CN108804913B - Application program running method and device - Google Patents
Application program running method and device Download PDFInfo
- Publication number
- CN108804913B CN108804913B CN201810392434.9A CN201810392434A CN108804913B CN 108804913 B CN108804913 B CN 108804913B CN 201810392434 A CN201810392434 A CN 201810392434A CN 108804913 B CN108804913 B CN 108804913B
- Authority
- CN
- China
- Prior art keywords
- function
- encrypted
- virtual machine
- application program
- ciphertext
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
Abstract
The invention provides an application program running method and device, wherein the method comprises the following steps: in the process of running the application program, if the byte code ciphertext in the application program is executed, loading the byte code ciphertext into a started process virtual machine, wherein the process virtual machine is embedded in the application program, and the byte code ciphertext comprises one or more independently encrypted function ciphertexts; the control process virtual machine decrypts the function ciphertext of the current target function to be executed to obtain the plaintext of the current target function to be executed; allocating memory for the plaintext of the current target function to be executed; controlling a process virtual machine to run a target function plaintext in a memory; and when the operation of the target function plaintext is finished, clearing the target function plaintext in the memory. The invention increases the difficulty of identifying the byte codes related to important logic in the application program by an attacker and the difficulty of one-time complete stealing during program operation.
Description
Technical Field
The invention relates to the technical field of computer software, in particular to an application program running method and device.
Background
In the related art, when a process virtual machine is hardened, mainly byte codes (such as account login logic, video decryption logic and the like) related to important logic in software are encrypted at one time and then stored in the software in a whole manner. Before the bytecode of the software is run, the encrypted bytecode needs to be decrypted once, and then the decrypted bytecode is run in a process virtual machine to realize the running of the encrypted bytecode in the software.
The process virtual machine is a virtual closed environment for the running of a single process. The code logic running on the virtual machine is confined to the resources provided by the virtual machine, i.e., its rights cannot exceed the virtual environment in which it is located. The purpose of designing and implementing the process virtual machine is to encapsulate an interface between an operating system and bottom hardware and provide an independent closed running environment for byte codes running in the operating system.
However, there is a security risk in the process virtual machine reinforcing method in the conventional technology, as shown in fig. 1, first, an encrypted bytecode is loaded into a virtual machine; then, the virtual machine decrypts the encrypted bytecode into a plaintext bytecode, and stores the plaintext bytecode in the memory applied by the virtual machine, and at the moment, an attacker can take the plaintext bytecode. (payload refers to the bytecode in plaintext); finally, the virtual machine loads the plaintext bytecode into the memory and executes each instruction of the bytecode. That is, starting at the time point after the encrypted bytecode is decrypted once, the decrypted bytecode is released into the memory as a whole, and then the process virtual machine loads and runs the decrypted bytecode in the memory. In the process of operating the bytecode, because the decrypted bytecode is completely exposed in the memory, an attacker can observe that a long code segment appears in the memory at one time in the time period of operating the bytecode, and the code segment is complete and large code logic, so that the attacker can easily see the characteristics of the code logic and further determine that the code logic relates to important information. The attacker can obtain the complete unencrypted bytecode logic from the memory in a memory dump (i.e., copy) manner, so that the unencrypted bytecode related to important logic in the software is stolen by the attacker.
Therefore, the running scheme of the application program in the related art has the common problem that an attacker can easily identify and steal the byte codes related to important logic in the application program at one time.
Disclosure of Invention
The invention provides an application program running method and device, and aims to solve the problem that an attacker easily identifies and steals byte codes related to important logic in an application program at one time in an application program running scheme in the related technology.
In order to solve the above problem, according to an aspect of the present invention, the present invention discloses an application program running method, including:
in the process of running the application program, if a byte code ciphertext in the application program is executed, loading the byte code ciphertext into a started process virtual machine, wherein the process virtual machine is embedded in the application program, and the byte code ciphertext comprises one or more independently encrypted function ciphertexts;
controlling the process virtual machine to decrypt a function ciphertext of a current target function to be executed to obtain a plaintext of the current target function to be executed;
allocating memory for the current target function plaintext to be executed;
controlling the process virtual machine to run the target function plaintext in the memory;
and when the plaintext operation of the target function is finished, clearing the plaintext of the target function in the memory.
Optionally, the allocating a memory for the plaintext of the current target function to be executed includes:
and distributing a plurality of registers to operate the plaintext of the target function according to the function logic of the plaintext of the target function to be executed currently.
Optionally, when the process virtual machine is embedded with decryption information of each separately encrypted function corresponding to the bytecode ciphertext, the controlling the process virtual machine to decrypt the function ciphertext of the current target function to be executed to obtain a plaintext of the current target function to be executed includes:
and controlling the process virtual machine to decrypt the function ciphertext of the target function according to the decryption information of the target function to be executed at present to obtain the plaintext of the target function to be executed at present.
Optionally, before the running the application, the method further includes:
determining a program code to be encrypted in an application program to be issued;
independently encrypting each function in the program code to be encrypted to obtain a byte code ciphertext, wherein the byte code ciphertext comprises one or more independently encrypted function ciphertexts;
acquiring decryption information corresponding to each independently encrypted function;
replacing the program code to be encrypted in the application program to be issued according to the process virtual machine, the byte code ciphertext and the decryption information corresponding to each function;
and issuing the application program after the replacement processing.
Optionally, the performing, according to the process virtual machine, the bytecode ciphertext, and the decryption information corresponding to each function, replacement processing on the program code to be encrypted in the application program to be issued includes:
embedding decryption information corresponding to each function into a process virtual machine;
and replacing the program code to be encrypted in the application program to be issued with the byte code ciphertext and the process virtual machine embedded with the decryption information.
Optionally, the replacing, according to the process virtual machine, the bytecode ciphertext, and the decryption information corresponding to each function, the program code to be encrypted in the application program to be issued, further includes:
and replacing the program code to be encrypted in the application program to be issued with a process virtual machine, the byte code ciphertext and decryption information corresponding to each function.
Optionally, the determining a program code to be encrypted in an application program to be issued includes:
determining a code to be encrypted in an application program to be issued;
performing lexical and syntactic analysis on the code to be encrypted to obtain an abstract syntax tree;
and compiling the abstract syntax tree into byte codes to obtain the byte codes to be encrypted.
According to another aspect of the present invention, the present invention also discloses an application program running device, including:
the loading module is used for loading the bytecode ciphertext into a started process virtual machine if the bytecode ciphertext in the application program is executed in the process of running the application program, wherein the process virtual machine is embedded in the application program, and the bytecode ciphertext comprises one or more individually encrypted function ciphertexts;
the decryption module is used for controlling the process virtual machine to decrypt a function ciphertext of the current target function to be executed to obtain a plaintext of the current target function to be executed;
the allocation module is used for allocating memory for the plaintext of the current target function to be executed;
the control module is used for controlling the process virtual machine to run the target function plaintext in the memory;
and the clearing module is used for clearing the target function plaintext in the memory when the target function plaintext operation is finished.
Optionally, the allocation module comprises:
and the distribution submodule is used for distributing a plurality of registers to operate the plaintext of the target function according to the function logic of the plaintext of the target function to be executed currently.
Optionally, the decryption module includes:
and the decryption submodule is used for controlling the process virtual machine to decrypt the function ciphertext of the target function according to the decryption information of the current target function to be executed when the process virtual machine is embedded with the decryption information of each independently encrypted function corresponding to the byte code ciphertext so as to obtain the plaintext of the current target function to be executed.
Optionally, the apparatus further comprises:
the determining module is used for determining a program code to be encrypted in the application program to be issued;
the encryption module is used for independently encrypting each function in the program code to be encrypted to obtain a bytecode ciphertext, wherein the bytecode ciphertext comprises one or more independently encrypted function ciphertexts;
the acquisition module is used for acquiring decryption information corresponding to each independently encrypted function;
the replacing module is used for replacing the program code to be encrypted in the application program to be issued according to the process virtual machine, the byte code ciphertext and the decryption information corresponding to each function;
and the issuing module is used for issuing the application program after the replacement processing.
Optionally, the replacement module comprises:
the embedding submodule is used for embedding the decryption information corresponding to each function into the process virtual machine;
and the first replacing submodule is used for replacing the program code to be encrypted in the application program to be issued with the byte code ciphertext and the process virtual machine embedded with the decryption information.
Optionally, the replacement module further comprises:
and the second replacing submodule is used for replacing the program code to be encrypted in the application program to be issued with the process virtual machine, the byte code ciphertext and the decryption information corresponding to each function.
Optionally, the determining module includes:
the determining submodule is used for determining a code to be encrypted in the application program to be issued;
the analysis submodule is used for performing lexical and syntactic analysis on the code to be encrypted to obtain an abstract syntax tree;
and the compiling submodule is used for compiling the abstract syntax tree into byte codes to obtain the byte codes to be encrypted.
Compared with the prior art, the invention has the following advantages:
according to the invention, each function in the program code to be encrypted is independently decrypted, so that the data volume of the plaintext data stored in the memory is less, and the bytecode of which the plaintext data belongs to important logic is not easy to be identified by an attacker; and the function ciphertext to be executed at present is decrypted once according to the code execution progress, the decrypted function plaintext is stored in the memory, the function plaintext is cleared from the memory after the function plaintext is executed, and the execution time length of a single function is far shorter than the execution time length of all the byte codes of the whole important logic, so that the storage time of the plaintext data of the function in the memory is shorter, and an attacker is difficult to identify and analyze whether the data in the memory is the byte codes of the important logic in a shorter time. Finally, when the program runs, the difficulty of identifying the byte codes related to important logic in the application program by an attacker and the difficulty of one-time complete stealing are increased.
Drawings
FIG. 1 is a flow chart of a method of running an application in the prior art;
FIG. 2 is a flow chart of an application encryption method according to an embodiment of the present invention;
FIG. 3A is a diagram illustrating a byte code encryption method in the prior art;
FIG. 3B is a diagram illustrating a bytecode encryption method according to an embodiment of the invention;
FIG. 4 is a flow chart of a method for running an application program according to an embodiment of the present invention;
fig. 5 is a block diagram of an embodiment of an apparatus for running an application according to an embodiment of the present invention.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in further detail below.
Referring to fig. 2, a flowchart illustrating steps of an embodiment of an application encryption method according to the present invention is shown, where the method may be applied to a server, and specifically may include the following steps:
when a piece of software is developed, only part of the logic codes of the functions relate to the information security problem, so that only the code part related to important logic in the software to be issued, namely the program code to be encrypted, needs to be determined in the step.
The program code to be encrypted is the program code that needs to be protected in the software, and the program code may include machine code and bytecode.
Optionally, in an embodiment, when the program code to be encrypted includes the bytecode to be encrypted, in executing step 101, the following may be implemented:
determining a code to be encrypted in an application program to be issued;
the development language of the software may be C, C + +, Java, and the like, which is not limited in this respect, and only part of code logic related to information security in the piece of software obtained through programming needs to be encrypted, so that the code to be encrypted in the software may be determined according to actual needs, and the form of the code is not limited.
Performing lexical and syntactic analysis on the code to be encrypted to obtain an abstract syntax tree;
wherein, the syntax analyzer can be used to perform lexical and syntax analysis on the code to be encrypted, so as to obtain an Abstract Syntax Tree (AST). Fig. 3A and fig. 3B both show an AST structure of "a ═ B/2+ c × 5", where the AST may embody which function executes first, which function executes later, and a logical relationship between the functions in the code to be encrypted.
And compiling the abstract syntax tree into byte codes to obtain the byte codes to be encrypted.
The AST of the code to be encrypted can be compiled into byte codes which can be identified by a virtual machine, so that the logic relation of each function expressed by the AST can be embodied in the form of the byte codes which can be identified by a computer.
The embodiment of the invention expresses the important code logic related to information security by converting the important code logic into the AST form, and compiles the AST into byte codes which can be recognized by the virtual machine, thereby transferring the logic to be executed in the virtual machine.
Of course, the embodiment of the present invention only schematically illustrates a method for determining a program code to be encrypted in software by using AST, and the present invention also includes other methods that can determine a program code to be encrypted in software in the prior art, which is not limited by the present invention.
102, independently encrypting each function in the program code to be encrypted to obtain a byte code ciphertext, wherein the byte code ciphertext comprises one or more independently encrypted function ciphertexts;
with continuing reference to fig. 3A and 3B, the encryption process of the bytecode (corresponding to AST in fig. 3A and 3B) of the prior art and the embodiment of the present invention, respectively, is schematically illustrated. Fig. 3A and 3B are shown. In fig. 3A of the prior art, when it is determined that the program code to be encrypted in the software is the bytecode corresponding to "a ═ b/2+ c × 5" through step 101, as shown in fig. 3A, the method of the prior art is to perform overall encryption on the bytecode corresponding to the entire AST structure (i.e., "a ═ b/2+ c × 5").
In order to improve the reliability of the bytecode encryption and the difficulty of stealing the encrypted bytecode in the software by a thief, in the embodiment of the invention, as shown in fig. 3B, 2 functions "B/2" and "c 5" in "a ═ B/2+ c × 5" are encrypted individually, so that a plurality of function ciphertexts can be obtained, and the function ciphertexts constitute a bytecode ciphertext.
Of course, in other embodiments, the bytecode ciphertext may include only one function ciphertext.
It should be noted that, when each function in the program code to be encrypted is encrypted, the encryption algorithm and the encryption key used by the different functions may be the same or different. In addition, in the encryption, the encryption algorithm and the encryption key used for each function may be randomly selected from existing encryption algorithms and encryption keys and may be configured, or the encryption algorithm and the encryption key may be configured in advance for each function.
103, acquiring decryption information corresponding to each independently encrypted function;
in order to decrypt the encrypted bytecode during subsequent software running, it is necessary to obtain decryption information of each individual encryption function after encryption is completed.
The decryption information of each encrypted function comprises a decryption function and a decryption key. Since the algorithm used in encryption may be a symmetric algorithm or an asymmetric algorithm, the decryption key in the decryption information may be the same as or different from the encryption key, and the decryption algorithm in the decryption information also corresponds to the encryption algorithm.
104, replacing the program code to be encrypted in the application program to be issued according to the process virtual machine, the bytecode ciphertext and decryption information corresponding to each function;
in one embodiment, when step 104 is executed, the decryption information corresponding to each function may be embedded into the process virtual machine; and replacing the program code to be encrypted in the application program to be issued with the byte code ciphertext and the process virtual machine embedded with the decryption information.
Each encrypted function corresponds to a decryption function and a decryption key, and the decryption function and the decryption key can be embedded into the process virtual machine in a data table mode.
The structure of the table is schematically shown in table 1.
| Function ID/name | Encryption algorithm | Encryption key | Decrypting functions | Decryption key |
TABLE 1
As shown in table 1, the data table may further include an encryption algorithm and an encryption key used by the encrypted function in encryption. Wherein, since the encryption algorithm may be a symmetric algorithm or an asymmetric algorithm, the encryption key and the decryption key may be the same.
In addition, in other embodiments, when the decryption information of each encrypted function is embedded in the process virtual machine, the storage form of the decryption information is not limited to the data table, and may be a form such as a correspondence relationship between the encrypted function and the decryption information.
In this way, the embodiment of the present invention embeds the decryption information of each encrypted function in the encrypted bytecode into the process virtual machine in which the encrypted bytecode is embedded, so that when the encrypted bytecode portion in the software is run, the decryption information in the virtual machine is used to decrypt each encrypted function quickly, thereby increasing the running speed of the software.
In one embodiment, when step 104 is executed, the program code to be encrypted in the application program to be issued may be replaced with a process virtual machine, the bytecode ciphertext, and decryption information corresponding to each function.
That is, the decryption information corresponding to each function is separately stored in the application program, and is not embedded in the process virtual machine.
Therefore, when the application program is operated, the started process virtual machine has no content, namely the process virtual machine is in an idle state, and when a certain target function is executed, if the target function is an encrypted function ciphertext, decryption information of the target function and the ciphertext of the target function can be extracted from the application program at any time and loaded into the running process virtual machine, so that the process virtual machine does not need to operate all encrypted function decryption information after being started, and the load of the process virtual machine is reduced.
For the definition and the storage form of the decryption information of each function, reference may be made to the above embodiments, which are not described herein again.
The process virtual machine has a data processing function similar to a CPU.
And 105, issuing the application program after the replacement processing.
Through the processing of the above steps 101 to 103, the program code to be encrypted in the software to be issued, for example, the listed logic "a ═ b/2+ c × 5" may be replaced by the bytecode ciphertext and the process virtual machine embedded with the decryption information in step 104; or replacing the process virtual machine without any embedded data, the byte code ciphertext and the decryption information corresponding to each function. Finally, the software after the replacement process can be released for the client to download through step 105.
When the bytecode (namely the decoding code logic) is operated in the process virtual machine, the process virtual machine can be used for achieving the effect of cross-platform operation of the bytecode. I.e. the same set of bytecodes can run on different operating systems.
For example, the software released by the embodiment of the invention can run on various operating system platforms such as Linux/iOS/Android and the like, and is not limited by differences of the operating systems, so that the security level of the software is comprehensively improved.
Therefore, each function of the byte codes in the software to be issued is encrypted independently, the byte code plain texts in the software to be issued are replaced according to the multiple function ciphertexts, the decryption information of each function and the process virtual machine, then the software is issued, and the risk of software attack and crack caused by unified and integral encryption of the multiple functions in the byte codes can be avoided through multiple times of encryption of the single function, so that the attack difficulty of the software is improved.
After the process of encrypting the application program in the embodiment of fig. 2, referring to fig. 4, a flowchart of steps of an embodiment of a method for running the encrypted application program published in fig. 2 according to the present invention is shown, where the method may be applied to a client or a mobile terminal, and specifically may include the following steps:
wherein, the mobile terminal downloads the software issued by the method of the embodiment of fig. 2 from the server. The byte code ciphertext and the process virtual machine are stored in the hard disk.
For example, if the account login logic in the software is an encrypted bytecode ciphertext, in the process of running the software, if an account login function is executed (where the account login function involves multiple encryption functions), the bytecode ciphertext in the hard disk needs to be executed, and therefore, a process virtual machine stored in the hard disk needs to be started, where the process virtual machine is embedded in the software in advance;
in order to enable the application program of the present invention to be executed across platforms, the bytecode ciphertext pre-embedded in the application program may be loaded into the started process virtual machine for execution.
When software is run, memory needs to be allocated to the process virtual machine (for simulating the CPU). Wherein, part of the memory (memory area A) is used for storing the process virtual machine, and part of the memory (memory area B) is used for storing the current decrypted function plaintext.
however, when the process virtual machine is started, the running process virtual machine does not have the bytecode ciphertext, and therefore, the method of the embodiment of the present invention needs to load the bytecode ciphertext in the hard disk into the started process virtual machine (i.e., into the memory area a allocated to the system) for running.
Wherein the bytecode ciphertext may include one or more function ciphertexts that are separately encrypted;
and decrypting each encryption function in the bytecode ciphertext currently executed in the software execution process to obtain the plaintext of the decrypted encryption function.
Specifically, when the process virtual machine decrypts the bytecode, a function plaintext (also a machine instruction in the form of the bytecode) can be obtained every time a currently executed function ciphertext is decrypted on the process virtual machine in the memory area a.
As can be seen from the embodiment of the encryption method for an application program in the foregoing embodiment, the decryption information of each function may be stored in the issued application program separately, or may be embedded in a process virtual machine in the application program.
In one embodiment, when the process virtual machine embeds decryption information of each individually encrypted function corresponding to the bytecode ciphertext, after the process virtual machine is started in step 201, the running process virtual machine already stores the decryption information of each individually encrypted function, and then, when step 203 is executed, the process virtual machine may be controlled to decrypt the function ciphertext of the target function according to the decryption information of the target function to be currently executed.
For example, the process virtual machine may be controlled to decrypt the ciphertext of a certain encrypted function to be currently executed, using the decryption information (including at least the decryption function and the decryption key) embedded for each encrypted function.
In an example, the data table mentioned in the embodiment of fig. 2 may be used to find the decryption function and the decryption key corresponding to the target function to be currently executed for decryption.
In another embodiment, if the decryption information of each function corresponding to the bytecode ciphertext of the application is not stored in the process virtual machine but is separately stored in the application when the application is issued, in step 203, the method according to the embodiment of the present invention may load the decryption information of the target function to be currently executed into the started process virtual machine, and control the process virtual machine to decrypt the function ciphertext of the target function according to the decryption information of the target function, so as to obtain the plaintext of the target function to be currently executed.
the process virtual machine (simulated CPU) may allocate a memory to a function plaintext (i.e., a plaintext of a target function to be currently executed), that is, allocate a part or all of the memory region B to the plaintext of the target function to be currently executed, so as to run the plaintext of the target function;
in one embodiment, in step 204, a plurality of registers may be allocated to run the plaintext of the objective function according to the function logic of the plaintext of the objective function to be executed currently.
