Journal of Computer Applications ›› 2013, Vol. 33 ›› Issue (09): 2520-2524.DOI: 10.11772/j.issn.1001-9081.2013.09.2520

• Information security • Previous Articles     Next Articles

Software tamper resistance based on function-level control-flow monitoring

ZHANG Guimin,LI Qingbao,WANG Wei,ZHU Yi   

  1. State Key Laboratory of Mathematical Engineering and Advanced Computing (Information Engineering University), Zhengzhou Henan 450000, China
  • Received:2013-03-27 Revised:2013-05-02 Online:2013-10-18 Published:2013-09-01
  • Contact: ZHANG Guimin

基于函数级控制流监控的软件防篡改

张贵民,李清宝,王炜,朱毅   

  1. 数学工程与先进计算国家重点实验室(信息工程大学), 郑州 450000
  • 通讯作者: 张贵民
  • 作者简介:张贵民(1987-),男,山东济南人, 硕士研究生,主要研究方向:信息安全、可信计算;
    李清宝(1967-),男,四川乐山人,教授,博士生导师,博士,CCF会员,主要研究方向:计算机系统结构、信息安全、可信计算;
    王炜(1975-),男,湖北武汉人,讲师,博士,CCF会员,主要研究方向:计算机系统结构、信息安全、可信计算;
    朱毅(1986-),男,河北石家庄人,助理工程师,硕士研究生,主要研究方向:计算机系统结构、信息安全、可信计算。
  • 基金资助:

    国家核高基项目

Abstract: Software tamper resistance is an important method for software protection. Concerning the control-flow tampering invoked by buffer overflow as well as some other software attacks, a software tamper-proofing method based on Function-Level Control-Flow (FLCF) monitoring was proposed. This method described the software's normal behaviors by FLCF and instrumented one guard at every entrance of functions by binary rewriting technology. The monitoring module decided whether the software was tampered or not by comparing the running status received from the guards' reports with the expected condition. A prototype system was realized and its performance was analyzed. The experimental results show that this method can effectively detect the control-flow tampering with less overhead and no false positives. It can be easily deployed and transplanted as its implementation does not need source code or any modifications of underlying devices, and system security is strengthened by isolating the monitoring module with the software being protected.

Key words: software tamper resistance, Function-Level Control-Flow (FLCF), binary rewriting, guard, Trusted Platform Module(TPM)

摘要: 软件防篡改是软件保护的重要手段。针对由缓冲区溢出等攻击导致的控制流篡改,提出一种基于函数级控制流监控的软件防篡改方法。以函数级控制流描述软件正常行为,利用二进制重写技术在软件函数入口处植入哨兵,由监控模块实时获取哨兵发送的软件运行状态,通过对比运行状态和预期值判断程序是否被篡改。实现了原型系统并对其进行了性能分析,实验结果表明,基于函数级控制流监控的软件防篡改方法能有效检测对控制流的篡改攻击,无误报且开销较低,其实现不依赖程序源码,无需修改底层硬件和操作系统,监控机制与被保护软件隔离,提高了安全性。

关键词: 软件防篡改, 函数级控制流, 二进制重写, 哨兵, 可信平台模块

CLC Number: