A Spark-Based Framework for Identifying Large-Scale Software Integrity Verification Behavior
  • English title: A Framework for Identifying Large-scale Software Integrity Verification Based on Spark
  • Authors: 邱景 (QIU Jing); 李宜卓 (LI Yi-zhuo)
  • Affiliation: School of Computer Science and Technology, Harbin University of Science and Technology
  • Keywords: software security; software anti-tampering; integrity verification; taint analysis
  • Journal code: RJDK
  • Journal (English title): Software Guide
  • Publication date: 2019-04-15
  • Publisher: 软件导刊 (Software Guide)
  • Year: 2019
  • Issue: v.18; No.198
  • Funding: National Natural Science Foundation of China (61702140); Heilongjiang Provincial Science Foundation Project (F201817)
  • Language: Chinese
  • Page: RJDK201904012
  • Number of pages: 4
  • CN: 04
  • ISSN: 42-1671/TP
  • Classification number: 52-55
Abstract
Software integrity verification is widely used in anti-tamper defense to protect software intellectual property and prevent piracy. Therefore, it is important to understand the strengths and weaknesses of different integrity verification methods. Traditional detection methods are less efficient when dealing with large-scale data. To address this, the paper describes a Spark-based framework for identifying software integrity verification behavior at large scale. For a single executable, backward taint analysis is used to identify memory locations that are executable or that are used to calculate executable locations, and forward taint analysis is then used to identify the verification process. The method is applicable to a variety of different integrity check defense schemes, and the information it provides can be used to assist in bypassing these defenses. Experiments show that the proposed method can effectively identify common software integrity check behaviors.
