Abstract
To improve the resistance of virtual-machine-based software protection to reverse engineering, the protection system OB-VMP (obscure virtual machine protection) was designed and implemented. In OB-VMP, multiple virtual machine environments are selected at random to execute both constructed obfuscation basic blocks and the key code. Because each virtual environment is private, the obfuscation basic blocks are difficult to remove; in turn, the obfuscation basic blocks make it difficult for an attacker to locate the key code and the virtual environment it runs on, which improves the protection the virtual machine provides. In addition, bytecode maps to different virtual instructions at different execution stages of the protected code, so an attacker cannot carry accumulated bytecode knowledge into later analysis, which further increases OB-VMP's resistance to reverse engineering. Theoretical analysis and experimental results show that OB-VMP significantly raises the difficulty of reverse analysis and improves software security at a small cost in time and space.
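An added illustration of the stage-dependent bytecode mapping described in the abstract; it is not code from OB-VMP or the paper, and it does not model the random selection among multiple virtual machine environments. The toy stack machine, its three instructions, the seed-derived tables and all function names are assumptions made for this sketch.

```python
import random

# Virtual instructions of a toy stack machine (assumed for this sketch).
def v_push(stack, arg):
    stack.append(arg)

def v_add(stack, _):
    b, a = stack.pop(), stack.pop()
    stack.append(a + b)

def v_mul(stack, _):
    b, a = stack.pop(), stack.pop()
    stack.append(a * b)

HANDLERS = {"PUSH": v_push, "ADD": v_add, "MUL": v_mul}

def stage_table(seed, stage):
    """Opcode byte -> virtual instruction name, different for every stage."""
    rng = random.Random(f"{seed}:{stage}")
    opcodes = rng.sample(range(256), len(HANDLERS))
    return dict(zip(opcodes, sorted(HANDLERS)))

def encode(stages, seed):
    """Protector side: emit each stage's bytecode under that stage's table."""
    bytecode = []
    for n, instrs in enumerate(stages):
        to_op = {name: op for op, name in stage_table(seed, n).items()}
        bytecode.append([(to_op[name], arg) for name, arg in instrs])
    return bytecode

def run(bytecode, seed):
    """Interpreter side: swap the dispatch table at each stage boundary."""
    stack = []
    for n, instrs in enumerate(bytecode):
        table = stage_table(seed, n)
        for op, arg in instrs:
            HANDLERS[table[op]](stack, arg)
    return stack.pop()

def decode_with_stale_table(bytecode, seed, learned, target):
    """Decode stage `target` using the mapping recovered from stage `learned`."""
    table = stage_table(seed, learned)
    return [table.get(op, "???") for op, _ in bytecode[target]]

# Constructed sample program: stage 0 computes 6*7, stage 1 adds 2.
PROGRAM = [[("PUSH", 6), ("PUSH", 7), ("MUL", None)],
           [("PUSH", 2), ("ADD", None)]]
SEED = "demo-seed"  # constructed value
```

Decoding stage 1 with the table learned from stage 0 yields unknown or wrong instruction names, which is the property the abstract relies on when it says accumulated bytecode knowledge does not carry forward.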