Summary of the invention
In view of the deficiencies of the prior art, the technical problem to be solved by the present invention is to provide an anti-cracking method and system for mobile phone applications that can effectively prevent the applications on a mobile phone from being cracked.
To solve the above technical problem, the invention adopts the following technical solution:
A packing (shell-adding) and encryption method for a mobile phone application, comprising the following steps:
(1) segmenting the executable body of the application to be packed and encrypted, and determining, according to the preset protection strength of the application, the segments that need to be packed and encrypted;
(2) generating the key m and the public key r / private key r pair used for packing and encryption, and using key m and private key r respectively to pack and to encrypt the segments determined to need packing and encryption;
(3) combining the file header, the shell program and the application executable segments into a file F, where the file header contains the position information of the packed and encrypted executable segments, the packing mode identifier and the encryption algorithm identifier.
In the packing and encryption method described above, the protection strength in step (1) is divided into several levels; the higher the level, the more segments are packed and encrypted. A corresponding number of segments is selected at random for packing and encryption according to the protection strength of the application.
In the packing and encryption method described above, the key m in step (2) is generated by computing a byte sum over part of the executable segments that precede the packed executable segment; if the encryption strength is high, more of the preceding executable segments are used in the computation, otherwise fewer are used.
The packing and encryption method described above further comprises the step of synthesizing a key k and using key k to encrypt the public key r. Key k is synthesized from the user's unique code.
The packing and encryption method described above further comprises the step of storing, in an authorization file, the correspondence between the encrypted application and the public key r used to encrypt that application.
The packing and encryption method described above further comprises the step of digitally signing file F using the public key r; the file header then also contains digital signature authentication information.
A packing and encryption system for a mobile phone application, comprising a setting device for setting the segmentation mode of the application executable body, the packing mode used to pack the executable segments, the encryption algorithm used to encrypt the executable segments, the shell program library, and the protection strength of the application;
a preprocessing device for scanning the application installation package, analyzing the call relationships between the parts of the application, and identifying the application executable body files;
a segmentation device for dividing the application executable body into several segments according to the set segmentation mode, and determining, according to the protection strength set for the application, the executable segments that need to be packed and encrypted;
a packing device for synthesizing the key m used for packing, and using key m to pack the executable segments that need packing according to the set packing mode;
a segment encryption device for generating a public key r / private key r pair, and using private key r to encrypt the executable segments that need encryption;
a synthesis device for combining the file header of the application executable body file, the shell program, and the packed and encrypted executable segments into a file F.
The packing and encryption system described above further comprises a digital signature device for digitally signing file F using private key r.
The packing and encryption system described above further comprises a public key encryption device for synthesizing a key k from the application number or ID and the user's unique code, and using key k to encrypt the public key r.
An unpacking and decryption method for a packed and encrypted mobile phone application, comprising the following steps:
(1) if file F has been digitally signed, first authenticating the digital signature; if verification passes, proceeding to the next step, otherwise ending; if file F has not been digitally signed, proceeding directly to the next step;
(2) obtaining the public key r corresponding to the application; if public key r has been encrypted with key k, first synthesizing the key k that decrypts public key r and using key k to decrypt it; if public key r is not encrypted, proceeding directly to the next step;
(3) using public key r to decrypt the encrypted application executable segments;
(4) synthesizing the key m used for unpacking and restoration, and using key m to unpack the packed application executable segments.
An unpacking and decryption system for a packed and encrypted mobile phone application, comprising a segment decryption device for obtaining the corresponding decryption algorithm according to the encryption algorithm identifier recorded in the file header of the application executable body file, and using public key r with that decryption algorithm to decrypt the encrypted executable segments identified in the file header;
an unpacking device for synthesizing the key m used for unpacking and restoration, obtaining the corresponding unpacking mode according to the packing mode identifier recorded in the file header of the packed and encrypted application executable body file, and using key m with that unpacking mode to unpack the packed executable segments identified in the file header.
The unpacking and decryption system described above further comprises a digital signature authentication device for using public key r to authenticate the digital signature of the application to be decrypted and unpacked.
The unpacking and decryption system described above further comprises a public key decryption device for obtaining the encrypted public key r corresponding to the application from the authorization file, synthesizing, from the number or ID of the application to be decrypted and unpacked and the user's unique code, the key k that decrypts the encrypted public key r, and using key k to decrypt the encrypted public key r.
A runtime system for a packed and encrypted mobile phone application, comprising a launch device, a secure runtime device and a shell device:
The launch device is used to start the application; the shell device in the application starts first.
The secure runtime device comprises a load-and-run unit for loading and running the application, and a decryption unit for obtaining the encrypted public key r corresponding to the application from the authorization file, synthesizing the key k that decrypts public key r, using key k to decrypt public key r, and then using the decrypted public key r to decrypt and restore the encrypted executable segments according to the encrypted-segment position identifiers in the file header.
The shell device is added to the application and comprises a load-and-start unit for loading into the secure runtime device the security libraries the application may depend on, the unpacking unit, the application executable segments and the memory wiping unit; an unpacking unit for unpacking the application executable segments in the manner described in claim 7; and a memory wiping unit for wiping application executable segments that have already been executed from memory.
In the runtime system described above, the secure runtime device further comprises a shell device configuration unit for configuring the transformation mode of the shell device according to the shell-device transformation identifier in the file header of the application executable body file; the shell device further comprises a transformation unit for transforming its own structure according to the transformation mode configured by the shell device configuration unit of the secure runtime device.
In the runtime system described above, the secure runtime device goes dormant when it is not needed and keeps only a small amount of necessary data in memory.
In the runtime system described above, the secure runtime device further comprises a digital signature authentication unit A for using public key 2 to authenticate the digital signature of the secure runtime device; the shell device further comprises a digital signature authentication unit B for using public key r to authenticate the digital signature in the file header of the application executable body file; the load-and-start unit in the shell device is also used to load digital signature authentication unit B.
In the runtime system described above, the shell device further comprises an attack monitoring unit and an attack handling unit, and the load-and-start unit is also used to load the attack monitoring unit and the attack handling unit;
The attack monitoring unit is used to monitor application runtime anomalies, the signatures of debuggers, tracers and other cracking tools in memory, operating system debug anomalies, and processor debug anomalies;
The attack handling unit is used to enter attack handling mode in response to the attack monitoring unit, and to handle the attack according to the attack determination made by the attack monitoring unit.
A method for running a packed and encrypted mobile phone application, comprising the following steps:
(1) the launch device starts the application, and the shell device added to the application starts first;
(2) the shell device activates the secure runtime device and loads the application into the secure runtime device;
(3) the secure runtime device obtains the authorization file; if the application executable segment about to be executed is encrypted, the decryption unit is first called to decrypt it;
(4) if the application executable segment about to be executed has been packed, the shell device first calls the unpacking unit to unpack it;
(5) the application executable body is run inside the secure runtime device;
(6) while the application executable body is running, the shell device loads and starts the memory wiping unit, which wipes the application executable segments that have already been executed from memory; the shell device loads and starts the attack monitoring unit, which monitors application runtime anomalies, the signatures of debuggers, tracers and other cracking tools in memory, operating system debug anomalies and processor debug anomalies; when the attack monitoring unit detects an anomaly, the shell device starts the attack handling unit, which handles the attack according to the determination made by the attack monitoring unit.
In the running method described above, step (2) further comprises the shell device using public key 2 to authenticate the digital signature of the secure runtime device; if authentication passes, execution continues; otherwise exception handling is performed.
In the running method described above, step (3) further comprises, before the application executable segments are decrypted, reading the file header of the application executable body file and using public key r to authenticate the digital signature of the application; if authentication passes, the application is executed in the order of its executable segments; otherwise the application exits the secure runtime device.
The running method described above further comprises the step of the secure runtime device configuring the transformation mode of the shell device according to the shell-device transformation identifier in the file header of the application executable body file;
Before the application executable body is run in the secure runtime device, the method further comprises the step of the shell device transforming its own structure according to that transformation mode.
The transformation modes comprise instruction order transformation, register transformation, NOP-instruction transformation, code obfuscation transformation and junk-instruction transformation.
By segmenting the executable body of a mobile phone application and packing and encrypting the segments, the method and system of the invention protect the application effectively while keeping the cost to the phone's performance as low as possible. The number of segments to encrypt is chosen according to the importance of the application, so the protection strength is controllable. Running the application inside the secure runtime system of the invention effectively prevents crackers from using cracking tools such as debuggers and tracers to crack it.
Embodiments
The invention is described below with reference to the embodiments and the accompanying drawings.
Embodiment 1
This embodiment describes a packing and encryption system and method for mobile phone applications. As shown in Figure 1, the system comprises a setting device 11, a preprocessing device 12, a segmentation device 13, a packing device 14, a segment encryption device 15, a file synthesis device 16, a digital signature device 17 and a public key encryption device 18.
The setting device 11 is used to set the segmentation mode of the application executable body, the packing mode used to pack the executable segments, the encryption algorithm used to encrypt the executable segments, the shell program library, and the protection strength of the application. The shell program library mainly contains the various shell templates, encryption algorithms, a program-control code library, anti-tracing mechanisms and so on. Its main function is to transform and encrypt the application (for example a Java program) and at the same time to embed some code and data into the protected application; this embedded code and data is called the "shell". Packing an application prevents an attacker from modifying the program's code or changing its control flow by static decompilation or dynamic tracing.
The preprocessing device 12 is used to scan the application installation package, analyze the call relationships between the parts of the application, and identify the application executable body files. The application executable body files comprise executable files and dynamic library files.
The segmentation device 13 is used to divide the application executable body into several segments according to the set segmentation mode, and to determine, according to the protection strength set for the application, the executable segments that need to be packed and encrypted.
The packing device 14 is used to synthesize the key m used for packing, and to use key m to pack the executable segments that need packing according to the set packing mode. According to the type of the protected application and similar factors, the packing device 14 selects a suitable shell template and encryption algorithm from the shell program library, transforms the protected application and the shell template, and embeds the transformed shell template into the protected application. When the protected application is then executed, the embedded shell program gains control first; after initializing itself, the shell program applies the inverse transformation to the protected program and controls its execution, preventing an attacker from cracking the protected application by dynamic tracing.
The segment encryption device 15 is used to generate a public key r / private key r pair, and to use private key r to encrypt the executable segments that need encryption.
The synthesis device 16 is used to combine the file header of the application executable body file, the shell program, and the packed and encrypted executable segments into a file F.
The digital signature device 17 is used to digitally sign file F using private key r and to record the digital signature in the file header of the application executable body file. The file header contains: a header length identifier, the packing mode identifier, the position identifiers of the packed executable segments, the encryption algorithm identifier, the position identifiers of the encrypted executable segments, the digital signature, and space reserved for extension.
As shown in Figure 4, the method of packing and encrypting a smartphone application with the above system comprises the following steps:
(1) The segmentation device 13 segments the executable body of the application to be packed and encrypted, and determines, according to the protection strength set for the application, the number of segments that need to be packed and encrypted.
Before the application is packed and encrypted, the setting device 11 is first used to set the segmentation mode of the application executable body, the packing mode used to pack the executable segments, the encryption algorithm used to encrypt the executable segments, the shell program library, and the protection strength of the application. The preprocessing device 12 then scans the application installation package, analyzes the call relationships between the parts of the application, finds the application executable body files in the installation package (executable files and dynamic library files), and marks them. The call relationships are analyzed for two purposes: 1. to find the executable body files so that they can be given shell protection; 2. to determine the packing mode according to the type of each executable body file.
The protection strength of an application can be divided into several levels and set by jointly considering the performance of the smartphone and the importance of the application. If the smartphone performs well and the application is important, the protection strength can be raised; otherwise it is lowered. Different protection strengths are realized by packing and encrypting different numbers of executable segments: the protection strength is proportional to the number of executable segments that need to be packed and encrypted, that is, the higher the level, the more segments are packed and encrypted. For example, suppose the protection strength is divided into 10 levels and the application executable body into 100 segments. If the protection strength is set to 0, no segment is packed or encrypted; if it is set to 10, every segment is packed and encrypted; if it is set to 5, 50 segments are packed and encrypted. Clearly, the stronger the protection, the higher the demands on the smartphone's performance and the higher the security of the application.
(2) The packing device 14 generates a packing key m for each executable segment according to the application executable body to be packed and the protection strength, randomly selects the determined number of application executable segments, and uses key m to pack the randomly selected segments according to the set packing mode.
Key m is generated by computing a byte sum over part of the executable segments that precede the packed executable segment; if the encryption strength is high, more of the preceding executable segments are used in the computation, otherwise fewer are used. This effectively prevents an attacker from cracking the application by statically modifying the executable code: once any of the code in front of an encrypted executable body is modified, key m can no longer be obtained correctly and the encrypted executable body cannot be decrypted correctly.
(3) The segment encryption device 15 randomly generates a public key r / private key r pair, randomly selects the determined number of application executable segments, and uses private key r to encrypt the randomly selected segments.
The executable segments that are encrypted may include segments that have been packed as well as segments that have not; encryption is not applied only to the packed segments.
(4) The synthesis device 16 combines the file header, the shell program, and the packed and encrypted executable segments into file F in the specified order, and fills the relevant parameters into the file header. The signature device 17 then uses private key r to digitally sign the file header and shell program parts, and writes the digital signature into the file header. Finally, the application processed in this way is repackaged in its original format and a specific identifier is added to it. The specific identifier is represented by a file with a fixed name, and this identifier file contains the packing time, the version of the encryption program, the verification mode and so on. The specific identifier facilitates the distribution and installation of the protected program. In this embodiment, the structure of the packed and encrypted application executable body file is shown in Figure 6.
After the public key r / private key r pair has been generated, the correspondence between the number or ID of the encrypted application and public key r is stored in a Token File (authorization file); the Token File can be kept in a public key database. Preferably, public key r is encrypted. This is implemented as follows: the public key encryption device 18 synthesizes the key k that encrypts public key r from the application number or ID and the user's unique code, and uses key k to encrypt public key r. The user's unique code can be a user ID, a PIN, a handset identification code, or a SIM card identification code such as the phone's IMSI. The authorization file is associated with the user's unique code.
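Steps (1) and (2) of Embodiment 1 can be traced in code. The following Python sketch is an added example, not code from the patent: it splits a body into 100 segments, selects segments by protection level, derives key m from the byte sum of the preceding stored segments, and shows both the tamper dependency and the order-insensitivity of a plain byte sum next to a hashed variant. The SHAKE-256 XOR transform, the `lookback` parameter, the dictionary header and `key_m_hashed` are assumptions made for illustration.

```python
import hashlib
import random

LEVELS = 10  # the page's example divides protection strength into levels 0..10


def split_segments(body: bytes, count: int) -> list:
    """Split the executable body into exactly `count` contiguous segments."""
    base, extra = divmod(len(body), count)
    segments, pos = [], 0
    for i in range(count):
        size = base + (1 if i < extra else 0)
        segments.append(body[pos:pos + size])
        pos += size
    return segments


def select_segments(total: int, level: int, rng: random.Random) -> list:
    """Pick total*level/10 segment indexes at random (level 5 of 100 -> 50)."""
    if not 0 <= level <= LEVELS:
        raise ValueError("protection level must be 0..10")
    return sorted(rng.sample(range(total), total * level // LEVELS))


def key_m_byte_sum(stored: list, index: int, lookback: int) -> bytes:
    """Key m as the page describes it: byte sum of the `lookback` segments in front.
    Segment 0 has nothing in front of it, so its sum is 0."""
    front = stored[max(0, index - lookback):index]
    return sum(sum(seg) for seg in front).to_bytes(8, "big")


def key_m_hashed(stored: list, index: int, lookback: int) -> bytes:
    """Hardened variant (assumption, not in the page): SHA-256 of the same bytes."""
    front = stored[max(0, index - lookback):index]
    return hashlib.sha256(b"".join(front)).digest()


def shell_transform(segment: bytes, key_m: bytes) -> bytes:
    """Stand-in for the shell transform: XOR with a SHAKE-256 keystream (self-inverse)."""
    stream = hashlib.shake_256(key_m).digest(len(segment))
    return bytes(a ^ b for a, b in zip(segment, stream))


def pack(body, level, lookback, rng, count=100, derive=key_m_byte_sum):
    """Return (header, stored segments). Keys come from the stored bytes in front
    of each segment, so packing runs in ascending index order."""
    stored = split_segments(body, count)
    chosen = select_segments(count, level, rng)
    for i in chosen:
        stored[i] = shell_transform(stored[i], derive(stored, i, lookback))
    header = {"packed_positions": chosen, "lookback": lookback}
    return header, stored


def unpack(header, stored, derive=key_m_byte_sum):
    """Recover the body; a changed byte sum in front of a packed segment gives a
    different key m, so that segment comes out as garbage."""
    out = list(stored)
    for i in header["packed_positions"]:
        out[i] = shell_transform(stored[i], derive(stored, i, header["lookback"]))
    return b"".join(out)


if __name__ == "__main__":
    body = bytes((i * 7 + 3) % 256 for i in range(1000))  # constructed sample body
    # A real packer would draw from random.SystemRandom(); the seed keeps the demo repeatable.
    header, stored = pack(body, level=5, lookback=3, rng=random.Random(1))
    print(len(header["packed_positions"]), "segments packed;",
          "round trip ok:", unpack(header, stored) == body)
```

Because the sum ignores byte order, two inputs with the same bytes in a different order give the same `key_m_byte_sum` but different `key_m_hashed` values; passing `derive=key_m_hashed` to both `pack` and `unpack` uses the hashed form.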
Embodiment 2
This embodiment describes a decryption and unpacking system and method for a smartphone application that has been packed and encrypted with the method of Embodiment 1. As shown in Figure 2, the system comprises a digital signature authentication device 21, a public key decryption device 22, a segment decryption device 23 and an unpacking device 24.
The digital signature authentication device 21 is used to authenticate, using public key r, the digital signature of the application to be decrypted and unpacked.
The public key decryption device 22 is used to obtain the encrypted public key r corresponding to the application from the authorization file, to synthesize, from the number or ID of the application to be decrypted and unpacked and the user's unique code, the key k that decrypts the encrypted public key r, and to use key k to decrypt the encrypted public key r.
The segment decryption device 23 is used to obtain the corresponding decryption algorithm according to the encryption algorithm identifier recorded in the file header of the application executable body file, and to use public key r with that decryption algorithm to decrypt the encrypted executable segments identified in the file header.
The unpacking device 24 is used to synthesize the key m used for unpacking and restoration, to obtain the corresponding unpacking mode according to the packing mode identifier recorded in the file header of the packed and encrypted application executable body file, and to use key m with that unpacking mode to unpack the packed executable segments identified in the file header.
As shown in Figure 5, the method of decrypting and unpacking a packed and encrypted smartphone application with the above system comprises the following steps:
(1) The digital signature authentication device 21 authenticates the digital signature of the application to be decrypted and unpacked; if verification passes, the method proceeds to the next step, otherwise the decryption and unpacking process ends.
(2) The public key decryption device 22 obtains the encrypted public key r corresponding to the application from the authorization file, synthesizes, from the number or ID of the application to be decrypted and unpacked and the user's unique code, the key k that decrypts the encrypted public key r, and uses key k to decrypt the encrypted public key r.
(3) The segment decryption device 23 obtains the corresponding decryption algorithm according to the encryption algorithm identifier recorded in the file header of the application executable body file; the decryption algorithms are stored in a decryption algorithm library and can be looked up there or downloaded from the network. Public key r is then used with that decryption algorithm to decrypt the encrypted executable segments identified in the file header.
(4) The unpacking device 24 synthesizes the key m used for unpacking and restoration, and obtains the corresponding unpacking mode according to the packing mode identifier recorded in the file header of the application executable body file; the unpacking mode can be looked up locally or downloaded from the network. Key m is then used with that unpacking mode to unpack the packed executable segments identified in the file header. The unpacking process is shown in Figure 7.
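Step (2) above, together with the Token File paragraph of Embodiment 1, binds the stored public key r to one application and one user. The following Python sketch is an added example, not code from the patent, showing that binding with a standard-library stand-in: PBKDF2 for synthesizing key k, and a SHAKE-256 keystream with an HMAC tag in place of an authenticated cipher. The KDF choice, the salt label, the JSON layout of the Token File and all sample identifiers are assumptions.

```python
import hashlib
import hmac
import json


def derive_key_k(app_id: str, user_code: str) -> bytes:
    """Synthesize key k from the application ID and the user's unique code.
    Length prefixes keep ("ab", "c") and ("a", "bc") from producing the same key."""
    parts = (app_id.encode(), user_code.encode())
    material = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    # PBKDF2 and the fixed salt label are assumptions; the page names no KDF.
    return hashlib.pbkdf2_hmac("sha256", material, b"token-file/key-k", 100_000)


def _subkeys(key_k: bytes):
    """Split key k into independent encryption and MAC keys."""
    enc = hmac.new(key_k, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key_k, b"mac", hashlib.sha256).digest()
    return enc, mac


def _xor_stream(data: bytes, enc_key: bytes) -> bytes:
    """One-time keystream XOR; each key k wraps exactly one public key r."""
    stream = hashlib.shake_256(enc_key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def _tag(mac_key: bytes, app_id: str, ciphertext: bytes) -> str:
    """Authenticate the ciphertext together with the application ID it belongs to."""
    return hmac.new(mac_key, app_id.encode() + b"\x00" + ciphertext,
                    hashlib.sha256).hexdigest()


def add_token_entry(token_file: dict, app_id: str, user_code: str,
                    public_key_r: bytes) -> None:
    """Packing side: store app ID -> encrypted public key r in the Token File."""
    enc, mac = _subkeys(derive_key_k(app_id, user_code))
    ciphertext = _xor_stream(public_key_r, enc)
    token_file[app_id] = {"encrypted_r": ciphertext.hex(),
                          "tag": _tag(mac, app_id, ciphertext)}


def load_public_key_r(token_file: dict, app_id: str, user_code: str) -> bytes:
    """Device side: re-synthesize key k and recover public key r, refusing an
    entry that was made for another user code or another application."""
    entry = token_file.get(app_id)
    if entry is None:
        raise KeyError("no Token File entry for " + app_id)
    enc, mac = _subkeys(derive_key_k(app_id, user_code))
    ciphertext = bytes.fromhex(entry["encrypted_r"])
    if not hmac.compare_digest(_tag(mac, app_id, ciphertext), entry["tag"]):
        raise ValueError("key k does not match this Token File entry")
    return _xor_stream(ciphertext, enc)


if __name__ == "__main__":
    token_file = {}
    r = bytes(range(32))                       # constructed stand-in for public key r
    add_token_entry(token_file, "app-0001", "460001234567890", r)  # constructed IMSI
    token_file = json.loads(json.dumps(token_file))  # as read back from storage
    print(load_public_key_r(token_file, "app-0001", "460001234567890") == r)
```

The tag check makes a mismatched user code or application ID fail explicitly instead of handing a garbage key to the segment decryption step.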
Execution mode 3
Present embodiment has been put down in writing a kind of operational system and method that adopts execution mode 1 described method to add the smart mobile phone application program of shell and encryption.As shown in Figure 3, this system comprises starting drive 31, safe operation device 32 and housing apparatus 33.Safe operation device 32 and housing apparatus 33 can call mutually.Safe operation device 32 comprises load operating unit 321, digital signature identification unit 322, decrypting device 323, housing apparatus dispensing unit 324.Housing apparatus 33 is added in the application program, comprises converter unit 331, loading start unit 332, digital signature identification unit 333, shelling unit 334, internal memory flushing unit 335, attacks monitor unit 336 and attack processing unit 337.
Starting drive 31 is used to start application program, and the housing apparatus 33 in the application program at first starts.
Load operating unit 321 in the safe operation device 32 is used for the load operating application program.Digital signature identification unit 322 is used for reading the digital signature that application program is carried out the file header of body file, and the r application programs that uses public-key is carried out digital signature identification.Decrypting device 323 is used for obtaining from authority the PKI r of the encryption of application program correspondence, the synthetic key k that PKI r is decrypted, utilize described key k that PKI r is decrypted, utilize the PKI r after deciphering the execution body fragment of encrypting to be decrypted reduction again encrypting execution body fragment station location marker in the file header.Housing apparatus dispensing unit 324 is used for the pattern conversion according to file header housing apparatus conversion sign configuration housing apparatus.The safe operation device carries out dormancy when not required, preserves less necessary data in internal memory, to reduce the power consumption of processor and internal memory.
Converter unit 331 in housing apparatus 33 transforms the housing apparatus's own structure according to the conversion mode configured by the housing apparatus dispensing unit of the safe operation device. The conversion modes comprise: instruction sequence conversion, register conversion, do-nothing instruction conversion, code upset conversion and flower instruction conversion. Instruction sequence conversion reverses the order of instructions. Register conversion exchanges the registers used by different instructions. Do-nothing instruction conversion replaces the do-nothing (NOP) instructions in the shell template with functional instructions. Code upset conversion uses instructions in uncommon ways. Flower instruction (junk instruction) conversion inserts jump instructions before ordinary instructions. The main purpose of these conversion modes is to prevent an attacker from analyzing the protected program by static decompilation and thereby cracking it.
Loading start unit 332 loads into the safe operation device the security vault that the application may depend on, the shelling unit, the application execution body fragments, the digital signature identification unit, the attack monitor unit, the internal memory flushing unit and the attack processing unit. Digital signature identification unit 333 uses public key 2 to authenticate the digital signature of the safe operation device. Shelling unit 334 unshells the application execution body fragments in the manner described in execution mode 2. Internal memory flushing unit 335 flushes from memory the application execution body fragments that have already been executed, preventing a cracker from attacking by dumping memory. Attack monitor unit 336 monitors the application for running exceptions, memory for the signatures of debuggers, tracers and other cracking tools, operating system debugging exceptions, and processor debugging exceptions. The attack monitor unit treats the following anomalies as conditions of being attacked: 1. an application running exception, for example a do-nothing instruction, a null address, an unauthorized instruction or an unauthorized address; 2. data traces of a debugger, tracer or other cracking tool found in memory; 3. it determines in some way that it is itself being traced or monitored; 4. an operating system debugging exception is found; 5. a processor debugging exception is found. Attack processing unit 337 enters the attack handling mode in response to the attack monitor unit and handles the attack according to the attack monitor unit's attack determination.
The method by which the above operating system runs a shelled and encrypted application comprises the following steps:
(1) The starting drive starts the application, and the housing apparatus added to the application starts first.
(2) The housing apparatus activates the safe operation device. The housing apparatus uses public key 2 to authenticate the digital signature of the safe operation device (the safe operation device is digitally signed with private key 2, which corresponds to public key 2). If authentication passes, operation continues; if authentication fails, exception handling is performed. The safe operation device obtains the authority.
The safe operation device can also be activated by the phone's installer or launcher.
(3) The application is loaded into the safe operation device.
The application can be loaded by the housing apparatus, or by the phone's installer or launcher.
(4) The safe operation device reads in part of the application data, including the file header and the housing apparatus, and uses public key r to authenticate the application's digital signature. If authentication passes, the application is executed in the order of its execution body fragments; otherwise the application is withdrawn from the safe operation device.
(5) If the execution body fragment currently being executed is encrypted, the decrypting device is first called to decrypt it. For the decryption method, see execution mode 2.
(6) The safe operation device configures the conversion mode of the housing apparatus according to the housing apparatus conversion identifier in the file header. This mechanism makes the conversions of the housing apparatus more varied, so that a cracker has difficulty analyzing them and finding a pattern.
(7) The housing apparatus transforms its own structure according to the configured conversion mode.
(8) The housing apparatus loads the security vault that the application may depend on.
The security vault consists of multiple encryption and decryption algorithms. In use, the decryption algorithm corresponding to the encryption algorithm used at shelling time is selected from the security vault, so that the loading unit can correctly decrypt the execution body fragments that were encrypted at shelling time. The security vault can call further local libraries as it requires.
(9) The housing apparatus calls the shelling unit to unshell the application execution body fragments. For the unshelling method, see execution mode 2.
Key m is synthesized as follows: a computation is carried out over the shelled application execution body fragments that have already run, for example a checksum of the shelled fragments, and the result is the unshelling key m. If a cracker changes any of the data in the shelled execution body fragments that have already run, the checksum will be wrong, the unshelled execution body fragment data will be restored incorrectly, and the application will behave abnormally. The attack monitor unit can detect this kind of anomaly, and the attack processing unit handles it accordingly.
(10) The execution body of the application runs in the safe operation device. The running process is shown in Figure 8.
(11) While the application execution body is executing, the housing apparatus loads and starts the attack monitor unit and the internal memory flushing unit. The attack monitor unit monitors the application for running exceptions, memory for the signatures of debuggers, tracers and other cracking tools, operating system debugging exceptions, and processor debugging exceptions. The attack monitor unit treats the following anomalies as conditions of being attacked:
1. an application running exception, for example a do-nothing instruction, a null address, an unauthorized instruction or an unauthorized address;
2. data traces of a debugger, tracer or other cracking tool found in memory;
3. it judges that it is being traced or monitored by checking whether the trace and debug mechanism provided by the CPU or the Java virtual machine has automatic recovery capability;
4. an operating system debugging exception is found;
5. a processor debugging exception is found.
When the attack monitor unit detects an anomaly, the housing apparatus starts the attack processing unit, which handles the attack according to the attack monitor unit's determination. The attack monitor unit can scan and monitor the running environment on a time-sharing basis. For example, every 10~30 minutes, while the system is idle, the attack monitor unit actively scans memory to determine whether cracking tools such as debuggers and tracers are running.
(12) The internal memory flushing unit cleans up the application execution body.
1. Flushing the application initialization execution body.
The internal memory flushing unit flushes from memory the application initialization execution body fragments that have already been executed, preventing a cracker from attacking by dumping memory.
Every application begins by performing system initialization, which provides the working environment for the normal operation of the whole application. The initialization code is key code of every application, and it is executed only once: once the initialization code has finished, the application never calls this section of code again while running. Therefore, after the application has executed its initialization code, that code can be removed from memory. To prevent an attacker from easily discovering that the initialization code has been destroyed, as would happen with a simple zero fill, the internal memory flushing unit fills the memory space to be flushed by copying into it code or data from other memory space of the same process, and in this way destroys the memory data.
2. Processing after the application exits.
After the whole application has finished executing and exits, the internal memory flushing unit flushes part of the application's code space by zero filling, preventing the memory space in which the application ran from being dumped after the application exits.
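The two flushing strategies of step (12), as an added example that is not code from the patent: fill a finished initialization region with bytes copied from elsewhere in the process, then zero fill at exit. The function names, the data buffer standing in for code pages and the sample bytes are assumptions constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Case 1 of step (12): overwrite a finished initialization region with bytes
   copied from other memory of the same process, so the wiped region does not
   stand out in a dump the way a run of zeros would. On a real target the
   region would be code pages made writable first; here it is a data buffer. */
size_t flush_with_copy(uint8_t *region, size_t len,
                       const uint8_t *donor, size_t donor_len) {
    if (region == NULL || donor == NULL || donor_len == 0) return 0;
    for (size_t off = 0; off < len; off += donor_len) {
        size_t n = (len - off < donor_len) ? len - off : donor_len;
        memmove(region + off, donor, n);  /* repeat donor until region is full */
    }
    return len;
}

/* Case 2 of step (12): zero fill at exit. Writing through a volatile pointer
   keeps the compiler from dropping the stores as dead writes. */
void flush_zero(void *region, size_t len) {
    volatile uint8_t *p = (volatile uint8_t *)region;
    while (len--) *p++ = 0;
}

/* Number of bytes in buf equal to v; used to check what a dump would show. */
size_t count_byte(const uint8_t *buf, size_t len, uint8_t v) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++) n += (buf[i] == v);
    return n;
}

int main(void) {
    uint8_t init_code[24];                       /* constructed "init code" */
    const uint8_t donor[] = "other-live-data";   /* constructed donor bytes */
    memset(init_code, 0xC3, sizeof init_code);
    flush_with_copy(init_code, sizeof init_code, donor, sizeof donor - 1);
    printf("init bytes left: %zu, zero bytes: %zu\n",
           count_byte(init_code, sizeof init_code, 0xC3),
           count_byte(init_code, sizeof init_code, 0x00));
    flush_zero(init_code, sizeof init_code);
    printf("zero bytes after exit flush: %zu\n",
           count_byte(init_code, sizeof init_code, 0x00));
    return 0;
}
```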
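The key m chaining described under step (9), as an added example that is not code from the patent: each segment's unshelling key is a checksum over the shelled bytes of the segments before it, so changing one bit in an earlier segment corrupts every later one. The checksum formula, the seed, the XOR stand-in for the shell transform and the sample image are all assumptions constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SEG_LEN 16  /* constructed segment size */

/* Key m: position-sensitive byte checksum over the shelled bytes of the
   segments that have already run (hypothetical helper, not the patent's). */
static uint32_t derive_key_m(const uint8_t *prior, size_t len) {
    uint32_t sum = 0x9E3779B9u;  /* constructed seed for the first segment */
    for (size_t i = 0; i < len; i++)
        sum = sum * 31u + prior[i];
    return sum;
}

/* Stand-in shell transform (assumption): XOR with the four key bytes. */
static void xor_with_key(uint8_t *buf, size_t len, uint32_t key) {
    for (size_t i = 0; i < len; i++)
        buf[i] ^= (uint8_t)(key >> (8 * (i & 3)));
}

/* Shell segment idx in place; segments 0..idx-1 must already be shelled. */
void shell_segment(uint8_t *image, size_t idx) {
    xor_with_key(image + idx * SEG_LEN, SEG_LEN, derive_key_m(image, idx * SEG_LEN));
}

/* Unshell segment idx into out, keyed by the shelled bytes before it. */
void unshell_segment(const uint8_t *image, size_t idx, uint8_t *out) {
    memcpy(out, image + idx * SEG_LEN, SEG_LEN);
    xor_with_key(out, SEG_LEN, derive_key_m(image, idx * SEG_LEN));
}

/* Returns 1 if segment 2 is recovered intact, 0 if it comes out corrupted.
   tamper != 0 flips one bit in shelled segment 0 before unshelling. */
int demo_recover(int tamper) {
    static const char plain[3 * SEG_LEN] =   /* constructed sample image */
        "init-code-bytes\0license-check..\0payload-segment";
    uint8_t image[3 * SEG_LEN], out[SEG_LEN];
    memcpy(image, plain, sizeof image);
    for (size_t i = 0; i < 3; i++) shell_segment(image, i);
    if (tamper) image[3] ^= 0x01;
    unshell_segment(image, 2, out);
    return memcmp(out, plain + 2 * SEG_LEN, SEG_LEN) == 0;
}

int main(void) {
    printf("intact=%d tampered=%d\n", demo_recover(0), demo_recover(1));
    return 0;
}
```

The corrupted output is what the attack monitor unit would then observe as an application running exception.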
As the above method shows, this embodiment uses two-way verification between the safe operation device and the application; see steps (2) and (4) of the method and Figure 9. The anti-cracking system as a whole uses two asymmetric key pairs: one pair is public key 2 and private key 2, generated in advance; the other pair is public key r and private key r, generated randomly at shelling time.
The key pair generated in advance is used to digitally sign the safe operation device and to verify that signature. Private key 2 is kept secret; public key 2 is stored in the shelling and encryption system, which, when protecting an application, writes public key 2 into the file header of the protected application.
Private key r of the randomly generated key pair is used to encrypt the fragments of the protected application and to sign the protected application; once these operations are complete, private key r is destroyed. Public key r is used to decrypt the fragments of the protected application and to verify the protected application's signature; public key r is kept in the authority and is delivered to the phone by means of the authority.
When the protected application runs, the housing apparatus obtains control first. The housing apparatus verifies the digital signature of the safe operation device using public key 2, which is stored in the protected file's header (the safe operation device has been digitally signed with private key 2, and the signature is stored in digital signature identification unit A of the safe operation device). If verification passes, operation continues; if verification fails, exception handling is performed.
After the safe operation device has been activated by the application's housing apparatus, it obtains public key r by means of the authority and then uses public key r to verify the application's digital signature (the file header of the application's execution body file has been digitally signed with private key r, and the signature is stored in digital signature identification unit B in the file header). If verification passes, the application is executed in the order of its execution body fragments; otherwise the application is withdrawn from the safe operation device.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these changes and modifications fall within the scope of the claims of the present invention and their technical equivalents, the present invention is intended to include them as well.