EP1979848A1 - Procédé et dispositif pour identifier une copie piratée - Google Patents
Procédé et dispositif pour identifier une copie piratéeInfo
- Publication number
- EP1979848A1 EP1979848A1 EP06793013A EP06793013A EP1979848A1 EP 1979848 A1 EP1979848 A1 EP 1979848A1 EP 06793013 A EP06793013 A EP 06793013A EP 06793013 A EP06793013 A EP 06793013A EP 1979848 A1 EP1979848 A1 EP 1979848A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- document
- software
- procedure
- writing
- characteristic parameters
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Links
- 238000000034 method Methods 0.000 title claims abstract description 137
- 238000001514 detection method Methods 0.000 title description 2
- 230000008859 change Effects 0.000 claims abstract description 25
- 230000002596 correlated effect Effects 0.000 claims description 9
- 230000000875 corresponding effect Effects 0.000 claims description 3
- 230000008569 process Effects 0.000 abstract description 14
- 230000006399 behavior Effects 0.000 description 6
- 238000011161 development Methods 0.000 description 5
- 230000018109 developmental process Effects 0.000 description 5
- 230000006870 function Effects 0.000 description 4
- 238000010586 diagram Methods 0.000 description 3
- 238000007619 statistical method Methods 0.000 description 2
- 230000003542 behavioural effect Effects 0.000 description 1
- 230000015572 biosynthetic process Effects 0.000 description 1
- 230000000052 comparative effect Effects 0.000 description 1
- 230000001419 dependent effect Effects 0.000 description 1
- 238000011156 evaluation Methods 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 230000009467 reduction Effects 0.000 description 1
- 230000007306 turnover Effects 0.000 description 1
- 230000000007 visual effect Effects 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
Definitions
- the invention relates to a method according to claim 1 and a device according to claim 6.
- the invention is based on the object of specifying a method and a device with which an at least partial copy of a second software is detected in a first software, wherein the method and the device is both robust against changes of the copy as well as existing software applicable ,
- This method makes it possible to prove a pirated copy of a second software or parts of a second software in a first software by recording characteristic parameters during the respective execution.
- the correlation value it is possible, despite changes in the first software compared to the second software, to recognize the pirated copy because the correlation value describes a similarity between two sections of the first and the second software.
- no changes are required in the first or second software since the recording or recording of the characteristic parameters can be carried out by means of a standalone program which evaluates functions of the operating system. Thus, even existing software can be examined for pirated copies.
- a value of the parameter group and / or an export time of the Used procedure change.
- specific behavioral properties of the procedure instance to be invoked and / or invoked can be accurately analyzed.
- a time chart can be created indicating when the procedure change occurred.
- a plurality of sections of the second document are correlated with the associated characteristic parameters with at least a portion of the first document and, as a result, an associated correlation value is formed for each correlated section of the second document and a copy displayed if a plurality of the correlation values are greater than a respective threshold is.
- a reduction in a rate of erroneously detected pirate copies can be achieved because more than one correlation value is considered for determining whether piracy or not piracy.
- Threshold and the other correlation values are each greater than a second threshold. This alternative also makes it possible to reduce pirated copies erroneously detected.
- the invention also relates to a device for detecting a pirated copy, in which a first software comprises a copy of at least part of a second software, with
- a second means for executing the second software wherein during a write and / or read operation of a parameter group of a procedure instance to and / or from a stack memory, at least one parameter characteristic of this writing and / or reading operation in a time sequence for an occurrence of the writing and / or reading operations is recorded in a second document;
- the method can be implemented and executed.
- the method or the device can be implemented as hardware, as software running on a processor or as a combination of hardware and software.
- Figure 1 is a program flow of a software in which a plurality of procedure units are called
- Figure 2 shows an occupancy of a stack during a
- FIG. 3 is a flow chart of an embodiment
- Figure 5 shows an apparatus for performing the method for detecting a pirated copy.
- FIGS. 1 to 5 Elements with the same function and mode of operation are provided in FIGS. 1 to 5 with the same reference numerals.
- FIG. 1 shows a program sequence of a software.
- the software is in the form of a sequence of machine instructions and is executed, for example, on a microprocessor or a digital signal processor.
- This software The machine commands could be created by compiling and linking a C program using a development package, such as Microsoft Visual Studio.
- the software can be divided into several procedure instances PI. Within each procedure instance PI, machine instructions are executed sequentially. In doing so, other procedure instances are called during or at the end of the respective procedure instance, i. a procedure change takes place. These calls cause data, such as register contents of the microprocessor, to be read from or written to a stack.
- a second procedure instance PI2 is called during the course of a first procedure instance PI1.
- the register contents of the microprocessor are written to the stack memory SP by means of the write operation SV at the time before the procedure change.
- values of local variables of the first procedure instance PI1 can also be stored on the stack.
- a parameter group PG of the procedure instance PI, PIl is written to or read from the stack SP.
- the parameter group PG includes the register contents and local variables of the first procedure instance PIl.
- the first procedure instance PIl represents a calling procedure instance and the second procedure instance PI2 represents a called procedure instance.
- the individual machine instructions of the second procedure instance are processed.
- the program flow returns to the first procedure instance PIl.
- the data stored at the time of the procedure change from the first to the second procedure instance are read from the stack memory SP by means of the read operation LV.
- These read data include, for example, register contents which are written to the corresponding registers of the microprocessor or also contents of local data which are assigned to the local variables of a procedure instance PI1.
- a third procedure instance PI3 will be referred to in the following.
- a write operation SV according to the above description takes place.
- a fourth procedure instance PI4 is called, whereby again a writing process SV is executed.
- the third process instance PI3 is jumped back, wherein a read operation is carried out.
- This third procedure instance PI3 is continued until its end and then, with the aid of another read operation, the first procedure instance PI1 is called.
- the data belonging to the respective procedure instances are written to the stack SP or read from the stack SP.
- FIG. 2 a level diagram with the level F of the stack SP as a function of the flow of the software, that is, depending on the executed procedure instances reproduced.
- the fill level F is indicated, for example, in bytes, with each graduation mark of the fill level F in FIG. 2 corresponding to 100 bytes in each case.
- 250 bytes are written to the stack memory.
- the 250 bytes are read from the stack.
- the procedure is analogous.
- the filling level diagram of the stack it can be seen that during a writing process the filling level of the stack increases, whereas in a reading process the filling level is reduced.
- the method according to the invention detects characteristic parameters CP1,..., CP4 for those execution times AZ at which a procedure change takes place.
- These characteristic parameters represent specific properties of the calling and / or the called procedure instance.
- the characteristic parameters may, for example, correspond to one or more values of the parameter group PG, such as a specific register content.
- a characteristic parameter can also be generated from a summary or evaluation of the parameter group PG detected for the procedure change.
- a first characteristic parameter CP1 can correspond to a number of bytes of all local variables of the calling procedure instance PI1.
- 250 bytes were written to the stack memory during the procedure change from PI1 to PI2.
- These 250 bytes comprise, for example, 64 bytes, which include the register values, and 186
- a detection of the parameter group PG is realized, for example, that when calling a function of the software that performs the read or write LV, SV, data of the calling and / or the called procedure instance, that is, the parameter group, are detected. Furthermore, in the context of carrying out the method, only a part of the parameter group or else information that is obtained by evaluating one or more data of the parameter group can be generated. The data or information obtained during a reading or writing process is stored in a document for later processing. Furthermore, it is useful in practice to log the execution time of the acquisition of this information or data for each stored information or stored data. In general, these information, which can be assigned to a procedure change, are referred to as characteristic parameters CP1,..., CP4.
- FIG. 3 shows a flow diagram for one exemplary embodiment.
- a first document D1 for the first software S1 is generated with the aid of the first step X1.
- at least one first characteristic parameter CP1 for the procedure change in the first document D1 is detected in the first step X1.
- the first document may include the level F of the stack SP over the time of executing the first software. This has already been explained in more detail with reference to FIG.
- the first document can display level F over time in the following way:
- Level F 0 250 0 400 The first line of this table indicates the execution times AZ over the time T, for example in milliseconds ms.
- the second line reflects the level of the stack in bytes.
- the level contains between 0 and 40 ms 0 bytes, between 40 and 80 ms 250 bytes etc.
- a second document D2 is generated for the second software S2.
- the procedure is analogous to the first step Xl.
- the representation of the second document D2 is analogous to the first document D1.
- a third step X3 at least one section of the second document D2 is correlated by at least one characteristic parameter CP1 of at least one section of the second document D2
- Document Dl formed a correlation value KW.
- the correlation value KW indicates to what extent correlated sections of the first and second documents D1, D2 are similar.
- An exemplary procedure of the third step for forming the correlation value KW is explained in more detail below with reference to FIG.
- FIG. 4A shows the progression of the fill level of the stack during execution of the first software over time T. This history is stored in the first document.
- FIG. 4B shows a further course of the stack when executing the second software S2. This history is stored in the second document.
- a first section Al is selected in the course of the filling level F from FIG. 4A. This selected first section Al is shown in FIG. 4C. Within the course of the filling level, which results when executing the second software S2, see FIG.
- this first section A1 is now searched for.
- statistical methods are familiar to a person skilled in the art with the aid of which the course of the fill level of the first section Al can be correlated with the fill level profile of FIG. 4B.
- a high correlation value results at the time T 1.
- correlation values that are 0 or small result.
- the correlation value KW exceeds a predefinable threshold value SW at the first time Tl.
- a fourth step at least one correlation value KW generated in the third step X3 is compared with a predefinable threshold value SW. If the correlation value KW is greater than the threshold value SW, the flowchart in the path J is continued. In this path, in a fifth step X5, for example, a user is notified that a correlation value greater than the threshold has been found. This means that at least part of the first software could be found in the second software S2 and thus at least parts of the first software were copied from the second software, i. a pirated copy has thus been discovered. The fifth step is then ended in the END state.
- a portion of the course of the fill level of the stack when exporting the first software was compared with the course of the level during the export of the second software.
- a section to be compared can also be used from the full-level profile of the second software instead of from the full-level profile of the first software. This is shown by way of example with a second section A2 in FIG. 4B.
- at least a similarity of a portion of the first and second documents in the second or first document is sought.
- the fill level of the stack has been used over the execution time of the respective software.
- characteristic parameters CP1,..., CP4 can be used, which characterize a procedure change.
- a number of variables of the called procedure instance, a number of bytes of variables of the called procedure instance, a number of local variables of a calling procedure instance, a number of local caller instance local variables, or a number of bytes of the local variables of the calling procedure instance are considered as characteristic parameters.
- an indication can be used which indicates whether the procedure change corresponds to a recursive call or the respective memory addresses of the called and / or the procedure instance to be called are used.
- the correlation value describes a correlation of a plurality of characteristic parameters, which are correlated separately, for example, and linked to a correlation value by means of a weighted addition.
- Those skilled in the art are further statistical methods for performing correlations with one or more Reren characteristic parameters known, so that will not be discussed further. If a plurality of correlation values ⁇ KWl, KW2, KW3 used, so a pirated copy is ⁇ is shown, if a plurality of correlation values respectively GRO SSER than an associated threshold value. Next Zah ⁇ lenbeispiel illustrates this:
- a pirated copy is already detected if at least one of the correlation values is greater than the associated threshold value. For the 2 examples mentioned in the above paragraph, this means that a pirated copy is detected for each example.
- a selection of the threshold (s) SW, Sl, ..., SW3 depends on the following aspects:
- the respective threshold near the maxima ⁇ len correlation value is selected. It should be noted that small changes, eg due to changes in machine instructions in sections or for runtime fluctuations during the Ausbowens the first and second software, a low correlation value that is a cu ⁇ engined similarity yields and thus copied sections or the Pirated copy is not detected.
- a low threshold SW is selected as the maximum correlation value, pirate copies can be detected even if changes occur in the runtime behavior of the sections of the first and second software. If the threshold is set too low, then cuts are recognized as copies that are not copies.
- a concrete threshold value SW depends, for example, on the runtime behavior of a computer on which the first and second software are executed. If the computer uses a multitasking operating system, changes in the runtime behavior can occur, so that in this case a lower threshold value has to be set than with a real-time operating system.
- Figure 5 shows an embodiment of the device in the form of a device G, which is designed for example as a portable device in a Mobilfunkgerat or as stationary operated device.
- the device G has a first means M1, with which the first software S1 is executed.
- characteristic parameters are recorded in a first document D1.
- the second means M2 the second software S2 is executed.
- characteristic parameters are recorded in a write and / or read operation of the parameter group of a procedure instance in a second document D2.
- the second document can be read or written by means of the connection network X.
- One or more correlation values KW1,..., KW3 are recorded in the third means M3 on the basis of the acquired information of the first and the second document.
- correlation values are compared in the fourth means M4 with one or more predefinable threshold values SW1,..., SW4. Should one or more correlation values be greater than the respective threshold value, then with the aid of the fifth means M5 the presence of the copy, that is, at least portions of the first software with portions of the second software are almost or identical, are displayed.
- This display can be reproduced, for example, for a user on a display DD.
- the means Ml, ..., M5, the first and second document Dl, D2, the stack SP and the display DD are connected to each other via the connection network X for the exchange of information and data.
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Multimedia (AREA)
- Technology Law (AREA)
- Virology (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Debugging And Monitoring (AREA)
- Storage Device Security (AREA)
Abstract
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE102006004240A DE102006004240A1 (de) | 2006-01-30 | 2006-01-30 | Verfahren und Vorrichtung zum Nachweis einer Raubkopie |
PCT/EP2006/065680 WO2007085308A1 (fr) | 2006-01-30 | 2006-08-25 | Procédé et dispositif pour identifier une copie piratée |
Publications (1)
Publication Number | Publication Date |
---|---|
EP1979848A1 true EP1979848A1 (fr) | 2008-10-15 |
Family
ID=37671191
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP06793013A Ceased EP1979848A1 (fr) | 2006-01-30 | 2006-08-25 | Procédé et dispositif pour identifier une copie piratée |
Country Status (4)
Country | Link |
---|---|
EP (1) | EP1979848A1 (fr) |
CN (1) | CN101517585B (fr) |
DE (1) | DE102006004240A1 (fr) |
WO (1) | WO2007085308A1 (fr) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104424402B (zh) * | 2013-08-28 | 2019-03-29 | 卓易畅想(北京)科技有限公司 | 一种用于检测盗版应用程序的方法及装置 |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6971019B1 (en) * | 2000-03-14 | 2005-11-29 | Symantec Corporation | Histogram-based virus detection |
US6973577B1 (en) * | 2000-05-26 | 2005-12-06 | Mcafee, Inc. | System and method for dynamically detecting computer viruses through associative behavioral analysis of runtime state |
JPWO2002082280A1 (ja) * | 2001-04-05 | 2004-07-29 | イーディーコントライブ株式会社 | 不正複製アプリケーションプログラム実行防止方法、そのプログラム、そのプログラム記録装置、および、そのプログラム記録媒体 |
US7346780B2 (en) * | 2002-04-03 | 2008-03-18 | Microsoft Corporation | Integrity ordainment and ascertainment of computer-executable instructions |
US7287159B2 (en) * | 2004-04-01 | 2007-10-23 | Shieldip, Inc. | Detection and identification methods for software |
-
2006
- 2006-01-30 DE DE102006004240A patent/DE102006004240A1/de not_active Withdrawn
- 2006-08-25 CN CN200680052033.4A patent/CN101517585B/zh not_active Expired - Fee Related
- 2006-08-25 WO PCT/EP2006/065680 patent/WO2007085308A1/fr active Application Filing
- 2006-08-25 EP EP06793013A patent/EP1979848A1/fr not_active Ceased
Non-Patent Citations (1)
Title |
---|
"Immer unterwegs", INTERNET CITATION, 1 April 2005 (2005-04-01), XP007912770, Retrieved from the Internet <URL:http://www.linux-magazin.de/Heft-Abo/Ausgaben/2005/04/Auf-der-Pirsch/ (offset)/4> [retrieved on 20100421] * |
Also Published As
Publication number | Publication date |
---|---|
CN101517585A (zh) | 2009-08-26 |
DE102006004240A1 (de) | 2007-08-09 |
WO2007085308A1 (fr) | 2007-08-02 |
CN101517585B (zh) | 2012-10-10 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
DE69918334T2 (de) | Erzeugung von kompilierten programmen für interpretative laufzeitumgebungen | |
DE3750515T2 (de) | Verfahren zur Zugriffssteuerung einer Datenbasis. | |
DE69831708T2 (de) | Effiziente Erkennung von Computerviren und andere Dateneigenschaften | |
DE69610905T2 (de) | Verfahren zum schutz von ausführbaren softwareprogrammen gegen infektion durch softwareviren | |
DE10050684B4 (de) | Verfahren und System zur periodischen Ablaufverfolgung für Aufrufsequenzen zwischen Routinen | |
DE69609980T2 (de) | Verfahren und system zur erkennung von polymorphen viren | |
DE69230450T2 (de) | Programmverarbeitungssystem und -verfahren | |
DE69909945T2 (de) | Verfahren und Anordnung zur Korrelation von Profildaten dynamisch erzeugt durch ein optimiertes ausführbares Programm mit Quellcodeanweisungen | |
DE3121599A1 (de) | Verfahren und schaltungsanordnung zum verdecken von fehlern in einem digitalen videosignal | |
DE19959758A1 (de) | Bestimmung der Art und der Genauigkeit von lokalen Variablen bei vorhandenen Subroutinen | |
DE69126057T2 (de) | Ein Informationsverarbeitungsgerät mit einer Fehlerprüf- und Korrekturschaltung | |
DE69930143T2 (de) | Extrahieren von zusatzdaten in einem informationssignal | |
DE10234736A1 (de) | System und Verfahren zum Synchronisieren von Mediendaten | |
DE69905776T2 (de) | Sprachenverarbeitungsverfahren mit geringem Aufwand und Speicherbedarf bei der Profildatensammlung | |
DE10240883A1 (de) | Verfahren zum Erfassen eines unbegrenzten Wachstums verketteter Listen in einer laufenden Anwendung | |
DE69721887T2 (de) | Koordinatenleser, Zustandsumwandlungsverfahren, Interfacegerät und zugehöriges Koordinaten-Lesesystem | |
DE102006029138A1 (de) | Verfahren und Computerprogrammprodukt zur Detektion von Speicherlecks | |
DE3850444T2 (de) | Progammverwaltungsverfahren für verteilte Verarbeitungssysteme und angepasste Vorrichtung. | |
EP1067460A1 (fr) | Support de données avec des données restaurables de base à l'état initial et procédé pour sa fabrication | |
DE102018214541A1 (de) | Verfahren und vorrichtung zum abbilden von single-static-assignment-anweisungen auf einen datenflussgraphen in einer datenflussarchitektur | |
EP1979848A1 (fr) | Procédé et dispositif pour identifier une copie piratée | |
DE102021204550A1 (de) | Verfahren zum Erzeugen wenigstens eines Datensatzes zum Trainieren eines Algorithmus maschinellen Lernens | |
DE1965507A1 (de) | Verfahren zum Wiederauffinden gespeicherter Informationen | |
WO2003094093A2 (fr) | Comparaison de protocoles de traitement | |
WO2007009859A1 (fr) | Procede pour exporter des droits d'utilisation sur des objets de donnees electroniques |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
17P | Request for examination filed |
Effective date: 20080707 |
|
AK | Designated contracting states |
Kind code of ref document: A1 Designated state(s): DE FR GB IT SE |
|
17Q | First examination report despatched |
Effective date: 20081107 |
|
DAX | Request for extension of the european patent (deleted) | ||
RBV | Designated contracting states (corrected) |
Designated state(s): DE FR GB IT SE |
|
APBK | Appeal reference recorded |
Free format text: ORIGINAL CODE: EPIDOSNREFNE |
|
APBN | Date of receipt of notice of appeal recorded |
Free format text: ORIGINAL CODE: EPIDOSNNOA2E |
|
APBR | Date of receipt of statement of grounds of appeal recorded |
Free format text: ORIGINAL CODE: EPIDOSNNOA3E |
|
APAF | Appeal reference modified |
Free format text: ORIGINAL CODE: EPIDOSCREFNE |
|
RAP1 | Party data changed (applicant data changed or rights of an application transferred) |
Owner name: UNIFY GMBH & CO. KG |
|
REG | Reference to a national code |
Ref country code: DE Ref legal event code: R003 |
|
APBT | Appeal procedure closed |
Free format text: ORIGINAL CODE: EPIDOSNNOA9E |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE APPLICATION HAS BEEN REFUSED |
|
18R | Application refused |
Effective date: 20150316 |