JP2009211646A - Data concealing program, data read-out program, data concealing device, and data reader - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To embed confidential data in a program so that a third person cannot easily find it. <P>SOLUTION: A computer carries out processing including: a data acquisition step S10 for acquiring data to be concealed; a confidential data code generating step S14 for generating a confidential data code by embedding the data to be concealed other than at least an operation code of a program code including the operation code; and a program generating step S16 for generating a program executable in the computer including the confidential data code. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to a data concealment program, a data read program, a data concealment device, and a data read device.

  There is known a technique for embedding data that is not desired to be known by a third party in a program.

  In Patent Document 1, for password data divided into one byte, information indicating the storage position of each byte is stored as a non-overlapping offset value from a predetermined head address in a first continuous memory area, Disclosed is a technique for storing password data divided into 1 byte at a time in such a manner that each byte is distributed and stored in a second continuous storage area having a sufficient length starting from the head address according to an address determined by an offset value. Yes.

JP 2004-46640 A

  When the data is embedded in the program without being divided, the program code is scanned in consideration of the property of the data, so that it may be easily examined where the data is embedded in the program code.

  In particular, when random data such as an encryption key is embedded in orderly information such as a program, the location where the secret data is embedded is identified using the random property. There is a risk.

  The same applies to the case where the data itself is encrypted, and it is also necessary to embed a decryption encryption key for decrypting the encrypted data.

  Further, when the data is divided and concealed, there is a problem that it cannot be determined whether or not encryption is applied to the concealed data.

  One of the present invention is a data acquisition step for acquiring data to be concealed in a computer, and concealment for generating a concealed data code by embedding the data to be concealed while leaving at least the operation code of the program code including the operation code. A data concealment program for executing a process including a data code generation step and a program generation step for generating a computer-executable program including the secret data code.

  Another aspect of the present invention is a data acquisition means for acquiring data to be concealed, and generates a concealed data code by embedding the data to be concealed leaving at least the operation code of the program code including the operation code. A data concealment apparatus comprising: a secret data code generation unit; and a program generation unit that generates a computer-executable program including the secret data code.

  Here, the secret data code generation step or means randomly selects a program code and generates a secret data code by embedding the data to be concealed with at least an operation code remaining in the format of the selected program code. It may be a thing.

  Further, the secret data code generation step or means selects a program code according to the appearance probability of the operation code, and at least leaves the operation code in the format of the selected program code, and embeds the data to be concealed to provide confidential data It is also possible to generate code.

  Further, the secret data code generation step or means selects a program code according to the appearance probability of a sequence of a plurality of operation codes, and at least leaves the operation code in the format of the selected program code, and the data to be concealed The secret data code may be generated by embedding.

  The secret data code generation step or means may generate a secret data code by embedding the data to be concealed, leaving at least an operation code in a program code format included in a program template executable by a computer. Good.

  The program generation step or means may generate a program including a data extraction code for reading data embedded in the secret data code.

  Further, the program generation step or means may generate a program including a code information database in which a program code format executable by a computer is registered.

  According to another aspect of the present invention, the secret data code is read from a computer-executable program including a secret data code in which at least the operation code of the program code including the operation code is left in the computer and the data to be concealed is embedded. A data reading program, comprising: executing a process including a secret data code reading step and a data extraction step of extracting embedded data by skipping an operation code included in the secret data code.

  According to another aspect of the present invention, there is provided a concealment for reading out the concealed data code from a computer-executable program including a concealed data code in which data to be concealed is embedded, leaving at least the operation code of the program code including the operation code. A data reading device comprising: data code reading means; and data extraction means for extracting embedded data by skipping an operation code included in the secret data code.

  Here, the data extracting step or means refers to a code information database in which a program code format executable by a computer included in the program is registered and skips an operation code included in the secret data code. The embedded data may be extracted.

  According to the first and tenth aspects of the present invention, it is possible to embed data to be concealed in a program in a manner that is difficult for a third party to find.

  According to the invention of claim 2, data can be easily concealed by randomly selecting a program code for embedding data to be concealed.

  According to the invention of claim 3, by selecting the program code for embedding the data to be concealed according to the frequency of use of the code, it can be embedded in the program in a manner that is difficult to be found by a third party.

  According to the invention of claim 4, by selecting the program code for embedding the data to be concealed according to the bigram or trigram indicating the probability of the operation code arrangement, the program code can be embedded in the program in a manner that is difficult to find by a third party. it can.

  According to the invention of claim 5, by embedding data to be concealed in the program code included in the program template, it can be embedded in the program in a manner that is difficult to be found by a third party.

  According to the invention of claim 6, when the generated program is executed, the data to be kept secret can be read from the program and used.

  According to the seventh aspect of the present invention, it is possible to read out and use the data concealed in the program with reference to the code information database in which the program code format executable by the computer is registered.

  According to the eighth and eleventh aspects of the present invention, the concealed data is read out from a computer-executable program including a secret data code in which at least the opcode of the program code including the opcode is left and the data to be concealed is embedded. Can be used.

  According to the ninth aspect of the present invention, it is possible to read out and use data concealed in a program by referring to a code information database in which a program code format executable by a computer is registered.

<Device configuration>
The data concealment / reading device 100 according to the embodiment of the present invention includes a central processing unit 10, a storage unit 12, an input unit 14, a display unit 16, and an interface unit 18, as illustrated in FIG. These components are connected to each other by information transmission means such as a bus or a network so as to be able to transmit information to each other.

  The central processing unit 10 includes a CPU (central control device). The central processing unit 10 receives information from the storage unit 12, the input unit 14, and the interface unit 18, performs processing such as computation on the information according to a program, and outputs the information to the display unit 16 and the interface unit 18. I do. In the present embodiment, the central processing unit 10 executes a data concealment program stored in advance in the storage unit 12, thereby realizing a function of embedding data to be concealed in the program. Further, the central processing unit 10 executes a data reading program stored in advance in the storage unit 12, thereby realizing a function of reading data embedded in the program as a secret object.

  The storage unit 12 includes an information storage device such as a semiconductor memory, a hard disk device, and an optical disk device. The storage unit 12 stores various information such as a data concealment program and data read program executed by the data concealment / reading device 100, data to be concealed used for processing in the data concealment / reading device 100, a code information database, and the like. Hold.

  The input unit 14 includes a character data input side device such as a keyboard and an information input side device such as a pointing device such as a mouse. The input unit 14 is operated by a user who inputs information to the data concealing / reading device 100, and is used to receive an instruction from the user and data for processing. Data input from the input unit 14 is stored and held in the storage unit 12.

  The display unit 16 includes a display device such as a display. The display unit 16 is used for presenting a user interface image and information to be processed to a user when performing processing in an application. For example, a user interface image that prompts the user to input information necessary for processing in the data concealment / reading apparatus 100 is displayed.

  The interface unit 18 includes a device for connecting the data concealing / reading device 100 to other devices via a communication means such as a LAN, WAN, or the Internet so that information can be transmitted. In the present embodiment, the data concealment / reading apparatus 100 can access an external computer using the interface unit 18, and may obtain information necessary for processing from the external computer. The interface unit 18 may be a device that realizes information transmission according to an existing protocol such as TCP / IP.

  FIG. 2 is a functional block diagram showing the data concealing / reading device 100 according to the present embodiment.

  As shown in FIG. 2, the data concealment / reading apparatus 100 includes a main program generation unit 20, a concealment target data acquisition unit 22, a concealment data code generation unit 24, a program generation unit 26, a concealment data code reading unit 28, a concealment data code. It functions as an apparatus including the analysis unit 30 and the code information database storage unit 32.

<Data confidentiality processing>
The data concealment / reading apparatus 100 executes the data concealment process according to the flowchart shown in FIG. 3 by executing the data concealment program stored in the storage unit 12.

  In the following description, a code indicates each instruction that can be executed by a computer that constitutes a program and a combination thereof, and a program indicates that a series of processing is performed as a whole by a combination of a plurality of codes.

  In step S10, a main program is generated. This step corresponds to the main program generating means 20 in FIG.

