KR102462541B1 - Methods and systems for validating licenses for open source software - Google Patents

Abstract

Disclosed are methods and systems for verifying licenses of open source software. The license verification method according to embodiments of the present invention may check the license of open source software. In one embodiment, the license verification method can verify the license of the open source software even through the binary code in the built state without the developer's source code by using a preset code form such as smali code in the Android environment. In another embodiment, the license verification method may verify the license of the open source software even for the code in which the string is obfuscated by comparing the form according to the structure of the package file.

Description

Methods and systems for validating licenses for open source software

The description below relates to a method and system for verifying the license of open source software, and in more detail, a license verification method that can check the license of open source software, a computer device performing the license verification method, and combination with a computer It relates to a computer program stored in a computer-readable recording medium and the recording medium to execute the license verification method on a computer.

Open source software is freely used for software development, but when used for commercial purposes, the license agreement must be followed. Different licenses apply depending on the organization or nature of the open source software. Representative examples include BSD (Berkeley Software Distribution), GPL (General Public License), and Apache. While there is a license that allows freely use, duplication, adaptation, and redistribution after modification, a license that requires the disclosure of the modified source code. there is also

In addition, as the use of open source software increases, cyberattacks that exploit open source security vulnerabilities are also increasing year by year. Even security vulnerabilities that have already been discovered due to poor open source security management are being left unpatched, causing damage. Since open source including vulnerabilities can be included and distributed in software, it is necessary to manage the used open source.

In the prior art, the open source software used was determined by comparing the developer's code with the code of the open source software by receiving the developer's source code as an input from the open source license inspection system. In this case, the developer must deliver the source code to the system for open source license inspection, and the leakage of the source code, which is the developer's property, can be a security risk from the developer's point of view, so inconvenience and rejection may occur. There is a problem that there is

A license verification method capable of examining the license of open source software, a computer device performing the license verification method, and a computer program stored in a computer-readable recording medium in combination with a computer to execute the license verification method on the computer; A recording medium is provided.

A license verification method that can verify the license of open source software even through a binary code built without a developer's source code by using a preset code form such as smali code in the Android environment, a computer device that performs the license verification method, And it is combined with a computer to provide a computer program and the recording medium stored in a computer-readable recording medium to execute the license verification method on the computer.

A license verification method capable of verifying the license of open source software even for a code whose string is obfuscated by comparing the form according to the structure of the package file, a computer device that performs the license verification method, and the license verification method in combination with a computer Provided are a computer program stored in a computer-readable recording medium to be executed by a computer and the recording medium.

A license verification method comprising: downloading open source software; extracting method call information from the downloaded open source software; generating a pattern in the form of a preset code using the extracted method call information; and storing the generated pattern in a database in association with the identifier of the downloaded open source software.

According to one side, the license verification method includes the steps of receiving a package file to be inspected; extracting an executable file of the package file; converting the extracted executable file into the preset code form; extracting method call information from the executable file converted into the preset code form; and comparing the extracted method call information with a pattern stored in the database.

A license verification method comprising: downloading open source software; generating data of a first tree structure corresponding to the directory structure of the downloaded open source software; and storing the data of the first tree structure in a database in association with the identifier of the corresponding open source software.

According to one side, the license verification method, the step of receiving a package file to be inspected; generating data of a second tree structure corresponding to the directory structure of the input package file; and comparing the data of the second tree structure with the data of the first tree structure stored in the database.

It provides a computer program stored in a computer-readable recording medium in combination with a computer to execute the license verification method on the computer.

There is provided a computer-readable recording medium in which a program for executing the license verification method on a computer is recorded.

A computer device comprising: at least one processor implemented to execute computer-readable instructions, the at least one processor to download open source software, extract method call information from the downloaded open source software; , to generate a pattern in the form of a preset code using the extracted method call information, and to store the generated pattern in a database in association with the identifier of the downloaded open source software.

A computer device comprising: at least one processor embodied to execute instructions readable by a computer, wherein the at least one processor is configured to download an open source software and a second processor corresponding to a directory structure of the downloaded open source software. There is provided a computer device characterized in that it generates data of a one tree structure, and stores the data of the first tree structure in a database in association with an identifier of the corresponding open source software.

A license verification method capable of examining the license of open source software, a computer device performing the license verification method, and a computer program stored in a computer-readable recording medium in combination with a computer to execute the license verification method on the computer; A recording medium may be provided.

By using a preset code form such as smali code in the Android environment, it is possible to verify the license of open source software even through the binary code built without the developer's source code.

The license of open source software can be verified even for code whose string is obfuscated by comparing the format according to the structure of the package file.

1 is a diagram illustrating an example of a network environment according to an embodiment of the present invention.
2 is a block diagram illustrating an example of a computer device according to an embodiment of the present invention.
3 is a flowchart illustrating an example of a method for collecting patterns of open source software according to an embodiment of the present invention.
4 is a flowchart illustrating an example of a method of checking whether open source software is used using a pattern according to an embodiment of the present invention.
5 is a diagram illustrating an example of generating a smali code type pattern from a source code of an open source software according to an embodiment of the present invention.
6 and 7 are diagrams illustrating an example of converting a Dex file into a smali code according to an embodiment of the present invention.
8 is a diagram illustrating an example of a Java code and a smali code corresponding to the Java code according to an embodiment of the present invention.
9 is a flowchart illustrating an example of a method of collecting the structure of a package file as a pattern of an open source software according to an embodiment of the present invention.
10 is a flowchart illustrating an example of a method of checking whether an open source software is used by comparing a shape according to a structure of a package file according to an embodiment of the present invention.
11 is a diagram illustrating an example of a directory structure of a package file according to an embodiment of the present invention.
12 is a diagram illustrating an example of a tree structure corresponding to a directory structure according to an embodiment of the present invention.
13 is a diagram illustrating an example of an ordered tree structure according to an embodiment of the present invention.
14 is a diagram illustrating an example of serialized and stored data according to an embodiment of the present invention.
15 and 16 are diagrams illustrating a comparative example of a tree structure according to an embodiment of the present invention.

Best mode for carrying out the invention

Hereinafter, embodiments will be described in detail with reference to the accompanying drawings.

The license verification system according to embodiments of the present invention may be implemented through a computer device such as a server, which will be described later. In this case, the computer program according to an embodiment of the present invention may be installed and driven in the computer device, and the computer device may perform the license verification method according to the embodiments of the present invention under the control of the driven computer program. . The above-described computer program may be stored in a computer-readable recording medium in combination with a computer device to execute the license verification method on the computer.

1 is a diagram illustrating an example of a network environment according to an embodiment of the present invention. The network environment of FIG. 1 shows an example including a plurality of electronic devices 110 , 120 , 130 , 140 , a plurality of servers 150 , 160 , and a network 170 . 1 is an example for explaining the invention, and the number of electronic devices or the number of servers is not limited as in FIG. 1 .

The plurality of electronic devices 110 , 120 , 130 , and 140 may be a fixed terminal implemented as a computer device or a mobile terminal. Examples of the plurality of electronic devices 110 , 120 , 130 , 140 include a smart phone, a mobile phone, a navigation device, a computer, a notebook computer, a digital broadcasting terminal, a personal digital assistant (PDA), and a portable multimedia player (PMP). ), tablet PCs, etc. As an example, although the shape of a smartphone is shown as an example of the electronic device 1110 in FIG. 1 , in the embodiments of the present invention, the electronic device 1110 substantially communicates with the network 170 using a wireless or wired communication method. It may refer to one of various physical computer devices capable of communicating with other electronic devices 120 , 130 , 140 and/or servers 150 and 160 through the communication system.

The communication method is not limited, and not only a communication method using a communication network (eg, a mobile communication network, a wired Internet, a wireless Internet, a broadcasting network) that the network 170 may include, but also short-range wireless communication between devices may be included. For example, the network 170 may include a personal area network (PAN), a local area network (LAN), a campus area network (CAN), a metropolitan area network (MAN), a wide area network (WAN), and a broadband network (BBN). , the Internet, and the like. In addition, the network 170 may include any one or more of a network topology including a bus network, a star network, a ring network, a mesh network, a star-bus network, a tree, or a hierarchical network, etc. not limited

Each of the servers 150 and 160 communicates with the plurality of electronic devices 110 , 120 , 130 , 140 and the network 170 through a computer device or a plurality of computers providing commands, codes, files, contents, services, etc. It can be implemented in devices. For example, the server 150 may be a system that provides a first service to a plurality of electronic devices 110 , 120 , 130 , 140 connected through the network 170 , and the server 160 is also a network ( It may be a system that provides the second service to the plurality of electronic devices 110 , 120 , 130 , and 140 connected through 170 . As a more specific example, the server 150 transmits a file for installing and driving an application to the plurality of electronic devices 110 , 120 , 130 , and 140 as a first service to the plurality of electronic devices 110 , 120 , 130 , and 140 . ) can be distributed. In addition, the server 160 may provide a service targeted by the corresponding application to the plurality of electronic devices 110 , 120 , 130 , and 140 as a second service through the above-described application.

In this case, the server 150 may implement a license verification system according to embodiments of the present invention. The license verification system may detect the use of the open source software for a file for installing and driving an application registered in the server 150 from the developer, and may provide license information of the detected open source software to the administrator. According to an embodiment, the license verification system may be implemented as a separate computer device distinct from the server 150 , and may be linked with the server 150 through the network 170 .

2 is a block diagram illustrating an example of a computer device according to an embodiment of the present invention. Each of the plurality of electronic devices 110 , 120 , 130 , 140 or servers 150 , 160 and the license verification system according to embodiments of the present invention described above are installed in the computer device 200 shown in FIG. 2 . may be implemented by, and the license verification method according to an embodiment may be performed by a license verification system implemented by the computer device 200 . If the license verification system is implemented in the server 150 , the license verification method according to the embodiments of the present invention may be performed by the computer device 200 implementing the server 150 . For example, a computer program according to an embodiment may be installed and driven in the computer device 200 , and the computer device 200 is a license verification method according to embodiments of the present invention under the control of the driven computer program. can be performed. According to an embodiment, the license verification system may be implemented through a combination of a plurality of computer devices.

As shown in FIG. 2 , the computer device 200 may include a memory 210 , a processor 220 , a communication interface 230 , and an input/output interface 240 . The memory 210 is a computer-readable recording medium and may include a random access memory (RAM), a read only memory (ROM), and a permanent mass storage device such as a disk drive. Here, a non-volatile mass storage device such as a ROM and a disk drive may be included in the computer device 200 as a separate permanent storage device distinct from the memory 210 . Also, the memory 210 may store an operating system and at least one program code. These software components may be loaded into the memory 210 from a computer-readable recording medium separate from the memory 210 . The separate computer-readable recording medium may include a computer-readable recording medium such as a floppy drive, a disk, a tape, a DVD/CD-ROM drive, and a memory card. In another embodiment, the software components may be loaded into the memory 210 through the communication interface 230 instead of a computer-readable recording medium. For example, the software components may be loaded into the memory 210 of the computer device 200 based on a computer program installed by files received through the network 170 .

The processor 220 may be configured to process instructions of a computer program by performing basic arithmetic, logic, and input/output operations. The instructions may be provided to the processor 220 by the memory 210 or the communication interface 230 . For example, the processor 220 may be configured to execute a received instruction according to a program code stored in a recording device such as the memory 210 .

The communication interface 230 may provide a function for the computer device 200 to communicate with other devices (eg, the storage devices described above) through the network 170 . For example, a request, command, data, file, etc. generated by the processor 220 of the computer device 200 according to a program code stored in a recording device such as the memory 210 is transmitted to the network ( 170) to other devices. Conversely, signals, commands, data, files, etc. from other devices may be received by the computer device 200 through the communication interface 230 of the computer device 200 via the network 170 . A signal, command, or data received through the communication interface 230 may be transmitted to the processor 220 or the memory 210 , and the file may be a storage medium (described above) that the computer device 200 may further include. persistent storage).

The input/output interface 240 may be a means for an interface with the input/output device 250 . For example, the input device may include a device such as a microphone, keyboard, or mouse, and the output device may include a device such as a display or a speaker. As another example, the input/output interface 240 may be a means for an interface with a device in which functions for input and output are integrated into one, such as a touch screen. The input/output device 250 may be configured as one device with the computer device 200 .

Also, in other embodiments, the computer device 200 may include fewer or more components than those of FIG. 2 . However, there is no need to clearly show most of the prior art components. For example, the computer device 200 may be implemented to include at least a portion of the above-described input/output device 250 or may further include other components such as a transceiver and a database.

3 is a flowchart illustrating an example of a method for collecting patterns of open source software according to an embodiment of the present invention. The method according to the present embodiment may be included in the license verification method according to the embodiment, and may be performed by the computer device 200 described above. For example, the processor 220 of the computer device 200 may be implemented to execute a control instruction according to a code of an operating system included in the memory 210 or a code of at least one program. Here, the processor 220 causes the computer device 200 to perform steps 310 to 340 included in the method of FIG. 3 according to a control command provided by a code stored in the computer device 200 . can control

In step 310 , the computer device 200 may download open source software. For example, the computer device 200 may download a plurality of open source software from at least one of a plurality of sites sharing the source code of the open source software, For the following steps 320 to 340 may be performed.

In step 320, the computer device 200 may extract method call information from the downloaded open source software. For example, method call information is information required to call a specific method, and in Java code, it may include a class path name, a class name, a method name, the number of method arguments, and the type of each argument. In this case, the computer device 200 may extract at least a class path name, a class name, and a method name as the method call information. According to an embodiment, at least one of the number of method arguments and the types of each argument may be further extracted as method call information.

In operation 330, the computer device 200 may generate a pattern in the form of a preset code using the extracted method call information. For example, the computer device 200 may generate a pattern in the form of a smali code used in an Android application package (APK) file, which is a package file for an Android application, by using the extracted method call information. As will be described in more detail later, the smali code type pattern may include a class path name, a class name, and a method name.

In operation 340, the computer device 200 may store the generated pattern in a database in association with an identifier of the corresponding open source software. For example, the identifier of the open source software may be a name of the corresponding open source software. In addition, at least one pattern may be generated for each of the plurality of downloaded open source software, and the generated patterns may be stored in a database in association with an identifier of each of the plurality of open source software.

4 is a flowchart illustrating an example of a method of checking whether open source software is used using a pattern according to an embodiment of the present invention. The method according to the present embodiment may also be included in the license verification method according to the embodiment. For example, after patterns for each of various open source software are created and databased through the method according to the embodiment of FIG. 3 , open source software inspection is performed for a specific application through the method according to the embodiment of FIG. 4 . can be performed. The method according to the present embodiment may also be performed by the computer device 200 described above. For example, the processor 220 of the computer device 200 may be implemented to execute a control instruction according to a code of an operating system included in the memory 210 or a code of at least one program. Here, the processor 220 causes the computer device 200 to perform the steps 410 to 440 included in the method of FIG. 4 according to a control command provided by the code stored in the computer device 200 . can control

In step 410, the computer device 200 may receive a package file to be tested. For example, when an Android application is the target of inspection, the computer device 200 may receive an APK file for installing and driving the Android application.

In step 420 , the computer device 200 may extract an executable file of the package file. In the above-described example of the Android application, the computer device 200 may extract a Dalvik Executable (DEX) file such as 'classes.dex' as an executable file by decompressing the input APK file. After decompression, the dex file exists in the root path of the uncompressed directory.

In step 430 , the computer device 200 may convert the extracted executable file into a preset code form. For example, when using the smali code form described in FIG. 3 , the computer device 200 may convert an executable file into smali code using the baksmali library. If the baksmali library is built-in in apktool, which is a tool for decompressing the APK file in step 420 , compression of the APK file and conversion of the dex file into smali code may be simultaneously performed.

In step 440 , the computer device 200 may extract method call information from an executable file converted into a preset code form. At this time, the extracted method call information may have the same or similar form as the pattern generated in step 330 of FIG. 3 because the executable file has already been converted into a preset code form, and at least a class path name, class name, and method name. may include According to an embodiment, at least one of the number of method arguments and the types of each argument may be further included in the method call information extracted in step 440 .

In step 450 , the computer device 200 may compare the extracted method call information with a pattern stored in a database. At this time, if there is a pattern matching the extracted method call information (or including the extracted method call information) in the database, the data input in step 410 according to the identifier of the open source software stored in the database corresponding to the pattern exists. You can see that the package file uses the corresponding open source software.

Thereafter, the computer device 200 may provide an identifier of the searched open source software and license information matched to the corresponding open source software. In this case, the administrator can determine which open source software the package file to be searched uses and which license is applied.

5 is a diagram illustrating an example of generating a smali code type pattern from a source code of an open source software according to an embodiment of the present invention. 5 is an example of open source software, and shows examples of Java code 520 included in Java code files 'Square.java' 510 and 'Square.java' 510 for the open source software. According to the Java code 520 , the 'Square' class shown in the second dotted box 522 is defined in the package path of 'com.sample.math' shown in the first dotted box 521, and 'Square' It can be seen that the class includes the 'getWidth()' method shown in the third dotted line box 523 .

The computer device 200 extracts the package path name 'com.sample.math', the class name 'Square', and the method name 'getWidth()' as method call information from the Java code 520 in step 320, respectively. can

In this case, the computer device 200 may generate information 530 in the form of a corresponding smali code as shown in FIG. 5 by using the information extracted in step 330 . The 'invoke-virtual' command in the smali code form information 530 is a command for calling a virtual method in the smali code form, and in this case, the called method must not be a static method, a private method, a final method, or a constructor method. 'v0' is the instance of the class, the 'L' in front of the class path name 'com.sample.math' can mean that the class is an object type, and the 'V' after the method name 'getWidth()' is the return type. It may mean that it is void. In addition, the 'invoke-super' command to call the virtual method of the parent class, the 'invoke-direct' command to call the direct method B, the 'invoke-static' command to call the static method, and the 'invoke- command to call the interface method. interface' command may be used. In this case, the method called through the 'invoke-super' command must not be a static method, a private method, a final method, or a constructor method. Also, the method called through the 'invoke-direct' command must not be a static method, and the 'invoke-direct' command can be used to call methods that cannot be overridden, such as private methods and constructor methods. .

In this case, when 'getWidth()' of the 'Square' class is called through the 'com.sample.math' class path in the executable file of a specific package file, the Java code file 'Square.java' (510) is included. You will know that you are using open source software.

Since the package name, which is the path of the class, generally contains unique names such as company name and software name, the risk of duplication is low, and when a pattern is generated and inspected for two or more classes and methods, the probability of false positives is close to zero.

In this case, the computer device 200 may store, for example, 'Lcom/sample/math/Square;->getWidth()V' shown in the fourth dotted line box 540 as a pattern in the database.

6 and 7 are diagrams illustrating an example of converting a Dex file into a smali code according to an embodiment of the present invention. The first box 610 of FIG. 6 shows a part of the code of the dex file 'classes.dex', and the second box 620 of FIG. 7 is the result of converting the dex file 'classes.dex' using the baksmali library. Some of the codes of the smali file 'class.smali' are shown. For example, the computer device 200 converts the dex file 'classes.dex' into the smali file 'class.smali' through a command such as '$ java -jar baksmali.jar -o <output directory> classes.dex' can do.

In this case, the computer device 200 may identify a code for calling a method through the 'invoke-virtual' command in the converted smali file 'class.smali', and extract method call information from the code.

8 is a diagram illustrating an example of a Java code and a smali code corresponding to the Java code according to an embodiment of the present invention. In FIG. 7 , the first box 710 shows an example of Java code that outputs a simple message “Toast Hello” to the screen using 'Toast' of Android, and the second box 720 is the first box 710 ) of Java code is converted into smali code. Actually, after converting the Java code into the code form of the dex file, a process of converting the dex file back into the form of a smali file is required as shown in FIG. 6 .

At this time, as shown in the dotted line box 830, looking at the code for calling the method 'show()' of the class 'Toast', 'v1' is an instance of the class 'Toast', and 'android/widget/Toast' is Class path and class, 'show()' indicates method, and 'V' indicates return type void. As such, the computer device 200 is able to extract method call information from the executable code converted to the smali code form, and preferably for comparison with the pattern stored in the database in FIG. 3 "Landroid/widget/Toast; ->show()V", method call information can be extracted.

The computer device 200 may compare the extracted method call information with the pattern read from the database to determine whether it is a match. It can be determined that the package file used is using the corresponding open source software. Since the package name (class path name), class name, and method name mean a company name and function name, respectively, the risk of duplication is small, but if there is a risk of duplication, the probability of false positives can be reduced by comparing two or more patterns.

In addition, when it is determined that the package file uses the corresponding open source software, the computer device 200 includes an identifier (eg, an open source software name) of the corresponding open source software and a license used in the corresponding open source software. An identifier (eg, a license name) may be provided.

Hereinafter, an embodiment in which the license is verified by comparing the form according to the structure of the package file will be described.

9 is a flowchart illustrating an example of a method of collecting the structure of a package file as a pattern of an open source software according to an embodiment of the present invention. The method according to the present embodiment may be included in the license verification method according to the embodiment, and may be performed by the computer device 200 described above. For example, the processor 220 of the computer device 200 may be implemented to execute a control instruction according to a code of an operating system included in the memory 210 or a code of at least one program. Here, the processor 220 causes the computer device 200 to perform steps 910 to 940 included in the method of FIG. 9 according to a control command provided by a code stored in the computer device 200 . can control

In step 910 , the computer device 200 may download open source software. For example, the computer device 200 may download a plurality of open source software from various sites sharing the source code of the open source software, and the following step 920 for each of the plurality of downloaded open source software ) to step 940 may be performed. This step 910 may correspond to the step 310 described with reference to FIG. 3 , and when the license verification method includes both the method of FIG. 3 and the method of FIG. 9 , steps 310 and 910 are the same. may be a step.

In operation 920, the computer device 200 may generate data of a tree structure corresponding to the directory structure of the downloaded open source software. Java source code collects Java classes with similar characteristics and creates directories to classify them. The form of such a directory structure may be a characteristic of open source software and may be expressed as a tree structure. For example, a directory may be a branch node, and Java code files stored in the directory may be expressed as a leaf node. The directory structure and tree structure will be described in more detail later.

In operation 930 , the computer device 200 may align the nodes of the generated tree structure. The arrangement of nodes in the tree structure may be performed later to compare whether they coincide with another tree structure, and may be omitted according to embodiments. A detailed sorting method will be described in more detail later.

In operation 940, the computer device 200 may store the sorted tree-structured data in a database in association with the identifier of the corresponding open source software. The tree-structured data may be stored in the database as it is, but in consideration of the complexity of the tree-structured database, it may be serialized and stored. Serialization of data in such a tree structure will be described in more detail later.

In addition, data of such a tree structure may be generated for each of the plurality of open source software to be downloaded, and the generated data of the tree structure may be stored in a database in association with identifiers of each of the plurality of open source software.

10 is a flowchart illustrating an example of a method of checking whether an open source software is used by comparing a shape according to a structure of a package file according to an embodiment of the present invention. The method according to the present embodiment may also be included in the license verification method according to the embodiment. For example, after data of a tree structure is generated and databased for each of various open source software through the method according to the embodiment of FIG. 9 , open source for a specific application through the method according to the embodiment of FIG. 10 . A software check may be performed. The method according to the present embodiment may also be performed by the computer device 200 described above. For example, the processor 220 of the computer device 200 may be implemented to execute a control instruction according to a code of an operating system included in the memory 210 or a code of at least one program. Here, the processor 220 causes the computer device 200 to perform steps 1010 to 1040 included in the method of FIG. 10 according to a control command provided by a code stored in the computer device 200 . can control

In operation 1010, the computer device 200 may receive a package file to be tested. For example, when an Android application is the target of inspection, the computer device 200 may receive an APK file for installing and driving the Android application.

In operation 1020 , the computer device 200 may generate tree-structured data corresponding to the directory structure of the input package file. This step 1020 may be the same as the process of generating data of a tree structure in step 920 .

In operation 1030, the computer device 200 may align the nodes of the generated tree structure. This step 1030 may be the same as the process of arranging data in a tree structure in step 930 .

In operation 1040, the computer device 200 may compare the sorted tree-structured data with the tree-structured data stored in the database. At this time, when the data of the tree structure extracted from the database and the data of the tree structure sorted in step 1030 match, the computer device 200 is inputted in step 1010 through the identifier of the open source software stored in the database. You can see that the package file uses the corresponding open source software.

Thereafter, the computer device 200 may provide an identifier of the searched open source software and license information matched to the corresponding open source software. In this case, the administrator can determine which open source software the package file to be searched uses and which license is applied.

If obfuscation is applied to the string in the package file, the class path name, class name, method name, etc. may be changed. However, in this embodiment, rather than comparing the contents of the source code, since the use of open source software is checked based on the directory and the structure of the package file such as the Java code file stored in the directory, even when obfuscation is applied to the package file can be used

11 is a diagram showing an example of a directory structure of a package file according to an embodiment of the present invention, and FIG. 12 is a diagram showing an example of a tree structure corresponding to the directory structure according to an embodiment of the present invention to be.

First, FIG. 11 shows nine directories and eight Java code files as an example of a directory structure of a package file. In this case, in FIG. 12 , the directory is expressed as a circle-shaped branch node, and the Java code file is expressed as a square-shaped leaf node. In this case, the first number in the circle may mean a degree that is the number of child nodes, and the second number may mean the sum of degrees that is the number of all nodes below it. For example, the first directory 'com' of FIG. 11 is expressed as a root node having order 1 and order sum 16 in FIG. 12 . The second directory 'sample' of FIG. 11 is expressed as a branch node having order 1 and order sum 15 in FIG. 12 . In addition, when the depth of the root node is 0 in FIG. 12 , the first Java code file 'Internet.java' of FIG. 11 is expressed as a first leaf node having a depth of 5 and a rectangular shape.

As such, the computer device 200 may generate tree-structured data while traversing the directory structure of the package file of FIG. 11 from left to right and from top to bottom. As already described, a branch node may mean a directory, and may have a branch node or a leaf node as a sub-node (child node). Each node may have degree and order sum information. Also, a leaf node can mean a Java code file and cannot have child nodes. Information on the class may be included, and information on the included class includes the number of member variables, the number of member functions, the signature of each member function, the method return type, the number of arguments, and corresponding information among the types of each argument. may include. For example, in the code 'public static void main(String[] args), the return type is 'void', the number of arguments is 2, and the argument types are 'String[]' and 'args'.

As already described, the alignment of the tree structure may be performed in order to compare whether the tree structure coincides with another tree structure later. As a criterion for sorting, a branch node may have a higher priority than a leaf node, and branch nodes having the same parent may be sorted in descending or ascending order using a degree. Branch nodes having the same degree among branch nodes sorted using the degree may be sorted in descending order or ascending order using the degree sum. Leaf nodes with the same parent can be sorted in descending or ascending order based on the number of methods (number of member functions). The sorting method is not limited to the above-described embodiment as long as the sorting method can be applied in the same way to the tree structure generated for the directory structure of the open source software and the tree structure generated for the directory structure of the package file.

13 is a diagram illustrating an example of an ordered tree structure according to an embodiment of the present invention. Comparing FIGS. 12 and 13 , the second branch node 1220 is the first branch node 1210 because the degree of the first branch node 1210 is 1 and the degree of the second branch node 1220 is 2 . ) shows an example arranged to be placed on the left. According to the arrangement change between the first branch node 1210 and the second branch node 1220 , it can be seen that all the nodes of the tree structure are arranged according to the above-described arrangement method.

Also, the computer device 200 may serialize data of a tree structure using Java object serialization and then store the data in a database. More specifically, the computer device 200 traverses the directory, makes each directory a Java object, and stores objects arranged in descending or ascending order according to the order. In order to store a tree-structured nonlinear data structure in a relational database, the implementation becomes complicated because the parent and child relationship of each node must be checked and then stored in the database. Accordingly, in order to easily store this, the computer device 200 may serialize the tree-structured data using Java object serialization based on the root node and then store it in the database. At this time, the objects required for storage must implement 'java.io.Serializable', and information necessary for storage must be entered as a member variable. In the case of a branch node object, the degree, sum of degrees, parent node information, and child node information can be defined as member variables. In the case of a leaf node, the number of member variables, the number of member functions, and the signature of each member function (method return type) , number of arguments, type of each argument), and parent node information can be defined as member variables.

Table 1 below shows an example of information defining the relationship between parent and child, Table 2 shows an example of information defining a branch node, and Table 3 shows an example of information defining a leaf node.

public class Node<T> implements Serializable { private T data; private Node<T> parent; private List<Node<T>> children;

public class Branch { private int degree; //degree private int degreeSum; // order sum

public class Leaf { private int cntField; //Number of member variables private int cntMethod; //Number of methods private List<MethodSignature> methodList; // Signature of each member function

14 is a diagram illustrating an example of serialized and stored data according to an embodiment of the present invention. The Java serialization process may be a process of transforming data into continuous data to write an object to the heap area of memory created in the form of a class. It may be a process of transformation into The serialized and stored data may be stored in a form that is difficult for a human to recognize as shown in FIG. 14 .

In order to determine whether open source software is used for the package file to be inspected, the computer device 200 may first traverse the sub-directories from the root directory of the package file to generate and sort data in a tree structure. . Also, the computer device 200 may deserialize serialized data stored in the database and read it into the memory 210 . The deserialization process may be the opposite of the serialization process. When the deserialization process is completed, an object is created in the form before serialization and can be loaded into the heap area of memory. The computer device 200 may use this object to compare two tree structures.

15 and 16 are diagrams illustrating a comparative example of a tree structure according to an embodiment of the present invention. A dotted line box 1510 of FIG. 15 shows an example of a tree structure (hereinafter, referred to as an 'open source tree structure') corresponding to the directory structure of the open source software. In addition, the first dotted line box 1610 of FIG. 16 shows an example of a tree structure (hereinafter, referred to as a 'package file tree structure') corresponding to the directory structure of the package file. In this case, the second dotted line box 1620 of FIG. 16 indicates a subtree structure that matches the tree structure indicated by the dotted line box 1510 of FIG. 15 .

For example, the computer device 200 may traverse the nodes of the package file tree structure and find a node that matches information (degree, sum of degrees) of the root node of the open source tree structure. When a matching node is found, the subtree including the found node and the open source tree structure can be traversed and compared. Branch node comparison can compare whether node information (degree, sum of degrees) matches, and leaf node comparison can determine whether or not the match is made by comparing the number of member variables, number of member functions, and signatures of each member function. can However, in the function signature comparison, only Java primitive types are compared, and non-primitive types may not be included in the comparison target because there is a possibility of obfuscation.

The two embodiments described above (the embodiment using the pattern described with reference to FIGS. 3 to 8 and the embodiment using the tree structure described with reference to FIGS. 9 to 16) may be used individually or in combination. . For example, when obfuscation is not applied to a package file to be inspected, an embodiment using a pattern may be applied, and when obfuscation is applied to a package file, an embodiment using a tree structure may be applied.

As described above, according to the embodiments of the present invention, it is possible to verify the license of the open source software even through the binary code in the built state without the developer's source code by using a preset code form such as smali code in the Android environment. can In addition, the license of the open source software can be verified even for the code whose string is obfuscated by comparing the shape according to the structure of the package file.

The system or apparatus described above may be implemented as a hardware component, a software component, or a combination of a hardware component and a software component. For example, devices and components described in the embodiments may include, for example, a processor, a controller, an arithmetic logic unit (ALU), a digital signal processor, a microcomputer, a field programmable gate array (FPGA). , a programmable logic unit (PLU), microprocessor, or any other device capable of executing and responding to instructions, may be implemented using one or more general purpose or special purpose computers. The processing device may execute an operating system (OS) and one or more software applications running on the operating system. The processing device may also access, store, manipulate, process, and generate data in response to execution of the software. For convenience of understanding, although one processing device is sometimes described as being used, one of ordinary skill in the art will recognize that the processing device includes a plurality of processing elements and/or a plurality of types of processing elements. It can be seen that may include For example, the processing device may include a plurality of processors or one processor and one controller. Other processing configurations are also possible, such as parallel processors.

The software may comprise a computer program, code, instructions, or a combination of one or more thereof, which configures a processing device to operate as desired or is independently or collectively processed You can command the device. The software and/or data may be any kind of machine, component, physical device, virtual equipment, computer storage medium or device, to be interpreted by or to provide instructions or data to the processing device. may be embodied in The software may be distributed over networked computer systems and stored or executed in a distributed manner. Software and data may be stored in one or more computer-readable recording media.

The method according to the embodiment may be implemented in the form of program instructions that can be executed through various computer means and recorded in a computer-readable medium. The computer-readable medium may include program instructions, data files, data structures, etc. alone or in combination. The program instructions recorded on the medium may be specially designed and configured for the embodiment, or may be known and available to those skilled in the art of computer software. Examples of the computer-readable recording medium include magnetic media such as hard disks, floppy disks and magnetic tapes, optical media such as CD-ROMs and DVDs, and magnetic media such as floppy disks. - includes magneto-optical media, and hardware devices specially configured to store and execute program instructions, such as ROM, RAM, flash memory, and the like. Such a recording medium may be various recording means or storage means in the form of a single or a combination of several hardware, and is not limited to a medium directly connected to any computer system, and may be distributed over a network. Examples of program instructions include not only machine language codes such as those generated by a compiler, but also high-level language codes that can be executed by a computer using an interpreter or the like.

Modes for carrying out the invention

As described above, although the embodiments have been described with reference to the limited embodiments and drawings, various modifications and variations are possible by those skilled in the art from the above description. For example, the described techniques are performed in a different order than the described method, and/or the described components of the system, structure, apparatus, circuit, etc. are combined or combined in a different form than the described method, or other components Or substituted or substituted by equivalents may achieve an appropriate result.

Therefore, other implementations, other embodiments, and equivalents to the claims are also within the scope of the following claims.

Claims (18)

In the license verification method,
receiving a package file to be inspected;
extracting an executable file of the package file;
converting the extracted executable file into a preset code form;
extracting first method call information from the executable file converted into the preset code form; and
Comparing the extracted first method call information with a pattern stored in a database
including,
In the database, the pattern in the form of a preset code generated using the second method call information extracted from the open source software is stored in association with the identifier of the corresponding open source software.
License verification method, characterized in that. According to claim 1,
The first method call information and the second method call information are information required to call a specific method, and include a class path name, a class name, and a method name in Java code. . According to claim 1,
The preset code form includes a smali code form used in an APK (Android application package) file that is a package file for an Android application,
The pattern is generated in a form including the second method call information required to extract a method from the smali code form. delete According to claim 1,
The comparing step is
License verification method, characterized in that the search for a pattern including the first method call information in the database. According to claim 1,
When the pattern including the first method call information exists in the database, providing an identifier of an open source software stored in the database and an identifier of a license used in the open source software in association with the existing pattern
License verification method, characterized in that it further comprises. According to claim 1,
More than one pattern is created for one open source software,
The comparing step is
Comparing the two or more first method call information extracted from the executable file converted into the preset code form with the two or more patterns, respectively
License verification method, characterized in that. In the license verification method,
receiving a package file to be inspected;
generating data of a first tree structure corresponding to the directory structure of the input package file; and
Comparing the data of the first tree structure with the data of the second tree structure stored in the database
including,
In the database, the data of the second tree structure corresponding to the directory structure of the open source software is stored in association with the identifier of the open source software.
License verification method, characterized in that. 9. The method of claim 8,
The data of the second tree structure includes a directory of the directory structure as a branch node, and a Java code file of the directory structure as a leaf node. 10. The method of claim 9,
The branch node includes a degree corresponding to the number of child nodes and a degree sum corresponding to the number of all lower nodes,
wherein the leaf node includes the number of member variables, the number of member functions, and the signature of each member function of a corresponding Java code file. 9. The method of claim 8,
The license verification method, characterized in that the nodes of the second tree structure are arranged. 9. The method of claim 8,
The nodes of the second tree structure are arranged based on the degree and sum of degrees included in each of the branch nodes of branch nodes having the same parent included in the second tree structure, and the same branch nodes included in the second tree structure are identical. A method of verifying a license, characterized in that leaf nodes having a parent are sorted based on the number of member functions of a Java code file corresponding to each of the leaf nodes. 9. The method of claim 8,
The license verification method, characterized in that the data of the second tree structure is serialized and stored in the database using Java object serialization. 14. The method of claim 13,
In the Java object serialization, each of the nodes of the second tree structure is defined as a Java object, and the data of the second tree structure is transformed into data of a continuous Java object. delete 9. The method of claim 8,
The comparing step is
The license verification method, characterized in that it is checked whether the data of the second tree structure is included as data of the subtree structure of the first tree structure. 17. The method of claim 16,
The comparing step is
Comparison between degrees and sums of degrees included in branch nodes of the first tree structure and the second tree structure, the number of member variables included in the leaf nodes of the first tree structure and the second tree structure, and the number of member functions and comparing the data of the first tree structure with the data of the second tree structure stored in the database based on the comparison between the signatures of each member function. A computer-readable recording medium in which a program for executing the method of any one of claims 1 to 3, 5 to 14, 16 or 17 in a computer is recorded.

Images