WO2015131324A1 - Software security detection method, apparatus and device - Google Patents

Info

Publication number
WO2015131324A1
Authority
WO
WIPO (PCT)
Prior art keywords
summary information
verification
original
software code
network element
Prior art date
Application number
PCT/CN2014/072826
Other languages
French (fr)
Chinese (zh)
Inventor
谭平
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司
Priority to PCT/CN2014/072826
Priority to CN201480000117.8A
Publication of WO2015131324A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis

Definitions

  • the present invention relates to the field of information security technologies, and in particular, to a software security detection method, apparatus, and device.
  • Background art
  • Malware can modify or replace software on some network element devices, invade the system of the network element device, destroy the system, or steal information on the network element device.
  • in the prior art, the integrity of the software on the network element device is verified by using a digital signature: the network management device generates a digital signature of the software when the software is released or upgraded, packages the digital signature with the software and sends the package to the network element device; the network element device verifies the security of the software according to the digital signature before loading it, and loads the software only after the verification passes.
  • the embodiment of the invention provides a software security detection method, apparatus and device, which solve the problem that, in the prior art, it is difficult for the network element device to protect the dynamic security of the software while it is running.
  • a software security detection method includes: a network management device obtains original summary information from a network element device, where the original summary information is summary information generated by the network element device for software code loaded in the memory;
  • the network management device receives verification summary information sent by the network element device, where the verification summary information is summary information generated by the network element device during the running of the software code; the network management device compares whether the verification summary information is consistent with the original summary information, and if not, determines that the software code is insecure, and if yes, determines that the software code is secure.
  • the network management device obtains the original summary information from the network element device, including: the network management device sends a request message for the original summary information to the network element device, and receives the original summary information returned by the network element device according to that request message; or
  • the network management device receives the original summary information reported to the network management device when the network element device loads the software code in the memory.
  • the network management device receives the verification summary information sent by the network element device, including:
  • the network management device receives the verification summary information reported by the network element device according to a set time period; or
  • the network management device sends a report request message for the verification summary information to the network element device, and receives the verification summary information returned by the network element device according to that report request message.
  • a software security detection method is provided, where the method includes:
  • the network element device sends the original summary information to the network management device, where the original summary information is summary information generated by the network element device for the software code loaded in the memory;
  • the network element device sends the verification summary information of the software code to the network management device during the running of the software code, so that the network management device determines whether the software code is secure by comparing the verification summary information with the original summary information.
  • the network element device sends the original summary information to the network management device, including:
  • the network element device receives the request message for the original summary information sent by the network management device, generates the original summary information for the software code loaded in the memory according to that request message, and sends the original summary information to the network management device; or the network element device generates the original summary information for the software code when the software code is loaded in the memory, and reports the original summary information to the network management device.
  • the network element device sends the verification summary information of the software code to the network management device during the running of the software code, including:
  • the network element device generates the verification summary information of the software code according to the set time period during the running of the software code, and sends the verification summary information to the network management device; or
  • the network element device receives the report request message for the verification summary information sent by the network management device during the running of the software code, generates the verification summary information of the software code according to that report request message, and sends the verification summary information to the network management device.
  • a software security detecting apparatus includes:
  • an obtaining unit configured to obtain original summary information from the network element device, where the original summary information is summary information generated by the network element device for software code loaded in the memory;
  • a receiving unit configured to receive the verification summary information sent by the network element device, where the verification summary information is summary information generated by the network element device during the running of the software code;
  • a detecting unit configured to compare whether the verification summary information received by the receiving unit is consistent with the original summary information obtained by the obtaining unit, and if not, determine that the software code is insecure, and if yes, determine that the software code is secure.
  • the obtaining unit includes: a request message sending subunit and a first original digest receiving subunit;
  • the request message sending subunit configured to send a request message for the original digest information to the network element device;
  • the first original digest receiving subunit configured to receive the original digest information returned by the network element device according to the request message sent by the request message sending subunit;
  • the obtaining unit includes: a second original digest receiving subunit; the second original digest receiving subunit is configured to receive the original digest information reported by the network element device when the software code is loaded in the memory.
  • the receiving unit includes: a first verification digest receiving subunit;
  • the first verification digest receiving subunit configured to receive the verification summary information reported by the network element device according to a set time period.
  • the receiving unit includes: a report request sending subunit and a second verification digest receiving subunit;
  • the report request sending subunit configured to send a report request message for the verification summary information to the network element device;
  • the second verification digest receiving subunit configured to receive the verification digest information returned by the network element device according to the report request message sent by the report request sending subunit.
  • a software security detecting apparatus includes:
  • the first sending unit is configured to send the original summary information to the network management device, where the original summary information is summary information generated for the software code loaded in the memory;
  • a second sending unit configured to send verification summary information of the software code to the network management device during the running of the software code, so that the network management device determines whether the software code is secure by comparing the verification summary information sent by the second sending unit with the original summary information sent by the first sending unit.
  • the first sending unit includes: a request message receiving subunit, a first original digest generating subunit, and a first original digest sending subunit;
  • the request message receiving subunit configured to receive a request message for the original summary information sent by the network management device;
  • the first original digest generating subunit configured to generate the original summary information for the software code loaded in the memory according to the request message received by the request message receiving subunit;
  • the first original digest sending subunit configured to send the original digest information generated by the first original digest generating subunit to the network management device.
  • the first sending unit includes: a second original digest generating subunit and a second original digest sending subunit;
  • the second original digest generating subunit configured to generate the original digest information for the software code when the software code is loaded in the memory
  • the second original digest sending subunit is configured to report, to the network management device, original digest information generated by the second original digest generating subunit.
  • the second sending unit includes: a first verification digest generating unit and a first verification digest sending subunit;
  • the first verification digest generating unit is configured to generate verification summary information of the software code according to a set time period during the running of the software code
  • the first verification digest sending subunit configured to send the verification digest information generated by the first verification digest generating unit to the network management device
  • the second sending unit includes: a report request receiving subunit, a second verification digest generating subunit, and a second verification digest sending subunit;
  • the report request receiving subunit configured to receive a report request message of the verification summary information sent by the network management device during the running of the software code
  • the second verification digest generating subunit configured to generate verification digest information of the software code according to the reporting request message of the verification digest information received by the reporting request receiving subunit;
  • the second verification digest sending subunit is configured to send the verification digest information generated by the second verification digest generating subunit to the network management device.
  • the fifth aspect provides a network management device, where the network management device includes: a network interface and a processor, where
  • the network interface configured to obtain original summary information from a network element device, where the original summary information is summary information generated by the network element device for software code loaded in a memory, and to receive verification summary information sent by the network element device, where the verification summary information is summary information generated by the network element device during the running of the software code;
  • the processor is configured to compare whether the verification summary information is consistent with the original summary information, and if not, determine that the software code is unsafe, and if yes, determine that the software code is secure.
  • the network interface is specifically configured to send a request message for the original digest information to the network element device and receive the original summary information returned by the network element device according to that request message; or to receive the original summary information reported to the network management device when the network element device loads the software code in the memory.
  • the network interface is specifically configured to receive the verification summary information reported by the network element device according to the set time period; or to send a report request message for the verification summary information to the network element device and receive the verification summary information returned by the network element device according to that report request message.
  • a network element device includes: a network interface and a processor, where
  • the processor is configured to send the original summary information to the network management device through the network interface, where the original summary information is summary information generated by the network element device for software code loaded in the memory, and to send the verification summary information of the software code to the network management device through the network interface during the running of the software code, so that the network management device determines whether the software code is secure by comparing the verification summary information with the original summary information.
  • the processor is specifically configured to: after the network interface receives the request message for the original digest information sent by the network management device, generate the original summary information for the software code loaded in the memory according to that request message and send it to the network management device through the network interface; or, when the software code is loaded in the memory, generate the original summary information for the software code and report it to the network management device through the network interface.
  • the processor is specifically configured to: during the running of the software code, generate the verification summary information of the software code according to the set time period and send it to the network management device through the network interface; or, during the running of the software code, after the network interface receives the report request message for the verification summary information sent by the network management device, generate the verification summary information of the software code according to that report request message and send it to the network management device through the network interface.
  • the network management device obtains the original summary information from the network element device, where the original summary information is summary information generated by the network element device for the software code loaded in the memory; during the running of the software code the network element device generates the verification summary information, and the network management device receives the verification summary information sent by the network element device and compares whether it is consistent with the original summary information. If not, it determines that the software code is insecure, and if so, it determines that the software code is secure.
  • the network element device can send the summary information of the software during its running process to the network management device, which can thereby detect whether the software is maliciously attacked while running, so that the security of the software running on the network element device is protected and the dynamic security of the software is improved.
  • FIG. 1A is a flow chart of an embodiment of a software security detection method according to the present invention.
  • FIG. 1B is a flow chart of another embodiment of a software security detection method according to the present invention.
  • FIG. 2 is a flow chart of another embodiment of a software security detection method according to the present invention.
  • FIG. 3 is a flow chart of another embodiment of a software security detection method according to the present invention.
  • FIG. 4 is a flowchart of another embodiment of a software security detection method according to the present invention.
  • FIG. 5 is a flowchart of another embodiment of a software security detection method according to the present invention.
  • FIG. 6 is a block diagram of an embodiment of a software security detecting apparatus according to the present invention.
  • FIG. 7 is a block diagram of another embodiment of a software security detecting apparatus of the present invention.
  • FIG. 8 is a block diagram of an embodiment of a network management device of the present invention.
  • FIG. 9 is a block diagram of an embodiment of a network element device of the present invention.
  • Detailed description
  • FIG. 1A is a flowchart of an embodiment of a software security detection method according to the present invention.
  • the embodiment describes a security detection process during software operation from a network management device side:
  • Step 101 The network management device obtains the original summary information from the network element device, where the original summary information is summary information generated by the network element device for the software code loaded in the memory.
  • the network management device may send a request message for the original digest information to the network element device, and receive the original digest information returned by the network element device according to that request message; or the network management device may also receive the original digest information reported by the network element device when it loads the software code in the memory.
  • Step 102 The network management device receives the verification summary information sent by the network element device, where the verification summary information is summary information generated by the network element device during the running of the software code.
  • the network management device may receive the verification summary information reported by the network element device according to the set time period; or the network management device may send a report request message for the verification summary information to the network element device, and receive the verification summary information returned by the network element device according to that report request message.
  • Step 103 The network management device compares whether the verification summary information is consistent with the original summary information. If not, it determines that the software code is insecure, and if so, it determines that the software code is secure.
  • FIG. 1B is a flowchart of another embodiment of a software security detection method according to the present invention. The embodiment describes a security detection process during software operation from a network element device side:
  • Step 111 The network element device sends the original summary information to the network management device, where the original summary information is summary information generated by the network element device for the software code loaded in the memory.
  • the network element device may receive the request message for the original summary information sent by the network management device, generate the original summary information for the software code loaded in the memory according to that request message, and send the original summary information to the network management device; or the network element device may also generate the original summary information for the software code when the software code is loaded in the memory, and report the original summary information to the network management device.
  • Step 112 The network element device sends the verification summary information of the software code to the network management device during the running of the software code, so that the network management device determines whether the software code is secure by comparing the verification summary information with the original summary information.
  • the network element device may generate the verification summary information of the software code according to the set time period during the running of the software code, and send the verification summary information to the network management device; or the network element device may also, during the running of the software code, receive the report request message for the verification summary information sent by the network management device, generate the verification summary information of the software code according to that report request message, and send the verification summary information to the network management device.
  • the network element device can send the summary information of the software during its running process to the network management device, which can thereby detect whether the software is maliciously attacked while running, so that the security of the software running on the network element device is protected and the dynamic security of the software is improved.
  • Step 201 The network element device loads the software into the memory.
  • the network element device may be specifically a single board or the like.
  • the network element device may be provided with a system on chip (SoC) security chip and a memory connected through a bus, where the SoC security chip may further include a central processing unit (CPU), a field-programmable gate array (FPGA), a digital signal processor (DSP), a complex programmable logic device (CPLD), and the like.
  • the memory can include random access memory (RAM), flash memory, and the like.
  • when the network management device releases new software or software that upgrades the existing software, it generates a digital signature for the software: the network management device calculates the summary information of the software and encrypts the summary information with its private key to generate the digital signature, packages the digital signature in the software, and sends the software package to the network element device.
  • after receiving the software package, the network element device obtains the digital signature therein and decrypts the digital signature with the public key to obtain first summary information, and calculates second summary information of the software in the same manner as the network management device side. If the first summary information is consistent with the second summary information, the software to be loaded is safe; if the first summary information is inconsistent with the second summary information, the software to be loaded is not secure. This ensures the static security of the software to be loaded.
  • the software is then loaded into the memory, and the loading process may include decompressing and initializing the software. After loading is completed, the software usually runs in memory in the form of software code, i.e. the software to be loaded is different from the software code loaded into memory.
  • Step 202 The network management device sends a request message of the original summary information to the network element device.
  • the network management device can be specifically an operation and maintenance center (OMC) device, and each network management device can implement communication with multiple network element devices.
  • the network management device may send the request message for the original summary information to the network element device a preset time after the software package has been sent to the network element device, so as to ensure that the network element device can complete the loading of the software code in the memory.
  • Step 203 The network element device generates the original summary information for the software code loaded in the memory according to the request message for the original summary information.
  • the network element device calculates the digest information of the software code that has been loaded in the memory, and uses the digest information as the original digest information.
  • the summary information may also be referred to as a message digest, or a digital digest, which is a unique fixed-length value corresponding to the software code and may be generated by applying a one-way hash function to the software code. If the software code itself changes, the calculated summary information will also change, so the summary information can verify the security and integrity of the software code.
  • Step 204 The network element device sends the original summary information to the network management device.
  • Step 205 The network management device saves the original summary information.
  • Step 206 The network element device generates the verification summary information of the software code according to the set time period during the running of the software code.
  • the network element device may calculate the summary information of the software code according to the set time period during the running of the software code, and use the summary information as the verification summary information.
  • the network element device can set a timer; when the timer period arrives, the network element device is triggered to calculate the verification summary information for that period. In this step, the calculation method and process of the verification summary information are the same as those of the original summary information, and are not described here again.
  • Step 207 The network element device reports the verification summary information to the network management device.
  • Step 208 The network management device compares the verification summary information with the original summary information. When the verification summary information is inconsistent with the original summary information, the software code is determined to be insecure; when the verification summary information is consistent with the original summary information, the software code is determined to be secure.
  • the network management device can obtain the saved original summary information, and then compare whether the verification summary information is consistent with the original summary information. If they are consistent, it can be determined that the software code has not been tampered with during operation, and the software code is secure. If it is inconsistent, it can be determined that the software code has been tampered with during operation, so the software code is not secure. At this time, the network management device can trigger an alarm, or the administrator can perform manual intervention.
  • the network element device can send the summary information of the software during its running process to the network management device, which can thereby detect whether the software is maliciously attacked while running, so that the security of the software running on the network element device is protected and the dynamic security of the software is improved.
  • Step 301 The network element device loads software into the memory.
  • the network element device may be specifically a single board or the like, and the network element device may be provided with a SoC security chip and a memory, wherein the SoC security chip may further include a CPU, an FPGA, a DSP, a CPLD, and the like.
  • the memory can contain RAM, Flash, and so on.
  • when the network management device releases new software or software that upgrades existing software, it generates a digital signature for the software, packages the digital signature in the software, and sends the software package to the network element device.
  • after receiving the software package, the network element device obtains the digital signature therein and determines whether the software is safe by verifying the digital signature, so as to ensure the static security of the software to be loaded.
  • the specific process of verifying the received software by the network element device is consistent with the description in the foregoing step 201, and details are not described herein again.
  • the software is loaded into the memory, and the loading process may include decompressing and initializing the software. After loading is completed, the software usually runs in memory in the form of software code, i.e. the software to be loaded is different from the software code loaded into memory.
  • Step 302 The network management device sends a request message of the original summary information to the network element device.
  • the network management device can be specifically an OMC device, and each network management device can implement communication with multiple network element devices.
  • the network management device may send the request message of the original summary information to the network element device; it may send the request message a preset time after the software package has been sent to the network element device, so as to ensure that the network element device has completed loading the software code in memory.
  • Step 303 The network element device generates the original summary information for the software code loaded in the memory according to the request message of the original summary information.
  • the network element device calculates the digest information of the software code that has been loaded in the memory, and uses the digest information as the original digest information.
  • the summary information may be generated by a one-way hash function applied to the software code. If the software code itself changes, the calculated summary information also changes, so the summary information can be used to verify the security and integrity of the software code.
  • Step 304 The network element device sends the original summary information to the network management device.
  • Step 305 The network management device saves the original summary information.
  • Step 306 The network element device receives the report request message of the verification summary information sent by the network management device during the running of the software code.
  • Step 307 The network element device generates verification summary information of the software code according to the report request message of the verification summary information.
  • after receiving the report request message of the verification summary information, the network element device calculates the summary information of the software code currently running in memory and uses it as the verification summary information. The calculation method and process of the verification summary information are consistent with those of the original summary information and are not repeated here.
  • Step 308 The network element device sends the verification summary information to the network management device.
  • Step 309 The network management device compares the verification summary information with the original summary information. When the verification summary information is inconsistent with the original summary information, it determines that the software code is insecure; when the verification summary information is consistent with the original summary information, it determines that the software code is secure.
  • after receiving the verification summary information, the network management device can obtain the saved original summary information and then compare whether the verification summary information is consistent with the original summary information. If they are consistent, it can be determined that the software code has not been tampered with during the running process, and the software code is secure. If they are inconsistent, it can be determined that the software code has been tampered with during operation, so the software code is not secure. At this time, the network management device can trigger an alarm, or the administrator can perform manual intervention.
  • the network element device can send the summary information during the running of the software to the network management device, so that it can detect whether the software is maliciously attacked while running; the security of the software running on the network element device is thereby protected, improving the dynamic security of the software.
  • FIG. 4 is a flowchart of another embodiment of the software security detection method of the present invention:
  • Step 401 The network element device loads the software into the memory.
  • the network element device may be specifically a single board or the like, and the network element device may be provided with a SoC security chip and a memory, wherein the SoC security chip may further include a CPU, an FPGA, a DSP, a CPLD, and the like.
  • the memory can contain RAM, Flash, and so on.
  • Step 402 The network element device generates original summary information for the software code when the software code is loaded in the memory.
  • the network element device in this embodiment may generate summary information of the software code in real time after loading the software code, and use the summary information as the original summary information.
  • the summary information may be generated by a one-way hash function applied to the software code. If the software code itself changes, the calculated summary information also changes, so the summary information can be used to verify the security and integrity of the software code.
  • Step 403 The network element device reports the original summary information to the network management device.
  • Step 404 The network management device saves the original summary information.
  • Step 405 The network element device generates the verification summary information of the software code according to the set time period during the running of the software code.
  • the network element device may calculate the summary information of the software code according to the set time period during the running of the software code, and use the summary information as the verification summary information.
  • the network element device can set a timer. When the timer period of the timer arrives, the network element device is triggered to calculate the verification summary information of the timing period. In this step, the calculation method and process of the verification summary information are consistent with the original summary information, and are not described here.
  • Step 406 The network element device reports the verification summary information to the network management device.
  • Step 407 The network management device compares the verification summary information with the original summary information. When the verification summary information is inconsistent with the original summary information, the software code is determined to be insecure; when the verification summary information is consistent with the original summary information, the software code is determined to be secure.
  • after receiving the verification summary information, the network management device can obtain the saved original summary information and then compare whether the verification summary information is consistent with the original summary information. If they are consistent, it can be determined that the software code has not been tampered with during operation, and the software code is secure. If they are inconsistent, it can be determined that the software code has been tampered with during operation, so the software code is not secure. At this time, the network management device can trigger an alarm, or the administrator can perform manual intervention.
  • the network element device can send the summary information during the running of the software to the network management device, so that it can detect whether the software is maliciously attacked while running; the security of the software running on the network element device is thereby protected, improving the dynamic security of the software.
  • Step 501 The network element device loads the software into the memory.
  • the network element device may be specifically a single board or the like, and the network element device may be provided with a SoC security chip and a memory, wherein the SoC security chip may further include a CPU, an FPGA, a DSP, a CPLD, and the like.
  • the memory can contain RAM, Flash, and so on.
  • when the network management device releases new software, or software that upgrades existing software, it generates a digital signature for the software, packages the digital signature with the software, and sends the software package to the network element device.
  • after receiving the software package, the network element device obtains the digital signature from it and determines whether the software is secure by verifying the digital signature, thereby ensuring the static security of the software to be loaded.
  • the specific process of verifying the received software by the network element device is consistent with the description in the foregoing step 201, and details are not described herein again.
  • Step 502 The network element device generates original summary information for the software code when the software code is loaded in the memory.
  • Step 503 The network element device reports the original summary information to the network management device.
  • Step 504 The network management device saves the original summary information.
  • the network element device in this embodiment may generate summary information of the software code in real time after the software code is loaded, and use the summary information as the original summary information.
  • the summary information may be generated by a one-way Hash encryption function acting on the software code. If the software code itself changes, the calculated summary information may also change, so the summary information can verify the security of the software code and Integrity.
  • Step 505 The network element device receives the report request message of the verification summary information sent by the network management device during the running of the software code.
  • compared with the embodiments shown in FIG. 2 and FIG. 4, the difference is that, while the software code is running on the network element device, the network management device can send the report request message of the verification summary information at any time according to the administrator's requirement.
  • Step 506 The network element device generates verification summary information of the software code according to the report request message of the verification summary information.
  • after receiving the report request message of the verification summary information, the network element device calculates the summary information of the software code currently running in memory and uses it as the verification summary information. The calculation method and process of the verification summary information are consistent with those of the original summary information and are not repeated here.
  • Step 507 The network element device sends the verification summary information to the network management device.
  • Step 508 The network management device compares the verification summary information with the original summary information. When the verification summary information is inconsistent with the original summary information, it determines that the software code is insecure; when the verification summary information is consistent with the original summary information, it determines that the software code is secure.
  • the network management device can obtain the saved original summary information, and then compare whether the verification summary information is consistent with the original summary information. If they are consistent, it can be determined that the software code has not been tampered with during the operation, and the software code is secure. If it is inconsistent, it can be determined that the software code has been tampered with during operation, so the software code is not secure. At this time, the network management device can trigger an alarm, or the administrator can perform manual intervention.
  • the network element device can send the summary information during the running of the software to the network management device, so that it can detect whether the software is maliciously attacked while running; the security of the software running on the network element device is thereby protected, improving the dynamic security of the software.
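  • The flows of Steps 301-309, 401-407 and 501-508 above all reduce to the same mechanism: the network element hashes the code actually loaded in memory, the network management device saves that original digest, and later verification digests (timer-driven or on request) are compared against it. The following simulation is an added example and is not code from the patent or from its assignee; the SHA-256 digest, the zlib-compressed package, the class and function names, and the sample code image are all assumptions made here for illustration. It also shows the point made at step 301 that the shipped package and the loaded code differ, so the baseline must be taken over the in-memory image.

```python
"""Simulation of the two-phase digest check in Steps 301-309, 401-407 and
501-508: the network element (NE) hashes the software code loaded in its
memory, the network management device (NM) saves that original digest, and
verification digests sent later (on request or on a timer) are compared
against it. Added example; names and digest choice are assumptions."""
import hashlib
import hmac
import zlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed stand-in for the software code as it sits in memory after
# loading; the shipped package is its compressed form (the page notes that
# the package and the loaded code differ, so the digest covers the latter).
SAMPLE_CODE_IMAGE = bytes(range(256)) * 16          # 4 KiB, deterministic
SAMPLE_PACKAGE = zlib.compress(SAMPLE_CODE_IMAGE)   # what the NM ships


def summary_info(code: bytes) -> str:
    """One-way hash of the code. SHA-256 is an assumed choice; the page only
    says 'one-way hash function'."""
    return hashlib.sha256(code).hexdigest()


class NetworkElement:
    """Simulated single board: a memory region plus the digest routines."""

    def __init__(self, ne_id: str) -> None:
        self.ne_id = ne_id
        self.memory: Optional[bytearray] = None

    def load(self, package: bytes) -> None:
        # Step 301/401/501: decompress and 'initialise' into memory. The
        # static signature check on the package (step 201) is not modelled.
        self.memory = bytearray(zlib.decompress(package))

    def original_summary(self) -> str:
        # Step 303/402/502: digest of the code actually loaded in memory.
        return summary_info(bytes(self.memory))

    def verification_summary(self) -> str:
        # Step 307/405/506: same function over the code currently in memory.
        return summary_info(bytes(self.memory))


@dataclass
class NetworkManager:
    """Simulated OMC side: one saved original digest per NE, plus alarms."""
    originals: Dict[str, str] = field(default_factory=dict)
    alarms: List[str] = field(default_factory=list)

    def obtain_original(self, ne: NetworkElement) -> None:
        # Steps 302-305: request the original digest and save it.
        self.originals[ne.ne_id] = ne.original_summary()

    def accept_reported_original(self, ne_id: str, summary: str) -> None:
        # Steps 403-404 / 503-504: the NE reports right after loading.
        self.originals[ne_id] = summary

    def verify(self, ne_id: str, verification: str) -> bool:
        # Step 309/407/508: consistent -> secure; otherwise raise an alarm.
        original = self.originals.get(ne_id)
        if original is None:
            raise KeyError(f"no original summary saved for {ne_id}")
        ok = hmac.compare_digest(original, verification)
        if not ok:
            self.alarms.append(f"{ne_id}: software code changed at run time")
        return ok

    def request_verification(self, ne: NetworkElement) -> bool:
        # Steps 306-309 / 505-508: report request, reply, compare.
        return self.verify(ne.ne_id, ne.verification_summary())


def periodic_checks(ne: NetworkElement, nm: NetworkManager, ticks: int) -> List[bool]:
    # Steps 405-407: on each timer tick the NE reports a fresh verification digest.
    return [nm.verify(ne.ne_id, ne.verification_summary()) for _ in range(ticks)]


def run_scenario() -> dict:
    """Load, take the baseline, run two clean periodic checks, then change one
    byte of the running code, which the next on-request check must flag."""
    ne = NetworkElement("board-1")
    ne.load(SAMPLE_PACKAGE)
    nm = NetworkManager()
    nm.obtain_original(ne)
    before = periodic_checks(ne, nm, 2)
    ne.memory[0x100] ^= 0xFF      # simulated in-memory modification
    after = nm.request_verification(ne)
    return {
        "package_differs": summary_info(SAMPLE_PACKAGE) != nm.originals["board-1"],
        "before": before,
        "after": after,
        "alarms": len(nm.alarms),
    }


if __name__ == "__main__":
    print(run_scenario())
```

  • Two design points carry over to a real deployment: the verification digest is only meaningful if it is computed by the same function over the same memory region as the baseline, and the network management device's verdict is only as trustworthy as the measuring code on the network element, which is why the page places that code behind a SoC security chip and pairs the run-time check with the signed-package check performed before loading.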
  • the present invention also provides an embodiment of a software security detecting device, a network management device, and a network element device.
  • a software security detecting apparatus may be disposed on a network management device side:
  • the apparatus includes: an obtaining unit 610, a receiving unit 620, and a detecting unit 630.
  • the obtaining unit 610 is configured to obtain original summary information from the network element device, where the original summary information is summary information generated by the network element device for software code loaded in the memory;
  • the receiving unit 620 is configured to receive the verification summary information sent by the network element device, where the verification summary information is summary information generated by the network element device during the running of the software code;
  • the detecting unit 630 is configured to compare whether the verification summary information received by the receiving unit 620 is consistent with the original summary information obtained by the obtaining unit 610; if not, it determines that the software code is insecure, and if so, it determines that the software code is secure.
  • the obtaining unit 610 may include (not shown in FIG. 6):
  • a request message sending subunit, configured to send a request message of the original digest information to the network element device;
  • a first original digest receiving subunit, configured to receive the original digest information returned by the network element device according to the request message sent by the request message sending subunit.
  • the obtaining unit 610 may also include (not shown in FIG. 6):
  • a second original digest receiving subunit, configured to receive the original summary information reported by the network element device when it has finished loading the software code in the memory.
  • the receiving unit 620 may include (not shown in FIG. 6):
  • the first verification digest receiving subunit is configured to receive the verification digest information reported by the network element device according to the set time period;
  • the receiving unit 620 may also include (not shown in FIG. 6):
  • a report request sending subunit, configured to send a report request message of the verification summary information to the network element device;
  • a second verification digest receiving subunit, configured to receive the verification digest information returned by the network element device according to the report request message sent by the report request sending subunit.
  • FIG. 7 is a block diagram of another embodiment of a software security detecting apparatus according to the present invention.
  • the apparatus may be disposed on a network element device side:
  • the apparatus includes: a first transmitting unit 710 and a second transmitting unit 720.
  • the first sending unit 710 is configured to send the original summary information to the network management device, where the original summary information is summary information generated for the software code loaded in the memory;
  • the second sending unit 720 is configured to send the verification summary information of the software code to the network management device during the running of the software code, so that the network management device determines whether the software code is secure by comparing the verification summary information sent by the second sending unit with the original summary information sent by the first sending unit.
  • the first sending unit 710 may include (not shown in FIG. 7):
  • a request message receiving subunit configured to receive a request message of the original digest information sent by the network management device;
  • a first original digest generating subunit, configured to generate the original digest information for the software code loaded in the memory according to the request message received by the request message receiving subunit;
  • the first original digest sending subunit is configured to send the original digest information generated by the first original digest generating subunit to the network management device.
  • the first sending unit 710 may also include (not shown in FIG. 7):
  • a second original digest generating subunit, configured to generate the original digest information for the software code when the software code is loaded in the memory;
  • a second original digest sending subunit configured to report, to the network management device, original digest information generated by the second original digest generating subunit.
  • the second sending unit 720 may include (not shown in FIG. 7):
  • a first verification digest generating subunit, configured to generate verification summary information of the software code according to a set time period during the running of the software code;
  • the first verification digest sending subunit is configured to send the verification digest information generated by the first verification digest generating unit to the network management device.
  • the second sending unit 720 may also include (not shown in FIG. 7):
  • a report request receiving subunit, configured to receive a report request message of the verification summary information sent by the network management device during the running of the software code;
  • a second verification digest generating subunit configured to generate verification digest information of the software code according to the reporting request message of the verification digest information received by the reporting request receiving subunit;
  • the second verification digest sending subunit is configured to send the verification digest information generated by the second verification digest generating subunit to the network management device.
  • FIG. 8 is a block diagram of an embodiment of the network management device of the present invention:
  • the network management device includes: a network interface 810 and a processor 820.
  • the network interface 810 is configured to obtain original summary information from a network element device, where the original summary information is summary information generated by the network element device for software code loaded in a memory, and to receive the verification summary information sent by the network element device, where the verification summary information is summary information generated by the network element device during the running of the software code;
  • the processor 820 is configured to compare whether the verification summary information is consistent with the original summary information; if not, it determines that the software code is unsafe, and if so, it determines that the software code is secure.
  • the network interface 810 may be specifically configured to send a request message of the original digest information to the network element device and receive the original digest information returned by the network element device according to that request message; or to receive the original summary information reported to the network management device when the network element device has finished loading the software code in the memory.
  • the network interface 810 may be specifically configured to receive the verification summary information reported by the network element device according to a set time period; or to send a report request message of the verification summary information to the network element device and receive the verification summary information returned by the network element device according to that report request message.
  • FIG. 9 is a block diagram of an embodiment of a network element device of the present invention:
  • the network element device includes: a network interface 910 and a processor 920.
  • the processor 920 is configured to send the original summary information to the network management device through the network interface 910, where the original summary information is summary information generated by the network element device for the software code loaded in the memory, and to send the verification summary information of the software code to the network management device through the network interface 910 during the running of the software code, so that the network management device determines whether the software code is secure by comparing the verification summary information with the original summary information.
  • the processor 920 may be specifically configured to: when the network interface receives the request message of the original digest information sent by the network management device, generate the original summary information for the software code loaded in the memory according to that request message and send the original summary information to the network management device through the network interface; or, when the software code has been loaded in the memory, generate the original summary information for the software code and report it to the network management device through the network interface.
  • the processor 920 may be specifically configured to: during the running of the software code, generate the verification summary information of the software code according to the set time period and send it to the network management device through the network interface; or, during the running of the software code, after the network interface receives the report request message of the verification summary information sent by the network management device, generate the verification summary information of the software code according to that report request message and send it to the network management device through the network interface.
  • the network management device obtains the original summary information from the network element device, where the original summary information is summary information generated by the network element device for the software code loaded in the memory; the network element device generates verification summary information during the running of the software code; and the network management device receives the verification summary information sent by the network element device and compares whether it is consistent with the original summary information. If not, it determines that the software code is insecure; if so, it determines that the software code is secure.
  • the network element device can send the summary information during the running of the software to the network management device, so that it can detect whether the software is maliciously attacked while running; the security of the software running on the network element device is thereby protected, improving the dynamic security of the software.
  • the techniques in the embodiments of the present invention can be implemented by means of software plus the necessary general hardware platform. Based on such an understanding, the technical solution in the embodiments of the present invention may in essence be embodied in the form of a software product, which may be stored in a storage medium such as a ROM/RAM, a diskette or an optical disk, and includes instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform the methods described in the various embodiments of the present invention or in some portions of the embodiments.

Abstract

A software security detection method, apparatus and device. The method comprises: a network management device obtaining original summary information from a network element device, the original summary information being summary information generated by the network element device for software code loaded in a memory; the network management device receiving verification summary information sent by the network element device, the verification summary information being summary information generated by the network element device during the running of the software code; and the network management device comparing the verification summary information with the original summary information to determine whether they are consistent, if not, determining that the software code is not secure, and if yes, determining that the software code is secure. By using embodiments of the present invention, whether software suffers a malicious attack during the running of the software can be detected because a network element device can send, to a network management device, summary information during the running of the software, so that the security of software running on the network element device can be protected, thereby improving the dynamic security of the software.

Description

软件安全性柃测方法、 装置及设备  Software security testing method, device and device
技术领域 Technical field
[01] 本发明涉及信息安全技术领域, 特别涉及软件安全性检测方法、 装置及设备。 背景技术 [01] The present invention relates to the field of information security technologies, and in particular, to a software security detection method, apparatus, and device. Background technique
[02] 恶意软件可以通过修改、 替换某些网元设备上的软件, 入侵网元设备的系统, 并对系统进行破坏, 或者窃取网元设备上的信息。现有技术中, 通常可以采用数字签 名的方式对网元设备上软件的完整性进行验证,即网管设备可以在发布软件或者进行 软件升级时, 生成软件的数字签名, 并将数字签名打包在软件中, 然后发送给网元设 备, 网元设备在加载软件之前, 根据数字签名对软件的安全性进行验证, 验证通过后 对软件进行加载。 [02] Malware can modify or replace software on some network element devices, invade the system of the network element device, destroy the system, or steal information on the network element device. In the prior art, the integrity of the software on the network element device can be verified by using a digital signature, that is, the network management device can generate a digital signature of the software when the software is released or upgraded, and package the digital signature in the software. Then, it is sent to the network element device, and the network element device verifies the security of the software according to the digital signature before loading the software, and loads the software after the verification is passed.
[03] 发明人在对现有技术的研究过程中发现, 在对网元设备上软件的完整性和可信 性进行保护时,通常只能在软件加载之前进行验证,这种验证方式是一种静态的验证 方式,当软件在加载完成后的运行过程中受到恶意攻击时,由于难以对软件进行验证, 因此降低了网元设备上软件运行过程中的动态安全性。 发明内容 [03] The inventor found in the research process of the prior art that when the integrity and credibility of the software on the network element device is protected, the verification can usually only be performed before the software is loaded. A static verification method, when the software is maliciously attacked during the running process, the software is difficult to verify, thus reducing the dynamic security of the software running on the network element device. Summary of the invention
[04] 本发明实施例提供了软件安全性检测方法、 装置及设备, 以解决现有技术中的 网元设备难以保护软件运行过程中的动态安全性的问题。 The embodiment of the invention provides a software security detection method, device and device, which solves the problem that the network element device in the prior art is difficult to protect the dynamic security during the running of the software.
[05] 为了解决上述技术问题, 本发明实施例公开了如下技术方案: [06] 第一方面, 提供一种软件安全性检测方法, 所述方法包括: [07] 网管设备从网元设备获得原始摘要信息, 所述原始摘要信息是所述网元设备为 加载在内存中的软件代码生成的摘要信息; [05] In order to solve the above technical problem, the embodiment of the present invention discloses the following technical solution: [06] In a first aspect, a software security detection method is provided, where the method includes: [07] a network management device obtains from a network element device The original summary information, where the original summary information is summary information generated by the network element device for software code loaded in the memory;
[08] 所述网管设备接收所述网元设备发送的验证摘要信息, 所述验证摘要信息是所 述网元设备在所述软件代码运行过程中生成的摘要信息; [09] 所述网管设备比较所述验证摘要信息与所述原始摘要信息是否一致, 若否, 则 确定所述软件代码不安全, 若是, 则确定所述软件代码安全。 [08] The network management device receives the verification summary information sent by the network element device, where the verification summary information is summary information generated by the network element device during the running of the software code; [09] The network management device compares whether the verification summary information is consistent with the original summary information, and if not, determines that the software code is unsecure, and if yes, determines that the software code is secure.
[10] 结合第一方面, 在第一方面的第一种可能的实现方式中, 所述网管设备从网元 设备获得原始摘要信息, 包括: [11] 所述网管设备向所述网元设备发送原始摘要信息的请求消息, 并接收所述网元 设备根据所述原始摘要信息的请求消息返回的所述原始摘要信息; 或者, [10] In combination with the first aspect, in a first possible implementation manner of the first aspect, the network management device obtains the original summary information from the network element device, including: [11] the network management device to the network element device Sending a request message of the original summary information, and receiving the original summary information returned by the network element device according to the request message of the original summary information; or
[12] 所述网管设备接收所述网元设备在内存中加载完所述软件代码时, 向所述网管 设备上报的所述原始摘要信息。 [12] The network management device receives the original summary information reported to the network management device when the network element device loads the software code in the memory.
[13] 结合第一方面, 或第一方面的第一种可能的实现方式, 在第一方面的第二种可 能的实现方式中, 所述网管设备接收所述网元设备发送的验证摘要信息, 包括: [13] In combination with the first aspect, or the first possible implementation manner of the first aspect, in a second possible implementation manner of the first aspect, the network management device receives the verification summary information sent by the network element device , including:
[14] 所述网管设备接收所述网元设备按照设置的时间周期上报的所述验证摘要信 息; 或者, [14] The network management device receives the verification summary information reported by the network element device according to a set time period; or
[15] 所述网管设备向所述网元设备发送验证摘要信息的上报请求消息, 并接收所述 网元设备根据所述验证摘要信息的上报请求消息返回的所述验证摘要信息。 [16] 第二方面, 提供一种软件安全性检测方法, 所述方法包括: [15] The network management device sends a report request message for verifying summary information to the network element device, and receives the verification summary information returned by the network element device according to the report request message of the verification summary information. [16] In a second aspect, a software security detection method is provided, where the method includes:
[17] a network element device sending original digest information to a network management device, the original digest information being digest information generated by the network element device for the software code loaded in memory;
[18] the network element device sending verification digest information of the software code to the network management device while the software code is running, so that the network management device determines whether the software code is secure by comparing the verification digest information with the original digest information.
[19] With reference to the second aspect, in a first possible implementation of the second aspect, the network element device sending the original digest information to the network management device includes:
[20] the network element device receiving a request message for original digest information sent by the network management device, generating the original digest information for the software code loaded in memory in response to that request message, and sending the original digest information to the network management device; or
[21] the network element device, after finishing loading the software code into memory, generating the original digest information for the software code and reporting the original digest information to the network management device.
[22] With reference to the second aspect or the first possible implementation of the second aspect, in a second possible implementation of the second aspect, the network element device sending the verification digest information of the software code to the network management device while the software code is running includes:
[23] the network element device, while the software code is running, generating the verification digest information of the software code according to a set time period and sending the verification digest information to the network management device; or
[24] the network element device, while the software code is running, receiving a report request message for verification digest information sent by the network management device, generating the verification digest information of the software code in response to that report request message, and sending the verification digest information to the network management device.
[25] In a third aspect, a software security detection apparatus is provided, the apparatus including:
[26] an obtaining unit, configured to obtain original digest information from a network element device, the original digest information being digest information generated by the network element device for the software code loaded in memory;
[27] a receiving unit, configured to receive verification digest information sent by the network element device, the verification digest information being digest information generated by the network element device while the software code is running;
[28] a detection unit, configured to compare whether the verification digest information received by the receiving unit is consistent with the original digest information obtained by the obtaining unit, and if not, determine that the software code is not secure, or if so, determine that the software code is secure.
[29] With reference to the third aspect, in a first possible implementation of the third aspect,
[30] the obtaining unit includes a request message sending subunit and a first original digest receiving subunit;
[31] the request message sending subunit is configured to send a request message for original digest information to the network element device;
[32] the first original digest receiving subunit is configured to receive the original digest information returned by the network element device in response to the request message for original digest information sent by the request message sending subunit;
[33] or, the obtaining unit includes a second original digest receiving subunit;
[34] the second original digest receiving subunit is configured to receive the original digest information reported by the network element device after it finishes loading the software code into memory.
[35] With reference to the third aspect or the first possible implementation of the third aspect, in a second possible implementation of the third aspect,
[36] the receiving unit includes a first verification digest receiving subunit;
[37] the first verification digest receiving subunit is configured to receive the verification digest information reported by the network element device according to a set time period;
[38] or, the receiving unit includes a report request sending subunit and a second verification digest receiving subunit;
[39] the report request sending subunit is configured to send a report request message for verification digest information to the network element device;
[40] the second verification digest receiving subunit is configured to receive the verification digest information returned by the network element device in response to the report request message for verification digest information sent by the report request sending subunit.
[41] In a fourth aspect, a software security detection apparatus is provided, the apparatus including:
[42] a first sending unit, configured to send original digest information to a network management device, the original digest information being digest information generated for the software code loaded in memory;
[43] a second sending unit, configured to send verification digest information of the software code to the network management device while the software code is running, so that the network management device determines whether the software code is secure by comparing the verification digest information sent by the second sending unit with the original digest information sent by the first sending unit.
[44] With reference to the fourth aspect, in a first possible implementation of the fourth aspect,
[45] the first sending unit includes a request message receiving subunit, a first original digest generating subunit and a first original digest sending subunit;
[46] the request message receiving subunit is configured to receive a request message for original digest information sent by the network management device;
[47] the first original digest generating subunit is configured to generate the original digest information for the software code loaded in memory in response to the request message for original digest information received by the request message receiving subunit;
[48] the first original digest sending subunit is configured to send the original digest information generated by the first original digest generating subunit to the network management device;
[49] or, the first sending unit includes a second original digest generating subunit and a second original digest sending subunit;
[50] the second original digest generating subunit is configured to generate the original digest information for the software code after the software code has finished loading into memory;
[51] the second original digest sending subunit is configured to report the original digest information generated by the second original digest generating subunit to the network management device.
[52] With reference to the fourth aspect or the first possible implementation of the fourth aspect, in a second possible implementation of the fourth aspect,
[53] the second sending unit includes a first verification digest generating unit and a first verification digest sending subunit;
[54] the first verification digest generating unit is configured to generate the verification digest information of the software code according to a set time period while the software code is running;
[55] the first verification digest sending subunit is configured to send the verification digest information generated by the first verification digest generating unit to the network management device;
[56] or, the second sending unit includes a report request receiving subunit, a second verification digest generating subunit and a second verification digest sending subunit;
[57] the report request receiving subunit is configured to receive, while the software code is running, a report request message for verification digest information sent by the network management device;
[58] the second verification digest generating subunit is configured to generate the verification digest information of the software code in response to the report request message for verification digest information received by the report request receiving subunit;
[59] the second verification digest sending subunit is configured to send the verification digest information generated by the second verification digest generating subunit to the network management device.
[60] In a fifth aspect, a network management device is provided, the network management device including a network interface and a processor, where
[61] the network interface is configured to obtain original digest information from a network element device, the original digest information being digest information generated by the network element device for the software code loaded in memory, and to receive verification digest information sent by the network element device, the verification digest information being digest information generated by the network element device while the software code is running;
[62] the processor is configured to compare whether the verification digest information is consistent with the original digest information, and if not, determine that the software code is not secure, or if so, determine that the software code is secure.
[63] With reference to the fifth aspect, in a first possible implementation of the fifth aspect, the network interface is specifically configured to send a request message for original digest information to the network element device and receive the original digest information returned by the network element device in response to that request message; or to receive the original digest information that the network element device reports to the network management device after finishing loading the software code into memory.
[64] With reference to the fifth aspect or the first possible implementation of the fifth aspect, in a second possible implementation of the fifth aspect, the network interface is specifically configured to receive the verification digest information reported by the network element device according to a set time period; or to send a report request message for verification digest information to the network element device and receive the verification digest information returned by the network element device in response to that report request message.
[65] In a sixth aspect, a network element device is provided, the network element device including a network interface and a processor, where
[66] the processor is configured to send original digest information to a network management device through the network interface, the original digest information being digest information generated by the network element device for the software code loaded in memory, and, while the software code is running, to send verification digest information of the software code to the network management device through the network interface, so that the network management device determines whether the software code is secure by comparing the verification digest information with the original digest information.
[67] With reference to the sixth aspect, in a first possible implementation of the sixth aspect, the processor is specifically configured to: after the network interface receives a request message for original digest information sent by the network management device, generate the original digest information for the software code loaded in memory in response to that request message and send the original digest information to the network management device through the network interface; or, after finishing loading the software code into memory, generate the original digest information for the software code and report the original digest information to the network management device through the network interface.
[68] With reference to the sixth aspect or the first possible implementation of the sixth aspect, in a second possible implementation of the sixth aspect, the processor is specifically configured to: while the software code is running, generate the verification digest information of the software code according to a set time period and send the verification digest information to the network management device through the network interface; or, while the software code is running and after the network interface receives a report request message for verification digest information sent by the network management device, generate the verification digest information of the software code in response to that report request message and send the verification digest information to the network management device through the network interface.
[69] In the embodiments of the present invention, the network management device obtains original digest information from the network element device, the original digest information being digest information generated by the network element device for the software code loaded in memory; the network element device generates verification digest information while the software code is running; and the network management device receives the verification digest information sent by the network element device and compares whether it is consistent with the original digest information, and if not, determines that the software code is not secure, or if so, determines that the software code is secure. By applying the embodiments of the present invention, because the network element device can send digest information computed while the software is running to the network management device, it can be detected whether the software is maliciously tampered with at run time, so the security of the software running on the network element device is protected and the dynamic security of the software is improved.
BRIEF DESCRIPTION OF THE DRAWINGS
[70] In order to explain the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art may obtain other drawings from them without creative effort.
[71] FIG. 1A is a flowchart of an embodiment of a software security detection method according to the present invention;
[72] FIG. 1B is a flowchart of another embodiment of a software security detection method according to the present invention;
[73] FIG. 2 is a flowchart of another embodiment of a software security detection method according to the present invention;
[74] FIG. 3 is a flowchart of another embodiment of a software security detection method according to the present invention;
[75] FIG. 4 is a flowchart of another embodiment of a software security detection method according to the present invention;
[76] FIG. 5 is a flowchart of another embodiment of a software security detection method according to the present invention;
[77] FIG. 6 is a block diagram of an embodiment of a software security detection apparatus according to the present invention;
[78] FIG. 7 is a block diagram of another embodiment of a software security detection apparatus according to the present invention;
[79] FIG. 8 is a block diagram of an embodiment of a network management device according to the present invention;
[80] FIG. 9 is a block diagram of an embodiment of a network element device according to the present invention.
DETAILED DESCRIPTION
[81] In order to make the technical solutions in the embodiments of the present invention better understood by those skilled in the art, and to make the above objects, features and advantages of the embodiments more apparent and comprehensible, the technical solutions in the embodiments of the present invention are described in further detail below with reference to the drawings.
[82] Referring to FIG. 1A, which is a flowchart of an embodiment of a software security detection method according to the present invention, this embodiment describes the security detection process during software operation from the network management device side:
[83] Step 101: The network management device obtains original digest information from the network element device, the original digest information being digest information generated by the network element device for the software code loaded in memory.
[84] Optionally, the network management device may send a request message for original digest information to the network element device and receive the original digest information returned by the network element device in response to that request message; or the network management device may receive the original digest information that the network element device reports to the network management device after finishing loading the software code into memory.
[85] Step 102: The network management device receives verification digest information sent by the network element device, the verification digest information being digest information generated by the network element device while the software code is running.
[86] Optionally, the network management device may receive the verification digest information reported by the network element device according to a set time period; or the network management device may send a report request message for verification digest information to the network element device and receive the verification digest information returned by the network element device in response to that report request message.
[87] Step 103: The network management device compares whether the verification digest information is consistent with the original digest information; if not, it determines that the software code is not secure, and if so, it determines that the software code is secure.
[88] It can be seen from the above embodiment that, because the network element device can send digest information computed while the software is running to the network management device, it can be detected whether the software is maliciously tampered with at run time, so the security of the software running on the network element device is protected and the dynamic security of the software is improved.
[89] Referring to FIG. 1B, which is a flowchart of another embodiment of a software security detection method according to the present invention, this embodiment describes the security detection process during software operation from the network element device side:
[90] Step 111: The network element device sends original digest information to the network management device, the original digest information being digest information generated by the network element device for the software code loaded in memory.
[91] Optionally, the network element device may receive a request message for original digest information sent by the network management device, generate the original digest information for the software code loaded in memory in response to that request message, and send the original digest information to the network management device; or the network element device may, after finishing loading the software code into memory, generate the original digest information for the software code and report it to the network management device.
[92] Step 112: The network element device sends verification digest information of the software code to the network management device while the software code is running, so that the network management device determines whether the software code is secure by comparing the verification digest information with the original digest information.
[93] Optionally, the network element device may, while the software code is running, generate the verification digest information of the software code according to a set time period and send the verification digest information to the network management device; or the network element device may, while the software code is running, receive a report request message for verification digest information sent by the network management device, generate the verification digest information of the software code in response to that report request message, and send the verification digest information to the network management device.
[94] It can be seen from the above embodiment that, because the network element device can send digest information computed while the software is running to the network management device, it can be detected whether the software is maliciously tampered with at run time, so the security of the software running on the network element device is protected and the dynamic security of the software is improved.
[95] Referring to FIG. 2, which is a flowchart of another embodiment of a software security detection method according to the present invention:
[96] Step 201: The network element device loads the software into memory.
[97] In the embodiments of the present invention, the network element device may specifically be a board or the like. The network element device may be provided with a system on chip (SoC) security chip and memory connected through a bus, where the SoC security chip may further include a central processing unit (CPU), a field-programmable gate array (FPGA), a digital signal processor (DSP), a complex programmable logic device (CPLD) and the like, and the memory may include random access memory (RAM), flash memory and the like.
[98] When the network management device releases new software, or software that upgrades existing software, it generates a digital signature for that software: the network management device computes the digest information of the software, encrypts the digest information with a private key to produce the digital signature, packages the digital signature together with the software, and sends the software package to the network element device. In the prior art, after receiving the software package, the network element device obtains the digital signature from it, decrypts the digital signature with the public key to obtain first digest information, and at the same time computes second digest information of the software in the same way as the network management device side. If the first digest information is consistent with the second digest information, the software to be loaded is secure; if the first digest information is inconsistent with the second digest information, the software to be loaded is not secure. This guarantees the static security of the software to be loaded.
[99] When the network element device has determined, by verifying the digital signature, that the software to be loaded is secure, it loads the software into memory. The loading process may include decompressing and initializing the software; after loading completes, the software usually runs in memory in the form of software code, that is, the software to be loaded and the software code loaded into memory have different forms.
[100] Step 202: The network management device sends a request message for original digest information to the network element device.
[101] In this embodiment, the network management device may specifically be an operation and maintenance center (OMC) device or the like, and each network management device may communicate with multiple network element devices.
[102] In this embodiment, the network management device may actively send the request message for original digest information to the network element device. The network management device may send the request message a preset time after sending the software package to the network element device, the preset time being chosen so that the network element device can finish loading the software code into memory.
[103] Step 203: The network element device generates the original digest information for the software code loaded in memory in response to the request message for original digest information.
[104] In this embodiment, after receiving the request message for original digest information, the network element device computes the digest information of the software code already loaded in memory and uses that digest information as the original digest information. Digest information may also be called a message digest or a digital digest; it is a fixed-length value that uniquely corresponds to the software code and can be produced by applying a one-way hash function to the software code. If the software code itself changes, the computed digest information also changes, so the digest information can be used to verify the security and integrity of the software code.
[105] Step 204: The network element device sends the original digest information to the network management device.
[106] Step 205: The network management device stores the original digest information.
[107] Step 206: While the software code is running, the network element device generates verification digest information of the software code according to a set time period.
[108] In this embodiment, in order to verify security while the software code is running, the network element device may compute the digest information of the software code according to a set time period during the running of the software code and use that digest information as the verification digest information. For example, the network element device may set a timer, and when the timer period expires, the network element device is triggered to compute the verification digest information for that period. In this step, the verification digest information is computed in the same way and by the same process as the original digest information, which is not repeated here.
[109] Step 207: The network element device reports the verification digest information to the network management device.
[110] Step 208: The network management device compares whether the verification digest information is consistent with the original digest information; when the verification digest information is inconsistent with the original digest information, it determines that the software code is not secure, and when they are consistent, it determines that the software code is secure.
[111]当网管设备接收到验证摘要信息后, 可以获取保存的原始摘要信息, 然后比较 验证摘要信息与原始摘要信息是否一致,如果一致则可以确定软件代码运行过程中未 被篡改, 软件代码安全, 如果不一致则可以确定软件代码运行过程中遭到篡改, 因此 软件代码不安全, 此时网管设备可以触发告警, 或者由管理员进行人工干预。 [111] After receiving the verification summary information, the network management device can obtain the saved original summary information, and then compare whether the verification summary information is consistent with the original summary information. If they are consistent, it can be determined that the software code has not been tampered with during operation, and the software code is secure. If it is inconsistent, it can be determined that the software code has been tampered with during operation, so the software code is not secure. At this time, the network management device can trigger an alarm, or the administrator can perform manual intervention.
[112]由上述实施例可见, 由于网元设备可以通过向网管设备发送软件运行过程中的 摘要信息, 因此可以检测出软件在运行过程中是否受到恶意攻击, 从而可以对网元设 备上运行过程中的软件的安全性进行保护, 提高了软件的动态安全性。 [112] It can be seen from the foregoing embodiment that the network element device can send the summary information in the running process of the software to the network management device, so that it can detect whether the software is maliciously attacked during the running process, so that the network element device can be run on the network element device. The security of the software in the protection protects the dynamic security of the software.
[113] Referring to FIG. 3, a flowchart of another embodiment of the software security detection method of the present invention: [114] Step 301: The network element device loads the software into memory.
[115] In this embodiment of the present invention, the network element device may specifically be a board or the like, and the network element device may be provided with an SoC security chip, memory and the like, where the SoC security chip may further include a CPU, FPGA, DSP, CPLD and the like, and the memory may include RAM, Flash and the like.
[116] When the network management device releases new software, or software that upgrades existing software, it generates a digital signature for the software, packages the digital signature with the software, and sends the software package to the network element device. In the prior art, after receiving the software package, the network element device extracts the digital signature from it and determines whether the software is secure by verifying the digital signature, thereby ensuring the static security of the software to be loaded. The specific procedure by which the network element device verifies the received software is the same as described in step 201 above and is not repeated here.
[117] When the network element device determines by verifying the digital signature that the software to be loaded is secure, it loads the software into memory; loading may include decompressing and initialising the software. After loading completes, the software usually runs in memory in the form of software code, that is, the software to be loaded and the software code loaded into memory differ in form.
[118] Step 302: The network management device sends a request message for the original digest information to the network element device.
[119] In this embodiment, the network management device may specifically be an OMC device or the like, and each network management device can communicate with multiple network element devices. [120] In this embodiment, the network management device may actively send the request message for the original digest information to the network element device. The network management device may send this request message a preset time after sending the software package to the network element device, where the preset time need only be long enough to ensure that the network element device has finished loading the software code into memory.
[121] Step 303: The network element device generates the original digest information for the software code loaded in memory according to the request message for the original digest information. [122] In this embodiment, after receiving the request message for the original digest information, the network element device computes the digest information of the software code already loaded in memory and uses that digest information as the original digest information. The digest information may be produced by applying a one-way cryptographic Hash function to the software code; if the software code itself changes, the computed digest information also changes, so the digest information can be used to verify the security and integrity of the software code. [123] Step 304: The network element device sends the original digest information to the network management device. [124] Step 305: The network management device stores the original digest information.
[125] Step 306: While the software code is running, the network element device receives a report request message for verification digest information sent by the network management device.
[126] The difference from the embodiment shown in FIG. 2 is that in this embodiment, while the software code is running on the network element device, the network management device can send the report request message for verification digest information in real time according to the administrator's needs. [127] Step 307: The network element device generates verification digest information for the software code according to the report request message for verification digest information.
[128] After receiving the report request message for verification digest information, the network element device computes the digest information of the software code currently running in memory and uses that digest information as the verification digest information. The method and procedure for computing the verification digest information are the same as for the original digest information and are not repeated here.
[129] Step 308: The network element device sends the verification digest information to the network management device.
[130] Step 309: The network management device compares the verification digest information with the original digest information. If the verification digest information does not match the original digest information, it determines that the software code is not secure; if they match, it determines that the software code is secure. [131] After receiving the verification digest information, the network management device may retrieve the stored original digest information and then compare whether the verification digest information matches it. If they match, it can be determined that the software code was not tampered with while running and the software code is secure. If they do not match, it can be determined that the software code was tampered with while running and the software code is therefore not secure, in which case the network management device may raise an alarm, or an administrator may intervene manually.
[132] As can be seen from the above embodiment, because the network element device can send digest information to the network management device while the software is running, whether the software has been maliciously attacked during execution can be detected. The security of software running on the network element device is thereby protected, and the dynamic security of the software is improved.
[133] Referring to FIG. 4, a flowchart of another embodiment of the software security detection method of the present invention:
[134] Step 401: The network element device loads the software into memory.
[135] In this embodiment of the present invention, the network element device may specifically be a board or the like, and the network element device may be provided with an SoC security chip, memory and the like, where the SoC security chip may further include a CPU, FPGA, DSP, CPLD and the like, and the memory may include RAM, Flash and the like.
[136] When the network management device releases new software, or software that upgrades existing software, it generates a digital signature for the software, packages the digital signature with the software, and sends the software package to the network element device. In the prior art, after receiving the software package, the network element device extracts the digital signature from it and determines whether the software is secure by verifying the digital signature, thereby ensuring the static security of the software to be loaded. The specific procedure by which the network element device verifies the received software is the same as described in step 201 above and is not repeated here. [137] Step 402: When the network element device has finished loading the software code into memory, it generates the original digest information for the software code.
[138] Unlike the embodiments shown in FIG. 2 and FIG. 3, in this embodiment the network element device may generate the digest information of the software code in real time once the software code has been loaded, and use that digest information as the original digest information. The digest information may be produced by applying a one-way cryptographic Hash function to the software code; if the software code itself changes, the computed digest information also changes, so the digest information can be used to verify the security and integrity of the software code.
[139] Step 403: The network element device reports the original digest information to the network management device. [140] Step 404: The network management device stores the original digest information.
[141] Step 405: While the software code is running, the network element device generates verification digest information for the software code at a configured time period.
[142] In this embodiment, to verify the security of the software code while it is running, the network element device may compute the digest information of the software code at the configured time period during execution and use that digest information as the verification digest information. For example, the network element device may set a timer; when the timer period expires, the network element device is triggered to compute the verification digest information for that period. In this step, the method and procedure for computing the verification digest information are the same as for the original digest information and are not repeated here.
[143] Step 406: The network element device reports the verification digest information to the network management device.
[144] Step 407: The network management device compares the verification digest information with the original digest information. If the verification digest information does not match the original digest information, it determines that the software code is not secure; if they match, it determines that the software code is secure. [145] After receiving the verification digest information, the network management device may retrieve the stored original digest information and then compare whether the verification digest information matches it. If they match, it can be determined that the software code was not tampered with while running and the software code is secure. If they do not match, it can be determined that the software code was tampered with while running and the software code is therefore not secure, in which case the network management device may raise an alarm, or an administrator may intervene manually.
[146] As can be seen from the above embodiment, because the network element device can send digest information to the network management device while the software is running, whether the software has been maliciously attacked during execution can be detected. The security of software running on the network element device is thereby protected, and the dynamic security of the software is improved. [147] Referring to FIG. 5, a flowchart of another embodiment of the software security detection method of the present invention: [148] Step 501: The network element device loads the software into memory.
[149] In this embodiment of the present invention, the network element device may specifically be a board or the like, and the network element device may be provided with an SoC security chip, memory and the like, where the SoC security chip may further include a CPU, FPGA, DSP, CPLD and the like, and the memory may include RAM, Flash and the like.
[150] When the network management device releases new software, or software that upgrades existing software, it generates a digital signature for the software, packages the digital signature with the software, and sends the software package to the network element device. In the prior art, after receiving the software package, the network element device extracts the digital signature from it and determines whether the software is secure by verifying the digital signature, thereby ensuring the static security of the software to be loaded. The specific procedure by which the network element device verifies the received software is the same as described in step 201 above and is not repeated here.
[151] Step 502: When the network element device has finished loading the software code into memory, it generates the original digest information for the software code. Step 503: The network element device reports the original digest information to the network management device.
[152] Step 504: The network management device stores the original digest information.
[153] Unlike the embodiments shown in FIG. 2 and FIG. 3, in this embodiment the network element device may generate the digest information of the software code in real time once the software code has been loaded, and use that digest information as the original digest information. The digest information may be produced by applying a one-way cryptographic Hash function to the software code; if the software code itself changes, the computed digest information also changes, so the digest information can be used to verify the security and integrity of the software code.
[154] Step 505: While the software code is running, the network element device receives a report request message for verification digest information sent by the network management device.
[155] The difference from the embodiments shown in FIG. 2 and FIG. 4 is that in this embodiment, while the software code is running on the network element device, the network management device can send the report request message for verification digest information in real time according to the administrator's needs.
[156] Step 506: The network element device generates verification digest information for the software code according to the report request message for verification digest information. [157] After receiving the report request message for verification digest information, the network element device computes the digest information of the software code currently running in memory and uses that digest information as the verification digest information. The method and procedure for computing the verification digest information are the same as for the original digest information and are not repeated here.
[158] Step 507: The network element device sends the verification digest information to the network management device.
[159] Step 508: The network management device compares the verification digest information with the original digest information. If the verification digest information does not match the original digest information, it determines that the software code is not secure; if they match, it determines that the software code is secure.
[160] After receiving the verification digest information, the network management device may retrieve the stored original digest information and then compare whether the verification digest information matches it. If they match, it can be determined that the software code was not tampered with while running and the software code is secure. If they do not match, it can be determined that the software code was tampered with while running and the software code is therefore not secure, in which case the network management device may raise an alarm, or an administrator may intervene manually. [161] As can be seen from the above embodiment, because the network element device can send digest information to the network management device while the software is running, whether the software has been maliciously attacked during execution can be detected. The security of software running on the network element device is thereby protected, and the dynamic security of the software is improved.
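The four method embodiments above (FIG. 2 to FIG. 5) differ only in who initiates each exchange: the original digest is either requested by the network management device after a preset time or pushed by the network element device as soon as loading completes, and the verification digest is either produced on a timer or on an administrator-triggered report request. The following Python model walks through all four variants against one in-memory image and then simulates a one-bit change to the running code so that the comparison at the network management device fails. It is an added example, not code from the patent or from the applicant; the class and method names, the 4 KiB sample image and the use of SHA-256 as the one-way hash are constructed for illustration.

```python
"""Model of the original/verification digest exchange (FIG. 2 to FIG. 5).
Added example, not the patent's own code; all names and data are constructed."""
import hashlib
import hmac
from typing import Dict, List

# Constructed stand-in for a software image after it has been decompressed,
# initialised and loaded into the network element's memory.
SAMPLE_IMAGE = bytes(range(256)) * 16  # 4 KiB of deterministic bytes


def message_digest(code: bytes) -> str:
    """Fixed-length digest of the loaded code from a one-way hash (SHA-256
    assumed here); any change to the code changes the digest."""
    return hashlib.sha256(code).hexdigest()


class NetworkManagementSystem:
    """Network management device (e.g. OMC): stores original digests and
    compares verification digests against them (steps 205/208 and kin)."""

    def __init__(self) -> None:
        self.originals: Dict[str, str] = {}   # ne_id -> original digest
        self.alarms: List[str] = []

    def request_original_digest(self, ne: "NetworkElement") -> str:
        """Steps 202-205 / 302-305: request the original digest and store it."""
        digest = ne.on_original_digest_request()
        self.store_original(ne.ne_id, digest)
        return digest

    def store_original(self, ne_id: str, digest: str) -> None:
        """Step 205 / 305 / 404 / 504: keep one original digest per element."""
        self.originals[ne_id] = digest

    def request_verification(self, ne: "NetworkElement") -> bool:
        """Steps 306-309 / 505-508: administrator-triggered report request."""
        return self.check(ne.ne_id, ne.on_verification_request())

    def check(self, ne_id: str, verification_digest: str) -> bool:
        """Step 208 / 309 / 407 / 508: mismatch means the code is not secure.
        Design choice of this example (not stated in the text): an element
        with no stored original digest is also treated as not secure."""
        original = self.originals.get(ne_id)
        if original is None or not hmac.compare_digest(original, verification_digest):
            self.alarms.append(f"{ne_id}: verification digest does not match original")
            return False
        return True


class NetworkElement:
    """Network element device (board): loads code, computes digests."""

    def __init__(self, ne_id: str, nms: NetworkManagementSystem) -> None:
        self.ne_id = ne_id
        self.nms = nms
        self.memory = bytearray()

    def load_software(self, image: bytes) -> None:
        """Step 201 / 301 / 401 / 501 (signature check of the package not modelled)."""
        self.memory = bytearray(image)

    def on_original_digest_request(self) -> str:
        """Step 203 / 303: digest of the code now in memory, on request."""
        return message_digest(bytes(self.memory))

    def report_original_digest(self) -> str:
        """Steps 402-403 / 502-503: push the original digest right after loading."""
        digest = message_digest(bytes(self.memory))
        self.nms.store_original(self.ne_id, digest)
        return digest

    def periodic_verification(self) -> bool:
        """Steps 206-208 / 405-407: timer-driven verification digest and report."""
        return self.nms.check(self.ne_id, message_digest(bytes(self.memory)))

    def on_verification_request(self) -> str:
        """Step 307 / 506: verification digest computed on a report request."""
        return message_digest(bytes(self.memory))


def run_scenario() -> dict:
    """Both baseline modes, both verification modes, then simulated tampering."""
    nms = NetworkManagementSystem()
    ne = NetworkElement("ne-1", nms)
    ne.load_software(SAMPLE_IMAGE)
    requested = nms.request_original_digest(ne)       # FIG. 2 / FIG. 3 baseline
    pushed = ne.report_original_digest()              # FIG. 4 / FIG. 5 baseline
    clean_periodic = ne.periodic_verification()       # FIG. 2 / FIG. 4 check
    clean_on_demand = nms.request_verification(ne)    # FIG. 3 / FIG. 5 check
    ne.memory[100] ^= 0x01                            # one bit of running code changes
    tampered_periodic = ne.periodic_verification()
    return {
        "baselines_agree": requested == pushed,
        "clean_periodic": clean_periodic,
        "clean_on_demand": clean_on_demand,
        "tampered_periodic": tampered_periodic,
        "alarms": len(nms.alarms),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The comparison at the network management device uses a constant-time equality check, and the digest is computed over the bytes as they sit in memory, so the two baseline modes yield the same value and a single flipped bit is enough to turn a clean periodic report into an alarm.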
[162] Corresponding to the embodiments of the software security detection method of the present invention, the present invention further provides embodiments of a software security detection apparatus, a network management device and a network element device. [163] Referring to FIG. 6, a block diagram of an embodiment of the software security detection apparatus of the present invention, which may be arranged on the network management device side:
[164] The apparatus includes an obtaining unit 610, a receiving unit 620 and a detecting unit 630.
[165] The obtaining unit 610 is configured to obtain original digest information from a network element device, the original digest information being digest information generated by the network element device for software code loaded in memory; [166] the receiving unit 620 is configured to receive verification digest information sent by the network element device, the verification digest information being digest information generated by the network element device while the software code is running;
[167] the detecting unit 630 is configured to compare whether the verification digest information received by the receiving unit 620 matches the original digest information obtained by the obtaining unit 610; if not, it determines that the software code is not secure; if so, it determines that the software code is secure. [168] Optionally, the obtaining unit 610 may include (not shown in FIG. 6): [169] a request message sending subunit, configured to send a request message for original digest information to the network element device;
[170] a first original digest receiving subunit, configured to receive the original digest information returned by the network element device in response to the request message for original digest information sent by the request message sending subunit.
[171] Optionally, the obtaining unit 610 may instead include (not shown in FIG. 6): [172] a second original digest receiving subunit, configured to receive the original digest information reported by the network element device when it has finished loading the software code into memory.
[173] Optionally, the receiving unit 620 may include (not shown in FIG. 6):
[174] a first verification digest receiving subunit, configured to receive the verification digest information reported by the network element device at the configured time period; [175] Optionally, the receiving unit 620 may instead include (not shown in FIG. 6):
[176] a report request sending subunit, configured to send a report request message for verification digest information to the network element device;
[177] a second verification digest receiving subunit, configured to receive the verification digest information returned by the network element device in response to the report request message for verification digest information sent by the report request sending subunit.
[178] Referring to FIG. 7, a block diagram of another embodiment of the software security detection apparatus of the present invention, which may be arranged on the network element device side:
[179] The apparatus includes a first sending unit 710 and a second sending unit 720.
[180] The first sending unit 710 is configured to send original digest information to the network management device, the original digest information being digest information generated for software code loaded in memory;
[181] the second sending unit 720 is configured to send verification digest information for the software code to the network management device while the software code is running, so that the network management device determines whether the software code is secure by comparing the verification digest information sent by the second sending unit with the original digest information sent by the first sending unit.
[182] Optionally, the first sending unit 710 may include (not shown in FIG. 7):
[183] a request message receiving subunit, configured to receive a request message for original digest information sent by the network management device; [184] a first original digest generating subunit, configured to generate the original digest information for the software code loaded in memory according to the request message for original digest information received by the request message receiving subunit;
[185] a first original digest sending subunit, configured to send the original digest information generated by the first original digest generating subunit to the network management device.
[186] Optionally, the first sending unit 710 may instead include (not shown in FIG. 7):
[187] a second original digest generating subunit, configured to generate the original digest information for the software code when the software code has been loaded into memory;
[188] a second original digest sending subunit, configured to report the original digest information generated by the second original digest generating subunit to the network management device.
[189] Optionally, the second sending unit 720 may include (not shown in FIG. 7):
[190] a first verification digest generating unit, configured to generate verification digest information for the software code at the configured time period while the software code is running;
[191] a first verification digest sending subunit, configured to send the verification digest information generated by the first verification digest generating unit to the network management device.
[192] Optionally, the second sending unit 720 may instead include (not shown in FIG. 7):
[193] a report request receiving subunit, configured to receive, while the software code is running, a report request message for verification digest information sent by the network management device;
[194] a second verification digest generating subunit, configured to generate the verification digest information for the software code according to the report request message for verification digest information received by the report request receiving subunit;
[195] a second verification digest sending subunit, configured to send the verification digest information generated by the second verification digest generating subunit to the network management device.
[196] Referring to FIG. 8, a block diagram of an embodiment of the network management device of the present invention:
[197] The network management device includes a network interface 810 and a processor 820. [198] The network interface 810 is configured to obtain original digest information from a network element device, the original digest information being digest information generated by the network element device for software code loaded in memory, and to receive verification digest information sent by the network element device, the verification digest information being digest information generated by the network element device while the software code is running; [199] the processor 820 is configured to compare whether the verification digest information matches the original digest information; if not, it determines that the software code is not secure; if so, it determines that the software code is secure.
[200] Optionally, the network interface 810 may specifically be configured to send a request message for original digest information to the network element device and to receive the original digest information returned by the network element device in response to that request message; or to receive the original digest information reported to the network management device by the network element device when it has finished loading the software code into memory.
[201] Optionally, the network interface 810 may specifically be configured to receive the verification digest information reported by the network element device at the configured time period; or to send a report request message for verification digest information to the network element device and to receive the verification digest information returned by the network element device in response to that report request message. [202] Referring to FIG. 9, a block diagram of an embodiment of the network element device of the present invention:
[203] The network element device includes a network interface 910 and a processor 920.
[204] The processor 920 is configured to send original digest information to the network management device through the network interface 910, the original digest information being digest information generated by the network element device for software code loaded in memory, and, while the software code is running, to send verification digest information for the software code to the network management device through the network interface 910, so that the network management device determines whether the software code is secure by comparing the verification digest information with the original digest information.
[205]可选的,所述处理器 920,可以具体用于当所述网络接口接收所述网管设备发送 的原始摘要信息的请求消息后,根据所述原始摘要信息的请求消息为加载在内存中的 软件代码生成所述原始摘要信息,并通过所述网络接口将所述原始摘要信息发送给所 述网管设备; 或者, 在内存中加载完所述软件代码时, 为所述软件代码生成所述原始 摘要信息, 并通过所述网络接口向所述网管设备上报所述原始摘要信息。 [205] Optionally, the processor 920 may be specifically configured to: when the network interface receives the request message of the original digest information sent by the network management device, the request message according to the original digest information is loaded in the memory. The software code in the middle generates the original summary information, and sends the original summary information to the network management device through the network interface; or, when the software code is loaded in the memory, generates the software code The original summary information is reported, and the original summary information is reported to the network management device by using the network interface.
[206]可选的, 所述处理器 920, 可以具体用于在所述软件代码运行过程中, 按照设置 的时间周期生成所述软件代码的验证摘要信息,并通过所述网络接口向所述网管设备 发送所述验证摘要信息; 或者,在所述软件代码运行过程中当所述网络接口接收所述 网管设备发送的验证摘要信息的上报请求消息后,根据所述验证摘要信息的上报请求 消息生成所述软件代码的验证摘要信息,并通过所述网络接口将所述验证摘要信息发 送给所述网管设备。 [206] Optionally, the processor 920 may be specifically configured to follow the setting during the running of the software code. And generating the verification summary information of the software code, and sending the verification summary information to the network management device through the network interface; or, when the software code is running, when the network interface receives the network management After the report request message of the verification summary information sent by the device, the verification summary information of the software code is generated according to the report request message of the verification summary information, and the verification summary information is sent to the network management device by using the network interface. .
[207]由上述实施例可见, 网管设备从网元设备获得原始摘要信息, 该原始摘要信息 是网元设备为加载在内存中的软件代码生成的摘要信息,网元设备在软件代码运行过 程中生成验证摘要信息, 网管设备接收网元设备发送的验证摘要信息, 并比较验证摘 要信息与原始摘要信息是否一致, 若否, 则确定软件代码不安全, 若是, 则确定软件 代码安全。应用本发明实施例, 由于网元设备可以通过向网管设备发送软件运行过程 中的摘要信息, 因此可以检测出软件在运行过程中是否受到恶意攻击, 从而可以对网 元设备上运行过程中的软件的安全性进行保护, 提高了软件的动态安全性。 [207] It can be seen from the foregoing embodiment that the network management device obtains the original summary information from the network element device, where the original summary information is summary information generated by the network element device for the software code loaded in the memory, and the network element device is in the process of running the software code. The verification summary information is generated, and the network management device receives the verification summary information sent by the network element device, and compares whether the verification summary information is consistent with the original summary information. If not, it determines that the software code is insecure, and if so, determines the software code security. According to the embodiment of the present invention, the network element device can send the summary information in the running process of the software to the network management device, so that it can detect whether the software is maliciously attacked during the running process, so that the software in the running process can be performed on the network element device. The security is protected and the dynamic security of the software is improved.
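The exchange summarised in [207], as an added simulation that is not part of the patent: a network element computes a digest over its in-memory code image and reports the original digest (on request or after loading), then answers periodic or requested verification reports, and the network management device compares each verification digest against the stored original. The patent does not name the digest algorithm; SHA-256, the message layout and all identifiers below are assumptions of this example.

```python
import hashlib
from typing import Dict, List


def compute_digest(code: bytes) -> str:
    """Digest of the in-memory code image. The patent does not name the
    algorithm; SHA-256 is an assumption made for this example."""
    return hashlib.sha256(code).hexdigest()


class NetworkElement:
    """Simulated network element (NE). Its 'memory' is a bytearray holding
    the loaded software code; a real NE would hash the mapped code segment."""

    def __init__(self, ne_id: str, code: bytes) -> None:
        self.ne_id = ne_id
        self.memory = bytearray(code)

    def original_digest_report(self) -> Dict[str, str]:
        # Sent once the code has been loaded into memory, either in answer
        # to the NMS's request message or proactively when loading completes.
        return {"type": "original_digest", "ne": self.ne_id,
                "digest": compute_digest(bytes(self.memory))}

    def verification_digest_report(self) -> Dict[str, str]:
        # Sent while the code is running: on a set period, or in answer to
        # the NMS's report request message.
        return {"type": "verification_digest", "ne": self.ne_id,
                "digest": compute_digest(bytes(self.memory))}


class NetworkManager:
    """Simulated network management device (NMS)."""

    def __init__(self) -> None:
        self.original: Dict[str, str] = {}   # baseline digest per NE

    def obtain_original(self, ne: NetworkElement) -> None:
        # Request/response path: the NMS asks, the NE answers.
        self.receive_original(ne.original_digest_report())

    def receive_original(self, msg: Dict[str, str]) -> None:
        # Proactive path: the NE reports the original digest after loading.
        if msg.get("type") != "original_digest":
            raise ValueError("unexpected message type")
        self.original[msg["ne"]] = msg["digest"]

    def check(self, msg: Dict[str, str]) -> str:
        """Compare a verification digest with the stored original.
        Returns 'secure', 'insecure', or 'unknown' (no original on record)."""
        if msg.get("type") != "verification_digest":
            raise ValueError("unexpected message type")
        baseline = self.original.get(msg["ne"])
        if baseline is None:
            return "unknown"
        return "secure" if msg["digest"] == baseline else "insecure"

    def request_verification(self, ne: NetworkElement) -> str:
        # Report-request path; the periodic path would call check() the same way.
        return self.check(ne.verification_digest_report())


# Constructed sample code image standing in for the loaded software.
SAMPLE_CODE = bytes(range(256)) * 4


def run_scenario() -> List[str]:
    nms = NetworkManager()
    ne = NetworkElement("ne-1", SAMPLE_CODE)
    results = []
    # A verification report with no original on record cannot be judged.
    results.append(nms.request_verification(ne))        # 'unknown'
    nms.obtain_original(ne)                             # NMS fetches the baseline
    for _ in range(3):                                  # three periodic reports, code unchanged
        results.append(nms.request_verification(ne))    # 'secure'
    # Constructed in-memory modification of one byte of the code image,
    # standing in for whatever altered the running code.
    ne.memory[100] ^= 0xFF
    results.append(nms.request_verification(ne))        # 'insecure'
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The digest must cover only the immutable code segment: hashing a region that legitimately changes at runtime (writable data, relocation tables patched after load) would report "insecure" for untampered software.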
[208] Those skilled in the art can clearly understand that the techniques in the embodiments of the present invention may be implemented by software plus a necessary general-purpose hardware platform. Based on this understanding, the technical solutions in the embodiments of the present invention, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product, which may be stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disc, and which includes instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to execute the methods described in the various embodiments of the present invention or in parts of the embodiments.
[209] The embodiments in this specification are described in a progressive manner; the same or similar parts between the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. In particular, since the system embodiments are substantially similar to the method embodiments, their description is relatively brief, and the relevant parts may be referred to the description of the method embodiments.
[210] The embodiments of the present invention described above do not limit the scope of protection of the present invention. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims

Claims
1. A software security detection method, characterized in that the method comprises:
a network management device obtaining original digest information from a network element device, where the original digest information is digest information generated by the network element device for software code loaded in memory;
the network management device receiving verification digest information sent by the network element device, where the verification digest information is digest information generated by the network element device while the software code is running;
the network management device comparing whether the verification digest information is consistent with the original digest information; if not, determining that the software code is unsafe, and if so, determining that the software code is safe.
2. The method according to claim 1, characterized in that the network management device obtaining original digest information from the network element device comprises:
the network management device sending a request message for original digest information to the network element device and receiving the original digest information returned by the network element device according to the request message; or the network management device receiving the original digest information reported to it by the network element device when the network element device has finished loading the software code in memory.
3. The method according to claim 1 or 2, characterized in that the network management device receiving the verification digest information sent by the network element device comprises:
the network management device receiving the verification digest information reported by the network element device according to a set time period; or
the network management device sending a report request message for verification digest information to the network element device and receiving the verification digest information returned by the network element device according to the report request message.
4. A software security detection method, characterized in that the method comprises:
a network element device sending original digest information to a network management device, where the original digest information is digest information generated by the network element device for software code loaded in memory;
the network element device sending verification digest information of the software code to the network management device while the software code is running, so that the network management device determines whether the software code is safe by comparing the verification digest information with the original digest information.
5. The method according to claim 4, characterized in that the network element device sending the original digest information to the network management device comprises:
the network element device receiving a request message for original digest information sent by the network management device, generating the original digest information for the software code loaded in memory according to the request message, and sending the original digest information to the network management device; or
the network element device, when it has finished loading the software code in memory, generating the original digest information for the software code and reporting the original digest information to the network management device.
6. The method according to claim 4 or 5, characterized in that the network element device sending the verification digest information of the software code to the network management device while the software code is running comprises: the network element device, while the software code is running, generating verification digest information of the software code according to a set time period and sending the verification digest information to the network management device; or the network element device, while the software code is running, receiving a report request message for verification digest information sent by the network management device, generating the verification digest information of the software code according to the report request message, and sending the verification digest information to the network management device.
7. A software security detection apparatus, characterized in that the apparatus comprises:
an obtaining unit, configured to obtain original digest information from a network element device, where the original digest information is digest information generated by the network element device for software code loaded in memory;
a receiving unit, configured to receive verification digest information sent by the network element device, where the verification digest information is digest information generated by the network element device while the software code is running;
a detecting unit, configured to compare whether the verification digest information received by the receiving unit is consistent with the original digest information obtained by the obtaining unit; if not, to determine that the software code is unsafe, and if so, to determine that the software code is safe.
8. The apparatus according to claim 7, characterized in that
the obtaining unit comprises a request message sending subunit and a first original digest receiving subunit; the request message sending subunit is configured to send a request message for original digest information to the network element device;
the first original digest receiving subunit is configured to receive the original digest information returned by the network element device according to the request message for original digest information sent by the request message sending subunit;
or the obtaining unit comprises a second original digest receiving subunit;
the second original digest receiving subunit is configured to receive the original digest information reported by the network element device when it has finished loading the software code in memory.
9. The apparatus according to claim 7 or 8, characterized in that
the receiving unit comprises a first verification digest receiving subunit;
the first verification digest receiving subunit is configured to receive the verification digest information reported by the network element device according to a set time period;
or the receiving unit comprises a report request sending subunit and a second verification digest receiving subunit; the report request sending subunit is configured to send a report request message for verification digest information to the network element device;
the second verification digest receiving subunit is configured to receive the verification digest information returned by the network element device according to the report request message for verification digest information sent by the report request sending subunit.
10. A software security detection apparatus, characterized in that the apparatus comprises:
a first sending unit, configured to send original digest information to a network management device, where the original digest information is digest information generated for software code loaded in memory;
a second sending unit, configured to send verification digest information of the software code to the network management device while the software code is running, so that the network management device determines whether the software code is safe by comparing the verification digest information sent by the second sending unit with the original digest information sent by the first sending unit.
11. The apparatus according to claim 10, characterized in that
the first sending unit comprises a request message receiving subunit, a first original digest generating subunit and a first original digest sending subunit;
the request message receiving subunit is configured to receive a request message for original digest information sent by the network management device;
the first original digest generating subunit is configured to generate the original digest information for the software code loaded in memory according to the request message for original digest information received by the request message receiving subunit; the first original digest sending subunit is configured to send the original digest information generated by the first original digest generating subunit to the network management device;
or the first sending unit comprises a second original digest generating subunit and a second original digest sending subunit;
the second original digest generating subunit is configured to generate the original digest information for the software code when the software code has finished loading in memory;
the second original digest sending subunit is configured to report the original digest information generated by the second original digest generating subunit to the network management device.
12. The apparatus according to claim 10 or 11, characterized in that
the second sending unit comprises a first verification digest generating unit and a first verification digest sending subunit;
the first verification digest generating unit is configured to generate verification digest information of the software code according to a set time period while the software code is running;
the first verification digest sending subunit is configured to send the verification digest information generated by the first verification digest generating unit to the network management device;
or the second sending unit comprises a report request receiving subunit, a second verification digest generating subunit and a second verification digest sending subunit;
the report request receiving subunit is configured to receive, while the software code is running, a report request message for verification digest information sent by the network management device;
the second verification digest generating subunit is configured to generate the verification digest information of the software code according to the report request message for verification digest information received by the report request receiving subunit;
the second verification digest sending subunit is configured to send the verification digest information generated by the second verification digest generating subunit to the network management device.
13. A network management device, characterized in that the network management device comprises a network interface and a processor, wherein
the network interface is configured to obtain original digest information from a network element device, where the original digest information is digest information generated by the network element device for software code loaded in memory, and to receive verification digest information sent by the network element device, where the verification digest information is digest information generated by the network element device while the software code is running;
the processor is configured to compare whether the verification digest information is consistent with the original digest information; if not, to determine that the software code is unsafe, and if so, to determine that the software code is safe.
14. The network management device according to claim 13, characterized in that
the network interface is specifically configured to send a request message for original digest information to the network element device and receive the original digest information returned by the network element device according to the request message; or to receive the original digest information reported to the network management device by the network element device when it has finished loading the software code in memory.
15. The network management device according to claim 13 or 14, characterized in that
the network interface is specifically configured to receive the verification digest information reported by the network element device according to a set time period; or to send a report request message for verification digest information to the network element device and receive the verification digest information returned by the network element device according to the report request message.
16. A network element device, characterized in that the network element device comprises a network interface and a processor, wherein
the processor is configured to send original digest information to a network management device through the network interface, where the original digest information is digest information generated by the network element device for software code loaded in memory, and, while the software code is running, to send verification digest information of the software code to the network management device through the network interface, so that the network management device determines whether the software code is safe by comparing the verification digest information with the original digest information.
17. The network element device according to claim 16, characterized in that
the processor is specifically configured to: after the network interface receives a request message for original digest information sent by the network management device, generate the original digest information for the software code loaded in memory according to the request message and send the original digest information to the network management device through the network interface; or, when the software code has finished loading in memory, generate the original digest information for the software code and report the original digest information to the network management device through the network interface.
18. The network element device according to claim 16 or 17, characterized in that
the processor is specifically configured to: while the software code is running, generate verification digest information of the software code according to a set time period and send the verification digest information to the network management device through the network interface; or, while the software code is running, after the network interface receives a report request message for verification digest information sent by the network management device, generate the verification digest information of the software code according to the report request message and send the verification digest information to the network management device through the network interface.
PCT/CN2014/072826 2014-03-04 2014-03-04 Software security detection method, apparatus and device WO2015131324A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2014/072826 WO2015131324A1 (en) 2014-03-04 2014-03-04 Software security detection method, apparatus and device
CN201480000117.8A CN105190637A (en) 2014-03-04 2014-03-04 Software security detection method, apparatus and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2014/072826 WO2015131324A1 (en) 2014-03-04 2014-03-04 Software security detection method, apparatus and device

Publications (1)

Publication Number Publication Date
WO2015131324A1 true WO2015131324A1 (en) 2015-09-11

Family

ID=54054338

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/072826 WO2015131324A1 (en) 2014-03-04 2014-03-04 Software security detection method, apparatus and device

Country Status (2)

Country Link
CN (1) CN105190637A (en)
WO (1) WO2015131324A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106096388A (en) * 2016-05-31 2016-11-09 北京小米移动软件有限公司 A kind of code security processing method, device, terminal unit and system
CN107085675A (en) * 2016-02-16 2017-08-22 爱特梅尔公司 Controlled security code verification

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108875372B (en) * 2017-12-29 2022-07-26 安天科技集团股份有限公司 Code detection method and device, electronic equipment and storage medium
US11128474B2 (en) * 2019-03-25 2021-09-21 Micron Technology, Inc. Secure device communication

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1514375A (en) * 2003-07-21 2004-07-21 蒋正华 Software protection method
CN102208003A (en) * 2010-03-31 2011-10-05 鸿富锦精密工业(深圳)有限公司 Software program protection system and method
CN103065072A (en) * 2011-10-21 2013-04-24 北京大学 Method and device to improve Java software jailbreak difficulty and copyright verification method

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE69724235T2 (en) * 1997-05-28 2004-02-26 Siemens Ag Computer system and software protection method
CN101996286B (en) * 2009-08-10 2013-01-16 北京多思科技发展有限公司 Dynamic security measure implementation method, security measurement device and application system
CN101783801B (en) * 2010-01-29 2013-04-24 福建星网锐捷网络有限公司 Software protection method based on network, client side and server
CN102375953B (en) * 2010-08-10 2015-03-18 上海贝尔股份有限公司 Software certification method and software certification device
CN103501294B (en) * 2010-08-18 2017-03-08 北京奇虎科技有限公司 The determining program whether method of malice


Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107085675A (en) * 2016-02-16 2017-08-22 爱特梅尔公司 Controlled security code verification
CN107085675B (en) * 2016-02-16 2022-05-17 爱特梅尔公司 Controlled security code authentication
CN106096388A (en) * 2016-05-31 2016-11-09 北京小米移动软件有限公司 A kind of code security processing method, device, terminal unit and system
CN106096388B (en) * 2016-05-31 2019-04-16 北京小米移动软件有限公司 A kind of code security processing method, device, terminal device and system

Also Published As

Publication number Publication date
CN105190637A (en) 2015-12-23


Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase (Ref document number: 201480000117.8; Country of ref document: CN)
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 14884563; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 14884563; Country of ref document: EP; Kind code of ref document: A1)