be used in the training phase 150 by sending them to the neural network NN(Pi).

As previously mentioned, at this stage ? You can use any neural network capable of handling sequences and with an attention mechanism. In particular, two possible alternative training steps will be described, using two different architectures of said neural networks.

Figure 5 shows a first simplified architecture based on LSTM cells, a type of recurrent neural network with a long-term memory mechanism that allows processing of data sequences. The information of said sequences are memorized in such a way that, thanks to the presence of cycles, by proceeding in the sequence the information memorized in the cells is of assistance in the processing of the new data. In this way the neural network ? able to interpret the assembly instructions contained in the CHMP_COD code samples in order. A semantic encoding of the function contained in the CHMP_COD code sample? used as input of the neural network where a first layer 1S_LSTM of LSTM cells analyzes the assembly instructions contained in the coded sample CHMP_COD. Said LSTM cells are bidirectional cells capable of analyzing the assembly instructions from first to last and in the opposite direction from last to first.

An attention mechanism ATT receives the output data from the first cell layer 1S_LSTM from which ? able to extract the LIV_ATT attention levels of the single instructions giving indication of which assembly instructions contain the protection. Greater ? the level of attention, pi? ? The assembly instruction is likely part of a guard. This level of attention LIV_ATT corresponds to the second index FAi,j,k, described above.

The output of the attention mechanism ATT ? added to the output of the first layer of cells 1S_LSTM so that the information of the attention levels LIV_ATT are added and subsequently enter a second layer 2S_LSTM of LSTM cells, which analyzes the assembly instructions contained in the coded sample.

The output of the second layer of cells 2S_LSTM enters the input of a last layer TRAS_LIN where a linear transformation and a sigmoid function are used to calculate the values of the first index PIi,j for each assembly instruction in a range between 0 and 1. The final value (or score) CLASS ? given by the score obtained by the last instruction contained in the CHMP_COD coded sample, i.e. the <end> pseudo-instruction. Said score pi? ? close to the value 1 and more? ? probably the presence of a protection. Said CLASS score corresponds to the first probability index? PIi,j.

A second architecture, as shown in figure 6, ? based on the BERT transformer-type system (representations of the bidirectional encoder from transformer), i.e. a non-recurring architecture with an attention mechanism. Since this type of neural network requires that the input function have a maximum length known in advance, the previous coding step 140 performs the function truncation operation as shown in figure 4c. For this reason, the last instruction of the function may not be the <end> pseudo-instruction at this juncture.

Are the particularities known to the person skilled in the art? of this neural network architecture and the exceeded limits present in architectures of neural networks of the recurring type.

Figure 6 shows a simplified architecture based on BERT where a semantic coding of the function contained in the coded sample CHMP_COD is added to a positional coding of the function to add a positional information from the assembly instructions contained in the coded sample CHMP_COD. This first operation is necessary to make explicit the position information of the instruction given that the transformer type neural network, having no recurrence, does not possess the notion of position of an element within a sequence. Positional coding? a prerequisite to the training phase and are coefficients calculated according to standard formulas memorized within a matrix.

The output result of the previous phase enters as input to a series of S_ENCOD encoding layers that analyze its content, where each encoding layer has an attention mechanism that ? used to evaluate the LIV_ATT attention levels of the assembly instructions in a similar way to what was said in the LSTM type neural network architecture. These levels of attention LIV_ATT correspond to values of the second index FAi,j,k, described above.

The output from the S_ENCOD encoding layers enters a final layer TRAS_LIN where a linear transformation and a sigmoid function are used to calculate the classification scores for each assembly instruction in a range between 0 and 1. Unlike what happens in the TRAS_LIN layer of an LSTM network, the value of the final score CLASS ? related to the first instruction contained in the CHMP_COD code sample, i.e. the <begin> pseudo-instruction. Also in this case the final CLASS score corresponds to the first probability index? PIi,j, introduced above. Note that in addition to the two examples described ? It is possible to proceed with the training of any architecture, among those able to manage sequences and/or having an attention mechanism using any standard training algorithm.

The solution described produces a qualitative metric of the identification of protection techniques that can be used as an estimate of the quality? of the chosen protection solution, introducing a high degree of automation in the identification of the protection techniques applied to a file and of the protected areas within the file itself.

It should be noted that the results obtained by applying the method of the present invention can be used as a tool for validating the risk exposure of the assets, as a validation of the invisibility of the assets. of protection techniques developed and how to identify methods by which viruses and malware are obfuscated to help update antivirus tools.

The solution described therefore allows you to achieve a higher level of software protection? elevated to parity of time employed or a level of protection equivalent to that obtainable by known techniques in a considerably shorter time interval.

