CN113946799B - Application program source code protection method and server - Google Patents


Info

Publication number: CN113946799B
Application number: CN202111567275.XA
Authority: CN (China)
Prior art keywords: module, public key, server, application program, license certificate
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN113946799A
Inventors: 宁蓉, 刘国清, 杨广, 王启程
Current assignee: Shenzhen Youjia Innovation Technology Co ltd
Original assignee: Shenzhen Minieye Innovation Technology Co Ltd
Events: application filed by Shenzhen Minieye Innovation Technology Co Ltd; priority to CN202111567275.XA; published as CN113946799A; application granted and published as CN113946799B; legal status active.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/101 Protecting distributed programs or content by binding digital rights to specific entities
    • G06F21/1011 Protecting distributed programs or content by binding digital rights to devices
    • G06F21/105 Arrangements for software license management or administration, e.g. for managing licenses at corporate level
    • G06F21/107 License processing; Key processing
    • G06F21/12 Protecting executable software
    • G06F21/121 Restricting unauthorised execution of programs
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures


Abstract

The invention provides an application program source code protection method comprising the following steps: a user side sends request information that includes a target application program; the server receives the request information and, according to it, generates a public key, a private key and a license certificate corresponding to the target application program; the server side sends the license certificate to the user side; the server side packages the target application program, the public key and the private key into a container image; the server receives the license certificate and sends the corresponding container image to the user side; and the user side receives the container image and starts it. The invention also provides a server. The technical scheme of the invention can effectively protect the source code of the application program.

Description

Application program source code protection method and server
Technical Field
The invention relates to the technical field of network security, and in particular to an application program source code protection method and a server.
Background
Currently, methods for protecting the source code of programs developed in interpreted languages generally proceed as follows: the server side randomly issues a public key and a private key generated with an asymmetric encryption algorithm; the client obtains the public key and the private key from the server and, when requesting a program update, provides its device information and its public key to the server; after the server has verified the request, it encrypts the program source code with the public key sent by the client to obtain a release package and sends that package to the client; and the client decrypts the release package with the private key to obtain the program source code.
Although source code developed in an interpreted language is protected in this way by asymmetric encryption, the program source code is ultimately stored on the client as a file, so it is easily obtained and cracked by an attacker.
Disclosure of Invention
In view of the above, it is necessary to provide an application source code protection method and a server that protect the source code of an application.
In a first aspect, an embodiment of the present invention provides an application program source code protection method, which includes:
a user side sends request information, where the request information includes a target application program;
the server receives the request information and, according to it, generates a public key, a private key and a license certificate corresponding to the target application program;
the server side sends the license certificate to the user side;
the server side packages the target application program, the public key and the private key into a container image, where the container image includes a start module and an import module; the start module obtains the encrypted dependency library corresponding to the target application program according to the license certificate, the public key and the hardware address of the user side, and the import module decrypts the encrypted dependency library with the private key and loads the decrypted dependency library into the memory of the start module;
the user side sends the license certificate to the server side;
the server receives the license certificate and sends the corresponding container image to the user side; and
the user side receives the container image and starts it.
In a second aspect, an embodiment of the present invention provides an application source code protection method executed on a server, which includes:
receiving request information from a user side, where the request information includes a target application program;
generating a public key, a private key and a license certificate corresponding to the target application program according to the request information;
sending the license certificate to the user side; and
packaging the target application program, the public key and the private key into a container image, where the container image includes a start module and an import module; the start module obtains the encrypted dependency library corresponding to the target application program according to the license certificate, the public key and the hardware address of the user side, and the import module decrypts the encrypted dependency library with the private key and loads the decrypted dependency library into the memory of the start module.
In a third aspect, an embodiment of the present invention provides an application source code protection method executed by a user side, which includes:
sending request information, where the request information includes a target application program;
receiving a license certificate from a server;
sending the license certificate to the server;
receiving a container image corresponding to the license certificate, where the container image encapsulates the target application program together with the public key and private key corresponding to it; and
starting the container image, where the container image includes a start module and an import module; the start module obtains the encrypted dependency library corresponding to the target application program according to the license certificate, the public key and the hardware address of the user side, and the import module decrypts the encrypted dependency library with the private key and loads the decrypted dependency library into the memory of the start module.
In a fourth aspect, an embodiment of the present invention provides a server that includes a communication module, a package management service module and a container repository management service module. The communication module is configured to receive request information sent by a user side, where the request information includes a target application program;
the package management service module is configured to generate a public key, a private key and a license certificate corresponding to the target application program according to the request information, and to send the license certificate to the user side through the communication module; and
the container repository management service module includes:
a packaging module configured to package the target application program, the public key and the private key into a container image according to the request information, where the container image includes a start module and an import module; the start module obtains the encrypted dependency library corresponding to the target application program according to the license certificate, the public key and the hardware address of the user side, and the import module decrypts the encrypted dependency library with the private key and loads the decrypted dependency library into the memory of the start module; and
a distribution module configured to send the container image to the user side according to the license certificate sent by the user side, where the license certificate is received from the user side through the communication module and the container image is sent to the user side through the communication module.
According to the application program source code protection method and server described above, the user side sends request information to request a target application program; the server side generates the public key, private key and license certificate corresponding to the target application program according to the request information, and packages the target application program, the public key and the private key into a container image. The user side obtains the container image with the license certificate and installs or upgrades the target application program once the container image has started. The container image acts as a sandbox and provides a safe and reliable execution environment, so the program is isolated from the user side's environment and the remote import has a security protection mechanism. On one hand, the container image does not affect other programs on the user side and prevents attackers from misusing the import module to intrude into the user side's system; on the other hand, it keeps the target application program free from interference by the user side's system processes and protects the files and programs issued by the server side from being tampered with.
Because the target application program is packaged into the container image and the dependency library is loaded into the memory of the start module rather than stored as a local file on the user side, the source code of the dependency library is never stored in the container image in any file form. The target application program and the source code of its dependency library therefore both remain on the server side, and only the related application programs are placed in the container image. This protects the application program's source code, effectively prevents the source program from being stolen or tampered with, and avoids the risk of copyright infringement that would arise once a user obtained the source code of the target application program. In addition, the container image loads the target application program and the corresponding dependency library into the memory of the start module using the license certificate, the public key, the private key, the hardware address and so on, which further protects the source code. The container image and the server side together form a remote import mode, and the license certificate, public key, private key, hardware address and the like provide security guarantees for that remote import, making it safer, more reliable and more practical.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the structures shown in the drawings without creative efforts.
Fig. 1 is a flowchart of an application source code protection method according to a first embodiment of the present invention.
Fig. 2 is a first sub-flowchart of an application source code protection method according to a first embodiment of the present invention.
Fig. 3 is a second sub-flowchart of the method for protecting source code of an application according to the first embodiment of the present invention.
Fig. 4 is a schematic diagram of an internal structure of an application source code protection system according to an embodiment of the present invention.
Fig. 5 is a flowchart of an application source code protection method according to a second embodiment of the present invention.
Fig. 6 is a sub-flowchart of an application source code protection method according to a second embodiment of the present invention.
Fig. 7 is a flowchart of an application source code protection method according to a third embodiment of the present invention.
Fig. 8 is a schematic diagram of an internal structure of a server according to an embodiment of the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terms "first," "second," "third," "fourth," and the like in the description, the claims and the drawings of this application (if any) are used to distinguish between similar items and do not necessarily describe a particular sequential or chronological order. It is to be understood that items so labelled are interchangeable under appropriate circumstances, so that the embodiments described may be practised in sequences other than those illustrated or described herein. Moreover, the terms "comprises," "comprising," and any variation thereof are intended to be non-exclusive: a process, method, system, article or apparatus that comprises a list of steps or elements is not necessarily limited to the steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such a process, method, article or apparatus.
It should be noted that the description relating to "first", "second", etc. in the present invention is for descriptive purposes only and is not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more of that feature. In addition, technical solutions between various embodiments may be combined with each other, but must be realized by a person skilled in the art, and when the technical solutions are contradictory or cannot be realized, such a combination should not be considered to exist, and is not within the protection scope of the present invention.
Referring to fig. 1 and fig. 4 together, fig. 1 is a flowchart of an application source code protection method according to a first embodiment of the present invention, and fig. 4 is a schematic diagram of the internal structure of an application source code protection system according to an embodiment of the present invention. The application source code protection system 1000 includes a server 100, a user terminal 200 and a database 300; the server 100 is communicatively connected to the user terminal 200 and can access the database 300. In this embodiment, the server 100 and the user terminal 200 are connected through a network. The system 1000 includes one server 100, a plurality of user terminals 200 and one database 300; in other possible embodiments it may include a plurality of servers 100, a plurality of user terminals 200 and a plurality of databases 300. The user terminal 200 includes, but is not limited to, electronic devices such as desktop computers, tablet computers and mobile phones, and the database 300 includes, but is not limited to, MySQL, SQLite, Oracle, PostgreSQL, MongoDB and the like. The application source code protection method is used to protect source code written in an interpreted language; interpreted languages include, but are not limited to, Python, JavaScript, Perl, Shell, Ruby, MATLAB and the like. The method specifically includes the following steps.
Step S102, the user side sends request information. In this embodiment, the user sends the request information through the user terminal 200. The request information includes the target application program, that is, the application program the user wants to install or upgrade on the user terminal 200. The same target application program may be requested by different users through different user terminals 200.
Step S104, the server receives the request information and, according to it, generates a public key, a private key and a license certificate corresponding to the target application program. The license certificate is a software license, and each public key corresponds to exactly one private key. The server 100 may generate the public key and the private key with an asymmetric algorithm such as RSA, DSA, ECC or DH; preferably, the server 100 uses RSA. When different user terminals 200 send request information, the server 100 generates a corresponding public key, private key and license certificate for each request. In this embodiment the license certificate also corresponds to the request information: the server 100 generates different license certificates for different user terminals 200, and when the same user terminal 200 sends different requests for different target application programs, the server 100 generates a license certificate for each of those target application programs. After generating the public key, the private key and the license certificate, the server 100 also stores the public key and the private key in the database 300. In this embodiment, the server 100 further generates a license credential corresponding to the license certificate from the public key or the private key. The license credential is used to activate the corresponding target application program so that it can be installed or upgraded. Preferably, the server 100 obtains the license credential by computing the MD5 message digest (MD5 Message-Digest Algorithm) of the private key.
In some possible embodiments, the server 100 may instead compute the MD5 message digest of the public key to obtain the license credential.
Step S106, the server side sends the license certificate to the user side. In this embodiment, the server 100 also sends the license credential to the user terminal 200, so the user obtains both the license certificate and the license credential through the user terminal 200.
Step S108, the server side packages the target application program, the public key and the private key into a container image. In this embodiment, the server 100 encapsulates the target application program and its corresponding public key and private key into the same container image 40. The container image 40 includes a start module 41 and an import module 42. The start module 41 obtains the encrypted dependency library corresponding to the target application program according to the license certificate, the public key and the hardware address of the user terminal 200. The import module 42 decrypts the encrypted dependency library with the private key and loads the decrypted dependency library into the memory of the start module 41. The initial container image 40 is preconfigured with both the start module 41 and the import module 42; once the server 100 has encapsulated the target application program, the public key and the private key into this initial image, the container image 40 corresponds to that target application program. The container image 40 is an image for a Docker container.
Step S110, the user side sends the license certificate to the server side. The user sends the license certificate through the user terminal 200 to request that the server 100 send the container image 40 to the user terminal 200.
Step S112, the server receives the license certificate and sends the corresponding container image to the user side. Since the container image 40 encapsulates the target application program, the server 100 can match the container image 40 that encapsulates the requested target application program according to the license certificate and send it to the corresponding user terminal 200.
Step S114, the user side receives the container image and starts it. In this embodiment, after the user terminal 200 receives the container image 40, the user starts the container image 40 through the user terminal 200. Once started, the container image 40 automatically runs the relevant processes until the corresponding dependency library has been loaded into the memory of the start module 41. After loading is complete, the user can install the target application program using the license credential. The operations the container image 40 performs after start-up are described in detail below.
In the above embodiment, the user side sends request information to request a target application program; the server side generates the public key, private key and license certificate corresponding to the target application program according to the request information, and encapsulates the target application program, the public key and the private key into a container image. The user side obtains the container image with the license certificate and installs or upgrades the target application program once the container image has started. The container image acts as a sandbox and provides a safe and reliable execution environment: the program is isolated from the user side's environment, other programs on the user side are unaffected, attackers are prevented from reaching user information, interference from the user side's system processes is avoided, and the remote import has a security protection mechanism. On one hand, the container image does not affect other programs on the user side and prevents attackers from misusing the import module to intrude into the user side's system; on the other hand, it keeps the target application program free from interference by the user side's system processes and protects the files and programs issued by the server side from being tampered with.
Because the target application program is packaged into the container image and the dependency library is loaded into the memory of the start module rather than stored as a local file on the user side, the source code of the dependency library is never stored in the container image in any file form. The target application program and the source code of its dependency library therefore both remain on the server side, and only the related application programs are placed in the container image. This protects the application program's source code, effectively prevents the source program from being stolen or tampered with, and avoids the risk of copyright infringement that would arise once a user obtained the source code of the target application program. In addition, the container image loads the target application program and the corresponding dependency library into the memory of the start module using the license certificate, the public key, the private key, the hardware address and so on, which further protects the source code. The container image and the server side together form a remote import mode, and the license certificate, public key, private key, hardware address and the like provide security guarantees for that remote import, making it safer, more reliable and more practical. The dependency libraries are all provided by their respective suppliers and therefore offer high security and reliability.
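The following Python example is added here to illustrate the server-side part of steps S104 to S112 above (key pair, license certificate and license credential generation, packaging into an image record, and matching the image by certificate); it is not code from the patent. The keys are textbook RSA over two tiny constructed primes (61 and 53), which is only enough to make the data flow visible, and the names `PackageManagementService`, `handle_request`, `fetch_image` and `derive_credential` are this example's own. As the page specifies, the license credential is the MD5 digest of the private key; a modern deployment would choose SHA-256 or better for such a derivation.

```python
"""Added example (not the patent's code): a toy model of the package
management service for steps S104 to S112. The RSA keys use two tiny
constructed primes, so this shows the data flow only."""
import hashlib
import secrets
from math import gcd

# Constructed toy primes; a real server would use a 2048-bit+ RSA library.
TOY_PRIMES = (61, 53)


def generate_keypair(primes=TOY_PRIMES):
    """Return ((n, e), (n, d)) as textbook RSA public and private keys."""
    p, q = primes
    n = p * q
    phi = (p - 1) * (q - 1)
    e = 17                       # public exponent; must be coprime to phi
    if gcd(e, phi) != 1:
        raise ValueError("public exponent not coprime to phi")
    d = pow(e, -1, phi)          # private exponent (Python 3.8+ modular inverse)
    return (n, e), (n, d)


def serialize_key(key):
    """Canonical byte form of a toy key tuple, used for hashing and storage."""
    return f"{key[0]}:{key[1]}".encode()


def derive_credential(private_key):
    """License credential as the page describes it: MD5 over the private key."""
    return hashlib.md5(serialize_key(private_key)).hexdigest()


class PackageManagementService:
    """Stand-in for the package management service plus 'database 300'."""

    def __init__(self):
        self.records = {}   # license certificate -> keys, credential, binding
        self.images = {}    # license certificate -> container image (a dict here)

    def handle_request(self, client_id, target_app):
        """Steps S104 to S108: keys, certificate, credential, container image."""
        public_key, private_key = generate_keypair()
        # A fresh random certificate per (client, target app) request, so two
        # clients requesting the same app never share one certificate.
        certificate = secrets.token_hex(16)
        credential = derive_credential(private_key)
        self.records[certificate] = {
            "client_id": client_id,
            "target_app": target_app,
            "public_key": public_key,
            "private_key": private_key,
            "credential": credential,
            "bound_hw_address": None,     # filled in later by step S206
        }
        # Step S108: the image carries the app, both keys and the two modules.
        self.images[certificate] = {
            "target_app": target_app,
            "public_key": public_key,
            "private_key": private_key,
            "modules": ("start_module", "import_module"),
        }
        # Step S106: certificate and credential are returned to the user side.
        return certificate, credential

    def fetch_image(self, certificate):
        """Step S112: return the image matched by certificate, or None."""
        return self.images.get(certificate)


if __name__ == "__main__":
    svc = PackageManagementService()
    cert, cred = svc.handle_request("client-A", "app-1")
    print("certificate:", cert, "credential:", cred)
    print("image for certificate:", svc.fetch_image(cert)["target_app"])
```

With the fixed toy primes every call yields the same key pair, so the per-request uniqueness in this model comes from the random certificate; a real server would generate a fresh key pair per request as the page describes, and the lookup in `fetch_image` would be backed by the database rather than a dictionary.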
Please refer to fig. 2, which is a first sub-flowchart of a method for protecting source codes of an application according to a first embodiment of the present invention. After step S114 is executed, the method for protecting the source code of the application program further includes the following steps.
Step S202, the start module sends the license certificate, the public key and the hardware address to the server. After the container image 40 is started, the start module 41 obtains the hardware address of the user terminal 200 and sends the license certificate, the public key and the hardware address to the server 100.
Step S204, the server verifies the license certificate and the public key. In this embodiment, the server 100 compares the license certificate and the public key stored in the database 300 with the license certificate and the public key sent by the start module 41. Specifically, the server 100 checks whether the license certificate in the database 300 matches the license certificate sent by the start module 41, and whether the public key in the database 300 matches the public key sent by the start module 41. When both match, the server 100 determines that the license certificate and the public key have passed verification.
Step S206, when the license certificate and the public key pass verification, the server binds the license certificate to the hardware address. In this embodiment, the server 100 determines whether the license certificate already has a bound hardware address. When the license certificate is not yet bound to a hardware address, the server 100 binds it to the current hardware address. When the license certificate is already bound, the server 100 determines whether the bound hardware address is the same as the current hardware address. When they are the same, the server 100 needs to do nothing further. When they differ, the server 100 sends confirmation information to the user terminal 200, and the user selects, through the user terminal 200, the single hardware address to bind. Each license certificate can be bound to only one user terminal 200, while one user terminal 200 can bind several license certificates.
Step S208, the server encrypts the dependency library corresponding to the target application according to the public key to obtain an encrypted dependency library, and sends the encrypted dependency library to the start module. The server 100 looks up the dependency library that corresponds to the target application and encrypts it with the corresponding public key, thereby obtaining the encrypted dependency library.
Step S210, the start module receives the encrypted dependency library.
Step S212, the import module decrypts the encrypted dependency library with the private key and loads the decrypted dependency library into the memory of the start module. Because public keys and private keys correspond one to one, a private key can only decrypt a dependency library that was encrypted with its corresponding public key, which gives the container image higher security.
In the above embodiment, after the container image is started, the server verifies the license certificate and binds it to the hardware address, so that unauthorized private copying and sharing of the dependency library can be effectively prevented. At the same time, the method protects the running environment of the user terminal, provides a secure sandbox environment in which the target application runs, and prevents attackers from abusing the import module. Because the hardware address is unique, binding it to the license certificate prevents the target application from being stolen, making the container image safer and more reliable.
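The encryption and decryption of steps S208 to S212, as an added Go example written for this page; it is not code from the patent or its assignee. The patent only says the dependency library is encrypted "according to the public key". RSA cannot encrypt a whole library in one operation, so this example assumes the usual hybrid construction: a fresh AES-256-GCM key encrypts the library and RSA-OAEP under the client's public key wraps that AES key. The struct and function names are this example's own. One caveat a practitioner should keep in view: the private key that decrypts the library ships inside the same container image (step S508), so the scheme protects the library in transit and against other users' images, not against whoever holds the image.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// EncryptedLibrary is the message the server sends to the start module in
// step S208 (hybrid layout is this example's assumption, not the patent's).
type EncryptedLibrary struct {
	WrappedKey []byte // RSA-OAEP(public key, aesKey)
	Nonce      []byte // 96-bit GCM nonce, unique per encryption
	Ciphertext []byte // AES-GCM(aesKey, nonce, library), auth tag appended
}

// EncryptDependencyLibrary is the server side of step S208.
func EncryptDependencyLibrary(pub *rsa.PublicKey, library []byte) (*EncryptedLibrary, error) {
	aesKey := make([]byte, 32)
	if _, err := rand.Read(aesKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, aesKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedLibrary{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, library, nil),
	}, nil
}

// DecryptDependencyLibrary is the import module side of step S212. The
// plaintext is returned as a byte slice for loading into memory; nothing is
// written to disk. A private key that does not match the wrapping public key
// fails at the OAEP step, and a tampered ciphertext fails the GCM tag check.
func DecryptDependencyLibrary(priv *rsa.PrivateKey, enc *EncryptedLibrary) ([]byte, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, enc.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap library key: %w", err)
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, enc.Nonce, enc.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt library: %w", err)
	}
	return plain, nil
}

func main() {
	// Constructed sample: a key pair as the server would generate in step S504
	// and a stand-in for the dependency library bytes.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		log.Fatal(err)
	}
	library := []byte("constructed dependency library contents")

	enc, err := EncryptDependencyLibrary(&priv.PublicKey, library)
	if err != nil {
		log.Fatal(err)
	}
	got, err := DecryptDependencyLibrary(priv, enc)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("round trip ok:", bytes.Equal(got, library))

	// A key pair from another user's container image cannot decrypt this
	// library: the wrapped AES key is bound to one public key.
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, err = DecryptDependencyLibrary(other, enc)
	fmt.Println("wrong private key rejected:", err != nil)
}
```

The nonce must never repeat under the same AES key; generating a fresh key per encryption, as above, makes that trivially true.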
Please refer to fig. 3, which is a second sub-flowchart of the method for protecting source code of an application according to the first embodiment of the present invention. The container image 40 also includes a security module 43, and the application source code protection method further includes the following steps.
Step S302, the security module monitors the container image and determines whether the container image is abnormal. In this embodiment, when the container image 40 starts, the entry point instruction (EntryPoint) of the container image 40 also starts the security module 43, which runs automatically in the background. That is, the security module 43 begins monitoring the container image 40 as soon as the container image 40 starts. The security module 43 determines whether the container image 40 is abnormal by monitoring the files in the container image 40. Abnormalities include, but are not limited to, illegal tampering with the running security module 43, illegal tampering with the target application, tampering with the license certificate, and a change of the currently bound hardware address.
Step S304, when the container image is abnormal, the security module sends alarm information to the server. When the server 100 receives the alarm information, the administrator of the server 100 can handle the abnormality according to it. For example, if the administrator of the server 100 determines from the alarm information that the container image 40 is under attack and that an attacker is attempting to obtain the source code of the target application, the administrator can defend against the attack by revoking the license certificate.
In some possible embodiments, if the server 100 detects that the start module 41 of the container image 40 has established a network connection with the server 100 while the security module 43 has not, it may be determined that the security module 43 has been blocked by an attack and therefore cannot connect. If the security module 43 is blocked and can no longer monitor the container image 40, the target application may be attacked and stored locally on the user terminal 200. The server 100 therefore generates a prompt message, from which the administrator of the server 100 can inspect the state of the container image 40. At the same time, the server 100 may decide, according to a preset policy, whether to stop providing service to the user terminal 200. The preset policy is set according to the actual situation.
In the above embodiment, the security module is placed in the container image and begins monitoring the container image as soon as the container image starts. When the security module has no network connection with the server, it is judged that the security module may have been attacked and can no longer monitor the container image, and the server can stop providing service to the user terminal according to the preset policy. This prevents the start module and the import module from being tampered with or attacked, gives the container image high security, and effectively raises the cost and difficulty of an attack.
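A minimal version of the security module's monitoring pass (steps S302 and S304) and of the server-side "start module connected, security module not" inference, as an added Go example written for this page, not the patent's code. The file names, the choice of SHA-256 for the file baseline, the alarm wording and the hardware-address strings are assumptions; a real module would run Check on a timer and send the alarms over the network. Note that this detection runs inside the container it protects: whoever can edit the image can also edit the security module, which is why the patent pairs it with the server-side connection check.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"log"
	"os"
	"path/filepath"
	"sort"
)

// Baseline hashes the monitored files once, when the container's EntryPoint
// starts the security module (step S302). Which files to monitor is an
// assumption of this example: the module binary, the target application and
// the license file.
func Baseline(paths []string) (map[string][32]byte, error) {
	base := make(map[string][32]byte, len(paths))
	for _, p := range paths {
		data, err := os.ReadFile(p)
		if err != nil {
			return nil, err
		}
		base[p] = sha256.Sum256(data)
	}
	return base, nil
}

// Check is one monitoring pass: every baselined file is re-hashed and the
// currently observed hardware address is compared with the bound one. Each
// deviation becomes one alarm line of the kind step S304 sends to the server.
// The result is sorted so callers get a stable order.
func Check(base map[string][32]byte, boundHW, currentHW string) []string {
	var alarms []string
	for p, want := range base {
		data, err := os.ReadFile(p)
		if err != nil {
			alarms = append(alarms, fmt.Sprintf("%s: unreadable: %v", filepath.Base(p), err))
			continue
		}
		if sha256.Sum256(data) != want {
			alarms = append(alarms, fmt.Sprintf("%s: content changed", filepath.Base(p)))
		}
	}
	if boundHW != currentHW {
		alarms = append(alarms, fmt.Sprintf("hardware address changed: bound %s, now %s", boundHW, currentHW))
	}
	sort.Strings(alarms)
	return alarms
}

// Session is the server's record of one started container. If the start
// module has connected but the security module has not, the server treats the
// security module as blocked and raises the prompt message described above;
// whether to cut service is left to the preset policy.
type Session struct {
	StartModuleConnected    bool
	SecurityModuleConnected bool
}

func (s Session) SecurityModuleShielded() bool {
	return s.StartModuleConnected && !s.SecurityModuleConnected
}

func main() {
	dir, err := os.MkdirTemp("", "container-files")
	if err != nil {
		log.Fatal(err)
	}
	defer os.RemoveAll(dir)
	// Constructed stand-ins for the files inside the container image.
	files := map[string]string{"security_module": "module-bytes", "target_app": "app-bytes", "license": "lic-1"}
	var paths []string
	for name, content := range files {
		p := filepath.Join(dir, name)
		if err := os.WriteFile(p, []byte(content), 0o600); err != nil {
			log.Fatal(err)
		}
		paths = append(paths, p)
	}
	base, err := Baseline(paths)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("clean pass:", Check(base, "02:00:00:00:00:01", "02:00:00:00:00:01"))
	// Simulated tampering: the license file is rewritten and the MAC changes.
	os.WriteFile(filepath.Join(dir, "license"), []byte("lic-2"), 0o600)
	for _, a := range Check(base, "02:00:00:00:00:01", "02:00:00:00:00:09") {
		fmt.Println("alarm:", a)
	}
	fmt.Println("shielded:", Session{StartModuleConnected: true}.SecurityModuleShielded())
}
```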
In some possible embodiments, the container image 40 may also include a log module. If the supplier or the user of the application has further requirements, such as analysis or a specific presentation of the process, the log module collects logs through a log collection process; it can also be used to check the health of the whole system protected by the method, providing the supplier or user with a richer readable interface. The log module can be implemented with simple standard input and file management, that is, log file collection.
Please refer to fig. 5, which is a flowchart of a method for protecting source code of an application according to a second embodiment of the present invention. The method of the second embodiment is executed by the server 100 and specifically includes the following steps.
Step S502, request information is received from a user terminal. The request information includes the target application. The same target application may be requested by different user terminals 200.
Step S504, a public key, a private key and a license certificate corresponding to the target application are generated according to the request information. The license certificate is a software license, and the public key corresponds one to one with the private key. The server 100 may generate the key pair with RSA, DSA, ECC, DH or another asymmetric algorithm; preferably, the server 100 uses RSA. When different user terminals 200 send request information, the server 100 generates a separate public key, private key and license certificate for each request. In this embodiment the license certificate also corresponds to the request information: the server 100 generates different license certificates for different user terminals 200, and when the same user terminal 200 sends different request messages for different target applications, the server 100 generates a license certificate for each target application. After generating the public key, the private key and the license certificate, the server 100 also stores the license certificate and the public key in the database 300. In this embodiment, the server 100 further derives a license credential corresponding to the license certificate from the public key or the private key. The license credential is used to activate the corresponding target application so that it can be installed or upgraded. Preferably, the server 100 computes the license credential as the MD5 message digest (MD5 Message-Digest Algorithm) of the private key. In some possible embodiments, the server 100 may instead compute the license credential as the MD5 digest of the public key.
Step S506, the license certificate is sent to the user terminal. In this embodiment, the server 100 also sends the license credential to the user terminal 200. The user obtains the license certificate and the license credential through the user terminal 200.
Step S508, the target application, the public key and the private key are packaged into a container image. In this embodiment, the server 100 encapsulates the corresponding target application, public key and private key in the same container image 40. The container image 40 includes a start module 41 and an import module 42. The start module 41 is configured to obtain the encrypted dependency library corresponding to the target application according to the license certificate, the public key and the hardware address of the user terminal. The import module 42 is configured to decrypt the encrypted dependency library with the private key and load the decrypted dependency library into the memory of the start module 41.
In some possible embodiments, the container image 40 also includes a security module 43. When the container image 40 starts, its entry point instruction (EntryPoint) also starts the security module 43, which runs automatically in the background, so that the security module 43 monitors the container image 40 from the moment it starts. The security module 43 determines whether the container image 40 is abnormal by monitoring the files in the container image 40; abnormalities include, but are not limited to, illegal tampering with the running security module 43, illegal tampering with the target application, tampering with the license certificate, and a change of the currently bound hardware address. When the container image 40 is abnormal, the security module 43 sends alarm information to the server 100, and the administrator of the server 100 handles the abnormality according to it. For example, if the administrator determines from the alarm information that the container image 40 is under attack and an attacker is attempting to obtain the source code of the target application, the administrator can defend against the attack by revoking the license certificate.
If the server 100 detects that the start module 41 of the container image 40 has established a network connection with the server 100 while the security module 43 has not, it may be determined that the security module 43 has been blocked by an attack and therefore cannot connect. If the security module 43 is blocked and can no longer monitor the container image 40, the target application may be attacked and stored locally on the user terminal 200. The server 100 therefore generates a prompt message, from which the administrator of the server 100 can inspect the state of the container image 40. At the same time, the server 100 may decide, according to a preset policy, whether to stop providing service to the user terminal 200. The preset policy is set according to the actual situation.
Please refer to fig. 6, which is a sub-flowchart of the method for protecting source code of an application according to the second embodiment of the present invention. After step S508, the method of the second embodiment further includes the following steps.
Step S602, it is determined whether the license certificate, the public key and the hardware address have been received from the start module.
Step S604, when the license certificate, the public key and the hardware address are received, the license certificate and the public key are verified. In this embodiment, the server 100 checks whether the license certificate in the database 300 matches the one sent by the start module 41, and whether the public key in the database 300 matches the one sent by the start module 41. When both match, the server 100 determines that the license certificate and the public key have passed verification.
Step S606, when the license certificate and the public key pass verification, the license certificate is bound to the hardware address. In this embodiment, the server 100 determines whether the license certificate already has a bound hardware address. When the license certificate is not yet bound to a hardware address, the server 100 binds it to the current hardware address. When the license certificate is already bound, the server 100 determines whether the bound hardware address is the same as the current hardware address. When they are the same, the server 100 needs to do nothing further. When they differ, the server 100 sends confirmation information to the user terminal 200, and the user selects, through the user terminal 200, the single hardware address to bind. Each license certificate can be bound to only one user terminal 200, while one user terminal 200 can bind several license certificates.
Step S608, the dependency library corresponding to the target application is encrypted according to the public key to obtain an encrypted dependency library, and the encrypted dependency library is sent to the start module. The server 100 looks up the dependency library that corresponds to the target application and encrypts it with the corresponding public key, thereby obtaining the encrypted dependency library.
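The server-side bookkeeping for step S504 (key and license generation), for steps S204/S604 (verification) and for steps S206/S606 (binding, claim 3), as one added Go example written for this page rather than taken from the patent. Database 300 is an in-memory map; the license certificate format (128-bit random hex) and the type and function names are assumptions. The license credential is computed as SHA-256 over the public key, the alternative embodiment above, instead of the preferred MD5 over the private key: MD5 is no longer an acceptable digest, and a hash of the private key should not leave the server at all.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"log"
)

// LicenseRecord is one row of database 300: the license certificate (map key),
// the public key it was issued with and, once step S606 has run, the bound
// hardware address. The private key is not kept here; it travels only inside
// the container image (step S508).
type LicenseRecord struct {
	App          string // target application named in the request
	PublicKeyDER []byte // PKIX (DER) encoding of the public key
	HardwareAddr string // "" until the first successful start-module check-in
}

// Issued is the output of step S504 for one request.
type Issued struct {
	License    string          // license certificate; random hex is this example's choice
	Credential string          // license credential sent to the user with the certificate
	Private    *rsa.PrivateKey // packaged into the container image, never stored server-side
}

// Server holds the in-memory stand-in for database 300.
type Server struct{ db map[string]*LicenseRecord }

func NewServer() *Server { return &Server{db: map[string]*LicenseRecord{}} }

// Issue implements step S504: a fresh RSA key pair and license certificate for
// every request, plus a credential derived from the public key (SHA-256 here;
// the patent's preferred MD5-over-private-key variant is deliberately not used).
func (s *Server) Issue(app string) (*Issued, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	pubDER, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	license := hex.EncodeToString(raw)
	digest := sha256.Sum256(pubDER)
	s.db[license] = &LicenseRecord{App: app, PublicKeyDER: pubDER}
	return &Issued{License: license, Credential: hex.EncodeToString(digest[:]), Private: priv}, nil
}

// BindResult names the branch of steps S604/S606 (claim 3) that was taken.
type BindResult int

const (
	Rejected           BindResult = iota // unknown license, empty address or public key mismatch
	Bound                                // license had no hardware address; now bound to this one
	AlreadyBound                         // same hardware address as before; nothing to do
	ConfirmationNeeded                   // different hardware address; confirmation goes to the user terminal
)

// VerifyAndBind handles one start-module check-in (license certificate,
// public key, hardware address). The public-key comparison is constant-time;
// the patent's plain "consistency" check does not require that, but it costs nothing.
func (s *Server) VerifyAndBind(license string, pubDER []byte, hwAddr string) BindResult {
	rec, ok := s.db[license]
	if !ok || hwAddr == "" || subtle.ConstantTimeCompare(rec.PublicKeyDER, pubDER) != 1 {
		return Rejected
	}
	switch rec.HardwareAddr {
	case "":
		rec.HardwareAddr = hwAddr
		return Bound
	case hwAddr:
		return AlreadyBound
	default:
		return ConfirmationNeeded
	}
}

func main() {
	s := NewServer()
	iss, err := s.Issue("target-app")
	if err != nil {
		log.Fatal(err)
	}
	pubDER, _ := x509.MarshalPKIXPublicKey(&iss.Private.PublicKey)
	// Constructed hardware addresses for the demonstration.
	fmt.Println(s.VerifyAndBind(iss.License, pubDER, "02:00:00:00:00:01"))          // 1 (Bound)
	fmt.Println(s.VerifyAndBind(iss.License, pubDER, "02:00:00:00:00:01"))          // 2 (AlreadyBound)
	fmt.Println(s.VerifyAndBind(iss.License, pubDER, "02:00:00:00:00:02"))          // 3 (ConfirmationNeeded)
	fmt.Println(s.VerifyAndBind(iss.License, []byte("forged"), "02:00:00:00:00:01")) // 0 (Rejected)
}
```

The hardware address here is whatever the start module reports; a MAC address can be set by the client, so this binding limits casual copying rather than a determined attacker, which is the reason the patent also keeps the security module and the server-side policy.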
Please refer to fig. 7, which is a flowchart of a method for protecting source code of an application according to a third embodiment of the present invention. The method of the third embodiment is executed by the user terminal 200 and specifically includes the following steps.
Step S702, request information is sent. In this embodiment, the user sends the request information through the user terminal 200. The request information includes the target application, that is, the application the user wants to install or upgrade on the user terminal 200. Different users can request the same target application through different user terminals 200.
Step S704, the license certificate is received from the server. In this embodiment, the user terminal 200 also receives the license credential from the server 100.
Step S706, the license certificate is sent to the server. The user sends the license certificate through the user terminal 200 to request that the server 100 send the container image 40 to the user terminal 200.
Step S708, the container image corresponding to the license certificate is received. The container image 40 encapsulates the target application and the public key and private key corresponding to it. Because the container image 40 encapsulates the target application, the server 100 can look up the container image 40 that encapsulates the requested target application according to the license certificate and send it to the corresponding user terminal 200.
Step S710, the container image is started. In this embodiment, after the user terminal 200 receives the container image 40, the user starts the container image 40 through the user terminal 200. The container image 40 includes a start module 41 and an import module 42. The start module 41 is configured to obtain the encrypted dependency library corresponding to the target application according to the license certificate, the public key and the hardware address of the user terminal. The import module 42 is configured to decrypt the encrypted dependency library with the private key and load the decrypted dependency library into the memory of the start module. After the container image 40 is started, the related processes run automatically until the corresponding dependency library has been loaded into the memory of the start module 41. After loading is complete, the user can install the target application using the license credential.
Please refer to fig. 8, which is a schematic diagram of the internal structure of a server according to an embodiment of the present invention. The server 100 includes a communication module 10, a package management service module 20 and a container repository management service module 30. The communication module 10 is configured to receive the request information sent by the user terminal 200; the request information includes the target application. The package management service module 20 is configured to generate the public key, the private key and the license certificate corresponding to the target application according to the request information, and to send the license certificate to the user terminal 200 through the communication module 10.
The container repository management service module 30 includes an encapsulation module 31 and a distribution module 32. The encapsulation module 31 is configured to encapsulate the target application, the public key and the private key according to the request information to form a container image 40. The container image 40 includes a start module 41 and an import module 42. The start module 41 is configured to obtain the encrypted dependency library corresponding to the target application according to the license certificate, the public key and the hardware address of the user terminal. The import module 42 is configured to decrypt the encrypted dependency library with the private key and load the decrypted dependency library into the memory of the start module 41. The distribution module 32 is configured to send the container image 40 to the user terminal 200 according to the license certificate sent by the user terminal 200; the license certificate is received from the user terminal 200 through the communication module 10, and the container image 40 is sent to the user terminal 200 through the communication module 10.
The package management service module 20 includes a verification module 21, a binding module 22 and an encryption module 23. The verification module 21 is configured to perform verification according to the license certificate and the public key sent by the start module 41, both of which are received through the communication module 10. The binding module 22 is configured to bind the license certificate to the hardware address sent by the start module 41 when the license certificate and the public key pass verification; the hardware address is likewise received through the communication module 10. The encryption module 23 is configured to encrypt the dependency library corresponding to the target application with the public key to obtain an encrypted dependency library, which the communication module 10 sends to the start module 41.
In this embodiment, the package management service module and the container repository management service module provide security verification for the import and loading of the target application and its dependency library, so that the source code of the target application and its dependency library can be effectively protected from theft, tampering and attack. The container image and the server together form a remote import mode, for which the package management service module and the container repository management service module provide security guarantees, making remote import safer, more reliable and more practical. The target application and its dependency library in the container repository management service module are supplied by the corresponding supplier, so their security and validity are high.
It will be apparent to those skilled in the art that various changes and modifications may be made to the present invention without departing from its spirit and scope. Thus, insofar as these modifications and variations fall within the scope of the claims of the invention and their equivalents, the invention is intended to include them.
The above embodiments are only examples of the present invention and should not be construed as limiting its scope, which is defined by the claims.

Claims (6)

1. An application program source code protection method is characterized by comprising the following steps:
a user side sends request information, wherein the request information comprises a target application program;
the server receives the request information and generates a public key, a private key and a license certificate corresponding to the target application program according to the request information;
the server side sends the license certificate to the user side;
the server packages the target application, the public key and the private key into a container image, wherein the container image comprises a start module and an import module, the start module is used for obtaining an encrypted dependency library corresponding to the target application according to the license certificate, the public key and a hardware address of the user side, and the import module is used for decrypting the encrypted dependency library according to the private key and loading the decrypted dependency library into a memory of the start module;
the user side sends the license certificate to the server side;
the server receives the license certificate and sends the corresponding container image to the user side;
the user side receives the container image and starts the container image;
the start module sends the license certificate, the public key and the hardware address to the server;
the server side verifies the license certificate and the public key;
when the license certificate and the public key pass the verification, the server side binds the license certificate and the hardware address;
the server encrypts the dependency library corresponding to the target application according to the public key to obtain an encrypted dependency library, and sends the encrypted dependency library to the start module;
the start module receives the encrypted dependency library; and
the import module decrypts the encrypted dependency library according to the private key and loads the decrypted dependency library into the memory of the start module.
2. The application source code protection method of claim 1, wherein the container image further comprises a security module, and the method further comprises:
the security module monitors the container image and determines whether the container image is abnormal; and
when the container image is abnormal, the security module sends alarm information to the server.
3. The application source code protection method of claim 1, wherein the server binding the license certificate and the hardware address specifically comprises:
the server determines whether the license certificate is already bound to a hardware address;
when the license certificate is not bound to a hardware address, the server binds the license certificate to the current hardware address;
when the license certificate is already bound to a hardware address, the server determines whether the bound hardware address is the same as the current hardware address; and
when the bound hardware address is different from the current hardware address, the server sends confirmation information to the user side.
4. The application source code protection method of claim 1, wherein after the server receives the request information and generates the public key, the private key and the license certificate corresponding to the target application according to the request information, the method further comprises:
the server stores the license certificate and the public key in a database; and the server verifying the license certificate and the public key specifically comprises:
the server compares whether the license certificate and the public key in the database are consistent with the license certificate and the public key sent by the start module; and
when the license certificate and the public key in the database are consistent with the license certificate and the public key sent by the start module, the server determines that the license certificate and the public key pass verification.
5. An application source code protection method, executed on a server, comprising:
receiving request information from a user side, wherein the request information comprises a target application;
generating a public key, a private key and a license certificate corresponding to the target application according to the request information;
sending the license certificate to the user side;
packaging the target application, the public key and the private key into a container image, wherein the container image comprises a start module and an import module, the start module is used for obtaining an encrypted dependency library corresponding to the target application according to the license certificate, the public key and a hardware address of the user side, and the import module is used for decrypting the encrypted dependency library according to the private key and loading the decrypted dependency library into a memory of the start module;
determining whether a license certificate, a public key and a hardware address have been received from the start module;
when the license certificate, the public key and the hardware address are received, verifying the license certificate and the public key;
when the license certificate and the public key pass verification, binding the license certificate to the hardware address; and
encrypting the dependency library corresponding to the target application according to the public key to obtain an encrypted dependency library, and sending the encrypted dependency library to the start module.
6. A server, comprising a communication module, a package management service module and a container repository management service module, wherein the communication module is used for receiving request information sent by a user side, and the request information comprises a target application;
the package management service module is used for generating a public key, a private key and a license certificate corresponding to the target application according to the request information, and for sending the license certificate to the user side through the communication module, wherein the package management service module comprises:
a verification module used for performing verification according to the license certificate and the public key sent by a start module, wherein the license certificate and the public key are received from the start module through the communication module;
a binding module used for binding the license certificate to the hardware address sent by the start module when the license certificate and the public key pass verification, wherein the hardware address is received from the start module through the communication module; and
an encryption module used for encrypting the dependency library corresponding to the target application according to the public key to obtain an encrypted dependency library, which the communication module sends to the start module; and
the container repository management service module comprises:
an encapsulation module used for encapsulating the target application, the public key and the private key according to the request information to form a container image, wherein the container image comprises the start module and an import module, the start module is used for obtaining the encrypted dependency library corresponding to the target application according to the license certificate, the public key and a hardware address of the user side, and the import module is used for decrypting the encrypted dependency library according to the private key and loading the decrypted dependency library into a memory of the start module; and
a distribution module used for sending the container image to the user side according to the license certificate sent by the user side, wherein the license certificate is received from the user side through the communication module, and the container image is sent to the user side through the communication module.
CN202111567275.XA 2021-12-21 2021-12-21 Application program source code protection method and server Active CN113946799B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111567275.XA CN113946799B (en) 2021-12-21 2021-12-21 Application program source code protection method and server

Publications (2)

Publication Number Publication Date
CN113946799A CN113946799A (en) 2022-01-18
CN113946799B true CN113946799B (en) 2022-03-18

Family

ID=79339469

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111567275.XA Active CN113946799B (en) 2021-12-21 2021-12-21 Application program source code protection method and server

Country Status (1)

Country Link
CN (1) CN113946799B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105491062A (en) * 2015-12-30 2016-04-13 北京神州绿盟信息安全科技股份有限公司 Client software protection method and device, and client
CN112596740A (en) * 2020-12-28 2021-04-02 北京千方科技股份有限公司 Program deployment method and device

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20200028848A1 (en) * 2017-08-11 2020-01-23 Nutanix, Inc. Secure access to application instances in a multi-user, multi-tenant computing environment
CN110222517B (en) * 2019-05-13 2023-04-18 深圳电通信息技术有限公司 Cloud software management method and system for charging according to needs
CN111324421B (en) * 2020-02-18 2023-04-07 支付宝(杭州)信息技术有限公司 Container mirror image providing method, loading method, related equipment and system
CN112751825B (en) * 2020-12-07 2022-09-16 湖南麒麟信安科技股份有限公司 Software source issuing authority control method and system based on SSL certificate
CN112966227A (en) * 2021-02-04 2021-06-15 南方电网深圳数字电网研究院有限公司 Code encryption and decryption method and device and storage medium
CN113360857A (en) * 2021-08-10 2021-09-07 支付宝(杭州)信息技术有限公司 Code starting method and system for software

Also Published As

Publication number Publication date
CN113946799A (en) 2022-01-18

Similar Documents

Publication Publication Date Title
CN109522726B (en) Authentication method for applet, server and computer readable storage medium
US8799647B2 (en) Systems and methods for application identification
CN102891843B (en) Method for authorizing application program at android client side through local service unit
JP2003330365A (en) Method for distributing/receiving contents
CN111108735A (en) Asset update service
CN112019566A (en) Data transmission method, server, client and computer storage medium
CN111460410A (en) Server login method, device and system and computer readable storage medium
CN106549757B (en) Data authenticity identification method of WEB service, server and client
CN112311769A (en) Method, system, electronic device and medium for security authentication
CN117155716B (en) Access verification method and device, storage medium and electronic equipment
US8355508B2 (en) Information processing apparatus, information processing method, and computer readable recording medium
CN110619194B (en) Upgrade package encryption and decryption methods and devices
CN117579338A (en) Method for processing streaming media file and related equipment
KR20090054774A (en) Method of integrated security management in distribution network
CN111953477B (en) Terminal equipment, generation method of identification token of terminal equipment and interaction method of client
JP2008176741A (en) Client terminal, service providing server, service providing system, control method, and service providing method
CN113946799B (en) Application program source code protection method and server
US7330982B1 (en) Secured automated process for signed, encrypted or validated content generation
CN114745115A (en) Information transmission method and device, computer equipment and storage medium
CN113031973A (en) Download installation method of paid vehicle-mounted application
CN112437923A (en) Information processing device, information processing method, information processing program, and information processing system
CN106953728B (en) Data transmission method and electronic equipment
CN115242440B (en) Block chain-based internet of things equipment trusted calling method, device and equipment
KR20150074128A (en) Method for downloading at least one software component onto a computing device, and associated computer program product, computing device and computer system
CN117828561B (en) Method, device, system and storage medium for safely burning chip firmware data

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address

Address after: 518049 Floor 25, Block A, Zhongzhou Binhai Commercial Center Phase II, No. 9285, Binhe Boulevard, Shangsha Community, Shatou Street, Futian District, Shenzhen, Guangdong

Patentee after: Shenzhen Youjia Innovation Technology Co.,Ltd.

Address before: 518049 401, building 1, Shenzhen new generation industrial park, No. 136, Zhongkang Road, Meidu community, Meilin street, Futian District, Shenzhen, Guangdong Province

Patentee before: SHENZHEN MINIEYE INNOVATION TECHNOLOGY Co.,Ltd.