JP2002132364A - Method for protecting program from internal analysis, computer readable recording medium and program distribution method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide technique for protecting a program from an internal analysis. SOLUTION: This technique consists of a step in which a code for mounting a virtual machine for performing a virtual operation code is generated, a step in which the source code of the program is converted into a virtual object code composed of the virtual operation code, a step in which the virtual object code is enciphered and a step in which a code for decoding the enciphered virtual object code is generated.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

The present invention relates to a method for protecting a program from internal analysis, a computer-readable recording medium, and a method for distributing a program.

[0002]

2. Description of the Related Art Most of the software released to date has implemented only weak protection technology, and is very vulnerable to a system analysis attack. A key maker that can be easily analyzed by crackers to bypass the user authentication part, or to generate a user authentication key by analyzing an algorithm, has been developed and distributed on the Internet. Special algorithms are often reverse engineered by competitors.
Also, when the server enters the server from the outside, it is highly possible that not only the data but also the processing performed inside the program is analyzed.

[0003] In particular, in the case of software for generating encryption, no matter how strong the encryption is, if the program is analyzed and the key is taken out, it becomes completely meaningless.
The algorithm used to encrypt the data should also be concealed without any hassle. In particular, this security is required for electronic commerce.

[0004] A technology that is resistant to internal analysis and alteration of this software is a tamper-resistant technology.
Software technology (tamper resistant software). Tamper resistant is a technique for encrypting a confidential program part itself. Of course, it is also possible to encrypt a confidential part of general application software.

[0005]

At present, research on tamper resistant software technology, that is, technology for preventing unauthorized analysis of programs, has not been advanced.
Software companies generally defend themselves in the following ways:

First, there is a method of hiding a secret element in a target program. In other words, this is a method in which an important element portion of a program is finely divided and dispersed in the program to make it difficult to find its existence. Further, not only programs but also system memories are similarly distributed. In this case, there is an advantage that each programmer can easily implement the program using only the existing development language.

However, the concealed program portion is likely to be exposed by software for reverse engineering or software ICE (software for analyzing the internal operation of the program). In fact, most package software on the market has been analyzed. This method does not provide sufficient protection.

Next, there is a method of making the processing in the target program difficult to understand. That is, the software is constructed so that the execution order is not determined only by the program.

For example, there is a method of utilizing a clock function of a computer at the time of execution and changing an operation algorithm according to the time. In addition, self-modification function (Self M
odifying) or self-decryption function (Self Decryptin)
The method according to g) is also taken. This is a mechanism that operates while rewriting the program itself at the time of execution. In particular, the latter is extremely difficult to analyze because it rewrites itself and executes it while decrypting the encrypted program. Therefore, if a complicated encryption code is applied, the analysis becomes extremely difficult.

[0010] However, since a general mounting method is not provided, a programmer individually takes time to cope. In particular, software having a self-decryption function is difficult to construct, and therefore requires a great deal of labor. There are very few examples of software that is actually distributed that uses this method for protection. There is also a problem that if the whole is encrypted, a problem of execution speed occurs.

Further, there is a case where protection is provided by providing a self-diagnosis function. That is, a process of always checking the validity of the self program and not executing the program if the program has been modified is implemented. this is,
Easy to implement.

However, this method cannot be used to conceal internal algorithms. Therefore, once the implementation of the self-diagnosis function is analyzed, the main body can be easily executed normally by avoiding the routine for performing the self-diagnosis.

Finally, as means for distributing package software through a network or the like, means for encrypting the archive file itself containing the program is taken. It is a mechanism that only a licensed user can open the archive and execute the program,
This has a major problem. When the archive is unlocked, there is no difference from a normal program, and the internal analysis of the program can be freely performed. Furthermore, if the archive is distributed in an unpacked state, it can be executed without a license.

A method has been devised which takes this one step further and encrypts the entire program body, decrypts it in a startup routine, and then executes it. In this case, although the security is higher than the method of encrypting the whole package, the executable is resident in the memory after the decryption is completed, so that it cannot defend against analysis such as ICE.

[0015] Most of the actual package software takes the first method of hiding the secret element in the target program. The software "AirCraft" created in the past by the inventor was a relatively large program with more than 30,000 users and 220,000 steps S. Developed to execute while performing cooperative operation by thread execution. Nevertheless, it was parsed in earlier versions.

It has been found that no matter how finely dividing the processing, it is impossible to counter reverse engineering such as disassembly. In addition, it goes without saying that a lot of cracking methods and passwords of package software are flowing on the Internet.

Accordingly, the present invention has been made to solve the above-mentioned conventional problems, and has as its object to protect a program from internal analysis, a computer-readable recording medium, and difficulties in internal analysis. Is to provide a simple distribution method of the program.

[0018]

A first aspect of the present invention is a step of generating code for implementing a virtual machine for executing a virtual operation code, and converting a source code of a program into a virtual operation code comprising the virtual operation code. A method is provided for protecting a program from internal analysis, comprising the steps of: converting an object code into an object code; encrypting the virtual object code; and generating a code for decrypting the encrypted virtual object code.

A second aspect of the present invention provides a method according to the first aspect, wherein the program is created in a high-level language, and the program is protected from internal analysis.

According to a third aspect of the present invention, in the second aspect, the encrypted virtual object code includes a code for mounting the virtual machine and a code for decrypting the encrypted virtual object code. A method is provided for protecting a program that is statically linked as object code from internal analysis.

According to a fourth aspect of the present invention, in the second aspect, a non-encrypted non-encrypted object code is used as a source code different from a source code to be converted into a virtual object code comprising the virtual operation code. And protecting the program from internal analysis, further comprising the steps of: linking the encrypted virtual object code and the non-encrypted object code.

According to a fifth aspect of the present invention, there is provided a method for protecting a program from internal analysis, wherein the non-encrypted object code comprises a native code.

According to a sixth aspect of the present invention, in the second aspect, the code for decrypting the encrypted virtual object code protects a program characterized by being implemented by the virtual operation code from internal analysis. Provide a way.

According to a seventh aspect of the present invention, there is provided a code for implementing a virtual machine for executing a virtual operation code,
Provided is a computer-readable recording medium for storing an encrypted virtual object code obtained by encrypting a virtual object code composed of the virtual operation code, and a program protected from internal analysis composed of a code for decrypting the encrypted virtual object code. I do.

[0025] The present invention relates to a method for distributing a program in a state capable of being protected from internal analysis, wherein the program is obtained by encrypting a virtual object code consisting of a virtual operation code executable by a virtual machine. A method for distributing a program characterized by comprising encrypted virtual object code is provided.

According to one aspect, the encryption code development environment according to the present invention can be said to encrypt not the data but the processing content itself. Such techniques and research are still largely untouched, so to speak, unexplored fields. An example of a typical procedure of actual encryption is as follows.

(I) A process to be encrypted is described in a portable language, for example, an ANSI C language. This may be the whole program or only a part.

(Ii) Compiling with a virtual C compiler,
Obtain a virtual object code by a virtual operation code.

(Iii) Encrypt the virtual operation code using the encryptor.

(Iv) The encrypted code and the encrypted code execution environment (virtual machine library) are converted into virtual object code corresponding to the target platform by using a virtual object code generator.

(V) Link the virtual object code with other native program parts using a link editor that can be used on the target platform to obtain an execution image.

[0032]

DESCRIPTION OF THE PREFERRED EMBODIMENTS First, to create software protected by the software analysis protection method according to the embodiment of the present invention, it is necessary to create a virtual machine. In particular, this virtual machine is basically created independent of the model. As the virtual machine, a Java virtual machine is well known. It consists of an intermediate code called "byte code" (Ja
A virtual computer that interprets and executes programs (created in va language).

The virtual machine code of the present invention will be referred to in more general terms as a virtual operation code. One of the differences between an ordinary computer and a virtual computer is that an operation set of a model-independent virtual machine performs a standard procedure for linking with a native code such as an OS basic function corresponding to the model-dependent part. There are points that include operations for.

In the case of the Java virtual machine, the instruction set architecture of the virtual machine is disclosed, and the configuration does not consider reverse engineering. Therefore, analysis can be easily performed as it is, and in fact, analysis utilities such as decompilers have been developed. In a preferred embodiment of the present invention, different virtual machines are included in respective execution files, and the analysis is difficult by keeping the virtual machines themselves private. However, the virtual machine itself can be basically used even if it is mounted by a conventional method, and does not constitute the most essential feature of the present invention, so that the details are omitted. As a reference book of a specific example of the implementation of the virtual machine, for example, “Ti
m Lindholm and Frank Yellin, "The Java Virtual Mac
hine Specification, "ADDISON-WESLEY (1996), ISBN 0
-201-63452-X ".

FIG. 2 shows an example of the virtual operation code of the virtual machine implemented by the present inventor. This is Pa
It is defined with reference to the scal P4 processor, and corresponds to the general stack type bytecode operator. However, if a set of virtual operation codes that are difficult to analyze is created in consideration of reverse engineering, a system that is more resistant to reverse engineering is realized. Since the virtual operation code is designed independently of the language, C / C ++ or BAS
It is possible to prepare a compiler for each language such as an IC. The present inventor has already developed a virtual C compiler, assembler and linker.

The virtual operation code of the virtual machine of the present invention is greatly different from a general virtual operation code in that the virtual operation code may be a one-time operation code. In other words, in situations where many compilers are developed, sold, and used, such as the Java Virtual Machine,
Changing the virtual operation code of a virtual machine is confusing. Rather, immutability is a prevalent factor on many platforms.

In the present invention, the virtual operation code may be changed. Rather, constantly changing is preferable in terms of confidentiality. Specifically, the correspondence between the virtual operation and the virtual operation code may be simply redefined. In that case, the virtual machine may be recompiled with the redefined virtual operation code. Also, create multiple virtual machines, and for each copy,
Another virtual machine may be used. Even if a tool for disassembling the code appears, the damage will be very limited and the willingness to disassemble will be suppressed.

In other words, even if the code 12h means addition in one version, it is changed to a jump instruction in another version. For that purpose, the definition of the virtual operation code may be easily replaced in the implementation of the virtual machine. Also, the implementation of a portion for decrypting the encryption of the virtual operation code, which will be described later, may be such that the encryption key portion can be flexibly redefined.

Hereinafter, embodiments of the present invention will be described more specifically with reference to the drawings. FIG. 1 is a block diagram illustrating a software analysis protection method according to an embodiment of the present invention. It is assumed that a processing system such as a parser, a preprocessor, a compiler (virtual compiler), and a virtual link editor for creating a virtual machine and a file executable on the virtual machine is implemented in advance.

First, source code 1 is created in a high-level language. As a high-level language, a general portable language can be used, but the present inventor has proposed a processing system (virtual C language) for C language.
Compiler, virtual assembler, etc.).
It is also possible to create the source code 1 in a low-level language. In this case, only the virtual assembler is used.

The source code 1 is a part of the entire program (functions, routines, etc.) which is required to be highly confidential or the whole program is analyzed. Refers only to the part. Specifically, there is a password authentication routine and the like. Of course, depending on the size of the program and its potential in the future, it is possible to handle the entire source code. The remaining elements constituting the program are handled in step S4 described later, but are compiled by a conventional development method.
This part is basically model independent.

In step S1, the source code is compiled by a virtual compiler to obtain an execution code 3 including a virtual object code of the virtual machine, that is, a virtual operation code of the virtual machine. In this specification, this is called a virtual object code. On the other hand, an object code including an actual computer operation code is referred to as a real object code in this specification. Step S1 is also basically model-independent.

Next, in step S2, the virtual object code 3 is encrypted with an encryptor to obtain an encrypted virtual object code 5. This encryptor
It may be implemented by a general encryption algorithm. For example, a secret key cryptosystem such as DES or FEAL, a public key cryptosystem using prime factorization or an elliptic curve,
Alternatively, both may be used in combination. This part is also basically model independent.

Steps S1 and S2 can be performed simultaneously by integrating the compiler and the encryptor. However, separating the compiler and the encryptor makes it easy to upgrade the encryption method. Also, the front end compiler is BASIC
Quick support for multiple languages such as compilers

Here, step S2 is performed by an encryptor prepared as a back end at the position of the post-optimizer in the processing system, so that the programmer does not need to be particularly conscious of encryption.

Next, in step S3, the encrypted virtual object code 5 is linked with the virtual machine library (VM library) and the decryption routine library 7, and the real object code 9 including the encrypted virtual object code is linked. obtain. Here, the decryption routine library forms a pair with the above-described encryptor, and is a utility library for decrypting the content encrypted by the encryptor. The real object code 9 includes the encrypted virtual object code 5 and can be executed in a native environment, thereby constructing and decrypting a virtual machine, and executing the encrypted virtual object code 5 on the virtual machine. Is to execute. This part
Generally, it depends on the model.

Next, in step S4, the target program 13 is obtained by linking with the actual object code relating to the remaining elements constituting the program and other necessary libraries 11. Here, the program 13 may be a general application, but may be a library or another program component that cannot be directly executed if it is linked and executable. This part is generally model-dependent, and existing development tools can be used as they are.

As described above, the software analysis protection method according to the embodiment of the present invention can be implemented in a program. This program is distributed while being recorded on a recording device such as an FD or a CD-ROM. Alternatively, it is downloaded to a user's computer via a network. Then, for example, it can be executed alone as follows.

First, an OS loader or the like loads the above program into a memory as a normal execution file.
Then, a normal startup routine is executed.
After a series of initialization processing and the like, the processing moves to the execution of the main body. The actual object code is performed in a normal process. In order to execute the encrypted virtual object code, it is necessary to construct a virtual machine and prepare a decryption routine to be executable before moving to the entry point.

FIG. 3 shows the memory model. First, to execute the encrypted virtual object code, a decryption routine library is called using the entry point as an argument (11). The decryption routine decrypts the encrypted virtual object code after the entry point and expands it into an empty area of the memory (13). When the development is completed, the virtual machine is called with the entry point of the decrypted virtual object code as an argument (1).
5). After executing the virtual object code (17), the virtual machine returns control (19). Here, since the virtual object code is always encrypted, the decryption routine can be considered as a part of the virtual machine.

The most important thing in the present invention is the encryption of the virtual operation code. With ordinary compilers and CPU code, encryption has its limits. This is because the decryption program itself is also written in the same CPU code, and when it is analyzed, everything is decrypted.

In the protection according to the present invention, the virtual operation code is further encrypted. This is performed by an encryptor prepared as a back end at the position of the post-optimizer in the processing system, so that the programmer does not need to be particularly aware of encryption.

The method of encryption is important. Hereinafter, a specific example of the encryption will be described. Here, description will be made below from level 1 to level 3 in the order of easy mounting. The first step is to start with level 1 and then gradually increase the level to deal with more sophisticated piracy.

First, level 1 will be described. Where c
Take the example of encrypting a simple sentence = a + b;

Raw state;-> Encrypted state push a; decode 23 push b; dfxdasf add; fdafds2aa store c; dafadf2 The raw state is the code of the virtual machine itself. Although the analysis becomes difficult even as it is by redefining the virtual operation code, it can be deciphered as long as you examine it patiently.

Therefore, a method has been devised in which a special operation code called "decode" is defined in the virtual machine, and the decoding is performed while decoding is performed in block units. In the above example, de
The code23 instruction is followed by a 23-byte encrypted block. 23 bytes are read ahead, decoded, and executed. The decrypted program is executed in a different memory space from the unencrypted program.

Here, another memory space is a memory space on the virtual machine, and is an address that cannot be easily corresponded to an actual linear address. This makes decryption even more difficult. Therefore, the label of an unencrypted program referred to by jump or the like uses the position in the memory space of the original program. Here, as the encryption algorithm, for example, a simple remainder method is used. The key is embedded in the header of the program, or a key is obtained from the outside at the time of execution, and decryption is performed using the key by the remainder method.

In this case, the decoding routine is performed in a native C
Written in PU code. In addition, since the decrypted program remains in the memory, there is a possibility that the decryption routine may be analyzed based on the program.

In the level 2 encrypted code, the analysis is made more difficult by writing the decryption routine itself as a virtual operation code. At the code output stage, the object of the decoding routine is output together with the normal object. In this case, in FIG. 3, the virtual machine executes the decryption routine.

The advantage of this method is that the decoding routine is first written in a virtual operation code, so that it is difficult to be analyzed by an existing disassembler or the like. Also,
The protection can be strengthened by dynamically changing the encoding / decoding, that is, by changing the encryption algorithm incorporated in each program.

In this case, the operation may be slower than the encryption code level 1. However, basically, not all programs are encrypted, but only highly confidential processes are encrypted. Therefore, it is considered that the merit is greater than the reduction in operation. In addition, since the processing speed of computers is increasing at a rapid pace every year, disadvantages are being resolved.

Even with the encrypted code of level 2, a problem occurs because the decrypted code remains in the memory. Therefore, in level 3, a method of executing the code developed on the memory while erasing it as needed is adopted. Alternatively, a method is used in which the addresses of the code expanded on the memory are executed while being appropriately converted.

The confidentiality is enhanced by minimizing the blocks that always reside in one place and executing the encryption code while clearing or moving the address as appropriate. Similarly, by executing the decryption process while clearing or moving the address, the confidentiality is further enhanced.

Further, in the software analysis protection method according to the embodiment of the present invention, confidentiality processing can be distributed to provide higher confidentiality. Since a single program progresses inevitably weakens security, multiple virtual machines are executed in parallel. This is a method of preparing means for communicating with each other between the virtual machines and executing the encryption code in parallel.

However, when processing is performed in parallel, it is necessary for the programmer to explicitly divide the program and develop the programs so that they are synchronized. Therefore, the burden on the programmer is slightly increased. This technique is used when confidentiality higher than level 3 needs to be maintained.

An example will be described. For example, take the processing of d = (a * 127 + b) * (c + 2). This processing is divided, and program 1 calculates only a * 127 + b. In program 2, c + 2
Only calculate. Program 3 waits for the end of program 1 and program 2 and performs multiplication with the value obtained after the end. The program 4 prepares the address of d, waits for the end of the program 3, and stores the obtained value in the address of d after the end.

Although this example is simplified, a program for synchronizing is expanded on a larger scale, and irrelevant processing is executed at the same time (for example, by transforming the expression (a * 127 + b +
e) * (c + 2)-e * c-e * 2, and insert a dummy e, and run another program that uses e at the same time to confuse it.) The effect is expected.

Further, by introducing a method of outputting a code of a language that supports parallel processing, if the confidential processing is automatically distributed, the burden on the programmer can be reduced.

In the above embodiment, both the virtual machine and the decryption routine are incorporated in the program in advance. But,
In the most basic idea of the present invention, one or both of the virtual machine and the decoding routine may be dynamic.

Next, a program distribution server according to an embodiment of the present invention will be described. Currently, commercial software is FD
The software is distributed as paid package software on disks such as CD-ROMs and CD-ROMs, but the rate of distribution via open computer networks such as the Internet is increasing year by year. It is common practice to accept limited trial use and to allow regular use with a password.

The problem in this case is that anyone can easily obtain the program body. Then, those who have the skills to remember will easily perform internal analysis and publish it on the network.

In the program distribution method according to the embodiment of the present invention, a program to be distributed is subjected to the above-described internal analysis protection method, and then stored in a program distribution server connected to the Internet. An unspecified number of users can download and execute the program via the Internet. However, internal analysis of a program is almost impossible as described above.

By doing so, the program can be protected from internal analysis even if the program distribution server is installed in a state where it can be freely downloaded from the computer network.

Although the present invention has been described in detail with reference to the embodiments, it is apparent to those skilled in the art that the present invention is not limited to the embodiments described in the present application. The device of the present invention can be embodied as modifications and alterations without departing from the spirit and scope of the present invention defined by the claims. Therefore, the description of the present application is intended for illustrative purposes, and has no restrictive meaning to the present invention.

[0075]

According to the present invention, the inventor has developed "Program of t
Based on the technology of "he air", concealment processing (and part of the main processing that is the key to the processing) is converted to virtual operation code using a virtual C compiler, and the virtual machine and its code are embedded in "AirCraft" and tested. Was done. As a result, it was no longer cracked. Before the experiment, it was decrypted within one month after release, but so far it has not been decrypted for more than one and a half years.

In the case of using a virtual machine, it is possible to avoid the risk of analysis by itself because a unique code system can be obtained. This is because existing reverse-engineering software such as disassembler is compatible with the widely used instruction set of CPUs such as those made by Intel, and cannot disassemble special virtual operation codes determined by the user. .

However, in the past, the inventor has defined and used a very simple virtual operation code, but in the end, has experienced decoding this code. If it is difficult to decipher the virtual operation code, it is clear that there is a considerable effect, but it is safer if further measures are taken.

In the present invention, since the program is converted into a virtual operation code and the virtual operation code is further encrypted, it is clear that decryption becomes extremely difficult. Furthermore, if the virtual operation code is changed each time, it can be said that decryption is almost impossible without much time and effort.

[Brief description of the drawings]

FIG. 1 is a block diagram illustrating a software analysis protection method according to an embodiment of the present invention.

FIG. 2 is a diagram illustrating an example of a virtual operation code of a virtual machine used in a software analysis protection method according to an embodiment of the present invention.

FIG. 3 is a diagram showing a memory model of a program to which a software analysis protection method according to an embodiment of the present invention is applied.

Claims (8)

[Claims] Generating a code for implementing a virtual machine that executes a virtual operation code; converting a source code of a program into a virtual object code including the virtual operation code;
A method of protecting a program from internal analysis, comprising: encrypting the virtual object code; and generating a code for decrypting the encrypted virtual object code. 2. The method according to claim 1, wherein the program is created in a high-level language. 3. The encrypted virtual object code is statically linked as a real object code with a code for implementing the virtual machine and a code for decrypting the encrypted virtual object code. A method for protecting a program according to claim 2 from internal analysis. 4. A step of converting a source code different from a source code to be converted into a virtual object code including the virtual operation code into an unencrypted non-encrypted object code; 3. The method of claim 2, further comprising linking the non-encrypted object code with the non-encrypted object code. 5. The method according to claim 2, wherein the non-encrypted object code comprises a native code. 6. The method according to claim 2, wherein the code for decrypting the encrypted virtual object code is implemented by the virtual operation code. 7. A code for implementing a virtual machine that executes a virtual operation code, an encrypted virtual object code obtained by encrypting a virtual object code including the virtual operation code, and a decryption of the encrypted virtual object code. A computer-readable recording medium for storing a program protected from internal analysis consisting of codes. 8. A method for distributing a program in a state that can be protected from internal analysis, wherein the program is an encrypted virtual object code obtained by encrypting a virtual object code composed of a virtual operation code executable by a virtual machine. A method of distributing a program, characterized by being configured.