The process virtual machine may allocate a certain number of registers from the memory area B (e.g., 10 registers) to run the plaintext of the objective function according to the function logic of the plaintext of the objective function to be executed currently.
For example, if the target function is x ═ c × 5 (here, the operation result is indicated by x) shown in fig. 3B, register 1 is used to store the multiplicand (here, c), register 2 is used to store the multiplier (here, 5), register 3 is used to mark the multiplication operation, and register 4 is used to store the calculation result.
Thus, by storing the logical relationship of each function in each register, although the thief can see the machine instruction (i.e., bytecode) stored in each register, it is difficult to intuitively and accurately determine the code logic to which the data stored in each register belongs, for example, only the machine instruction c seen in register 1 can be stored, and the machine instruction … … 5 seen in register 2 is difficult to quickly analyze the logical relationship between the registers, and when each function is decrypted, the code logic represented by each register is flexibly transformed, which further increases the logical relationship of the thief to the data in each register, thereby making it difficult to analyze the code logic expressed by each function, and further making it difficult to analyze the code logic of the entire logic function (including a plurality of functions).
the process virtual machine may be controlled to run an objective function logic formed by, for example, each register in the memory area B.
In step 206, when the plaintext operation of the objective function is finished, the plaintext of the objective function in the memory is cleared.
When a function, for example, x ═ c × 5, ends its operation, the target function logic in the memory area B may be cleared.
Then, during the software execution, another encryption function, for example, B/2, as shown in fig. 3B, is executed, and the decryption process and execution process of the encryption function, for example, c × 5, are continued, so that when an important encrypted logic function is executed, only one encryption function of the logic function is decrypted and executed each time. Compared with the process of integrally encrypting and decrypting all the byte codes of a certain logic function in the related art, the method of the invention has the advantages that the code logic (only a simple function) cached in the memory is short, so that the logic characteristics among all the encrypted functions are not obvious, even if an attacker visually sees the code logic of a small segment and a small segment of the memory area B, the code logic is difficult to be spliced together, because a logic function comprises a plurality of functions, each function comprises a plurality of short codes, and the functions are stored in the memory in a machine instruction mode for a short time, so that the attacker is difficult to analyze the logic relationship between each small segment of codes and other small segments of codes, thereby improving the splicing difficulty of the attacker on each small segment of codes in the plain text of the logic function, and hardly obtaining the integral plain text of the logic function, and the logical relationship between the various small segments contained therein in plaintext.
In the related art, after all the bytecode ciphertexts of the entire encrypted logic function (e.g. account login function) are decrypted, the entire ciphertexts are released into the memory (different from the memory area a of the process virtual machine), e.g. login main function 2k includes sub-functions (several tens of bytes), wherein the main function is large in memory after decryption, so that a bytecode plaintext with a very long logically complete code segment suddenly appears in the memory, thus, a thief can easily find the bytecode plaintext in the memory and analyze the functional meaning (e.g. account login verification) expressed by the bytecode plaintext, and during the operation of the entire bytecode plaintext by the process virtual machine, the bytecode plaintext always remains stored in the memory, thereby giving the thief more time to find and analyze the decrypted bytecode in the memory, so that the thief can easily identify and steal all the bytecode cleartext of the complete functions in the memory at one time.
Different from the related art, in the above process of the embodiment of the present invention, after the process virtual machine decrypts the currently executed function in its own memory to obtain the machine instruction, dispersively stores each instruction in the machine instruction into each register, then, after the process virtual machine (analog CPU) obtains each machine instruction, executes the machine instruction in the register, and after the execution of the decrypted function is finished, each machine instruction in the memory (i.e., the register) is automatically deleted. Obviously, the code amount of a single function in a logic function is far less than the total code amount of the logic function, only one byte code of a decrypted function is stored in the memory each time, the process virtual machine executes one function each time, and after the execution is finished, the byte code of the function in the memory is automatically cleared. The time for operating a single function is obviously much shorter than the operating time of all codes of the whole logic function, so that the storage time of the bytecode of each function in the memory is very short, the difficulty for a stealer to analyze the stored machine instruction from the memory as the function of the important function is very high, and the difficulty for the stealer to crack all the bytecodes of the important function of the software is further improved.
The account login logic function is taken as an example for explanation, the function relates to dozens of functions such as obtaining login information, checking each login information, performing regular matching on each login information, judging whether a password is empty, judging whether the password length meets the requirement and the like, and each function comprises one or more sub-functions, so that the method of the invention decrypts ciphertext of each function (comprising the sub-functions) in the logic function in the memory respectively, for an attacker, each decrypted function (the retention time of each function in a byte code in the memory is very short compared with the scheme of the traditional technology) temporarily stored in the memory is tracked manually, and the functions are spliced together completely and correctly with great difficulty, thereby greatly increasing the identification difficulty and the cracking difficulty of part of important logics in software by the stealer, and an attacker is difficult to steal the byte codes related to the important logic in the application program at one time, and even if a small segment of codes in the important logic is stolen for many times, the exact byte codes of the original important logic are difficult to be spliced completely and correctly, so that the running safety of software is ensured.
By means of the technical scheme of the embodiment of the invention, each function in the program code to be encrypted is respectively decrypted independently, so that the data volume of the plaintext data stored in the memory is less, and the bytecode of the plaintext data belonging to important logic is not easy to be identified by an attacker; and the function ciphertext to be executed at present is decrypted once according to the code execution progress, the decrypted function plaintext is stored in the memory, the function plaintext is cleared from the memory after the function plaintext is executed, and the execution time length of a single function is far shorter than the execution time length of all the byte codes of the whole important logic, so that the storage time of the plaintext data of the function in the memory is shorter, and an attacker is difficult to identify and analyze whether the data in the memory is the byte codes of the important logic in a shorter time. Finally, when the program runs, the difficulty of identifying the byte codes related to important logic in the application program by an attacker and the difficulty of one-time complete stealing are increased.
It should be noted that, for simplicity of description, the method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the illustrated order of acts, as some steps may occur in other orders or concurrently in accordance with the embodiments of the present invention. Further, those skilled in the art will appreciate that the embodiments described in the specification are presently preferred and that no particular act is required to implement the invention.
Corresponding to the method provided by the embodiment of the present invention, referring to fig. 5, a block diagram of an embodiment of an application running apparatus according to the present invention is shown, and specifically, the method may include the following modules:
a loading module 51, configured to, in a process of running the application program, if a bytecode ciphertext in the application program is executed, load the bytecode ciphertext into a started process virtual machine, where the process virtual machine is embedded in the application program, and the bytecode ciphertext includes one or more function ciphertexts that are encrypted separately;
the decryption module 52 is configured to control the process virtual machine to decrypt the function ciphertext of the current target function to be executed, so as to obtain a plaintext of the current target function to be executed;
an allocating module 53, configured to allocate a memory to the plaintext of the current target function to be executed;
a control module 54, configured to control the process virtual machine to run the target function plaintext in the memory;
a clearing module 55, configured to clear the plaintext of the objective function in the memory when the plaintext of the objective function ends.
Optionally, the allocating module 53 includes:
and the distribution submodule is used for distributing a plurality of registers to operate the plaintext of the target function according to the function logic of the plaintext of the target function to be executed currently.
Optionally, the decryption module 52 includes:
and the decryption submodule is used for controlling the process virtual machine to decrypt the function ciphertext of the target function according to the decryption information of the current target function to be executed when the process virtual machine is embedded with the decryption information of each independently encrypted function corresponding to the byte code ciphertext so as to obtain the plaintext of the current target function to be executed.
Optionally, the apparatus further comprises:
the determining module is used for determining a program code to be encrypted in the application program to be issued;
the encryption module is used for independently encrypting each function in the program code to be encrypted to obtain a bytecode ciphertext, wherein the bytecode ciphertext comprises one or more independently encrypted function ciphertexts;
the acquisition module is used for acquiring decryption information corresponding to each independently encrypted function;
the replacing module is used for replacing the program code to be encrypted in the application program to be issued according to the process virtual machine, the byte code ciphertext and the decryption information corresponding to each function;
and the issuing module is used for issuing the application program after the replacement processing.
Optionally, the replacement module comprises:
the embedding submodule is used for embedding the decryption information corresponding to each function into the process virtual machine;
and the first replacing submodule is used for replacing the program code to be encrypted in the application program to be issued with the byte code ciphertext and the process virtual machine embedded with the decryption information.
Optionally, the replacement module further comprises:
and the second replacing submodule is used for replacing the program code to be encrypted in the application program to be issued with the process virtual machine, the byte code ciphertext and the decryption information corresponding to each function.
Optionally, the determining module includes:
the determining submodule is used for determining a code to be encrypted in the application program to be issued;
the analysis submodule is used for performing lexical and syntactic analysis on the code to be encrypted to obtain an abstract syntax tree;
and the compiling submodule is used for compiling the abstract syntax tree into byte codes to obtain the byte codes to be encrypted.
For the device embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, refer to the partial description of the method embodiment.
The embodiments in the present specification are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, apparatus, or computer program product. Accordingly, embodiments of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
Embodiments of the present invention are described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing terminal to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing terminal to cause a series of operational steps to be performed on the computer or other programmable terminal to produce a computer implemented process such that the instructions which execute on the computer or other programmable terminal provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications of these embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the embodiments of the invention.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or terminal that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or terminal. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or terminal that comprises the element.
The above detailed description is provided for the method and device for operating an application program, and the specific examples are used herein to explain the principles and embodiments of the present invention, and the descriptions of the above embodiments are only used to help understand the method and the core ideas of the present invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.
