
CN100458700C - Building method and apparatus for application program with safety requirement - Google Patents

Publication number: CN100458700C
Authority: CN (China)
Prior art keywords: demand, security, executable file, code segment, source program
Legal status: Expired - Fee Related
Application number: CNB2006100655634A
Other languages: Chinese (zh)
Other versions: CN101042657A (en)
Inventors: 欧启伦, 高翔
Current Assignee: Beijing Watchdata Co ltd
Original Assignee: Beijing WatchData System Co Ltd
Application filed by Beijing WatchData System Co Ltd
Priority to CNB2006100655634A
Publication of CN101042657A
Application granted
Publication of CN100458700C

Landscapes: Storage Device Security (AREA)

Abstract

This invention discloses a method and apparatus for building an application program with security requirements. In the security compiler, a security requirement part conversion module converts the first security requirement code segment, embedded at the first security requirement checkpoint of the application logic in the source program, into a first security requirement part of the executable file that is independent of the application logic part. A security requirement interpreter link module links the security requirement interpreter at the entry point in the application logic part that corresponds to the first security requirement checkpoint of the source program, and passes to it the position of the first security requirement part within the executable file.

Description

Construction method and apparatus for an application program with security requirements
Technical field
The present invention relates to computer software technology, and in particular to a method and apparatus for constructing a secure application program (PE application program).
Background
At present, the Portable Executable (PE) file format is used on all versions of 32-bit Windows systems, including Windows 9x, Windows NT, Windows 2000 and Windows XP. It is the file format of executables (EXE or DLL) in the Win32 environment.
As shown in Figure 1, the PE file format comprises the DOS header (DOS Head), the PE file header (PE Header), the section table, the sections and debugging information.
The DOS header is located at the start of the PE file and comprises the DOS MZ header and the DOS stub. With the DOS MZ header present, if the program is executed under DOS, DOS can recognise it as a valid executable and then runs the DOS stub that immediately follows the MZ header.
The PE header immediately follows the DOS stub. It is an IMAGE_NT_HEADERS structure containing many important fields that are used when the PE file is loaded into memory.
Following the PE header is the section table, which is an array of structures. If the PE file has 5 sections, the section table array has 5 members, and each member contains the attributes, file offset, virtual offset and so on of the corresponding section.
After the section table comes the actual content of the PE file, which is divided into blocks called sections. Each section is a block of data with common attributes, such as code/data or read/write. Sections are ordered by their starting address, not alphabetically. The sections can be located using the information in the section table. Common sections include:
.arch    Alpha architecture information
.bss     Uninitialized data
.CRT     C runtime read-only data
.data    Initialized data
.debug   Debugging information
.didata  Delay import file name table
.edata   Export file name table
.idata   Import file name table
.pdata   Exception information
.rdata   Read-only initialized data
.reloc   Relocation table information
.rsrc    Resources
.text    Executable code of the .exe or .dll file
.tls     Thread-local storage
.xdata   Exception table
The .text section stores the program's executable code and implements the program logic. At present, for programs with security requirements, the security logic is also implemented in this section: both the security requirements and the security logic are embedded in the application's own implementation logic. Because the implementation of an application depends on the software design and the way the code is written, different designers and different programmers consider security requirements and implement security logic differently. Implementing complex security logic inside the application logic is also relatively difficult, and instability and unmeasurable behaviour can result. The PE file format has no standard program framework for describing an application's security requirements and the implementation of its security logic, so it cannot offer a consistent method for constructing secure programs, and therefore cannot shorten the development cycle or improve the reliability of secure programs.
Summary of the invention
For applications based on the current PE format that have security requirements, the security requirements and the logic that implements them are all designed by the application designers and coded by the programmers. This constrains the construction of secure programs, makes them non-standard and unreliable, increases the design and development workload, and lengthens the development cycle. To solve these problems, the present invention, based on the PE file format, provides a method and apparatus for constructing secure programs with a general architecture for describing security requirements and implementing security logic.
In one aspect, a method for constructing an application program with security requirements is proposed. The method comprises the steps of: A. converting the first security requirement code segment, embedded at the first security requirement checkpoint of the application logic in the source program, into a first security requirement part that is independent of the application logic part in the executable file generated from the source program; B. at the entry point in the application logic part of the executable file that corresponds to the first security requirement checkpoint of the source program, linking the security implementation logic and passing to it the position of the first security requirement part within the executable file; C. when the application logic part runs to that entry point, calling the security implementation logic, which uses the position information it received to find the first security requirement part and checks the running environment against its security requirements.
Step A further comprises: checking the first security requirement code segment for validity and consistency, and converting it into the first security requirement part once the checks pass.
In the above method, elements defined in the Extensible Markup Language (XML) are used to describe at least one of the following types of code segment:
the security requirement code segment embedded in the application logic in the source program;
the security requirement part in the executable file obtained by converting the security requirement code segment of the source program.
In the above method, the first security requirement part is one of at least one security requirement segment contained in a secure data section of the executable file.
In the above method, the position of the first security requirement part within the executable file is the index of that part's segment header in the segment header table of the secure data section.
In another aspect, an apparatus for constructing an application program with security requirements is proposed. The apparatus comprises a memory and at least one application source program stored in the memory, and further comprises a security compiler and a security requirement interpreter. The security compiler comprises: a security requirement part conversion module, which converts the first security requirement code segment, embedded at the first security requirement checkpoint of the application logic in the source program, into a first security requirement part that is independent of the application logic part in the executable file generated from the source program; and a security requirement interpreter link module, which links the security requirement interpreter at the entry point in the application logic part of the executable file that corresponds to the first security requirement checkpoint of the source program, and passes to it the position of the first security requirement part within the executable file. The security requirement interpreter comprises: a position information receiving module, which receives the position information passed by the security compiler; a security requirement part lookup module, which looks up the first security requirement part in the executable file according to the position information received by the position information receiving module; a security requirement part analysis module, which analyses the first security requirement part found by the lookup module; and a security detection module, which checks the running environment according to the result produced by the analysis module.
The security compiler also comprises a validity and consistency check module, which checks the first security requirement code segment for validity and consistency and, once the checks pass, hands the segment to the security requirement part conversion module.
The first security requirement part is one of at least one security requirement segment contained in a secure data section of the executable file.
The position of the first security requirement part within the executable file is the index of that part's segment header in the segment header table of the secure data section.
In the above apparatus, elements defined in the Extensible Markup Language (XML) are used to describe at least one of the following types of code segment:
the security requirement code segment embedded in the application logic in the source program;
the security requirement part in the executable file obtained by converting the security requirement code segment of the source program.
The main advantages and characteristics of the present invention are as follows:
The method and apparatus for constructing secure programs with a general architecture separate the security requirements and security logic from the application and raise them to a general level, where they are implemented by software layers lower than the application. These lower layers are mainly implemented by operating system vendors, development tool vendors and the like. This greatly standardises the implementation process of secure programs, reduces the development effort for applications with security requirements, and improves the reliability and portability of the software.
Description of drawings
Fig. 1 shows the structure of a PE file;
Fig. 2 shows the part of the PE file structure that gains the added .secure section;
Fig. 3 shows the division of security requirements into segments;
Fig. 4 shows the structure used by the .secure section;
Fig. 5 shows an application source program with security requirements;
Fig. 6 is a schematic diagram of how the security requirement descriptions in the application source program are converted into security requirement segments;
Fig. 7 is a schematic diagram of the processing performed by the security compiler;
Fig. 8 is a schematic diagram of the processing performed by the security requirement interpreter.
Embodiment
A PE file is divided into many sections according to data attributes, such as the .text section holding program code and the .rsrc section holding resources. To separate the security requirements and the security implementation logic from the application, a .secure section is added to the PE file to hold the application's security requirements on its running environment, as shown in Figure 2.
According to the security needs of the application, the application checks its security requirements at the program entry point or at the entry points of certain code segments. The points at which security requirements are checked are called "security requirement checkpoints". The application's security requirements are divided into "security requirement segments" according to the checkpoints, and each checkpoint corresponds to one "security requirement segment". The security requirements of an application consist of several "security requirement segments", as shown in Figure 3.
The security requirements, divided into "security requirement segments" according to the application's "security requirement checkpoints", are all stored in the .secure section. Each "security requirement segment" corresponds to one "security requirement checkpoint" and serves as the security condition for executing the corresponding code. To make "security requirement segments" easy to retrieve, the .secure section uses the structure shown in Fig. 4.
The .secure section comprises a "section header", a "security requirement segment header table" and a "security requirement segment table".
The "section header" holds general information about the "security requirement segments", such as their number:
typedef struct _IMAGE_SECURE_HEAD {
    WORD SecureNumber;   /** number of security requirement segments **/
    /* …… */
} IMAGE_SECURE_HEAD, *PIMAGE_SECURE_HEAD;
The SecureNumber field is the number of "security requirement segments".
The number of entries in the "security requirement segment header table" equals the value of the SecureNumber field. Every entry has the same structure and stores the offset of the corresponding "security requirement segment", as a relative virtual address, together with the size of that segment. The structure is as follows:
typedef struct _IMAGE_SECURE_SECTION_HEADER {
    DWORD VirtualAddress;   /** relative virtual address (RVA) **/
    DWORD SizeOfRawData;    /** size of the security requirement segment **/
} IMAGE_SECURE_SECTION_HEADER,
  *PIMAGE_SECURE_SECTION_HEADER;
Here, VirtualAddress is the relative virtual address (RVA) of the corresponding security requirement segment with respect to the base address of the .secure section, and SizeOfRawData is the size of that segment. The entries of the security requirement segment header table therefore make it possible to locate the corresponding security requirement segment.
A "security requirement segment" stores the security requirements of its "security requirement checkpoint". The requirements of each checkpoint can vary considerably, so to make it easy to express different security requirements and their combinations, a "security requirement segment" is described in the Extensible Markup Language (XML), for example:
<SECURE>
<OS_TYPE>WINDOWS</OS_TYPE>
<VERSION>2000</VERSION>
<PATCH>SP3</PATCH>
<FIREWALL>MUST</FIREWALL>
<VIRUS>MUST</VIRUS>
<IDPS>MUST</IDPS>
<AUTHENTICATION>
<TYPE>BIDIRECTIONAL</TYPE>
<SERVER>119.239.112.111</SERVER>
<CERTIFICATE>…</CERTIFICATE>
</AUTHENTICATION>
<ENCRYPT>MUST</ENCRYPT>
</SECURE>
The element SECURE marks the beginning and the end of a "security requirement segment".
The element OS_TYPE gives the type of operating system; its value can be WINDOWS, LINUX and so on.
The element VERSION gives the version of the operating system. Its value depends on OS_TYPE: for example, when OS_TYPE is WINDOWS, VERSION can be 9x, 2000, XP and so on.
The element PATCH gives the patch version of the operating system. Its value depends on OS_TYPE and VERSION: for example, when OS_TYPE is WINDOWS and VERSION is 2000, PATCH can be SP1, SP2, SP3, SP4 and so on.
The element FIREWALL states whether a firewall is needed. MUST means a firewall is required; OPTIONAL means a firewall may be present; NO means no firewall is needed.
The element VIRUS states whether anti-virus software is needed. MUST means anti-virus software is required; OPTIONAL means anti-virus software may be present; NO means no anti-virus software is needed.
The element IDPS states whether an intrusion detection and protection system is needed. MUST means such a system is required; OPTIONAL means such a system may be present; NO means no such system is needed.
The element AUTHENTICATION states that authentication must be performed. It has the child elements TYPE, SERVER and CERTIFICATE. TYPE gives the type of authentication: SINGLE means one-way authentication, in which only the server authenticates the client application; BIDIRECTIONAL means two-way authentication, in which the server authenticates the client application and the client application also authenticates the server. SERVER gives the network IP address of the server. CERTIFICATE contains the client's certificate.
The element ENCRYPT states whether the communication must be encrypted. MUST means the communication must be encrypted; NO means the communication need not be encrypted.
The XML elements of the "security requirement segment" above are a brief illustration based on commonly used security requirements. If extension is needed, corresponding new elements can be added to represent new security requirements.
The .secure section of the PE file stores the application's security requirements. The requirements are first determined by the application's designers and developers according to the security needs of the application, and are then described in the application source code. When application source code that carries security requirements is compiled, it is processed by a "security compiler" that can handle security requirements, and the corresponding requirements are stored in the .secure section of the resulting PE file.
The application developer describes the security requirements in the application source code using a "security description language". The "security description language" uses a current high-level programming language, such as C, as its host language. The security requirements written in the "security description language" are embedded in the program code written in the host language, as shown in Figure 5.
An application source program with embedded security requirements written in the "security description language" is compiled by the "security compiler" into an executable in PE file format. The security requirement descriptions are converted by compilation into security requirements and stored in the .secure section. The security requirements of each "security requirement checkpoint" are stored in one corresponding "security requirement segment" of the .secure section, as shown in Figure 6.
The "security description language" describes the security requirements of each "security requirement checkpoint" in the application. Because the requirements in each "security requirement segment" of the .secure section are described in XML, the "security description language" also uses XML, embedded in the application source code, for convenience and simplicity. The elements of the "security description language" are essentially the same as the XML elements of a "security requirement segment". For example:
<SECURE>
<AUTHENTICATION>
<TYPE>BIDIRECTIONAL</TYPE>
<SERVER>210.223.119.110</SERVER>
<CERTIFICATE>…</CERTIFICATE>
</AUTHENTICATION>
<ENCRYPT>MUST</ENCRYPT>
</SECURE>
WithdrawFromAccount(); /** withdraw money -- security requirement checkpoint **/
The "security compiler" is an extension of the compilers of the various high-level programming languages. When it compiles an application source program that carries security requirements, it processes the security requirements of each "security requirement checkpoint" in the source program as follows:
(1) It checks the validity and consistency of the security requirements.
This mainly checks that the XML elements are legal and that they are used consistently.
(2) For the security requirements of a "security requirement checkpoint" that pass the validity and consistency check, the "security compiler" stores them in the .secure section of the PE file as one "security requirement segment", and records the index in the "security requirement segment header table" of the table entry that corresponds to this segment, for example index "N".
(3) The security requirements at the "security requirement checkpoint" are converted into a call to the "security requirement interpreter". The parameter is the index in the "security requirement segment header table" of the table entry that corresponds to the "security requirement segment", for example "N":
CALL SECURE_INTERPRETER(N);
Further, the security compiler comprises a validity and consistency check module, which checks the validity and consistency of the security requirement description embedded at each security requirement checkpoint of the application source program and hands the descriptions that pass to the security requirement part conversion module; a security requirement part conversion module, which compiles the descriptions it receives into security requirements and stores them in the corresponding "security requirement segments" of the .secure section; and a security requirement interpreter link module, which links the security requirement interpreter at each security requirement checkpoint in the .text section and passes to it the index, in the security requirement segment header table, of the table entry for the corresponding security requirement segment.
After this processing by the "security compiler", the security requirements in the application have been turned into calls to the "security requirement interpreter", and the requirements that the interpreter has to process are stored in the .secure section of the PE file. The two are associated through the "index", as shown in Figure 7.
When the application runs, the PE file loader maps each section to an address block in memory (VirtualAddress). The .text section holds the application's executable code and the .secure section holds the security requirements. After the PE file has been loaded into memory, the application starts running from the program entry point.
When the application reaches a "security requirement checkpoint", what actually happens is a call to the "security requirement interpreter". The call passes the "index" of the corresponding security requirements, for example N. Once called, the "security requirement interpreter" performs the operations shown in Figure 8, as follows:
(1) It first obtains the security requirement "index" that was passed in.
(2) Using the "index", it searches the "security requirement segment header table" in the .secure section, finds the corresponding table entry, and reads from that entry the start address and size of the corresponding "security requirement segment".
(3) It then analyses the security requirements described in the "security requirement segment" and performs the relevant detection and checks, determining whether the current running environment satisfies the requirements of this segment.
(4) If the current running environment satisfies the requirements of this segment, the application continues from the instruction following the "security requirement checkpoint"; otherwise the application returns to the upper-level logic and the corresponding code cannot be executed.
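The compiler steps (1)-(3) and the interpreter steps (1)-(4) above can be followed end to end in the sketch below, which is an added example and not code from the patent. It assumes a packed little-endian layout in which the section header holds only SecureNumber (the page elides the other fields), exact-match comparison for OS_TYPE, VERSION and PATCH, and a hypothetical `env` dictionary (including its `AUTH` key) that stands in for the environment detection the patent leaves unspecified.

```python
import struct
import xml.etree.ElementTree as ET

# Assumed packed little-endian layout (the page elides the other header fields):
#   WORD SecureNumber | SecureNumber x (DWORD VirtualAddress, DWORD SizeOfRawData) | XML
HEAD = struct.Struct("<H")
ENTRY = struct.Struct("<II")
FLAG_TAGS = ("FIREWALL", "VIRUS", "IDPS", "ENCRYPT")

def build_secure_section(segments):
    """Compiler side: validate each XML segment and pack it; list position = index N."""
    blobs = [s.encode("utf-8") for s in segments]
    for blob in blobs:
        if ET.fromstring(blob).tag != "SECURE":   # raises ParseError if malformed
            raise ValueError("segment root must be SECURE")
    offset = HEAD.size + ENTRY.size * len(blobs)
    table = b""
    for blob in blobs:
        table += ENTRY.pack(offset, len(blob))    # RVA is relative to the section base
        offset += len(blob)
    return HEAD.pack(len(blobs)) + table + b"".join(blobs)

def find_segment(section, index):
    """Interpreter steps (1)-(2): resolve index N to segment bytes, bounds-checked."""
    if len(section) < HEAD.size:
        raise ValueError("section too short")
    (count,) = HEAD.unpack_from(section, 0)
    table_end = HEAD.size + ENTRY.size * count
    if table_end > len(section):
        raise ValueError("segment header table truncated")
    if not 0 <= index < count:
        raise ValueError("index outside segment header table")
    rva, size = ENTRY.unpack_from(section, HEAD.size + ENTRY.size * index)
    if rva < table_end or rva + size > len(section):
        raise ValueError("segment lies outside the section")
    return section[rva:rva + size]

def unmet_requirements(segment, env):
    """Step (3): list the elements the environment does not satisfy."""
    root = ET.fromstring(segment)
    if root.tag != "SECURE":
        raise ValueError("segment root must be SECURE")
    unmet = []
    for el in root:
        value = (el.text or "").strip()
        if el.tag in ("OS_TYPE", "VERSION", "PATCH"):
            ok = env.get(el.tag) == value          # assumption: exact match
        elif el.tag in FLAG_TAGS:
            ok = value in ("OPTIONAL", "NO") or (value == "MUST" and env.get(el.tag) is True)
        elif el.tag == "AUTHENTICATION":           # hypothetical env["AUTH"] = (TYPE, SERVER)
            ok = env.get("AUTH") == (el.findtext("TYPE"), el.findtext("SERVER"))
        else:
            ok = False                             # unknown element: fail closed
        if not ok:
            unmet.append(el.tag)
    return unmet

def secure_interpreter(section, index, env):
    """Step (4), the CALL SECURE_INTERPRETER(N) target: True means continue."""
    try:
        return not unmet_requirements(find_segment(section, index), env)
    except (ValueError, ET.ParseError):
        return False                               # any malformed input denies execution

# Constructed sample data: two checkpoints and one description of the environment.
SEG0 = ("<SECURE><OS_TYPE>WINDOWS</OS_TYPE><VERSION>2000</VERSION><PATCH>SP3</PATCH>"
        "<FIREWALL>MUST</FIREWALL><VIRUS>MUST</VIRUS><IDPS>OPTIONAL</IDPS></SECURE>")
SEG1 = ("<SECURE><AUTHENTICATION><TYPE>BIDIRECTIONAL</TYPE>"
        "<SERVER>210.223.119.110</SERVER></AUTHENTICATION><ENCRYPT>MUST</ENCRYPT></SECURE>")
ENV = {"OS_TYPE": "WINDOWS", "VERSION": "2000", "PATCH": "SP3",
       "FIREWALL": True, "VIRUS": True, "IDPS": False, "ENCRYPT": False, "AUTH": None}
SECTION = build_secure_section([SEG0, SEG1])

if __name__ == "__main__":
    for n in range(3):
        print(n, secure_interpreter(SECTION, n, ENV))
```

The index and RVA checks in `find_segment` matter because both values are read from the file at run time: an index or offset that points outside the section is treated as a failed check rather than followed.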
Further, the security requirement interpreter comprises a position information receiving module, which receives from the security compiler the index, in the security requirement segment header table, of the table entry for the security requirement segment; a security requirement part lookup module, which looks up the security requirement segment in the executable file according to the index received by the position information receiving module; a security requirement part analysis module, which analyses the security requirement segment found by the lookup module; and a security detection module, which checks the running environment according to the result produced by the analysis module.
The "security requirement interpreter" is responsible for analysing the security requirements and checking the security conditions, and decides whether the current running environment satisfies the requirements of the current "security requirement segment". First, the interpreter has part of the functionality of an XML interpreter, so that it can interpret the XML that describes the requirements in a "security requirement segment". Second, for each XML element of the security requirements, the interpreter has a corresponding security handling mechanism.
Take the element VIRUS as an example. <VIRUS>MUST</VIRUS> is handled as follows:
The "security requirement interpreter" detects whether anti-virus software is installed on the current system. If it is, the application continues executing from the "security requirement checkpoint"; otherwise it jumps to the upper-level logic and the related code cannot be executed.
The "security requirement interpreter" can take the form of a dynamic link library (DLL). A general "security requirement interpreter" implements the commonly used security requirements and can be extended if the application needs it.
In summary, this scheme adds a .secure section to the PE file format and introduces the concepts of a "security description language", a "security compiler" and a "security requirement interpreter", so that the security requirements and the security implementation logic are separated from the application. The "security description language" describes the separated security requirements, and the "security requirement interpreter" implements the security logic for those requirements.
First, a "security description language" is defined to describe the application's various security requirements on its running environment. The "security description language" is expressed in the Extensible Markup Language (XML). Defining the "security description language" means determining the XML elements that describe security requirements. Each XML element represents one kind of security requirement, or one part of a security requirement.
Commonly used elements include:
SECURE element: the beginning of a "security requirement segment"
OS_TYPE element: the operating system type
VERSION element: the operating system version
PATCH element: the operating system patch version
FIREWALL element: whether a firewall is needed
VIRUS element: whether anti-virus software is needed
IDPS element: whether an intrusion detection and protection system must be installed
AUTHENTICATION element: authentication must be performed
TYPE element: the type of authentication
SERVER element: the authentication server
CERTIFICATE element: the client certificate
ENCRYPT element: whether information must be encrypted
Next, the "security requirement interpreter" is built in the form of a dynamic link library (DLL). For each XML element of the "security description language", the interpreter implements the corresponding security handling, detecting and verifying whether the running environment satisfies the corresponding requirement. The interpreter is loaded into memory by the PE file loader when the application is loaded, and is called when the application reaches a "security requirement checkpoint". For each "security requirement segment", the application can continue only if the interpreter's verification shows that the current running environment satisfies the application's security requirements; otherwise control passes to the upper-level logic.
Then, the compiler/linker of the high-level language is extended with functions for compiling and linking the security requirements described in the "security description language". After compiling and linking, the security requirements are stored in the .secure section of the PE file, and the corresponding "security requirement checkpoints" are replaced with calls to the "security requirement interpreter".
The "security description language", the "security compiler" and the "security requirement interpreter" together provide a general framework for building secure applications. Because the security requirements and the security implementation logic are separated from the application, this offers a flexible and efficient way to build applications suited to a variety of security requirements.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. If such changes and modifications fall within the scope of the claims of the present invention and their technical equivalents, the present invention is intended to include them as well.

Claims (10)

1. A method for building an application program with security requirements, comprising the following steps:
A. converting a first security requirement code segment, embedded at a first security requirement checkpoint of the application logic in a source program, into a first security requirement part that is independent of the application logic part in the executable file generated from the source program;
B. at the entry point in the application logic part of the executable file that corresponds to the first security requirement checkpoint of the source program, linking the security implementation logic and passing to it information on the location of the first security requirement part in the executable file;
C. when the application logic part runs to the corresponding entry point, calling the security implementation logic, which finds the first security requirement part according to the received location information and checks the running environment against its security requirements.
2. The method of claim 1, characterized in that step A further comprises: performing validity and consistency checks on the first security requirement code segment, and converting the first security requirement code segment into the first security requirement part after the checks pass.
3. The method of claim 1, characterized in that elements defined in Extensible Markup Language (XML) are used to describe at least one of the following types of code segment:
the security requirement code segment embedded in the application logic of the source program;
the security requirement part in the executable file into which the security requirement code segment of the source program is converted.
4. The method of claim 1, characterized in that the first security requirement part is one of at least one security requirement segment contained in a secure data section of the executable file.
5. The method of claim 4, characterized in that the information on the location of the first security requirement part in the executable file is the index number of the segment header corresponding to the first security requirement part in the segment header table of the secure data section.
6. An apparatus for building an application program with security requirements, comprising a memory and at least one application source code stored in the memory, characterized in that it further comprises a security compiler and a security requirement interpreter,
the security compiler further comprising: a security requirement part conversion module, used to convert a first security requirement code segment, embedded at a first security requirement checkpoint of the application logic in a source program, into a first security requirement part that is independent of the application logic part in the executable file generated from the source program; and a security requirement interpreter link module, used to link the security requirement interpreter at the entry point in the application logic part of the executable file that corresponds to the first security requirement checkpoint of the source program, and to pass to it information on the location of the first security requirement part in the executable file;
the security requirement interpreter further comprising:
a location information receiving module, used to receive the location information passed by the security compiler;
a security requirement part lookup module, used to look up the first security requirement part in the executable file according to the location information received by the location information receiving module;
a security requirement part analysis module, used to analyze the first security requirement part found by the security requirement part lookup module;
a security detection module, used to check the running environment according to the analysis result of the security requirement part analysis module.
7. The apparatus of claim 6, characterized in that the security compiler further comprises a validity and consistency check module, used to perform validity and consistency checks on the first security requirement code segment and, after the checks pass, to pass the first security requirement code segment to the security requirement part conversion module.
8. The apparatus of claim 6, characterized in that the first security requirement part is one of at least one security requirement segment contained in a secure data section of the executable file.
9. The apparatus of claim 8, characterized in that the information on the location of the first security requirement part in the executable file is the index number of the segment header corresponding to the first security requirement part in the segment header table of the secure data section.
10. The apparatus of claim 6, characterized in that elements defined in Extensible Markup Language (XML) are used to describe at least one of the following types of code segment:
the security requirement code segment embedded in the application logic of the source program;
the security requirement part in the executable file into which the security requirement code segment of the source program is converted.
CNB2006100655634A 2006-03-22 2006-03-22 Building method and apparatus for application program with safety requirement Expired - Fee Related CN100458700C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2006100655634A CN100458700C (en) 2006-03-22 2006-03-22 Building method and apparatus for application program with safety requirement

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2006100655634A CN100458700C (en) 2006-03-22 2006-03-22 Building method and apparatus for application program with safety requirement

Publications (2)

Publication Number Publication Date
CN101042657A CN101042657A (en) 2007-09-26
CN100458700C true CN100458700C (en) 2009-02-04

Family

ID=38808191

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2006100655634A Expired - Fee Related CN100458700C (en) 2006-03-22 2006-03-22 Building method and apparatus for application program with safety requirement

Country Status (1)

Country Link
CN (1) CN100458700C (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101853205A (en) * 2010-06-23 2010-10-06 山东中创软件商用中间件股份有限公司 Method and apparatus for monitoring the running of program

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104216946B (en) * 2014-07-31 2019-03-26 百度在线网络技术(北京)有限公司 A kind of method and apparatus for beating again packet application program for determination
CN111324890B (en) * 2018-12-14 2022-12-02 华为技术有限公司 Processing method, detection method and device of portable executive body file

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020129078A1 (en) * 2001-03-07 2002-09-12 Plaxton Iris M. Method and device for creating and using pre-internalized program files
CN1371050A (en) * 2001-02-20 2002-09-25 英业达股份有限公司 A method for generating self-testing and self-healing applications
CN1373418A (en) * 2001-02-28 2002-10-09 无敌科技(西安)有限公司 Method for extracting and exchanging formatted document of portable executable file
US20030035004A1 (en) * 2001-08-14 2003-02-20 Andrew Dove System and method for deploying a graphical program to a PDA device

Also Published As

Publication number Publication date
CN101042657A (en) 2007-09-26

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract

Assignee: BEIJING WATCHSMART TECHNOLOGIES Co.,Ltd.

Assignor: BEIJING WATCH DATA SYSTEM Co.,Ltd.

Contract fulfillment period: 2009.1.1 to 2015.1.1

Contract record no.: 2009990000420

Denomination of invention: Building method and apparatus for application program with safety requirement

Granted publication date: 20090204

License type: Exclusive license

Record date: 20090505

LIC Patent licence contract for exploitation submitted for record

Free format text: EXCLUSIVE LICENSE; TIME LIMIT OF IMPLEMENTING CONTACT: 2009.1.1 TO 2015.1.1; CHANGE OF CONTRACT

Name of requester: BEIJING WOQI SMART SCIENCE + TECHNOLOGY CO., LTD.

Effective date: 20090505

CP01 Change in the name or title of a patent holder

Address after: 100015 Beijing city Chaoyang District Dongzhimen West eight Street No. 2 room Wanhong Yan Dong Business Garden

Patentee after: BEIJING WATCHDATA Co.,Ltd.

Address before: 100015 Beijing city Chaoyang District Dongzhimen West eight Street No. 2 room Wanhong Yan Dong Business Garden

Patentee before: BEIJING WATCH DATA SYSTEM Co.,Ltd.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090204