CN108259493B - A security protocol message construction method - Google Patents

Publication number
CN108259493B
Authority
CN
China
Prior art keywords
function
message
protocol message
cell
protocol
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810040484.0A
Other languages
Chinese (zh)
Other versions
CN108259493A (en)
Inventor
孟博
鲁金钿
王德军
朱容波
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
South Central Minzu University
Original Assignee
South Central University for Nationalities
Application filed by South Central University for Nationalities
Priority to CN201810040484.0A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00: Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/06: Notations for structuring of protocol data, e.g. abstract syntax notation one [ASN.1]
    • H04L69/22: Parsing or analysis of headers
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/16: Implementing security features at a particular protocol layer
    • H04L63/168: Implementing security features at a particular protocol layer above the transport layer

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Communication Control (AREA)

Abstract

The invention discloses an efficient security protocol message construction method. First, it proposes an algorithm that parses the function marks of the security-related functions in a security protocol implementation, obtained with function hooking, and completes the parsing of those function marks. Then it proposes a model of protocol message construction and, based on that model, a security protocol message construction method. Message construction comprises locating the protocol message cell that needs to be replaced, reconstructing the output of the hooked security function, and replacing the located cell in the original protocol message. Analysing the security of security protocol implementations under the assumption that the security protocol client implementation can be obtained matches current application practice; because this method constructs security protocol messages under that assumption, it also matches current research practice. Because the invention constructs security protocol messages at the code level, the technical solution is feasible and has high accuracy and efficiency.

Description

A security protocol message construction method
Technical field
The invention belongs to the field of information security technology and relates to a security protocol message construction method, in particular to an efficient security protocol message construction method.
Background
As an important component of cyberspace security, security protocols are the key to, and the soul of, guaranteeing cyberspace security. Analysing and verifying the security of the security protocols that run in computer networks, communication networks and distributed systems, and finding their logic errors and security vulnerabilities, is therefore essential to guaranteeing cyberspace security.
Across security protocol design, the security analysis and verification of security protocol abstract specifications, and security protocol implementation (security protocol code), work has concentrated mainly on the security analysis and verification of abstract specifications, which has limited practical value. In recent years there has been growing interest in the final form a security protocol takes: its implementation. Any security protocol must be implemented before it can play its role, so analysing the security of the implementation is of great significance for guaranteeing cyberspace security. A security protocol implementation is more complex than its abstract specification, and because programmers differ in skill, there is no guarantee that logic errors or coding errors are not introduced during implementation, which may make the implementation inconsistent with its abstract specification. In addition, practice has shown many times that even a security protocol proved secure by formal methods may acquire new security problems through human error during implementation and so no longer be secure. Security analysis at the level of the abstract model alone is therefore far from enough; the security of security protocol implementations must be studied so that implementations of real practical value are obtained. This is a basic premise of guaranteeing the security of the information network space and an important component of cyberspace security. At present, security protocol implementations are understood and extracted mainly by hand. Understanding implementation code through program analysis requires an accurate grasp of its semantic features and meaning, and the limits of the prior patterns used have led to errors in understanding security protocol implementations. Furthermore, some proprietary protocols, while following their own specification, use functions such as custom encryption/decryption functions; the prior patterns built for these functions are incomplete, which makes the semantic features and specification of the implementation much harder to understand and poses a great challenge to analysing the security of security protocol implementations.
A security protocol implementation consists of two parts: the security protocol client implementation and the security protocol server implementation. Current research rests on one of three assumptions: 1. neither the client implementation nor the server implementation of the security protocol can be obtained; 2. both the client implementation and the server implementation can be obtained; 3. the client implementation can be obtained. In current real-world network security applications, researchers can almost never obtain the security protocol server implementation. Analysing the security of security protocol implementations under an assumption that requires the server implementation (whether alone or together with the client implementation) therefore has little application value or significance.
Based on the three assumptions above, security analysis of security protocol implementations currently relies mainly on program analysis (code analysis), network traces (net-trace), instruction analysis, software testing and model extraction. The related work has the following main problems:
1) the security protocol implementation is understood incompletely and inaccurately, so the analysis results are inaccurate;
2) the accuracy with which the specification of some security protocol implementations is abstracted is not high.
Summary of the invention
To solve the above technical problems, the present invention provides an efficient security protocol message construction method.
The technical solution adopted by the invention is an efficient security protocol message construction method, characterized in that a message construction model is established first, and protocol message construction is then carried out based on function marks;
To establish the message construction model, let fun() be a JavaScript function monitored by function hooking, arg the parameter of fun(), arg_m the modified parameter, S_g the output value obtained when fun() is re-executed with the modified parameter, T_n a message cell in the protocol message, M the original protocol message, and M_g the protocol message obtained after construction. The workflow of the model comprises the following sub-steps:
Step A1: replace the parameter arg in fun(arg) with arg_m to obtain the function with the modified parameter, fun(arg_m);
Step A2: re-execute fun(arg_m) to obtain the new function output S_g; S_g is used to replace the message block cell_T_n at the corresponding position among the message cells, n = 1, 2, 3, ..., N;
Step A3: locate the message block cell_T_n that needs to be replaced in message M; the new message M_g is then obtained, and M_g is the constructed message;
Protocol message construction based on function marks comprises the following sub-steps:
Step B1: parse the function marks obtained by function hooking to obtain a stack structure of function names fun_name and function parameters arg;
Step B2: modify the corresponding function parameter to obtain a new function output: take the function parameter arg and the function name fun_name from the stack structure, modify arg to obtain arg_m, then re-execute the function corresponding to fun_name to obtain the new function output S_g;
Step B3: in the intercepted client protocol message M, locate the message block cell_T_n that needs to be replaced, delete T_n from M, and embed the S_g obtained in step B2 at the original position of T_n to obtain the new message M_g, which is the constructed message; this message is sent to the security protocol server.
First, the invention parses the intercepted security protocol messages into cells and proposes a security protocol message parsing algorithm suited to practical use. The algorithm parses security protocol messages selectively: parts of a protocol message that do not need to be parsed down to minimum cells are not, which gives it high efficiency. Then, the original output of the security function is aligned with the parsed function marks in order to locate the protocol message cell that needs to be replaced; this process compares the function output with the cell blocks as complete sequences and is highly accurate. Next, starting from the security protocol implementation, function hooking is used to monitor the security-related functions of the implementation accurately, to trace them and to reconstruct their output; because the parameters, outputs and other information of the security-related functions are monitored directly in the implementation, the results are accurate. Finally, the located cell that needs to be replaced is substituted with the reconstructed security function output, which yields the constructed security protocol message; this message is sent to the security protocol server.
Throughout the process, the invention analyses and processes the security protocol implementation at the code level, parses protocol messages into minimum-unit cells and locates cells precisely, and collects, analyses and processes the minimum units relevant to the security protocol, which gives it high efficiency and accuracy.
Brief description of the drawings
Fig. 1 is the message construction model of the embodiment of the present invention;
Fig. 2 is the function mark parsing algorithm of the embodiment of the present invention;
Fig. 3 is a schematic diagram of the cell division of a protocol message in the embodiment of the present invention, taking HTTP 1.1 as an example;
Fig. 4 is a schematic diagram of locating the message block to be replaced when the security function output directly forms a protocol message block;
Fig. 5 is a schematic diagram of protocol message construction when the security function output directly forms a protocol message block;
Fig. 6 is a schematic diagram of locating the message block to be replaced when the hooked function's output forms a protocol message block after being processed by other functions;
Fig. 7 is a schematic diagram of protocol message construction when the hooked function's output forms a protocol message cell after being transformed by other functions.
Detailed description of the embodiments
To help those of ordinary skill in the art understand and implement the present invention, it is described in further detail below with reference to the drawings and embodiments. The embodiments described here only illustrate and explain the present invention and do not limit it.
To analyse the security of the implementation (the deployed protocol code) of security protocols deployed by network application systems in the B/S (browser/server) model, a message-construction-based method for analysing the security of security protocol implementations is proposed. Here, message construction means automatically generating a legitimate security protocol client message, which is sent to the security protocol server. The server's response message is then analysed, and from it the security of the security protocol implementation.
To construct protocol messages, a message construction model is established, as shown in Fig. 1.
In Fig. 1, fun is a JavaScript function monitored by function hooking, arg is the parameter of that function, arg_m is the modified parameter (Modified argument), S_g (Generated statement) is the output value (return value) obtained when fun is re-executed with the modified parameter, T_n is a message cell in the protocol message, M is the original protocol message, and M_g is the protocol message obtained after construction.
The workflow of the whole model is as follows:
(1) First, replace the parameter arg in fun(arg) with arg_m to obtain the function with the modified parameter, fun(arg_m);
(2) Then, re-execute fun(arg_m) to obtain the new function output S_g; S_g is used to replace the message block cell_T_n at the corresponding position among the message cells, n = 1, 2, 3, ..., N;
(3) Finally, locate the message block cell_T_n that needs to be replaced in message M; the new message M_g is then obtained. M_g is the constructed message, and it is sent to the security protocol server.
Based on this model, the embodiment proposes a protocol message construction method based on function marks. The method mainly solves the problem of how the message construction part (Message Generated) produces the constructed message; the constructed protocol message is then sent to the server. The main steps of the method are as follows:
(1) First, parse the function marks obtained by function hooking to obtain a stack structure of function names fun_name and function parameters arg;
(2) Then, modify the corresponding function parameter to obtain a new function output: take the function parameter arg and the function name fun_name from the stack structure, modify arg to obtain arg_m, then re-execute the function corresponding to fun_name to obtain the new function output (S_g in Fig. 1);
(3) Finally, in the intercepted client protocol message M, locate the message block cell_T_n that needs to be replaced, delete T_n from M, and embed the S_g obtained in (2) at the original position of T_n to obtain the new message M_g, which is the constructed message.
This embodiment is mainly concerned with efficient protocol message construction. The function marks obtained by function hooking are raw function mark data, whose data structure is not convenient for use by the invention. To have a more suitable data structure during protocol message construction, they need to be normalised and parsed. As Fig. 1 shows, the protocol message construction method also involves replacing message cells: before a message cell is replaced, the position of the cell that needs to be replaced must first be located, the message cell at that position is then discarded, and the new function output obtained by modifying the function parameter (S_g in Fig. 1) is embedded at the position of the deleted message cell (the position of message cell T_2 in Fig. 1). This yields the new message, M_g in Fig. 1. The protocol message construction method therefore divides into two parts: function mark parsing and message construction.
One, function mark parsing
Function mark parsing is an essential prerequisite of protocol message construction: the message construction part needs the new output of the hooked function, the new output depends on modifying the hooked function's parameters, and modifying the parameters first requires parsing the hooked function's mark to obtain its function name and parameters, from which the modified parameter arg_m is derived. In the message construction part, the new function parameter arg_m replaces the original parameter arg of the hooked function, and message construction is completed on that basis. The proposed security function mark parsing algorithm is shown in Fig. 2.
First, the execution marks of the security functions obtained by function hooking are stored in a log file. The log file is then traversed to its end (line 1 of the algorithm in Fig. 2), and each function mark read is expressed in the form of function name, function input and function output as a security function mark API_i (lines 2-3 of the algorithm in Fig. 2). If the function mark obtained (API_i in the algorithm) is not empty, it is pushed onto the stack structure that has been set up (line 6 of the algorithm in Fig. 2), until the function marks of all functions whose return value is not empty are on the stack. This completes function mark parsing; the parsing result is saved as a stack structure.
Two, protocol message construction
1, Obtaining a protocol message
Specific input data is entered in the security protocol client, and the client generates a complete protocol message. While the message is in transit, it is intercepted with a man-in-the-middle proxy (Proxy). A complete protocol message is thus obtained.
2, Parsing and dividing the protocol message into message cells
In a protocol message, a segment containing the most protocol message characters is called a protocol message section, denoted by the set P; the smallest unit in a message block is called a protocol message cell, denoted by the set T; a part of a protocol message section that consists of one or more protocol message cells, and that contains fewer protocol message characters or protocol message cells than the section, is called a protocol message block, denoted by the set B; and T ∈ B ∈ P.
After the protocol message is obtained, it must be parsed and divided into cells so that the message block cell_T_n that needs to be replaced can be located efficiently and accurately. The key problem the parsing and division must solve is the cell parsing of the protocol message, that is, identifying the end markers, delimiters and connectors in the message in order to obtain its specific cell blocks.
In a protocol message, the end-of-message character is "\r" or "\r\n"; it indicates that a protocol message has ended or breaks the protocol message into lines. Delimiters distinguish the different fields or message sections of a protocol message; a common delimiter is "/". In general, the message fields or sections from the start of the protocol message to the first delimiter form one protocol message section P, what lies between the first and second delimiters is the second protocol message section, and a message section P contains smaller protocol messages. The division of a protocol message into message sections can thus be completed according to the delimiters.
A message section P divided off by identifying the delimiters in the protocol message contains protocol message blocks B, which are usually joined by common protocol message connectors. In general, what lies between a delimiter and the adjacent connector is a protocol message block, as is the part between two connectors. Joined by connectors, such message blocks form larger protocol message blocks. Common connectors are "?", "&" and "=".
Protocol message blocks usually also contain the smallest constituent units of the whole protocol message, which this embodiment calls protocol message cells (cell). A cell contains no protocol message symbol and is a fixed string of characters; it cannot be parsed into cells any further.
In the application scenario of this embodiment, parsing protocol messages directly by the semantics of delimiters and connectors is very difficult: scanning the security protocol client implementation reveals which delimiters and connectors protocol messages use, but not the type of each symbol. In other words, scanning the protocol implementation does not reveal the semantic features of a given symbol.
The embodiment therefore parses protocol messages into cells based on the number of times each protocol message symbol occurs. First, the security protocol client implementation is scanned, the special symbols it contains are identified, and the occurrences of each symbol are counted. Then the symbols that occur more often in protocol messages are sorted in descending order, and the message blocks around the most frequent protocol symbols are separated in turn, which yields the protocol message sections P. Next, within each protocol message section, the next most frequent message symbols are identified, which yields the protocol message blocks B. Finally, protocol message symbols in B continue to be identified in order of decreasing frequency and the message blocks parsed, until all message blocks are protocol message cells. This completes the cell parsing of the protocol message.
To parse protocol messages efficiently and according to actual need, some message blocks do not have to be parsed down to the minimum cells of the protocol message during cell parsing, which improves the efficiency of the parsing method considerably. For example, in the HTTP Get protocol message of Fig. 3, the IP address "127.0.0.1" does not need to be parsed into "127", "0", "0" and "1". The IP address is a single whole in the protocol message; parsing it at cell level in practice would, on the one hand, reduce the efficiency of parsing and dividing the protocol message and, on the other hand, might cause errors in locating protocol message cells, so that the reconstructed function output could not correctly replace the cell that needs to be replaced. Suppose, for example, that the target of cell positioning is to replace "127", the value corresponding to pw in the protocol message. If the final output of the security-related function forms one of the cell blocks in the protocol message and its value is "127", the function output also matches the 127 in the IP address, and the cell holding that 127 is marked. During cell replacement the "127" field of the IP address may then be replaced, with the result that the security protocol client or the man-in-the-middle proxy fails to establish a connection with the server, or that the message construction method proposed in this embodiment fails to construct the message. To avoid such errors, in practice the embodiment does not parse and divide certain specific combinations of message cells in the protocol message. Taking HTTP 1.1 as an example, the cell parsing of a protocol message is shown in Fig. 3:
(1) Identify the end-of-message character "\r" or "\r\n" in the whole Get protocol message ("\r" indicates the end of the protocol message, while "\r\n" indicates that after one part of the protocol message ends, the rest of the message is shown on a new line); this yields a partially complete message section P of the protocol message;
(2) Parse P into cells: identifying the space character yields the parsed protocol message cell T_1 and the message block B_2 to be parsed further, where T_1 is the Get method and B_2 is the part that needs further parsing;
(3) Parse B_2 into cells: identifying the delimiter "/" yields the protocol message cell T_2 and the message block B_3 to be processed, where T_2 is the IP address, which is not parsed further here;
(4) Parse B_3 into cells: identifying the connector "?" yields the message cell T_3 and the message block B_4 to be processed. Here T_3 is login.jsp, a specific entry address, which is not parsed more finely; that is, the protocol message symbol "." is not recognised and T_3 is not parsed into "login" and "jsp". In this step, because "?" and "&" are both connectors, both can be identified at the same time. If "?" and "&" are identified in a different order during parsing, they are parsed at the same level; the intermediate results differ, but the final cell parsing result is not affected;
(5) Parse B_4 into cells: identifying the symbol "&" yields the protocol message blocks B_4 and B_5;
(6) Parse B_4 and B_5 into cells again: identifying the protocol message symbol "=" yields the protocol message cells T_4, T_5, T_6 and T_7;
(7) Combining the message blocks T_1 to T_7 obtained above yields the message blocks shown in part (b) of Fig. 3.
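The walk-through in steps (1) to (7), and the "127" mis-location it is designed to avoid, as an added example that is not code from the patent. The request line `SAMPLE`, the symbol order and all function names are constructed for illustration, and only a single request line is handled.

```javascript
// Constructed request line modelled on the Fig. 3 walk-through.
const SAMPLE = 'GET 127.0.0.1/login.jsp?user=alice&pw=127\r\n';

// Symbols in the order the steps identify them: space, "/", "?", "&", "=".
// "." is deliberately absent, so the IP address and "login.jsp" stay whole.
const SYMBOLS = [' ', '/', '?', '&', '='];

// Split one block at symbols[level], then split each piece at the next level.
// Tokens are appended to `out` in message order, each with its offset.
function splitBlock(text, offset, symbols, level, out) {
  if (level === symbols.length) {
    if (text.length > 0) out.push({ kind: 'cell', text, offset });
    return;
  }
  const sym = symbols[level];
  let start = 0;
  for (;;) {
    const i = text.indexOf(sym, start);
    const end = i === -1 ? text.length : i;
    splitBlock(text.slice(start, end), offset + start, symbols, level + 1, out);
    if (i === -1) break;
    out.push({ kind: 'sep', text: sym, offset: offset + i, level });
    start = i + sym.length;
  }
}

// Step (1): strip the end marker, then parse the section into cells.
function parseCells(message, symbols = SYMBOLS) {
  const endMark = /\r\n$|\r$/.exec(message);
  const body = endMark ? message.slice(0, endMark.index) : message;
  const tokens = [];
  splitBlock(body, 0, symbols, 0, tokens);
  if (endMark) {
    tokens.push({ kind: 'end', text: endMark[0], offset: endMark.index });
  }
  return tokens;
}

// Cell texts T_1..T_N in message order.
function cellTexts(tokens) {
  return tokens.filter((t) => t.kind === 'cell').map((t) => t.text);
}

// 1-based indices n of every cell T_n whose text equals `value`.
function locate(tokens, value) {
  const hits = [];
  let n = 0;
  for (const t of tokens) {
    if (t.kind !== 'cell') continue;
    n += 1;
    if (t.text === value) hits.push(n);
  }
  return hits;
}

// Separators are kept as tokens, so the message can be rebuilt byte for byte.
function rebuild(tokens) {
  return tokens.map((t) => t.text).join('');
}

const atomic = parseCells(SAMPLE);                      // IP address kept whole
const overSplit = parseCells(SAMPLE, [...SYMBOLS, '.']); // "." treated as a symbol

console.log(cellTexts(atomic));          // T_1..T_7
console.log(locate(atomic, '127'));      // only the pw value matches
console.log(locate(overSplit, '127'));   // the IP octet matches as well
```

With the IP address kept whole, a function output of "127" matches exactly one cell; once "." is treated as a symbol, the same output also matches the first octet of the address, which is the positioning error the text describes.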
With the above method, the cell parsing of the protocol message is complete; part (b) of Fig. 3 shows the cell parsing result. During protocol message construction, T_n must go through the step of sequence matching against the output of the hooked function and its related functions, which locates the protocol message cell block that needs to be replaced in the protocol message.
3, Positioning of the replaced protocol message cell and construction of the security function output
There are two the main purposes of the part: first, positioning to needing to be replaced protocol message cell;Second, right The output for being hooked safe function is reconstructed.Need to be replaced position of the message cell in protocol message firstly, being accurately positioned, The position is marked, and removes the protocol message cell block of the position.Then, from the letter for using function hook method to obtain Number marks, which call in parsing results, is hooked function and its parameter, and modifies its parameter, rerun the function just obtain it is new Function output;Finally, needing alternative message cell by positioning using obtained function output substitution, thus just obtain new Protocol message, the message are referred to as to construct protocol message.Protocol server end will be sent to after the construction protocol message.
The final purpose of the part is construction protocol message, and needs to complete before constructing protocol message to protocol message The middle positioning for needing to be replaced message cell, and the positioning for being replaced protocol message cell is divided into and is hooked the output of function and directly makees Two kinds of situations of protocol message cell are formed after conversion process for the output that protocol message forms cell and is hooked function to beg for By.Because, in order to meet the needs of practical situation, needing to make accordingly the output of function in actual agreements implementation process Adjustment and processing are doing hash hash, encryption and signature operation as composition protocol message cell, such as to function-output.? In latter, it is necessary first to be implemented by scanning security protocol client JavaScript, and mainly to safety-related letter Several and its correlation function is paid close attention to, and is then established function and is dealt with relationship, which only needs to consider to deal with relationship downwards, i.e., from Safety-related function starts, concern processing safe function output sequence as next function input parameter functional-link. There is following relationship between these functions:
f1→f2→...→fn
In this relation, the output of function f1 is the input of function f2, and the output of function fn-1 is the input of function fn.
3.1 The output of the hooked function is used directly as a protocol message cell
In this case, the output of the security function is used directly as a cell in the protocol message. First, the final output of the hooked function is sequence-matched, cell by cell, against the protocol message whose cell parsing has been completed, and the protocol message cell that matches is marked. Then that protocol message cell is removed from the protocol message. Finally, the reconstructed output of the hooked function takes the place of the removed protocol message cell. At this point the protocol message construction is complete. An important precondition of message construction is that the protocol message cell to be replaced is located first. When the output of the hooked function directly forms a cell of the protocol message, sequence matching the function's output sequence against the protocol message blocks whose cell parsing is complete is enough to locate the message cell to be replaced.
In this case, the hooked function and its original function parameters are first called from the function mark parsing result. The function is then executed to obtain the function output, which is sequence-matched against the message cell blocks obtained by dividing and parsing the protocol message, and the matching position is marked; the protocol message cell at the marked position is the protocol message block that needs to be replaced. The specific steps are shown in Fig. 4:
In Fig. 4, f1 is the hooked security function, arg1 is the original parameter of the function, sg1 is the output of the function when its parameter is arg1, and sg1&&Tn denotes sequence matching the output sg1 of function f1 against the divided protocol message cells, where the result true indicates a successful match. Origin message is the original protocol message, and Tn (n=1, 2, ..., n) are the message cell blocks after the protocol message is divided. If sg1 matches T2 in the figure, T2 is the protocol message block that needs to be replaced, and the cell at that position, T2, will be removed.
After the protocol message cell to be replaced has been located, the next step is to generate the constructed protocol message; the process is shown in Fig. 5:
In Fig. 5, argm is the modified parameter of function f1, and Generated Message is the constructed protocol message obtained after the protocol message cell replacement is complete.
(1) First, the hooked function f1 is called from the function mark parsing part, and the modified parameter argm replaces the original parameter arg1 as the input parameter of the function.
(2) Then f1 is re-executed to obtain the new function output sg1.
(3) Finally, sg1 replaces the located message cell block T2 in the protocol message Origin Message, which yields the constructed message, i.e. Generated Message.
In Fig. 5, regardless of how many parameters function f1 has, argm directly replaces the original parameter arg1.
3.2 The output of the hooked function forms a protocol message cell after conversion processing
In this case, the output of the hooked security function becomes a cell of the protocol message after conversion processing by related functions/methods, and locating the protocol message cell to be replaced is relatively complex. First, the code with which the security protocol client implementation generates the protocol message is scanned, and the functions and methods that process the hooked function's output are searched downward from the hooked function, which gives the function calling relationship downward from the hooked function. Then the hooked function and its parameters are called from the function mark part and executed to obtain the output of the hooked function, and, following the function calls obtained in the previous step, the output of the last function of the calling relationship is obtained. Finally, that function output is sequence-matched against the protocol message whose cell parsing has been completed, and the position of the matching protocol message cell is recorded. At this point the position of the cell that needs to be replaced in the protocol message has been located. The process is illustrated in Fig. 6:
In Fig. 6, argn (n=2, ..., n) are the parameters of the functions that have a calling relationship with the hooked function, sgn (n=2, 3, ..., n) are the output values of these functions, and sgn&&Tn denotes matching sgn against the protocol message blocks cell_Tn (n=1, 2, ..., n); the value true indicates a successful match, i.e. the message cell to be replaced in the protocol message has been located.
After the protocol message block to be replaced has been located, the next step is to complete the construction of the protocol message. Message construction in this case differs from that in the case where the hooked function's output directly forms a protocol message block. First, the hooked function and its parameters are called from the function mark parsing part, its parameters are modified, and the function is re-run to obtain a new function output value. Then this output value is passed as input to the next function of the function calling relationship, which is re-executed to obtain a new output value; that output is in turn passed as input to the next function of the calling relationship to obtain its output, and this rule is iterated until the last function of the function calling relationship. Finally, the output value of the last function replaces the message cell block to be replaced in the message, which yields the new protocol message, i.e. the constructed protocol message. The detailed process is shown in Fig. 7:
(1) First, the hooked function f1 is called from the function mark parsing part, the modified parameter argm replaces the function's original parameter arg1, and the function is re-executed to obtain the new output sg1 of f1; this output value is passed as input to the next function, f2 in the figure.
(2) Then sg1, as a parameter of f2, replaces part of f2's original parameter arg2; the function is re-executed to obtain the new output sg2, which is passed as an input parameter to the next function of the function processing relationship.
(3) Next, step (2) is repeated until the parameter of function fn is the output value of function fn-1; the output of that function, sgn, is used to replace message cell block T2 in the message Origin Message.
(4) Finally, sgn is placed at the position of message cell T2 in Origin Message, which yields the new constructed message, Generated message; this message will be sent to the security protocol server side.
In the figure above, if every function in the function calling relationship has only one parameter, the output of function fn-1 can directly replace the input parameter of function fn, so sgn-1=argn; in that case the output of the last function directly replaces the protocol message cell block to be replaced in the message, i.e. argn=T2 in the figure. If the functions in the calling relationship have two or more parameters, argm=arg1: the modified parameter of function f1 can directly replace the original parameter, while the output sgn-1 of function fn-1 can only serve as one component of the parameters of function fn, i.e., The output of the last function is used directly to replace the part of the protocol message cell to be replaced in the Origin Message message.
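The locate-and-replace flow of sections 3.1 and 3.2, together with a flat version of the symbol-based cell split, as an added JavaScript example that is not code from the patent. The `digest` helper, the key, the field names and the sample message are constructed stand-ins for a client's hash/sign functions; a chain of one function is the 3.1 case.

```javascript
// Constructed stand-in for a client-side hash/sign step (FNV-1a, 32-bit).
function digest(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// Order the protocol symbols by how often they occur, most frequent first.
function rankSymbols(message, symbols) {
  const count = s => message.split(s).length - 1;
  return symbols.slice().sort((a, b) => count(b) - count(a));
}

// Split into cells T1..Tn, keeping each symbol as its own token so the
// message can be reassembled exactly with join('').
function splitCells(message, symbols) {
  const escaped = symbols.map(s => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'));
  return message.split(new RegExp('(' + escaped.join('|') + ')'))
                .filter(token => token !== '');
}

// f1 -> f2 -> ... -> fn: each function receives the previous output.
function runChain(chain, arg) {
  return chain.reduce((value, fn) => fn(value), arg);
}

// Sequence-match the chain's final output against the cells; -1 = no match.
function locateCell(cells, output) {
  return cells.indexOf(output);
}

// Locate the cell produced from arg1, then rebuild it from argM.
function constructMessage(origin, symbols, chain, arg1, argM) {
  const cells = splitCells(origin, rankSymbols(origin, symbols));
  const index = locateCell(cells, runChain(chain, arg1));
  if (index === -1) {
    // Happens when the recorded parameter is wrong or a step in the chain
    // depends on a value that is not replayed here.
    throw new Error('no message cell matches the chain output');
  }
  const generated = cells.slice();
  generated[index] = runChain(chain, argM);
  return { index, message: generated.join('') };
}

// Constructed sample: f1 digests the input, f2 signs "sg1:ts" with a key,
// so sg1 is only one component of f2's input (the multi-parameter case).
const KEY = 'constructed-demo-key';
const TS = '1700000000';
const f1 = input => digest(input);
const f2 = sg1 => digest(KEY + '|' + sg1 + ':' + TS);
const CHAIN = [f1, f2];
const SYMBOLS = ['&', '='];
const ORIGIN = 'user=alice&ts=' + TS + '&sig=' + runChain(CHAIN, 'original-input');

const result = constructMessage(ORIGIN, SYMBOLS, CHAIN, 'original-input', 'modified-input');
console.log(ORIGIN);
console.log(result.message);
```

Only the located cell changes; every other cell and symbol of the original message is carried over unchanged.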
It should be understood that the parts not elaborated in this specification belong to the prior art.
It should be understood that the above description of the preferred embodiment is relatively detailed and should not therefore be regarded as limiting the scope of patent protection of the invention. Those skilled in the art, under the inspiration of the present invention and without departing from the scope protected by the claims of the present invention, may make replacements or variations, all of which fall within the protection scope of the present invention; the scope of protection claimed by the present invention is determined by the appended claims.

Claims (7)

1. A secure protocol message building method, characterized in that: a message construction model is established first, and protocol message construction is then carried out based on function marks;
Establishing the message construction model: first, let fun() be the JavaScript function monitored by the function hook method, arg the parameter of fun(), argm the modified parameter, Sg the output value obtained by re-executing fun() with the modified parameter, Tn a message cell in the protocol message, M the original protocol message, and Mg the protocol message obtained after construction; the workflow of the model then comprises the following sub-steps:
Step A1: replace the parameter arg in fun(arg) with argm to obtain the function with the modified parameter, fun(argm);
Step A2: re-execute fun(argm) to obtain the new function output Sg; Sg is used to replace the message block cell_Tn at the corresponding position among the message cells, n=1,2,3..., N;
Step A3: locate in message M the message block cell_Tn that needs to be replaced; the new message Mg is then obtained, and the message Mg is the constructed message;
Carrying out protocol message construction based on function marks, the specific implementation of which comprises the following sub-steps:
Step B1: parse the function marks obtained by the function hook method to obtain a stack structure of the function name funname and the function parameter arg;
Step B2: modify the corresponding function parameter to obtain a new function output: call the function parameter arg and the function name funname in the stack structure, modify arg to obtain argm, and then re-execute the function corresponding to funname to obtain the new function output Sg;
Step B3: in the intercepted client protocol message M, locate the message block cell_Tn that needs to be replaced, delete Tn from message M, and embed the Sg value obtained in step B2 at the original position of Tn to obtain the new message Mg, which is the constructed message; the message is sent to the security protocol server side.
2. The secure protocol message building method according to claim 1, characterized in that parsing the function marks obtained by the function hook method in step B1 comprises the following sub-steps:
Step B1.1: store the function marks of the security functions obtained by the function hook method in a log file;
Step B1.2: traverse the log file until the end of the file; each function mark read is expressed, in the form of function name, function input and function output, as the corresponding security function mark, APIi;
Step B1.3: if an obtained function mark is not empty, it is stored in the established stack structure, until the function marks of all functions whose return value is not empty have been stored in the stack.
3. The secure protocol message building method according to claim 1, characterized in that the specific implementation of step B3 comprises the following sub-steps:
Step B3.1: obtain a protocol message;
Specific input data is entered in the security protocol client, and the client generates a complete protocol message; while it is being transmitted, the message is intercepted with a man-in-the-middle proxy (Proxy), which yields a complete protocol message;
Step B3.2: parse and divide the protocol message to obtain message cells;
In a protocol message, a section containing the most protocol message characters is called a protocol message section, denoted as set P; the smallest unit in a message block is called a protocol message cell, denoted as set T; a part of a protocol message section that is made up of one or more protocol message cells, and that contains fewer protocol message characters or protocol message cells than the protocol message section, is called a protocol message block, denoted as set B; and T ∈ B ∈ P;
After the protocol message is obtained, a cell parsing and division operation is carried out on it to locate the message block cell_Tn that needs to be replaced in the protocol message, i.e. the end marks, delimiters and connectors in the protocol message are identified in order to obtain the specific cell blocks of the protocol message;
Step B3.3: locate the protocol message cell to be replaced and reconstruct the security function output;
First, the position in the protocol message of the message cell to be replaced is located, the position is marked, and the protocol message cell block at that position is removed; then the function and its parameters are called from the parsing result of the function marks obtained by the function hook method, its parameters are modified, and the function is re-run to obtain a new function output; finally, the obtained function output replaces the located message cell, which yields a new protocol message, and this message is the constructed protocol message.
4. The secure protocol message building method according to claim 3, characterized in that: in step B3.2, after the protocol message is obtained, the cell parsing and division operation is carried out on the message, and the cell parsing of the protocol message is based on the number of times each protocol message symbol occurs in the protocol message; the specific implementation comprises the following sub-steps:
Step B3.2.1: scan the security protocol client implementation, identify the specific protocol message symbols contained in the implementation, and count the number of times each symbol occurs;
Step B3.2.2: arrange the protocol message symbols occurring in the protocol message in descending order of their number of occurrences, and separate in turn the message blocks around the protocol symbols with the most occurrences, which yields the protocol message sections P;
Step B3.2.3: within each protocol message section, identify again the message symbols with the most occurrences, which yields the protocol message blocks B;
Step B3.2.4: within B, continue to identify the protocol message symbols with relatively many occurrences and parse the message blocks, until all message blocks are minimum units of the protocol message, which completes the cell parsing of the protocol message.
5. The secure protocol message building method according to claim 3, characterized in that: in step B3.3, before the protocol message is constructed, the message cell to be replaced must be located in the protocol message, and locating the protocol message cell to be replaced is divided into two cases: the output of the hooked function is used directly as a protocol message cell, and the output of the hooked function forms a protocol message cell after conversion processing;
Where the output of the hooked function is used directly as a protocol message cell, the specific implementation process is: first, the final output of the hooked function is sequence-matched, cell by cell, against the protocol message whose cell parsing has been completed, and the protocol message cell that matches is marked; then the matched protocol message cell is removed from the protocol message; finally, the reconstructed output of the hooked function takes the place of the removed protocol message cell, and the protocol message construction is complete;
Where the output of the hooked function forms a protocol message cell after conversion processing, the specific implementation process is: the hooked function and its parameters are called from the function mark parsing part, its parameters are modified, and the function is re-run to obtain a new output value; then this output value is passed as input to the next function of the function calling relationship, which is re-executed to obtain a new output value; that output is in turn used as the input of the next function of the calling relationship to obtain its output, and this rule is iterated until the last function of the function calling relationship; finally, the output value of the last function replaces the message cell block to be replaced in the message, which yields the new protocol message, i.e. the constructed protocol message.
6. The secure protocol message building method according to claim 5, characterized in that: in step B3.3, when the output of the hooked function is used directly as a protocol message cell, the precondition is that the protocol message cell to be replaced is located in the protocol message first; first, the hooked function and its original function parameters are called from the function mark parsing result; then the function is executed to obtain the function output, which is sequence-matched against the message cell blocks obtained by dividing and parsing the protocol message, and the matching position is marked; the protocol message cell at the marked position is the protocol message block that needs to be replaced.
7. The secure protocol message building method according to claim 5, characterized in that: in step B3.3, when the output of the hooked function forms a protocol message cell after conversion processing, the precondition is that the protocol message cell to be replaced is located in the protocol message first; first, the code with which the security protocol client implementation generates the protocol message is scanned, and the functions and methods that process the hooked function's output are searched downward from the hooked function, which gives the function calling relationship downward from the hooked function; then the hooked function and its parameters are called from the function mark part and executed to obtain the output of the hooked function, and, following the function calls obtained, the output of the last function of the calling relationship is obtained; finally, that function output is sequence-matched against the protocol message whose cell parsing has been completed, and at the same time the position of the matched protocol message cell is recorded.
CN201810040484.0A 2018-01-16 2018-01-16 A kind of Secure protocol message building method Active CN108259493B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810040484.0A CN108259493B (en) 2018-01-16 2018-01-16 A kind of Secure protocol message building method

Publications (2)

Publication Number Publication Date
CN108259493A CN108259493A (en) 2018-07-06
CN108259493B true CN108259493B (en) 2019-09-10


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant