Abstract
Existing protection techniques cannot effectively stop an attacker who monitors a program's system calls and uses them to analyze the functionality of the binary. To address this, the paper proposes PTBCC, a software system-call protection technique built on a call center (a central call-dispatch hub). PTBCC works in three modules: a binary dependency extraction module reads the import table and recovers the cross-reference information between imported functions and system calls; a pollution-free loading module based on the program's supply chain manually maps the dynamic link libraries the program depends on into memory, obtains the function offsets and computes an integrity value for each function; and a call-center-based function distribution module then performs the unified protection and management of the system calls. Programs from the Sysinternals suite are used as test cases and compared in terms of program performance, protection effect and other aspects. The experimental results show that PTBCC processes the target binaries quickly and that the protected program suffers only a small performance loss; compared with traditional protection schemes, it performs markedly better at protecting system calls and at resisting static analysis and dynamic debugging. PTBCC starts from the system call and proposes a software protection method from a new angle, rather than focusing on protecting the code itself, and its protection effect is clearly visible.
Authors
朱朝阳
周亮
朱亚运
唐宏艺
林晴雯
陈锦山
ZHU Chaoyang; ZHOU Liang; ZHU Yayun; TANG Hongyi; LIN Qingwen; CHEN Jinshan (Institute of Information and Communication, China Electric Power Research Institute Co., Ltd., Beijing 100192, China; Beijing Huaxia Xin’an Technology Co., Ltd., Beijing 100084, China; Electric Power Research Institute, State Grid Fujian Electric Power Co., Ltd., Fuzhou 350007, China; School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing 100876, China)
Source
Electric Power Information and Communication Technology (电力信息与通信技术), 2022, Issue 8, pp. 66-75 (10 pages)
Funding
Supported by the State Grid Corporation of China headquarters science and technology project "Research on Key Technologies of an Integrated Power Grid Cybersecurity Simulation and Verification Environment" (521304190004).
Keywords
system call protection
cross reference
call center
static analysis
dynamic debugging