Claims (12)
1. An application program running method, comprising:
in the process of running the application program, if a byte code ciphertext in the application program is executed, loading the byte code ciphertext into a started process virtual machine, wherein the process virtual machine is embedded in the application program, and the byte code ciphertext comprises one or more independently encrypted function ciphertexts;
controlling the process virtual machine to decrypt a function ciphertext of a current target function to be executed to obtain a plaintext of the current target function to be executed;
allocating memory for the current target function plaintext to be executed;
controlling the process virtual machine to run the target function plaintext in the memory;
when the operation of the target function plaintext is finished, clearing the target function plaintext in the memory;
wherein, before the running the application program, the method further comprises:
determining a program code to be encrypted in an application program to be issued;
independently encrypting each function in the program code to be encrypted to obtain a byte code ciphertext, wherein the byte code ciphertext comprises one or more independently encrypted function ciphertexts, and the encryption algorithms and encryption keys used by different functions are different;
acquiring decryption information corresponding to each independently encrypted function, wherein the decryption information comprises a decryption function and a decryption key, the decryption key is different from the encryption key, and a decryption algorithm corresponds to the encryption algorithm;
replacing the program code to be encrypted in the application program to be issued according to the process virtual machine, the byte code ciphertext and the decryption information corresponding to each function;
and issuing the application program after the replacement processing.
2. The method according to claim 1, wherein said allocating memory for the current target function to be executed in plaintext comprises:
and distributing a plurality of registers to operate the plaintext of the target function according to the function logic of the plaintext of the target function to be executed currently.
3. The method according to claim 1, wherein when the process virtual machine embeds decryption information of each individually encrypted function corresponding to the bytecode ciphertext, the controlling the process virtual machine to decrypt the function ciphertext of the current target function to be executed to obtain a plaintext of the current target function to be executed includes:
and controlling the process virtual machine to decrypt the function ciphertext of the target function according to the decryption information of the target function to be executed at present to obtain the plaintext of the target function to be executed at present.
4. The method according to claim 1, wherein the replacing, according to the process virtual machine, the bytecode ciphertext, and the decryption information corresponding to each function, the program code to be encrypted in the application program to be issued includes:
embedding decryption information corresponding to each function into a process virtual machine;
and replacing the program code to be encrypted in the application program to be issued with the byte code ciphertext and the process virtual machine embedded with the decryption information.
5. The method according to claim 1, wherein the replacing, according to the process virtual machine, the bytecode ciphertext, and the decryption information corresponding to each function, the program code to be encrypted in the application program to be issued, further comprises:
and replacing the program code to be encrypted in the application program to be issued with a process virtual machine, the byte code ciphertext and decryption information corresponding to each function.
6. The method of claim 1, wherein the determining program code to be encrypted in the application program to be published comprises:
determining a code to be encrypted in an application program to be issued;
performing lexical and syntactic analysis on the code to be encrypted to obtain an abstract syntax tree;
and compiling the abstract syntax tree into byte codes to obtain the byte codes to be encrypted.
7. An apparatus for running an application program, comprising:
the loading module is used for loading the bytecode ciphertext into a started process virtual machine if the bytecode ciphertext in the application program is executed in the process of running the application program, wherein the process virtual machine is embedded in the application program, and the bytecode ciphertext comprises one or more individually encrypted function ciphertexts;
the decryption module is used for controlling the process virtual machine to decrypt a function ciphertext of the current target function to be executed to obtain a plaintext of the current target function to be executed;
the allocation module is used for allocating memory for the plaintext of the current target function to be executed;
the control module is used for controlling the process virtual machine to run the target function plaintext in the memory;
the clearing module is used for clearing the target function plaintext in the memory when the target function plaintext finishes running;
wherein the apparatus further comprises:
the determining module is used for determining a program code to be encrypted in the application program to be issued;
the encryption module is used for independently encrypting each function in the program code to be encrypted to obtain a bytecode ciphertext, wherein the bytecode ciphertext comprises one or more independently encrypted function ciphertexts, and the encryption algorithm and the encryption key used by different functions are different;
the acquisition module is used for acquiring decryption information corresponding to each independently encrypted function, wherein the decryption information comprises a decryption function and a decryption key, the decryption key is different from the encryption key, and a decryption algorithm corresponds to the encryption algorithm;
the replacing module is used for replacing the program code to be encrypted in the application program to be issued according to the process virtual machine, the byte code ciphertext and the decryption information corresponding to each function;
and the issuing module is used for issuing the application program after the replacement processing.
8. The apparatus of claim 7, wherein the assignment module comprises:
and the distribution submodule is used for distributing a plurality of registers to operate the plaintext of the target function according to the function logic of the plaintext of the target function to be executed currently.
9. The apparatus of claim 7, wherein the decryption module comprises:
and the decryption submodule is used for controlling the process virtual machine to decrypt the function ciphertext of the target function according to the decryption information of the current target function to be executed when the process virtual machine is embedded with the decryption information of each independently encrypted function corresponding to the byte code ciphertext so as to obtain the plaintext of the current target function to be executed.
10. The apparatus of claim 7, wherein the replacement module comprises:
the embedding submodule is used for embedding the decryption information corresponding to each function into the process virtual machine;
and the first replacing submodule is used for replacing the program code to be encrypted in the application program to be issued with the byte code ciphertext and the process virtual machine embedded with the decryption information.
11. The apparatus of claim 7, wherein the replacement module further comprises:
and the second replacing submodule is used for replacing the program code to be encrypted in the application program to be issued with the process virtual machine, the byte code ciphertext and the decryption information corresponding to each function.
