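Research on Software Protection Methods Against Dynamic Attacks in White-Box Environments
Published: 2018-03-16 10:08
Topic: software protection; Entry point: finite state automaton; Source: Northwest University, 2014 doctoral dissertation; Paper type: degree thesis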
[Abstract]: In the information age, software has become an indispensable part of production and daily life. The resulting problems of software piracy, tampering and reverse-engineering attacks are increasing and seriously affect the sustainable development of the software industry. Software protection has drawn the attention of governments, industry and academia, and has become a key and active research problem.
Many software protection methods already exist. Software watermarking, which is applied to identifying software features, provides a legal basis when a copyright dispute arises. Self-modifying code, code encryption and code obfuscation, which are applied to protecting a program's core algorithms or confidential information, make those algorithms and that information harder to reverse engineer; these are the main subject of this thesis. Existing protection methods can effectively prevent static analysis, but because software currently runs in a white-box environment, an attacker can obtain the core algorithms or confidential information directly through dynamic analysis techniques such as debugging. Software protection therefore still faces many challenges in resisting dynamic analysis by attackers.
From the perspective of the attacker's dynamic analysis process, software protection against dynamic attacks can be divided into three stages: (1) preventing the attacker from dynamically debugging or executing the software; the corresponding methods, such as anti-debugging, have obvious signatures and low protection strength, and need to be applied flexibly; (2) making the software harder for the attacker to understand during dynamic analysis; most software protection research belongs to this stage, for example code obfuscation and virtual machine software protection, but these methods suffer from high performance cost or insufficient protection strength; (3) preventing attacks based on accumulated experience, and the sharing and spreading of attack experience after a successful attack; the main protection method at this stage is diversity, but the diversity achieved still needs to improve. The thesis therefore studies software protection methods against dynamic attacks in white-box environments, to provide theoretical analysis and technical support for building more effective software protection methods.
The main innovative research contents of the thesis are summarized as follows:
1. A finite state automaton model for software protection is proposed
A software protection method is usually a combination of several protection techniques, and these techniques depend on one another. The thesis describes the dependencies between protection techniques with regular expressions and proposes a finite state automaton model of software protection: the dependencies between techniques are the model's state transition function, and every path from the start state to any accepting state is a valid protection method. With the proposed model, protection techniques can be organized sensibly to generate software protection methods. Finally, a concrete software protection finite state automaton is constructed, and the three software protection methods that are the focus of the thesis are derived from it.
2. A software protection method combining instruction metamorphism with anti-debugging is proposed
Building on a study of instruction metamorphism and anti-debugging techniques, the two protection techniques are combined into one protection method. Metamorphic sub-engines for the instruction fragments to be protected are constructed from program differences, and the execution time of certain instruction fragments is used to control the scheduling of the metamorphic sub-engines, which implements anti-debugging. Dynamic encryption and decryption is also used to protect the metamorphic sub-engines and improve their security. Analysis shows that the combined method effectively resists static analysis by an attacker and also resists dynamic analysis to a certain extent.
3. An obfuscating transformation software protection method with version diversity is proposed
Using instruction splitting or replacement together with arithmetic and logical equivalences, the thesis studies equivalence transformation rules and the corresponding equivalence transformation template functions, which improves obfuscation strength and version diversity. For the time overhead of obfuscating transformations, it analyses in depth how the protected instructions affect time overhead and proposes a method that reduces the overhead based on instruction loop depth. A prototype obfuscating transformation protection system, MEPE (Metamorphic Engine of Portable Executable File), is designed, and experiments show that the method achieves good version diversity, effectively resists attacks based on "experience sharing", and also effectively reduces the time overhead of software protection.
4. A virtual machine software protection method with time diversity is proposed
Because the virtual machine instruction set serves a single function (it was designed to interpret x86 instructions), the instruction set is extended with secure virtual instructions, which strengthen virtual machine protection in several respects, including anti-debugging capability, changes to the execution environment, and rendering analysis ineffective. In addition, a time diversity method for virtual machine software protection is proposed and its diversity effect is analysed. Finally, the prototype system IVMP (Improved Virtual Machine based Software Protection System) is implemented, and experiments show that the method achieves good time diversity, effectively resists "accumulated experience" attacks, and does not impose a large performance overhead on the protected software.
5. A method for evaluating software protection effectiveness based on an attack model is proposed
The thesis analyses software protection effectiveness evaluation methods theoretically and argues that evaluation based on a software attack model is generally applicable. Based on an analysis of the software attack process, the attack process is modelled with Petri nets, and ways of applying the attack model to guiding the software attack process and to evaluating and improving the effectiveness of software protection methods are proposed. SASPEE (Software Attack and Software Protection Effectiveness Evaluation Platform), a platform for software attack guidance and protection effectiveness evaluation, is implemented, and experiments show that the attack model can effectively measure software protection strength and helps improve software protection methods.
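The finite state automaton model of contribution 1, as an added example that is not taken from the thesis: the technique names, the dependency regular expression and the transition table are constructed for illustration only. It checks whether a sequence of techniques is a valid protection method, enumerates every valid method, and confirms that the automaton accepts exactly the sequences the regular expression describes.

```python
import itertools
import re
from collections import deque

# Constructed toy model: technique names and dependencies are hypothetical.
TECHNIQUES = ("anti_debug", "obfuscate", "virtualize", "encrypt")
# Dependencies as a regular expression over space-separated technique names.
DEPENDENCY_RE = re.compile(r"(anti_debug )?(obfuscate|virtualize)( encrypt)?")

START = "q0"
ACCEPTING = {"q_obf", "q_vm", "q_enc"}
# DELTA[state][technique] -> next state; a missing entry means the
# technique's dependency is not satisfied in that state.
DELTA = {
    "q0": {"anti_debug": "q_ad", "obfuscate": "q_obf", "virtualize": "q_vm"},
    "q_ad": {"obfuscate": "q_obf", "virtualize": "q_vm"},
    "q_obf": {"encrypt": "q_enc"},
    "q_vm": {"encrypt": "q_enc"},
    "q_enc": {},
}

def is_valid_method(techniques):
    """True if the sequence is a path from START to an accepting state."""
    state = START
    for t in techniques:
        state = DELTA[state].get(t)
        if state is None:
            return False
    return state in ACCEPTING

def enumerate_methods(max_len):
    """Breadth-first list of every accepted technique sequence."""
    found, queue = [], deque([(START, ())])
    while queue:
        state, path = queue.popleft()
        if state in ACCEPTING:
            found.append(path)
        if len(path) < max_len:
            for t, nxt in sorted(DELTA[state].items()):
                queue.append((nxt, path + (t,)))
    return found

def automaton_matches_regex(max_len):
    """Check the automaton and the regular expression accept the same sequences."""
    for n in range(max_len + 1):
        for seq in itertools.product(TECHNIQUES, repeat=n):
            by_regex = DEPENDENCY_RE.fullmatch(" ".join(seq)) is not None
            if is_valid_method(seq) != by_regex:
                return False
    return True
```
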
[Degree-granting institution]: Northwest University
[Degree level]: Doctorate
[Year degree granted]: 2014
[Classification number]: TP393.08
Article ID: 1619445
Article link: https://www.wllwen.com/guanlilunwen/ydhl/1619445.html