CN105303074A - Method for protecting security of Web application - Google Patents
Method for protecting security of Web application
- Publication number
- CN105303074A
- Authority
- CN
- China
- Prior art keywords
- file
- web application
- shear plate
- api
- function
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/14—Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/106—Enforcing content protection by specific content processing
- G06F21/1066—Hiding content
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Multimedia (AREA)
- Technology Law (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
Abstract
The invention provides a method for protecting the security of a Web application. The method comprises: using an encryption module to transparently encrypt the source files of the Web application, the binary files produced by compilation, or DLL files, and to transparently decrypt them when an encrypted source file is opened or an encrypted binary file is run; and using a software behavior control module to control and manage the development software of the Web application. The core technology of both the encryption module and the software behavior control module is API hooking: the relevant API requests are intercepted and execution is redirected to a protection function before the original call continues. The method prevents leakage of the Web application's source files and decompilation of its binary files, and builds a secure working environment for the application from development through to operation. It needs no additional hardware support, is cost-effective, intuitive to use, easy to operate, and widely applicable.
Description
Technical field
The present invention relates to the field of computer information security, and specifically to a method for protecting the security of Web applications.
Background technology
With today's increasingly fine division of labour, increasingly close economic interaction, and rapidly changing information technology, how to effectively protect one's own intellectual property and reduce the risk caused by data leakage is a challenge that every enterprise and user has to face.
Because Web applications are easy to copy and decompile, managing and controlling them has always been a difficult problem. An application may be maliciously decompiled at any time and key enterprise data stolen; the thief then has full control over that data, which objectively causes the leakage of key enterprise secrets. At the same time, the leakage of application data and code exposes personal sensitive information to the threat of theft or unlawful use.
Current methods for protecting Web application security mainly include digital signature authentication, file format identification, and separation of code and data. These methods work well for integrity verification, information filtering, and authorization protection of programs. However, they cannot effectively prevent an application from being decompiled, and the digital signature authentication and software authorization protection themselves can also be defeated by decompiling the application.
Therefore, how to solve the Web application security problem with a method that is simple, practical, and widely applicable has become a problem in urgent need of a solution.
Summary of the invention
The object of the invention is to provide a method for protecting Web application security that addresses the security problem and the limitations of the prior art. The method controls and manages the application over its whole life cycle, from design to operation, builds a secure software development environment and running environment, and is widely applicable. The method and system need no additional hardware support, do not change the working habits of software developers or software users, and are cost-effective.
To achieve the above object, the invention proposes a method for protecting Web application security. Here Web applications mainly include Java programs, .Net programs, Android programs, and so on, and the files mainly protected are class files, DLL files, exe files, and so on. The method of the invention comprises: using an encryption module to transparently encrypt the source files of the Web application and the binary files produced by compilation, and to transparently decrypt them when an encrypted source file is opened or an encrypted binary file is run; and using a software behavior control module to control and manage the behavior of the Web application's development software.
The encryption module encrypts and decrypts application source files as follows: hook the API functions used to save and open files; run the encryption or decryption function to encrypt or decrypt the source file; then continue to the original API function for saving or opening the file.
The encryption module encrypts application binary files and decrypts them at run time as follows: hook the API function that produces the binary file, run the encryption operation, then continue to the original API function that produces the binary file; when the application's binary file is run, hook the API function that reads the binary file, run the decryption operation, then continue to the original API function that reads the binary file.
The encryption module encrypts DLL files and transparently decrypts them when the DLL is loaded into the process address space. The transparent decryption works by hooking the dynamic library loading API and the file operation API in NTDLL.dll and transparently decrypting the ciphertext in the DLL. Software behavior control covers copying, pasting, and taking screenshots of source files, among other operations.
The software behavior control module controls file copy and paste as follows: hook the clipboard set and paste APIs; when the clipboard set function is called, record the process information of the current clipboard writer; when clipboard content is copied out, decide from the identities of the clipboard writer and the clipboard reader whether the copy is allowed. If it is not allowed, report to the reader that the clipboard is empty; if it is allowed, return the clipboard content to the reader.
The rule for whether a copy is allowed is: if the clipboard writer's process is a controlled process and the clipboard reader's process is an uncontrolled process, the copy is not allowed; in all other cases it is allowed.
The software behavior control module controls file screenshot behavior as follows: hook the API function used to take screenshots; check whether the currently displayed windows include a window of an electronic document that needs leak prevention; if so, block the screenshot operation; if not, continue to the original screenshot API function.
The method of the invention for protecting Web application security builds a secure application development environment and running environment. Source file encryption is transparent to the software developer, and running the application is transparent to the user. The method and system need no additional hardware support, do not change the working habits of software developers or users, are intuitive and simple to use, and are widely applicable.
Accompanying drawing explanation
Fig. 1 is a schematic diagram of the API hooking technique.
Fig. 2 is a schematic diagram of the encryption and decryption flow.
Fig. 3 is a schematic diagram of the flow of a Java program running under Windows, from development to operation.
Fig. 4 is a schematic diagram of the hooking flow for dynamic library loading.
Fig. 5 is a schematic diagram of copy prevention.
Embodiment
All Windows applications perform their operations by calling system API functions. The existing API interfaces, however, cannot meet the requirements of every operation; some additional functions can be implemented by intercepting the relevant API request and then redirecting execution. This API interception technique is API hooking, shown in Fig. 1. The encryption module and the software behavior control module of this method both rely mainly on API hooking.
The encryption module of this method mainly hooks the API functions used when a Web application source file is opened and saved. As shown in Fig. 2, when a file is saved, the encryption function of the encryption module runs first and encrypts the file, and then the original API function for saving the file continues, which guarantees that the file written out is encrypted. Likewise, as shown in Fig. 2, when a file is opened, the decryption function of the encryption module runs first, and then the API function for opening the file continues, which guarantees that the encrypted file can be opened.
As shown in Fig. 3, when an encrypted Web application (an encrypted Java program, .Net program, and so on) runs under Windows and its binary file is loaded into memory, the decryption function of the encryption module runs first and then the function that loads the binary file, which guarantees that the encrypted binary file runs normally.
As shown in Fig. 4, when an encrypted DLL file is loaded into the process address space, the dynamic library loading function LdrInitializeThunk(), the module image import fixup function LdrFixupImports(), and the function that writes the dynamic library entry address, LdrGetExportByOrdinal(), need to be hooked: the decryption function of the encryption module runs first, and then the function that loads the dynamic library, which guarantees that the encrypted DLL loads successfully. When a function in the DLL is referenced, the Windows API ReadFile function is hooked to convert the ciphertext into plaintext, so that the DLL can be read.
Under Windows, software creating a new file generally calls the Windows API CreateFile function, and modifying a file and clicking save generally calls Windows API functions such as MoveFile and CopyFile. Opening an application source file and running a binary file generally call Windows API functions such as OpenFile and ReadFile.
Therefore, the encryption module of the invention needs to hook Windows APIs such as CreateFile, MoveFile, CopyFile, OpenFile, and ReadFile.
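The save/open flow of Fig. 2 as an added example, not code from the patent: the hooked save encrypts the buffer and then falls through to the original write, the hooked open calls the original read and then decrypts, so the application sees plaintext while the backing store only ever holds ciphertext. The Windows APIs are stood in for by function pointers over an in-memory "disk", and the XOR keystream is a placeholder for the encryption module, not a real cipher; both are assumptions made so the control flow can be compiled and run anywhere.

```c
/* Added example (not the patent's code): user-space model of the
 * "hook save/open, encrypt/decrypt, then continue to the original API"
 * flow. write_file/read_file play the role of the detoured Win32 calls
 * (CreateFile/WriteFile/ReadFile in the real system). */
#include <stdint.h>
#include <string.h>

#define DISK_SIZE 256

/* Backing store that stands in for the file system. */
static uint8_t disk[DISK_SIZE];
static size_t disk_len;

/* "Original" API: stores bytes exactly as given. */
static int original_write_file(const uint8_t *buf, size_t len) {
    if (len > DISK_SIZE) return -1;
    memcpy(disk, buf, len);
    disk_len = len;
    return 0;
}

/* "Original" API: returns stored bytes exactly as stored. */
static size_t original_read_file(uint8_t *buf, size_t cap) {
    size_t n = disk_len < cap ? disk_len : cap;
    memcpy(buf, disk, n);
    return n;
}

/* Hook table: the application calls through these pointers, the way a
 * detoured import entry redirects a Win32 call to the hook first. */
static int (*write_file)(const uint8_t *, size_t) = original_write_file;
static size_t (*read_file)(uint8_t *, size_t) = original_read_file;

/* Placeholder for the encryption module: XOR keystream, NOT a real cipher.
 * Non-zero key bytes guarantee every ciphertext byte differs from plaintext. */
static const uint8_t key[4] = {0x5a, 0xc3, 0x9e, 0x17};
static void crypt_in_place(uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++) buf[i] ^= key[i % sizeof key];
}

/* Hooked save: encrypt first, then continue to the original API. */
static int hooked_write_file(const uint8_t *buf, size_t len) {
    uint8_t tmp[DISK_SIZE];
    if (len > DISK_SIZE) return -1;
    memcpy(tmp, buf, len);
    crypt_in_place(tmp, len);
    return original_write_file(tmp, len);
}

/* Hooked open: continue to the original API, then decrypt what it read. */
static size_t hooked_read_file(uint8_t *buf, size_t cap) {
    size_t n = original_read_file(buf, cap);
    crypt_in_place(buf, n);
    return n;
}

/* Install the detours (the API HOOK step of Fig. 1). */
void install_hooks(void) {
    write_file = hooked_write_file;
    read_file = hooked_read_file;
}

/* Returns 1 if the hooked application gets its plaintext back while the
 * backing store holds only ciphertext; 0 otherwise. */
int roundtrip_is_transparent(const char *text) {
    uint8_t out[DISK_SIZE];
    size_t len = strlen(text);
    install_hooks();
    if (write_file((const uint8_t *)text, len) != 0) return 0;
    if (memcmp(disk, text, len) == 0) return 0;  /* on-disk must differ */
    if (read_file(out, sizeof out) != len) return 0;
    return memcmp(out, text, len) == 0;          /* app sees plaintext */
}

/* An unhooked reader (e.g. a plain copy tool) sees only ciphertext. */
int raw_read_is_ciphertext(const char *text) {
    uint8_t out[DISK_SIZE];
    size_t n = original_read_file(out, sizeof out);
    return n == strlen(text) && memcmp(out, text, n) != 0;
}
```

The second check is the property the patent relies on: any process that reaches the file without going through the hook gets ciphertext, so the protection is only as strong as the guarantee that every file API path is hooked.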
Under Windows, when a process performs a copy operation it sets the clipboard and places the copied content on it; when a process performs a paste operation it fetches the clipboard content. This creates the possibility that the content of an encrypted process is leaked through copy and paste.
The method of the invention monitors the clipboard in real time, as shown in Fig. 5. When the clipboard set API function is called, it is hooked and the process information of the current clipboard writer is recorded; when the clipboard copy (read) API function is called, it is hooked and the identities of the clipboard writer and the clipboard reader decide whether the copy is allowed. If it is not allowed, the reader is told that the clipboard is empty; if it is allowed, the clipboard content is returned to the reader.
If the clipboard writer's process is an encrypted (controlled) process and the clipboard reader's process is a non-encrypted process, the copy is not allowed: the reader is told that the clipboard is empty, and leakage through copy and paste is stopped. In all other cases the copy is allowed.
The API that sets the clipboard is the SetClipboardData function, and the API that reads the clipboard is the GetClipboardData function. To implement the above, both APIs are hooked. Before a process executes SetClipboardData, the process information of the clipboard writer is recorded, and then the SetClipboardData operation proceeds. Before a process executes GetClipboardData, the clipboard copy policy decides whether this copy is allowed; if so, the GetClipboardData operation proceeds, otherwise the clipboard is reported as empty.
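The clipboard policy from the two paragraphs above, as an added example that is not the patent's code: set_clipboard() plays the hooked SetClipboardData side (record the writer, then proceed) and get_clipboard() the hooked GetClipboardData side (apply the writer/reader rule, report an empty clipboard when denied). The process table is constructed sample data, and treating an unknown process as uncontrolled is an assumption the patent does not state.

```c
/* Added example (not the patent's code): the clipboard rule "deny only
 * when a controlled process wrote and an uncontrolled process reads",
 * modelled without Win32 so it runs anywhere. */
#include <stdint.h>
#include <string.h>

typedef struct {
    uint32_t pid;
    int controlled;   /* 1 = process runs under the behavior control module */
} process_t;

/* Constructed sample process table. */
static const process_t procs[] = {
    {1001, 1},   /* controlled: e.g. the IDE that opens encrypted sources */
    {2002, 0},   /* uncontrolled: e.g. a plain editor or chat tool */
    {3003, 1},   /* another controlled process */
};

/* Assumption: a pid not in the table is treated as uncontrolled. */
static int is_controlled(uint32_t pid) {
    for (size_t i = 0; i < sizeof procs / sizeof procs[0]; i++)
        if (procs[i].pid == pid) return procs[i].controlled;
    return 0;
}

/* Clipboard state; writer_pid is what the SetClipboardData hook records. */
static char clip_data[256];
static uint32_t writer_pid;
static int clip_has_data;

/* SetClipboardData hook: record who wrote, then let the write proceed. */
void set_clipboard(uint32_t caller_pid, const char *text) {
    writer_pid = caller_pid;
    strncpy(clip_data, text, sizeof clip_data - 1);
    clip_data[sizeof clip_data - 1] = '\0';
    clip_has_data = 1;
}

/* The rule as stated in the patent: deny only controlled -> uncontrolled. */
int copy_allowed(uint32_t writer, uint32_t reader) {
    return !(is_controlled(writer) && !is_controlled(reader));
}

/* GetClipboardData hook: apply the rule before the real read.
 * Returns the clipboard text, or "" (clipboard reported empty) when denied. */
const char *get_clipboard(uint32_t caller_pid) {
    if (!clip_has_data) return "";
    if (!copy_allowed(writer_pid, caller_pid)) return "";
    return clip_data;
}
```

Note that the rule only looks at the immediate writer and reader; a controlled-to-controlled transfer is allowed, so the protection relies on every process that handles protected content being registered as controlled.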
Screenshots can also be a means of leakage: after taking a screenshot of content from a source file that needs leak prevention, the screen copy can be saved as a picture. Windows has its own screenshot tool, and many screenshot programs and even chat tools have a screenshot function. The method of the invention monitors all kinds of screenshot operations. When the user takes a screenshot, it checks whether the currently displayed windows include a file window that needs leak prevention; if so, the screenshot is blocked, and if not, the user's screenshot proceeds normally. Screenshot control and file printing control are implemented in the same way, differing only in which APIs are hooked, so they are not described further.
The invention has been described in detail above through the implementation scenarios of each process. Those skilled in the art will understand that modifications and variations can be made without departing from the essence of the invention.
Claims (7)
1. A method for protecting Web application security, characterized in that: an encryption module is used, and the encryption module transparently encrypts the source files of the Web application, the binary files produced by compilation, or DLL files, and transparently decrypts them when an encrypted source file is opened or an encrypted binary file or DLL file is run; and a software behavior control module is used to control and manage the behavior of the Web application's development software.
2. The method for protecting Web application security according to claim 1, characterized in that the encryption module encrypts and decrypts application source files as follows: hook the API function used to save or open a file; run the encryption or decryption function to encrypt or decrypt the source file; then continue to the original API function for saving or opening the file.
3. The method for protecting Web application security according to claim 1, characterized in that the encryption module encrypts application binary files and decrypts them at run time as follows: hook the API function that produces the binary file, run the encryption operation, then continue to the original API function that produces the binary file; when the application's binary file is run, hook the API function that reads the binary file, run the decryption operation, then continue to the original API function that reads the binary file.
4. The method for protecting Web application security according to claim 1, characterized in that the encryption module encrypts DLL files and transparently decrypts them when the DLL is loaded into the process address space; the transparent decryption hooks the dynamic library loading API and the file operation API in NTDLL.dll and transparently decrypts the ciphertext in the DLL.
5. The method for protecting Web application security according to claim 1, characterized in that the software behavior control covers copying and pasting, printing, and taking screenshots of source files.
6. The method for protecting Web application security according to claim 5, characterized in that the software behavior control module controls source file copy and paste as follows: hook the clipboard set and paste APIs; when the clipboard set function is called, record the process information of the current clipboard writer; when clipboard content is copied out, decide from the identities of the clipboard writer and the clipboard reader whether the copy is allowed; if it is not allowed, report to the reader that the clipboard is empty; if it is allowed, return the clipboard content to the reader.
7. The method for protecting Web application security according to claim 5, characterized in that the software behavior control module controls file screenshots as follows: hook the API function used to take screenshots of files; check whether the currently displayed windows include a source file window that needs leak prevention; if so, block the screenshot operation; if not, continue to the original screenshot API function.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510663477.2A CN105303074A (en) | 2015-10-15 | 2015-10-15 | Method for protecting security of Web application |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510663477.2A CN105303074A (en) | 2015-10-15 | 2015-10-15 | Method for protecting security of Web application |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN105303074A true CN105303074A (en) | 2016-02-03 |
Family
ID=55200336
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201510663477.2A Pending CN105303074A (en) | 2015-10-15 | 2015-10-15 | Method for protecting security of Web application |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN105303074A (en) |
Cited By (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106203162A (en) * | 2016-06-30 | 2016-12-07 | 中国地质大学(武汉) | The method for secret protection of a kind of combining the two ways of dredging and plugging and system |
| CN106295370A (en) * | 2016-08-19 | 2017-01-04 | 北京奇虎科技有限公司 | A kind of method and apparatus of the dynamic link library (DLL) file reinforcing installation kit |
| CN106446714A (en) * | 2016-10-12 | 2017-02-22 | 北京元心科技有限公司 | Data access method and device of multi-clipboard |
| CN106845255A (en) * | 2017-01-23 | 2017-06-13 | 北京奇虎科技有限公司 | Prevent information processing method, device and the mobile terminal divulged a secret |
| CN107944233A (en) * | 2017-12-11 | 2018-04-20 | 北京深思数盾科技股份有限公司 | A kind of guard method of executable file and device |
| CN108229152A (en) * | 2016-12-21 | 2018-06-29 | 武汉安天信息技术有限责任公司 | Method and system based on ios platform dynamic monitoring |
| CN109409098A (en) * | 2017-10-24 | 2019-03-01 | 浙江华途信息安全技术股份有限公司 | The method and apparatus for preventing shear plate leaking data |
| CN111259431A (en) * | 2020-02-18 | 2020-06-09 | 上海迅软信息科技有限公司 | Computer software data encryption system and encryption method thereof |
| CN114491425A (en) * | 2022-01-07 | 2022-05-13 | 大连九锁网络有限公司 | A kind of Web program security reinforcement and anti-decompilation method and device for operating system kernel layer |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102611732A (en) * | 2011-11-25 | 2012-07-25 | 无锡华御信息技术有限公司 | Encryption document outgoing control system and method on basis of B/S (Browser/Server) framework |
| US20140007048A1 (en) * | 2011-10-11 | 2014-01-02 | Zenprise, Inc. | Modifying pre-existing mobile applications to implement enterprise security policies |
| CN103995990A (en) * | 2014-05-14 | 2014-08-20 | 江苏敏捷科技股份有限公司 | Method for preventing electronic documents from divulging secrets |
| CN104680079A (en) * | 2015-02-04 | 2015-06-03 | 上海信息安全工程技术研究中心 | Electronic document security management system and electronic document security management method |
- 2015
  - 2015-10-15 CN CN201510663477.2A patent/CN105303074A/en active Pending
Similar Documents
| Publication | Title |
|---|---|
| CN105303074A (en) | Method for protecting security of Web application |
| US11263020B2 (en) | System and method for wiping encrypted data on a device having file-level content protection |
| CN101853363B (en) | File protection method and system |
| US8433901B2 (en) | System and method for wiping encrypted data on a device having file-level content protection |
| US6976167B2 (en) | Cryptography-based tamper-resistant software design mechanism |
| CN104715209B (en) | A kind of outgoing document encryption protecting method |
| JP2004038394A (en) | Method of using shared library in tamper-resistant processor and program therefor |
| US20150127936A1 (en) | User terminal device and encryption method for encrypting in cloud computing environment |
| EP1596269A2 (en) | A system and method for rendering selective presentation of documents |
| CN101271497A (en) | Electric document anti-disclosure system and its implementing method |
| US20140281499A1 (en) | Method and system for enabling communications between unrelated applications |
| CN109508224A (en) | A kind of user data isolating and protecting system and method based on KVM virtual machine |
| CN104361291B (en) | Data processing method and device |
| WO2012094969A1 (en) | Data protection method and apparatus |
| CN110807191B (en) | Method and device for safe operation of application programs |
| WO2025092260A1 (en) | Data processing method and data processing engine based on trusted execution environment |
| WO2016206393A1 (en) | Method and apparatus for managing application and method and apparatus for implementing read-write operation |
| CN109871327B (en) | Trusted execution environment security storage security testing method and device |
| CN108491724A (en) | A kind of hardware based computer interface encryption device and method |
| CN113591107A (en) | System and method for realizing file redirection encryption and decryption |
| JP2009059008A (en) | File management system |
| CN117150521A (en) | Transparent encryption and decryption method and device for universal encryption card |
| CN107688729B (en) | Application program protection system and method based on trusted host |
| KR100901014B1 (en) | Apparatus and method for running an application in a virtual environment |
| Deshmukh et al. | Providing data security on cell phones |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | WD01 | Invention patent application deemed withdrawn after publication | |
| | WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20160203 |