CN104123510A - Method for verifying running mapping files - Google Patents

Method for verifying running mapping files Download PDF

Info

Publication number
CN104123510A
CN104123510A CN201410379381.9A CN201410379381A CN104123510A CN 104123510 A CN104123510 A CN 104123510A CN 201410379381 A CN201410379381 A CN 201410379381A CN 104123510 A CN104123510 A CN 104123510A
Authority
CN
China
Prior art keywords
image file
verification
verification value
initial
file
Prior art date
Application number
CN201410379381.9A
Other languages
Chinese (zh)
Inventor
常玉芳
刘驰
Original Assignee
上海斐讯数据通信技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 上海斐讯数据通信技术有限公司 filed Critical 上海斐讯数据通信技术有限公司
Priority to CN201410379381.9A priority Critical patent/CN104123510A/en
Publication of CN104123510A publication Critical patent/CN104123510A/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures

Abstract

The invention provides a method for verifying running mapping files. The method includes the steps that an initial verification value is obtained through calculation according to an algorithm, and then the initial verification value and a first mapping file are merged to form a second mapping file; the second mapping file is loaded through a bootstrap program, the initial verification value is fetched and stored in a nonvolatile memory first, and the first mapping file is run; a verification module is activated through an initialization system and a verification module, and the algorithm is applied through the verification module periodically to work out a verification value of the first mapping file; the verification value of the first mapping file is compared with the initial verification value, verification is to be carried out on the verification value of the first mapping file for the next time if the verification value of the first mapping file is equal to the initial verification value, and a warning is prompted if the verification value of the first mapping file is unequal to the initial verification value. The method aims to verify the running mapping files; when the mapping files in the memory are run, the verification module in the mapping files can verify the mapping files periodically, and the situation that a system runs unstably or collapses and users lose important data due to the fact that the mapping files are tampered or damaged in the running process is prevented.

Description

运行中映像文件验证的方法 The method of operation of the image file verification

技术领域 FIELD

[0001] 本发明涉及一种可执行系统的映像文件的验证方法,尤其是在映像文件的运行中验证。 [0001] The present invention relates to a method of verification of an executable image file system, in particular to verify the operation of the image file.

背景技术 Background technique

[0002] 目前,对于可执行系统的映像文件的验证方法,主要是将未运行的映像文件本身进行加密,防止映像文件在存储或传输过程中被篡改。 [0002] Currently, the method for verification of an image file executable system, mainly to the image file itself is not running encryption, to prevent the image file being stored or tampered with during transmission. 而对运行过程中的映像文件则没有相关的技术方法进行验证。 While the image file during operation is not related technical methods of verification.

[0003] 2008年10月15日公开、公告号为CN101288083、名称为"程序可执行映像加密"的专利文献公开了一种对未运行的映像文件进行加密的方法,通过使用源文件中的命令将可执行映像的节区标记为要被加密,并编译所述可执行映像以生产目标文件,使用连接器来连接所述可执行映像中的一个或更多个,以产生最终的可执行映像,将所述连接的可执行映像传递至连接器之后的加密引擎,以对重定位修正补丁表以及被标记为加密的可执行映像的节区进行加密,并在加载时间对该可执行映像进行解密、重定位和执行。 [0003] October 15, 2008 public announcement No. CN101288083, titled "executable image encryption program," the patent document discloses a method for the image file is not running encrypted by using the source file command the section labeled region executable image to be encrypted, and compiling the object file to produce an executable image, using a connector to connect one of said executable image or more, to produce a final executable image , the executable image is transmitted to the encryption engine is connected after the connector, to encrypt a relocation patch-up table and the correction is marked as encrypted executable image area sections, and loading the executable image at time decryption, relocation and execution.

[0004] 另,2014年3月26日公开、公开号为CN103679052A的专利技术文献也是公开了一种对未运行的映像文件进行加密的方法,将整个映像文件实施认证算法以得到一个固定大小的数据作为认证摘要,并将所述认证摘要添加到映像文件尾部;将含认证摘要的映像文件经过加密引擎进行加密以生成一个加密映像文件。 [0004] Also, March 26, 2014 disclosed in Patent Publication No. CN103679052A technical literature also discloses a method of operating the image file is not encrypted, the authentication algorithm is implemented to obtain the entire image file of a fixed size summary data for authentication and the digest authentication added to the image end of the file; summary of the authentication image file containing encrypted encryption engine to generate an encrypted image file. 在验证时,将加密的映像文件经过解密引擎进行解密,去除解密后的映像文件尾部的认证摘要,然后再试试相同的认证算法以得到新的认证摘要;将新的认证摘要与之前的认证摘要进行对比,如果两者相同,则说明映像文件未被篡改,若两者不同,则说明映像文件已经被篡改。 In the verification, the encrypted image files after decryption engine to decrypt, digest authentication image file to remove the tail decrypted, and then try the same authentication algorithm to obtain the new certification summary; a summary of the new certification before certification summary of comparison, if the two are identical, the image file has not been tampered if they are different, then the image file has been tampered with.

[0005] 现有的验证方法只能在映像文件存储或传输过程中,对映像进行加密保护,但是在运行映像文件之后被篡改或破坏之后,用户就无法得知,当映像文件遭到严重的破坏时可能会导致系统瘫痪和用户丢失重要的数据。 [0005] existing authentication method can only be in the image file storage or transmission process, the image is encrypted and protected, but after being tampered with or destroyed after running the image file, the user can not know, when the image file was severely It could lead to system failures and loss of important user data destruction.

发明内容 SUMMARY

[0006] 本发明需解决的技术问题是提供一种运行中映像文件验证的方法,是针对运行中的映像文件进行验证的,防止映像文件在运行过程中被篡改或损坏而导致系统运行不稳定或崩溃和用户丢失重要数据。 [0006] The present invention is a technical problem to be solved is to provide a method for operating the image file verified, is verified against the image file in operation, to prevent the image file being tampered with or damaged during operation resulting in unstable operation of the system or crash and loss of important user data.

[0007] 为了解决上述的问题,本发明设计了一种运行中映像文件验证的方法,其包括以下步骤:步骤1 :根据算法将由源文件编译生成的第一映像文件计算得到初始的验证值,再将所述初始的验证值与第一映像文件合并生成第二映像文件;步骤2 :由引导程序加载第二映像文件,先取出所述初始的验证值保存到非易失存储器,再运行第二映像文件中的第一映像文件;步骤3 :在第一映像文件运行的过程中,初始化系统和验证模块以激活验证模块,验证模块定期运用所述算法计算出第一映像文件的验证值;步骤4 :比较所述验证值和所述初始的验证值,若相等,则等待验证模块进行下次验证;若不相等,则提示告警。 [0007] To solve the above problems, the present invention contemplates a method of operation of the verified image file, which comprises the following steps: Step 1: The initial verification value calculated in accordance with a first algorithm by the image file generated by compiling a source file, then the verification value with the first initial image file to generate a second combined image file; step 2: the second image file from the boot loader, first remove the initial verification value stored in the nonvolatile memory, the first run the first two image files in the image file; step 3: in the process of the first image file that is run, the system is initialized to activate the authentication module and the authentication module, the authentication module periodically using a first algorithm to calculate the verification value image file; step 4: comparing the verification value and the initial value of the verification, if equal, then waits for the next authentication verification module; if not equal, the alarm is prompted.

[0008] 作为本发明进一步改进,所述第一映像文件包括代码段、数据段和BSS段,通过所述算法得到验证值的步骤是计算第一映像文件中的代码段。 [0008] As a further improvement of the present invention, the image file comprises a first code segment, the data segment and the BSS, the step of verification value obtained by the algorithm is to calculate the first code segment in the image file.

[0009] 作为本发明进一步改进,所述非易失存储器包括电可擦可编程只读存储器。 [0009] As a further improvement of the present invention, said nonvolatile memory comprises an electrically erasable programmable read only memory.

[0010] 作为本发明进一步改进,所述提示告警的方式包括不间断通告用户系统不稳定或打开蜂鸣器。 [0010] As a further improvement of the present invention, the prompt comprises a continuous manner alarm notify users of system instability or beeper.

[0011] 作为本发明进一步改进,在初始化验证模块时,创建一个定时器,验证模块首先判断定时器是否超时,若未超时,则继续等待,若超时,则再运用所述算法计算出第一映像文件的验证值。 [0011] As a further improvement of the present invention, upon initialization authentication module, to create a timer, authentication module determines whether the first timer expires, if not timed out, continue to wait, if the timeout is then calculated using the first algorithm verify the value of the image file.

[0012] 作为本发明进一步改进,在所述验证值和所述初始的验证值相等时,创建新的定时器,验证模块根据新的定时器超时进行下次验证。 [0012] As a further improvement of the present invention, when the verification value is equal to the verification value and the initial, create a new timer, timeout for the next authentication module to verify the new timer.

[0013] 本发明是针对运行中的映像文件进行验证,当内存中的映像文件运行时,映像文件中的验证模块会定期的对映像文件进行验证,防止映像文件在运行过程中被篡改或损坏而导致系统运行不稳定或崩溃和用户丢失重要数据。 [0013] The present invention was verified for the image file in operation, when the image file in memory at runtime, the image file authentication module periodically the image file authentication to prevent the image file has been tampered with during operation or damage and cause the system unstable or crash and loss of important user data.

附图说明 BRIEF DESCRIPTION

[0014] 图1是本发明运行中映像文件验证的方法的流程图; [0014] FIG. 1 is a flowchart illustrating operation of the present invention, a method of verification of an image file;

[0015] 图2是本发明第二映像文件的结构图; [0015] FIG. 2 is a configuration diagram of a second image file of the present invention;

[0016] 图3是本发明第一映像文件的结构图。 [0016] FIG. 3 is a configuration diagram of a first image file of the present invention.

具体实施方式 Detailed ways

[0017] 为了使本领域相关技术人员更好地理解本发明的技术方案,下面将结合附图和实施方式,对本发明实施方式中的技术方案进行清楚、完整地描述,显然,所描述的实施方式仅仅是本发明一部分实施方式,而不是全部的实施方式。 [0017] In order that those skilled in the relevant art better understand the technical solution of the present invention, the accompanying drawings and the following embodiments, in the embodiment of the present invention, technical solutions clearly and completely described, obviously, the described embodiment It is merely part of embodiments of the present invention rather than all embodiments.

[0018] 本发明提供了一种运行中映像文件验证的方法,是针对运行中的映像文件进行验证的,防止映像文件在运行过程中被篡改或损坏而导致系统运行不稳定或崩溃和用户丢失重要数据。 [0018] The present invention provides a method of operation of the image file verified, is verified against the image file in operation, to prevent the image file being tampered with or damaged during operation resulting in unstable operation or a system crash and loss of user important data.

[0019] 本发明是对运行中的映像文件进行验证,其包括以下步骤,如图1所示: [0019] The present invention is an image file in the verify operation, which comprises the following steps, shown in Figure 1:

[0020] 步骤1 :首先,映像文件是通过源文件编译而生成的,本发明根据算法将由源文件编译生成的第一映像文件计算得到初始的验证值VI,再将初始的验证值与第一映像文件合并生成第二映像文件,如图2所示第二映像文件的结构。 [0020] Step 1: First of all, the image file is generated by compiling the source file, the present invention is to obtain an initial verification value calculation VI algorithm according to the first image file generated by compiling a source file, then the first initial verification value generating a second image file combined image file, the image file of the second configuration shown in Figure 2. 在本实施例中,算法是成熟的算法MD5,但不限于此算法。 In the present embodiment, the algorithm is the MD5 algorithm mature, but is not limited thereto algorithm. 如图3所示,所述第一映像文件包括代码段、数据段和BSS段,本实施例,通过算法得到验证值的步骤是计算第一映像文件中的代码段。 3, the image file comprises a first code segment, the data segment and the BSS, the present embodiment, the step of verification value obtained by the algorithm is to calculate the first code segment in the image file. 代码段又称文本段,通常用来存放程序执行代码,属于只读,验证模块包含在代码段中。 Also known as the code of text paragraphs, commonly used to store program code execution, are read-only, it included in the authentication module snippet. 数据段通常用来存放程序中已经出售的全局变量,可读写。 Data segments typically used to store global variables in the program have been sold, and can read and write. BSS段通常用来存放程序中未初始化的全局变量,内容一般会由系统初始化为0,不占用可执行文件的空间。 BSS segments are typically used to store global variables in the program uninitialized contents usually by the system is initialized to 0, does not occupy space executable file. 由于只有代码段是只读,本发明的验证手段可只针对映像文件的代码段进行验证即可。 Since only code segment is read, the verification means of the present invention can be verified only to the image file for the snippet.

[0021] 步骤2 :由引导程序加载第二映像文件,先取出初始的验证值VI保存到非易失存储器,再运行第二映像文件中的第一映像文件。 [0021] Step 2: the boot program loaded by the second image file, first remove the initial verification value VI is stored in nonvolatile memory, and then a second operation of the first image file in the image file. 在本实施例中,非易失存储器为电可擦可编程只读存储器,但不限于此存储器。 In the present embodiment, the nonvolatile memory is electrically erasable programmable read only memory, the memory is not limited thereto. 由于初始的验证值VI保存在非易失存储器中,因而,运行第一映像文件时,不会影响到初始的验证值VI。 Since the initial VI verification value stored in nonvolatile memory, and therefore, when the operation of the first image file, does not affect the initial verification value VI.

[0022] 步骤3 :在第一映像文件运行的过程中,首先系统和验证模块会进行初始化以激活验证模块,验证模块定期运用算法计算出第一映像文件的验证值V2。 [0022] Step 3: In the process of the first image file that is run, the system is first initialized and verification module to activate the authentication module, authentication module periodically verification value V2 using a first algorithm to calculate the image file. 该算法与步骤1中的算法应当保持一致。 Algorithm of step 1 of the algorithm should be consistent. 在本实施例中,在初始化验证模块,会创建一个定时器从而实现验证模块定期运用算法计算出第一映像文件的验证值。 In the present embodiment, the authentication module initialization, creates a periodic timer enabling verification module using the first image file verification value calculated with the algorithm. 首先,验证模块判断定时器是否超时,若未超时,则继续等待,若超时(即到了定时器定制的时间),验证模块运用算法计算出第一映像文件的验证值V2。 First, the verification module determines whether the timer expires, if not timed out, continue to wait, if the time-out (ie, to the custom timer time), the verification module using the verification algorithm to calculate the value V2 of the first image file.

[0023] 步骤4 :得到运行中第一映像文件的验证值V2后,再比较验证值V2和初始的验证值VI,若验证值V2和初始的验证值VI相等,说明第一映像文件未被修改,等待下次验证。 [0023] Step 4: After the operation to obtain the first verification value V2 of the image file, and then compare the verification value V2 and the initial verification value VI, V2 and the initial value when verification of the verification value is equal to VI, a first image file is not modify, waiting for the next validation. 本实施例中,再创建出新的定时器,验证模块根据新的定时器是否超时进行下次验证。 In this embodiment, then create a new timer, the verification module to verify whether the new timeout for the next timer. 若验证值V2和初始的验证值VI不相等,说明第一映像文件已经被修改或损坏,验证模块会提示告警,提示告警的方式包括不间断通告用户系统不稳定或打开蜂鸣器。 If the verification value V2 and the initial verification value is not equal to VI, a first image file has been modified or damaged, the module will be prompted to verify the alarm, the alarm prompt manner include uninterruptible notify users of system instability or beeper.

[0024] 本发明是针对运行中的映像文件进行验证,当内存中的映像文件运行时,映像文件中的验证模块会定期的对映像文件进行验证,防止映像文件在运行过程中被篡改或损坏而导致系统运行不稳定或崩溃和用户丢失重要数据。 [0024] The present invention was verified for the image file in operation, when the image file in memory at runtime, the image file authentication module periodically the image file authentication to prevent the image file has been tampered with during operation or damage and cause the system unstable or crash and loss of important user data.

[0025] 以上仅表达了本发明的一种实施方式,其描述较为具体和详细,但并不能因此而理解为对本发明专利范围的限制。 [0025] The above expression only one embodiment of the present invention, and detailed description thereof is more specific, but can not therefore be understood as limiting the scope of the present invention. 应当指出的是,对于本领域的普通技术人员来说,在不脱离本发明构思的前提下,还可以做出若干变形和改进,这些都属于本发明的保护范围。 It should be noted that those of ordinary skill in the art, without departing from the spirit of the present invention, can make various changes and modifications, which fall within the protection scope of the present invention. 因此,本发明专利的保护范围应以所附权利要求为准。 Therefore, the protection scope of the present invention should be subject to the appended claims.

Claims (6)

1. 一种运行中映像文件验证的方法,其特征在于,包括以下步骤: 步骤1 :根据算法将由源文件编译生成的第一映像文件计算得到初始的验证值,再将所述初始的验证值与第一映像文件合并生成第二映像文件; 步骤2:由引导程序加载第二映像文件,先取出所述初始的验证值保存到非易失存储器,再运行第二映像文件中的第一映像文件; 步骤3 :在第一映像文件运行的过程中,初始化系统和验证模块以激活验证模块,验证模块定期运用所述算法计算出第一映像文件的验证值; 步骤4 :比较所述验证值和所述初始的验证值,若相等,则等待验证模块进行下次验证;若不相等,则提示告警。 1. A method of operating an image file in a verification method characterized by comprising the following steps: Step 1: a first image file generated by compiling the calculated initial verification value by the algorithm according to the source file, then the initial verification value generating a first image file combined with a second image file; step 2: a second boot loader image file, first remove the initial verification value stored in the nonvolatile memory, and then a second operation of the first image in the image file file; step 3: in the process of the first image file that is run, the system is initialized to activate the authentication module and the authentication module, the authentication module periodically using a first algorithm to calculate the verification value image file; step 4: comparing the verification value and the initial value of the verification, if equal, then waits for the next authentication verification module; if not equal, the alarm is prompted.
2. 根据权利要求1所述的运行中映像文件验证的方法,其特征在于,所述第一映像文件包括代码段、数据段和BBS段,通过所述算法得到验证值的步骤是计算第一映像文件中的代码段。 The operation of the image file in a verification method as claimed in claim, wherein said image file comprises a first code segment, the data segment and segment BBS, step verification value obtained by said first calculation algorithm the image file in the code segment.
3. 根据权利要求1所述的运行中映像文件验证的方法,其特征在于,所述非易失存储器包括电可擦可编程只读存储器。 3. The method of operation of the image file 1 according to claim verified, wherein said nonvolatile memory comprises an electrically erasable programmable read only memory.
4. 根据权利要求1所述的运行中映像文件验证的方法,其特征在于,所述提示告警的方式包括不间断通告用户系统不稳定或打开蜂鸣器。 The operation of the image file in a verification method as claimed in claim, wherein the prompt comprises a continuous manner alarm notify users of system instability or beeper.
5. 根据权利要求1所述的运行中映像文件验证的方法,其特征在于,在初始化验证模块时,创建一个定时器,验证模块首先判断定时器是否超时,若未超时,则继续等待,若超时,则再运用所述算法计算出第一映像文件的验证值。 The operation of the image file in a verification method as claimed in claim, wherein, upon initialization authentication module, to create a timer, authentication module determines whether the first timer expires, if not timed out, continue to wait, if expires, the re-use of the algorithm to calculate the first image file verification value.
6. 根据权利要求5所述的运行中映像文件验证的方法,其特征在于,在所述验证值和所述初始的验证值相等时,创建新的定时器,验证模块根据新的定时器超时进行下次验证。 6. The method of claim 5 operating image file verification claim, wherein, when the verification value is equal to the verification value and the initial, create a new timer, the new authentication module timeout timer for the next verification.
CN201410379381.9A 2014-08-04 2014-08-04 Method for verifying running mapping files CN104123510A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410379381.9A CN104123510A (en) 2014-08-04 2014-08-04 Method for verifying running mapping files

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410379381.9A CN104123510A (en) 2014-08-04 2014-08-04 Method for verifying running mapping files

Publications (1)

Publication Number Publication Date
CN104123510A true CN104123510A (en) 2014-10-29

Family

ID=51768918

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410379381.9A CN104123510A (en) 2014-08-04 2014-08-04 Method for verifying running mapping files

Country Status (1)

Country Link
CN (1) CN104123510A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101344904A (en) * 2008-09-02 2009-01-14 中国科学院软件研究所 Dynamic measurement method
CN101465770A (en) * 2009-01-06 2009-06-24 北京航空航天大学 Method for disposing inbreak detection system
CN103593617A (en) * 2013-10-27 2014-02-19 西安电子科技大学 Software integrity verifying system and method based on VMM (virtual machine monitor)
CN103617095A (en) * 2013-11-15 2014-03-05 中国航空无线电电子研究所 VxWorks mapping file accuracy checking method
CN103679052A (en) * 2012-09-24 2014-03-26 上海斐讯数据通信技术有限公司 Method for encrypting, verifying and protecting image file
CN103914650A (en) * 2012-12-31 2014-07-09 腾讯科技(深圳)有限公司 Method and device for virus detection

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101344904A (en) * 2008-09-02 2009-01-14 中国科学院软件研究所 Dynamic measurement method
CN101465770A (en) * 2009-01-06 2009-06-24 北京航空航天大学 Method for disposing inbreak detection system
CN103679052A (en) * 2012-09-24 2014-03-26 上海斐讯数据通信技术有限公司 Method for encrypting, verifying and protecting image file
CN103914650A (en) * 2012-12-31 2014-07-09 腾讯科技(深圳)有限公司 Method and device for virus detection
CN103593617A (en) * 2013-10-27 2014-02-19 西安电子科技大学 Software integrity verifying system and method based on VMM (virtual machine monitor)
CN103617095A (en) * 2013-11-15 2014-03-05 中国航空无线电电子研究所 VxWorks mapping file accuracy checking method

Similar Documents

Publication Publication Date Title
US6820063B1 (en) Controlling access to content based on certificates and access predicates
JP4769608B2 (en) Information processing apparatus having start verification function
KR101397637B1 (en) Method and apparatus including architecture for protecting multi-user sensitive code and data
DE102008011925B4 (en) Safe initialization of computer systems
JP4099039B2 (en) Program update method
McCune et al. Flicker: An execution infrastructure for TCB minimization
TWI498813B (en) Trusted component update system and method
US20060236122A1 (en) Secure boot
US8688967B2 (en) Secure booting a computing device
US8464037B2 (en) Computer system comprising a secure boot mechanism on the basis of symmetric key encryption
CN100380348C (en) Semiconductor device with encrypted part or external interface and content reproducing method
US20140298026A1 (en) Information processing device and computer program product
US20090259854A1 (en) Method and system for implementing a secure chain of trust
US8543839B2 (en) Electronic device and method of software or firmware updating of an electronic device
US9336394B2 (en) Securely recovering a computing device
JP5493951B2 (en) Information processing apparatus, validity verification method, and program
US20100082960A1 (en) Protected network boot of operating system
US20130054979A1 (en) Sector map-based rapid data encryption policy compliance
JP2005227995A (en) Information processor, information processing method and computer program
JP2010073193A5 (en)
KR101471589B1 (en) Method for Providing Security for Common Intermediate Language Program
EP1953666A2 (en) Method of booting electronic device and method of authenticating boot of electronic device
CN101436141A (en) Firmware upgrading and encapsulating method and device based on digital signing
EP2681689B1 (en) Protecting operating system configuration values
CN102236757A (en) Software protection method and system applicable to Android system

Legal Events

Date Code Title Description
C06 Publication
EXSB Decision made by sipo to initiate substantive examination
RJ01