
CN-121979765-A - Method, device, equipment and medium for tracking decrypted data in Go language program


Abstract

The invention provides a method, a device, equipment and a medium for tracking decrypted data in a Go language program. The method comprises the steps of performing binary analysis on a target Go language binary program to identify at least one specific AES decryption function; deploying an eBPF program into the operating system kernel, wherein the eBPF program comprises a user mode function entry probe uprobe and a user mode function return probe uretprobe; attaching the uprobe to the entry point of the identified AES decryption function and capturing the address and length of the target buffer parameter from the CPU (central processing unit) registers when the function entry is executed; and running a user mode application program that reads, parses and displays the event data in real time, thereby tracking the decrypted data of the Go program without modifying the target program.

Inventors

  • LIU ZHIHAI
  • XU ZUOFEN
  • QIU JIECHAO

Assignees

  • 福建紫讯信息科技有限公司

Dates

Publication Date
20260505
Application Date
20251229

Claims (10)

  1. A method for tracking decrypted data in a Go language program, characterized by comprising the following steps: step 1, performing binary analysis on a target Go language binary program to identify at least one specific AES decryption function, the function signature including a target buffer parameter for storing decrypted plaintext data; step 2, deploying an eBPF program into the operating system kernel, wherein the eBPF program comprises a user mode function entry probe uprobe and a user mode function return probe uretprobe; step 3, attaching the uprobe to the entry point of the identified AES decryption function and capturing the address and length of the target buffer parameter from the CPU registers when the function entry is executed; step 4, attaching the uretprobe to the return point of the identified AES decryption function and, when the function return is executed, acquiring the address and length of the target buffer according to the current thread ID, reading the content of the target buffer from user mode memory using a kernel mode function, and thereby acquiring the decrypted plaintext data; and step 5, running a user mode application program configured to load the eBPF program, attach the uprobe and uretprobe, and read, parse and display the event data in real time.
  2. The method for tracking decrypted data in a Go language program according to claim 1, wherein step 1 specifically analyzes the target Go language binary program using the `go tool nm` tool shipped with the Go language to identify at least one specific AES decryption function, the function signature comprising a target buffer parameter for storing decrypted plaintext data, the specific AES decryption function being crypto/internal/fips140/ae in the Go standard library.
  3. The method for tracking decrypted data in a Go language program according to claim 1, wherein step 3 specifically attaches the uprobe to the entry point of the identified AES decryption function, captures the address and length of the target buffer parameter from the CPU registers when the function entry is executed, and stores the address and length in a map as a decryption context, wherein the map uses the thread ID as its key to distinguish concurrent calls, the address of the target buffer parameter is captured from the BX register and the length from the CX register, and the decryption context map is a hash table storing the correspondence between a thread ID and a decrypt_context structure containing the target buffer address and length; and step 4 specifically attaches the uretprobe to the return point of the identified AES decryption function, retrieves the corresponding decryption context from the map according to the current thread ID, obtains the address and length of the target buffer, reads the content of the target buffer from user mode memory using a kernel mode function to obtain the decrypted plaintext data, packages the plaintext data together with the related tracking information into event data, writes the event data into a ring buffer map that transfers it from kernel mode to the user mode application program, and deletes the decryption context of the current thread from the map.
  4. The method for tracking decrypted data in a Go language program according to claim 1, wherein step 5 is specifically implemented by running a user mode application program configured to load the eBPF program, attach the uprobe and uretprobe, and read, parse and present the event data from the ring buffer map in real time, including displaying the decrypted plaintext data in hexadecimal and string format.
  5. An apparatus for tracking decrypted data in a Go language program, comprising: an identification function module for performing binary analysis on the target Go language binary program to identify at least one specific AES decryption function whose signature includes a target buffer parameter for storing decrypted plaintext data; a deployment program module for deploying an eBPF program into the operating system kernel, said eBPF program comprising a user mode function entry probe uprobe and a user mode function return probe uretprobe; a capture context module that attaches the uprobe to the entry point of the identified AES decryption function and captures the address and length of the target buffer parameter from the CPU registers as the function entry executes; a data acquisition module for attaching the uretprobe to the return point of the identified AES decryption function and acquiring the address and length of the target buffer according to the current thread ID when the function return is executed; and an analysis display module for running a user mode application program configured to load the eBPF program, attach the uprobe and uretprobe, and read, parse and display the event data in real time.
  6. The apparatus for tracking decrypted data in a Go language program according to claim 5, wherein said identification function module is specifically configured to analyze said target Go language binary program using the `go tool nm` tool shipped with the Go language to identify at least one specific AES decryption function, the function signature comprising a target buffer parameter for storing decrypted plaintext data, said specific AES decryption function being crypto/internal/fips140/ae in the Go standard library.
  7. The apparatus for tracking decrypted data in a Go language program according to claim 5, wherein the capture context module is specifically configured to attach the uprobe to the entry point of the identified AES decryption function, capture the address and length of the target buffer parameter from the CPU registers when the function entry is executed, and store the address and length in a map as a decryption context, wherein the map uses the thread ID as its key to distinguish concurrent calls, the address of the target buffer parameter is captured from the BX register and the length from the CX register, and the decryption context map is a hash table storing the correspondence between a thread ID and a decrypt_context structure containing the target buffer address and length; and the data acquisition module is specifically configured to attach the uretprobe to the return point of the identified AES decryption function, retrieve the corresponding decryption context from the map according to the current thread ID when the function return is executed, acquire the address and length of the target buffer, read the content of the target buffer from user mode memory using a kernel mode function to obtain the decrypted plaintext data, encapsulate the plaintext data together with the related trace information into event data, write the event data into a ring buffer map that transfers it from kernel mode to the user mode application, and delete the decryption context of the current thread from the map.
  8. The apparatus for tracking decrypted data in a Go language program according to claim 5, wherein said analysis display module is configured to run a user mode application configured to load said eBPF program, attach said uprobe and uretprobe, and read, parse and display said event data from said ring buffer map in real time, including displaying said decrypted plaintext data in hexadecimal and string format.
  9. An electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor implements the method of any one of claims 1 to 4 when it executes the program.
  10. A computer readable storage medium on which a computer program is stored, characterized in that the program, when executed by a processor, implements the method according to any one of claims 1 to 4.
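
The thread-ID keyed decryption context map of claims 3 and 7, and the concurrent-call confusion it is meant to prevent, can be modelled in user space. This is an added example, not the patent's code and not an eBPF program: it stands in for the kernel-side map logic with plain Go types, takes the raw BX/CX register values as the Go amd64 register ABI would present them at entry, and assumes a constructed fake address space in place of real process memory.

```go
package main

import "fmt"

// DecryptContext mirrors the claims' decrypt_context: target buffer address
// (captured from BX) and length (captured from CX) at function entry.
type DecryptContext struct{ Addr, Len uint64 }

// FakeUserMemory is a constructed stand-in for the traced process's address
// space (assumption: buffer address -> bytes, not a real process).
type FakeUserMemory map[uint64][]byte

// Read plays the role of the kernel-side user-memory read of n bytes at addr.
func (m FakeUserMemory) Read(addr, n uint64) ([]byte, error) {
	b, ok := m[addr]
	if !ok || uint64(len(b)) < n {
		return nil, fmt.Errorf("unreadable user buffer %#x (%d bytes)", addr, n)
	}
	return append([]byte(nil), b[:n]...), nil
}

// Tracker models the kernel-side hash map keyed by thread ID that links each
// uprobe entry to the matching uretprobe return.
type Tracker struct {
	Contexts map[uint32]DecryptContext
	Mem      FakeUserMemory
}

// OnEntry is the uprobe handler: bx/cx are raw register values under the Go
// register ABI, saved under the calling thread's ID so that concurrent calls
// on different threads cannot overwrite each other's context.
func (t *Tracker) OnEntry(tid uint32, bx, cx uint64) {
	t.Contexts[tid] = DecryptContext{Addr: bx, Len: cx}
}

// OnReturn is the uretprobe handler: look up this thread's context, delete it
// from the map, then read the now-filled plaintext buffer and return it.
func (t *Tracker) OnReturn(tid uint32) ([]byte, error) {
	ctx, ok := t.Contexts[tid]
	if !ok {
		return nil, fmt.Errorf("tid %d: return with no matching entry", tid)
	}
	delete(t.Contexts, tid)
	return t.Mem.Read(ctx.Addr, ctx.Len)
}
```

With two threads whose calls interleave (entry A, entry B, return B, return A), each return still reads the buffer its own entry recorded; a return with no stored context, or a length exceeding the readable buffer, is reported as an error instead of yielding another thread's data.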

Description

Method, device, equipment and medium for tracking decrypted data in Go language program

Technical Field

The present invention relates to the field of program tracking and security analysis technologies, and in particular to a method, an apparatus, a device and a medium for tracking decrypted data in a Go language program.

Background

In a bid analysis scenario, the return value of a bid interface is often encrypted with an algorithm such as AES, and the plaintext of that return value must be obtained for subsequent analysis. When the bid is a Linux binary program written in the Go language and the source code is not accessible, conventional technical schemes face several problems in acquiring the plaintext data:

  1. Source code dependency limitation: traditional source code instrumentation requires modifying and recompiling the program's source code, but bid binary programs are mostly closed-source software, so the method is not applicable at all; even when the source code can be obtained, modifying it may introduce new program vulnerabilities, damage the running stability of the original program and affect the accuracy of data acquisition.
  2. Missing acquisition of function output results: a simple uprobe tracking scheme can only capture the input parameters at the function entry and cannot obtain the output result after the function has finished executing. The plaintext of the encrypted interface is usually stored in the output parameters of the decryption function and can only be read when the function returns, so existing schemes cannot meet the core requirement.
  3. Missing context association mechanism: during a decryption function call, parameter information such as the output buffer pointer saved at the function entry must be used to match and read the output result when the function returns, but the traditional eBPF scheme lacks an effective data sharing mechanism between uprobe and uretprobe, so the function call cannot be accurately associated with its returned result and the plaintext data cannot be extracted correctly.
  4. Insufficient Go language compatibility: the traditional eBPF tracking scheme is not fully adapted to the function calling convention of the Go language, in particular the register-based calling convention adopted by Go 1.17 and above, so errors easily occur when parsing function parameters, tracking data is distorted, and the information related to the decryption function cannot be acquired accurately.
  5. Data confusion in concurrent scenarios: bidding procedures often involve multi-threaded or concurrent calls in actual operation, and multiple threads may trigger the decryption function at the same time. The conventional tracking scheme lacks a mechanism to distinguish the contexts of different call instances, which easily confuses the call data of different threads and causes plaintext extraction errors.

These problems make it difficult for conventional technical schemes to efficiently, accurately and safely acquire the plaintext of the return value of a Linux bid encryption interface written in the Go language, which severely restricts bid analysis work, so a new technical scheme is needed to solve this pain point.

Disclosure of Invention

The invention aims to solve the technical problems of tracking decrypted data in a Go language program: tracking a compiled binary program, accurately parsing the Go language function calling convention, passing context information between function entry and return, and acquiring decrypted plaintext data in real time without modifying source code, while achieving program data tracking with low performance cost and a high degree of automation, and providing technical support for application scenarios such as third-party bid analysis, program security analysis, encryption algorithm verification and data leakage tracing.

In a first aspect, the present invention provides a method for tracking decrypted data in a Go language program, comprising the following steps: step 1, performing binary analysis on a target Go language binary program to identify at least one specific AES decryption function, the function signature including a target buffer parameter for storing decrypted plaintext data; step 2, deploying an eBPF program into the operating system kernel, wherein the eBPF program comprises a user mode function entry probe uprobe and a user mode function return probe uretprobe; step 3, attaching the uprobe to the entry point of the identified AES decryption function, capturing the addres