Claims (16)

1. A method (100) of configuring neural networks, comprising the steps of: a) define (110; 120) a plurality? of functions (asm) and apply a plurality? software protections (P1,..,Pn) for these functions; b) construct (130) a data set comprising a plurality? of samples each including a function (asmj) of the plurality? and at least one of said software protections (P1,..,Pn) applied to the respective function; c) codify (140) each function (asmj) of the data set to obtain a plurality? of coded samples (CHMP_COD) each expressed as a sequence of numerical values; d) train (150) a neural network (NN(Pi)) using the plurality? of coded samples (CHMP_COD) so that it is able to process a file to be analyzed and provide information relating to software protections applied to said file to be analysed. The method (100) of claim 1, wherein: said phase to define the plurality? of functions (110, 120) also includes the definition of a plurality? of vanilla functions to which software protections are not applied; said data set includes a further plurality? of samples each including a function (asmj) of the plurality? of vanilla functions. 3. The method (100) of claim 1, wherein the step of defining (110, 120) the plurality of of functions includes the phases of: provide a source file including said plurality? of functions (asm); apply (110) the plurality? of software protections (P1,..,Pn) to the plurality? of functions (asm) of the source file and compile the source file provided with the software protections obtaining a binary compiled file; disassemble (120) the binary compiled file obtaining a file in assembly format and extract the plurality? of functions (asm) from the file in assembly format. 4. The method (100) of claim 1, wherein the step of defining (110, 120) the plurality of of functions includes the phases of: provide a binary file including said plurality? of functions (asm) to which are applied a plurality? of software protections (P1,..,Pn); disassemble (120) the binary file obtaining a file in assembly format and extract the plurality? of functions (asm) from the file in assembly format. 5. The method (100) of claim 1, wherein said neural network (NN(P1)) ? associated with a single type of software protection (P1). 6. The method (100) of claim 2, wherein said neural network (NN(P1)) ? configured so that said information includes a first probability index? (PI1,j) indicative of a probability? that a first function (asmj) of the plurality? of functions has been protected by the first protection (P1). 7. The method (100) of claim 3, wherein said neural network (NN(P1)) ? configured so that said information includes a second index (FAi,j,k) which represents a possibility? that the first protection (P1) has been applied to the instructions of a specific area of the first function. 8. The method (100) of claim 3, wherein the plurality? of software protections (P1,..,Pn) includes at least one of the following protections: control flow flattening, opaque predicates, branch functions, encode arithmetic, conversion of data into functions, merging or splitting of variables, recoding of variables, white-box cryptography, virtualization using virtual machines or JIT compilation, call stack controls, code guards, control flow tagging, anti-debugging, code mobility, client/server code splitting, anti-cloning and software attestation. 9. The method of claim 1, wherein said method is made to configure a plurality? of neural networks (NN(Pi) each associated with a relative software protection. The method (100) of claim 1, wherein said neural network (NN(Pi)) ? realized according to at least one of the following types of neural network: network capable of managing sequences, network having an attention mechanism. The method (100) of claim 9, wherein said neural network (NN(Pi)) ? built according to at least one of the following types of neural network: LSTM network, BERT network, GRU network, transformer-XL network. 12. The method (100) of claim 1, wherein the plurality? of coded samples includes a plurality? of sequences of numerical values and said coding step further comprises: a phase of masking in which you eliminate from the plurality? of sequences of numerical values repeated values in each sequence of the plurality?; a phase of rescaling of said numerical values within a pre-established interval. 13. A file processing method, including the steps of: - provide a binary file to parse including a plurality? of functions to analyze; - disassemble the binary file to be analyzed to obtain an assembly file; - extract from the assembly file the plurality? of functions to analyze(asm); - codify each function to be analyzed by expressing it as a relative sequence of numerical values; - provide a plurality? of neural networks (NN(Pi)), each associated with a relative software protection (P1,?,Pn), configured according to the configuration method (100) of at least one of the preceding claims; - process the plurality? of functions to analyze (asm) through the plurality? of neural networks (NN(Pi)) to search for information relating to software protections within the plurality? of functions to analyze. 14. The method of claim 13, wherein each of said neural networks (NN(Pi)) ? associated with a respective type of software protection (Pi). 15. The method of claim 14, in which to process the plurality? of functions to analyze (asm) through the plurality? of neural networks (NN(Pi)) returns classification information including a plurality? of probability indices? (IPi) each indicative of a probability? that a relative function (asmj) of the plurality? of functions is protected by one of these protections (Pi). 16. The method of claim 14, in which to process the plurality? of functions to analyze (asm) through the plurality? of neural networks (NN(Pi)) returns position information including a plurality? of second indices (FAi,j,k) each indicative of a possibility? that a corresponding protection (Pi) has been applied to instructions of a specific area of a function.