  The central processing unit 10 executes a programming tool such as a program editor, receives a program code input by the user from the input unit 14, and generates a main program for performing a target process. For example, the editor screen of the program tool is displayed on the display unit 16, the input of the user's compiler source code by the input unit 14 is received, and the source code is compiled to generate the object code of the main program.

  Here, the main program code includes a data extraction code and a calling code. The data extraction code describes the process of reading the secret data code from the secret data storage unit that stores the data to be concealed as the secret data code in the following process, and analyzing the read secret data code to extract the secret data It is a thing.

  The calling code describes a process for calling the data extraction code in the main program and executing the data extraction code. The calling code also includes the start address and the size of the secret data storage unit that is an area for storing the secret data code.

  In step S12, data to be concealed is acquired. This step corresponds to the confidential data acquisition unit 22 in FIG.

  The central processing unit 10 acquires data to be concealed from the user via the input unit 10 or from an external device via the interface unit 18. However, the data acquisition method is not limited to this.

  Examples of the data to be concealed include data that requires secure handling such as a password used for authentication, an encryption key used for data encryption, and a decryption key used for data decryption.

  Step S14, a process of embedding the data to be concealed in the concealed data code. This step corresponds to the secret data code generation means 24 in FIG.

  The central processing unit 10 performs a process of embedding the data to be concealed acquired in step S12 as part of program code executable by the computer. The program code is described as source code before the compilation process, and includes an opcode part and an operand part as illustrated in FIG.

  The opcode part is usually 1 byte or 2 bytes. Further, if the opcode part includes an instruction prefix part, it may be 3 bytes or more. The opcode part is a part describing the type of each processing (arithmetic) instruction in the program.

  The operand part is a part that describes values and variables to be processed (calculated) in the program. The operand part may include data indicating a register to be processed and an immediate value. The operand part may be divided into an address specifying part, a displacement part, and an immediate part.

  For example, the source code of the process of storing data “0x1122” in the register specified by the identifier “eax” is described as “Mov eax 0x1122” or the like. The source code of the process of adding data “0x3344” to the data stored in the register specified by the identifier “ebx” is described as “Add ebx 0x3344” or the like.

  An object code is generated by converting such source code by a compiler. The object code is a bit string that can be directly executed by the central processing unit 10 (CPU) of the computer.

  The central processing unit 10 performs processing to embed data to be concealed in a program code including an executable opcode. Specifically, as illustrated in FIG. 5, a code information database in which executable opcodes and data lengths of corresponding operands are associated with each other is registered in the storage unit 12 in advance, and operation codes are randomly selected from the code information database. The selected data is sequentially embedded in the operand corresponding to the opcode.

  For example, when “0x11223345456667788” is acquired as the secret data and the operation code randomly extracted from the code information database is “Move eax”, the data length of the operand corresponding to the operation code “Move eax” is 4 bytes. Then, the source code of “Mov eax 0x11223344” is generated using the 4-byte data “0x11223344” from the beginning of the secret data as an operand. Since the 4-byte data “0x556667788” remains in the secret data, the operation code is further extracted at random from the code information database. When the extracted opcode is “Add”, the data length of the operand corresponding to the opcode “Add” is 4 bytes. Therefore, the 4-byte data “0x556667788” is used as the operand from the data next to the already embedded data. A source code “Add eax 0x556667788” is generated. Since all the data to be kept secret is embedded as a code, the process is terminated.

  Also, instead of generating source code, object codes B8H, 44H, 33H, 22H, 11H, 88H, 77H, 66H, and 55H are directly used in accordance with a file format that can be linked to the main program in step S16. It may be generated. Although this representation shows an example in which numerical values are represented in little endian, it can also be represented as B8H, 44H, 33H, 22H, 11H, 88H, 77H, 66H, 55H as a pair of data strings.

  In this way, until all the confidential data is embedded, the operation code is randomly extracted from the code information database and the data is embedded.

  In addition to the operand part, the secret data may be embedded while leaving the description of the ModR / M part including information such as a register. For example, when the operation code randomly extracted from the code information database is “Mov eax” and an instruction that takes an offset from the register ebx as an immediate value is used, in addition to the operand, ModR / M is left and the data “0x11223344” "May be embedded to generate a source code of" Mov eax 0x11223344 [ebx] ".