12. The apparatus of claim 7, wherein the determining module comprises:
the determining submodule is used for determining a code to be encrypted in the application program to be issued;
the analysis submodule is used for performing lexical and syntactic analysis on the code to be encrypted to obtain an abstract syntax tree;
and the compiling submodule is used for compiling the abstract syntax tree into byte codes to obtain the byte codes to be encrypted.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201810392434.9A CN108804913B (en) | 2018-04-27 | 2018-04-27 | Application program running method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201810392434.9A CN108804913B (en) | 2018-04-27 | 2018-04-27 | Application program running method and device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN108804913A CN108804913A (en) | 2018-11-13 |
| CN108804913B true CN108804913B (en) | 2021-04-06 |
Family
ID=64093473
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201810392434.9A Active CN108804913B (en) | 2018-04-27 | 2018-04-27 | Application program running method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN108804913B (en) |
Families Citing this family (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110442422B (en) * | 2019-07-03 | 2023-01-31 | 创新先进技术有限公司 | Active response type trusted Python virtual machine and execution method thereof |
| CN113127100B (en) * | 2021-05-14 | 2022-07-12 | 武汉深之度科技有限公司 | Heterogeneous program execution method and device, computing device and readable storage medium |
| CN113392416B (en) * | 2021-06-28 | 2024-03-22 | 北京恒安嘉新安全技术有限公司 | Method, device, equipment and storage medium for acquiring application program encryption and decryption data |
| CN113590166B (en) * | 2021-08-02 | 2024-03-26 | 腾讯数码(深圳)有限公司 | Application program updating method and device and computer readable storage medium |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1790268A (en) * | 2004-12-14 | 2006-06-21 | 艾克斯麦提克方案私人有限公司 | Compile time linking via hashing technique |
| CN102346834A (en) * | 2011-11-25 | 2012-02-08 | 武汉钢铁(集团)公司 | Method for encrypting and protecting Java application software |
| CN106599627A (en) * | 2016-11-22 | 2017-04-26 | 江苏通付盾科技有限公司 | Method and apparatus for protecting application security based on virtual machine |
| CN106663025A (en) * | 2014-03-31 | 2017-05-10 | 耶德托公司 | Method, apparatus, and computer-readable medium for obfuscating execution of application on virtual machine |
| CN107480476A (en) * | 2017-06-15 | 2017-12-15 | 西北大学 | A kind of Android local layer compiling of instruction based on ELF infection virtualizes shell adding method |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20150332043A1 (en) * | 2014-05-15 | 2015-11-19 | Auckland Uniservices Limited | Application analysis system for electronic devices |
-
2018
- 2018-04-27 CN CN201810392434.9A patent/CN108804913B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1790268A (en) * | 2004-12-14 | 2006-06-21 | 艾克斯麦提克方案私人有限公司 | Compile time linking via hashing technique |
| CN102346834A (en) * | 2011-11-25 | 2012-02-08 | 武汉钢铁(集团)公司 | Method for encrypting and protecting Java application software |
| CN106663025A (en) * | 2014-03-31 | 2017-05-10 | 耶德托公司 | Method, apparatus, and computer-readable medium for obfuscating execution of application on virtual machine |
| CN106599627A (en) * | 2016-11-22 | 2017-04-26 | 江苏通付盾科技有限公司 | Method and apparatus for protecting application security based on virtual machine |
| CN107480476A (en) * | 2017-06-15 | 2017-12-15 | 西北大学 | A kind of Android local layer compiling of instruction based on ELF infection virtualizes shell adding method |
Also Published As
| Publication number | Publication date |
|---|---|
| CN108804913A (en) | 2018-11-13 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN108804913B (en) | Application program running method and device | |
| US9230113B2 (en) | Encrypting and decrypting a virtual disc | |
| KR102433011B1 (en) | Method of apk file protection, apk file protection system performing the same, and storage medium storing the same | |
| CN111143869B (en) | Application package processing method and device, electronic equipment and storage medium | |
| US20160275019A1 (en) | Method and apparatus for protecting dynamic libraries | |
| CN108898008B (en) | Application program running method and device | |
| US20120317421A1 (en) | Fingerprinting Executable Code | |
| KR20120032477A (en) | Interlocked binary protection using whitebox cryptography | |
| US20110271350A1 (en) | method for protecting software | |
| US10482221B2 (en) | Protecting a computer program against reverse engineering | |
| CN109284585B (en) | Script encryption method, script decryption operation method and related device | |
| CN107077540B (en) | Method and system for providing cloud-based application security services | |
| CN104866739A (en) | Application program encryption method and application program encryption system in Android system | |
| CN107273723B (en) | So file shell adding-based Android platform application software protection method | |
| EP2575043A1 (en) | Method to secure an application executable in a distant server accessible via a public computer network, and improved virtual server. | |
| CN114547558A (en) | Authorization method, authorization control method and device, equipment and medium | |
| US8918653B2 (en) | Protection of interpreted source code in virtual appliances | |
| US8972745B2 (en) | Secure data handling in a computer system | |
| CN103530169B (en) | Method for protecting virtual machine files and user terminal | |
| CN107209815B (en) | Method for code obfuscation using return-oriented programming | |
| CN110535642B (en) | Method for distributing storage keys, intelligent terminal and storage medium | |
| CN105278954A (en) | Anti-cracking Android APP and operation mode thereof | |
| CN116249980A (en) | Software access through heterogeneous encryption | |
| CN108804880B (en) | Software generation method and device | |
| KR20200017121A (en) | Method and system for protecting code using onetime code |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |