[go: up one dir, main page]

CN111538962A - Program control flow obfuscation method, system, storage medium, cloud server and application - Google Patents

Program control flow obfuscation method, system, storage medium, cloud server and application Download PDF

Info

Publication number
CN111538962A
CN111538962A CN202010193086.XA CN202010193086A CN111538962A CN 111538962 A CN111538962 A CN 111538962A CN 202010193086 A CN202010193086 A CN 202010193086A CN 111538962 A CN111538962 A CN 111538962A
Authority
CN
China
Prior art keywords
program
statement
control flow
branch
original
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010193086.XA
Other languages
Chinese (zh)
Inventor
沈玉龙
王博
何昶辉
赵迪
张志为
何嘉洪
康晓宇
刘家继
许王哲
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xidian University
Original Assignee
Xidian University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Xidian University filed Critical Xidian University
Priority to CN202010193086.XA priority Critical patent/CN111538962A/en
Publication of CN111538962A publication Critical patent/CN111538962A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
    • G06F21/12Protecting executable software
    • G06F21/14Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Multimedia (AREA)
  • Technology Law (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)

Abstract

本发明属于控制流混淆技术领域,公开了一种程序控制流混淆方法、系统、存储介质、云服务器及应用,将原始程序中分支语句判断条件进行隐藏,使用控制流查询函数替代分支语句的判断条件;通过在程序中插入伪分支语句进一步混淆控制流;将所述转换程序发送至不可信的公有云,控制流矩阵发送至可信的私有云;基于所述控制流矩阵,在所述公有云上运行所述转换程序时。本发明能够隐藏每个分支语句条件的变量,避免了应用程序逻辑被外部攻击者恶意获取和利用;插入伪分支语句,增大攻击者重建程序控制流的难度;插入关系约束语句并进行数据流一致性检查,抵御了攻击者主动更改程序的运行流程,通过在程序运行过程中有目的地加入新的数据收集有效信息。

Figure 202010193086

The invention belongs to the technical field of control flow obfuscation, and discloses a program control flow obfuscation method, system, storage medium, cloud server and application, which hide the judgment conditions of branch statements in an original program, and use a control flow query function to replace the judgment of branch statements Condition; further obfuscate the control flow by inserting pseudo-branch statements in the program; send the conversion program to an untrusted public cloud, and send the control flow matrix to a trusted private cloud; based on the control flow matrix, in the public cloud When running the conversion program on the cloud. The invention can hide the variables of the condition of each branch statement, avoiding malicious acquisition and utilization of application program logic by external attackers; inserting pseudo-branch statements increases the difficulty for attackers to reconstruct the program control flow; inserting relational constraint statements and performing data flow Consistency check prevents attackers from actively changing the running process of the program, and collects effective information by purposefully adding new data during the running of the program.

Figure 202010193086

Description

程序控制流混淆方法、系统、存储介质、云服务器及应用Program control flow obfuscation method, system, storage medium, cloud server and application

技术领域technical field

本发明属于控制流混淆技术领域,尤其涉及一种程序控制流混淆方法、系统、存储介质、云服务器及应用。The invention belongs to the technical field of control flow obfuscation, and in particular relates to a program control flow obfuscation method, system, storage medium, cloud server and application.

背景技术Background technique

目前,程序代码的安全保护是计算机安全领域的一个重点研究内容。随着互联网的飞速发展和大数据时代的到来,云端计算服务越来越流行,云计算环境能够给用户带来更强的计算能力和更好的扩展性。云计算使用户能够按需租用计算资源并远程执行他们的程序。然而,当远程环境不可信时,保护程序逻辑的机密性成为重要的安全要求。At present, the security protection of program code is a key research content in the field of computer security. With the rapid development of the Internet and the arrival of the era of big data, cloud computing services are becoming more and more popular, and the cloud computing environment can bring users stronger computing power and better scalability. Cloud computing enables users to rent computing resources on demand and execute their programs remotely. However, protecting the confidentiality of program logic becomes an important security requirement when the remote environment is not trusted.

程序代码的控制流决定要执行的指令序列,直接反映了程序的逻辑。控制流混淆将程序的控制流转换为无法理解的形式,可以有效保护程序逻辑的机密性。控制流混淆是保护程序逻辑机密性的直接方法,然而,现有的控制流混淆工作主要集中在基于软件的代码混淆上,没有一种可以抵抗所有分析攻击的代码混淆方案,只能一定程度缓解对程序的逆向工程和分析,且代码混淆方案都引入的性能开销往往不满足程序执行效率要求高的场景,存在安全性和性能开销方面的局限性的问题。The control flow of the program code determines the sequence of instructions to be executed and directly reflects the logic of the program. Control flow obfuscation converts the control flow of a program into an incomprehensible form, which can effectively protect the confidentiality of program logic. Control flow obfuscation is a direct method to protect the confidentiality of program logic. However, existing control flow obfuscation work mainly focuses on software-based code obfuscation. There is no code obfuscation scheme that can resist all analysis attacks, and can only be mitigated to a certain extent. The performance overhead introduced by the reverse engineering and analysis of the program and the code obfuscation scheme often does not meet the requirements of high program execution efficiency, and there are limitations in security and performance overhead.

通过上述分析,现有技术存在的问题及缺陷为:现有的控制流混淆工作主要集中在基于软件的代码混淆上,存在安全性和性能开销方面的局限性的问题。Through the above analysis, the existing problems and defects in the prior art are: the existing control flow obfuscation work mainly focuses on software-based code obfuscation, and there are limitations in security and performance overhead.

解决以上问题及缺陷的难度和意义为:The difficulty and significance of solving the above problems and defects are as follows:

(1)应用软件属于数字资产,一旦发布之后,恶意攻击者就可以通过逆向工程对软件进行破解和重组,对核心算法进或关键功能进行剽窃牟利,而控制流混淆是保护用户程序逻辑的最直接方法;(1) Application software is a digital asset. Once released, malicious attackers can crack and reorganize the software through reverse engineering, plagiarize core algorithms or key functions for profit, and control flow obfuscation is the best way to protect user program logic. direct method;

(2)用户将程序上传到云端执行,云端的环境是不可信的,用户程序逻辑和算法面临被窃取的风险。在此场景下,控制流混淆方法要同时兼顾安全性以及时间开销;(2) The user uploads the program to the cloud for execution. The cloud environment is untrustworthy, and the user program logic and algorithm face the risk of being stolen. In this scenario, the control flow obfuscation method should take into account both security and time overhead;

(3)本发明的主要思想是将分支语句中判断条件隐藏到控制流矩阵,并将控制流矩阵上传到可信的私有云,转换后的程序上传到公有云,公有云中的程序执行到分支语句时,根据控制流矩阵在私有云中完成条件评估。(3) The main idea of the present invention is to hide the judgment condition in the branch statement into the control flow matrix, upload the control flow matrix to the trusted private cloud, upload the converted program to the public cloud, and execute the program in the public cloud to When branching statements, condition evaluation is done in the private cloud according to the control flow matrix.

(4)私有云作为可信空间有效隐藏了程序中的分支语句逻辑,能够有效保护用户程序的逻辑机密性。因此,本发明的提出对于解决云端用户程序安全性和性能开销方面的局限性的问题具有深远的实践意义。(4) As a trusted space, the private cloud effectively hides the branch statement logic in the program, and can effectively protect the logic confidentiality of the user program. Therefore, the present invention has far-reaching practical significance for solving the limitations of cloud user program security and performance overhead.

发明内容SUMMARY OF THE INVENTION

针对现有技术存在的问题,本发明提供了一种程序控制流混淆方法、系统、存储介质、云服务器及应用。In view of the problems existing in the prior art, the present invention provides a program control flow obfuscation method, system, storage medium, cloud server and application.

本发明是这样实现的,一种程序控制流混淆方法,所述程序控制流混淆方法包括:The present invention is implemented in this way, a program control flow obfuscation method, the program control flow obfuscation method includes:

第一步,分支语句隐藏,将原始程序中分支语句判断条件进行隐藏,将分支语句的判断条件转换为第一自定义函数,获得转换程序和控制流矩阵;控制流矩阵包括转换的判断条件在原程序中的唯一标识、比较运算符左右两个操作数的标识以及比较运算符;The first step is to hide the branch statement, hide the judgment condition of the branch statement in the original program, convert the judgment condition of the branch statement into the first custom function, and obtain the conversion program and the control flow matrix; the control flow matrix includes the judgment condition of the conversion in the original program. The unique identifier in the program, the identifier of the left and right operands of the comparison operator, and the comparison operator;

第二步,伪分支语句构造与插入方法,在原始语句s之前构造并插入伪分支语句,伪分支语句最终将流向s;将伪分支语句的判断条件转换为第二自定义函数,获得转换程序和控制流矩阵;控制流矩阵包括转换的判断条件在原程序中的唯一标识,以及True或者False;The second step is to construct and insert a pseudo-branch statement, construct and insert a pseudo-branch statement before the original statement s, and the pseudo-branch statement will eventually flow to s; convert the judgment condition of the pseudo-branch statement into a second custom function to obtain a conversion program and the control flow matrix; the control flow matrix includes the unique identification of the judgment condition of the conversion in the original program, and True or False;

第三步,关系约束赋值语句构造与插入,在原始分支语句b之前构造并插入约束赋值语句,构造分支语句b不可达的变量,对分支语句中的随机列表中的整型变量进行两两随机约束;The third step is to construct and insert relational constraint assignment statements, construct and insert constraint assignment statements before the original branch statement b, construct variables that are unreachable by the branch statement b, and perform pairwise randomization on the integer variables in the random list in the branch statement constraint;

第四步,关系约束赋值语句隐藏,将原始程序中赋值语句进行隐藏,将赋值语句转换为第三自定义函数,获得转换程序和控制流矩阵;控制流矩阵包括转换的在原程序中的唯一标识、被赋值操作数的标识以及赋值语句。The fourth step is to hide the relationship constraint assignment statement, hide the assignment statement in the original program, convert the assignment statement into a third custom function, and obtain the conversion program and the control flow matrix; the control flow matrix includes the converted unique identifier in the original program , the identifier of the assigned operand, and the assignment statement.

进一步,将原始程序中分支语句判断条件进行隐藏,将分支语句的判断条件转换为第一自定义函数;第一自定义函数的一参数表示当前转换的分支语句的随机列表,另一参数表示当前转换的分支语句在源程序的唯一标识;Further, the judgment condition of the branch statement in the original program is hidden, and the judgment condition of the branch statement is converted into a first self-defined function; one parameter of the first self-defined function represents a random list of currently converted branch statements, and the other parameter represents the current The unique identification of the converted branch statement in the source program;

所述第一自定义函数可以表示如下:The first custom function can be expressed as follows:

cfQuery(L(s),i(s));cfQuery(L(s), i(s));

其中,L(s)表示当前转换的分支语句的随机列表,i(s)表示当前转换的分支语句在源程序的唯一标识。Among them, L(s) represents a random list of currently converted branch statements, and i(s) represents the unique identifier of the currently converted branch statement in the source program.

进一步,所述随机列表表示原程序中所有变量形成的随机列表;随机列表中的变量包括比较运算符左右两个操作数;控制流矩阵中比较运算符左右两个操作数的标识指向随机列表中比较运算符左右两个操作数。Further, the random list represents a random list formed by all variables in the original program; the variables in the random list include the left and right operands of the comparison operator; the identifiers of the left and right operands of the comparison operator in the control flow matrix point to the random list. Comparison operators have two operands on the left and right.

进一步,所述控制流矩阵M以多元组的形式表示:Further, the control flow matrix M is represented in the form of a tuple:

第一自定义函数,M={i(s),iop1,iop2,op};The first custom function, M={i(s), iop1, iop2, op};

第二自定义函数,M={i(s),res};The second custom function, M={i(s), res};

第三自定义函数,M={i(s),iop1,iop2,op};The third custom function, M={i(s), iop1, iop2, op};

其中,i(s)表示转换的程序语句在原程序中的唯一标识,iop1和iop2表示转换的语句在原程序中的左右操作数的标识,op表示转换的程序语句在原程序中的计算的操作符,res表示转换的伪分支语句的判断条件返回的评估结果,转换的程序语句在原程序中的唯一标识用转换的程序语句在原程序中的行号表示。Among them, i(s) represents the unique identifier of the converted program statement in the original program, iop1 and iop2 represent the identifiers of the left and right operands of the converted statement in the original program, and op represents the operator of the calculation of the converted program statement in the original program, res represents the evaluation result returned by the judgment condition of the converted pseudo-branch statement, and the unique identifier of the converted program statement in the original program is represented by the line number of the converted program statement in the original program.

进一步,所述第二自定义函数的一参数表示当前分支语句的随机列表,另一参数表示当前转换的分支语句在源程序的唯一标识;Further, a parameter of the second self-defined function represents the random list of the current branch statement, and the other parameter represents the unique identifier of the currently converted branch statement in the source program;

所述第二自定义函数表示如下:The second custom function is expressed as follows:

cfQuery(L(s),i(s));cfQuery(L(s), i(s));

其中,L(s)表示当前转换的分支语句的随机列表,i(s)表示当前转换的分支语句在源程序的唯一标识;Among them, L(s) represents a random list of currently converted branch statements, and i(s) represents the unique identifier of the currently converted branch statement in the source program;

所述第三自定义函数的一参数表示当前赋值语句的随机列表,另一参数表示当前转换的赋值语句在源程序的唯一标识;A parameter of the third self-defined function represents the random list of the current assignment statement, and another parameter represents the unique identification of the assignment statement of the current conversion in the source program;

所述第三自定义函数表示:The third custom function represents:

cfQuery(L(s),i(s));cfQuery(L(s), i(s));

其中,L(s)表示当前转换的分支语句的随机列表,i(s)表示当前转换的分支语句在源程序的唯一标识。Among them, L(s) represents a random list of currently converted branch statements, and i(s) represents the unique identifier of the currently converted branch statement in the source program.

本发明的另一目的在于提供一种接收用户输入程序存储介质,所存储的计算机程序使电子设备执行权利要求任意一项所述包括下列步骤:Another object of the present invention is to provide a program storage medium for receiving user input, and the stored computer program enables the electronic device to execute any one of the claims, including the following steps:

第一步,分支语句隐藏,将原始程序中分支语句判断条件进行隐藏,将分支语句的判断条件转换为第一自定义函数,获得转换程序和控制流矩阵;控制流矩阵包括转换的判断条件在原程序中的唯一标识、比较运算符左右两个操作数的标识以及比较运算符;The first step is to hide the branch statement, hide the judgment condition of the branch statement in the original program, convert the judgment condition of the branch statement into the first custom function, and obtain the conversion program and the control flow matrix; the control flow matrix includes the judgment condition of the conversion in the original program. The unique identifier in the program, the identifier of the left and right operands of the comparison operator, and the comparison operator;

第二步,伪分支语句构造与插入方法,在原始语句s之前构造并插入伪分支语句,伪分支语句最终将流向s;将伪分支语句的判断条件转换为第二自定义函数,获得转换程序和控制流矩阵;控制流矩阵包括转换的判断条件在原程序中的唯一标识,以及True或者False;The second step is to construct and insert a pseudo-branch statement, construct and insert a pseudo-branch statement before the original statement s, and the pseudo-branch statement will eventually flow to s; convert the judgment condition of the pseudo-branch statement into a second custom function to obtain a conversion program and the control flow matrix; the control flow matrix includes the unique identification of the judgment condition of the conversion in the original program, and True or False;

第三步,关系约束赋值语句构造与插入,在原始分支语句b之前构造并插入约束赋值语句,构造分支语句b不可达的变量,对分支语句中的随机列表中的整型变量进行两两随机约束;The third step is to construct and insert relational constraint assignment statements, construct and insert constraint assignment statements before the original branch statement b, construct variables that are unreachable by the branch statement b, and perform pairwise randomization on the integer variables in the random list in the branch statement constraint;

第四步,关系约束赋值语句隐藏,将原始程序中赋值语句进行隐藏,将赋值语句转换为第三自定义函数,获得转换程序和控制流矩阵;控制流矩阵包括转换的在原程序中的唯一标识、被赋值操作数的标识以及赋值语句。The fourth step is to hide the relationship constraint assignment statement, hide the assignment statement in the original program, convert the assignment statement into a third custom function, and obtain the conversion program and the control flow matrix; the control flow matrix includes the converted unique identifier in the original program , the identifier of the assigned operand, and the assignment statement.

本发明的另一目的在于提供一种实施所述程序控制流混淆方法的程序控制流混淆系统,所述程序控制流混淆系统包括:Another object of the present invention is to provide a program control flow obfuscation system for implementing the program control flow obfuscation method. The program control flow obfuscation system includes:

伪分支语句插入模块,用于在原始语句s之前构造并插入伪分支语句,伪分支语句最终将流向s,以保证程序原本的控制流程不被篡改;The pseudo-branch statement insertion module is used to construct and insert a pseudo-branch statement before the original statement s. The pseudo-branch statement will eventually flow to s to ensure that the original control flow of the program is not tampered with;

关系约束赋值语句插入模块,用于在原始分支语句b之前构造并插入约束赋值语句,构造分支语句b不可达的变量对第一自定义函数中的随机列表中的整型变量进行两两约束;The relationship constraint assignment statement insertion module is used to construct and insert the constraint assignment statement before the original branch statement b, and construct the unreachable variables of the branch statement b to perform pairwise constraints on the integer variables in the random list in the first self-defined function;

变量隐藏模块,用于将真伪分支语句的判断条件以及关系约束赋值语句进行转换替代成控制流查询函数,获得转换程序和控制流矩阵。The variable hiding module is used to convert and replace the judgment condition of the true and false branch statement and the relationship constraint assignment statement into the control flow query function, and obtain the conversion program and the control flow matrix.

本发明的另一目的在于提供一种搭载所述程序控制流混淆系统的云服务器。Another object of the present invention is to provide a cloud server equipped with the program control flow obfuscation system.

本发明的另一目的在于提供一种实施所述程序控制流混淆方法的面向云计算场景下的控制流混淆方法,所述面向云计算场景下的控制流混淆方法包括:Another object of the present invention is to provide a control flow obfuscation method in a cloud computing scenario that implements the program control flow obfuscation method, and the control flow obfuscation method in a cloud computing scenario includes:

步骤一,伪分支语句插入,在原始语句s之前构造并插入伪分支语句,伪分支语句最终将流向s;Step 1: Insert a pseudo-branch statement, construct and insert a pseudo-branch statement before the original statement s, and the pseudo-branch statement will eventually flow to s;

步骤二,关系约束赋值语句插入,在原始分支语句b之前构造并插入约束赋值语句,构造分支语句b不可达的变量对第一自定义函数中的随机列表中的整型变量进行两两约束;Step 2, inserting a relationship constraint assignment statement, constructing and inserting a constraint assignment statement before the original branch statement b, and constructing unreachable variables of the branch statement b to perform pairwise constraints on the integer variables in the random list in the first self-defined function;

步骤三,变量隐藏,将真伪分支语句的判断条件以及关系约束赋值语句进行转换替代成控制流查询函数,获得转换程序和控制流矩阵;Step 3, variable hiding, converting and replacing the judgment condition of the true and false branch statement and the relationship constraint assignment statement into a control flow query function to obtain a conversion program and a control flow matrix;

步骤四,将转换程序和控制流矩阵发送至云端远程计算单元;转换程序存储在远程计算单元的不可信环境中,控制流矩阵存储在可信的私有云中;Step 4, sending the conversion program and the control flow matrix to the cloud remote computing unit; the conversion program is stored in the untrusted environment of the remote computing unit, and the control flow matrix is stored in a trusted private cloud;

步骤五,基于控制流矩阵,在远程计算单元中执行转换程序,转换后的分支语句以及赋值语句被移动到可信的私有云中运行,私有云内部会基于变量约束关系对传入的参数值进行一致性检查,当满足变量约束关系后,将评估结束后的数据返回远程计算单元。Step 5: Based on the control flow matrix, the conversion program is executed in the remote computing unit, and the converted branch statement and assignment statement are moved to the trusted private cloud for operation, and the private cloud will determine the incoming parameter value based on the variable constraint relationship. Consistency check is performed, and when the variable constraint relationship is satisfied, the data after the evaluation is returned to the remote computing unit.

本发明的另一目的在于提供一种实施所述面向云计算场景下的控制流混淆方法的面向云计算场景下的控制流混淆系统,所述面向云计算场景下的程序控制流混淆系统包括:Another object of the present invention is to provide a control flow obfuscation system in a cloud computing scenario that implements the control flow obfuscation method in a cloud computing scenario. The program control flow obfuscation system in the cloud computing scenario includes:

伪分支语句插入模块,用于在原始语句s之前构造并插入伪分支语句,这些伪分支语句最终将流向s,以保证程序原本的控制流程不被篡改;The pseudo-branch statement insertion module is used to construct and insert pseudo-branch statements before the original statement s. These pseudo-branch statements will eventually flow to s to ensure that the original control flow of the program is not tampered with;

关系约束赋值语句插入模块,用于在原始分支语句b之前构造并插入约束赋值语句,构造分支语句b不可达的变量对第一自定义函数中的随机列表中的整型变量进行两两约束;The relationship constraint assignment statement insertion module is used to construct and insert the constraint assignment statement before the original branch statement b, and construct the unreachable variables of the branch statement b to perform pairwise constraints on the integer variables in the random list in the first self-defined function;

变量隐藏模块,用于将真伪分支语句的判断条件以及关系约束赋值语句进行转换替代成控制流查询函数,获得转换程序和控制流矩阵;The variable hiding module is used to convert and replace the judgment condition of the true and false branch statement and the relationship constraint assignment statement into the control flow query function, and obtain the conversion program and the control flow matrix;

程序发送模块,用于将转换程序和控制流矩阵发送至远程计算单元;转换程序存储在远程计算单元的不可信环境中,控制流矩阵存储在可信的私有云中;The program sending module is used to send the conversion program and the control flow matrix to the remote computing unit; the conversion program is stored in the untrusted environment of the remote computing unit, and the control flow matrix is stored in the trusted private cloud;

程序执行模块,用于基于控制流矩阵,在远程计算单元中执行转换程序,转换后的分支语句以及赋值语句被移动到可信的私有云中运行,私有云内部会基于变量约束关系对传入的参数值进行一致性检查,当满足变量约束关系后,将评估结束后的数据返回远程计算单元。The program execution module is used to execute the conversion program in the remote computing unit based on the control flow matrix, and the converted branch statement and assignment statement are moved to the trusted private cloud for execution. Consistency check is performed on the parameter values of , and when the variable constraint relationship is satisfied, the data after the evaluation is returned to the remote computing unit.

结合上述的所有技术方案,本发明所具备的优点及积极效果为:本发明结合程序程序转换技术,通过隐藏程序中分支语句中的判断条件,插入伪分支语句,并利用上文敏感数据流一致性方法保证高控制流机密性;避免了云端执行的应用程序逻辑被外部攻击者获取和恶意篡改。Combined with all the above-mentioned technical solutions, the advantages and positive effects of the present invention are as follows: the present invention combines the program conversion technology, by hiding the judgment conditions in the branch statement in the program, inserting the pseudo branch statement, and using the above sensitive data flow consistent The secure method ensures high control flow confidentiality; avoids the application logic executed in the cloud from being acquired and maliciously tampered with by external attackers.

本发明能够隐藏每个分支语句条件的变量,避免了应用程序逻辑被外部攻击者恶意获取和利用;插入伪分支语句,增大攻击者重建程序控制流的难度;插入关系约束语句并进行数据流一致性检查,抵御了攻击者主动更改程序的运行流程,通过在程序运行过程中有目的地加入新的数据收集有效信息。The invention can hide the variables of each branch statement condition, avoid malicious acquisition and utilization of application program logic by external attackers; insert pseudo branch statements to increase the difficulty for attackers to reconstruct program control flow; insert relational constraint statements and perform data flow Consistency check prevents attackers from actively changing the running process of the program, and collects effective information by purposefully adding new data during the running of the program.

本发明结合云计算场景,通过转换每个分支语句的条件,并将其评估移动到可信的私有云环境中,保证了高控制流机密性。Combined with cloud computing scenarios, the present invention ensures high control flow confidentiality by transforming the condition of each branch statement and moving its evaluation to a trusted private cloud environment.

本发明的实验平台选择如图9所示的云计算平台,申请了一个由五台虚拟机组成Hadoop计算集群,其中包含一个主节点(Master)和四个工作节点(Slave),计算集群中的计算机安装了Ubuntu14.04系统,8g内存和500g硬盘。针对CPU 密集型应用程序,实验结果如表1所示,由表中数据可知,本发明提出的方案产生的性能开销较小。Lan等人提出使用λ演算来模拟条件指令的方案中评估每个被保护的条件平均耗时为38.19μs,而本发明提出的方案中单次cfQuery函数的计算时间平均耗时为8.31μs。本发明兼顾安全性的同时,具有较小的时间开销,可以高效的保护用户程序逻辑机密性。The experimental platform of the present invention selects the cloud computing platform as shown in Figure 9, and applies for a Hadoop computing cluster composed of five virtual machines, which includes a master node (Master) and four worker nodes (Slave). The computer is installed with Ubuntu14.04 system, 8g memory and 500g hard disk. For CPU-intensive applications, the experimental results are shown in Table 1. From the data in the table, it can be seen that the performance overhead generated by the solution proposed by the present invention is relatively small. In the scheme proposed by Lan et al. to simulate conditional instructions using λ calculus, the average time taken to evaluate each protected condition is 38.19 μs, while the average calculation time of a single cfQuery function in the scheme proposed by the present invention is 8.31 μs. While taking into account the security, the present invention has less time overhead, and can efficiently protect the logic confidentiality of the user program.

附图说明Description of drawings

图1是本发明实施例提供的程序控制流混淆方法流程图。FIG. 1 is a flowchart of a program control flow obfuscation method provided by an embodiment of the present invention.

图2是本发明实施例提供的程序控制流混淆系统的结构示意图。FIG. 2 is a schematic structural diagram of a program control flow obfuscation system provided by an embodiment of the present invention.

图3是本发明实施例的分支语句判断条件的程序变换图。FIG. 3 is a program transformation diagram of a branch statement judgment condition according to an embodiment of the present invention.

图4是本发明实施例的伪分支语句构造与插入的程序变换图。FIG. 4 is a program transformation diagram of constructing and inserting a pseudo-branch statement according to an embodiment of the present invention.

图5是本发明实施例的关系约束赋值语句构造与插入的程序变换图。FIG. 5 is a program transformation diagram of constructing and inserting a relational constraint assignment statement according to an embodiment of the present invention.

图6是本发明实施例的面向云计算场景下的控制流混淆方法流程图。FIG. 6 is a flowchart of a control flow obfuscation method in a cloud computing scenario according to an embodiment of the present invention.

图7是本发明实施例的面向云计算场景下的控制流混淆方法体系结构图。FIG. 7 is an architecture diagram of a control flow obfuscation method in a cloud computing-oriented scenario according to an embodiment of the present invention.

图8是本发明实施例的面向云计算场景下的控制流混淆系统结构图。FIG. 8 is a structural diagram of a control flow obfuscation system in a cloud computing-oriented scenario according to an embodiment of the present invention.

图中:1、伪分支语句插入模块;2、关系约束赋值语句插入模块;3、变量隐藏模块;4、伪分支语句插入模块;5、关系约束赋值语句插入模块;6、变量隐藏模块;7、程序发送模块;8、程序执行模块。In the figure: 1. Pseudo-branch statement insertion module; 2. Relationship constraint assignment statement insertion module; 3. Variable hiding module; 4. Pseudo-branch statement insertion module; 5. Relationship constraint assignment statement insertion module; 6. Variable hiding module; 7 , the program sending module; 8, the program execution module.

图9是本发明实施例的云计算平台示意图。FIG. 9 is a schematic diagram of a cloud computing platform according to an embodiment of the present invention.

具体实施方式Detailed ways

为了使本发明的目的、技术方案及优点更加清楚明白,以下结合实施例,对本发明进行进一步详细说明。应当理解,此处所描述的具体实施例仅仅用以解释本发明,并不用于限定本发明。In order to make the objectives, technical solutions and advantages of the present invention clearer, the present invention will be further described in detail below with reference to the embodiments. It should be understood that the specific embodiments described herein are only used to explain the present invention, but not to limit the present invention.

针对现有技术存在的问题,本发明提供了一种程序控制流混淆方法、系统、存储介质、云服务器及应用,下面结合附图对本发明作详细的描述。In view of the problems existing in the prior art, the present invention provides a program control flow obfuscation method, system, storage medium, cloud server and application. The present invention is described in detail below with reference to the accompanying drawings.

如图1所示,本发明提供的程序控制流混淆方法包括以下步骤:As shown in Figure 1, the program control flow obfuscation method provided by the present invention includes the following steps:

S101:伪分支语句构造与插入,在原始语句s之前构造并插入伪分支语句,这些伪分支语句最终将流向s,以保证程序原本的控制流程不被篡改;S101: construct and insert pseudo-branch statements, construct and insert pseudo-branch statements before the original statement s, and these pseudo-branch statements will eventually flow to s to ensure that the original control flow of the program is not tampered with;

S102:关系约束赋值语句构造与插入,在原始分支语句b之前构造并插入约束赋值语句,构造分支语句b不可达的变量,对分支语句中的随机列表中的变量进行两两随机约束;S102: constructing and inserting relational constraint assignment statements, constructing and inserting constraint assignment statements before the original branch statement b, constructing variables that are unreachable by the branch statement b, and performing pairwise random constraints on the variables in the random list in the branch statement;

S103:分支语句以及关系约束赋值语句隐藏,将原始程序中分支语句以及关系约束赋值语句进行隐藏,将其转换为控制流查询函数,获得转换程序和控制流矩阵。S103: Hide the branch statement and the relationship constraint assignment statement, hide the branch statement and the relationship constraint assignment statement in the original program, convert them into a control flow query function, and obtain a conversion program and a control flow matrix.

本发明提供的程序控制流混淆方法可以在用户主机上实现,原程序可以是基于三地址码的程序。The program control flow obfuscation method provided by the present invention can be implemented on a user host, and the original program can be a program based on a three-address code.

控制流矩阵M可以以多元组的形式表示如下:The control flow matrix M can be represented in the form of a tuple as follows:

第一自定义函数,M={i(s),iop1,iop2,op};The first custom function, M={i(s), iop1, iop2, op};

第二自定义函数,M={i(s),res};The second custom function, M={i(s), res};

第三自定义函数,M={i(s),iop1,iop2,op};The third custom function, M={i(s), iop1, iop2, op};

其中,i(s)表示转换的程序语句在原程序中的唯一标识,iop1和iop2表示转换的语句在原程序中的左右操作数的标识,op表示转换的程序语句在原程序中的计算的操作符,res表示转换的伪分支语句的判断条件返回的评估结果。本发明中,转换的程序语句在原程序中的唯一标识用转换的程序语句在原程序中的行号表示。Among them, i(s) represents the unique identifier of the converted program statement in the original program, iop1 and iop2 represent the identifiers of the left and right operands of the converted statement in the original program, and op represents the operator of the calculation of the converted program statement in the original program, res represents the evaluation result returned by the judgment condition of the converted pseudo-branch statement. In the present invention, the unique identification of the converted program statement in the original program is represented by the line number of the converted program statement in the original program.

本发明将原始程序中分支语句判断条件进行隐藏,将分支语句的判断条件转换为第一自定义函数;第一自定义函数的一参数表示当前转换的分支语句的随机列表,另一参数表示当前转换的分支语句在源程序的唯一标识。The present invention hides the judgment condition of the branch statement in the original program, and converts the judgment condition of the branch statement into a first self-defined function; one parameter of the first self-defined function represents a random list of currently converted branch statements, and the other parameter represents the current The unique identification of the converted branch statement in the source program.

具体的,第一自定义函数可以表示如下:Specifically, the first custom function can be expressed as follows:

cfQuery(L(s),i(s));cfQuery(L(s), i(s));

其中,L(s)表示当前转换的分支语句的随机列表,i(s)表示当前转换的分支语句在源程序的唯一标识。需要说明的是函数名cfQuery只代表一个实例,具体实现时可以是其他函数名。Among them, L(s) represents a random list of currently converted branch statements, and i(s) represents the unique identifier of the currently converted branch statement in the source program. It should be noted that the function name cfQuery only represents an instance, and it can be other function names during specific implementation.

如图2所示,本发明提供的程序控制流混淆系统包括:As shown in Figure 2, the program control flow obfuscation system provided by the present invention includes:

伪分支语句插入模块1,用于在原始语句s之前构造并插入伪分支语句,这些伪分支语句最终将流向s,以保证程序原本的控制流程不被篡改。The pseudo-branch statement insertion module 1 is used to construct and insert pseudo-branch statements before the original statement s, and these pseudo-branch statements will eventually flow to s to ensure that the original control flow of the program is not tampered with.

关系约束赋值语句插入模块2,用于在原始分支语句b之前构造并插入约束赋值语句,构造分支语句b不可达的变量对第一自定义函数中的随机列表中的整型变量进行两两约束。The relational constraint assignment statement insertion module 2 is used to construct and insert a constraint assignment statement before the original branch statement b, and construct the unreachable variables of the branch statement b to perform pairwise constraints on the integer variables in the random list in the first self-defined function .

变量隐藏模块3,用于将真伪分支语句的判断条件以及关系约束赋值语句进行转换替代成控制流查询函数,获得转换程序和控制流矩阵。The variable hiding module 3 is used to convert and replace the judgment condition of the true and false branch statement and the relationship constraint assignment statement into a control flow query function, and obtain a conversion program and a control flow matrix.

下面结合附图对本发明的技术方案作进一步的描述。The technical solutions of the present invention will be further described below with reference to the accompanying drawings.

如图3所示,如下以原程序中包括分支语句if(cfQuery(a,y,b,x),B1)goto L1进行具体说明。根据控制流矩阵,其中x和y表示分支语句的判断条件中真实变量,此第一自定义函数返回值为x>y。As shown in FIG. 3 , the original program includes the branch statement if(cfQuery(a, y, b, x), B1) goto L1 for specific description as follows. According to the control flow matrix, where x and y represent the real variables in the judgment condition of the branch statement, the return value of this first custom function is x>y.

构造与插入伪分支语句,在原始语句s之前构造并插入伪分支语句,这些伪分支语句最终将流向s,以保证程序原本的控制流程不被篡改;将伪分支语句的判断条件转换为第二自定义函数,获得转换程序和控制流矩阵;控制流矩阵包括转换的判断条件在原程序中的唯一标识,以及True或者False;所二自定义函数的一参数表示当前分支语句的随机列表,另一参数表示当前转换的分支语句在源程序的唯一标识。Construct and insert pseudo-branch statements, construct and insert pseudo-branch statements before the original statement s, and these pseudo-branch statements will eventually flow to s to ensure that the original control flow of the program is not tampered with; convert the judgment conditions of the pseudo-branch statement to the second Custom function to obtain the conversion program and control flow matrix; the control flow matrix includes the unique identification of the conversion judgment condition in the original program, and True or False; one parameter of the two custom functions represents a random list of current branch statements, and the other The parameter represents the unique identifier of the currently converted branch statement in the source program.

随机列表表示原程序中所有变量形成的随机列表;随机列表中的变量包括比较运算符左右两个操作数;控制流矩阵中比较运算符左右两个操作数的标识指向随机列表中比较运算符左右两个操作数。The random list represents a random list formed by all variables in the original program; the variables in the random list include the left and right operands of the comparison operator; the identifiers of the left and right operands of the comparison operator in the control flow matrix point to the left and right of the comparison operator in the random list two operands.

具体的,第二自定义函数可以表示如下:Specifically, the second custom function can be expressed as follows:

cfQuery(L(s),i(s));cfQuery(L(s), i(s));

其中,L(s)表示当前转换的分支语句的随机列表,i(s)表示当前转换的分支语句在源程序的唯一标识。需要说明的是函数名cfQuery只代表一个实例,具体实现时可以是其他函数名。Among them, L(s) represents a random list of currently converted branch statements, and i(s) represents the unique identifier of the currently converted branch statement in the source program. It should be noted that the function name cfQuery only represents an instance, and it can be other function names during specific implementation.

如图4所示,如下以原程序中包括分支语句if(cfQuery(a,y,b,x),B2)goto L2进行具体说明。根据控制流矩阵,此第二自定义函数返回值为false。As shown in FIG. 4 , the original program includes the branch statement if(cfQuery(a, y, b, x), B2) goto L2 for specific description as follows. According to the control flow matrix, this second custom function returns false.

构造与插入关系约束赋值语句,在原始分支语句b之前构造并插入约束赋值语句,构造分支语句b不可达的变量,对分支语句中的随机列表中的整型变量进行两两随机约束。Construct and insert relational constraint assignment statements, construct and insert constraint assignment statements before the original branch statement b, construct variables that are unreachable by the branch statement b, and perform pairwise random constraints on the integer variables in the random list in the branch statement.

关系约束赋值语句隐藏,将原始程序中赋值语句进行隐藏,将赋值语句转换为第三自定义函数,获得转换程序和控制流矩阵;控制流矩阵包括转换的在原程序中的唯一标识、被赋值操作数的标识以及赋值语句。The relationship constraint assignment statement is hidden, the assignment statement in the original program is hidden, the assignment statement is converted into a third custom function, and the conversion program and the control flow matrix are obtained; the control flow matrix includes the unique identifier of the converted original program, and the assigned operation Number identification and assignment statements.

优选的,第三自定义函数的一参数表示当前赋值语句的随机列表,另一参数表示当前转换的赋值语句在源程序的唯一标识。Preferably, one parameter of the third custom function represents a random list of current assignment statements, and another parameter represents the unique identifier of the currently converted assignment statement in the source program.

具体的,第三自定义函数可以表示如下:Specifically, the third custom function can be expressed as follows:

cfQuery(L(s),i(s));cfQuery(L(s), i(s));

其中,L(s)表示当前转换的分支语句的随机列表,i(s)表示当前转换的分支语句在源程序的唯一标识。需要说明的是函数名cfQuery只代表一个实例,具体实现时可以是其他函数名。Among them, L(s) represents a random list of currently converted branch statements, and i(s) represents the unique identifier of the currently converted branch statement in the source program. It should be noted that the function name cfQuery only represents an instance, and can be other function names during specific implementation.

如图5所示,如下以原程序中包括分支语句Ins0=cfQuery((a,y,b,x), B3)进行具体说明。根据控制流矩阵,此第三自定义函数返回值为x+y。As shown in FIG. 5 , the original program includes the branch statement Ins0=cfQuery((a, y, b, x), B3) for specific description as follows. According to the control flow matrix, the return value of this third custom function is x+y.

如图6所示,本发明提供的面向云计算场景下的控制流混淆方法包括以下步骤:As shown in FIG. 6 , the control flow obfuscation method for cloud computing scenarios provided by the present invention includes the following steps:

S601:伪分支语句插入,在原始语句s之前构造并插入伪分支语句,这些伪分支语句最终将流向s,以保证程序原本的控制流程不被篡改;S601: Inserting pseudo-branch statements, constructing and inserting pseudo-branch statements before the original statement s, and these pseudo-branch statements will eventually flow to s to ensure that the original control flow of the program is not tampered with;

S602:关系约束赋值语句插入,在原始分支语句b之前构造并插入约束赋值语句,构造分支语句b不可达的变量对第一自定义函数中的随机列表中的整型变量进行两两约束;S602: Inserting a relationship constraint assignment statement, constructing and inserting a constraint assignment statement before the original branch statement b, and constructing unreachable variables of the branch statement b to perform pairwise constraints on the integer variables in the random list in the first custom function;

S603:变量隐藏,将真伪分支语句的判断条件以及关系约束赋值语句进行转换替代成控制流查询函数,获得转换程序和控制流矩阵;S603: Variable hiding, converting and replacing the judgment condition of the true and false branch statement and the relationship constraint assignment statement into a control flow query function to obtain a conversion program and a control flow matrix;

S604:将转换程序和控制流矩阵发送至云端远程计算单元;转换程序存储在远程计算单元的不可信环境中,控制流矩阵存储在可信的私有云中;S604: Send the conversion program and the control flow matrix to the cloud remote computing unit; the conversion program is stored in the untrusted environment of the remote computing unit, and the control flow matrix is stored in a trusted private cloud;

S605:基于控制流矩阵,在远程计算单元中执行转换程序,转换后的分支语句以及赋值语句被移动到可信的私有云中运行,私有云内部会基于变量约束关系对传入的参数值进行一致性检查,当满足变量约束关系后,将评估结束后的数据返回远程计算单元。S605: Based on the control flow matrix, the conversion program is executed in the remote computing unit, and the converted branch statement and assignment statement are moved to a trusted private cloud for execution, and the input parameter value will be processed in the private cloud based on the variable constraint relationship. Consistency check, when the variable constraint relationship is satisfied, the data after the evaluation is returned to the remote computing unit.

本发明的S601至S603可以在用户主机上实现,的源程序可以是基于三地址码的程序。S601 to S603 of the present invention may be implemented on a user host, and the source program may be a program based on a three-address code.

的控制流矩阵M可以以多元组的形式表示如下:The control flow matrix M can be represented in the form of a tuple as follows:

第一自定义函数,M={i(s),iop1,iop2,op};The first custom function, M={i(s), iop1, iop2, op};

第二自定义函数,M={i(s),res};The second custom function, M={i(s), res};

第三自定义函数,M={i(s),iop1,iop2,op};The third custom function, M={i(s), iop1, iop2, op};

其中,i(s)表示转换的程序语句在原程序中的唯一标识,iop1和iop2表示转换的语句在原程序中的左右操作数的标识,op表示转换的程序语句在原程序中的计算的操作符,res表示转换的伪分支语句的判断条件返回的评估结果。本发明转换的程序语句在原程序中的唯一标识用转换的程序语句在原程序中的行号表示。Among them, i(s) represents the unique identifier of the converted program statement in the original program, iop1 and iop2 represent the identifiers of the left and right operands of the converted statement in the original program, and op represents the operator of the calculation of the converted program statement in the original program, res represents the evaluation result returned by the judgment condition of the converted pseudo-branch statement. The unique identification of the converted program statement in the original program in the present invention is represented by the line number of the converted program statement in the original program.

如图7所示,对于用户想要在公有云上执行的原始程序P,首先在用户环境将其转换为转换程序P'和控制流矩阵M。P'与P的不同之处在于每个分支语句的条件逻辑被移动到M中。转换后,P'将被上传到公有云上的云主机,并将在不受信任的区域中执行,用户需要将加密后的控制流矩阵M上传到可信的私有云。在执行P'期间,每个分支语句中的判断条件以及关系约束赋值语句将基于 M在私有云中进行评估。As shown in Figure 7, for the original program P that the user wants to execute on the public cloud, it is first converted into a conversion program P' and a control flow matrix M in the user environment. P' differs from P in that the conditional logic of each branch statement is moved into M. After conversion, P' will be uploaded to the cloud host on the public cloud and will be executed in an untrusted area, and the user needs to upload the encrypted control flow matrix M to the trusted private cloud. During the execution of P', the judgment condition in each branch statement and the relational constraint assignment statement will be evaluated in the private cloud based on M.

如图8所示,本发明提供的面向云计算场景下的程序控制流混淆系统包括:As shown in FIG. 8 , the program control flow obfuscation system for cloud computing scenarios provided by the present invention includes:

伪分支语句插入模块4,用于在原始语句s之前构造并插入伪分支语句,这些伪分支语句最终将流向s,以保证程序原本的控制流程不被篡改;The pseudo-branch statement insertion module 4 is used to construct and insert pseudo-branch statements before the original statement s, and these pseudo-branch statements will eventually flow to s to ensure that the original control flow of the program is not tampered with;

关系约束赋值语句插入模块5,用于在原始分支语句b之前构造并插入约束赋值语句,构造分支语句b不可达的变量对第一自定义函数中的随机列表中的整型变量进行两两约束;The relationship constraint assignment statement insertion module 5 is used for constructing and inserting a constraint assignment statement before the original branch statement b, and constructing the unreachable variables of the branch statement b to perform pairwise constraints on the integer variables in the random list in the first self-defined function ;

变量隐藏模块6,用于将真伪分支语句的判断条件以及关系约束赋值语句进行转换替代成控制流查询函数,获得转换程序和控制流矩阵。The variable hiding module 6 is used to convert and replace the judgment condition of the true and false branch statement and the relationship constraint assignment statement into a control flow query function to obtain a conversion program and a control flow matrix.

程序发送模块7,用于将转换程序和控制流矩阵发送至远程计算单元;转换程序存储在远程计算单元的不可信环境中,控制流矩阵存储在可信的私有云中;The program sending module 7 is used to send the conversion program and the control flow matrix to the remote computing unit; the conversion program is stored in the untrusted environment of the remote computing unit, and the control flow matrix is stored in a trusted private cloud;

程序执行模块8,用于基于控制流矩阵,在远程计算单元中执行转换程序,转换后的分支语句以及赋值语句被移动到可信的私有云中运行,私有云内部会基于变量约束关系对传入的参数值进行一致性检查,当满足变量约束关系后,将评估结束后的数据返回远程计算单元。The program execution module 8 is used to execute the conversion program in the remote computing unit based on the control flow matrix, and the converted branch statement and assignment statement are moved to the trusted private cloud to run, and the internal private cloud will transfer the data based on the variable constraint relationship. The input parameter value is checked for consistency, and when the variable constraint relationship is satisfied, the data after the evaluation is returned to the remote computing unit.

下面结合实验对本发明的技术效果作详细的描述。The technical effects of the present invention will be described in detail below in conjunction with experiments.

本发明的实验平台选择如图9所示的云计算平台,申请了一个由五台虚拟机组成Hadoop计算集群,其中包含一个主节点(Master)和四个工作节点(Slave),计算集群中的计算机安装了Ubuntu14.04系统,8g内存和500g硬盘。针对CPU 密集型应用程序,实验结果如表1所示,由表中数据可知,本发明提出的方案产生的性能开销较小。Lan等人提出使用λ演算来模拟条件指令的方案中评估每个被保护的条件平均耗时为38.19μs,而本发明提出的方案中单次cfQuery函数的计算时间平均耗时为8.31μs。本发明兼顾安全性的同时,具有较小的时间开销,可以高效的保护用户程序逻辑机密性。The experimental platform of the present invention selects the cloud computing platform as shown in Figure 9, and applies for a Hadoop computing cluster composed of five virtual machines, which includes a master node (Master) and four worker nodes (Slave). The computer is installed with Ubuntu14.04 system, 8g memory and 500g hard disk. For CPU-intensive applications, the experimental results are shown in Table 1. From the data in the table, it can be seen that the performance overhead generated by the solution proposed by the present invention is relatively small. In the scheme proposed by Lan et al. to simulate conditional instructions using λ calculus, the average time taken to evaluate each protected condition is 38.19 μs, while the average calculation time of a single cfQuery function in the scheme proposed by the present invention is 8.31 μs. While taking into account the security, the present invention has less time overhead, and can efficiently protect the logic confidentiality of the user program.

表1针对CPU密集型程序的性能消耗Table 1 Performance consumption for CPU-intensive programs

Figure RE-GDA0002525564960000121
Figure RE-GDA0002525564960000121

应当注意,本发明的实施方式可以通过硬件、软件或者软件和硬件的结合来实现。硬件部分可以利用专用逻辑来实现;软件部分可以存储在存储器中,由适当的指令执行系统,例如微处理器或者专用设计硬件来执行。本领域的普通技术人员可以理解上述的设备和方法可以使用计算机可执行指令和/或包含在处理器控制代码中来实现,例如在诸如磁盘、CD或DVD-ROM的载体介质、诸如只读存储器(固件)的可编程的存储器或者诸如光学或电子信号载体的数据载体上提供了这样的代码。本发明的设备及其模块可以由诸如超大规模集成电路或门阵列、诸如逻辑芯片、晶体管等的半导体、或者诸如现场可编程门阵列、可编程逻辑设备等的可编程硬件设备的硬件电路实现,也可以用由各种类型的处理器执行的软件实现,也可以由上述硬件电路和软件的结合例如固件来实现。It should be noted that the embodiments of the present invention may be implemented by hardware, software, or a combination of software and hardware. The hardware portion may be implemented using special purpose logic; the software portion may be stored in memory and executed by a suitable instruction execution system, such as a microprocessor or specially designed hardware. Those of ordinary skill in the art will appreciate that the apparatus and methods described above may be implemented using computer-executable instructions and/or embodied in processor control code, for example on a carrier medium such as a disk, CD or DVD-ROM, such as a read-only memory Such code is provided on a programmable memory (firmware) or a data carrier such as an optical or electronic signal carrier. The device and its modules of the present invention can be implemented by hardware circuits such as very large scale integrated circuits or gate arrays, semiconductors such as logic chips, transistors, etc., or programmable hardware devices such as field programmable gate arrays, programmable logic devices, etc., It can also be implemented by software executed by various types of processors, or by a combination of the above-mentioned hardware circuits and software, such as firmware.

以上所述,仅为本发明的具体实施方式,但本发明的保护范围并不局限于此,任何熟悉本技术领域的技术人员在本发明揭露的技术范围内,凡在本发明的精神和原则之内所作的任何修改、等同替换和改进等,都应涵盖在本发明的保护范围之内。The above are only specific embodiments of the present invention, but the protection scope of the present invention is not limited to this. Any person skilled in the art is within the technical scope disclosed by the present invention, and all within the spirit and principle of the present invention Any modifications, equivalent replacements and improvements made within the scope of the present invention should be included within the protection scope of the present invention.

Claims (10)

