CN109428885A - Method and apparatus for protecting equipment - Google Patents
Classifications
- H04L63/1441—Countermeasures against malicious traffic
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
- H04L63/1433—Vulnerability analysis
- H04L63/1458—Denial of Service
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L9/0662—Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher with particular pseudorandom sequence generator
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
- G06F9/45504—Abstract machines for programme code execution, e.g. Java virtual machine [JVM], interpreters, emulators
Abstract
The invention relates to a method (10) for protecting a device, characterized by the following steps: personalizing (20) the runtime environment of the device, and matching (30) the input data to be processed by the device to the personalized runtime environment.
Description
Technical field
The present invention relates to a method for protecting a device. The invention additionally relates to a corresponding apparatus, a corresponding computer program and a corresponding storage medium.
Background technique
In the field of information security, a security vulnerability is any error in software through which a program with harmful effects (malware) or an attacker can penetrate a computer system.
Security vulnerabilities are a threat to the security of a computer system. There is a risk that the vulnerability concerned is exploited and the affected computer system is compromised. Security vulnerabilities arise, among other things, from insufficient protection of the computer against attacks from the network (for example a missing firewall or other security software) and from programming errors in the operating system, the web browser or other software applications running on the system.
DE102015225651A1 discloses a method for protecting a device. There, a verifier generates a first random number and a second random number; computes a cryptographic key from the second random number by means of an emulated or previously measured hardware function of the device; encrypts software into a ciphertext with the key; sends the ciphertext and the first random number to the device; receives a checksum from the device; computes a reference value from the first random number and a copy of the device's working memory by means of the emulated or previously measured hardware function and a predetermined cryptographic hash function; checks the checksum against the reference value; and, provided the check passes, sends the second random number to the device.
Summary of the invention
The invention provides a method for protecting a device, a corresponding apparatus, a corresponding computer program and a corresponding machine-readable storage medium according to the independent claims.
The solution according to the invention is based on the insight that a known security vulnerability or defect can typically be used for a large number of attacks, because all instances of the faulty software have the same vulnerability. This in turn allows an attacker to create a single file or other input that can then be used to attack any one of the vulnerable devices (or all of them at once).
The solution proposed below is therefore based on the idea of a novel method for hardening interconnected devices against such mass attacks, a method that significantly increases the effort required for an attack.
Two advantages of this solution are the improved resistance of a system hardened according to the invention to software-based attacks, that is, attacks that exploit software defects, and the minimal additional cost to the system in terms of computing power, code size and code complexity.
The measures listed in the dependent claims allow advantageous developments and improvements of the basic idea stated in the independent claim. It can thus be provided that a so-called magic number or a corresponding character string (string) is randomly assigned to the device to be protected, according to which the device is personalized and the input data are adapted. In computer science, the term denotes, among other meanings, a special value that identifies a particular file format. For this purpose the value is usually placed at the beginning of the file, before the actual payload, and allows, for example, a utility or kernel module to determine the type of a file marked in this way without examining the file content in depth.
Suppose a hacker reverse-engineers a certain type of device protected in this way, such as a home or heating controller or an IP-based camera. Even if the hacker finds an exploitable software defect, the unique, randomly generated magic number prevents the hacker from exploiting the discovered vulnerability on other devices of the same type. To do so, the hacker would have to craft a file that the devices concerned process in the way the hacker intends (for example by a particular function of a particular library installed on those devices). Because the magic number is random, however, the hacker cannot craft such a file that is also "valid" in this respect for other devices. If such a device then receives a file whose magic number does not match the magic number assigned to the device, the device will not be able to process the file, but will for example simply discard it and thereby stop the attack attempt.
According to a further aspect, it can be provided that the randomly generated magic number or other attribute is assigned to the corresponding device in a database. The hacker's effort for a successful attack then grows essentially linearly with the number of devices he wants to attack. This follows from the fact that, as long as the hacker has not compromised the database, he must reverse-engineer each device he attempts to attack. It further means that any system that exploits software defects on this scale scales poorly. A corresponding embodiment of the invention can therefore very effectively prevent, in particular, denial of Internet services through a flood of requests spread across cyber-physical systems (distributed denial of service, DDoS).
As a result, the security risk for any interconnected system can be significantly reduced in the manner described, by directly eliminating the economic incentive to attack the system.
The invention also includes the following schemes:
Scheme 1. A method for protecting a device, characterized by the following steps:
personalizing (20) the runtime environment of the device, and
matching the input data to be processed by the device to the personalized runtime environment.
Scheme 2. The method according to scheme 1, characterized in that the personalization comprises the following steps:
generating a random attribute by means of a random number generator, and
assigning the attribute to the device in a database.
Scheme 3. The method according to scheme 2, characterized in that the personalization further comprises the following steps:
parameterizing the source code of the runtime environment according to the attribute by means of a personalization function unit, and
converting the parameterized source code into a device-specific binary file.
Scheme 4. The method according to scheme 3, characterized in that the matching comprises the following steps:
retrieving the attribute assigned to the device from the database; and
converting a source file containing the input data into a device-specific file according to the attribute by means of a matching function unit.
Scheme 5. The method according to scheme 4, characterized by the following feature:
the source file is converted into the device-specific file by inserting the attribute into the source file.
Scheme 6. The method according to any one of schemes 3 to 5, characterized by at least one of the following features:
the attribute comprises the number of data blocks of a magic number,
the attribute comprises the file position of the data blocks of the magic number, or
the attribute comprises the value of the magic number.
Scheme 7. The method according to scheme 6, characterized by the following features:
the source code comprises macros, and
the personalization function unit comprises a preprocessor.
Scheme 8. A computer program arranged to carry out the method according to any one of schemes 1 to 7.
Scheme 9. A machine-readable storage medium on which the computer program according to scheme 8 is stored.
Scheme 10. An apparatus arranged to carry out the method according to any one of schemes 1 to 7.
Detailed description of the invention
Embodiments of the invention are shown in the drawings and explained in more detail in the following description. In the drawings:
Fig. 1 shows a flow chart of the method according to one embodiment;
Fig. 2 schematically shows a first process of the method;
Fig. 3 schematically shows a second process of the method.
Specific embodiment
In the following, the term "file" is used in a broad sense for the input data of a networked device. Examples of files are software updates, multimedia files or text files that may contain requests to the device. In general, every file consists of header data and payload data. The payload of a file is the actual content of the file, such as an image, video or text. The header of the file contains the so-called metadata of the file, such as the file format, the tool used to create the file and its version, and so on. Within the scope of the invention, this metadata includes in particular the magic number used.
A basic aspect of the invention is to bind a given file to a particular device, so that the file can be correctly processed (that is, read and interpreted) only on the device intended for it. An overview of the proposed method is shown in Fig. 1.
In the device personalization step (process 20) shown in Fig. 2, a (pseudo-)random source (21) is used to generate, for a particular device, a magic number (M) for a particular file type. Instead of using the value of the magic number (M) directly, a set of (pseudo-)randomly selected attributes is generally considered, for example the number of data blocks (chunks) of the magic number (M) or its position in the file.
The magic number (M) is associated with a unique identifier (ID) of the corresponding device and in this way is permanently assigned to the device in a database (Db) for later lookup. At the same time, the magic number (M) is, as it were, "injected" into the source code (22) of the device build. For example, the C or C++ source code (22) of a library can be parameterized by so-called macros, which are replaced by suitable instructions according to the magic number (M).
The result of the device personalization step (20) is a binary file (24) customized for the corresponding device. This binary file (24) is, so to speak, configured to identify the particular file type by the magic number (M).
Now assume the following situation: a software update, for example, is to be carried out while the device is already in use. Then, in the file matching step (30) shown in Fig. 3, the magic number (M) for this device is retrieved from the database (Db). The file (f) to be bound to the device is processed by the matching function unit (31), which inserts the magic number (M) into the file (f). The result of this step is therefore a file (f_M) that can be correctly processed only by this device.
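The personalization and matching steps described above, sketched as an added example in C; it is not code from the patent. The macro names `DEVICE_MAGIC` and `DEVICE_MAGIC_OFFSET`, the 4-byte big-endian encoding, the function names and all sample values are assumptions; the attribute modelled here is the value of the magic number plus its position in the file.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed build interface: the personalization step defines these per device,
 * e.g. cc -DDEVICE_MAGIC=0x...u -DDEVICE_MAGIC_OFFSET=...u parser.c
 * The defaults are constructed sample values so the file builds stand-alone.
 * A magic number is a format marker, not a signature: its strength depends on
 * its length and on the database (Db) staying confidential. */
#ifndef DEVICE_MAGIC
#define DEVICE_MAGIC 0x5A17C3E9u
#endif
#ifndef DEVICE_MAGIC_OFFSET
#define DEVICE_MAGIC_OFFSET 2u
#endif
#define MAGIC_LEN 4u

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Matching side (31): insert the magic looked up for the target device at its
 * offset in f, producing f_M. Returns bytes written, or 0 if nothing fits. */
size_t bind_file(uint32_t magic, size_t offset,
                 const uint8_t *f, size_t f_len,
                 uint8_t *out, size_t out_cap)
{
    if (offset > f_len || f_len > SIZE_MAX - MAGIC_LEN) return 0;
    if (out_cap < f_len + MAGIC_LEN) return 0;
    memcpy(out, f, offset);
    put_be32(out + offset, magic);
    memcpy(out + offset + MAGIC_LEN, f + offset, f_len - offset);
    return f_len + MAGIC_LEN;
}

/* Device side (24): the personalized binary knows only its compiled-in values.
 * On a match the magic is stripped and the original f is written to out;
 * returns its length. Returns -1 (file discarded) on any mismatch. */
long device_accept(const uint8_t *fm, size_t fm_len,
                   uint8_t *out, size_t out_cap)
{
    uint8_t expect[MAGIC_LEN];
    size_t f_len;

    if (fm_len < (size_t)DEVICE_MAGIC_OFFSET + MAGIC_LEN) return -1;
    put_be32(expect, DEVICE_MAGIC);
    if (memcmp(fm + DEVICE_MAGIC_OFFSET, expect, MAGIC_LEN) != 0) return -1;
    f_len = fm_len - MAGIC_LEN;
    if (out_cap < f_len) return -1;
    memcpy(out, fm, DEVICE_MAGIC_OFFSET);
    memcpy(out + DEVICE_MAGIC_OFFSET, fm + DEVICE_MAGIC_OFFSET + MAGIC_LEN,
           f_len - DEVICE_MAGIC_OFFSET);
    return (long)f_len;
}

/* Constructed demo: the same update bound once for this device and once for
 * a different device (different magic and offset). Returns 1 if the first is
 * accepted and the second is discarded. */
int demo(void)
{
    static const uint8_t f[] = "UPDATE v2 payload";   /* constructed sample */
    uint8_t fm[64], other[64], out[64];
    size_t n = bind_file(DEVICE_MAGIC, DEVICE_MAGIC_OFFSET,
                         f, sizeof f, fm, sizeof fm);
    size_t m = bind_file(0x0BADC0DEu, 5u, f, sizeof f, other, sizeof other);
    long ok = device_accept(fm, n, out, sizeof out);
    long rejected = device_accept(other, m, out, sizeof out);
    return ok == (long)sizeof f && rejected == -1;
}

int main(void) { return demo() ? 0 : 1; }
```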
Claims (10)
1. A method (10) for protecting a device, characterized by the following steps:
personalizing (20) the runtime environment of the device, and
matching (30) the input data to be processed by the device to the personalized runtime environment.
2. The method (10) according to claim 1, characterized in that the personalization (10) comprises the following steps:
generating a random attribute by means of a random number generator (21), and
assigning the attribute to the device in a database (Db).
3. The method (10) according to claim 2, characterized in that the personalization (10) further comprises the following steps:
parameterizing the source code (22) of the runtime environment according to the attribute by means of a personalization function unit (23), and
converting the parameterized source code (22) into a device-specific binary file (24).
4. The method (10) according to claim 3, characterized in that the matching (30) comprises the following steps:
retrieving the attribute assigned to the device from the database (Db); and
converting a source file (f) containing the input data into a device-specific file (f_M) according to the attribute by means of a matching function unit (31).
5. The method (10) according to claim 4, characterized by the following feature:
the source file (f) is converted into the device-specific file (f_M) by inserting the attribute into the source file (f).
6. The method (10) according to any one of claims 3 to 5, characterized by at least one of the following features:
the attribute comprises the number of data blocks of a magic number (M),
the attribute comprises the file position of the data blocks of the magic number (M), or
the attribute comprises the value of the magic number (M).
7. The method (10) according to claim 6, characterized by the following features:
the source code (22) comprises macros, and
the personalization function unit comprises a preprocessor.
8. A computer program arranged to carry out the method (10) according to any one of claims 1 to 7.
9. A machine-readable storage medium on which the computer program according to claim 8 is stored.
10. An apparatus arranged to carry out the method (10) according to any one of claims 1 to 7.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE102017214591.9 | 2017-08-22 | ||
DE102017214591.9A DE102017214591A1 (en) | 2017-08-22 | 2017-08-22 | Method and device for protecting a device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109428885A true CN109428885A (en) | 2019-03-05 |
CN109428885B CN109428885B (en) | 2022-11-08 |
Family
ID=65320917
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810952209.6A Active CN109428885B (en) | 2017-08-22 | 2018-08-21 | Method and apparatus for protecting a device |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN109428885B (en) |
DE (1) | DE102017214591A1 (en) |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040177168A1 (en) * | 2003-03-03 | 2004-09-09 | Microsoft Corporation | Verbose hardware identification for binding a software package to a computer system having tolerance for hardware changes |
CN102047220A (en) * | 2008-05-23 | 2011-05-04 | 爱迪德加拿大公司 | System and method for generating white-box implementations of software applications |
CN103052922A (en) * | 2010-07-07 | 2013-04-17 | Abb股份公司 | Method for configuring a control device |
CN103853943A (en) * | 2014-02-18 | 2014-06-11 | 优视科技有限公司 | Program protection method and device |
CN103975338A (en) * | 2011-10-06 | 2014-08-06 | 泰雷兹公司 | Method of generating, from an initial package file comprising an application to be secured and an initial configuration file, a package file for securing the application, and associated computer program product and computing device |
CN104378336A (en) * | 2013-08-16 | 2015-02-25 | 好看科技(深圳)有限公司 | Data processing method and system and server |
CN106126981A (en) * | 2016-08-30 | 2016-11-16 | 电子科技大学 | The software security means of defence replaced based on virtual function table |
KR101732679B1 (en) * | 2016-09-13 | 2017-05-04 | (주)이공감 | Method for managing security data of cyber security management apparatus |
CN106649772A (en) * | 2016-12-27 | 2017-05-10 | 上海上讯信息技术股份有限公司 | Method and equipment for accessing data |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE102015225651A1 (en) | 2015-12-17 | 2017-06-22 | Robert Bosch Gmbh | Method and apparatus for transmitting software |
-
2017
- 2017-08-22 DE DE102017214591.9A patent/DE102017214591A1/en active Pending
-
2018
- 2018-08-21 CN CN201810952209.6A patent/CN109428885B/en active Active
Also Published As
Publication number | Publication date |
---|---|
DE102017214591A1 (en) | 2019-02-28 |
CN109428885B (en) | 2022-11-08 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||