CN109067713A - Software security protection method, device, electronic equipment and computer storage medium - Google Patents
- Publication number: CN109067713A
- Application number: CN201810781960.4A
- Authority: CN (China)
- Prior art keywords: file, library file, binary library, binary, original
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/14—Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Computer Hardware Design (AREA)
- Technology Law (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Multimedia (AREA)
- Computing Systems (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Stored Programmes (AREA)
Abstract
This application relates to the field of Internet security and discloses a software security protection method, device, electronic equipment and computer-readable storage medium. The method comprises: compiling the source file of each program library that makes up the target software into at least two corresponding binary library files; and, when a scheduled update condition is met, updating a predetermined number of original binary library files in the target software to their corresponding target binary library files, where an original binary library file and its target binary library file are compiled from the same source file but are expressed with different instruction sequences. The method of the embodiments gives the target software a polymorphic form, effectively increases the difficulty of reverse-engineering attacks, greatly improves the security of all types of networks and terminal devices, and allows updates at any time without the target software having to stop serving external requests, which greatly improves the user experience.
Description
Technical field
This application relates to the technical field of Internet security and, specifically, to a software security protection method, device, electronic equipment and computer storage medium.
Background art
In recent years, APT (Advanced Persistent Threat) has become the mainstream form of cyberspace confrontation; it turns security threats from random attacks into purposeful, organized and premeditated group attacks. Reverse engineering is a common basic means of APT attacks, and most attacks are based on reverse engineering. Put simply, reverse engineering derives the operating logic of a program from its binary and its running instance, or uses the running characteristics and rules of a binary program to attack and tamper with the original operating logic.
The core of APT is that a malicious attacker, through careful observation and meticulous planning, quietly intrudes by various means, lurks for a long time, searches for confidential and high-value data, and steals data without triggering any alarm, so that the user loses data without noticing. APT attackers keep finding problems, keep developing attack tools and keep watching their targets closely, which makes traditional static defence techniques (rule-based and knowledge-based firewalls, intrusion detection and intrusion prevention systems) unable to predict a threat accurately before it occurs. Traditional security mechanisms therefore face new challenges and attacks become hard to guard against. The determinism, similarity and static nature of existing software systems and information systems are fatal security defects; they keep current software information systems in a passive position that is vulnerable to attack.
In addition, attacker and defender are not in symmetric positions: the defender is in the open and the operating state of the system can be fully grasped and observed by the attacker. No matter how advanced the protection technology, security software or system, it cannot withstand the attacker's long-term observation, analysis and repeated attacks, and once one attack succeeds it spreads on a large scale.
Summary of the invention
To overcome, or at least partially solve, the above technical problems, the following technical scheme is proposed:
In a first aspect, a software security protection method is provided, comprising:
compiling the source file of each program library that makes up the target software into at least two corresponding binary library files;
when a scheduled update condition is met, updating a predetermined number of original binary library files in the target software to their corresponding target binary library files, where an original binary library file and its target binary library file are compiled from the same source file and are expressed with different instruction sequences.
In a second aspect, a software security protection device is provided, comprising:
a compilation module, for compiling the source file of each program library that makes up the target software into at least two corresponding binary library files;
an update module, for updating, when a scheduled update condition is met, a predetermined number of original binary library files in the target software to their corresponding target binary library files, where an original binary library file and its target binary library file are compiled from the same source file and are expressed with different instruction sequences.
In a third aspect, an electronic device is provided, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the above software security protection method when executing the program.
In a fourth aspect, a computer-readable storage medium is provided, on which a computer program is stored; the program implements the above software security protection method when executed by a processor.
The software security protection method provided by this application compiles the source file of each program library that makes up the target software into at least two corresponding binary library files, which lays the necessary foundation for the dynamic change of the target software during subsequent operation; when a scheduled update condition is met, it updates a predetermined number of original binary library files in the target software to their corresponding target binary library files, where the original and target binary library files are compiled from the same source file and expressed with different instruction sequences. Thus, whenever the scheduled update condition is met, the original binary library files in the target software can be dynamically updated to the corresponding target binary library files. This not only gives the target software a polymorphic form, so that an APT attacker finds it hard to discover an attack pattern and gives up, but also means that even if an APT attacker obtains a certain binary library file and breaks it by reverse engineering, that result cannot be applied to the other binary library files of the same target software, which prevents the same attack method from spreading, effectively increases the difficulty of APT reverse-engineering attacks and greatly improves the security of all types of networks and terminal devices. Moreover, even while the target software is running it can be updated at any time without stopping external service, which greatly improves the user experience.
Additional aspects and advantages of this application will be set forth in part in the following description, and will in part become obvious from the description or be learned through practice of the application.
Brief description of the drawings
The above and/or additional aspects and advantages of this application will become obvious and easy to understand from the following description of the embodiments with reference to the accompanying drawings, in which:
Fig. 1 is a structural schematic diagram of the operating system dynamic security system of the embodiment of this application;
Fig. 2 is a flow diagram of the software security protection method of the embodiment of this application;
Fig. 3 is a schematic diagram of multiple versions of a binary library file of the embodiment of this application;
Fig. 4 is a schematic diagram of transparent switching of a binary library file of the embodiment of this application;
Fig. 5 is a schematic diagram of the freeze transformation of a binary library file of the embodiment of this application;
Fig. 6 is a schematic diagram of the basic structure of the software security protection device of the embodiment of this application;
Fig. 7 is a schematic diagram of the detailed structure of the software security protection device of the embodiment of this application;
Fig. 8 is a structural schematic diagram of the electronic device of the embodiment of this application.
Specific embodiments
Embodiments of this application are described in detail below; examples of the embodiments are shown in the accompanying drawings, where the same or similar reference numerals denote the same or similar elements, or elements with the same or similar functions. The embodiments described below with reference to the drawings are exemplary and are only intended to explain this application; they are not to be construed as limiting it.
Those skilled in the art will understand that, unless expressly stated otherwise, the singular forms "a", "an", "said" and "the" used herein may also include the plural forms. It should be further understood that the word "comprising" used in the description of this application means that the stated features, integers, steps, operations, elements and/or components are present, but does not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups thereof. It should be understood that when an element is said to be "connected" or "coupled" to another element, it may be directly connected or coupled to the other element, or intervening elements may be present. In addition, "connected" or "coupled" as used herein may include a wireless connection or wireless coupling. The term "and/or" used herein includes all or any unit, and all combinations, of one or more of the associated listed items.
To make the purpose, technical scheme and advantages of this application clearer, the embodiments of this application are described in further detail below with reference to the drawings.
As APT has become the mainstream form of current cyberspace confrontation, attack intrusions have become hard to guard against, and traditional static defence technology finds it difficult to predict a threat accurately before it occurs; conventional security mechanisms face new challenges. In light of the new changes in the current security environment, this application introduces a dynamic security mechanism into the security design of the OS (Operating System) architecture: through real-time sensing and computation, active transformation, camouflage and the like, the system actively changes before the attacker finds a vulnerability, so that the attacker can never find a usable target, meeting the needs of high-security scenarios.
An operating system dynamic security system, as shown in Fig. 1, comprises three parts: situation awareness, situation computation and active defence. Situation awareness places probes at key nodes of the program execution path to record and report abnormal behaviour that may change the security state of the system, including authentication failures, abnormal exits and other abnormal behaviours, giving real-time fine-grained detection. Situation computation uses artificial intelligence, locally or in the cloud, to compute the current security situation from the dynamic change data of each security factor. Active defence outputs a dynamic transformation strategy for the system according to the current security situation and transforms the system's form accordingly, actively reducing the risk the system faces.
The software security protection method provided by this application operates in the dynamic transformation stage of active defence: while a malicious program is scanning for vulnerabilities, and before it has generated attack code and launched an attack, the attack target has already been transformed, which increases the attacker's difficulty. The overall idea can be summarized as follows: by configuring different compilation parameters, the software's core libraries are compiled into versions that are functionally identical but expressed with different binary machine code; during operation, the versions of the different core libraries are switched dynamically to reduce the risk of attack. Combining the different binary code versions of the core libraries produces a very large variant space, making it difficult for a malicious program to lock on to a target.
The software security protection method, device, electronic equipment and computer-readable storage medium provided by this application are intended to solve the above technical problems of the prior art.
The technical scheme of this application, and how it solves the above technical problems, are described in detail below with specific embodiments. The specific embodiments below can be combined with each other, and the same or similar concepts or processes may not be repeated in some embodiments. Embodiments of this application are described below with reference to the drawings.
Embodiment one
The embodiment of this application provides a software security protection method, as shown in Fig. 2, comprising:
Step S210: compiling the source file of each program library that makes up the target software into at least two corresponding binary library files.
Specifically, any target software that realizes any function is implemented by program libraries in a corresponding programming language (such as C/C++ or Java); the corresponding function is realized by organizing and calling the libraries. A program library is a collection of available routines and other computer programs, and one program library contains several functions. What actually executes when the target software runs is the binary library file corresponding to each program library of the target software; a binary library file is generated by compiling the corresponding program library.
Further, the dynamic change of the target software means replacing any binary library file of the target software (such as binary library file A) with another binary library file that is identical in function but different in instruction sequence (such as binary library file A' or A''). To realize this replacement there must be at least two binary library files that are identical in function but different in instruction sequence, otherwise the dynamic change of the target software cannot be completed. That is, binary library files A, A' and A'' realize the same function but are expressed with different instruction sequences: A, A' and A'' are all binary library files generated by compiling the source file of the program library that realizes that function.
Further, the terminal system compiles the source file of each program library of the target software into at least two corresponding binary library files, which lays the necessary foundation for the dynamic change of the target software during subsequent operation.
Step S220: when a scheduled update condition is met, updating a predetermined number of original binary library files in the target software to their corresponding target binary library files, where the original binary library file and the target binary library file are compiled from the same source file and are expressed with different instruction sequences.
Specifically, the predetermined number may be 1, 2, 5 and so on; this application does not limit it.
For example, original binary library file A in the target software may be updated to its corresponding target binary library file A'; in another example, original binary library files A and B in the target software may be updated to their corresponding target binary library files A'' and B' respectively. Here A, A' and A'' are generated by compiling the source file of the same program library and are expressed with different instruction sequences, and B and B' are likewise generated by compiling the source file of the same program library and expressed with different instruction sequences.
Further, during the update, one corresponding target binary library file may be randomly selected to replace the original binary library file. For example, binary library files A, A' and A'' realize the same function but are expressed with different instruction sequences, that is, A, A' and A'' are generated by compiling the source file of the same program library; if the original binary library file in the currently running target software is A, one of the target binary library files A' and A'' can be randomly selected to replace original binary library file A.
Compared with the prior art, the software security protection method provided by the embodiment of this application compiles the source file of each program library that makes up the target software into at least two corresponding binary library files, laying the necessary foundation for the dynamic change of the target software during subsequent operation; when a scheduled update condition is met, it updates a predetermined number of original binary library files in the target software to their corresponding target binary library files, where the original and target binary library files are compiled from the same source file and expressed with different instruction sequences. Thus, whenever the scheduled update condition is met, the original binary library files in the target software can be dynamically updated to the corresponding target binary library files. This not only gives the target software a polymorphic form, so that an APT attacker finds it hard to discover an attack pattern and gives up, but also means that even if an APT attacker obtains a certain binary library file and breaks it by reverse engineering, that result cannot be applied to the other binary library files of the same target software, which prevents the same attack method from spreading, effectively increases the difficulty of APT reverse-engineering attacks and greatly improves the security of all types of networks and terminal devices. Moreover, even while the target software is running it can be updated at any time without stopping external service, which greatly improves the user experience.
Embodiment two
The embodiment of this application provides another possible implementation which, on the basis of Embodiment one, further includes the method shown in Embodiment two, in which:
Step S210 includes step S2101 (not marked in the figure) and step S2102 (not marked in the figure):
Step S2101: for the source file of any program library, determine the compilation parameters corresponding to each of at least two compilation modes of that source file.
Step S2102: compile the source file according to the compilation parameters of any compilation mode, obtaining the binary library file corresponding to that compilation mode.
The scheduled update condition in step S220 includes at least one of the following: the target software is started; the target software has run for a preset duration; abnormal behaviour is detected, where abnormal behaviour includes at least one of authentication failure, abnormal exit, resource access conflict and illegal memory access.
Specifically, by using different compilation methods, the terminal system can make the internal binary structure produced from the same program library's source file differ. In the embodiment of this application, for the source file of any program library, the compilation parameters corresponding to several compilation modes of that source file are determined, and step S2102 is executed to generate several binary library file versions of that program library's source file, such as A, A' and A''.
Further, different compilation methods correspond to different optimization levels of the program library's source file, and the optimization level can correspond to the degree of disorder of the binary structure: for example, a compilation method with a higher optimization level needs more complex compilation parameters but makes it harder for an attacker to capture. Those skilled in the art can match a suitable optimization level to the target software according to the actual situation in different domains or scenarios.
Further, when generating binary library files, for the source file of any program library of the target software, the optimization level of that source file can be determined, the compilation parameters of the corresponding compilation mode obtained according to the optimization level, and step S2102 then executed.
Further, program library source code with the same function (such as C code) can, through different compilation options, generate binary library files with different machine instruction sequences. Fig. 3 is a comparison after decompiling a certain binary library file; in Fig. 3 the C code and the assembly code (the binary library file expressed as a machine instruction sequence) are interleaved. The same C code can be compiled into different assembly code, but the function finally realized is the same; that is, program library source code realizing the same function can be compiled into binary library files that are identical in function but expressed with different instruction sequences.
Further, multiple versions of program library A, such as A' and A'', are produced by the above method. A certain vulnerability may exist only in a specific compiled version (such as A); or, even if every version is vulnerable, the method by which a malicious program exploits the vulnerability differs greatly between versions, or the malicious program needs several vulnerabilities at once. The uncertainty of the binary library file therefore greatly increases the difficulty for an attacker to research, lock on to and attack a particular vulnerability. The variant space formed by combining the multiple executable versions of multiple program libraries is very large: if 21 libraries are selected and each library has 3 versions, the variant space is 3^21, roughly 10 billion, and the system can evade vulnerability attacks through this huge uncertainty.
Further, when the terminal system deems the moment suitable, for example when the target software is started, or when the target software has run for a preset duration (such as 30 minutes or 50 minutes), or when abnormal behaviour is detected (such as authentication failure, abnormal exit, resource access conflict or illegal memory access), the terminal system can update a predetermined number of original binary library files in the running target software to their corresponding target binary library files.
Further, when determining the predetermined number of original binary library files from the currently running target software, they can be selected at random, for example original binary library files A, B, E, H and M; they can also be selected in turn according to the logical execution order of the original binary library files, where the logical execution order is the order in which the original binary library files execute in their logical relationship, for example the processing of original binary library file A should precede that of B and the processing of B should precede that of C, in which case original binary library files A and B can be selected in that order; or they can be selected in turn according to the priority level of each original binary library file, where the priority level is the importance of each original binary library file, for example the priority of original binary library file B is higher than that of C and the priority of C is higher than that of D, in which case original binary library files B and C can be selected in order of priority.
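The scheduling logic of this embodiment (update conditions, selection of the libraries to rotate, random choice of a differing variant, and the size of the variant space), written out as an added example in C. This is illustrative code written for this page, not code from the patent or from any product implementing it; the event names, the xorshift generator, the `struct library` fields and the function names are this example's own assumptions. The compilation step (S2101/S2102) is left to the build system; the code only models what happens once the variants exist.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One program library of the target software and its compiled variants. */
struct library {
    const char *name;
    int priority;   /* importance; higher is rotated first under SEL_PRIORITY */
    int versions;   /* binary library files built from the same source file */
    int active;     /* index of the variant currently loaded */
};

/* Events that may satisfy the scheduled update condition (names are ours). */
enum event { EV_NONE, EV_START, EV_TICK, EV_AUTH_FAIL, EV_ABNORMAL_EXIT,
             EV_RESOURCE_CONFLICT, EV_ILLEGAL_MEM_ACCESS };

enum strategy { SEL_RANDOM, SEL_LOGICAL_ORDER, SEL_PRIORITY };

/* xorshift64, deterministic so the run is reproducible. A deployment must draw
 * from a CSPRNG (e.g. getrandom(2)), or the attacker can predict the next variant. */
static uint64_t next_rand(uint64_t *s) {
    uint64_t x = *s ? *s : 0x9E3779B97F4A7C15ULL;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return *s = x;
}

/* Size of the variant space: product of the per-library version counts. */
uint64_t variant_space(const struct library *libs, size_t n) {
    uint64_t total = 1;
    for (size_t i = 0; i < n; i++) total *= (uint64_t)libs[i].versions;
    return total;
}

/* Is an update due? Start-up and each listed abnormal behaviour trigger one;
 * a clock tick triggers one whenever uptime reaches a multiple of period_s. */
int update_due(enum event ev, unsigned uptime_s, unsigned period_s) {
    switch (ev) {
    case EV_START: case EV_AUTH_FAIL: case EV_ABNORMAL_EXIT:
    case EV_RESOURCE_CONFLICT: case EV_ILLEGAL_MEM_ACCESS:
        return 1;
    case EV_TICK:
        return period_s != 0 && uptime_s != 0 && uptime_s % period_s == 0;
    default:
        return 0;
    }
}

/* Choose k libraries to rotate; libs[] is assumed to be listed in logical
 * execution order. Writes indices to out[] and returns how many were chosen. */
size_t select_targets(const struct library *libs, size_t n, enum strategy st,
                      size_t k, size_t *out, uint64_t *rng) {
    size_t *idx = malloc(n * sizeof *idx);
    if (!idx) return 0;
    for (size_t i = 0; i < n; i++) idx[i] = i;
    if (st == SEL_PRIORITY) {                 /* stable sort, highest priority first */
        for (size_t i = 1; i < n; i++) {
            size_t v = idx[i], j = i;
            while (j > 0 && libs[idx[j - 1]].priority < libs[v].priority) {
                idx[j] = idx[j - 1]; j--;
            }
            idx[j] = v;
        }
    } else if (st == SEL_RANDOM) {            /* Fisher-Yates shuffle */
        for (size_t i = n; i > 1; i--) {
            size_t j = (size_t)(next_rand(rng) % i), t = idx[i - 1];
            idx[i - 1] = idx[j]; idx[j] = t;
        }
    }
    if (k > n) k = n;
    memcpy(out, idx, k * sizeof *out);
    free(idx);
    return k;
}

/* Pick a target variant that differs from the active one; returns the new index. */
int rotate_variant(struct library *lib, uint64_t *rng) {
    if (lib->versions < 2) return lib->active;          /* nothing to diversify */
    int next = (int)(next_rand(rng) % (uint64_t)(lib->versions - 1));
    if (next >= lib->active) next++;                    /* skip the active index */
    lib->active = next;
    return next;
}

/* Sanity check: across `trials` rotations the new variant never equals the old. */
int rotation_never_repeats(struct library *lib, uint64_t seed, int trials) {
    for (int i = 0; i < trials; i++) {
        int before = lib->active;
        if (rotate_variant(lib, &seed) == before) return 0;
    }
    return 1;
}

int main(void) {
    struct library libs[21];
    for (size_t i = 0; i < 21; i++) libs[i] = (struct library){ "lib", 0, 3, 0 };
    printf("21 libraries x 3 versions: %llu variants\n",
           (unsigned long long)variant_space(libs, 21));
    uint64_t rng = 42; size_t pick[5];
    size_t n = select_targets(libs, 21, SEL_RANDOM, 5, pick, &rng);  /* e.g. on EV_AUTH_FAIL */
    for (size_t i = 0; i < n; i++)
        printf("libs[%zu] -> variant %d\n", pick[i], rotate_variant(&libs[pick[i]], &rng));
    return 0;
}
```

Two things the page does not spell out but a deployment has to get right: the choice of variant must come from a cryptographically secure source, since a predictable rotation tells the attacker which variant is live; and variants compiled from one source file share every source-level bug, so what diversity changes is the instruction sequence, addresses and gadget layout that a binary-dependent exploit relies on, not a logic flaw reachable through the library's interface.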
In the embodiment of this application, by dynamically switching the binary library files of the target software when the target software is started, when it has run for a preset duration, or when abnormal behaviour is detected, an attacker finds it hard to discover an attack pattern and gives up; and even if an attacker obtains a certain binary library file and breaks it by reverse engineering, that result cannot be applied to the other binary library files of the same target software, which prevents the same attack method from spreading, effectively increases the difficulty of reverse-engineering attacks and improves the security of networks and terminal devices of all levels and types.
Embodiment three
The embodiment of this application provides another possible implementation which, on the basis of Embodiment two, further includes the method shown in Embodiment three, in which:
Step S220 specifically is: based on the operating state of the target software, selecting one of the multiple target binary library files corresponding to any original binary library file to replace that original binary library file.
Specifically, when the target program is running, any target binary library file corresponding to the original binary library file is loaded; calls to the original binary library file that newly occur afterwards are executed by that target binary library file, while calls that were already in progress and have not yet finished continue to be executed by the original binary library file. After loading the target binary library file corresponding to the original binary library file, the method further includes: when it is detected that all the previously started, unfinished calls into the original binary library file have completed, unloading that original binary library file.
Further, when the target program is in a suspended state, any target binary library file corresponding to the original binary library file is loaded and the original binary library file is unloaded.
The uncertainty of the variant space can evade attacks by malicious programs, but ensuring both that the transformation can be carried out and that core business keeps running stably is the most critical problem. Because the operating logic of each program library differs greatly, a slight change in timing is likely to cause an error in the overall logic and affect the stable operation of the system. The embodiment of the present application realizes the transformation of the binary library files of the target software by the following methods:
a) Random loading at startup
Specifically, a process is the basic unit of system operation, and system services and applications are processes. When a process starts, if a binary library file to be loaded has multiple versions, such as A, A', A'' and so on, one of them is loaded at random, so that the same service or application has a different form each time it starts.
b) "Transparent redundancy transformation" at run time
Specifically, the basic method of this technique is as follows. In the transformation stage of a binary library file there is always a period in which the old library (such as A) and the new library (such as A') exist simultaneously. Calls to functions in the old library that have not yet finished continue to run, while newly arising function calls are directed to the new library. After all function calls in the old library have exited, the old library is unloaded and the new library is responsible for subsequent operation. The whole process is transparent to the outside and the business is not interrupted. The "transparent redundancy transformation" technique is shown in Figure 4 and may include the following steps:
1. As shown in Figure 4, the target program consists of multiple binary library files A, B, ..., N. Each binary library file has multiple versions, such as A', A'' and so on.
2. Before the transformation, taking binary library file A as an example, A provides the function service calls.
3. The transformation starts: object binary library file A' is loaded, so that A and A' exist simultaneously. All newly arising function calls to library A are directed to A', while calls in A that have not yet returned continue to run.
4. When the service calls in A have returned and new calls are being directed to A', A is unloaded.
5. The switch is complete and A' provides the service entirely. The whole process realizes a transparent switch of the binary library file by means of redundant transformation.
c) "Freeze transformation" at run time
Specifically, the basic method of this technique is as follows. When the process corresponding to the target program (such as process 1) enters a suspended state, its operating state is frozen. At that point the binary library file is replaced with another version, and when the process corresponding to the target program is woken up, the operating state saved by the system is restored onto, and updated for, the newly replaced binary library file. The "freeze transformation" technique is shown in Figure 5 and may include the following steps:
1. Process 1 enters a suspended state and its state is frozen;
2. binary library file A is transformed to A';
3. in the state restoration stage, the state of binary library file A is updated to A';
4. after process 1 is resumed, calls and services are provided externally by A'.
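The three switching strategies a), b) and c) above, as an added example that is not part of the patent: a process-local simulation in C. Real binary library files would be loaded with dlopen()/dlsym() and unloaded with dlclose(); here each variant is a struct of function pointers so the block runs stand-alone. The service state type lib_state, the slot structure, the variant names A and A', and the two service bodies are all hypothetical. The block shows random variant selection at startup, the transparent switch in which new calls are routed to A' while calls still in flight in A pin it until they return (after which A is unloaded), and the frozen switch, which is refused unless nothing is in flight.

```c
/* Added example, not the patent's own code: a simulation of variant
 * switching for one library slot. Library files are modelled as structs
 * of function pointers instead of dlopen() handles. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* State of the service lives in a process-owned struct, not in library
 * globals, so that any variant compiled from the same source can take it
 * over (hypothetical ABI contract). */
typedef struct { uint64_t counter; } lib_state;

typedef struct {
    const char *name;
    uint64_t (*service)(lib_state *st, uint64_t x);
    int inflight;   /* calls that entered this variant and have not returned */
    int loaded;
} lib_variant;

/* Two variants of "library A": same semantics, different code sequence. */
static uint64_t service_v1(lib_state *st, uint64_t x) { st->counter++;    return x * 2; }
static uint64_t service_v2(lib_state *st, uint64_t x) { st->counter += 1; return x + x; }

static lib_variant variants[] = {
    { "A",  service_v1, 0, 0 },
    { "A'", service_v2, 0, 0 },
};
#define NVARIANTS (sizeof variants / sizeof variants[0])

/* The slot callers go through: 'current' receives new calls, 'old' is a
 * variant that is being drained after a transparent switch. */
typedef struct { lib_variant *current; lib_variant *old; lib_state state; } lib_slot;

/* (a) Random loading at startup: pick one variant using the given seed. */
void slot_init_random(lib_slot *s, unsigned seed) {
    srand(seed);
    memset(s, 0, sizeof *s);
    s->current = &variants[rand() % NVARIANTS];
    s->current->loaded = 1;
}

/* Caller side. A call is pinned to whichever variant was current when it
 * began; the variant cannot be unloaded while inflight > 0. */
typedef struct { lib_variant *v; } call_handle;

call_handle slot_call_begin(lib_slot *s) {
    call_handle h = { s->current };
    h.v->inflight++;
    return h;
}
uint64_t slot_call_run(lib_slot *s, call_handle h, uint64_t x) {
    return h.v->service(&s->state, x);
}
/* Returning unpins the variant; when the last in-flight call of the old
 * variant returns, the old variant is unloaded (step 4 of the transformation). */
void slot_call_end(lib_slot *s, call_handle h) {
    h.v->inflight--;
    if (s->old == h.v && h.v->inflight == 0) { h.v->loaded = 0; s->old = NULL; }
}

/* (b) Transparent redundancy transformation while running: load the target,
 * route new calls to it, keep the old variant until its calls have drained. */
int slot_switch_transparent(lib_slot *s, lib_variant *target) {
    if (target == s->current || s->old != NULL) return -1;  /* one switch at a time */
    target->loaded = 1;
    s->old = s->current;
    s->current = target;
    if (s->old->inflight == 0) { s->old->loaded = 0; s->old = NULL; }
    return 0;
}

/* (c) Freeze transformation: only valid while the process is suspended,
 * i.e. nothing is in flight; the saved state is re-attached to the new variant. */
int slot_switch_frozen(lib_slot *s, lib_variant *target) {
    if (target == s->current || s->old != NULL || s->current->inflight != 0) return -1;
    lib_state saved = s->state;     /* state frozen together with the process */
    s->current->loaded = 0;
    target->loaded = 1;
    s->current = target;
    s->state = saved;               /* state restored under the new variant */
    return 0;
}
```

The in-flight counter is the check a practitioner needs before the real dlclose(): unloading a library that still has live stack frames in it crashes the process, which is exactly the timing error the text warns about. Keeping the service state outside the library is what makes step 3 of the freeze transformation a plain pointer swap.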
In the embodiment of the present application, random loading at startup has the highest reliability and the lowest cost and can produce variants with large differences, but its trigger conditions are limited (for example an application restart, a server reset or a terminal restart), so the transformation frequency cannot be very high or business use would be affected. The run-time "transparent redundancy transformation" technique can provide a very high transformation frequency while ensuring that service operation is unaffected, and has very high flexibility and real-time performance; but because its technical difficulty is relatively large and its risk higher, the differences between the variants it generates should not be too large. The run-time "freeze transformation" technique uses the special stage in which the process is dormant, operation has stopped and the state has been saved to complete the replacement of the new library and the state update; its technical difficulty and risk are moderate, but it is not real-time enough, since it must wait until the process has finished all business processing and has passed from the idle state into the dormant state. Therefore, the active transformation stage of situation awareness -> situation computation -> active defense needs to select a suitable transformation tactic according to the current security posture level. For example, when the security threat is very low, only random loading at startup needs to be triggered; when the security threat is moderate, the run-time "freeze transformation" technique is additionally started, so that each dormancy of the process produces a variant; when threat scanning is more intense or a particular vulnerability is detected, the "transparent redundancy transformation" technique is triggered to generate variants in real time and resist the attack immediately; and if the threat is very high and attacks are continuous, a server reset or terminal restart may be triggered at the same time as the "transparent redundancy transformation" technique, using the restart to generate variants with larger differences.
Embodiment four
Fig. 6 is a structural schematic diagram of a software security protection device provided by the embodiments of the present application. As shown in Fig. 6, the device 60 may include a compilation module 61 and an update module 62, wherein
the compilation module 61 is used to compile the source code file of each program library constituting the target software into at least two corresponding binary library files respectively;
the update module 62 is used, when a predetermined update condition is met, to update a predetermined number of original binary library files in the target software to corresponding object binary library files respectively, where the original binary library file and the object binary library file are generated by compiling the same source code file and are represented by different instruction sequences.
Specifically, the predetermined update condition includes at least one of the following:
the target software starts; the target software has run for a preset duration; abnormal behaviour is detected;
wherein the abnormal behaviour includes at least one of authentication failure, abnormal exit, resource access conflict and illegal memory access.
Further, the update module 62 is specifically used, based on the operating state of the target software, to select any one of the multiple object binary library files corresponding to any original binary library file to replace that original binary library file.
Further, the update module 62 is specifically also used, when the target program is running, to load any object binary library file corresponding to the original binary library file, to execute by that object binary library file the calls to the original binary library file that arise subsequently, and to continue executing by the original binary library file the calls that were already in progress.
Further, the update module 62 is specifically also used, when the target program is in a suspended state, to load any object binary library file corresponding to the original binary library file and to unload the original binary library file.
Further, the update module 62 is specifically also used, when it is detected that all calls that were already in progress in the original binary library file have completed, to unload the original binary library file.
Further, the compilation module 61 includes a determining submodule 611 and a compiling submodule 612, as shown in Fig. 7, wherein
the determining submodule 611 is used, for the source code file of any program library, to determine the compilation parameters corresponding to at least two compilation modes of that source code file;
the compiling submodule 612 is used to compile the source code file according to the compilation parameters of any compilation mode, obtaining the binary library file corresponding to that compilation mode.
Compared with the prior art, the device provided by the embodiments of the present application compiles the source code file of each program library constituting the target software into at least two corresponding binary library files respectively, which establishes the necessary basis for dynamic change of the target software during subsequent operation; when a predetermined update condition is met, it updates a predetermined number of original binary library files in the target software to corresponding object binary library files respectively, the original binary library file and the object binary library file being generated by compiling the same source code file and represented by different instruction sequences. Thus, when the predetermined update condition is met, the original binary library files in the target software can be dynamically updated to corresponding object binary library files. This not only gives the target software a polymorphic effect, making it difficult for an APT attacker to find a pattern to attack so that the attacker gives up, and ensuring that even if an APT attacker obtains one binary library file and breaks it by reverse engineering, the result cannot be carried over to the other binary library files of the same target software, so the same attack method cannot spread, which effectively increases the difficulty of APT reverse attacks and greatly improves the security of all types of networks and terminal devices; it also allows the update to take place at any time, even while the target software is running, without stopping the externally provided service, which greatly improves the user experience.
Embodiment five
The embodiment of the present application provides an electronic device. As shown in Fig. 8, the electronic device 800 includes a processor 801 and a memory 803. The processor 801 is connected to the memory 803, for example by a bus 802. Further, the electronic device 800 may also include a transceiver 804. It should be noted that in practical applications the transceiver 804 is not limited to one, and the structure of the electronic device 800 does not constitute a limitation on the embodiments of the present application.
The processor 801 is applied in the embodiment of the present application to realize the functions of the compilation module and the update module shown in Fig. 6. The transceiver 804 includes a receiver and a transmitter and is applied in the embodiment of the present application to realize the functions related to data transmission and reception.
The processor 801 may be a CPU, a general-purpose processor, a DSP, an ASIC, an FPGA or other programmable logic device, a transistor logic device, a hardware component or any combination thereof. It may implement or execute the various illustrative logic blocks, modules and circuits described in connection with the present disclosure. The processor 801 may also be a combination realizing computing functions, for example a combination of one or more microprocessors, or a combination of a DSP and a microprocessor.
The bus 802 may include a path for transferring information between the above components. The bus 802 may be a PCI bus or an EISA bus, etc. The bus 802 may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration only one thick line is drawn in Fig. 8, but this does not mean that there is only one bus or only one type of bus.
The memory 803 may be a ROM or another type of static storage device capable of storing static information and instructions, a RAM or another type of dynamic storage device capable of storing information and instructions, an EEPROM, a CD-ROM or other optical disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to these.
The memory 803 is used to store application program code for executing the solution of the present application, and execution is controlled by the processor 801. The processor 801 is used to execute the application program code stored in the memory 803 so as to realize the actions of the software security protection device provided by the embodiment shown in Fig. 6.
The electronic device provided by the embodiments of the present application includes a memory, a processor and a computer program stored on the memory and runnable on the processor. Compared with the prior art, when the processor executes the program it can achieve the following: the source code file of each program library constituting the target software is compiled into at least two corresponding binary library files respectively, which establishes the necessary basis for dynamic change of the target software during subsequent operation; when a predetermined update condition is met, a predetermined number of original binary library files in the target software are updated to corresponding object binary library files respectively, the original binary library file and the object binary library file being generated by compiling the same source code file and represented by different instruction sequences. Thus, when the predetermined update condition is met, the original binary library files in the target software can be dynamically updated to corresponding object binary library files. This not only gives the target software a polymorphic effect, making it difficult for an APT attacker to find a pattern to attack so that the attacker gives up, and ensuring that even if an APT attacker obtains one binary library file and breaks it by reverse engineering, the result cannot be carried over to the other binary library files of the same target software, so the same attack method cannot spread, which effectively increases the difficulty of APT reverse attacks and greatly improves the security of networks at all levels and of all types of terminal devices; it also allows the update to take place at any time, even while the target software is running, without stopping the externally provided service, which greatly improves the user experience.
The embodiment of the present application provides a computer readable storage medium on which a computer program is stored; when the program is executed by a processor, the method shown in embodiment one is realized. Compared with the prior art, the source code file of each program library constituting the target software is compiled into at least two corresponding binary library files respectively, which establishes the necessary basis for dynamic change of the target software during subsequent operation; when a predetermined update condition is met, a predetermined number of original binary library files in the target software are updated to corresponding object binary library files respectively, the original binary library file and the object binary library file being generated by compiling the same source code file and represented by different instruction sequences. Thus, when the predetermined update condition is met, the original binary library files in the target software can be dynamically updated to corresponding object binary library files. This not only gives the target software a polymorphic effect, making it difficult for an APT attacker to find a pattern to attack so that the attacker gives up, and ensuring that even if an APT attacker obtains one binary library file and breaks it by reverse engineering, the result cannot be carried over to the other binary library files of the same target software, so the same attack method cannot spread, which effectively increases the difficulty of APT reverse attacks and greatly improves the security of all types of networks and terminal devices; it also allows the update to take place at any time, even while the target software is running, without stopping the externally provided service, which greatly improves the user experience.
The computer readable storage medium provided by the embodiments of the present application is applicable to any embodiment of the above method and is not described again here.
It should be understood that although the steps in the flowcharts of the drawings are shown in sequence as indicated by the arrows, these steps are not necessarily executed in the order indicated by the arrows. Unless expressly stated otherwise herein, there is no strict order limit on the execution of these steps, and they may be executed in other orders. Moreover, at least some of the steps in the flowcharts of the drawings may include multiple sub-steps or multiple stages; these sub-steps or stages are not necessarily completed at the same moment but may be executed at different times, and their execution order is not necessarily sequential but may be in turn or alternately with at least part of the sub-steps or stages of other steps.
The above are only some embodiments of the present application. It should be noted that, for those of ordinary skill in the art, several improvements and modifications can be made without departing from the principles of the present application, and these improvements and modifications should also be regarded as within the scope of protection of the present application.
Claims (10)
1. A software security protection method, characterized by comprising:
compiling the source code file of each program library constituting the target software into at least two corresponding binary library files respectively;
when a predetermined update condition is met, updating a predetermined number of original binary library files in the target software to corresponding object binary library files respectively, wherein the original binary library file and the object binary library file are generated by compiling the same source code file and are represented by different instruction sequences.
2. The method according to claim 1, characterized in that the predetermined update condition includes at least one of the following:
the target software starts; the target software has run for a preset duration; abnormal behaviour is detected;
wherein the abnormal behaviour includes at least one of authentication failure, abnormal exit, resource access conflict and illegal memory access.
3. The method according to claim 2, characterized in that, when the predetermined update condition is met, updating a predetermined number of original binary library files in the target software to corresponding object binary library files respectively comprises:
based on the operating state of the target software, selecting any one of the multiple object binary library files corresponding to any original binary library file to replace that original binary library file.
4. The method according to claim 3, characterized in that, based on the operating state of the target software, selecting any one of the multiple object binary library files corresponding to any original binary library file to replace that original binary library file comprises:
when the target program is running, loading any object binary library file corresponding to the original binary library file, executing by that object binary library file the calls to the original binary library file that arise subsequently, and continuing to execute by the original binary library file the calls that were already in progress.
5. The method according to claim 3, characterized in that, based on the operating state of the target software, selecting any one of the multiple object binary library files corresponding to any original binary library file to replace that original binary library file comprises:
when the target program is in a suspended state, loading any object binary library file corresponding to the original binary library file and unloading the original binary library file.
6. The method according to claim 4, characterized in that, after loading the object binary library file corresponding to the original binary library file, the method further comprises:
when it is detected that all calls that were already in progress in the original binary library file have completed, unloading the original binary library file.
7. The method according to any one of claims 1-6, characterized in that compiling the source code file of each program library constituting the target software into at least two corresponding binary library files respectively comprises:
for the source code file of any program library, determining the compilation parameters corresponding to at least two compilation modes of the source code file;
compiling the source code file according to the compilation parameters of any compilation mode to obtain the binary library file corresponding to that compilation mode.
8. A software security protection device, characterized by comprising:
a compilation module for compiling the source code file of each program library constituting the target software into at least two corresponding binary library files respectively;
an update module for, when a predetermined update condition is met, updating a predetermined number of original binary library files in the target software to corresponding object binary library files respectively, wherein the original binary library file and the object binary library file are generated by compiling the same source code file and are represented by different instruction sequences.
9. An electronic device, comprising a memory, a processor and a computer program stored on the memory and runnable on the processor, characterized in that the processor, when executing the program, implements the software security protection method according to any one of claims 1-7.
10. A computer readable storage medium, characterized in that a computer program is stored on the computer readable storage medium, and the program, when executed by a processor, implements the software security protection method according to any one of claims 1-7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810781960.4A CN109067713A (en) | 2018-07-17 | 2018-07-17 | Software security means of defence, device, electronic equipment and computer storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109067713A true CN109067713A (en) | 2018-12-21 |
Family
ID=64816743
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810781960.4A Pending CN109067713A (en) | 2018-07-17 | 2018-07-17 | Software security means of defence, device, electronic equipment and computer storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109067713A (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101916194A (en) * | 2010-06-01 | 2010-12-15 | 浙江大学 | Method for deploying node procedure of wireless sensing network |
CN104866369A (en) * | 2015-05-22 | 2015-08-26 | 广州华多网络科技有限公司 | Data processing method and apparatus |
CN107133036A (en) * | 2017-04-26 | 2017-09-05 | 武汉斗鱼网络科技有限公司 | The management method and device of a kind of module |
CN108021792A (en) * | 2017-12-04 | 2018-05-11 | 北京元心科技有限公司 | Mirror image software generation method and device and corresponding terminal |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110333872A (en) * | 2019-07-09 | 2019-10-15 | 广州虎牙科技有限公司 | A kind of processing method of application, device, equipment and medium |
CN110333872B (en) * | 2019-07-09 | 2023-06-16 | 广州虎牙科技有限公司 | Application processing method, device, equipment and medium |
CN113254065A (en) * | 2021-07-14 | 2021-08-13 | 广州易方信息科技股份有限公司 | Application software compatibility method and device |
CN113254065B (en) * | 2021-07-14 | 2021-11-02 | 广州易方信息科技股份有限公司 | Application software compatibility method and device |
CN114297643A (en) * | 2022-03-10 | 2022-04-08 | 众连智能科技有限公司 | Defense method and device of intelligent contract and storage medium |
CN114297643B (en) * | 2022-03-10 | 2022-07-08 | 众连智能科技有限公司 | Defense method and device of intelligent contract and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |
Application publication date: 20181221 |