2022 Client-Side Security Risk Control Technology (2022客户端安全风控技术, 45-page deck)
Risk-control technology: the client-side security dilemma

- Public material is more or less lacking.
- Traditional schemes are old, the attack floor is low, and the arms race is hard to sustain.
- Efficiency, stability and trustworthiness lack large-scale validation.
- Security, tuning and compliance are hard to coordinate.
- The real environment is extremely complex; there is no silver bullet.
- Security matters, but business comes first.
- Principle of minimization: privacy must not be violated.
- Not every design behaves as expected, there is no "once and for all" solution, and the live network teaches you humility.

Execution-flow design of an "island"

- Build a heterogeneous call stack and steer the function's execution flow.
- Conditions that make an island feasible: arguments are (ideally) passed in registers, and the stack backtrace is implemented in a simple way.

AAPCS (ARM Architecture Procedure Call Standard), as followed by clang-compiled code (GCC is not supported by this scheme):

- In 32-bit ARM assembly a subroutine receives its arguments in R0-R3 on entry and returns its result in R0 (and R1) on exit.
- ARM mode: register R11 is the frame pointer.
- Thumb mode (the default): register R7 is the frame pointer. (The slides call R7/R11 the "stack top"; the prologue below shows it is the frame base that `push {r7, lr}; mov r7, sp` establishes, while SP itself moves on by the size of the locals.)

Test program (native-lib.cpp):

    __attribute__((noinline)) unsigned int func_1(unsigned int p1, bool p2) {
        pid_t pid = 0;
        if (p2) pid = getpid();
        return (p1 + pid);
    }

    __attribute__((noinline)) void test_main() {
        unsigned long ret = func_1(3, true);
        return;
    }

    extern "C" void _init(void) {
        test_main();
    }

Register passing, observed in lldb: test_main loads the two arguments into r0 and r1, calls func_1 and stores r0 as the result.

    (lldb) dis -p
    libnative-lib.so`test_main:
    0x8d16eef8: movs r0, #0x3
    0x8d16eefa: movs r1, #0x1
    0x8d16eefc: bl   libnative-lib.so`func_1
    0x8d16ef00: str  r0, [sp, #0x4]
    (lldb) call (void*)getpid()
    (void *) $0 = 0x00000c9b
    (lldb) p/x ((int)$0 + 3)
    (int) $1 = 0x00000c9e
    (lldb) reg read r0
          r0 = 0x00000c9e

r0 after the call equals 3 + getpid(), i.e. func_1 handed its return value back in R0 exactly as AAPCS prescribes.

Prologue and epilogue of func_1 in Thumb, with the x86 build of the same function beside it:

    (lldb) dis -a $pc
    libnative-lib.so`func_1:
    0x8d1cde8c: push {r7, lr}               0xb3642d90: pushl %ebp
    0x8d1cde8e: mov  r7, sp                 0xb3642d91: movl  %esp, %ebp
    0x8d1cde90: sub  sp, #0x18              0xb3642d93: pushl %ebx
    ...                                     ...
    0x8d1cdebe: add  sp, #0x18              0xb3642de5: popl  %ebx
    0x8d1cdec0: pop  {r7, pc}               0xb3642de6: popl  %ebp
                                            0xb3642de7: retl

Resulting frame layout (low address on the left):

    sp                       r7 (ebp)
    |                        |
    [ locals, 0x18 bytes ][ saved r7 / ebp ][ saved lr / return address ] ... high address

So [r7] holds the caller's frame pointer and [r7 + 4] holds the return address into the caller; following [r7] walks the call chain.

Backtrace by hand, following the r7 chain:

    (lldb) bt
    * thread #1, name = 'com.test', stop reason = breakpoint 1.1
        frame #0: 0x8d1c7ea0 libnative-lib.so`func_1(p1=3, p2=true) at native-lib.cpp:26
        frame #1: 0x8d1c7ed0 libnative-lib.so`test_main() at native-lib.cpp:33
        frame #2: 0x8d1c7eee libnative-lib.so`_init() at native-lib.cpp:42
        frame #3: 0xb6f7e72e linker
    (lldb) reg read r7
          r7 = 0xbef22550
    (lldb) mem read 0xbef22550 -c 8
    0xbef22550: 60 25 f2 be d1 7e 1c 8d
    (lldb) p/x (0x8d1c7ed1 & ~0x1)
    (unsigned int) $0 = 0x8d1c7ed0
    (lldb) mem read 0xbef22560 -c 8
    0xbef22560: 78 25 f2 be ef 7e 1c 8d
    (lldb) p/x (0x8d1c7eef & ~0x1)
    (unsigned int) $1 = 0x8d1c7eee

At r7 = 0xbef22550 the first word is test_main's r7 (0xbef22560) and the second is the saved LR 0x8d1c7ed1; clearing bit 0 (the Thumb state bit) gives 0x8d1c7ed0, which is frame #1. Repeating the read at 0xbef22560 yields 0x8d1c7eef, and 0x8d1c7eee is frame #2 (_init). An fp-based unwinder is therefore nothing more than "read [fp + 4], then fp = [fp]" in a loop, which is what makes the island cheap to build.

Island implementation on arm32: the island unpacks its real parameters, calls the target, and before returning rewrites its own frame so that the r7 chain ends at the island and the saved return address points wherever the island wants the caller to appear:

    // fp is the island's own frame pointer (r7); jumped_pc is the forged return address
    StData *p_data = (StData *)args[0];
    JavaVM *vm = (JavaVM *)p_data->p0_;
    ...
    // return result
    // clear the original backtrace
    *(unsigned long *)(fp) = 0;
    // set old LR to new LR
    *(unsigned long *)(fp + sizeof(void *)) = (unsigned long)jumped_pc;

Applied to JNI_OnLoad: a destructor-priority trampoline receives the packed arguments, unpacks the JavaVM pointer and jumps into JNI_OnLoad.

    __attribute__((destructor(201))) void jump_JNI_OnLoad(void *args) {   // args: 0x8d1cd178
        // get the parameters
        stData *p_data = (stData *)args;
        JavaVM *vm = p_data->p0_;
        JNIEnv *env = NULL;
        jint result;
        ...
        // jump JNI_OnLoad
        ...
    }

Stopped on a breakpoint inside JNI_OnLoad after the frame rewrite, the recorded backtrace is:

    (lldb) bt
    * thread #1, name = 'com.czl.labxx', stop reason = breakpoint 2.1
        frame #0: 0x8d1c480c libczl.lab0.9.so`JNI_OnLoad(vm=0xb722fd0, reserved=...) at jniMain.cpp:154

Stopped inside the trampoline itself, before the rewrite, the real chain is still visible:

    (lldb) bt
    * thread #1, name = 'com.czl.labxx', stop reason = breakpoint 1.1
        frame #0: 0x8d1c4560 libczl.lab0.9.so`jump_JNI_OnLoad(args=0x8d1cd178)
        frame #1: 0x8d1cd178 libczl.lab0.9.so`... at jniMain.cpp:62

The trampoline and its caller are absent from the first backtrace because the island zeroed the saved r7 and replaced the saved LR. Two caveats a practitioner should keep in mind: only unwinders that follow the r7 chain are affected, since an unwinder driven by .eh_frame/DWARF CFI never consults the saved r7 and can reconstruct the hidden frames; and the forged LR must point into valid, mapped, symbolized code, or the lie is obvious in any backtrace.
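The r7-chain walk and the island's frame rewrite, as an added example that is not part of the original slides or the author's code. It replays the stack words lldb dumped above inside a constructed 32-bit stack image (so it runs on any host; on a real arm32 Thumb build one would start from `__builtin_frame_address(0)`, which is r7), walks the chain the way the manual `mem read` / `p/x (... & ~0x1)` session does, then applies the island's two stores and walks again. The forged return address ISLAND_JUMPED_PC, the window size and all function names are assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stack window captured in the lldb session: 8 words starting at the r7 value
 * reported for func_1 (0xbef22550). The two `mem read` lines give the content. */
#define STACK_BASE   0xbef22550u
#define STACK_WORDS  8
#define FP_FUNC1     0xbef22550u

/* Hypothetical forged return address for the island (not given on the page):
 * bit 0 set because the target is Thumb code, like every saved lr we read. */
#define ISLAND_JUMPED_PC 0x8d1c4561u

/* Offsets produced by the clang Thumb prologue `push {r7, lr}; mov r7, sp`. */
#define SAVED_FP_OFF 0
#define SAVED_LR_OFF 4

typedef struct {
    uint32_t base;
    uint32_t words[STACK_WORDS];
} stack_image;

/* Pointer to the 32-bit word at a guest address, or NULL if it is outside the
 * window or misaligned (where a real walk would fault or read garbage). */
static uint32_t *slot(stack_image *s, uint32_t addr) {
    if (addr & 3u) return NULL;
    if (addr < s->base || addr - s->base >= 4u * STACK_WORDS) return NULL;
    return &s->words[(addr - s->base) / 4u];
}

/* Rebuild the stack exactly as lldb showed it (constructed from the page's dump). */
static void build_image(stack_image *s) {
    memset(s, 0, sizeof *s);
    s->base = STACK_BASE;
    /* 0xbef22550: 60 25 f2 be d1 7e 1c 8d  -> func_1's frame */
    *slot(s, 0xbef22550u) = 0xbef22560u;   /* caller's r7 (test_main) */
    *slot(s, 0xbef22554u) = 0x8d1c7ed1u;   /* saved lr into test_main, Thumb bit set */
    /* 0xbef22560: 78 25 f2 be ef 7e 1c 8d  -> test_main's frame */
    *slot(s, 0xbef22560u) = 0xbef22578u;   /* caller's r7 (_init) */
    *slot(s, 0xbef22564u) = 0x8d1c7eefu;   /* saved lr into _init */
    /* _init's frame at 0xbef22578 was not dumped, so the walk must stop there. */
}

/* fp-chain backtrace: return addresses with the Thumb bit cleared, like
 * `p/x (0x8d1c7ed1 & ~0x1)`. Stops at a zero/non-ascending fp or at the window edge. */
static int walk_frames(stack_image *s, uint32_t fp, uint32_t *out, int max) {
    int n = 0;
    while (n < max) {
        uint32_t *saved_fp = slot(s, fp + SAVED_FP_OFF);
        uint32_t *saved_lr = slot(s, fp + SAVED_LR_OFF);
        if (!saved_fp || !saved_lr) break;
        out[n++] = *saved_lr & ~1u;
        if (*saved_fp == 0 || *saved_fp <= fp) break;  /* chain terminated */
        fp = *saved_fp;
    }
    return n;
}

/* The island's two stores from the slide: zero the saved fp so the chain ends
 * here, and replace the saved lr with the address the island wants to appear. */
static void island_rewrite(stack_image *s, uint32_t fp, uint32_t jumped_pc) {
    *slot(s, fp + SAVED_FP_OFF) = 0;
    *slot(s, fp + SAVED_LR_OFF) = jumped_pc;
}

/* Number of caller frames recovered from func_1's r7, before (apply_island == 0)
 * or after the island rewrite. */
static int frame_count(int apply_island) {
    stack_image s; uint32_t pcs[STACK_WORDS];
    build_image(&s);
    if (apply_island) island_rewrite(&s, FP_FUNC1, ISLAND_JUMPED_PC);
    return walk_frames(&s, FP_FUNC1, pcs, STACK_WORDS);
}

/* k-th recovered return address (0 if the chain is shorter than k + 1). */
static uint32_t return_address(int apply_island, int k) {
    stack_image s; uint32_t pcs[STACK_WORDS];
    build_image(&s);
    if (apply_island) island_rewrite(&s, FP_FUNC1, ISLAND_JUMPED_PC);
    int n = walk_frames(&s, FP_FUNC1, pcs, STACK_WORDS);
    return (k >= 0 && k < n) ? pcs[k] : 0;
}

int main(void) {
    for (int island = 0; island < 2; island++) {
        int n = frame_count(island);
        printf("%s: %d caller frame(s)\n", island ? "after island rewrite" : "original chain", n);
        for (int k = 0; k < n; k++)
            printf("  frame #%d: 0x%08x\n", k + 1, return_address(island, k));
    }
    return 0;
}
```

Before the rewrite the walk yields the two callers lldb listed (0x8d1c7ed0 for test_main, 0x8d1c7eee for _init) and stops where the captured window ends; after it, the chain is a single forged frame. On a real arm32 target the only change is reading memory instead of the simulated image, and the same walk is what an .eh_frame-driven unwinder does not perform, which is why the rewrite does not fool it.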