1.一种程序控制流混淆方法,其特征在于,所述程序控制流混淆方法包括:1. a program control flow obfuscation method, is characterized in that, described program control flow obfuscation method comprises: 第一步,分支语句隐藏,将原始程序中分支语句判断条件进行隐藏,将分支语句的判断条件转换为第一自定义函数,获得转换程序和控制流矩阵;控制流矩阵包括转换的判断条件在原程序中的唯一标识、比较运算符左右两个操作数的标识以及比较运算符;The first step is to hide the branch statement, hide the judgment condition of the branch statement in the original program, convert the judgment condition of the branch statement into the first custom function, and obtain the conversion program and the control flow matrix; the control flow matrix includes the judgment condition of the conversion in the original program. The unique identifier in the program, the identifier of the left and right operands of the comparison operator, and the comparison operator; 第二步,伪分支语句构造与插入方法,在原始语句s之前构造并插入伪分支语句,伪分支语句最终将流向s;将伪分支语句的判断条件转换为第二自定义函数,获得转换程序和控制流矩阵;控制流矩阵包括转换的判断条件在原程序中的唯一标识,以及True或者False;The second step is to construct and insert a pseudo-branch statement, construct and insert a pseudo-branch statement before the original statement s, and the pseudo-branch statement will eventually flow to s; convert the judgment condition of the pseudo-branch statement into a second custom function to obtain a conversion program and the control flow matrix; the control flow matrix includes the unique identification of the judgment condition of the conversion in the original program, and True or False; 第三步,关系约束赋值语句构造与插入,在原始分支语句b之前构造并插入约束赋值语句,构造分支语句b不可达的变量,对分支语句中的随机列表中的整型变量进行两两随机约束;The third step is to construct and insert relational constraint assignment statements, construct and insert constraint assignment statements before the original branch statement b, construct variables that are unreachable by the branch statement b, and perform pairwise randomization on the integer variables in the random list in the branch statement constraint; 第四步,关系约束赋值语句隐藏,将原始程序中赋值语句进行隐藏,将赋值语句转换为第三自定义函数,获得转换程序和控制流矩阵;控制流矩阵包括转换的在原程序中的唯一标识、被赋值操作数的标识以及赋值语句。The fourth step is to hide the relationship constraint assignment statement, hide the assignment statement in the original program, convert the assignment statement into a third custom function, and obtain the conversion program and the control flow matrix; the control flow matrix includes the converted unique identifier in the original program , the identifier of the assigned operand, and the assignment statement. 2.如权利要求1所述的程序控制流混淆方法,其特征在于,将原始程序中分支语句判断条件进行隐藏,将分支语句的判断条件转换为第一自定义函数;第一自定义函数的一参数表示当前转换的分支语句的随机列表,另一参数表示当前转换的分支语句在源程序的唯一标识;2. The program control flow obfuscation method as claimed in claim 1, wherein the branch statement judgment condition in the original program is hidden, and the judgment condition of the branch statement is converted into a first self-defined function; One parameter represents a random list of currently converted branch statements, and the other parameter represents the unique identifier of the currently converted branch statement in the source program; 所述第一自定义函数可以表示如下:The first custom function can be expressed as follows: cfQuery(L(s),i(s));cfQuery(L(s), i(s)); 其中,L(s)表示当前转换的分支语句的随机列表,i(s)表示当前转换的分支语句在源程序的唯一标识。Among them, L(s) represents a random list of currently converted branch statements, and i(s) represents the unique identifier of the currently converted branch statement in the source program. 3.如权利要求1所述的程序控制流混淆方法,其特征在于,所述随机列表表示原程序中所有变量形成的随机列表;随机列表中的变量包括比较运算符左右两个操作数;控制流矩阵中比较运算符左右两个操作数的标识指向随机列表中比较运算符左右两个操作数。3. The program control flow obfuscation method as claimed in claim 1, wherein the random list represents a random list formed by all variables in the original program; the variables in the random list include two operands left and right of a comparison operator; control The identifiers of the left and right operands of the comparison operator in the stream matrix point to the left and right operands of the comparison operator in the random list. 4.如权利要求3所述的程序控制流混淆方法,其特征在于,所述控制流矩阵M以多元组的形式表示:4. The program control flow obfuscation method of claim 3, wherein the control flow matrix M is represented in the form of a tuple: 第一自定义函数,M={i(s),iop1,iop2,op};The first custom function, M={i(s), iop1, iop2, op}; 第二自定义函数,M={i(s),res};The second custom function, M={i(s), res}; 第三自定义函数,M={i(s),iop1,iop2,op};The third custom function, M={i(s), iop1, iop2, op}; 其中,i(s)表示转换的程序语句在原程序中的唯一标识,iop1和iop2表示转换的语句在原程序中的左右操作数的标识,op表示转换的程序语句在原程序中的计算的操作符,res表示转换的伪分支语句的判断条件返回的评估结果,转换的程序语句在原程序中的唯一标识用转换的程序语句在原程序中的行号表示。Among them, i(s) represents the unique identifier of the converted program statement in the original program, iop1 and iop2 represent the identifiers of the left and right operands of the converted statement in the original program, and op represents the operator of the calculation of the converted program statement in the original program, res represents the evaluation result returned by the judgment condition of the converted pseudo-branch statement, and the unique identifier of the converted program statement in the original program is represented by the line number of the converted program statement in the original program. 5.如权利要求1所述的程序控制流混淆方法,其特征在于,所述第二自定义函数的一参数表示当前分支语句的随机列表,另一参数表示当前转换的分支语句在源程序的唯一标识;5. The program control flow obfuscation method according to claim 1, wherein a parameter of the second self-defined function represents a random list of current branch statements, and another parameter represents the currently converted branch statement in the source program. Uniquely identifies; 所述第二自定义函数表示如下:The second custom function is expressed as follows: cfQuery(L(s),i(s));cfQuery(L(s), i(s)); 其中,L(s)表示当前转换的分支语句的随机列表,i(s)表示当前转换的分支语句在源程序的唯一标识;Among them, L(s) represents a random list of currently converted branch statements, and i(s) represents the unique identifier of the currently converted branch statement in the source program; 所述第三自定义函数的一参数表示当前赋值语句的随机列表,另一参数表示当前转换的赋值语句在源程序的唯一标识;A parameter of the third self-defined function represents the random list of the current assignment statement, and another parameter represents the unique identification of the assignment statement of the current conversion in the source program; 所述第三自定义函数表示:The third custom function represents: cfQuery(L(s),i(s));cfQuery(L(s), i(s)); 其中,L(s)表示当前转换的分支语句的随机列表,i(s)表示当前转换的分支语句在源程序的唯一标识。Among them, L(s) represents a random list of currently converted branch statements, and i(s) represents the unique identifier of the currently converted branch statement in the source program. 6.一种接收用户输入程序存储介质,所存储的计算机程序使电子设备执行权利要求任意一项所述包括下列步骤:6. A program storage medium for receiving user input, the stored computer program causing the electronic device to execute any one of the claims comprising the following steps: 第一步,分支语句隐藏,将原始程序中分支语句判断条件进行隐藏,将分支语句的判断条件转换为第一自定义函数,获得转换程序和控制流矩阵;控制流矩阵包括转换的判断条件在原程序中的唯一标识、比较运算符左右两个操作数的标识以及比较运算符;The first step is to hide the branch statement, hide the judgment condition of the branch statement in the original program, convert the judgment condition of the branch statement into the first custom function, and obtain the conversion program and the control flow matrix; the control flow matrix includes the judgment condition of the conversion in the original program. The unique identifier in the program, the identifier of the left and right operands of the comparison operator, and the comparison operator; 第二步,伪分支语句构造与插入方法,在原始语句s之前构造并插入伪分支语句,伪分支语句最终将流向s;将伪分支语句的判断条件转换为第二自定义函数,获得转换程序和控制流矩阵;控制流矩阵包括转换的判断条件在原程序中的唯一标识,以及True或者False;The second step is to construct and insert a pseudo-branch statement, construct and insert a pseudo-branch statement before the original statement s, and the pseudo-branch statement will eventually flow to s; convert the judgment condition of the pseudo-branch statement into a second custom function to obtain a conversion program and the control flow matrix; the control flow matrix includes the unique identification of the judgment condition of the conversion in the original program, and True or False; 第三步,关系约束赋值语句构造与插入,在原始分支语句b之前构造并插入约束赋值语句,构造分支语句b不可达的变量,对分支语句中的随机列表中的整型变量进行两两随机约束;The third step is to construct and insert relational constraint assignment statements, construct and insert constraint assignment statements before the original branch statement b, construct variables that are unreachable by the branch statement b, and perform pairwise randomization on the integer variables in the random list in the branch statement constraint; 第四步,关系约束赋值语句隐藏,将原始程序中赋值语句进行隐藏,将赋值语句转换为第三自定义函数,获得转换程序和控制流矩阵;控制流矩阵包括转换的在原程序中的唯一标识、被赋值操作数的标识以及赋值语句。The fourth step is to hide the relationship constraint assignment statement, hide the assignment statement in the original program, convert the assignment statement into a third custom function, and obtain the conversion program and the control flow matrix; the control flow matrix includes the converted unique identifier in the original program , the identifier of the assigned operand, and the assignment statement. 7.一种实施权利要求1~5任意一项所述程序控制流混淆方法的程序控制流混淆系统,其特征在于,所述程序控制流混淆系统包括:7. A program control flow obfuscation system for implementing the program control flow obfuscation method according to any one of claims 1 to 5, wherein the program control flow obfuscation system comprises: 伪分支语句插入模块,用于在原始语句s之前构造并插入伪分支语句,伪分支语句最终将流向s,以保证程序原本的控制流程不被篡改;The pseudo-branch statement insertion module is used to construct and insert a pseudo-branch statement before the original statement s. The pseudo-branch statement will eventually flow to s to ensure that the original control flow of the program is not tampered with; 关系约束赋值语句插入模块,用于在原始分支语句b之前构造并插入约束赋值语句,构造分支语句b不可达的变量对第一自定义函数中的随机列表中的整型变量进行两两约束;The relationship constraint assignment statement insertion module is used to construct and insert the constraint assignment statement before the original branch statement b, and construct the unreachable variables of the branch statement b to perform pairwise constraints on the integer variables in the random list in the first self-defined function; 变量隐藏模块,用于将真伪分支语句的判断条件以及关系约束赋值语句进行转换替代成控制流查询函数,获得转换程序和控制流矩阵。The variable hiding module is used to convert the judgment condition of the true and false branch statement and the relationship constraint assignment statement into a control flow query function, and obtain the conversion program and the control flow matrix. 8.一种搭载权利要求7所述程序控制流混淆系统的云服务器。8. A cloud server equipped with the program control flow obfuscation system of claim 7. 9.一种实施权利要求1~5任意一项所述程序控制流混淆方法的面向云计算场景下的控制流混淆方法,其特征在于,所述面向云计算场景下的控制流混淆方法包括:9 . A control flow obfuscation method in a cloud computing scenario for implementing the program control flow obfuscation method according to any one of claims 1 to 5, wherein the control flow obfuscation method in a cloud computing scenario comprises: 步骤一,伪分支语句插入,在原始语句s之前构造并插入伪分支语句,伪分支语句最终将流向s;Step 1: Insert a pseudo-branch statement, construct and insert a pseudo-branch statement before the original statement s, and the pseudo-branch statement will eventually flow to s; 步骤二,关系约束赋值语句插入,在原始分支语句b之前构造并插入约束赋值语句,构造分支语句b不可达的变量对第一自定义函数中的随机列表中的整型变量进行两两约束;Step 2, inserting a relationship constraint assignment statement, constructing and inserting a constraint assignment statement before the original branch statement b, and constructing unreachable variables of the branch statement b to perform pairwise constraints on the integer variables in the random list in the first self-defined function; 步骤三,变量隐藏,将真伪分支语句的判断条件以及关系约束赋值语句进行转换替代成控制流查询函数,获得转换程序和控制流矩阵;Step 3, variable hiding, converting and replacing the judgment condition of the true and false branch statement and the relationship constraint assignment statement into a control flow query function to obtain a conversion program and a control flow matrix; 步骤四,将转换程序和控制流矩阵发送至云端远程计算单元;转换程序存储在远程计算单元的不可信环境中,控制流矩阵存储在可信的私有云中;Step 4, sending the conversion program and the control flow matrix to the cloud remote computing unit; the conversion program is stored in the untrusted environment of the remote computing unit, and the control flow matrix is stored in a trusted private cloud; 步骤五,基于控制流矩阵,在远程计算单元中执行转换程序,转换后的分支语句以及赋值语句被移动到可信的私有云中运行,私有云内部会基于变量约束关系对传入的参数值进行一致性检查,当满足变量约束关系后,将评估结束后的数据返回远程计算单元。Step 5: Based on the control flow matrix, the conversion program is executed in the remote computing unit, and the converted branch statement and assignment statement are moved to the trusted private cloud for operation, and the private cloud will determine the incoming parameter value based on the variable constraint relationship. Consistency check is performed, and when the variable constraint relationship is satisfied, the data after the evaluation is returned to the remote computing unit. 10.一种实施权利要求9所述面向云计算场景下的控制流混淆方法的面向云计算场景下的控制流混淆系统,其特征在于,所述面向云计算场景下的程序控制流混淆系统包括:10. A control flow obfuscation system in a cloud computing scenario for implementing the control flow obfuscation method in a cloud computing scenario according to claim 9, wherein the program control flow obfuscation system in the cloud computing scenario comprises: : 伪分支语句插入模块,用于在原始语句s之前构造并插入伪分支语句,这些伪分支语句最终将流向s,以保证程序原本的控制流程不被篡改;The pseudo-branch statement insertion module is used to construct and insert pseudo-branch statements before the original statement s. These pseudo-branch statements will eventually flow to s to ensure that the original control flow of the program is not tampered with; 关系约束赋值语句插入模块,用于在原始分支语句b之前构造并插入约束赋值语句,构造分支语句b不可达的变量对第一自定义函数中的随机列表中的整型变量进行两两约束;The relationship constraint assignment statement insertion module is used to construct and insert the constraint assignment statement before the original branch statement b, and construct the unreachable variables of the branch statement b to perform pairwise constraints on the integer variables in the random list in the first self-defined function; 变量隐藏模块,用于将真伪分支语句的判断条件以及关系约束赋值语句进行转换替代成控制流查询函数,获得转换程序和控制流矩阵;The variable hiding module is used to convert and replace the judgment condition of the true and false branch statement and the relationship constraint assignment statement into the control flow query function, and obtain the conversion program and the control flow matrix; 程序发送模块,用于将转换程序和控制流矩阵发送至远程计算单元;转换程序存储在远程计算单元的不可信环境中,控制流矩阵存储在可信的私有云中;The program sending module is used to send the conversion program and the control flow matrix to the remote computing unit; the conversion program is stored in the untrusted environment of the remote computing unit, and the control flow matrix is stored in the trusted private cloud; 程序执行模块,用于基于控制流矩阵,在远程计算单元中执行转换程序,转换后的分支语句以及赋值语句被移动到可信的私有云中运行,私有云内部会基于变量约束关系对传入的参数值进行一致性检查,当满足变量约束关系后,将评估结束后的数据返回远程计算单元。The program execution module is used to execute the conversion program in the remote computing unit based on the control flow matrix, and the converted branch statement and assignment statement are moved to the trusted private cloud for execution. Consistency check is performed on the parameter values of , and when the variable constraint relationship is satisfied, the data after the evaluation is returned to the remote computing unit.
CN202010193086.XA 2020-03-18 2020-03-18 Program control flow obfuscation method, system, storage medium, cloud server and application Pending CN111538962A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010193086.XA CN111538962A (en) 2020-03-18 2020-03-18 Program control flow obfuscation method, system, storage medium, cloud server and application

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010193086.XA CN111538962A (en) 2020-03-18 2020-03-18 Program control flow obfuscation method, system, storage medium, cloud server and application

Publications (1)

Publication Number Publication Date
CN111538962A true CN111538962A (en) 2020-08-14

Family

ID=71974972

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010193086.XA Pending CN111538962A (en) 2020-03-18 2020-03-18 Program control flow obfuscation method, system, storage medium, cloud server and application

Country Status (1)

Country Link
CN (1) CN111538962A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112199643A (en) * 2020-09-30 2021-01-08 常熟理工学院 Obfuscation method, device, device and storage medium for program flattening
CN112527307A (en) * 2020-11-18 2021-03-19 西安电子科技大学 Program control flow hiding method, system and application
CN113672922A (en) * 2021-08-17 2021-11-19 中国科学院软件研究所 Code reuse attack defense method and device based on RISC-V and O-CFI mechanism
CN113761485A (en) * 2021-08-25 2021-12-07 山东浪潮通软信息科技有限公司 Code obfuscation method, device, equipment and medium based on swift

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1447225A (en) * 2002-03-25 2003-10-08 日本电气株式会社 Disorder source program, souce program conversion method and equipment, and source conversion program
CN109614774A (en) * 2018-11-23 2019-04-12 西安电子科技大学 A method and system for program control flow obfuscation based on SGX

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1447225A (en) * 2002-03-25 2003-10-08 日本电气株式会社 Disorder source program, souce program conversion method and equipment, and source conversion program
CN109614774A (en) * 2018-11-23 2019-04-12 西安电子科技大学 A method and system for program control flow obfuscation based on SGX

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
苏翠翠: "基于SGX的程序控制流混淆技术研究" *
苏翠翠: "基于SGX的程序控制流混淆技术研究", 《中国优秀硕士学位论文全文数据库 信息科技辑》 *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112199643A (en) * 2020-09-30 2021-01-08 常熟理工学院 Obfuscation method, device, device and storage medium for program flattening
CN112527307A (en) * 2020-11-18 2021-03-19 西安电子科技大学 Program control flow hiding method, system and application
CN112527307B (en) * 2020-11-18 2023-06-20 西安电子科技大学 Method, system and application of program control flow hiding
CN113672922A (en) * 2021-08-17 2021-11-19 中国科学院软件研究所 Code reuse attack defense method and device based on RISC-V and O-CFI mechanism
CN113672922B (en) * 2021-08-17 2022-03-25 中国科学院软件研究所 Code reuse attack defense method and device based on RISC-V and O-CFI mechanism
CN113761485A (en) * 2021-08-25 2021-12-07 山东浪潮通软信息科技有限公司 Code obfuscation method, device, equipment and medium based on swift

Similar Documents

Publication Publication Date Title
Ullah et al. Towards blockchain-based secure storage and trusted data sharing scheme for IoT environment
Wang et al. A three-layer privacy preserving cloud storage scheme based on computational intelligence in fog computing
Wang et al. A blockchain-based framework for data sharing with fine-grained access control in decentralized storage systems
US11127097B2 (en) Method, apparatus, and system for copyright rights defense detection
CN111538962A (en) Program control flow obfuscation method, system, storage medium, cloud server and application
CN109074433B (en) Method and system for verifying digital asset integrity using a distributed hash table and a peer-to-peer distributed ledger
JP6877448B2 (en) Methods and systems for guaranteeing computer software using distributed hash tables and blockchain
CN106796641A (en) The end-to-end security of the hardware of software is had verified that for operation
CN111931251A (en) Credible computing chip based on block chain
CN109587146A (en) Method for managing object and system based on block chain
CN104065651A (en) A Trusted Guarantee Mechanism for Information Flow Oriented to Cloud Computing
CN115208665B (en) Germplasm resource data safe sharing method and system based on blockchain
Wang et al. A blockchain-based system for secure image protection using zero-watermark
CN114880697A (en) Block chain-based data fingerprint generation method and device and storage medium
Peng et al. Blockchain data secure transmission method based on homomorphic encryption
CN110138557A (en) Data processing equipment and data processing method
WO2022120938A1 (en) Data sharing method, system and apparatus, and device and storage medium
CN109614774B (en) Program control flow confusion method and system based on SGX
CN110138556A (en) Data processing equipment and data processing method
CN112910870A (en) Collaborative privacy computation data communication method based on block chain
CN117009931A (en) Watermarking and watermarking application methods, devices, equipment and storage medium
WO2024250834A1 (en) Encryption method and apparatus, and device and storage medium
CN114793237B (en) Smart city data sharing method, equipment and medium based on block chain technology
CN117332831A (en) Distributed neural network accelerator system
CN212966171U (en) Credible computing chip based on block chain

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200814

RJ01 Rejection of invention patent application after publication