CN114168909A - Program protection method, device, equipment and storage medium based on code signature - Google Patents


Info

Publication number: CN114168909A
Application number: CN202111505840.XA
Authority: CN (China)
Prior art keywords: signature, section, current program, program, description file
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 安宏奎
Current assignee: Jingdong Technology Information Technology Co Ltd
Original assignee: Jingdong Technology Information Technology Co Ltd

Classifications

    • G06F21/105: G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM] > G06F21/105 Arrangements for software license management or administration, e.g. for managing licenses at corporate level
    • G06F21/121: G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM] > G06F21/12 Protecting executable software > G06F21/121 Restricting unauthorised execution of programs

Abstract

The present disclosure provides a program protection method, apparatus, device and storage medium based on code signing. The method comprises: when a current program is started, obtaining a description file of the current program; if the description file contains signature section data, computing a first hash value over the first section data of the description file using a first encryption algorithm (a hash function); calling the signature verification interface of a signature verification server, which checks, using a second encryption algorithm (a signature algorithm), whether the signature is correct for the signature section data and the first hash value, and obtaining its verification result; and, if the verification result indicates that the signature is correct, generating and sending a release instruction so that the current program is allowed to run. The technical scheme of the disclosure can improve the security of application program signature protection.

Description

Program protection method, device, equipment and storage medium based on code signature
Technical Field
The present disclosure relates to the field of computer network technologies, and in particular, to a method and an apparatus for protecting a program based on a code signature, an electronic device, and a non-transitory computer-readable storage medium.
Background
The Linux operating system is efficient and secure, but because its source code is open, the security of an open-source program running on it can be weakened, and user privacy and other information can then leak through a platform's application programs.
To keep the system secure, application files must be authenticated effectively so that their legitimacy can be judged. The authentication method mainly used at present is code authentication (code signing). It is an effective way to keep viruses and other malicious code out, and it is carried out by digital signature verification when an application program is installed.
In the related art, a digital signature verification scheme for an application may embed the contents of the digital certificate (and the key material that goes with it) in a configuration file or in code, so there is a risk of certificate leakage. If the certificate leaks, an attacker can use it to sign a malicious application and bypass the signature verification protection, so the security of the application's signature protection cannot be guaranteed.
Disclosure of Invention
The disclosure provides a program protection method and apparatus based on code signing, an electronic device and a non-transitory computer-readable storage medium, which address the low security of application program signature protection in the prior art and improve that security.
The present disclosure provides a program protection method based on code signing, comprising: when a current program is started, obtaining a description file of the current program; if the description file contains signature section data, computing a first hash value over the first section data of the description file using a first encryption algorithm; calling the signature verification interface of a signature verification server, which checks, using a second encryption algorithm, whether the signature is correct for the signature section data and the first hash value, and obtaining its verification result; and, if the verification result indicates that the signature is correct, generating and sending a release instruction so that the current program is allowed to run.
According to the code-signing-based program protection method provided by the disclosure, after the signature verification result is obtained, the method further comprises: if the verification result indicates that the signature is incorrect, generating and sending an interception instruction to block the current program.
According to the code-signing-based program protection method provided by the disclosure, after the description file of the current program is obtained, the method further comprises: if no signature section data exists in the description file, generating and sending an interception instruction to block the current program.
According to the code-signing-based program protection method provided by the disclosure, before the description file of the current program is obtained, the method further comprises: obtaining the original file of the current program; computing a second hash value over the second section data of the original file using the first encryption algorithm; calling the signing interface of the signature verification server, which signs the second hash value using the second encryption algorithm, and obtaining the signature value; and adding the signature value to the original file.
According to the code-signing-based program protection method provided by the disclosure, before the description file of the current program is obtained, the method further comprises: receiving current program information sent by the system kernel, the kernel having obtained it by monitoring a read event according to a monitor list; and obtaining the description file of the current program according to that information.
According to the code-signing-based program protection method provided by the disclosure, computing the first hash value over the first section data of the description file using the first encryption algorithm comprises: performing an incremental hash computation separately on each first section of data of the description file to obtain a corresponding set of per-section hash values; and deriving the first hash value from those per-section hash values.
According to the code-signing-based program protection method provided by the disclosure, before the first hash value is computed over the first section data of the description file using the first encryption algorithm, the method further comprises: obtaining the size and offset of the section header table from the current program information; and obtaining the first section data according to the size and offset of the section header table.
The present disclosure provides a program protection apparatus based on code signing, the apparatus comprising: an acquisition unit for obtaining the description file of a current program when the current program is started; an encryption unit for computing a first hash value over the first section data of the description file using a first encryption algorithm if signature section data exists in the description file; a signature verification unit for calling the signature verification interface of the signature verification server and obtaining the verification result after the server checks, using a second encryption algorithm, whether the signature is correct for the signature section data and the first hash value; and a generating unit for generating and sending a release instruction when the verification result indicates that the signature is correct.
According to the code-signing-based program protection apparatus provided by the disclosure, the generating unit is further configured to: if the verification result indicates that the signature is incorrect, generate and send an interception instruction to block the current program.
According to the code-signing-based program protection apparatus provided by the disclosure, the generating unit is further configured to: if no signature section data exists in the description file, generate and send an interception instruction to block the current program.
According to the code-signing-based program protection apparatus provided by the disclosure, the acquisition unit is further configured to obtain the original file of the current program; the encryption unit is further configured to compute a second hash value over the second section data of the original file using the first encryption algorithm; and the apparatus further comprises a signing unit for calling the signing interface of the signature verification server and obtaining the signature value after the server signs the second hash value using the second encryption algorithm, and an adding unit configured to add the signature value to the original file.
According to the code-signing-based program protection apparatus provided by the disclosure, the apparatus further comprises a start-up unit configured to: receive current program information sent by the system kernel, the kernel having obtained it by monitoring a read event according to a monitor list; and obtain the description file of the current program according to that information.
According to the code-signing-based program protection apparatus provided by the disclosure, the encryption unit is configured to: perform an incremental hash computation separately on each first section of data of the description file to obtain a corresponding set of per-section hash values; and derive the first hash value from those per-section hash values.
According to the code-signing-based program protection apparatus provided by the disclosure, the apparatus further comprises a parsing unit configured to obtain the size and offset of the section header table from the current program information, and to obtain the first section data according to the size and offset of the section header table.
The present disclosure also provides an electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the program, implements the steps of the code-signing-based program protection method described in any of the above.
The present disclosure also provides a non-transitory computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the code-signing-based program protection method described in any of the above.
The code-signing-based program protection method, apparatus, electronic device and non-transitory computer-readable storage medium provided by the disclosure enhance the security of application program signature protection by having a signature verification server verify the digital signature.
Drawings
To illustrate the technical solutions of the present disclosure or the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below show some embodiments of the present disclosure; other drawings can be derived from them by those skilled in the art without creative effort.
FIG. 1 is a flow diagram of a code-signing-based program protection method provided by the present disclosure;
FIG. 2 is a flow diagram of the code signing process provided by the present disclosure;
FIG. 3 is a second flow diagram of the code signing process provided by the present disclosure;
FIG. 4 is a flow diagram of the signature verification process provided by the present disclosure;
FIG. 5 is a schematic structural diagram of a code-signing-based program protection device provided by the present disclosure;
FIG. 6 is a schematic structural diagram of an electronic device provided by the present disclosure.
Detailed Description
To make the objects, technical solutions and advantages of the present disclosure more clear, the technical solutions of the present disclosure will be described clearly and completely below with reference to the accompanying drawings in the present disclosure, and it is obvious that the described embodiments are some, but not all embodiments of the present disclosure. All other embodiments, which can be derived by a person skilled in the art from the embodiments disclosed herein without making any creative effort, shall fall within the protection scope of the present disclosure.
The terminology used in the one or more embodiments of the present disclosure is for the purpose of describing particular embodiments only and is not intended to be limiting of the one or more embodiments of the present disclosure. As used in one or more embodiments of the present disclosure and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used in one or more embodiments of the present disclosure refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It will be understood that, although the terms first, second, etc. may be used herein to describe various information in one or more embodiments of the present disclosure, such information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, a first can also be referred to as a second and, similarly, a second can also be referred to as a first without departing from the scope of one or more embodiments of the present disclosure. The word "if" as used herein may be interpreted as "when", "upon" or "in response to determining", depending on the context.
Technical terms used in the embodiments of the present disclosure are explained below:
ELF (Executable and Linkable Format): the binary format of executable programs (and of shared objects and object files) on the Linux platform.
Section: a component of an ELF file. The ELF header records the size and file offset of the section header table; each entry of that table describes one section (its name, type, attributes, address, offset and size), and the section data is read from the file according to that entry.
Signature verification server: a dedicated server (in the embodiments, a hardware security module) that provides digital-certificate-based signing of electronic data and verifies the authenticity and validity of signatures, operating under the authorisation of the State Cryptography Administration of China.
SM2: the elliptic-curve public-key algorithm published by the State Cryptography Administration of China and intended as a domestic replacement for RSA; at the same security level it uses much shorter keys, is faster, and consumes fewer machine resources.
SM3: the cryptographic hash function published by the State Cryptography Administration of China, producing a 256-bit digest. It is used mainly for digital signature and verification and for message authentication code generation and verification, and its security and efficiency are comparable to SHA-256 (SHA: Secure Hash Algorithm). In this disclosure the "first encryption algorithm" is the hash (SM3) and the "second encryption algorithm" is the signature algorithm (SM2).
In the related art, the security of signature protection of an application program of the Linux operating system is low.
To solve the problem, embodiments of the present disclosure provide a program protection method and apparatus based on code signatures, an electronic device, and a non-transitory computer-readable storage medium.
The following detailed description of exemplary embodiments of the disclosure refers to the accompanying drawings.
Fig. 1 is a flowchart illustrating a program protection method based on code signing according to an embodiment of the present disclosure. The method provided by the embodiment of the present disclosure can be executed by any electronic device with computer processing capability, such as a terminal device and/or a server. As shown in fig. 1, the program protection method based on code signature includes:
Step 102: when a current program is started, obtain a description file of the current program.
Specifically, the current program is an application program of the Linux system, and its format may be ELF. Parsing the ELF file (its header and section header table) yields the ELF description, i.e. the description file of the current program.
Step 104: if signature section data exists in the description file, compute a first hash value over the first section data of the description file using a first encryption algorithm.
Specifically, the ELF description includes the ELF header, which records the size and offset of the section header table; the section header table is read from that size and offset, and the section data is obtained from it. The first section data is the section data of the description file excluding the signature section. The description file of the current program may or may not contain signature section data: signature section data is produced in the signature section when the application is signed, and if the current program has none, the signature verification of steps 104 to 108 cannot be performed. In the disclosed embodiment, the first encryption algorithm may be SM3, used to compute the hash value of the application.
Step 106: call the signature verification interface of the signature verification server, and obtain the verification result after the server checks, using a second encryption algorithm, whether the signature is correct for the signature section data and the first hash value.
Specifically, the signing and verification server is a Hardware Security Module (HSM) into which an SM2 signing certificate (a certificate under the Chinese national cryptographic standards, "guomi") must be imported in advance. The second encryption algorithm is used for signature verification and may be SM2. The server receives the verification request, which contains the signature section data and the first hash value, through its verification interface, produces the verification result using the second encryption algorithm, and returns it through the same interface.
Step 108: if the verification result indicates that the signature is correct, generate and send a release instruction so that the current program is allowed to run.
In the technical scheme of this embodiment, the hash of the application is computed with the first encryption algorithm and the signature is verified in the hardware security module with the second encryption algorithm. The hardware security module is one certified under the national cryptographic scheme, and no third party can extract the private key of the signing certificate from it, which improves the security of the application's digital signature protection.
In the related art, Linux systems generally compute hashes with the (foreign) SHA-2 family and sign with RSA. At an equivalent security level, RSA needs far longer keys and is slower than the elliptic-curve SM2 algorithm.
In the technical scheme of this embodiment, national cryptographic algorithms of higher security strength are adopted: for example, SM3 as the first encryption algorithm for hash computation, and SM2 as the second encryption algorithm for signing and verification, so that the signing and verification process is harder to break and its security is enhanced.
A signing step is required before step 102 to sign the application. As shown in fig. 2, the signature method according to the embodiment of the present disclosure includes the following steps:
step 202, obtaining an original file of the current program.
Step 204, obtaining a second hash value of the second section of data according to the second section of data of the original file by using the first encryption algorithm.
And step 206, calling a signature interface of the signature verification server, and obtaining a signature value after the signature verification server uses a second encryption algorithm to perform signature according to the second hash value.
Step 208, adding the signature value to the original file.
Specifically, before an application is signed, a signature verification server needs to be initialized. When initializing the signature verification server, the SM2 certificate may be purchased from an authoritative CA organization, and the SM2 signature certificate may be imported into the signature verification server.
In one embodiment of the present disclosure, the process of signing an application program with the signing and verification server using the national cryptographic algorithms is shown in fig. 3 and comprises the following steps:
Step 301: parse the ELF file, i.e. analyse the format of the ELF application and produce an ELF description. During parsing, read the ELF header to obtain the file type, data encoding, target architecture, ELF version, and the size and offset of the program header table and of the section header table; judge the file type from the ELF header and return a failure if the file is not an executable program.
Step 302: locate the code and data sections, i.e. read the section header table using the size and offset recorded in the ELF header. The entries are read in a loop, each giving the section name, type, attributes (flags), address, file offset, size and additional information, until the whole table has been read.
Step 303: compute the SM3 digest, i.e. obtain each section's data from its section header entry and hash it with SM3. The SM3 state is initialised with a private initialisation vector, then each second section of data is read in turn and hashed incrementally with SM3.
The incremental hashing covers the following sections of the ELF application, each read in turn and hashed incrementally with SM3:
.text: the machine code of the compiled application.
.rodata: the application's read-only data.
.data: the application's initialised global variables.
.init: the application's initialisation machine code.
.fini: the application's exit machine code.
.ctors: the pointer array of the application's global constructors.
.dtors: the pointer array of the application's global destructors.
.dynamic: the dynamic linking information the dynamic linker uses to bind the process.
.dynsym: the dynamic linking symbol table.
.dynstr: the string table of the dynamic symbols.
After the per-section SM3 values (the incremental hash of each second section of data) are obtained, they are combined into the final SM3 hash value.
Step 304: sign with the signature verification server, i.e. call the server's signing interface to obtain a signature value over the SM3 hash. Specifically, GM/T0018-.
Step 305: generate the ELF signature section, i.e. create a new section, .SM2sig, holding the SM2 signature data.
Step 306: append the signature section to the ELF file. Specifically, a section header entry for .SM2sig is added to the section header table and the SM2 signature section is written out, producing a new ELF application that contains the signature information according to the new ELF description.
Fig. 4 shows the process of verifying an application's signature with the signature verification server using the national cryptographic algorithms. The process comprises the following steps:
Step 401: the program is started and calls exec.
Step 402: SignHooker sends a program-start notification.
Step 403: the character device driver forwards the program-start notification.
Step 404: SignVerify reads the program-start information.
Step 405: SignVerify requests the application's file.
Step 406: SignVerify obtains the application's file from the program.
Step 407: SignVerify verifies the signature using the signature verification server.
Step 408: SignVerify obtains the verification result.
Step 409: SignVerify tells the character device driver, according to the verification result, whether the program may pass.
Step 410: the character device driver tells SignHooker to release the program.
Step 411: the program starts successfully.
Before step 102, it is necessary to initialize a signature verification system, which can control the application program through signature verification. As shown in fig. 4, the signature verification system includes a SignVerify, a character-type device driver, a SignHooker, and an executable program. Wherein, the SignHooker is a Linux kernel module. SignVerify is a program module in a Linux system, and an executable program refers to a current application program. A character-type device is a device that can only access the device memory in the byte stream order, but not at random. A character-type device driver is a special program that enables a computer to communicate with a device, and corresponds to an interface of hardware.
When initializing the signature verification system, the kernel module SignHooker is loaded into the kernel of the Linux system, and the address of the kernel's system call table is passed to SignHooker as a load parameter. The system call table addresses may be those of sys_call_table and ia32_sys_call_table.
In step 401, the executable program initiates an Exec call, where Exec is the sys_exec system call through which the operating system maps and reads the executable file.
SignHooker intercepts the sys_exec system call through the system call table address: it saves the operating system's original sys_exec address and registers a new callback function in its place. The resident program SignVerify is then started; it initializes, through the character device, the list of application programs that need to be checked, and then monitors read events of the character device.
In steps 402 and 403, SignHooker notifies SignVerify through the character device driver when an application that requires checking starts. Specifically, SignHooker intercepts the sys_exec system call, and if the name or path of the application belongs to the list that needs protection, sends this information to SignVerify through the device's file_operations. In step 404, SignVerify receives the read event of the character device and reads the name and path of the application to be checked from the character device.
In this embodiment of the present disclosure, after acquiring the current program information sent by the system kernel, in steps 405 and 406 the description file of the current program is acquired according to the current program information, where the current program information is obtained by the system kernel monitoring a read event according to the monitoring list.
SignVerify parses the file format of the ELF application program, acquires the ELF header information and the section header table information, calculates the SM3 hash value from the section data, and reads the content of the signature section. Referring to step 303, the SM3 hash value of the ELF application is calculated with the same algorithm that was used when signing, and the signature section data of the application is obtained, i.e. the signature section SM2sig of the ELF application is read.
Specifically, the size and offset of the section header table may be obtained from the current program information, and the first section data is then obtained according to the size and offset of the section header table.
An incremental hash calculation is performed separately on each first section data of the description file, yielding a corresponding set of single-section hash values, and the first hash value is then derived from these single-section hash values.
If no signature section data exists in the application program, SignHooker is informed to intercept. Specifically, if the description file contains no signature section data, SignVerify generates an interception instruction and sends it to SignHooker through the character device, so that the current program is intercepted.
In step 407, the signature verification interface of the signature verification server is called and the signature information and the SM3 hash value are sent to the server for signature verification; in step 408, SignVerify obtains the signature verification result.
The call to the signature verification interface of the signature verification server follows GM/T 0018-2012 "Cryptographic Device Application Interface Specification": the signature data and the SM3 hash value are supplied as input, the signature verification server verifies the signature using the SM2 algorithm, and a result indicating whether the signature is correct is returned.
In steps 409 and 410, SignVerify decides whether to intercept according to the signature verification result, and notifies SignHooker of the decision through the character device driver. Specifically:
If the signature verification result indicates that the signature is correct, a release instruction is generated and sent to SignHooker through the character device, so that the current program is released.
If the signature verification result indicates that the signature is incorrect, an interception instruction is generated and sent to SignHooker through the character device, so that the current program is intercepted.
In step 411, after receiving the instruction, SignHooker performs the release operation or the interception operation according to the instruction. Specifically, if the instruction is an interception instruction, an error code is returned and the application's start-up process is stopped; if it is a release instruction, the system's default sys_exec function is called and the application's start-up process continues.
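The verifier-side processing of steps 405 to 410 (locate the section header table, hash the sections, read the signature section, call the server, release or intercept), together with the signing side of claim 4, as an added example; this is not code from the patent or its applicant. It assumes the signature section is named `.SM2sig` (the text only says "SM2sig section"), that the signature section and the section-name string table are left out of the hash so that adding the signature does not change the hashed content, and that the "first hash value" is a digest over the per-section digests with their names bound in. SM3 is used when the local OpenSSL provides it and SHA-256 otherwise, and an HMAC with a constructed key stands in for the SM2 signature server; the ELF64 images are constructed in the block and are not real binaries.

```python
import hashlib
import hmac
import struct

EHDR = "<16sHHIQQQIHHHHHH"   # ELF64 file header layout (64 bytes)
SHDR = "<IIQQQQIIQQ"         # ELF64 section header layout (64 bytes)
SIG_SECTION = ".SM2sig"      # assumed name of the signature section
UNHASHED = {"", ".shstrtab", SIG_SECTION}   # sections left out of the hash (assumption)
SERVER_KEY = b"constructed-demo-key"        # stands in for the key held inside the HSM

try:                          # SM3 if OpenSSL offers it, SHA-256 as stand-in otherwise
    hashlib.new("sm3")
    HASH = "sm3"
except ValueError:
    HASH = "sha256"


def build_elf64(sections, signature=None):
    """Constructed test input: minimal little-endian ELF64 image holding the given
    {name: bytes} sections, an optional signature section and the name string table."""
    entries = list(sections.items())
    if signature is not None:
        entries.append((SIG_SECTION, signature))
    shstrtab, name_off = b"\0", {}
    for name, _ in entries + [(".shstrtab", b"")]:
        name_off[name] = len(shstrtab)
        shstrtab += name.encode() + b"\0"
    entries.append((".shstrtab", shstrtab))
    body, headers = b"", [bytes(64)]              # index 0 is the null section header
    for name, data in entries:
        sh_type = 3 if name == ".shstrtab" else 1   # SHT_STRTAB / SHT_PROGBITS
        headers.append(struct.pack(SHDR, name_off[name], sh_type, 0, 0,
                                   64 + len(body), len(data), 0, 0, 1, 0))
        body += data
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)   # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    ehdr = struct.pack(EHDR, ident, 2, 0x3E, 1, 0, 0, 64 + len(body), 0,
                       64, 0, 0, 64, len(headers), len(headers) - 1)
    return ehdr + body + b"".join(headers)


def parse_section_headers(blob):
    """Steps 405/406, claim 7: read the ELF header, find the section header table by
    offset and size, and return (name, offset, size) for every section."""
    if blob[:4] != b"\x7fELF" or blob[4] != 2 or blob[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    f = struct.unpack_from(EHDR, blob, 0)
    shoff, shentsize, shnum, shstrndx = f[6], f[11], f[12], f[13]
    if shentsize != 64 or shoff + shnum * shentsize > len(blob) or shstrndx >= shnum:
        raise ValueError("malformed section header table")
    raw = [struct.unpack_from(SHDR, blob, shoff + i * shentsize) for i in range(shnum)]
    strtab = blob[raw[shstrndx][4]:raw[shstrndx][4] + raw[shstrndx][5]]
    out = []
    for sh in raw:
        if sh[4] + sh[5] > len(blob):
            raise ValueError("section extends past end of file")
        out.append((strtab[sh[0]:strtab.index(b"\0", sh[0])].decode(), sh[4], sh[5]))
    return out


def section_hashes(blob):
    """Claim 6, first half: one digest per hashed section, in table order."""
    return [(name, hashlib.new(HASH, blob[off:off + size]).digest())
            for name, off, size in parse_section_headers(blob) if name not in UNHASHED]


def program_hash(blob):
    """Claim 6, second half: the single first hash value derived from the per-section
    digests; the names are bound in so sections cannot be reordered or renamed."""
    h = hashlib.new(HASH)
    for name, digest in section_hashes(blob):
        h.update(name.encode() + b"\0" + digest)
    return h.digest()


def server_sign(digest):
    """Stand-in for the server's signature interface (HMAC instead of SM2)."""
    return hmac.new(SERVER_KEY, digest, HASH).digest()


def server_verify(signature, digest):
    """Stand-in for the server's signature verification interface."""
    return hmac.compare_digest(server_sign(digest), signature)


def sign_program(blob):
    """Signing side (claim 4): hash the original file, obtain the signature value
    from the server and add it to the file as the signature section."""
    sections = {name: blob[off:off + size]
                for name, off, size in parse_section_headers(blob) if name not in UNHASHED}
    return build_elf64(sections, signature=server_sign(program_hash(blob)))


def decide(blob, verify=server_verify):
    """Verifier side (steps 405-410): 'release' only when a signature section exists
    and the server confirms it over the recomputed hash, otherwise 'intercept'."""
    sig = next((blob[off:off + size] for name, off, size in parse_section_headers(blob)
                if name == SIG_SECTION), None)
    if sig is None:
        return "intercept"
    return "release" if verify(sig, program_hash(blob)) else "intercept"


if __name__ == "__main__":
    unsigned = build_elf64({".text": b"\x90\x90\xc3", ".data": b"hello"})  # constructed
    signed = sign_program(unsigned)
    tampered = signed.replace(b"hello", b"hellx")   # same length, layout unchanged
    print(decide(unsigned), decide(signed), decide(tampered))
```

Running the block prints `intercept release intercept`: the unsigned image has no signature section, the signed image verifies, and a one-byte change to `.data` changes the recomputed hash so the server rejects the stored signature. Because the signature and string-table sections are excluded from the hash, `program_hash` is identical before and after signing, which is what lets the signing side and the verifying side agree.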
In the embodiment of the disclosure, a hardware security module certified by the national cryptographic authority, namely the signature verification server, is used to protect the certificate: no third party can obtain the certificate's public or private key from the hardware security module, which strengthens the security of application program signature protection. At the same time, cryptographic algorithms of higher security strength are used to calculate the hash value and to sign, so that the entire signing and verification process is difficult to break.
According to the code-signature-based program protection method, signature verification of the digital signature is performed by the signature verification server, which enhances the security of application program signature protection.
The following describes the code-signature-based program protection device provided by the present disclosure; the device described below and the method described above correspond to each other and may be referred to together.
As shown in fig. 5, the program protection apparatus based on code signature according to the embodiment of the present disclosure includes:
the obtaining unit 502 may be configured to obtain a description file of a current program when the current program is started.
The encrypting unit 504 may be configured to, if signature section data exists in the description file, obtain a first hash value of the first section data according to the first section data of the description file by using a first encryption algorithm.
And the signature verification unit 506 may be configured to invoke a signature verification interface of the signature verification server, and obtain a signature verification result after the signature verification server verifies whether the signature is correct according to the signature section data and the first hash value by using a second encryption algorithm.
The generating unit 508 may be configured to generate and send a release instruction to release the current program when the signature verification result indicates that the signature is correct.
In an embodiment of the present disclosure, the generating unit may be further configured to: and if the signature checking result represents that the signature is incorrect, generating and sending an interception instruction to intercept the current program.
In an embodiment of the present disclosure, the generating unit may be further configured to: and if the signature section data does not exist in the description file, generating and sending an interception instruction to intercept the current program.
In this embodiment of the present disclosure, the obtaining unit may be further configured to obtain an original file of the current program; the encryption unit may be further configured to obtain a second hash value of second section data of the original file from that second section data by using the first encryption algorithm; and the apparatus may further include a signature unit, configured to call a signature interface of the signature verification server and obtain the signature value produced by the signature verification server from the second hash value using the second encryption algorithm, and an adding unit, configured to add the signature value to the original file.
In an embodiment of the present disclosure, the apparatus may further include a starting unit, configured to: acquiring current program information sent by a system kernel, wherein the current program information is obtained by monitoring a read event by the system kernel according to a monitor list; and acquiring the description file of the current program according to the current program information.
In an embodiment of the present disclosure, the encryption unit may be further configured to: respectively carrying out incremental hash value calculation on each first section of data of the description file to correspondingly obtain a plurality of single section hash values; and acquiring the first hash value according to the plurality of single hash values.
In an embodiment of the present disclosure, the apparatus may further include an analysis unit, configured to obtain the size and offset of the section header table according to the current program information, and to obtain the first section data according to the size and offset of the section header table.
For details not disclosed in the apparatus embodiments of the present disclosure, refer to the embodiments of the code-signature-based program protection method described above.
The program protection device based on the code signature provided by the disclosure realizes signature verification on the digital signature by using the signature verification server, and enhances the security of application program signature protection.
Fig. 6 illustrates a physical structure diagram of an electronic device, which may include, as shown in fig. 6: a processor (processor)610, a communication Interface (Communications Interface)620, a memory (memory)630 and a communication bus 640, wherein the processor 610, the communication Interface 620 and the memory 630 communicate with each other via the communication bus 640. Processor 610 may call logic instructions in memory 630 to perform a code signature based program protection method comprising: when a current program is started, obtaining a description file of the current program; if the description file has signature section data, acquiring a first hash value of the first section data according to the first section data of the description file by using a first encryption algorithm; calling a signature verification interface of a signature verification server, and obtaining a signature verification result after the signature verification server verifies whether the signature is correct according to the signature section data and the first hash value by using a second encryption algorithm; and if the signature checking result represents that the signature is correct, generating and sending a release instruction to release the current program.
In addition, the logic instructions in the memory 630 may be implemented in software functional units and stored in a computer readable storage medium when the logic instructions are sold or used as independent products. Based on such understanding, the technical solution of the present disclosure may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present disclosure. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
In another aspect, the present disclosure also provides a computer program product comprising a computer program stored on a non-transitory computer-readable storage medium, the computer program comprising program instructions, which when executed by a computer, enable the computer to perform the code signature-based program protection method provided by the above methods, the method comprising: when a current program is started, obtaining a description file of the current program; if the description file has signature section data, acquiring a first hash value of the first section data according to the first section data of the description file by using a first encryption algorithm; calling a signature verification interface of a signature verification server, and obtaining a signature verification result after the signature verification server verifies whether the signature is correct according to the signature section data and the first hash value by using a second encryption algorithm; and if the signature checking result represents that the signature is correct, generating and sending a release instruction to release the current program.
In yet another aspect, the present disclosure also provides a non-transitory computer-readable storage medium having stored thereon a computer program, which when executed by a processor is implemented to perform the code signature-based program protection methods provided above, the method including: when a current program is started, obtaining a description file of the current program; if the description file has signature section data, acquiring a first hash value of the first section data according to the first section data of the description file by using a first encryption algorithm; calling a signature verification interface of a signature verification server, and obtaining a signature verification result after the signature verification server verifies whether the signature is correct according to the signature section data and the first hash value by using a second encryption algorithm; and if the signature checking result represents that the signature is correct, generating and sending a release instruction to release the current program.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solutions of the present disclosure, not to limit them; although the present disclosure has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present disclosure.

Claims (10)

1. A method for protecting a program based on code signatures, the method comprising:
when a current program is started, obtaining a description file of the current program;
if the description file has signature section data, acquiring a first hash value of the first section data according to the first section data of the description file by using a first encryption algorithm;
calling a signature verification interface of a signature verification server, and obtaining a signature verification result after the signature verification server verifies whether the signature is correct according to the signature section data and the first hash value by using a second encryption algorithm;
and if the signature checking result represents that the signature is correct, generating and sending a release instruction to release the current program.
2. The method of claim 1, wherein after obtaining the signature verification result, the method further comprises:
and if the signature checking result represents that the signature is incorrect, generating and sending an interception instruction to intercept the current program.
3. The method of claim 1, wherein after obtaining the description file of the current program, the method further comprises:
and if the signature section data does not exist in the description file, generating and sending an interception instruction to intercept the current program.
4. The method of claim 1, wherein prior to obtaining the description file of the current program, the method further comprises:
acquiring an original file of the current program;
acquiring a second hash value of second section data according to the second section data of the original file by using the first encryption algorithm;
calling a signature interface of a signature verification server, and obtaining a signature value after the signature verification server uses a second encryption algorithm to perform signature according to the second hash value;
adding the signature value to the original file.
5. The method of claim 1, wherein prior to obtaining the description file of the current program, the method further comprises:
acquiring current program information sent by a system kernel, wherein the current program information is obtained by monitoring a read event by the system kernel according to a monitor list;
and acquiring the description file of the current program according to the current program information.
6. The method of claim 1, wherein obtaining a first hash value of a first section of data from the first section of data of the description file using a first encryption algorithm comprises:
respectively carrying out incremental hash value calculation on each first section of data of the description file to correspondingly obtain a plurality of single section hash values;
and acquiring the first hash value according to the plurality of single hash values.
7. The method of claim 5, wherein prior to obtaining the first hash value of the first section of data from the first section of data of the description file using the first encryption algorithm, the method further comprises:
acquiring the size and the offset of a section header table according to the current program information;
and acquiring the first section of data according to the size and the offset of the section head table.
8. A program protection apparatus based on code signing, the apparatus comprising:
the device comprises an acquisition unit, a storage unit and a control unit, wherein the acquisition unit is used for acquiring a description file of a current program when the current program is started;
the encryption unit is used for acquiring a first hash value of first section data according to the first section data of the description file by using a first encryption algorithm if the signature section data exists in the description file;
the signature verification unit is used for calling a signature verification interface of the signature verification server, and acquiring a signature verification result after the signature verification server verifies whether the signature is correct according to the signature section data and the first hash value by using a second encryption algorithm;
and the generating unit is used for generating and sending a releasing instruction to release the current program when the signature verification result represents that the signature is correct.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the steps of the method according to any of claims 1 to 7 are implemented when the processor executes the program.
10. A non-transitory computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 7.
CN202111505840.XA 2021-12-10 2021-12-10 Program protection method, device, equipment and storage medium based on code signature Pending CN114168909A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111505840.XA CN114168909A (en) 2021-12-10 2021-12-10 Program protection method, device, equipment and storage medium based on code signature

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111505840.XA CN114168909A (en) 2021-12-10 2021-12-10 Program protection method, device, equipment and storage medium based on code signature

Publications (1)

Publication Number Publication Date
CN114168909A true CN114168909A (en) 2022-03-11

Family

ID=80485323

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111505840.XA Pending CN114168909A (en) 2021-12-10 2021-12-10 Program protection method, device, equipment and storage medium based on code signature

Country Status (1)

Country Link
CN (1) CN114168909A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115292746A (en) * 2022-07-28 2022-11-04 南京国电南自电网自动化有限公司 Credible compiling and running method for application program

Similar Documents

Publication Publication Date Title
Shuai et al. Modelling analysis and auto-detection of cryptographic misuse in android applications
EP1695169B1 (en) Method and apparatus for incremental code signing
US10797868B2 (en) Shared secret establishment
CN109726588B (en) Privacy protection method and system based on information hiding
CN106899571B (en) Information interaction method and device
KR101729960B1 (en) Method and Apparatus for authenticating and managing an application using trusted platform module
CN112469036B (en) Message encryption and decryption method and device, mobile terminal and storage medium
CN112468478A (en) Attack interception method and device, computer equipment and storage medium
CN114499892B (en) Firmware starting method and device, computer equipment and readable storage medium
CN115248919A (en) Method and device for calling function interface, electronic equipment and storage medium
US9264234B2 (en) Secure authentication of identification for computing devices
CN111241492A (en) Product multi-tenant secure credit granting method, system and electronic equipment
CN111585995A (en) Method and device for transmitting and processing safety wind control information, computer equipment and storage medium
Zhao et al. A private user data protection mechanism in trustzone architecture based on identity authentication
US7779269B2 (en) Technique for preventing illegal invocation of software programs
CN114168909A (en) Program protection method, device, equipment and storage medium based on code signature
CN111327429B (en) Terminal starting processing method and device
CN110602051B (en) Information processing method based on consensus protocol and related device
CN115550060B (en) Trusted certificate verification method, device, equipment and medium based on block chain
Bhudia et al. RansomClave: ransomware key management using SGX
CN111949996A (en) Generation method, encryption method, system, device and medium of security private key
CN108242997B (en) Method and apparatus for secure communication
CN111046440B (en) Tamper verification method and system for secure area content
CN111490876B (en) Communication method based on USB KEY and USB KEY
CN116032509A (en) Mail encryption and decryption method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination