Protecting Android Native Code Based on Instruction Virtualization
doi: 10.11999/JEIT191036
School of Computer Science, Fudan University, Shanghai 201203, China
Abstract: The Android system is increasingly used in many kinds of smart devices, such as smart phones, smart watches, smart TVs and smart cars. At the same time, reverse-engineering attacks against Android applications are growing, which not only violate the intellectual property rights of application developers but also expose end users to security risks. Protecting Android applications that run on these diverse devices from reverse engineering has therefore become an important research problem. Existing Android application protection methods such as naming obfuscation, dynamic loading and code hiding can protect Java code and native (C/C++) code and raise the cost of reverse engineering to some degree, but they are simple in principle and easy to bypass. A more effective approach is hardening based on instruction virtualization, but previous binary-based methods target a single architecture (x86) and cannot be applied to Android devices built on different architectures. This paper proposes an architecture-independent instruction virtualization technique for the native code of Android applications, and designs and implements a hardening system based on Virtual Machine Packing Protection (VMPP). VMPP comprises a register-based, fixed-length virtual instruction set, an interpreter that executes the virtualized instructions, and a tool-chain that integrates with existing development environments so that developers can protect their code. VMPP is evaluated on a large body of C/C++ code and on real-world Android applications. The results show that VMPP significantly raises the difficulty of reverse engineering Android native code while introducing low runtime overhead, and that it can protect Android native code on different architectures.
Key words: Android security; Software protection; Android packer; Instruction virtualization
Table 1  VMPP virtual instruction format (every instruction is 8 bytes; byte 1* is the opcode, bytes 2–8 are operand fields, "–" means unused)

Type | Typical instr. | Opcode (byte 1*) | Operand fields (bytes 2–8)            | Example encoding (8 bytes) | Meaning of example
R    | add            | 0x51             | 2=Dst, 3=Size, 4–6=–, 7=Src1, 8=Src2  | 51 01 04 00 00 00 02 03    | r1 = r2 + r3
I    | addi           | 0x30             | 2=Dst, 3=Src, 4=Size, 5–8=Immediate   | 30 01 02 04 00 00 00 01    | r1 = r2 + 1
B    | jmp            | 0x22             | 2=Flag, 3=–, 4–8=PC                   | 22 00 00 00 00 00 00 04    | jmp 4
CMP  | cmp            | 0xc0             | 2=Dst, 3=Mode, 4=Src1, 5=Src2, 6–8=–  | c0 01 00 02 03 00 00 00    | r1 = r2 > r3
W    | load           | 0xe4             | 2=Dst, 3=Size, 4=Src, 5–8=–           | e4 01 04 02 00 00 00 00    | r1 = [r2]
C    | call           | 0x90             | 2=Num, 3–8=–                          | 90 01 00 00 00 00 00 00    | call 01
M    | malloc         | 0xa0             | 2=Dst, 3=–, 4–8=Immediate             | a0 01 00 00 00 00 00 08    | r1 = malloc(8)
E    | throw          | 0x11             | 2=Type, 3=–, 4–8=ExceptionPC          | 11 01 00 00 00 00 00 06    | throw 01
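To make the fixed-length, register-based format of Table 1 concrete, the following C interpreter (an added example written for this page, not code from the paper or from the VMPP system) decodes 8-byte instructions with exactly the opcodes and field positions of the table and executes a small constructed program built from them. Everything the table does not specify is this example's own assumption and is marked as such in the comments: 16 virtual registers, a PC that indexes instructions rather than bytes, a private 256-byte VM memory with a bump allocator behind malloc, jmp taking its branch when the register named by Flag is non-zero (Flag 0 = unconditional), cmp Modes 1 and 2 meaning "<" and "==", and byte 4 of the B/M/E formats being ignored because it is zero in every example of the table. call is not modelled because it needs a native function table the page does not describe. The demo program and the data word at VM address 16 are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VM_NREGS    16
#define VM_MEM      256
#define VM_INSN_LEN 8           /* every VMPP instruction is 8 bytes (Table 1) */
/* Opcodes: byte 1 of each row in Table 1 */
enum { OP_THROW = 0x11, OP_JMP = 0x22, OP_ADDI = 0x30, OP_ADD = 0x51,
       OP_CALL = 0x90, OP_MALLOC = 0xa0, OP_CMP = 0xc0, OP_LOAD = 0xe4 };
/* Interpreter status codes (this example's own, not from the paper) */
enum { VM_RUNNING, VM_DONE, VM_EXCEPTION, VM_UNSUPPORTED, VM_FAULT };

typedef struct {
    int32_t  r[VM_NREGS];        /* virtual registers r0..r15 */
    uint32_t pc, heap_top;       /* pc = instruction index; heap_top = bump allocator for malloc (assumptions) */
    uint8_t  mem[VM_MEM];        /* private VM memory: load/malloc never touch host memory */
    uint8_t  exc_type;           /* Type field of the last throw */
    int      status;
} vm_t;

/* Bytes 5..8 carry Immediate / PC / ExceptionPC, big-endian. Byte 4 of the B, M
   and E formats is zero in every Table 1 example and is ignored here (assumption). */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void vm_init(vm_t *vm) { memset(vm, 0, sizeof *vm); vm->heap_top = 64; }

/* Decode and execute one instruction; register numbers are masked to r0..r15. */
static void vm_step(vm_t *vm, const uint8_t *code, size_t ninsn) {
    if (vm->pc >= ninsn) { vm->status = VM_DONE; return; }
    const uint8_t *in = code + (size_t)vm->pc * VM_INSN_LEN;
    uint8_t dst = in[1] & 15;
    uint32_t next = vm->pc + 1;
    switch (in[0]) {
    case OP_ADD:    /* R: Dst Size - - - Src1 Src2 */
        vm->r[dst] = vm->r[in[6] & 15] + vm->r[in[7] & 15]; break;
    case OP_ADDI:   /* I: Dst Src Size Immediate */
        vm->r[dst] = vm->r[in[2] & 15] + (int32_t)be32(in + 4); break;
    case OP_JMP:    /* B: Flag - PC. Flag 0 = unconditional; Flag n = taken if r[n] != 0 (assumption) */
        if (in[1] == 0 || vm->r[in[1] & 15] != 0) next = be32(in + 4); break;
    case OP_CMP: {  /* CMP: Dst Mode Src1 Src2. Mode 0 is ">" (Table 1); 1 = "<" and 2 = "==" are assumed */
        int32_t a = vm->r[in[3] & 15], b = vm->r[in[4] & 15];
        if (in[2] > 2) { vm->status = VM_UNSUPPORTED; return; }
        vm->r[dst] = in[2] == 0 ? a > b : in[2] == 1 ? a < b : a == b;
        break;
    }
    case OP_LOAD: { /* W: Dst Size Src. Little-endian read of Size bytes, bounds-checked against VM memory */
        uint32_t size = in[2], addr = (uint32_t)vm->r[in[3] & 15], v = 0;
        if (size == 0 || size > 4 || addr > VM_MEM - size) { vm->status = VM_FAULT; return; }
        for (uint32_t i = size; i-- > 0;) v = (v << 8) | vm->mem[addr + i];
        vm->r[dst] = (int32_t)v;
        break;
    }
    case OP_MALLOC: { /* M: Dst - Immediate (byte count); fails instead of overrunning VM memory */
        uint32_t n = be32(in + 4);
        if (n == 0 || n > VM_MEM - vm->heap_top) { vm->status = VM_FAULT; return; }
        vm->r[dst] = (int32_t)vm->heap_top; vm->heap_top += n;
        break;
    }
    case OP_THROW:  /* E: Type - ExceptionPC. Stop and report the handler pc */
        vm->exc_type = in[1]; vm->pc = be32(in + 4); vm->status = VM_EXCEPTION; return;
    default:        /* call (0x90) needs a native function table and is not modelled here */
        vm->status = VM_UNSUPPORTED; return;
    }
    vm->pc = next;
}

static int vm_run(vm_t *vm, const uint8_t *code, size_t codelen, unsigned max_steps) {
    size_t ninsn = codelen / VM_INSN_LEN;
    while (vm->status == VM_RUNNING && max_steps-- > 0) vm_step(vm, code, ninsn);
    return vm->status;
}

/* Constructed demo program; every encoding follows the Table 1 layout. */
static const uint8_t demo_code[] = {
    0x30,0x02,0x00,0x04,0x00,0x00,0x00,0x05,  /* 0: addi r2 = r0 + 5                         */
    0x30,0x03,0x00,0x04,0x00,0x00,0x00,0x07,  /* 1: addi r3 = r0 + 7                         */
    0x51,0x01,0x04,0x00,0x00,0x00,0x02,0x03,  /* 2: add  r1 = r2 + r3          -> 12         */
    0xc0,0x04,0x00,0x02,0x03,0x00,0x00,0x00,  /* 3: cmp  r4 = r2 > r3          -> 0          */
    0x22,0x04,0x00,0x00,0x00,0x00,0x00,0x06,  /* 4: jmp 6 if r4 != 0           (not taken)   */
    0x30,0x01,0x01,0x04,0x00,0x00,0x00,0x01,  /* 5: addi r1 = r1 + 1           -> 13         */
    0x30,0x05,0x00,0x04,0x00,0x00,0x00,0x10,  /* 6: addi r5 = r0 + 16          (data address)*/
    0xe4,0x06,0x04,0x05,0x00,0x00,0x00,0x00,  /* 7: load r6 = [r5], 4 bytes    -> 0x12345678 */
    0xa0,0x07,0x00,0x00,0x00,0x00,0x00,0x08,  /* 8: malloc r7 = malloc(8)      -> 64         */
    0x11,0x01,0x00,0x00,0x00,0x00,0x00,0x06,  /* 9: throw type 1, handler pc 6               */
};
static vm_t demo_vm; static int demo_status = -1;

/* Runs the demo once with a constructed data word at VM address 16; returns the final status. */
int vmpp_demo(void) {
    if (demo_status < 0) {
        static const uint8_t word[4] = { 0x78, 0x56, 0x34, 0x12 };   /* constructed, little-endian */
        vm_init(&demo_vm);
        memcpy(demo_vm.mem + 16, word, sizeof word);
        demo_status = vm_run(&demo_vm, demo_code, sizeof demo_code, 100);
    }
    return demo_status;
}
int32_t  vmpp_demo_reg(int i) { vmpp_demo(); return demo_vm.r[i & 15]; }
uint32_t vmpp_demo_pc(void)   { vmpp_demo(); return demo_vm.pc; }

int main(void) {
    printf("status=%d pc=%u r1=%d r4=%d r6=0x%08x r7=%d\n", vmpp_demo(), (unsigned)vmpp_demo_pc(),
           vmpp_demo_reg(1), vmpp_demo_reg(4), (unsigned)vmpp_demo_reg(6), vmpp_demo_reg(7));
    return 0;
}
```

The interpreter keeps load and malloc inside its own bounds-checked memory, so a malformed virtualized instruction faults the VM rather than the host process. It also shows why the hardening raises the cost measured in Table 3: the native function's logic survives only as these opaque byte strings, so an analyst must first recover the dispatch loop and every operand layout before any of the original control or data flow becomes readable.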
Table 2  VMPP effectiveness test results (run time and binary size before / after hardening)

Case | Package name                | Main function of the native code                      | Lines of code | Run time (ms) before | after | Binary size (kB) before | after
A    | com.zizuzi.verificationdemo | Derive an encryption key from the device ID and similar | 123         | 6                    | 7     | 10                      | 285
B    | com.masonliu.testndk        | Compute a SHA1 value to verify the signature          | 230           | 5                    | 6     | 18                      | 297
C    | com.chenneyu.security       | Obtain the app signature via reflection and check it  | 221           | 3                    | 4     | 11                      | 241
D    | com.panxw.aes               | Encrypt strings with the AES algorithm                | 2301          | 2                    | 29    | 20                      | 308
E    | com.ss.jni                  | Call Java functions via reflection to modify the UI   | 174           | 37                   | 42    | 10                      | 237
F    | com.dean.vmp01              | String operations                                     | 57            | <1                   | <1    | 6                       | 103
G    | com.dean.vmp02              | Multi-dimensional array operations                    | 96            | <1                   | <1    | 6                       | 92
Table 3  Anti-reverse-engineering experiment for VMPP (time needed to reverse engineer, in minutes, before hardening / after hardening)

Analyst | Case A | Case B | Case C  | Case E   | Case F  | Case G  | Total    | Ratio (after / before)
A       | 3 / 35 | 6 / 65 | 8 / 71  | 9 / 92   | 7 / 78  | 7 / 82  | 40 / 423 | 10.6
B       | 5 / 40 | 9 / 59 | 7 / 80  | 10 / 112 | 8 / 75  | 9 / 96  | 48 / 462 | 9.6
C       | 5 / 58 | 7 / 82 | 7 / 134 | 8 / 165  | 7 / 117 | 9 / 122 | 43 / 678 | 15.8
Table 4  VMPP compatibility test

No. | Device              | OS version  | Architecture | Compatible
1   | Nexus 5             | Android 5.0 | arm32        | Yes
2   | Samsung S7          | Android 6.0 | arm64        | Yes
3   | Pixel 2XL           | Android 8.1 | arm64        | Yes
4   | Samsung S9+         | Android 9.0 | arm64        | Yes
5   | Genymotion Emulator | Android 8.0 | x86          | Yes
Table 5  Runtime overhead of VMPP hardening compared with Kiwisec (幾維) hardening

Case | Package name  | Run time before (ms) | Run time after (ms): VMPP | Kiwisec | Size before (kB) | Size after (kB): VMPP | Kiwisec
D    | com.panxw.aes | 2                    | 29                        | 4       | 20               | 308                   | 583
E    | com.ss.jni    | 37                   | 42                        | 38      | 10               | 237                   | 553