WO2007085308A1 - Method and device for identifying a pirated copy - Google Patents

Method and device for identifying a pirated copy

Info

Publication number
WO2007085308A1
Authority
WO
WIPO (PCT)
Prior art keywords
document
software
procedure
writing
characteristic parameters
Prior art date
Application number
PCT/EP2006/065680
Other languages
German (de)
English (en)
Inventor
Bernhard Aghte
Gero BÄSE
Norbert Oertel
Marcel Wagner
Ivan Kopilovic
Original Assignee
Siemens Enterprise Communications Gmbh & Co. Kg
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Siemens Enterprise Communications Gmbh & Co. Kg
Priority to EP06793013A (EP1979848A1)
Priority to CN200680052033.4A (CN101517585B)
Publication of WO2007085308A1

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Definitions

  • the invention relates to a method according to claim 1 and a device according to claim 6.
  • the invention is based on the object of specifying a method and a device with which an at least partial copy of a second software is detected in a first software, wherein the method and the device are both robust against changes to the copy and applicable to existing software.
  • This method makes it possible to prove a pirated copy of a second software or parts of a second software in a first software by recording characteristic parameters during the respective execution.
  • the correlation value it is possible, despite changes in the first software compared to the second software, to recognize the pirated copy because the correlation value describes a similarity between two sections of the first and the second software.
  • no changes are required in the first or second software since the recording or recording of the characteristic parameters can be carried out by means of a standalone program which evaluates functions of the operating system. Thus, even existing software can be examined for pirated copies.
  • a value of the parameter group and/or an execution time of the procedure change is used.
  • specific behavioral properties of the procedure instance to be invoked and / or invoked can be accurately analyzed.
  • a time chart can be created indicating when the procedure change occurred.
  • a plurality of sections of the second document are correlated with the associated characteristic parameters with at least a portion of the first document and, as a result, an associated correlation value is formed for each correlated section of the second document and a copy displayed if a plurality of the correlation values are greater than a respective threshold is.
  • a reduction in the rate of erroneously detected pirated copies can be achieved because more than one correlation value is considered in determining whether or not a pirated copy is present.
  • Threshold and the other correlation values are each greater than a second threshold. This alternative also makes it possible to reduce the number of pirated copies erroneously detected.
  • the invention also relates to a device for detecting a pirated copy, in which a first software comprises a copy of at least part of a second software, with
  • a second means for executing the second software wherein during a write and / or read operation of a parameter group of a procedure instance to and / or from a stack memory, at least one parameter characteristic of this writing and / or reading operation in a time sequence for an occurrence of the writing and / or reading operations is recorded in a second document;
  • the method can be implemented and executed.
  • the method or the device can be implemented as hardware, as software running on a processor or as a combination of hardware and software.
  • Figure 1 is a program flow of a software in which a plurality of procedure units are called
  • Figure 2 shows an occupancy of a stack during a
  • FIG. 3 is a flow chart of an embodiment
  • Figure 5 shows an apparatus for performing the method for detecting a pirated copy.
  • Elements with the same function and mode of operation are provided in FIGS. 1 to 5 with the same reference numerals.
  • FIG. 1 shows a program sequence of a software.
  • the software is in the form of a sequence of machine instructions and is executed, for example, on a microprocessor or a digital signal processor.
  • The machine commands of this software could be created by compiling and linking a C program using a development package, such as Microsoft Visual Studio.
  • the software can be divided into several procedure instances PI. Within each procedure instance PI, machine instructions are executed sequentially. In doing so, other procedure instances are called during or at the end of the respective procedure instance, i.e. a procedure change takes place. These calls cause data, such as register contents of the microprocessor, to be read from or written to a stack.
  • a second procedure instance PI2 is called during the course of a first procedure instance PI1.
  • the register contents of the microprocessor are written to the stack memory SP by means of the write operation SV at the time before the procedure change.
  • values of local variables of the first procedure instance PI1 can also be stored on the stack.
  • a parameter group PG of the procedure instance PI, PI1 is written to or read from the stack SP.
  • the parameter group PG includes the register contents and local variables of the first procedure instance PI1.
  • the first procedure instance PI1 represents a calling procedure instance and the second procedure instance PI2 represents a called procedure instance.
  • the individual machine instructions of the second procedure instance are processed.
  • the program flow returns to the first procedure instance PI1.
  • the data stored at the time of the procedure change from the first to the second procedure instance are read from the stack memory SP by means of the read operation LV.
  • These read data include, for example, register contents which are written to the corresponding registers of the microprocessor or also contents of local data which are assigned to the local variables of a procedure instance PI1.
  • a third procedure instance PI3 will be referred to in the following.
  • a write operation SV according to the above description takes place.
  • a fourth procedure instance PI4 is called, whereby again a writing process SV is executed.
  • the program jumps back to the third procedure instance PI3, wherein a read operation is carried out.
  • This third procedure instance PI3 is continued until its end and then, with the aid of another read operation, the first procedure instance PI1 is called.
  • the data belonging to the respective procedure instances are written to the stack SP or read from the stack SP.
  • FIG. 2 reproduces a level diagram with the fill level F of the stack SP as a function of the flow of the software, that is, depending on the executed procedure instances.
  • the fill level F is indicated, for example, in bytes, with each graduation mark of the fill level F in FIG. 2 corresponding to 100 bytes in each case.
  • 250 bytes are written to the stack memory.
  • the 250 bytes are read from the stack.
  • the procedure is analogous.
  • the filling level diagram of the stack it can be seen that during a writing process the filling level of the stack increases, whereas in a reading process the filling level is reduced.
  • the method according to the invention detects characteristic parameters CP1,..., CP4 for those execution times AZ at which a procedure change takes place.
  • These characteristic parameters represent specific properties of the calling and / or the called procedure instance.
  • the characteristic parameters may, for example, correspond to one or more values of the parameter group PG, such as a specific register content.
  • a characteristic parameter can also be generated from a summary or evaluation of the parameter group PG detected for the procedure change.
  • a first characteristic parameter CP1 can correspond to a number of bytes of all local variables of the calling procedure instance PI1.
  • 250 bytes were written to the stack memory during the procedure change from PI1 to PI2.
  • These 250 bytes comprise, for example, 64 bytes, which include the register values, and 186
  • a detection of the parameter group PG is realized, for example, in that when a function of the software that performs the read or write operation LV, SV is called, data of the calling and/or the called procedure instance, that is, the parameter group, are detected. Furthermore, in the context of carrying out the method, only a part of the parameter group, or else information that is obtained by evaluating one or more data of the parameter group, can be recorded. The data or information obtained during a reading or writing process is stored in a document for later processing. Furthermore, it is useful in practice to log, for each stored item of information or data, the execution time at which it was acquired. In general, this information, which can be assigned to a procedure change, is referred to as characteristic parameters CP1,..., CP4.
  • FIG. 3 shows a flow diagram for one exemplary embodiment.
  • a first document D1 for the first software S1 is generated with the aid of the first step X1.
  • at least one first characteristic parameter CP1 for the procedure change in the first document D1 is detected in the first step X1.
  • the first document may include the level F of the stack SP over the time of executing the first software. This has already been explained in more detail with reference to FIG.
  • the first document can display level F over time in the following way:
  • Level F: 0 250 0 400
  • The first line of this table indicates the execution times AZ over the time T, for example in milliseconds ms.
  • the second line reflects the level of the stack in bytes.
  • the level contains between 0 and 40 ms 0 bytes, between 40 and 80 ms 250 bytes etc.
  • a second document D2 is generated for the second software S2.
  • the procedure is analogous to the first step X1.
  • the representation of the second document D2 is analogous to the first document D1.
  • in a third step X3, a correlation value KW is formed by correlating at least one characteristic parameter CP1 of at least one section of the second document D2 with at least one section of the first document D1.
  • the correlation value KW indicates to what extent correlated sections of the first and second documents D1, D2 are similar.
  • An exemplary procedure of the third step for forming the correlation value KW is explained in more detail below with reference to FIG.
  • FIG. 4A shows the progression of the fill level of the stack during execution of the first software over time T. This history is stored in the first document.
  • FIG. 4B shows a further course of the stack when executing the second software S2. This history is stored in the second document.
  • a first section A1 is selected in the course of the filling level F from FIG. 4A. This selected first section A1 is shown in FIG. 4C. Within the course of the filling level, which results when executing the second software S2, see FIG.
  • this first section A1 is now searched for.
  • statistical methods are familiar to a person skilled in the art with the aid of which the course of the fill level of the first section A1 can be correlated with the fill level profile of FIG. 4B.
  • a high correlation value results at the time T1.
  • correlation values that are 0 or small result.
  • the correlation value KW exceeds a predefinable threshold value SW at the first time T1.
  • in a fourth step, at least one correlation value KW generated in the third step X3 is compared with a predefinable threshold value SW. If the correlation value KW is greater than the threshold value SW, the flowchart in the path J is continued. In this path, in a fifth step X5, for example, a user is notified that a correlation value greater than the threshold has been found. This means that at least part of the first software could be found in the second software S2 and thus at least parts of the first software were copied from the second software, i.e. a pirated copy has thus been discovered. The fifth step is then ended in the END state.
  • a portion of the course of the fill level of the stack when executing the first software was compared with the course of the level during the execution of the second software.
  • a section to be compared can also be used from the full-level profile of the second software instead of from the full-level profile of the first software. This is shown by way of example with a second section A2 in FIG. 4B.
  • at least a similarity of a portion of the first and second documents in the second or first document is sought.
  • the fill level of the stack has been used over the execution time of the respective software.
  • characteristic parameters CP1,..., CP4 can be used, which characterize a procedure change.
  • a number of variables of the called procedure instance, a number of bytes of variables of the called procedure instance, a number of local variables of a calling procedure instance, a number of local caller instance local variables, or a number of bytes of the local variables of the calling procedure instance are considered as characteristic parameters.
  • an indication can be used which indicates whether the procedure change corresponds to a recursive call or the respective memory addresses of the called and / or the procedure instance to be called are used.
  • the correlation value describes a correlation of a plurality of characteristic parameters, which are correlated separately, for example, and linked to a correlation value by means of a weighted addition.
  • Further statistical methods for performing correlations with one or more characteristic parameters are known to those skilled in the art, so that these will not be discussed further. If a plurality of correlation values KW1, KW2, KW3 is used, a pirated copy is indicated if a plurality of the correlation values are each greater than an associated threshold value. The following numerical example illustrates this:
  • a pirated copy is already detected if at least one of the correlation values is greater than the associated threshold value. For the 2 examples mentioned in the above paragraph, this means that a pirated copy is detected for each example.
  • a selection of the threshold(s) SW, SW1, ..., SW3 depends on the following aspects:
  • the respective threshold is selected near the maximum correlation value. It should be noted that small changes, e.g. due to changes in machine instructions in sections or runtime fluctuations during execution of the first and second software, then yield a low correlation value, that is, a low similarity, so that copied sections or the pirated copy are not detected.
  • if a threshold SW lower than the maximum correlation value is selected, pirated copies can be detected even if changes occur in the runtime behavior of the sections of the first and second software. If the threshold is set too low, however, sections that are not copies are recognized as copies.
  • a concrete threshold value SW depends, for example, on the runtime behavior of a computer on which the first and second software are executed. If the computer uses a multitasking operating system, changes in the runtime behavior can occur, so that in this case a lower threshold value has to be set than with a real-time operating system.
  • Figure 5 shows an embodiment of the device in the form of a device G, which is designed, for example, as a portable device in a mobile radio device or as a stationary device.
  • the device G has a first means M1, with which the first software S1 is executed.
  • characteristic parameters are recorded in a first document D1.
  • the second means M2 the second software S2 is executed.
  • characteristic parameters are recorded in a write and / or read operation of the parameter group of a procedure instance in a second document D2.
  • the second document can be read or written by means of the connection network X.
  • One or more correlation values KW1,..., KW3 are recorded in the third means M3 on the basis of the acquired information of the first and the second document.
  • correlation values are compared in the fourth means M4 with one or more predefinable threshold values SW1,..., SW4. Should one or more correlation values be greater than the respective threshold value, then the presence of the copy, that is, that at least portions of the first software are identical or almost identical to portions of the second software, is displayed with the aid of the fifth means M5.
  • This display can be reproduced, for example, for a user on a display DD.
  • the means M1, ..., M5, the first and second document D1, D2, the stack SP and the display DD are connected to each other via the connection network X for the exchange of information and data.
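
The search described for FIG. 4 (a section A1 slid across the other software's fill-level history, the best correlation value KW compared with a threshold SW) and the threshold trade-off described above can be sketched as follows. This is an added example, not code from the patent: the Pearson coefficient stands in for the unspecified statistical method, all traces are constructed, the function names are hypothetical, and samples are compared in order of procedure change rather than on a time axis.

```python
from math import sqrt


def correlation(a, b):
    """Pearson correlation of two equal-length sequences, in [-1, 1].

    Returns 0.0 when either sequence is constant: a flat stack profile
    has no shape that could be compared.
    """
    n = len(a)
    mean_a, mean_b = sum(a) / n, sum(b) / n
    dev_a = [x - mean_a for x in a]
    dev_b = [y - mean_b for y in b]
    denom = sqrt(sum(x * x for x in dev_a) * sum(y * y for y in dev_b))
    if denom == 0:
        return 0.0
    return sum(x * y for x, y in zip(dev_a, dev_b)) / denom


def best_match(section, document):
    """Slide `section` over `document`; return (offset, KW) of the best window."""
    if not section or len(section) > len(document):
        raise ValueError("section must be non-empty and fit into the document")
    best_offset, best_kw = 0, float("-inf")
    for offset in range(len(document) - len(section) + 1):
        kw = correlation(section, document[offset:offset + len(section)])
        if kw > best_kw:
            best_offset, best_kw = offset, kw
    return best_offset, best_kw


def is_copy(section, document, sw):
    """Steps X3 to X5: report a copy when the best KW exceeds the threshold SW."""
    _, kw = best_match(section, document)
    return kw > sw


# Constructed sample data: stack fill level in bytes at successive
# procedure changes (assumption: one sample per write/read operation).
SECTION_A = [0, 250, 0, 400, 700, 400, 0]        # section of the original software
# Suspect software containing the routine with changed frame sizes and one
# extra push in the middle (e.g. an interruption on a multitasking system).
D_MODIFIED = [0, 80, 0, 300, 120, 380, 760, 380, 0, 80, 0]
# Independent software whose call pattern merely rises and falls.
D_UNRELATED = [0, 100, 200, 300, 400, 300, 0, 50, 0]


def threshold_sweep(thresholds=(0.99, 0.95, 0.80)):
    """Map each SW to (modified copy detected, unrelated software flagged)."""
    return {
        sw: (is_copy(SECTION_A, D_MODIFIED, sw),
             is_copy(SECTION_A, D_UNRELATED, sw))
        for sw in thresholds
    }


if __name__ == "__main__":
    for name, doc in (("modified", D_MODIFIED), ("unrelated", D_UNRELATED)):
        offset, kw = best_match(SECTION_A, doc)
        print(f"{name}: best offset {offset}, KW = {kw:.4f}")
    for sw, (hit, false_hit) in threshold_sweep().items():
        print(f"SW = {sw}: copy detected = {hit}, false positive = {false_hit}")
```

A threshold close to the maximum correlation value misses the modified copy, while the lowest threshold also flags the unrelated trace; only the middle setting separates the two constructed cases.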

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Multimedia (AREA)
  • Technology Law (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Debugging And Monitoring (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to a method for identifying a pirated copy, in which a first software comprises a copy of at least part of a second software. The method comprises the following operations: the first software is executed; during a write and/or read operation of a parameter group of a procedure instance to and/or from a stack, this operation taking place during a procedure change, at least one characteristic parameter of the write and/or read operation is recorded in a first document in the time sequence of the write and/or read operations; the second software is executed; during a write and/or read operation of a parameter group of a procedure instance to and/or from a stack, this operation taking place during a procedure change, at least one characteristic parameter of the write and/or read operation is recorded in a second document in the time sequence of the write and/or read operations; at least one correlation value is formed by correlating at least one of the characteristic parameters of at least one section of the second document with at least one of the corresponding characteristic parameters of at least one section of the first document; the presence of a pirated copy is indicated when the correlation value is greater than a threshold value. The invention also relates to a device for carrying out the method.
PCT/EP2006/065680 2006-01-30 2006-08-25 Method and device for identifying a pirated copy WO2007085308A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
EP06793013A EP1979848A1 (fr) 2006-01-30 2006-08-25 Method and device for identifying a pirated copy
CN200680052033.4A CN101517585B (zh) 2006-01-30 2006-08-25 Method and device for detecting pirated copies

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE102006004240.9 2006-01-30
DE102006004240A DE102006004240A1 (de) 2006-01-30 2006-01-30 Method and device for detecting a pirated copy

Publications (1)

Publication Number Publication Date
WO2007085308A1 (fr) 2007-08-02

Family

ID=37671191

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2006/065680 WO2007085308A1 (fr) Method and device for identifying a pirated copy

Country Status (4)

Country Link
EP (1) EP1979848A1 (fr)
CN (1) CN101517585B (fr)
DE (1) DE102006004240A1 (fr)
WO (1) WO2007085308A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104424402A (zh) * 2013-08-28 2015-03-18 卓易畅想(北京)科技有限公司 Method and device for detecting pirated application programs

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001069356A2 (fr) * 2000-03-14 2001-09-20 Symantec Corporation Histogram-based virus detection
US20030191942A1 (en) * 2002-04-03 2003-10-09 Saurabh Sinha Integrity ordainment and ascertainment of computer-executable instructions
EP1582964A1 (fr) * 2004-04-01 2005-10-05 Shieldip, Inc. Method for detecting and identifying software
US6973577B1 (en) * 2000-05-26 2005-12-06 Mcafee, Inc. System and method for dynamically detecting computer viruses through associative behavioral analysis of runtime state

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100388243C (zh) * 2001-04-05 2008-05-14 玉帝·空来富有限公司 Method for preventing the execution of improperly copied application programs

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of EP1979848A1 *

Also Published As

Publication number Publication date
DE102006004240A1 (de) 2007-08-09
EP1979848A1 (fr) 2008-10-15
CN101517585A (zh) 2009-08-26
CN101517585B (zh) 2012-10-10

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 200680052033.4

Country of ref document: CN

121 Ep: the epo has been informed by wipo that ep was designated in this application
WWE Wipo information: entry into national phase

Ref document number: 2006793013

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 6318/DELNP/2008

Country of ref document: IN

NENP Non-entry into the national phase

Ref country code: DE