  The central processing unit 10 compiles the source code in which the secret data is embedded in this way and converts it into a secret data code that is an object code. The compiler may be incorporated in the data concealment program, or may be a compiler that is stored in advance in the storage unit 12 or an external device and applied. If the object code is directly generated instead of the source code, this compiling operation is unnecessary.

  In this embodiment, the operation code is randomly extracted from the code information database and the data is embedded with the data length corresponding to the operation code. However, each operation code is stored at a frequency corresponding to the appearance probability of each operation code in the program. You may choose. The probability of appearance of each opcode in the program may be obtained by statistically examining a plurality of programs. The appearance probability of each opcode may be stored in the storage unit 12 in advance.

  Further, each opcode may be selected according to the appearance probability of a sequence of a plurality of opcodes in the program. That is, instead of the occurrence probability of each operand, the operands included in the program are decomposed in units of N, and an operation code is selected according to the appearance probability of the combination. If the value of N is 2, it is called a bigram (bi-gram), and if it is 3, it is called a trigram (tri-gram).

  For example, as shown in the example of the trigram in FIG. 6, the appearance probability of the next operation code is obtained according to the combination of the two previous operation codes and the previous operation code, and the frequency according to the appearance probability is obtained. A selection process is performed so that an opcode is selected.

  Further, the secret data may be embedded in the operand included in the program template without using the code information database. The program template may be prepared in advance, or a part of the main program generated in step S10 may be used as a template.

  When embedding secret data “0x11223334556767888” using the program template illustrated in FIG. 7A, the opcode “Move eax” is left as the operand for the source code “Move eax 0x000004030” on the first line, and the operand The first 4 bytes of the secret data are embedded in the part to make “Mov eax 0x11223344”, the opcode part “Add ebx” is left in the operand part for the source code “Add ebx 0x0000008c” in the second row, and the remaining part of the secret data in the operand part 4 bytes are embedded and “Add ebx 0x556667788” is set. As a result, a source code as shown in FIG. 7B is generated. The source code generated in this way is converted into a secret data code that is an object code by compiling.

  In step S16, the main program code and the secret data code are linked to complete the program. This step corresponds to the program generation means 26 in FIG.

  The central processing unit 10 links the object code of the main program generated in step S10 and the object code of the secret data code generated in step S14 with a linker to generate a program that is a load module.

  As illustrated in FIG. 8, the generated program includes a call code, a secret data code, and a data extraction code in the text section together with the main program. Moreover, you may include the utilization code of the data which is a program code which utilizes the confidential data read from the confidential data code. The usage code may be generated in the main program generation step in step S10.

  Further, the registration contents of the code information database may be included in the program. The code information database may be stored in the storage unit 12 instead of in the program. This corresponds to the code information database storage unit 32.

  In the above-described embodiment and modification, an example in which one piece of secret data is embedded in one program code is shown, but a plurality of pieces of secret data can be embedded in one program. In that case, a data extraction code and an operand information database may be provided in common for a plurality of secret data.

<Data read processing>
Hereinafter, a data read process for reading data embedded in the program generated by the data concealment process will be described.

  The data concealment / reading apparatus 100 executes the data reading process according to the flowchart shown in FIG. 9 by executing the data reading program stored in the storage unit 12. In the present embodiment, the data reading program is a program generated in the data concealment process.

  In step S20, a memory area for storing the read secret data is secured. This step corresponds to a part of the secret data code reading means 28 in FIG.

  The central processing unit 10 secures a free area in the storage unit 12 in order to store confidential data read in the following processing. Also, the start address of the secured free area is obtained.

  In step S22, the calling code is called to call the data extraction code. This step corresponds to a part of the secret data code reading means 28 in FIG.

  The central processing unit 10 executes a call code included in the program. When the calling code is executed, the processing of the data extraction code included in the program is called. At this time, the start address of the secret data storage unit and the size of the secret data storage unit included in the call code, and the start address of the memory area secured in step S20 are delivered to the data call code.

  In step S24, the confidential data is read out. This step corresponds to a part of the secret data code reading means 28 and the secret data code analyzing means 30 in FIG.

