WO2007074992A1 - Method for detecting malicious code changes from hacking of program loaded and executed on memory through network - Google Patents


Info

Publication number
WO2007074992A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
confirming
errors
confirming errors
server
Application number
PCT/KR2006/005582
Other languages
English (en)
French (fr)
Inventor
Hee An Park
Original Assignee
Ahn Lab, Inc.
Application filed by Ahn Lab, Inc.
Publication of WO2007074992A1


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/54 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by adding security routines or objects to programs
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/0703 Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
    • G06F11/0766 Error or fault reporting or storing
    • G06F11/0772 Means for error signaling, e.g. using interrupts, exception flags, dedicated error registers
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/0703 Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
    • G06F11/0706 Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation the processing taking place on a specific hardware platform or in a specific software environment
    • G06F11/0727 Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation the processing taking place on a specific hardware platform or in a specific software environment in a storage system, e.g. in a DASD or network based storage system
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/08 Error detection or correction by redundancy in data representation, e.g. by using checking codes
    • G06F11/10 Adding special bits or symbols to the coded information, e.g. parity check, casting out 9's or 11's
    • G06F11/1004 Adding special bits or symbols to the coded information, e.g. parity check, casting out 9's or 11's to protect a block of data words, e.g. CRC or checksum
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Definitions

  • The present invention relates to a method for detecting malicious code changes from hacking of a program that is loaded and executed in memory through a network.
  • The present invention relates to a method for detecting, in real time, malicious code changes from hacking of a program loaded and executed in memory under the client-server model.
  • Under the client-server model, a program provided by a server is generally executed at a client terminal in real time. Hacking is then attempted in order to prevent the executing program from fulfilling its original objective.
  • Hacking methods are divided into those that prevent a program from fulfilling its intended original objective by cracking the code of the executable program as it exists in file form, and those that make changes to the program after it has been loaded in memory for execution.
  • The latter method has become more problematic recently, because it causes damage as serious as that of the former and is more effective for hacking in real time; a preventive measure is therefore necessary.
  • The present invention provides a new method for detecting malicious code changes from hacking of a program loaded and executed in memory through a network.
  • An objective of the present invention is to provide a method for detecting malicious code changes from hacking of a program loaded and executed in memory through a network under the client-server model.
  • A method for detecting malicious code changes from hacking of a program loaded and executed in memory through a network comprises the following steps: creating first data for confirming errors with regard to the program code area that a server wishes to protect; transmitting a request message created based on the first data for confirming errors to a client; creating, at the client, second data for confirming errors with regard to the code area according to the request message; transmitting an answer message created based on the second data for confirming errors to the server; and comparing, at the server, the first data for confirming errors with the second data for confirming errors.
  • Both the first and the second data for confirming errors may be created with regard to the entire area of the program to be protected, or with regard to a part of the code area, by extracting the starting point and ending point of at least one function constituting the program.
  • At least one such part of the code area exists, and both the first and the second data for confirming errors may be created with regard to each part of the code area.
  • An ending point may be determined in one of three ways: it may be the point at which a prearranged number of return codes has been extracted by executing a disassembling step from the starting point; it may be the point right before the starting point of a different function, once that starting point has been extracted by the disassembling step; or it may be the point that lies a prefixed length away from the starting point.
  • The first and the second data for confirming errors comprise the instructions constituting a function, and may further comprise the operands constituting the function.
  • CRC (Cyclic Redundancy Check) data, checksum data, or hash data are used as the first and the second data for confirming errors.
  • Both the request message and the answer message are encrypted for transmission based on a session key shared by the server and the client, and both are decrypted based on the same session key, so that security in data transmission is duly considered.
  • FIG. 1 is a flowchart of a method for detecting malicious code changes from hacking of a program loaded and executed in memory through a network under the client-server model according to the present invention.
  • The present invention is described in detail below with reference to the attached drawing.
  • The present invention relates to a method for detecting an outside attack that changes program code loaded in memory while that code is executed through a network under the client-server model.
  • The present invention communicates by transmitting a request message and an answer message between a client and a server under the client-server model. In addition, a session key is shared for encrypting and decrypting the data in transmission, for security purposes.
  • Whether the program code has been modified is detected in the present invention by the following steps: creating, at a server, first data for confirming errors with regard to the program code being executed; creating second data for confirming errors corresponding to the first data for confirming errors; and comparing the first data for confirming errors with the second data for confirming errors.
  • The first and the second data for confirming errors according to the present invention are selected from the group consisting of CRC (Cyclic Redundancy Check) data, checksum data, and hash data that cover either the instructions only or both the instructions and the operands.
  • FIG. 1 illustrates a method for detecting malicious code changes from hacking of a program loaded and executed in memory through a network under the client-server model according to the present invention.
  • When the program that a server wishes to protect is loaded and executed in memory, first data for confirming errors with regard to the program code area in memory is created at step 101.
  • The first data for confirming errors may be created with regard to the entire program code to be protected or with regard to a part of it.
  • More than one such part may be set up.
  • A fixed number of functions may be selected from the functions constituting the program to be executed.
  • The number of functions is determined by the number of functions that constitute the code to be protected, and is therefore set up according to the particular program to be protected. In other words, if the part of the code to be protected is comprised of ten functions, those ten functions are selected. Alternatively, a part of the memory address range at which the executing code is loaded may be selected.
  • The ending point of a function is determined by executing a disassembling step from its starting point.
  • The ending point may be the point at which a prescribed number of return codes has been extracted during disassembly.
  • Alternatively, the point right before the starting point of another function may be set up as the ending point of the function.
  • Alternatively, a point a certain length away from the starting point of a function may be the ending point. Naturally, that length must fall within the scope of the entire code area.
  • The instructions that perform the actual computation of a function are drawn out by executing the disassembling step from the starting point to the ending point, and the first data for confirming errors is created to include those instructions.
  • In addition to the instructions, the first data for confirming errors may further comprise the operands with which the function performs its computation.
  • The first data for confirming errors may be created taking relocated addresses into account.
  • A request message corresponding to the first data for confirming errors is transmitted to a client.
  • The request message specifies that the second data for confirming errors shall be arranged in a random order based on the first data for confirming errors.
  • The request message is preferably transmitted in encrypted form based on the session key, in consideration of security during data communication.
  • The client creates second data for confirming errors corresponding to the first data for confirming errors, according to the request message.
  • If the request message is encrypted, it is decrypted based on the session key.
  • The client creates the second data for confirming errors to include the instructions detected in the applicable area while executing the disassembling step requested by the server, from the starting memory address to the ending point.
  • The second data for confirming errors is created to include not only the instructions but also the operands.
  • Second data for confirming errors is created with respect to each address, and it may be arranged in a random order according to the request in the request message.
  • At step 104 the client creates an answer message based on the second data for confirming errors created in that manner, and transmits the answer message to the server.
  • The answer message may be encrypted and transmitted in the same manner as the request message.
  • At step 105, after the server receives the answer message, the first data for confirming errors and the second data for confirming errors are compared, and it is determined whether the two are identical. If the answer message is encrypted, it is first decrypted so that the original second data for confirming errors is restored.
  • The program may continue running, as in step 106, and thereafter, if needed, whether the code in memory has been changed is inspected periodically or at random times, starting again from step 101 for the code area to be protected.
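The exchange of steps 101 to 105 above, as an added Python model that is not the patent's or Ahn Lab's code: the server computes CRCs over function ranges found by walking forward to a return code, sends an encrypted request naming those ranges and a random reporting order, and the client answers with CRCs over its own memory image. The byte scan for 0xC3 in place of real disassembly, the HMAC-based sealing of messages, and the constructed code bytes and session key are simplifying assumptions of this example.

```python
import hashlib, hmac, json, os, random, zlib

RET = 0xC3  # x86 'ret' opcode; scanning for this byte stands in for real disassembly

def function_ranges(code, starts, ret_count=1):
    """Ending point: walk from each start until the prescribed number of return codes is seen."""
    ranges = []
    for s in starts:
        seen, e = 0, s
        while e < len(code) and seen < ret_count:
            e += 1
            seen += code[e - 1] == RET
        ranges.append((s, e))
    return ranges

def confirm_data(code, ranges):
    """CRC per protected range (the page also allows a checksum or a hash)."""
    return [zlib.crc32(code[s:e]) for s, e in ranges]

def _keystream(key, nonce, n):  # HMAC-SHA256 in counter mode, adequate for short messages
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, obj):
    """Toy encrypt-then-MAC under the shared session key (an assumption, not the patent's scheme)."""
    data, nonce = json.dumps(obj).encode(), os.urandom(8)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:8], blob[8:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("message failed authentication")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def server_challenge(key, code, starts):
    """Steps 101-102: first data over the protected ranges, plus a request asking for a random order."""
    ranges = function_ranges(code, starts)
    order = random.sample(range(len(ranges)), len(ranges))
    return seal(key, {"ranges": ranges, "order": order}), confirm_data(code, ranges), order

def client_answer(key, memory, request):
    """Steps 103-104: second data over the same ranges of the client's memory, in the requested order."""
    req = unseal(key, request)
    second = confirm_data(memory, req["ranges"])
    return seal(key, {"crc": [second[i] for i in req["order"]]})

def server_verify(key, answer, first, order):
    """Step 105: undo the random order and compare first and second data."""
    got = unseal(key, answer)["crc"]
    return len(got) == len(first) and all(got[k] == first[i] for k, i in enumerate(order))

def run_check(tampered):
    """One full round; True means the client's code area still matches the server's copy."""
    key = b"constructed-session-key"
    code = bytes([0x55, 0x31, 0xC0, 0xC3, 0x55, 0x89, 0xE5, 0x5D, 0xC3, 0x90])  # constructed image
    memory = bytearray(code)
    if tampered:
        memory[6] = 0x90  # the client's in-memory copy was altered after loading
    request, first, order = server_challenge(key, code, [0, 4])
    return server_verify(key, client_answer(key, memory, request), first, order)
```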

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Quality & Reliability (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)
  • Detection And Correction Of Errors (AREA)
PCT/KR2006/005582 2005-12-26 2006-12-19 Method for detecting malicious code changes from hacking of program loaded and executed on memory through network WO2007074992A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR1020050129616A KR100663034B1 (ko) 2005-12-26 2005-12-26 메모리 상의 코드 조작 감지 방법 및 그 시스템
KR10-2005-0129616 2005-12-26

Publications (1)

Publication Number Publication Date
WO2007074992A1 true WO2007074992A1 (en) 2007-07-05

Family

ID=37866488

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2006/005582 WO2007074992A1 (en) 2005-12-26 2006-12-19 Method for detecting malicious code changes from hacking of program loaded and executed on memory through network

Country Status (2)

Country Link
KR (1) KR100663034B1 (ko)
WO (1) WO2007074992A1 (ko)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
SG161167A1 (en) * 2008-10-23 2010-05-27 Hung Chien Chou Real-time data protection method and data protection device for implementing the same

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101052735B1 (ko) * 2009-03-06 2011-07-29 주식회사 안철수연구소 메모리 조작유무를 감지하는 방법 및 이를 이용한 장치
KR101335326B1 (ko) * 2011-12-30 2013-12-02 (주)네오위즈게임즈 클라이언트 단말, 감시 서버, 및 감시 영역 변조 방지 방법
KR101623266B1 (ko) 2014-09-17 2016-05-20 (주)스마일게이트엔터테인먼트 Crc 알고리즘을 이용한 메모리 보호 파일의 위변조 검출 방법 및 서버
EP3772842A1 (de) * 2019-08-07 2021-02-10 Siemens Aktiengesellschaft Erkennung von manipulierten clients eines leitsystems

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5919257A (en) * 1997-08-08 1999-07-06 Novell, Inc. Networked workstation intrusion detection system
US6195767B1 (en) * 1998-09-14 2001-02-27 Phillip M. Adams Data corruption detection apparatus and method
US6640317B1 (en) * 2000-04-20 2003-10-28 International Business Machines Corporation Mechanism for automated generic application damage detection and repair in strongly encapsulated application
US6889159B2 (en) * 2002-07-22 2005-05-03 Finisar Corporation Scalable multithreaded system testing tool



Also Published As

Publication number Publication date
KR100663034B1 (ko) 2007-01-02

Similar Documents

Publication Publication Date Title
CN101783801B (zh) 一种基于网络的软件保护方法、客户端及服务器
EP3270318B1 (en) Dynamic security module terminal device and method for operating same
CN107483419B (zh) 服务器认证接入终端的方法、装置、系统、服务器及计算机可读存储介质
KR100919536B1 (ko) 복제된 디바이스를 식별하기 위해 동적 자격 증명을사용하는 시스템 및 방법
US20170034189A1 (en) Remediating ransomware
CN101473335A (zh) 信息处理终端与状态通知方法
CN112235321B (zh) 短信验证码防刷方法及装置
CN108900479A (zh) 短信验证码获取方法及装置
CN104092647A (zh) 网络访问方法、系统及客户端
CN111415161A (zh) 基于区块链的数据验证方法、装置及计算机可读存储介质
KR101369251B1 (ko) 시스템 파일 보호 및 복구를 위한 장치, 방법, 사용자 단말기 및 시스템
CN112559005A (zh) 基于区块链与分布式存储的物联网设备固件更新方法及系统
CN104980449B (zh) 网络请求的安全认证方法及系统
WO2007074992A1 (en) Method for detecting malicious code changes from hacking of program loaded and executed on memory through network
CN111597537A (zh) 基于区块链网络的证书签发方法、相关设备及介质
CN111585995A (zh) 安全风控信息传输、处理方法、装置、计算机设备及存储介质
CN114095228A (zh) 基于区块链和边缘计算的物联网数据安全存取方法、系统、装置及存储介质
CN111224826B (zh) 基于分布式系统的配置更新方法、设备、系统及介质
KR101436404B1 (ko) 사용자 인증 장치 및 방법
CN113259376A (zh) 一种基于区块链的物联网设备的控制方法
CN115118504B (zh) 知识库更新方法、装置、电子设备及存储介质
CN105100030B (zh) 访问控制方法、系统和装置
CN112732676B (zh) 基于区块链的数据迁移方法、装置、设备及存储介质
CN102262717B (zh) 用于更改原始安装信息及检测安装信息的方法、装置及设备
CN111786938A (zh) 防止恶意获取资源的方法、系统和电子设备

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 06835289

Country of ref document: EP

Kind code of ref document: A1