TW487839B - A method of providing secure linkage of program modules - Google Patents

Info

Publication number
TW487839B
Authority
TW
Taiwan
Prior art keywords
program module
address
program
scope
file
Prior art date
Application number
TW89123279A
Other languages
Chinese (zh)
Inventor
Lewis V Rothrock
Richard L Maliszewski
Carlos V Rozas
Lihui C Tung
Kumar Ranganathan
Original Assignee
Intel Corp

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/44 Program or device authentication
    • G06F 21/445 Program or device authentication by mutual authentication, e.g. between devices or programs
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F 21/12 Protecting executable software
    • G06F 21/121 Restricting unauthorised execution of programs
    • G06F 21/125 Restricting unauthorised execution of programs by manipulating the program code, e.g. source code, compiled code, interpreted code, machine code
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/44 Arrangements for executing specific programs
    • G06F 9/445 Program loading or initiating
    • G06F 9/44521 Dynamic linking or loading; Link editing at or after load time, e.g. Java class loading

Abstract

Secure linkage of first and second program modules so that they may authenticate each other and provide security for digital content accessed by one or more of the modules. The method includes storing at least one address of at least one function of the first program module in a file, calling the second program module from the first program module and passing the file to the second program module, verification of the integrity of the first program module by the second program module, and calling, by the second program module, a selected function of the first program module using an address obtained from the file once the integrity of the first program module has been verified. In one embodiment, the first program module may be a digital content player application and the second program module may be an integrity verification kernel that verifies the integrity of the player application. The file may be a signed binary description file that includes the addresses of functions in the first program module.

Description

487839 V. Description of the Invention (1)

Background of the Invention

1. Field

The present invention relates generally to the protection of digital content in computer and consumer electronic systems, and more particularly to secure linkage between program modules.

2. Description

The personal computer (PC) platform is an open, accessible computer architecture. The openness of the PC, however, means that it is fundamentally an insecure computing platform. Both hardware and software can be accessed for observation and modification. This openness allows a malicious user or program to observe and modify executing code, possibly with the help of software tools such as debuggers and system diagnostic tools. Despite these risks, various classes of operations must be performed securely on this fundamentally insecure PC platform; those applications must either assume basic operational integrity or at least be able to verify that it holds. Examples of such operations include financial transactions, other electronic transactions, unattended access authentication, and digital content management.

For content providers, countering the threat of digital piracy on the PC requires new software that resists attack by a malicious user. In this setting, the malicious user will want to tamper with or replace specific components of the software to gain unauthorized access to digital content or to make unauthorized copies. A cryptographic system based on encryption and used together with the software can help protect the rights of the content owner. Content can be encrypted to provide some degree of protection, but the software, which accesses the decrypted content during playback, remains vulnerable to attack.

One known method of protecting the two components of such a playback system is secure linkage. The method includes checking the return address when a function of one program module calls a function of another, and using it to verify characteristics of the called and calling modules. This secure linkage method counters a [...]-type attack in which an attacker uses a substitute or virtual module to gain access to a programmatic interface; in that case the virtual module replaces the authorized module at run time. The secure linkage checks the return address of the calling function and the address of the called function against a predetermined verification protocol [...]; a signature of the authenticating module is used to decide whether an address is legitimate, and the address is used to verify the identity of the authorized caller [...] the internal procedures of the module. Access control is used for [...] level of security [...]. Although the secure linkage described above generally provides a level of security, there is still room for improvement [...] before digital content is stolen. What is needed is a method that allows software executing on a fundamentally insecure platform to be difficult to observe or modify.

Summary of the Invention

[...] storing at least one address of at least one function of the first program module in a file, calling the second program module from the first program module and passing the file to the second program module, verifying the integrity of the first program module by the second program module, and calling, by the second program module, a selected function of the first program module using an address obtained from the file once the integrity of the first program module has been verified.

Other embodiments are also described and claimed.

Brief Description of the Drawings

The features and advantages of the present invention will become apparent from the following detailed description of the present invention, in which:

Figure 1 shows a secure linkage system according to an embodiment of the present invention;

Figure 2 is a flow diagram of secure linkage processing according to an embodiment of the present invention; and

Figure 3 shows an example processing system capable of operating as a secure linkage system according to an embodiment of the present invention.

Detailed Description

An embodiment of the present invention is a method of redirecting function calls through a protected environment, which affects the secure linkage of program modules. This method provides secure linkage of two program modules, achieved at least in part by including specific compiler-generated assembly code at the entry point of a called module to capture the caller's return address, and at the exit point of the call, to ensure that the proper return address is used. An embodiment of the present invention supplements the return-address check with a callback method, which additionally protects program

module calls. As used herein, a program module may be any identifiable portion of computer program code, or any sequence of program instructions in any programming language. The callback functions of a first program module may be registered as a property of that module. The result of a privileged operation of a second program module may be returned through the registered callback functions of the first module. A return-address check may be used to decide whether the operation required in a given callback function should be performed. Embodiments of the present invention make it harder for an attacker to bypass the verification of the first program module performed by the second program module and to modify the behaviour of the second program module in order to invoke the services of the first module for unauthorized use, or to replace a legitimate first program module with a foreign one.

Reference in the specification to "an embodiment" or "one embodiment" of the present invention means that a particular feature, structure or characteristic described in connection with that embodiment is included in at least one embodiment of the present invention. Thus the phrase "in one embodiment" appearing in various places throughout the specification does not necessarily refer to the same embodiment.

Figure 1 shows a secure linkage system 10 according to an embodiment of the present invention. In this embodiment, the concepts of the present invention are used to securely link a first program module with a second program module. A first program module, program module A 12, uses a second program module, called an integrity verification kernel (IVK) 14, to verify the integrity of the first program module. Embodiments of the present invention operate so that it is very difficult for another program module (such as a hacker's own procedure for "verifying" the program module) to replace the IVK, or to observe or modify the internal operation of the IVK. More generally,

the two program modules to be securely linked by the present invention may comprise any software elements. In one embodiment, the IVK 14 may be made tamper-resistant, using tamper-resistance techniques to protect itself against intrusion by a malicious user who observes its execution or its interaction with program module A, and to provide a protected operating environment for program module A.

Tamper-resistant software is software that, to a certain extent, resists observation and modification. It continues to operate even under malicious attack. Tamper-resistant software is position-independent and does not need to reside in the same address space or process in which it was generated [...]. In one embodiment, such software is produced by a tamper-resistant compiler (not shown). The tamper-resistant compiler, when applied to a software module produced by a plain-text source code compiler, replaces the plain image with a self-decrypting, obfuscated image. This self-decrypting software, once compiled by the tamper-resistant compiler, executes correctly only if no part of the image has been changed. The tamper-resistant compiler [...] a "hidden" execution mode [...] a software kernel capable of [...]. Any attempt to break the obfuscation in order to understand the actual operation of the software, or to modify it, causes the kernel to fail completely (that is, it can no longer decrypt itself properly).

Program module A 12 may also be associated with an integrity verification kernel (IVK) 14. An IVK is software that verifies the "fingerprint" of a program image in memory (for example, program module A) against data accompanying a supplied digital signature. This process authenticates the program image (for example, program module A) and provides a robust mechanism for

detecting changes to executing software, whether those changes are caused by transmission errors or by malicious attacks on the software. Any unauthorized change to the software causes the verification process to fail. If the verification process fails, the processing associated with program module A is prevented from executing. For example, if program module A is part of a digital content player application and tampering is detected by the included IVK, the player application will not play the content. IVKs for tamper-resistant software perform self-checking of [...] code, bilateral authentication of cooperating modules, and checking of [...] data to verify the integrity of a software module; they are self-[modifying], self-decrypting, and must be installed independently. What they establish, when two cooperating software modules need to communicate with each other, is [...] by verifying the called module using a predetermined "root" key [...] to make sure that it is indeed the intended party. This processing is called bilateral authentication. In an embodiment of the present invention, the IVK 14 may be used to verify the integrity of program module A 12. The IVK may also be used to perform bilateral authentication between program module A 12 and other program components such as program module B 16, as described, for example, in U.S. Patent Application No. 09/109,472, entitled "Method and Apparatus for Integrity Verification, Authentication, and Secure Linkage of Software Modules", assigned to the same assignee as the present invention. Further details of tamper-resistant modules and of integrity verification processing with IVKs and bilateral authentication are found in U.S. Patent No. 5,892,899, entitled "Tamper Resistant Methods and Apparatus", and in Application No. 08/924,740, also entitled "Tamper Resistant Methods and Apparatus", both assigned to the same assignee as the present invention.

According to an embodiment of the present invention, program module A 12 contains one or more callback functions, labelled callback function 1 18, callback function 2 20, ..., callback function N 22, as shown in Figure 1. As used herein, a callback function is a portion of the software within program module A that may be invoked by other program modules, for example the IVK 14. A callback function can assist in the verification operations for program module A. A callback function begins at a callback address within program module A. Each callback function may correspond to a particular program verification, or to a specific segment of it, referred to herein as a "milestone". In at least one embodiment there are at least three milestones. One is to verify that program module A has not been tampered with. Another milestone is to verify that no program debugger is currently executing on the computer system that executes program module A; such a debugger could be used by a malicious user to interfere with, observe or modify the execution of program module A. Another milestone is to verify that a signed binary description file (BDF) 24 for the combination of program module A and the IVK has been produced by a trusted entity.

The signed BDF 24 is a file that contains, at least in part, a binary description of the integrity of program module A. The signed BDF may be stored anywhere accessible to program module A and the IVK. In one embodiment, the BDF contains identification information 26 relating the file to program module A 12 and IVK 14, one or more callback addresses corresponding to callback functions 18, 20 and 22 (labelled callback address 1 28, callback address 2 30, ..., callback address N 32 in Figure 1), and a digital signature 34. The signed BDF may be produced by a signing tool 36, which accepts information about the callback functions from program module A, and identification information from program module A and the IVK, and signs

the file. A signing tool suitable for this purpose is described in U.S. Patent Application No. 09/109,472, entitled "Method and Apparatus for Integrity Verification, Authentication, and Secure Linkage of Software Modules", assigned to the same assignee as the present invention. In one embodiment, a random value for program module A may be computed as part of the identification information and stored together with the callback addresses in the BDF. This information may be signed with the private half of an asymmetric key pair. By using the encrypted callback addresses in the signed BDF, it becomes difficult for a hacker to replace the IVK with a malicious module, because for a given callback function [...] it is hard to know which address needs to be invoked.

Program module A invokes the IVK to verify its integrity and passes the associated signed BDF to the IVK. Because the IVK is tamper-resistant, it is difficult for a hacker to observe or modify the integrity check the IVK performs. The signed BDF cannot be changed without invalidating the encrypted value stored in it. The callback addresses used according to embodiments of the present invention add extra security to the secure linkage by providing a level of indirection between the modules. This architecture combines the benefits of program module A's integrity check with [...], so a user can execute the integrated check [...]; because of the encrypted callback addresses, the IVK is not easily replaced by a malicious module. Hence it is far more difficult to separate or subvert the linkage between program module A and the IVK.

The verification operation may be divided into one or more milestones. After each milestone

is successfully completed, the callback address for that milestone can be obtained from the signed BDF, relocated, and verified to be a legitimate address within program module A. If it is, the associated callback function can be invoked, or executed. This callback function performs some key work required by the service that program module A provides (for example, playing digital content), and returns an error indication in the failure case. In one embodiment no error indication is returned; the program module simply stops executing. In this manner, program module A is required to successfully pass through the IVK in order to perform its key functions [...]. For an attacker, it is difficult to skip the call and get past the IVK.

In the IVK, milestone calling functions corresponding to the callback functions (labelled calling function 1 19, calling function 2 21, ..., calling function N 23) can be defined to provide secure linkage to program module A and to provide key program services. The milestone calling functions are the portions of software within the IVK that implement the verification actions. These milestone calling functions may be obfuscated to achieve tamper resistance when the IVK is built. Each milestone calling function may call the associated callback function in program module A.

Figure 2 shows a flow diagram of secure linkage processing according to an embodiment of the present invention. At block 100, the operating system (OS) loads and starts execution of program module A 12. At block 102, program module A passes the signed binary description file (BDF) to the IVK 14 in order to verify the module's integrity before continuing processing.

Program module A invokes the IVK with the signed BDF as a parameter. Next, at block 104, the IVK uses the signed BDF to perform verification of program module A for at least one milestone. For example, [...] if the values do not match, the program module must have been tampered with. If the verification at block 106 is unsuccessful, the IVK stops verification of the program module, returns a failure indication to program module A at block 108, and performs no further processing. Program module A learns that it has been compromised and should give up without performing any further processing. If verification of the current milestone at block 106 succeeds, processing continues to block 110. In this block, the IVK obtains the callback address for the current milestone from the signed BDF, relocates it, verifies that the callback address lies within program module A, and uses the callback address to perform an operation. That is, the address of the function invoked by the IVK is given by the current callback address. In one embodiment, a milestone calling function in the IVK (such as calling function 1 19) invokes a callback function in program module A. The callback function proceeds to perform some function useful to program module A. Generally, this function is critical to the successful operation of program module A; for example, it may include decrypting part of the digital content. When the callback function finishes, it returns control to the calling function in the IVK that invoked it. If all milestones have not been completed at block 112, the IVK checks the next milestone at block 104. If all milestones have been completed at block 112, the IVK completes verification of program module A at block 114 and returns a successful-verification indication to program module A. At this point control may be passed back to program module A for subsequent processing.
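The milestone loop of Figure 2, as an added example in C that is not part of the patent or of Intel's code: module A, the signing tool and the IVK are all simulated in one process. A constructed byte array stands in for module A's in-memory image, a keyed FNV-1a hash stands in for the asymmetric digital signature the BDF would carry, the callback "addresses" are stored as byte offsets into module A's callback table and relocated against the table's base at run time, and a plain flag stands in for a real debugger probe. The names (bdf_t, ivk_verify, run_scenario and the rest) and the sample content are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_SIZE   64   /* bytes of constructed "code" the IVK fingerprints */
#define N_MILESTONES 3

typedef int (*callback_fn)(void);

/* ---- Program module A (simulated) --------------------------------------- */
static uint8_t module_a_image[IMAGE_SIZE];  /* stand-in for A's in-memory image */
static int     module_a_callbacks_run;      /* how many callbacks executed      */
static uint8_t module_a_plaintext[16];      /* content decrypted by the last one */

/* Constructed sample content, XOR-masked with a one-byte key for the demo. */
static const uint8_t CONTENT_KEY = 0x5A;
static const uint8_t content_cipher[16] = {
    0x29, 0x3F, 0x39, 0x2F, 0x28, 0x3F, 0x77, 0x36,
    0x33, 0x34, 0x31, 0x3B, 0x3D, 0x3F, 0x7B, 0x7B };

/* Callback functions inside module A, one per milestone. */
static int cb_bdf_accepted(void) { module_a_callbacks_run++; return 1; }
static int cb_image_ok(void)     { module_a_callbacks_run++; return 1; }
static int cb_decrypt_content(void) {
    /* The key work the player needs: decrypt one block of content. */
    for (size_t i = 0; i < sizeof content_cipher; i++)
        module_a_plaintext[i] = content_cipher[i] ^ CONTENT_KEY;
    module_a_callbacks_run++;
    return 1;
}
/* Module A's callback table. The BDF stores byte offsets into this table as
   the callback "addresses"; the IVK relocates them against the table base. */
static callback_fn module_a_callbacks[N_MILESTONES] = {
    cb_bdf_accepted, cb_image_ok, cb_decrypt_content };

/* ---- Signed binary description file (BDF) ------------------------------- */
typedef struct {
    uint32_t fingerprint;              /* identification info: hash of A's image */
    uint32_t cb_offset[N_MILESTONES];  /* callback addresses as table offsets    */
    uint32_t signature;                /* stand-in for the digital signature     */
} bdf_t;

#define FNV_INIT 2166136261u
static uint32_t fnv1a(uint32_t h, const void *p, size_t n) {
    const uint8_t *b = p;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 16777619u; }
    return h;
}

/* Keyed hash standing in for the private-key signature of the real scheme. */
static const char SIGNING_KEY[] = "constructed-demo-signing-key";
static uint32_t bdf_mac(const bdf_t *b) {
    uint32_t h = fnv1a(FNV_INIT, SIGNING_KEY, sizeof SIGNING_KEY);
    h = fnv1a(h, &b->fingerprint, sizeof b->fingerprint);
    return fnv1a(h, b->cb_offset, sizeof b->cb_offset);
}

/* Signing tool (36 in Fig. 1): records A's fingerprint and callback
   offsets, then signs the file. Run once at build time by a trusted party. */
static void sign_bdf(bdf_t *b) {
    b->fingerprint = fnv1a(FNV_INIT, module_a_image, IMAGE_SIZE);
    for (int m = 0; m < N_MILESTONES; m++)
        b->cb_offset[m] = (uint32_t)(m * sizeof(callback_fn));
    b->signature = bdf_mac(b);
}

/* ---- Integrity verification kernel (IVK) -------------------------------- */
/* Blocks 104-114 of Fig. 2: verify one milestone, then relocate and invoke
   its callback. Returns milestones completed, or -1 as soon as one fails. */
int ivk_verify(const bdf_t *b, int debugger_present) {
    for (int m = 0; m < N_MILESTONES; m++) {
        int ok;
        switch (m) {
        case 0:  ok = (bdf_mac(b) == b->signature); break;   /* trusted signer */
        case 1:  ok = (fnv1a(FNV_INIT, module_a_image, IMAGE_SIZE)
                       == b->fingerprint); break;             /* image intact  */
        default: ok = !debugger_present; break;   /* flag stands in for a probe */
        }
        if (!ok) return -1;
        uint32_t off = b->cb_offset[m];
        /* Relocate, and refuse any offset that does not land on an entry of
           module A's table: the file is trusted, the address still gets checked. */
        if (off % sizeof(callback_fn) != 0 || off >= sizeof module_a_callbacks)
            return -1;
        callback_fn cb = *(callback_fn *)((uint8_t *)module_a_callbacks + off);
        if (cb() != 1) return -1;
    }
    return N_MILESTONES;
}

/* ---- Scenarios ---------------------------------------------------------- */
int run_scenario(int tamper_image, int tamper_bdf, int debugger_present) {
    bdf_t bdf;
    for (int i = 0; i < IMAGE_SIZE; i++) module_a_image[i] = (uint8_t)(i * 7 + 3);
    module_a_callbacks_run = 0;
    memset(module_a_plaintext, 0, sizeof module_a_plaintext);
    sign_bdf(&bdf);                                /* build time, before attack */
    if (tamper_image) module_a_image[10] ^= 0x01;  /* attacker patches one byte */
    if (tamper_bdf)   bdf.cb_offset[2] = 4096;     /* attacker edits the file   */
    return ivk_verify(&bdf, debugger_present);
}
int callbacks_run(void) { return module_a_callbacks_run; }
const uint8_t *decrypted_content(void) { return module_a_plaintext; }

int main(void) {
    int r = run_scenario(0, 0, 0);
    printf("clean:         %d milestones, %d callbacks, content \"%.16s\"\n",
           r, callbacks_run(), (const char *)decrypted_content());
    r = run_scenario(1, 0, 0); printf("patched image: %d (%d callbacks)\n", r, callbacks_run());
    r = run_scenario(0, 1, 0); printf("edited BDF:    %d (%d callbacks)\n", r, callbacks_run());
    r = run_scenario(0, 0, 1); printf("debugger:      %d (%d callbacks)\n", r, callbacks_run());
    return 0;
}
```

run_scenario exercises the four outcomes a practitioner would want to see: a clean run completes all three milestones and decrypts the constructed content; patching one byte of the image passes the signature milestone but fails the fingerprint milestone, so the decrypting callback never runs; editing a callback offset in the BDF breaks its signature before any offset is relocated; a debugger flag stops the third milestone. The offset range check in ivk_verify is what keeps a stored address from being pointed outside module A even if the file were accepted.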

The present invention includes a general mechanism for linking tamper-resistant code with other tamper-resistant code, or with plain-text code, in a way that detects tampering or other unauthorized access. Different embodiments of the present invention may include different choices among the techniques described above. For example, the secure linkage processing may be applied to modules other than the IVK. Milestones may be checked repeatedly to provide program module A with continuous self-checking during execution. The tamper resistance, in addition to being implemented in software, may also be implemented in hardware. Another embodiment of the present invention may additionally use the exception handler context to retain control in the failure case, so that it is harder for an attacker to detect the failed callback. The attacker can thus only observe that the program module is not working, without being able to determine why it is not working.

In other embodiments, additional variations of the secure linkage may be included. Customized milestone calling functions may be defined with an associated calling function and an arbitrary number of parameters. The customized milestone calling function may itself be tamper-resistant code. The callback address passed to a customized milestone calling function may serve as a pointer to a data storage area, or to a data [...]. The callback address may be encrypted in the signed BDF and decrypted only just before the IVK uses it, strengthening its security. The encryption key may be hidden and fetched by the IVK only when needed. If the callback function has been tampered with, an error indication is generated when the callback address is called or referenced. In another embodiment, the callback function may be encrypted and decrypted only immediately before use. For additional protection, a milestone calling function may use the exception handler within the IVK to block illegal operations. In this way, the IVK retains control in the failure case, and it is harder for an attacker to detect the failed callback; the attacker can therefore only observe

[...], or may use secret information stored in the IVK's tamper-resistant code to provide another level of indirection. The callback address passed to a milestone calling function may serve as a pointer to a data storage area holding the actual code of a "missing function", which can be moved to the "right" place in the IVK; this effectively makes the program module work correctly only after it has been verified. The return values of the callback functions may be chained together, allowing a series of functions to be invoked. A particular callback may also, depending on the caller's address, produce different program behaviour according to the specific location from which the function was invoked.

In the preceding description, various aspects of the present invention have been described. For purposes of explanation, specific numbers, systems and configurations were set forth in order to provide a thorough understanding of the present invention. However, it will be apparent to one skilled in the art having the benefit of this disclosure that the present invention may be practiced without the specific details. In other instances, well-known features were omitted or simplified in order not to obscure the present invention.

Embodiments of the present invention may be implemented in hardware or software, or a combination of both. However, embodiments of the invention may be implemented as computer programs executing on programmable systems comprising at least one processor, a data storage system (including volatile and non-volatile memory and/or storage elements), at least one input device, and at least one output device. Program code is applied to input data to perform the functions described herein and to generate output information. The output information may be applied to one or more output devices in a known fashion. For the purposes of this application, a processing system includes any system that has a processor, such as, for example, a digital

第18頁 487839Page 18 487839

特疋應用積體電路 五、發明說明(13) 位信號處理器(D SP ),一微控制器, (ASIC),或是一微處理器。 該程式可以實施於一高階的程序或物件導向式的程式语 言來與一處理系統通訊。該程式也可視需要來眚 σσ 丨、只她於址合 語言或機器語言。實際上,本發明並不受限於任何特定的 程式語言。在任何情況下,該語言皆玎是一編譯過或 過的語言。Special application integrated circuit 5. Invention description (13) Bit signal processor (DSP), a microcontroller, (ASIC), or a microprocessor. The program can be implemented in a high-level process or object-oriented programming language to communicate with a processing system. The program can also use 眚 σσ 丨 as required, only in address language or machine language. In fact, the invention is not limited to any particular programming language. In any case, the language is not a compiled or compiled language.

The programs may be stored on a storage medium or device (for example a hard disk drive, floppy disk drive, read-only memory (ROM), CD-ROM device, flash memory device, digital versatile disc (DVD) or other storage device) readable by a general- or special-purpose programmable processing system, for configuring and operating the processing system when the storage medium or device is read by the processing system to perform the procedures described herein. Embodiments of the invention may also be considered to be implemented as a machine-readable storage medium, configured for use with a processing system, where the storage medium so configured causes the processing system to operate in a specific and predefined manner to perform the functions described herein.

Figure 3 shows an example of one such processing system, although other systems may also be used, and not all of the components shown here are required by the invention. For example, sample system 400 may be used to execute the processing of the embodiments of the secure linkage system according to the embodiments of the invention described above. Sample system 400 is representative of processing systems based on the PENTIUM® II, PENTIUM® III and CELERON™ processors available from Intel Corporation, although other systems (including personal computers having other microprocessors, engineering workstations, set-top boxes and the like) and architectures may also be used.


Figure 3 is a block diagram of a system 400 according to one embodiment of the invention. System 400 includes a processor 402 that processes data signals. Processor 402 may be coupled to a processor bus 404 that transmits data signals between processor 402 and other components in system 400.

System 400 includes a memory 406. Memory 406 may store instructions and/or data represented by data signals that may be executed by processor 402. The instructions and/or data may comprise code for performing any and/or all of the techniques of the invention. Memory 406 may also contain additional software and/or data (not shown). A cache memory 408 may reside inside processor 402 and store data signals that were originally stored in memory 406.

A bridge/memory controller 410 may be coupled to processor bus 404 and memory 406. Bridge/memory controller 410 directs data signals between processor 402, memory 406 and other components in system 400, and bridges the data signals between processor bus 404, memory 406 and a first input/output (I/O) bus 412. In this embodiment, a graphics controller 413 interfaces to a display device (not shown) for displaying images rendered or otherwise processed by graphics controller 413 to a user.

First I/O bus 412 may comprise a single bus or a combination of multiple buses. First I/O bus 412 provides communication links between components in system 400. A network controller 414 may be coupled to first I/O bus 412. In some embodiments, a display device controller 416 may be coupled to first I/O bus 412. Display device controller 416 allows a display device to be coupled to system 400 and acts as an interface between a display device (not shown) and the system. The display device receives data signals from processor 402 through display device controller 416 and displays the information contained in the data signals to a user of system 400.

A second I/O bus 420 may comprise a single bus or a combination of multiple buses. Second I/O bus 420 provides communication links between components in system 400. A data storage device 422 may be coupled to second I/O bus 420. A keyboard interface 424 may be coupled to second I/O bus 420. A user input device 425 may be coupled to second I/O bus 420. The user input device may be, for example, a remote control, mouse, joystick or trackball for providing input data to the computer system. A bus bridge couples first I/O bus 412 to second I/O bus 420.

Embodiments of the invention are related to the use of system 400 as a secure linkage system. According to one embodiment, the secure linkage processing may be performed by system 400 in response to processor 402 executing sequences of instructions in memory 406. Such instructions may be read into memory 406 from another machine-readable medium, such as data storage device 422, or from another source via, for example, network controller 414. Execution of the sequences of instructions causes processor 402 to perform secure linkage processing according to embodiments of the invention. In an alternative embodiment, hard-wired circuitry may be used in place of, or in combination with, software instructions to implement embodiments of the invention. Thus, the invention is not limited to any specific combination of hardware circuitry and software.

The elements of system 400 perform their conventional functions in a manner well known in the art. In particular, data storage device 422 may be used to provide long-term storage for the executable instructions and data structures of embodiments of the secure linkage system according to the invention, whereas memory 406 is used to store on a shorter-term basis the executable instructions of embodiments of the secure linkage system according to the invention during execution by processor 402.

The invention has been described with reference to the illustrative embodiments; this description is not intended to be construed in a limiting sense. Various modifications of the illustrative embodiments, as well as other embodiments of the invention, will be apparent to persons skilled in the art and are considered to lie within the spirit and scope of the invention.



Claims (1)

1. A method of securely linking first and second program modules, comprising:
storing at least one address of at least one function of the first program module in a file;
calling the second program module from the first program module and passing the file to the second program module;
verifying the integrity of the first program module by the second program module; and
calling a selected function of the first program module from the second program module, using an address obtained from the file, when the integrity of the first program module has been verified.

2. The method of claim 1, wherein the file contains at least one of a digital signature of the at least one address and a digital signature of the first program module.

3. The method of claim 2, wherein verifying integrity comprises at least one of verifying the digital signature of the at least one address and verifying the digital signature of the first program module.

4. The method of claim 1, wherein the file contains identification information associating the first program module with the second program module.

5. The method of claim 1, wherein the second program module comprises tamper-resistant software.

6. The method of claim 1, wherein verifying integrity comprises bilateral authentication of the first and second program modules.

7. The method of claim 1, wherein verifying integrity comprises at least one of: verifying that the first program module has not been modified, determining that no program debugger application is executing on a processing system executing the program module, and verifying that the file was generated by a trusted entity.

8. The method of claim 1, wherein verifying integrity comprises verifying that the address is a calling address of the selected function within the first program module.

9. The method of claim 1, wherein storing the at least one address in the file further comprises encrypting the at least one address during storage.

10. The method of claim 1, wherein the at least one function comprises tamper-resistant software.

11. The method of claim 1, wherein calling the selected function comprises calling the selected function with an arbitrary number of parameters.

12. An article comprising: a storage medium having a plurality of machine-readable instructions, wherein when the instructions are executed by a processor, the instructions provide secure linkage of first and second program modules by:
storing at least one address of at least one function of the first program module in a file;
calling the second program module from the first program module and passing the file to the second program module;
verifying the integrity of the first program module by the second program module; and
calling a selected function of the first program module from the second program module, using an address obtained from the file, when the integrity of the first program module has been verified.

13. The article of claim 12, wherein the file contains at least one of a digital signature of the at least one address and a digital signature of the first program module.

14. The article of claim 13, wherein the instructions for verifying integrity comprise instructions for at least one of verifying the digital signature of the at least one address and verifying the digital signature of the first program module.

15. The article of claim 12, wherein the file contains identification information associating the first program module with the second program module.

16. The article of claim 12, wherein the second program module comprises tamper-resistant software.

17. The article of claim 12, wherein the instructions for verifying integrity comprise instructions for bilateral authentication of the first and second program modules.

18. The article of claim 12, wherein the instructions for verifying integrity comprise instructions for at least one of: verifying that the first program module has not been modified, determining that no program debugger application is executing on a processing system executing the program module, and verifying that the file was generated by a trusted entity.

19. The article of claim 12, wherein the instructions for verifying integrity comprise instructions for verifying that the address is a calling address of the selected function within the first program module.

20. The article of claim 12, wherein the instructions for storing the at least one address in the file further comprise instructions for encrypting the at least one address during storage.

21. The article of claim 12, wherein the at least one function comprises tamper-resistant software.

22. The article of claim 12, wherein the instructions for calling the selected function comprise instructions for calling the selected function with an arbitrary number of parameters.

23. A method of providing integrity verification of a first program module by a second program module, the first program module having addresses of callable functions stored in a file, comprising:
calling the second program module from the first program module to verify the integrity of the first program module;
performing integrity verification of the first program module by the second program module using at least one verification milestone in the file; and
obtaining a selected address from the file, verifying that the address is within the first program module, and, when the verification milestone has been successfully reached, calling a selected function addressed by the selected address and associated with the at least one verification milestone.

24. The method of claim 23, wherein the at least one verification milestone comprises at least one of: verifying that the first program module has not been modified, determining that no program debugger application is executing on a processing system executing the program module, and verifying that the file was generated by a trusted entity.

25. The method of claim 23, wherein the file contains a digital signature of the address.

26. The method of claim 23, further comprising repeatedly calling the second program module, performing the integrity verification, obtaining the selected address, verifying the selected address and calling the first program module throughout the execution of the first program module, in order to detect any compromise of the integrity of the first program module.

27. The method of claim 23, wherein the first program module comprises a digital content player application and the second program module comprises an integrity verification kernel.

28. The method of claim 23, wherein the address is encrypted in the file, and obtaining the selected address comprises decrypting the selected address.

29. The method of claim 23, wherein the second program module is tamper-resistant.

30. An article of manufacture comprising: a storage medium having a plurality of machine-readable instructions, wherein when the instructions are executed by a processor, the instructions provide integrity verification of a first program module by a second program module, the first program module having addresses of callable functions stored in a file, the instructions being for:
calling the second program module from the first program module to verify the integrity of the first program module;
performing integrity verification of the first program module by the second program module using at least one verification milestone in the file; and
obtaining a selected address from the file, verifying that the address is within the first program module, and, when the verification milestone has been successfully reached, calling a selected function addressed by the selected address and associated with the at least one verification milestone.
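The procedure of claims 1 and 23 (signed file of function addresses, verification milestone, address range check, callback into the verified module), together with the hidden callback addresses and chained callbacks discussed in the description above, as an added example in Python. This is not code from the patent or from Intel. It assumes things the patent does not state: the two modules are Python objects with a fake address range and a function table; HMAC-SHA256 stands in for the digital signature on the file; a SHA-256 keystream XOR stands in for the cipher that hides addresses in the file; and the "no debugger" check is a constructed flag. The names `Module`, `IntegrityVerificationKernel`, `build_bdf`, the `player.dll` sample and both keys are illustrative assumptions.

```python
"""Toy model of the secure module linkage described in this patent (added
example, not code from the patent or from Intel).  Assumptions not in the
patent: modules are Python objects with a fake address range; HMAC-SHA256
stands in for the file's digital signature; a SHA-256 keystream XOR stands
in for the cipher that hides addresses; the debugger check is a flag."""
import hashlib
import hmac
import struct

SIGNING_KEY = b"trusted-entity-signing-key"  # assumed: held by the signing entity
ADDRESS_KEY = b"ivk-address-hiding-key"      # assumed: known only to the IVK
SIG_LEN = 32


class Module:
    """A program module: base address, code bytes and its callable entry points."""

    def __init__(self, name, base, code, functions):
        self.name = name
        self.base = base
        self.code = bytearray(code)       # bytes the IVK hashes for integrity
        self.functions = dict(functions)  # offset from base -> callable

    @property
    def limit(self):
        return self.base + len(self.code)

    def digest(self):
        return hashlib.sha256(self.code).digest()

    def call(self, address, *args):
        return self.functions[address - self.base](*args)


def _xor_with_keystream(data, key):
    """Symmetric stand-in cipher: XOR with a SHA-256 counter-mode keystream."""
    stream = b"".join(hashlib.sha256(key + struct.pack(">I", i)).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def hide_address(address):
    return _xor_with_keystream(struct.pack(">Q", address), ADDRESS_KEY)


def reveal_address(blob):
    return struct.unpack(">Q", _xor_with_keystream(blob, ADDRESS_KEY))[0]


def build_bdf(module, callback_addresses):
    """The file the first module hands to the IVK: module identity, module
    hash and hidden callback addresses, all covered by one signature."""
    body = module.name.encode() + b"\0" + module.digest()
    body += struct.pack(">H", len(callback_addresses))
    body += b"".join(hide_address(a) for a in callback_addresses)
    return body + hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()


class IntegrityVerificationKernel:
    def __init__(self, debugger_present=False):
        self.debugger_present = debugger_present  # stand-in for the real check

    def verify(self, module, bdf):
        """Verification milestone: file signature, identity, module hash, no debugger."""
        body, sig = bdf[:-SIG_LEN], bdf[-SIG_LEN:]
        expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False, "file signature invalid"
        name, rest = body.split(b"\0", 1)
        if name != module.name.encode():
            return False, "file does not belong to this module"
        if not hmac.compare_digest(rest[:32], module.digest()):
            return False, "module modified"
        if self.debugger_present:
            return False, "debugger detected"
        return True, rest[32:]  # the (still hidden) callback table

    def callback(self, module, bdf, index, *args):
        """Reveal one address only after the milestone passes, check that it
        lies inside the verified module, then call through it."""
        ok, table = self.verify(module, bdf)
        if not ok:
            return False, table
        if index >= struct.unpack(">H", table[:2])[0]:
            return False, "no such callback"
        address = reveal_address(table[2 + 8 * index:10 + 8 * index])
        if not module.base <= address < module.limit:
            return False, "address outside module"
        return True, module.call(address, *args)

    def chain(self, module, bdf, indexes, value):
        """Feed each callback's return value into the next, re-verifying each time."""
        for index in indexes:
            ok, value = self.callback(module, bdf, index, value)
            if not ok:
                return False, value
        return True, value


# Constructed sample: a 'player' module with two entry points at +0x10 and +0x20.
PLAYER = Module("player.dll", 0x10000000, b"\x90" * 256,
                {0x10: lambda x: x + 1, 0x20: lambda x: x * 2})
PLAYER_BDF = build_bdf(PLAYER, [PLAYER.base + 0x10, PLAYER.base + 0x20])

if __name__ == "__main__":
    print(IntegrityVerificationKernel().chain(PLAYER, PLAYER_BDF, [0, 1], 3))  # (True, 8)
```

Three points the model makes visible. The milestone runs on every callback, which is the repeated verification of claim 26; the address is only revealed after it passes, and even a correctly signed file can carry an address that lies outside the module, so the range check of claims 8 and 23 is a separate step from signature verification. Hiding the addresses under a key known only to the IVK is what keeps them out of the file on disk, so an attacker who patches the module cannot simply read the table and call the functions directly. In a real deployment that key and the verification code live inside the tamper-resistant kernel rather than in a plaintext constant as here.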
TW89123279A 1999-11-16 2000-11-04 A method of providing secure linkage of program modules TW487839B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US44140999A 1999-11-16 1999-11-16

Publications (1)

Publication Number Publication Date
TW487839B true TW487839B (en) 2002-05-21

Family

ID=23752763

Family Applications (1)

Application Number Title Priority Date Filing Date
TW89123279A TW487839B (en) 1999-11-16 2000-11-04 A method of providing secure linkage of program modules

Country Status (3)

Country Link
AU (1) AU7623600A (en)
TW (1) TW487839B (en)
WO (1) WO2001037067A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7181726B2 (en) 2003-03-07 2007-02-20 Benq Corporation Method for providing active protection to programming tools for programmable devices
US8127276B2 (en) 2006-12-13 2012-02-28 Institute For Information Industry Apparatus, method, and computer readable medium thereof for generating and utilizing a feature code to monitor a program

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2391341A (en) * 2002-07-31 2004-02-04 Hewlett Packard Co A method of validating the rights of a user to participate in an interactive computer environment
US20070174571A1 (en) * 2006-01-25 2007-07-26 Safenet, Inc. Binding a protected application program to shell code
US20100325077A1 (en) * 2007-02-21 2010-12-23 Naoshi Higuchi Computer, operation rule application method and operating system
EP3514713B1 (en) 2013-07-02 2023-11-15 Precise Biometrics AB Verification application, method, electronic device and computer program

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5689565A (en) * 1995-06-29 1997-11-18 Microsoft Corporation Cryptography system and method for providing cryptographic services for a computer application
US5757914A (en) * 1995-10-26 1998-05-26 Sun Microsystems, Inc. System and method for protecting use of dynamically linked executable modules
US5958051A (en) * 1996-11-27 1999-09-28 Sun Microsystems, Inc. Implementing digital signatures for data streams and data archives


Also Published As

Publication number Publication date
AU7623600A (en) 2001-05-30
WO2001037067A1 (en) 2001-05-25

Similar Documents

Publication Publication Date Title
JP5285075B2 (en) Differentiate safety standards with secure kernel design
JP4702957B2 (en) Tamper resistant virtual machine
Smith et al. Building a high-performance, programmable secure coprocessor
US5991399A (en) Method for securely distributing a conditional use private key to a trusted entity on a remote system
CN101894224B (en) Protecting content on client platforms
JP4664398B2 (en) Incremental code signing method and apparatus
JP5636371B2 (en) Method and system for code execution control in a general purpose computing device and code execution control in a recursive security protocol
CN109840430B (en) Safety processing unit of PLC and bus arbitration method thereof
Chen et al. Certifying program execution with secure processors
US9602289B2 (en) Steganographic embedding of executable code
US10503931B2 (en) Method and apparatus for dynamic executable verification
EP2300952B1 (en) A method for adapting and executing a computer program and computer program product and computer architecture therefor
US20110191593A1 (en) Software License Embedded In Shell Code
WO2004006075A1 (en) Open type general-purpose attack-resistant cpu, and application system thereof
JPH08166879A (en) Method and apparatus for reinforcement of safety of softwarefor distribution
IL168907A (en) System and method for protected operating system boot using state validation
CN101199159A (en) Secure boot
JP2004038939A (en) Storage and retrieval of data based on symmetric key encryption
US10628562B2 (en) Method for protecting a computer program from being influenced, and computer system
WO2017000648A1 (en) Authentication method and apparatus for reinforced software
CN115104096A (en) Protecting commercially-ready program binaries from piracy using a hardware secure enclave
US20100205459A1 (en) Method and system for protecting against access to a machine code of a device
JP2007310688A (en) Microcomputer and software tampering prevention method thereof
TW487839B (en) A method of providing secure linkage of program modules
JP5060372B2 (en) Data processing device