  The central processing unit 10 executes the data extraction code called in step S22. The data extraction code accesses the secret data storage unit embedded in the program, and sequentially reads the secret data code from the start address of the secret data storage unit. The central processing unit 10 reads out the data stored in the secret data storage unit and refers to the code information database to check which opcode it is. Then, the data length of the operand portion of the corresponding operation code is obtained, and the secret data code composed of the combination of the operation code portion and the operand portion is read out. In the present embodiment, the confidential data code is read one by one, and the confidential data is stored in the next step S26.

  The code information database may be incorporated in the program, or may be stored in the storage unit 12 or the like so as to be accessible from the central processing unit 10.

  For example, when the secret data code “B8H, 44H, 33H, 22H, 11H” corresponding to the source code “Mov eax 0x11223344” is stored, the opcode “B8H (Mov eax)” in the code information database illustrated in FIG. Is 1 byte, and the data length of the operand corresponding to it is 4 bytes. Therefore, 5 bytes of data are read out as the first secret data code from the head address of the secret data storage unit.

  Next, when the process returns to step S24, if the secret data code “05H, 88H, 77H, 66H, 55H” corresponding to the source code “Add eax 0x556667788” is stored after the secret data code, In the code information database illustrated in FIG. 5, the opcode “05H (Add eax)” is 1 byte, and the data length of the operand corresponding to it is 4 bytes. Therefore, 5 bytes of data from the start address of the secret data storage unit is the second secret. Read as data code.

  In step S26, the data is read from the operand part and stored in the reserved memory area. This step corresponds to a part of the secret data code analyzing means 30 in FIG.

  The central processing unit 10 extracts only the secret data from the read secret data code according to the separation between the operation code part and the operand part performed in step S24, and starts from the start address of the free area in the memory secured in step S20. Store in order.

  For example, in the above example, when the secret data code “B8H, 44H, 33H, 22H, 11H” is read, the first one byte is the operation code “B8H (Move beam)”, so that portion is skipped. Operand data “0x11223344” having a data length of 4 bytes is extracted and stored in the memory area for 4 bytes from the start address of the free area of the memory.

  Next, when the secret data code “05H, 88H, 77H, 66H, 55H” is read, the first byte is the operation code “05H (Add eax)”. Operand data “0x556667788”, which is a byte, is extracted, and data “0x11223344” is stored in the memory area after the storage area (four bytes from the fifth byte from the start address).

  In step S28, it is determined whether all the confidential data has been read. This step corresponds to a part of the secret data code analyzing means 30 in FIG.

  The central processing unit 10 determines whether or not all the secret data codes stored in the secret data storage unit have been read. Specifically, in the data extraction code, whether the secret data code has been read up to the final end of the secret data storage unit using the start address of the secret data storage unit and the size of the secret data storage unit delivered from the calling code Determine. If all the reading is completed, the data reading process is terminated and the process returns to the main program. If not, the process returns to step S24 to read a new secret data code.

<Modification>
In the above embodiment, the dummy program code is incorporated into the program as the secret data code. However, the secret data may be read by executing the secret data code.

  For example, a secret data code is generated by a combination of a program code stored in a memory (register) in which data is secured and a program code that increases the address of the memory (register), and the secret data code is executed in the memory by executing the secret data code. Secret data can be stored sequentially. The secret data is embedded in the data portion of the program code that stores the data in the secured memory (register).

  More specifically, the source code “Mov1 [eax] immediate value (4 bytes)” for storing immediate data in the memory area indicated by the address value stored in the register eax, and the data size storing the value of the register eax The source code “Add eax 4” that is increased by (4 bytes) is combined to generate a secret data code that repeats the combination as many times as necessary to store the secret data, as illustrated in FIG. Confidential data is embedded as an immediate value. At the end of the secret data code, a code for returning the processing to the main routine is inserted.

  The secret data code generated in this way is linked with the main program including the call code for the secret data code to generate a program.

  The secret data reading process is performed by calling the secret data code by the call code of the main program.

  For example, in the case of the above example, if the start address of the secret data code is called by storing the start address of the memory area that is the storage destination of the secret data in the register eax, the secret data code “Movl [eax] immediate value (4 bytes)” Is executed, and the 4-byte immediate value included in the code is stored in the memory area indicated by the register eax. Subsequently, the secret data code “Add eax 4” is executed, and the value of the register eax is increased by 4 bytes. Subsequently, the next “Mov” code is executed, and the next secret data is stored in the memory area indicated by the register eax increased by 4 bytes. The secret data is sequentially stored in the memory space secured by combining such processes. By putting a code for returning the process to the main routine at the end of the secret data code, the process is returned to the main routine when the reading of the secret data is completed.

It is a figure which shows the structure of the data concealment / reading apparatus in embodiment of this invention. It is a functional block diagram of the data concealment / reading device in the embodiment of the present invention. It is a flowchart of the data concealment process in the embodiment of the present invention. It is a figure which shows the structural example of a program code. It is a figure which shows the example of the relationship between the opcode in a program code, and the size of an operand. It is a figure which shows the example of the trigram in embodiment of this invention. It is a figure which shows the example in the embodiment of this invention, and the secret data code produced | generated from it. It is a figure which shows the structural example of the program in embodiment of this invention. It is a flowchart of the data reading process in embodiment of this invention. It is a figure which shows the example of the secret data code in the modification of this invention.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 10 Central processing part, 12 Storage part, 14 Input part, 16 Display part, 18 Interface part, 20 Main program production | generation means, 22 Confidential object data acquisition means, 24 Confidential data code production | generation means, 26 Program production | generation means, 28 Confidential data code Reading means, 30 secret data code analyzing means, 32 code information database storage means, 100 data concealing / reading device.

Claims (11)

On the computer,
A data acquisition step for acquiring data to be concealed;
A secret data code generating step for generating a secret data code by embedding the data to be concealed leaving at least the operation code of the program code including the operation code;
A program generation step of generating a computer-executable program including the secret data code;
A data concealment program for executing a process including: In the data concealment program according to claim 1,
The secret data code generation step is characterized by randomly selecting a program code and generating a secret data code by embedding the data to be concealed while leaving at least an operation code in the format of the selected program code. Data concealment program. In the data concealment program according to claim 1,
The secret data code generation step selects a program code in accordance with the appearance probability of the operation code, and generates a secret data code by embedding the data to be concealed, leaving at least the operation code in the format of the selected program code. A data concealment program characterized by that. In the data concealment program according to claim 1,
The secret data code generation step selects a program code according to the appearance probability of a sequence of a plurality of operation codes, and at least leaves the operation code in the format of the selected program code, and embeds the data to be concealed into the secret data A data concealment program characterized by generating code. In the data concealment program according to claim 1,
The secret data code generation step generates a secret data code by embedding the data to be concealed with at least an operation code remaining in a program code format included in a computer-executable program template. program. In the data concealment program according to any one of claims 1 to 5,
In the data generation program, the program generation step generates a program including a data extraction code for reading data embedded in the confidential data code. In the data concealment program according to any one of claims 1 to 6,
The program generating step generates a program including a code information database in which a program code format executable by a computer is registered. On the computer,
A secret data code reading step of reading out the secret data code from a computer-executable program, including a secret data code in which at least the opcode of the program code including the operation code is embedded and data to be concealed is embedded;
A data extraction step of skipping the opcode included in the secret data code and extracting the embedded data;
A data reading program for executing a process including: The data reading program according to claim 8,
The data extraction step is embedded by skipping an operation code included in the secret data code with reference to a code information database in which a program code format executable by a computer included in the program is registered. A data reading program for extracting data. Data acquisition means for acquiring data to be concealed;
A secret data code generating means for generating a secret data code by embedding the data to be concealed leaving at least the operation code of the program code including the operation code;
Program generation means for generating a computer-executable program including the secret data code;
A data concealment device comprising: A secret data code reading means for reading out the secret data code from a computer-executable program including a secret data code in which at least the operation code of the program code is stored and the data to be concealed is embedded;
Data extraction means for extracting the embedded data by skipping the opcode included in the secret data code;
A data reading device comprising:

Images