KR101616793B1 - Method for checking integrity of application - Google Patents

Method for checking integrity of application Download PDF

Info

Publication number
KR101616793B1
KR101616793B1 KR1020150181836A KR20150181836A KR101616793B1 KR 101616793 B1 KR101616793 B1 KR 101616793B1 KR 1020150181836 A KR1020150181836 A KR 1020150181836A KR 20150181836 A KR20150181836 A KR 20150181836A KR 101616793 B1 KR101616793 B1 KR 101616793B1
Authority
KR
South Korea
Prior art keywords
application
forgery
detected
determination step
forged
Prior art date
Application number
KR1020150181836A
Other languages
Korean (ko)
Inventor
이상훈
김훈규
권미영
이노복
이성근
Original Assignee
국방과학연구소
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 국방과학연구소 filed Critical 국방과학연구소
Priority to KR1020150181836A priority Critical patent/KR101616793B1/en
Application granted granted Critical
Publication of KR101616793B1 publication Critical patent/KR101616793B1/en

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F17/30097
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577Assessing vulnerabilities and evaluating computer system security
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Storage Device Security (AREA)

Abstract

A method for checking integrity of a mobile device in which at least one application is installed, the method comprising the steps of: performing an integrity check on the application at the time of execution of the application; A first forgery-falsed judgment step, in the case where it is determined that the application is falsified in the first forgery - falsification step, adding identification information of the application to a previously stored forgery list, In real time.

Description

METHOD FOR CHECKING INTEGRITY OF APPLICATION [0002]

And more particularly, to a method for performing an integrity check in real time for a specific application or program in a military mobile environment.

Generally, an integrity check is performed for an application program or an application program, and for stored data related to an application and an execution program. That is, the user can perform an integrity check on a specific application or an application program to determine whether or not the user is infected with a malicious code or a virus.

Generally, the non-deterministic testing apparatus generates and stores stat information (file size, generation time, etc.) for the inspection target and a hash value for the entire target data for integrity check in advance and stores the hash value And performs an integrity check by comparing the hash value with the stored hash value.

In the conventional mobile environment, the integrity check is performed at a predetermined time period. However, such an integrity checking method has a disadvantage in that it is difficult to immediately respond to an integrity violation that occurs at the point of time when the integrity check is not performed.

In particular, if an integrity infringement occurs on an executable program such as a deamon or an application installed in a military mobile environment, serious damage such as the leakage of classified secret information may occur.

Therefore, it is necessary to improve the reliability of the integrity check and prevent the leakage of related information for the execution program installed in the military mobile environment.

The present invention proposes a real-time integrity verification method for performing an integrity check at the time of program execution by improving the conventional time-period integrity checking method for solving the execution program integrity verification problem in a military mobile environment and a kernel level execution control method for the program do.

In order to solve the problems of the present invention, a method for inspecting an integrity of a mobile device in which at least one application according to the present invention is installed includes the steps of: performing an integrity check on the application at the time when the application is executed; A first forgery-determining step of determining whether the application is forged or falsified based on an inspection; a step for adding identification information of the application to a pre-stored forgery-proof list when it is determined that the application is forged or falsified in the first forgery- And blocking execution of an application determined to be forged based on the forgery list in real time.

In one embodiment, the method further includes determining whether a predetermined time interval has elapsed after the first forgery determination step is completed.

In one embodiment, when the predetermined time interval has elapsed, the step of performing the integrity check is performed again.

In one embodiment, there is provided a method comprising: detecting execution of an application in an operating system (OS) kernel; determining a forgery or falsification of the application based on the forgery list when execution of the application is detected; A third hash value determination process for determining whether the application is forged or not by comparing the generated hash value with a previously stored hash value, if it is determined that the detected application is not forgiven; Adding the detected application identification information to the forgery list if it is determined in the third forgery determination step that the detected application has been falsified; and, in the third forgery determination step, If it is determined that no forgery has occurred, It characterized in that it further comprises the step of allowing the execution of the indications.

In one embodiment, the second forgery determination step may include blocking the execution of the detected application in the OS kernel if it is determined that the detected application is forged.

In one embodiment, the method further comprises blocking execution of an application added to the forgery list in the OS kernel.

In one embodiment, the generated hash value is related to the stat information of the detected application.

In one embodiment, the stat information includes information related to at least one of a file size and a generation time of the detected application.

In one embodiment, the second forgery determination step may include determining whether identification information of the detected application is present in the forgery list.

According to the present invention, by performing an integrity check on an application in real time, the effect of improving the integrity reliability of the application and the data associated therewith is derived.

Further, according to the present invention, by providing a safe application or a program execution environment, it is possible to establish a military mobile environment ensuring reliability.

In addition, according to the present invention, by improving the reliability of a system in which a military mobile environment is installed, it is possible to more flexibly cope with a violation response situation.

1 is a flowchart illustrating a method for generating a forgery list in an integrity checking method according to the present invention.
FIG. 2 is a flowchart illustrating a method for blocking a forgery-and-fake application in real time in an integrity checking method according to the present invention.

An integrity checking apparatus and an inspection method according to embodiments of the present invention are described. However, the configuration of the integrity check apparatus and the inspection method may be changed or deleted, or other components may be added, as needed.

The present invention relates to a real-time integrity verification method for an execution program in a military mobile environment and an execution control method for an integrity infringement execution program.

Although not shown, the integrity checking apparatus may include a communication unit, a storage unit, and a control unit. For example, the integrity checking apparatus may be provided in the integrity checking server.

In one embodiment, the integrity checking server may be a program developer, a manager in an enterprise, or a management server operated by an authorized certification authority.

The communication unit may perform communication with the user terminal. In this case, the user terminal may be an electronic device equipped with a mobile mobile environment.

The storage unit is implemented as a data storage device such as a memory. In one embodiment, the storage unit stores program file information or a storage location of the program file and a unique code of the program file. In addition, you can store the installation size of the program files, the date of the last change of the original, and the original version information.

The control unit generates a unique code of the program file using the encryption table whose arrangement has been changed according to a preset rule, and stores the code in the storage unit. Preferably, the control unit generates and stores the unique code before the program file is generated and distributed.

Here, the preset rule may be set differently for any one of a program, an operating system, a user terminal, and a down period. The predetermined rule is shared with the user terminal so that the encryption table referring to the changed encryption table in the same form is implemented.

The control unit compares the received unique code with the unique code stored in the storage unit and checks the integrity according to whether the unique code generated in the user terminal is received from the user terminal together with the integrity check request for the program file from the user terminal through the communication unit . And transmits the integrity check result to the user terminal through the communication unit.

The control unit compares the unique code with the byte unit and confirms whether or not the program matches the program code. In this case, the control unit can determine that the program file is an integrity program file.

Referring to FIG. 1, the control unit of the integrity checking apparatus may perform an integrity check on the application at the time when the application is executed (S101).

The control unit may perform a first forgery determination step of determining whether the application is forged or falsified based on the performed inspection (S102).

If it is determined in the first forgery determination step that the application is forged, the control unit may add the identification information of the application to the stored forgery list (S103).

The control unit can block the execution of the application judged to be forged based on the forgery list in real time.

When the first forgery determination step is completed, the controller may determine whether a predetermined time interval has elapsed (S104).

When the predetermined time interval elapses, the control unit performs the integrity check step (S101), the first forgery determination step (S102), and the step of adding the identification information of the application to the pre-stored forgery list step (S103) .

As shown in FIG. 1, it is based on performing an integrity check of a set time period for a program existing in an integrity check target list, and when a forgery is generated, a forgery program list is created, It is a way to block execution of programs in the list at the kernel level in real time.

Also, referring to FIG. 2, the control unit may detect execution of an application in an operating system (OS) kernel (S201).

When the execution of the application is detected, the control unit may perform a second forgery determination step (S202) for determining whether the application is forged or falsified based on the forgery list.

In the second forgery determination step, the controller may generate a hash value if it is determined that the detected application is not forged (S203).

On the other hand, if it is determined that the detected application is falsified in the second forgery determination step, the control unit may block the execution of the detected application (S207).

The controller may compare the generated hash value with a previously stored hash value to perform a third forgery determination step (S204) to determine whether the application is forged or not.

If it is determined in the third forgery determination step (S204) that the detected application is forged, the control unit may add the detected application identification information to the forgery list (S205). The control unit may block the execution of the detected application after adding the detected application identification information to the forgery list.

In the third forgery determination step, if the detected application is determined not to be forged, the control unit may allow execution of the detected application (S206).

As shown in FIG. 2, when the OS kernel detects the execution of a program existing in the integrity check target list, it determines whether or not the program exists in the forgery program list created in FIG. 1 and blocks the execution of the forgery verification in real time. Even if the program does not exist in the forgery-and-fake list, the integrity check is performed to determine whether forgery or falsification has occurred in the integrity check cycle of FIG. 1, and added to the forgery-inhibited program list when forgery has occurred and the execution of the program is blocked in real time from the OS kernel .

The integrity checking method according to the embodiment of the present invention can be implemented as a computer-readable code on a computer-readable recording medium. A computer-readable recording medium includes all kinds of recording apparatuses in which data that can be read by a computer system is stored. Examples of the computer-readable recording medium include a ROM, a RAM, a CDROM, a magnetic tape, a hard disk, a floppy disk, an optical data storage device, and the like. , Computer-readable code in a distributed fashion can be stored and executed. And functional programs, codes, and code segments for implementing the present invention can be easily inferred by programmers skilled in the art to which the present invention pertains.

It will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims. Therefore, the disclosed embodiments should be considered in an illustrative rather than a restrictive sense. Therefore, the scope of the present invention is not limited to the above-described embodiments, but should be construed to include various embodiments within the scope of the claims and equivalents thereof.

Claims (8)

A method for inspecting an integrity of a mobile device in which at least one application is installed,
Performing an integrity check on the application at the time the application is executed;
A first forgery determination step of determining whether the application is forged or falsified based on the performed inspection;
Adding the identification information of the application to the pre-stored forgery list if the application is determined to be forged in the first forgery determination step;
Blocking execution of an application determined to be forged based on the forgery list in real time;
Detecting execution of an application in an operating system (" OS ")kernel;
A second forgery-determining step of determining whether the application is forged or not based on the forgery-proof list when execution of the application is detected;
If it is determined in the second forgery determination step that the detected application is not forged, generating a hash value;
A third forgery determination step of comparing the generated hash value with a previously stored hash value to determine whether the application is forged or falsified;
Adding the detected identification information of the application to the forgery list if the detected application is determined to be forged in the third forgery determination step;
Allowing the execution of the detected application if it is determined in the third forgery determination step that the detected application is not forged; And
And blocking the execution of the detected application in the OS kernel if it is determined in the second forgery determination step that the detected application is falsified. The method according to claim 1,
When the first forgery determination step is completed, determining whether a predetermined time interval has elapsed,
Wherein the step of performing the integrity check is performed again when the predetermined time interval elapses. delete delete The method according to claim 1,
And blocking execution of an application added to the forgery-and-falsification list in the OS kernel. The method according to claim 1,
Wherein the generated hash value is related to the stat information of the detected application. The method according to claim 6,
Wherein the stat information includes information related to at least one of a file size and a generation time of the detected application. The method according to claim 1,
The second forgery determination step may include:
And determining whether the identification information of the detected application exists in the forgery list.
KR1020150181836A 2015-12-18 2015-12-18 Method for checking integrity of application KR101616793B1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020150181836A KR101616793B1 (en) 2015-12-18 2015-12-18 Method for checking integrity of application

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020150181836A KR101616793B1 (en) 2015-12-18 2015-12-18 Method for checking integrity of application

Publications (1)

Publication Number Publication Date
KR101616793B1 true KR101616793B1 (en) 2016-04-29

Family

ID=55915969

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020150181836A KR101616793B1 (en) 2015-12-18 2015-12-18 Method for checking integrity of application

Country Status (1)

Country Link
KR (1) KR101616793B1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20060064883A (en) * 2004-12-09 2006-06-14 삼성전자주식회사 Apparatus and method for secure booting
KR20080057917A (en) * 2006-12-21 2008-06-25 주식회사 레드게이트 Method for real-time integrity check and audit trail connected with the security kernel
KR101537205B1 (en) * 2014-10-20 2015-07-16 숭실대학교산학협력단 User Terminal to Detect the Tampering of the Applications Using Hash Value and Method for Tamper Detection Using the Same
KR20150109200A (en) * 2014-03-19 2015-10-01 한국전자통신연구원 Software Integrity Checking System Based on Mobile Storage and the Method of

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20060064883A (en) * 2004-12-09 2006-06-14 삼성전자주식회사 Apparatus and method for secure booting
KR20080057917A (en) * 2006-12-21 2008-06-25 주식회사 레드게이트 Method for real-time integrity check and audit trail connected with the security kernel
KR20150109200A (en) * 2014-03-19 2015-10-01 한국전자통신연구원 Software Integrity Checking System Based on Mobile Storage and the Method of
KR101537205B1 (en) * 2014-10-20 2015-07-16 숭실대학교산학협력단 User Terminal to Detect the Tampering of the Applications Using Hash Value and Method for Tamper Detection Using the Same

Similar Documents

Publication Publication Date Title
CN108268354B (en) Data security monitoring method, background server, terminal and system
KR101720686B1 (en) Apparaus and method for detecting malcious application based on visualization similarity
CN105608386A (en) Trusted computing terminal integrity measuring and proving method and device
CN108763951B (en) Data protection method and device
CN108351938B (en) Apparatus, system, and method for verifying a security value computed for a portion of program code
KR101710928B1 (en) Method for protecting malignant code in mobile platform, recording medium and device for performing the system
KR20160098912A (en) Method for Re-adjusting Application Permission and User terminal for performing the same Method
JP6000465B2 (en) Process inspection apparatus, process inspection program, and process inspection method
CN111368299A (en) Dynamic link library file hijacking detection method, device and storage medium
KR20190080591A (en) Behavior based real- time access control system and control method
JP6554249B2 (en) Granting apparatus, granting method and granting program
JP2013164732A (en) Information processor
US9965625B2 (en) Control system and authentication device
CN110941825B (en) Application monitoring method and device
WO2020233044A1 (en) Plug-in verification method and device, and server and computer-readable storage medium
US20220292201A1 (en) Backdoor inspection apparatus, backdoor inspection method, and non-transitory computer readable medium
KR101616793B1 (en) Method for checking integrity of application
CN105426749A (en) Method for controlling running of ELF files on basis of signature mechanism
KR101604891B1 (en) Method for detection software piracy and theft using partial information of executable file and apparatus using the same
JP6149523B2 (en) File tampering detection system
US10637877B1 (en) Network computer security system
KR101725670B1 (en) System and method for malware detection and prevention by checking a web server
KR101600178B1 (en) Method and apparatus for detecting illegally copied application
CN116737526A (en) Code segment dynamic measurement method and device and electronic equipment
JP2019008732A (en) Access control device, access control method and access control program

Legal Events

Date Code Title Description
E701 Decision to grant or registration of patent right
GRNT Written decision to grant