2022客户端安全风控技术.docx

风控技术客户端安全难题困扰公开资料或多或少存在不足传统方案老，攻击下限底，对抗难度大;效率、稳定、可信等缺乏大量验证安全、调优、合规J办同难度高现实环境极其复杂，没有银色子弹安全固重要，业务更优先；最小化原则，不可侵犯隐私并非所有设计都能符合预期；没有“一劳永逸”的解决方案;"现网教你做人"孤岛的执行流程设计异构调用栈，操控函数的执行流程实现孤岛的可行性条件（最好）使用寄存器传参栈回溯实现方式简单在arr32位汇编中：进入子函数时，使用R0R3传参；退出子函数时，使用RO（R1）表示返回值AAPCS（ARMArchitectureProcedureCallStandard）:C1.ANG编译（GcC不支持）ARM模式：寄存器Rll表示栈顶ThUmb模式（默认）：寄存器R7表示栈顶在arm32位汇编中：进入子函数时，使用R0R3传参；退出子函数时,使用RO(R1)表示返回值(Ildb)dis-p1ibnative-lib.so'test_main:_attribute_(noinline)unsignedintfunc_l(unsignedintpl,boolp2)pid_tpid=O;讦92)pid=getpid();return(pl+pid);)->0x8dl6eef8Ox8dl6eefa0x8dl6eefc0x8dl6ef00<+6>:<+8>:<+10>:<+14>:movsmovsbl×strr,#0x3rl,#0x1Iibnative-1ib.sofunc_lr,spl#0x4_attribute_(noinline)voidtest_main()unsignedlongret=func_l(3,true);return;(Ildb)call(void*)getpid(void*)$0=0x00000c9b(Hdb)p/x(int)($0)+3)(int)$1=0×00000c9e(Ildb)dis-p1ibnative-1ib.sotest_main:0x8dl6eefc<+10>:blx0x8dl6ef00<+14>:StrIibnative-1ib.so_func_lr,sp,#0x4(Ildb)regreadrr=0×00000c9eAAPCS（ARMArchitectureProcedureCallStandard）:C1.ANG编译（GCC不支持）ARM模式：寄存器Rll表示栈顶(Ildb)dis-aSpclibnafive-lib.so'func_l:ThUmb模式（默认）：寄存器R7表示栈顶0x8dlcde8c<+0>:pushr7,-lr)0xb3642d90<+0>:pushl0x8dlcde8e<+2>:movr7,三P0xb3642d91<+l>:movl0x8dlcde90<+4>:subsp，#0x180xb3642d93<+3>:pushl/./.0×8dlcdebe<+50>:addsp.#0x180xb3642de5<+85>:POPl0×8dlcdec0<+52>:POP(r7l,pc0×b3642de6<+86>:PoPl0xb3642de7<+87>:retl%ebx%ebp(Ildb)dis-aSpcflibnative-lib.so'func_l:%ebp%esp,%ebp%eb×AAPCS(ARMArchitectureProcedureCallStandard):C1.ANG编译(GCC不支持)ARM模式：寄存器Rll表示栈顶ThUmb模式（默认）：寄存器R7表示栈顶(Ildb)CKS-aSpcIibnative-Iib.so'func_l:0×8dlcde8c<+0>:push0×8dlcde8e<+2>:mov0x8dlcde90<+4>:sub/.0×8dlcdebe<+50>:add0x8dlcdec0<+52>:POPr7flr)r7,spsp,#0x18sp,#0x18r7,pc)0xb3642d90<+0>:pushl0xb3642d91<+l>:movl0×b3642d93<+3>:pushl/.0×b3642de5<+85>:POPl0×b3642de6<+86>:POPl0×b3642de7<+87>:retl(Ildb)dis-aSpcflibnafive-lib.so'func_l:%ebp%esp,%ebp%ebx%eb×%ebp1.owAddressR7(ebp)Higharm32汇编示_attribute_(noinline)unsignedintfunc_l(unsignedintpllboolp2)pid_tpaid=0;if(p2)pid=getpid();return(pl+pid);_attribute_(noinline)voidtest_main()unsignedlongret=func_l(3,true);return;extern"C"void_init(void)test_main();现# 0:0×8dlc7ea0libnafive-lib.so'funcl(pl=3tp2=true)atnative-lib.cpp:26# 1:0×8dlc7ed011bnative-1ib.so'test-fnain()atnative-lib.cpp:33# 2:0x8dlc7eeeIibnative-Iib-So':三init()atnative-lib.cpp:42# 3:0xb6f7e72elinker(Ildb)btathread#1,name='com.test,lstopreason=breakpoint1.14frameframeframeframe(Ildb)regreadr7r7三OXbef22550(Ildb)memread.0xbef22550-C8OXbef22550:6025f2bedl7eIc8d(Ildb)p/x(0x8dlc-edl&-0xl)(unsignedint)$0=IOx8dlc7edOI(Ildb)memread0xbef22560-c8O×bef22S6O:7825f2beef7eIc8d(Ildb)p/x(0×8dlcefef&-0xl)(unsignedint)$1-IOXSdI<efee(Ildb)memreadOxbef22578-c8Oxbef22578:78c6f8b62fe7f7b6(Ildb)p/x(0xb6f7e72f&0xl)(unsignedint)$2=1xb6f7o72oI1.owAddressarm32汇编示例异构栈编码JN1.on1.Oad函数需要跳转的新函数获取原始的栈信息并保存获取需要跳转的新函数入口清空原始栈顶，重置函数返回地址并设置为需要跳转的新函数入口函数返回二寄存器Ro既作为返回值又作为下一个函数的第一个参数return(nt)(void*)(&g_st_data);unsignedlongfp;_asm_volatile_(11mov%0,r7n',:,三r,'(fp);g-st.data.fp_=6(unsignedlongft)(fp);g_st_data.lr一=a(unsignedIOnga)(fpSizeof(void*);/cleartheoriginalbacktracec,(unsignedlong-)(fp)*(unsgnedlong*)(fpSizeof(void*)(unsignedlong)umped.pc;从第一个参数中读取原始栈信息,以及用于初始化的其它参数执行完成原计划的预设功能还原原始栈信息函数返回，将跳转到JN1.On1.Oad原本应该返回的地址，继续施行工作fr(unsignedlong*)(fp)=p-data->fp_:(unsignedlong*)(fp+szeof(void6)StData*p.data二(stData*)argsO;JavaVM-vm二(JavaVM*)p-data->p0_;arm32汇编示U"returnresult./cleartheoriginalbacktrace(unsignedlong*)(fp)-0;/setold1.Rtonew1.R(unsignedIOng0(fp+sizof(void*),(unsignedIOnR)junped_pc.rtum5nt)(void#(&g_st_data).fJN1.OnIoad-'三Variables*1.1.DB-),(Ildb)bt.*thread«1,name'corn.czl.labxx'fram«0:0x8dlc480cIibcsl.labstopreason-breakpoint2.1o.9.so:JNI-On1.oad(%三OxbT22fdO,rsrv<d三OxOOOOOOOO)atjni>tein.cpp:154arm32汇gIII1.l1._attribut_(<destructor(201)op-JNIeOn1.oad(oidargs)args:OxSdlcdl78/<etthePiraffletersstDatap.data(stData*)args;OxSdlcd!"SJavaVMvm<JavaVK)p.data->pO.;怙：DMbOedoJKIEcv.Qny.NU1.1.jinxresult;fjumpJNI_On1.oad三Variables-eElIlDB'pJI)bt-thread三1.nan*,cc0.csl.labxx',stoprasonbreakpoint1.1frwo9三0:0x8dlc4560Iibczl.Iabo.9.sojiap.JNI.On1.oacKjirgsOOxScllcdlTS)frame三1:0x8dlcdl78Iibesl.labo.9.so'i-Jv三4(Ildb)atjniMan.cpp:62