Method and apparatus for protecting code security

By using a customized interpreter and multi-layered encryption technology, the problem of code security protection is solved, ensuring that only legitimate users can use the code, preventing unauthorized migration, and achieving full lifecycle security protection for the code.

CN114329357BActive Publication Date: 2026-07-14ALIBABA (CHINA) CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
ALIBABA (CHINA) CO LTD
Filing Date
2021-12-24
Publication Date
2026-07-14

AI Technical Summary

Technical Problem

Existing technologies are insufficient to effectively protect code security, resulting in high code development costs and easy migration by customers, thus damaging the virtuous cycle of research and development and purchase and use.

Method used

It employs a customized interpreter and multi-layered encryption technology, encrypting the original code on the server side and decrypting it on the client side using identification information, ensuring that only authorized users can execute the code file.

Benefits of technology

It effectively prevents the unauthorized migration and use of code, improves code security, increases the difficulty of reverse engineering, and protects the security of code throughout its entire lifecycle.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN114329357B_ABST
    Figure CN114329357B_ABST
Patent Text Reader

Abstract

The embodiment of the present specification provides a method for protecting code security, comprising: a server acquires original code corresponding to a request issued by a first user based on a client thereof in response to the request; the server performs encryption processing based on the original code to obtain encrypted data by using identification information of the first user, and sends the encrypted data to the client; the client calls an interpreter to perform decryption processing on the encrypted data by using the identification information of the first user to obtain decrypted data; and the client determines a code file corresponding to the original code based on the decrypted data, and calls the interpreter to execute the code file.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This specification relates to one or more embodiments in the field of computer technology, and more particularly to a method and apparatus for protecting code security. Background Technology

[0002] Developing and writing code often takes a lot of time, but reproducing and migrating it is easy. Therefore, if the developed source code is delivered directly to the customer, the customer can easily migrate it for use, for example, to other systems or machines, which will disrupt the virtuous cycle between code development and purchase and use.

[0003] However, current methods for protecting code are limited and cannot meet the higher demands of real-world applications. Therefore, there is an urgent need for a solution that can deliver code products securely and easily to customers. Summary of the Invention

[0004] This specification describes one or more embodiments of a method and apparatus for protecting code security, which designs a customized interpreter that can only decrypt and use the code product, thereby preventing malicious users from migrating and using the code product.

[0005] According to a first aspect, a method for protecting code security is provided. The method includes: a server responding to a request issued by a first user based on its client, obtaining the original code corresponding to the request; the server using the first user's identification information to encrypt the original code, obtaining encrypted data, and sending the encrypted data to the client; the client invoking an interpreter to decrypt the encrypted data using the first user's identification information, obtaining decrypted data; and the client, based on the decrypted data, determining the code file corresponding to the original code, and invoking the interpreter to execute the code file.

[0006] In one embodiment, the server uses the identification information of the first user to perform encryption processing based on the original code, including: the server obtaining the identification information of the first user and generating a first key based on the identification information; and performing the encryption processing using the first key; the client calling an interpreter to decrypt the encrypted data using the identification information of the first user includes: the interpreter obtaining the identification information and generating a second key based on the identification information; and performing the decryption processing using the second key.

[0007] In one specific embodiment, the interpreter obtains the identification information by: the interpreter obtaining the identification information when the first user is authenticated.

[0008] In one embodiment, the server uses the first user's identification information to encrypt the original code to obtain encrypted data, including: encapsulating the original code into a function by inserting encapsulation code into the original code to obtain function implementation code; compiling the function implementation code to obtain a compiled file; encrypting the encapsulation code using the identification information to obtain the encrypted data; before the client determines the code file corresponding to the original code based on the decrypted data, the method further includes: the client receiving the compiled file from the server; the client determining the code file corresponding to the original code based on the decrypted data includes: the client calling the function based on the encapsulation code, thereby determining the compiled file corresponding to the function as the code file.

[0009] In one specific embodiment, the method further includes: the client displaying the encapsulated code to the first user, so that the first user can conduct algorithm development based on the encapsulated code.

[0010] In one specific embodiment, the original code is encapsulated into a function by inserting encapsulation code into the original code to obtain function implementation code, including: performing the encapsulation when it is determined that the original code does not belong to the pre-tagged complete code.

[0011] In one specific embodiment, the compilation process based on the function implementation code to obtain a compiled file includes: obfuscating the function implementation code to obtain an obfuscated file; and performing the compilation process on the obfuscated file to obtain the compiled file.

[0012] In one embodiment, the server uses the identification information of the first user to perform encryption processing on the original code to obtain encrypted data, including: constructing a syntax tree corresponding to the original code; performing the encryption processing on the syntax tree to obtain encrypted data; the client determines the code file corresponding to the original code based on the decrypted data, including: determining the syntax tree based on the decrypted data, and rendering the syntax tree into executable code as the code file.

[0013] In one specific embodiment, the encryption process based on the syntax tree includes: randomizing the syntax tree using a random seed to obtain randomized data, and storing the mapping relationship between the random seed and the randomized data; performing the encryption process based on the randomized data; and determining the syntax tree based on the decrypted data, including: determining the randomized data based on the decrypted data; obtaining the corresponding random seed from the server based on the randomized data; and performing derandomization processing on the randomized data using the random seed to obtain the syntax tree.

[0014] In a more specific embodiment, determining the random seed includes: the server generating the random seed based on the identification information and the current timestamp.

[0015] In another, more specific embodiment, the encryption process based on the randomized data includes: serializing the randomized data to obtain sequence data; compressing and encoding the sequence data to obtain encoded data; and encrypting the encoded data. Determining the randomized data based on the decrypted data includes: decoding the decrypted data to obtain the sequenced data; and deserializing the sequenced data to obtain the randomized data.

[0016] On the other hand, in a specific embodiment, constructing a syntax tree corresponding to the original code includes: constructing the syntax tree when it is determined that the original code belongs to pre-tagged complete code.

[0017] In one embodiment, before the client determines the code file corresponding to the original code based on the decrypted data, the method further includes: the client collecting hardware information of the hardware platform where the client is located by executing a hardware permission detection operator received from the server, and determining whether the hardware information is valid; the client determining the code file corresponding to the original code based on the decrypted data includes: determining the code file if the hardware information is determined to be valid.

[0018] In one embodiment, the original code is written based on the Python language; wherein, calling the interpreter to execute the code file includes: the interpreter generating an intermediate file in .pyc format corresponding to the code file; and the interpreter removing the intermediate file after completing the interpretation and execution of the intermediate file.

[0019] According to a second aspect, a system for protecting code security is provided. The system includes: a server, configured to respond to a request issued by a first user based on its client, and obtain the original code corresponding to the request; the server is further configured to: use the first user's identification information to encrypt the original code, obtaining encrypted data, and send the encrypted data to the client; the client is configured to: invoke an interpreter to decrypt the encrypted data using the first user's identification information, obtaining decrypted data; the client is further configured to: based on the decrypted data, determine the code file corresponding to the original code, and invoke the interpreter to execute the code file.

[0020] According to a third aspect, a computer-readable storage medium is provided having a computer program stored thereon, which, when executed in a computer, causes the computer to perform the method of the first aspect.

[0021] According to a fourth aspect, a computing device is provided, including a memory and a processor, wherein the memory stores executable code, and the processor, when executing the executable code, implements the method of the first aspect.

[0022] Using the methods and apparatus provided in the embodiments of this specification, the code products delivered to users can only be decrypted and used when legitimate users use a customized interpreter, thereby preventing unauthorized users from decrypting the code products. Furthermore, the difficulty of reverse engineering the code products is increased to reverse engineering the customized interpreter, thus effectively protecting code security and preventing the unauthorized migration and use of the code.

[0023] Furthermore, protection can be implemented throughout the entire lifecycle of code execution, including: the code layer (such as encapsulating, obfuscating, randomizing, serializing, compressing, and encrypting the source code), the compiler layer (such as performing compilation processing), the interpreter layer (including customized interpreters), the runtime layer (such as performing hardware permission checks), the scheduling layer (such as requiring users to provide account verification information when authorizing code use), and the physical layer (such as collecting current hardware information). In this way, malicious users must overcome each layer to have a chance of successfully reverse engineering, making the difficulty exponentially higher. This fully and effectively ensures code security, making it possible to output code products offline without leaking the core algorithm logic. Attached Figure Description

[0024] To more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings used in the following description of the embodiments will be briefly introduced. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0025] Figure 1 This specification illustrates the steps of a method for protecting code security as disclosed in an embodiment.

[0026] Figure 2 This diagram illustrates an implementation flow for determining encrypted data according to one embodiment.

[0027] Figure 3 This diagram illustrates an implementation flow for determining encrypted data according to another embodiment.

[0028] Figure 4 A schematic diagram illustrating the implementation process of determining encrypted data according to yet another embodiment is shown;

[0029] Figure 5 This diagram illustrates a multi-layered encryption code protection scheme structure according to one embodiment.

[0030] Figure 6 This diagram illustrates a system architecture for protecting code security as disclosed in the embodiments of this specification. Detailed Implementation

[0031] The solution provided in this specification will now be described with reference to the accompanying drawings.

[0032] As mentioned earlier, code writing often requires a significant amount of time. Especially in the field of artificial intelligence, the innovative development of deep learning model algorithms typically demands substantial human and time resources. Furthermore, the implementation of these algorithms is primarily based on the Python language, which is a dynamically interpreted language that executes code in plaintext. Therefore, the security protection of Python code is particularly urgent. However, current code protection methods are easily reverse-engineered or statically analyzed to reveal the algorithm's logic, making it difficult to meet higher security requirements.

[0033] Based on this, the inventors proposed a method to protect code security, which allows the decryption and use of code products only when legitimate users use a customized interpreter, thus preventing unauthorized users from decrypting the code products. Furthermore, the difficulty of reverse engineering code products is increased to reverse engineering a customized interpreter, thereby effectively protecting code security and preventing the unauthorized migration and use of code.

[0034] Figure 1 This diagram illustrates the steps of a method for protecting code security disclosed in embodiments of this specification. The method includes the following steps:

[0035] Step S110: The server responds to the request sent by the first user based on its client and obtains the original code corresponding to the request; Step S120: The server uses the first user's identification information to encrypt the original code to obtain encrypted data; Step S130: The server sends the encrypted data to the client; Step S140: The client calls the interpreter to decrypt the encrypted data using the first user's identification information to obtain decrypted data; Step S150: The client determines the code file corresponding to the original code based on the decrypted data; Step S160: The client calls the interpreter to execute the code file.

[0036] The steps above are explained in detail below:

[0037] First, in step S110, the server responds to the request issued by the first user based on its client and obtains the source code corresponding to the request. It should be understood that the first user can refer to any user, including individual users or enterprise users, and the first user's client login has its registered account; furthermore, the aforementioned source code can be source code, or plaintext code, written in any programming language, such as Python, C / C++, etc.

[0038] In one embodiment, the client displays descriptive information about multiple codes provided by the server to a first user, such as the functionality and price of each code, thereby receiving a selection instruction from the first user for one of the codes. Based on this selection instruction, the client generates a code usage request, or simply a request, and sends it to the server. In one embodiment, the request includes a code identifier, and the server can then obtain the corresponding original code based on this code identifier.

[0039] Based on the above, the server can obtain the original code, and in step S120, it can use the identification information of the first user to perform encryption processing on the original code to obtain encrypted data. It should be understood that the identification information is used to uniquely identify the first user, and may specifically be the first user's registered account, ID card number, mobile phone number, a string identifier assigned to the first user by the server, etc.

[0040] In this step, the data to be encrypted can be determined first based on the original code, and then the above-mentioned identification information can be used to encrypt the data to obtain the encrypted data, or simply encrypted data.

[0041] Regarding the determination of the data to be encrypted, in implementation method A, as follows: Figure 2As shown, by inserting wrapper code into the original code, the original code is encapsulated into a function, resulting in the function implementation code. At this point, the inserted wrapper code corresponds to the data to be encrypted. In one embodiment, the generation and insertion of the wrapper code can be automated using a wrapper decorator; in another embodiment, it can be written and manually inserted by a staff member.

[0042] On the other hand, in implementation method A, such as Figure 2 As shown, the code is also compiled based on the above function implementation to obtain a compiled file.

[0043] In one embodiment, the code implementing the aforementioned function can be directly compiled to obtain the compiled file. It should be understood that a compiler corresponding to the programming language of the original code can be used for compilation. For example, for Python code, the Cython compiler can be used to compile it, resulting in a compiled file in .so or .pyd format. This compiled file is a bytecode file, or binary file. Thus, the compiled file obtained by compiling the original code is difficult to crack, and at the same time, it can effectively improve subsequent execution performance.

[0044] In another embodiment, the code implementing the above function can first be obfuscated to obtain an obfuscated file, and then the obfuscated file can be compiled to obtain the compiled file. It should be understood that code obfuscation refers to transforming the source code of a computer program into a functionally equivalent but difficult-to-read and understand form. Implementation methods for code obfuscation include removing comments and documentation, changing indentation, renaming functions, classes, and variables, and inserting invalid code into blank lines. For example, libraries such as obfuscator can be used to implement code obfuscation. Thus, obfuscating the code before compilation increases the difficulty of decompilation, and even if decompilation is successful, it is difficult to analyze the true semantics of the program.

[0045] Therefore, in implementation method A, the above-mentioned compiled file and the data to be encrypted, i.e., the above-mentioned encapsulation code, can be obtained.

[0046] In implementation method B, such as Figure 3 As shown, a syntax tree (AST) corresponding to the original code is first constructed, and then the data to be encrypted is determined based on this syntax tree. It should be understood that the construction of an AST typically includes lexical analysis and syntax analysis to obtain tree-structured data. This can be implemented using existing methods, which will not be elaborated upon here.

[0047] In one embodiment, the aforementioned AST syntax tree can be directly used as the data to be encrypted.

[0048] In another embodiment, a random seed can be used to randomize the aforementioned AST syntax tree, resulting in randomized data. This randomized data is then used to determine the data to be encrypted. Simultaneously, the server can store the mapping relationship between the random seed and the randomized data. In a specific embodiment, the server can generate the random seed based on the first user's identifier and the current timestamp. In one example, the hash value obtained by hashing the identifier information and the current timestamp can be used as the random seed.

[0049] Furthermore, in one specific embodiment, the randomized data can be directly determined as the data to be encrypted. In another specific embodiment, the randomized data can be serialized to obtain sequence data, and then the sequence data can be compressed and encoded to obtain encoded data, which serves as the data to be encrypted. It should be understood that serialization is the process of converting the state information of an object into a form that can be stored or transmitted; for example, the above serialization process can be implemented using libraries such as pickle, json, or shelve. In addition, the above compression and encoding process can be implemented using base64 encoding or base32 encoding.

[0050] It should be noted that the randomization, serialization, and compression encoding processes mentioned above are essentially encrypting and protecting the AST syntax tree. The more layers of encryption protection there are, the more difficult it is for malicious users to reverse engineer the AST syntax tree, resulting in an exponential increase in the difficulty.

[0051] Therefore, in implementation method B, the data to be encrypted can be obtained, specifically the AST syntax tree, randomized data, or encoded data.

[0052] The above describes typical implementation methods A and B for determining the data to be encrypted. It should be understood that other implementation methods can also be used in practice. For example, the above-mentioned encapsulated code and compiled file can be used together to determine the data to be encrypted, or the above-mentioned serialized data can be used to determine the data to be encrypted, or the original code can be used to determine the data to be encrypted.

[0053] Alternatively, this step can be performed using any of the above-described implementation methods. Alternatively, the completeness of the original code can be considered, and a corresponding implementation method can be selected. In one embodiment, the server can classify and mark multiple copies of its developed original code. Specifically, code that is functionally complete and requires no additional development by the user is marked as complete code, while other code is marked as incomplete code. Based on this, in a specific embodiment, such as... Figure 4As shown, when the server determines that the original code obtained from the user's request is incomplete or incomplete, it processes the original code using Implementation Method A to obtain the corresponding data to be encrypted. At this point, the server can also deliver the encapsulated code generated in Implementation Method A to the first user, allowing the first user to perform additional algorithm development based on the encapsulated code. It should be understood that the encapsulated code is similar to a function interface; it does not expose the algorithmic logic of the original code. In another specific embodiment, when the server determines that the obtained original code is complete, it processes the original code using Implementation Method B to obtain the corresponding data to be encrypted.

[0054] Furthermore, for the data to be encrypted as identified above, the identification information of the first user can be used to encrypt it, thereby obtaining the encrypted data. For details, please refer to... Figure 2 , Figure 3 or Figure 4 .

[0055] In one embodiment, the server obtains the identification information of the first user, generates a first key based on this identification information, and then uses this first key for encryption. In one specific embodiment, the generation and use of the first key are based on a symmetric encryption algorithm, such as the Advanced Encryption Standard (AES) algorithm or the Data Encryption Standard (DES) algorithm, etc. In another specific embodiment, the generation and use of the first key can employ an asymmetric encryption algorithm, such as the RSA encryption algorithm or the Elgamal algorithm, etc. It should be understood that asymmetric encryption algorithms involve public and private keys, and the first key can be either the public key or the private key.

[0056] In another embodiment, the server performs hash processing on the aforementioned identification information to obtain the corresponding hash value; then, using this hash value as data coordinates, it encrypts the data to be encrypted. In one specific embodiment, a preset character, such as 0 or 1, is inserted after the character at the corresponding position in the data to be encrypted. In another specific embodiment, a preset mask is used to mask the character at the corresponding position in the data to be encrypted, for example, by adding 1 or 2.

[0057] Therefore, the server can encrypt the data to be encrypted using the first user's identification information to obtain the encrypted data. Then, in step S130, the server can send the encrypted data to the client.

[0058] In one embodiment, the server can also send the compiled files to the client.

[0059] In one embodiment, the server can also send a hardware license operator to the client. It's important to understand that a hardware license operator is essentially a piece of code that performs hardware verification at the runtime level, ensuring the code runs on a licensed machine.

[0060] As described above, the client can receive encrypted data and other code products from the server, and then perform data processing such as decryption to obtain an executable code file. Specifically, in step S140, the client first calls the interpreter to decrypt the encrypted data using the first user's identification information to obtain decrypted data. It should be noted that the interpreter disclosed in this embodiment is deployed on the client and is different from a conventional interpreter that can only run plaintext code. It is customized to have additional decryption capabilities. Thus, even if a user attempts to migrate the encrypted data to another system, the migration will fail because a conventional interpreter cannot directly interpret and execute it. Furthermore, this customized interpreter will not affect version compatibility. In addition, the interpreter needs the first user's identification information to decrypt the code product, thus restricting the users of the code product to specific legitimate users.

[0061] In one embodiment, the interpreter can directly perform the decryption process described above. In another embodiment, the interpreter can trigger authentication for the first user, and only perform the decryption process if the first user is successfully authenticated. It should be understood that if the first user has already undergone authentication when logging into the account, the authentication triggered in this step can be a secondary authentication. This enhances the reliability of the authentication result.

[0062] In one embodiment, the interpreter can obtain the identification information of the first user stored locally. In another embodiment, the interpreter can trigger the client to obtain the identification information of the first user from the server based on encrypted data.

[0063] It should be understood that the decryption process in this step is the reverse of the encryption process described above. Accordingly, the decrypted data successfully decrypted in this step is identical to the encrypted data described above. Therefore, in one embodiment, the interpreter generates a second key based on the aforementioned identification information, and then uses the second key for decryption. Further, in a specific embodiment, the generation and use of the second key are based on the aforementioned symmetric encryption algorithm; in this case, the second key is the same as the aforementioned first key. In another specific embodiment, the generation and use of the second key are based on the aforementioned asymmetric encryption algorithm; in this case, the second key and the aforementioned first key are either a public key or a private key, or both a private key and a public key. Thus, decryption can be performed using the second key.

[0064] In another embodiment, the interpreter hashes the aforementioned identification information to obtain a corresponding hash value; then, using this hash value as data coordinates, it decrypts the encrypted data. In one specific embodiment, the positions of preset characters inserted during encryption are deduced based on these data coordinates, and these preset characters are then removed to obtain the decrypted data. In another specific embodiment, the aforementioned preset mask is used to perform inverse masking on the characters at corresponding positions in the encrypted data, for example, by subtracting 1 or 2.

[0065] Therefore, the client can call a customized interpreter to decrypt the decrypted data and obtain the decrypted data, which corresponds to the data to be encrypted mentioned above. For more information, please refer to [link to relevant documentation]. Figure 2 or Figure 3 Then, in step S150, the client decrypts the data based on this and determines the code file corresponding to the original code described above.

[0066] In one embodiment, prior to this step, the method may further include: the client collecting hardware information of the client's hardware platform by executing the aforementioned hardware permission detection operator received from the server, and determining whether the hardware information is valid. Accordingly, this step may include: if the hardware information is determined to be valid, identifying the code file.

[0067] Furthermore, in a specific embodiment, the aforementioned hardware platform may be the local hardware of the client's terminal or the hardware of a remote machine, such as a machine cluster in a cloud resource pool.

[0068] In one specific embodiment, after collecting the hardware information of the aforementioned hardware platform, the client compares it with the registered hardware information. If they match, the hardware information is deemed valid; otherwise, it is deemed invalid. Further, in one example, the client can obtain the registered hardware information from the server; in another example, the hardware permission detection operator includes the registered hardware information written by the server. On the other hand, in one example, the registered hardware information may include hardware information of hardware pre-declared by the first user and approved by the server, or it may include hardware information of hardware instances already purchased by the first user in the cloud resource pool. In one example, the hardware information may include hardware identification information such as hardware serial number, Media Access Control Address (MAC), and root of trust.

[0069] In this way, by performing hardware detection and permission checks, it can be ensured that the code product is used on legitimate hardware, thereby preventing malicious users from illegally migrating the code product to other machines for use.

[0070] It should be noted that, since the decrypted data obtained from the decryption process corresponds to the data to be encrypted determined based on the original code, the method for determining the code file based on the decrypted data in this step is correspondingly related to the method for determining the data to be encrypted. For ease of understanding, the following mainly uses the determination of the data to be encrypted based on the above-described implementation methods A and B as an example to describe the method for determining the code file in this step.

[0071] Assuming the decrypted data corresponds to the data to be encrypted determined based on implementation method A above, and correspondingly, the decrypted data includes the encapsulation code described above, this step can be implemented using... Figure 2 The method shown is as follows: based on the encapsulated code, the function indicated therein is called, which is the function obtained by encapsulating the original code as described above, thereby determining the compiled file corresponding to this function as the code file mentioned above.

[0072] Assuming the decrypted data corresponds to the data to be encrypted determined based on implementation method B above, this step can be implemented as follows: Figure 3 The method shown is as follows: the AST syntax tree is determined based on the decrypted data, and this AST syntax tree is rendered into executable code as the code file. Regarding the determination of the AST syntax tree, in one embodiment, the decrypted data obtained from the decryption process includes the AST syntax tree. In another embodiment, the decrypted data includes the randomized data; correspondingly, a random seed with a mapping relationship can be obtained from the server based on this randomized data, and then the randomized data is de-randomized based on the obtained random seed to obtain the AST syntax tree. In yet another embodiment, the decrypted data includes the encoded data; correspondingly, the encoded data can be decoded to obtain the serialized data, and then deserialized based on this serialized data to obtain the randomized data; then, a random seed is obtained from the server based on this randomized data, and de-randomization is performed to obtain the AST syntax tree.

[0073] On the other hand, when the server determines the data to be encrypted, it selects the corresponding implementation method based on the completeness of the original code. Accordingly, in this step, the client can first determine whether the data to be decrypted corresponds to complete code. If it does not correspond to complete code, then... Figure 2 The code file is determined in the manner shown in the figure; otherwise, it is determined using... Figure 3 The method shown in the figure.

[0074] Based on the above, the client can determine the code file based on the decrypted data, including the compiled file mentioned above or the executable code rendered based on the AST syntax tree. Then, in step S160, the client calls the interpreter to execute the determined code file. Specifically, the client can call the interpreter to interpret and execute the compiled file or executable code.

[0075] In one embodiment, the executable code is Python code. Accordingly, in this step, the interpreter generates an intermediate file in .pyc format corresponding to the Python code, and removes the intermediate file after interpreting and executing it. It should be noted that the removal of the .pyc file can be achieved in various ways, such as setting environment variables or using the -B parameter during execution. Thus, the user cannot obtain the .pyc file and therefore cannot deduce the executable code from it.

[0076] As described above, the client can execute the code file by calling the interpreter to achieve the corresponding code functionality.

[0077] According to another embodiment, after the client calls the interpreter to execute the code file, the server updates the remaining license duration of the first user's license for the server's code product based on the client's feedback.

[0078] In summary, the code security protection method disclosed in the embodiments of this specification can only be used by legitimate users when they use a customized interpreter to decrypt and use the code product delivered to them. This prevents unauthorized users from decrypting the code product and increases the difficulty of reverse engineering the code product to reverse engineering the customized interpreter, thereby effectively protecting code security and preventing the unauthorized migration and use of the code.

[0079] Furthermore, protection is provided throughout the entire lifecycle of code execution, including: the code layer (such as encapsulating, obfuscating, randomizing, serializing, compressing and encrypting the source code), the compiler layer (such as performing compilation processing), the interpreter layer (including customized interpreters), the runtime layer (such as performing hardware permission checks), the scheduling layer (such as requiring users to provide account verification information when authorizing code use), and the physical layer (such as collecting current hardware information). In this way, malicious users must overcome each layer to have a chance of successfully reverse engineering, making the difficulty exponentially higher. This fully and effectively ensures code security, making it possible to output code products offline without leaking the core algorithm logic.

[0080] According to another embodiment, the scheme disclosed in the embodiments of this specification will be described below from the perspective of providing multi-layered encryption protection for the code throughout its entire lifecycle. Figure 5 The diagram illustrates a multi-layered encryption code protection scheme structure according to one embodiment, consisting of, from top to bottom, a code layer, a compiler layer, an interpreter layer, a scheduling layer, and a physical layer. It should be noted that when the original code to be protected is used to implement a model algorithm, an AI environment layer may also be included, located between the interpreter layer and the scheduling layer.

[0081] At the code level, according to one embodiment, code obfuscation can be performed on the original code. For example, the original code can be fully obfuscated, or the encapsulated function implementation code can be obfuscated. For instance, code obfuscation can be implemented using libraries such as obfuscator. According to another embodiment, partial functionalities can be encapsulated in the original code. For example, wrapper code can be inserted into the original code to obtain the function implementation code. According to yet another embodiment, an AST (Abstract Syntax Tree) corresponding to the original code can be constructed, and encryption / decryption can be performed using the AST to prevent reverse engineering at the lexical and semantic analysis levels. In a specific embodiment, the encryption / decryption of the AST includes serialization, deserialization, encoding, and decoding operations. For instance, serialization and deserialization can be implemented using libraries such as pickle, and encoding and decryption can be implemented using libraries such as base64.

[0082] At the compiler level, the original plaintext code can be compile-wise encrypted to obtain a compiled file. In one embodiment, the original plaintext Python code can be compiled, converting the .pyc file into a .so / .pyd binary file. In another specific embodiment, the Cython compiler can be used to perform secondary encryption at the C language level on the Python code, raising the security level to that of a C / C++ binary file. This prevents Python and .pyc files from being easily decompiled to obtain the plaintext source code.

[0083] At the interpreter layer, including the customized interpreter implemented in the embodiments of this specification, the file is essentially a binary file. Decryption requires assembly-level reverse engineering capabilities, making it extremely difficult. Internally, the interpreter performs the decryption operation, requiring the user to input personal information such as their client account to obtain a license secret. This secret is then input into a symmetric cryptographic algorithm (such as AES) for decryption before the file can be executed. Furthermore, the interpreter eliminates the generation of intermediate .pyc files, ensuring that users cannot obtain the actual running source code.

[0084] At the AI ​​environment layer, for actual deep learning model algorithms, when implementing the algorithm, a specific hardware permission detection operator (license-operator) is inserted on top of the corresponding framework (including mainstream frameworks such as TensorFlow, PyTorch, and MXNet). This operator can perform verification at the runtime level, mainly to detect the current hardware and ensure that it runs on a licensed machine.

[0085] At the scheduling layer, which mainly targets two types of scenarios: Virtual Machines (VMs) and Docker containers, users need to provide account information for verification to ensure that the code is authorized to the right users.

[0086] At the physical layer, the main focus is on extracting unique identifiers for specific machine hardware, including instance ID, MAC address, and trusted root, to ensure that the offline output of the original code runs on legitimate hardware.

[0087] As described above, through multi-layered encryption, the execution of the code is protected throughout its entire lifecycle. In this way, malicious users must overcome each layer to have a chance of successfully reverse engineering, which is an exponentially difficult challenge. This fully and effectively ensures code security, making it possible to output code products offline without leaking the core algorithm logic.

[0088] Corresponding to the protection methods described above, embodiments of this specification also disclose a system for protecting code security. Figure 6 This specification illustrates a schematic diagram of the system architecture for protecting code security as disclosed in the embodiments, such as... Figure 6 As shown, the system 600 includes:

[0089] Server 610 is configured to respond to a request from a first user based on its client 620, obtain the original code corresponding to the request, and, using the first user's identification information, encrypt the original code to obtain encrypted data, and send the encrypted data to the client 620. Client 620 is configured to call interpreter 621 to decrypt the encrypted data using the first user's identification information to obtain decrypted data, and, based on the decrypted data, determine the code file corresponding to the original code, and call interpreter 621 to execute the code file.

[0090] In one embodiment, server 610 performs the above encryption process, specifically including: obtaining the identification information of the first user, generating a first key based on the identification information, and performing the encryption process using the first key. Client 620 calls interpreter 621 to perform the above decryption process, specifically including: interpreter 621 obtaining the identification information, generating a second key based on the identification information, and performing the decryption process using the second key.

[0091] In one specific embodiment, the interpreter 621 obtains the identification information by: the interpreter 621 obtaining the identification information when the first user is authenticated.

[0092] In one embodiment, the server 610 is used to obtain encrypted data, specifically by: encapsulating the original code into a function by inserting encapsulation code into the original code to obtain function implementation code; compiling the function implementation code to obtain a compiled file; and encrypting the encapsulation code using the identification information to obtain the encrypted data. The client 620 is further used to: receive the compiled file from the server 610. The client 620 is used to determine the code file, specifically by: calling the function based on the encapsulation code, thereby determining the compiled file corresponding to the function as the code file.

[0093] In one specific embodiment, the client 620 is further configured to: display the encapsulated code to the first user, so that the first user can conduct algorithm development based on the encapsulated code.

[0094] In one specific embodiment, the server 610 is used to perform the above encapsulation, specifically including: performing the encapsulation when it is determined that the original code does not belong to the pre-tagged complete code.

[0095] In a specific embodiment, the server 610 specifically performs the above-mentioned compilation process, which includes: obfuscating the function implementation code to obtain an obfuscated file; and performing the compilation process on the obfuscated file to obtain the compiled file.

[0096] In one embodiment, the server 610 is used to obtain encrypted data, specifically including: constructing a syntax tree corresponding to the original code; and performing the encryption process based on the syntax tree to obtain encrypted data. The client 620 is used to determine the code file, specifically including: determining the syntax tree based on the decrypted data, and rendering the syntax tree into executable code as the code file.

[0097] In one specific embodiment, the server 610 is used to perform the above encryption process, specifically including: randomizing the syntax tree using a random seed to obtain randomized data, and storing the mapping relationship between the random seed and the randomized data; and performing the encryption process based on the randomized data. The client 620 is used to determine the syntax tree, specifically including: determining the randomized data based on the decrypted data; obtaining the corresponding random seed from the server 610 based on the randomized data; and performing derandomization processing on the randomized data using the random seed to obtain the syntax tree.

[0098] In one example, the server 610 is further configured to: generate the random seed based on the identification information and the current timestamp.

[0099] In another example, the server 610 is used to perform the encryption process based on the randomized data, specifically including: serializing the randomized data to obtain sequence data; compressing and encoding the sequence data to obtain encoded data; and encrypting the encoded data. The client 620 is used to determine the randomized data based on the decrypted data, specifically including: decoding the decrypted data to obtain the serialized data; and deserializing the serialized data to obtain the randomized data.

[0100] On the other hand, in a specific embodiment, the server 610 is used to construct a syntax tree corresponding to the original code, specifically including: constructing the syntax tree when it is determined that the original code belongs to pre-tagged complete code.

[0101] In one embodiment, the client 620 is further configured to: collect hardware information of the hardware platform where the client 620 is located by executing a hardware permission detection operator received from the server 610, and determine whether the hardware information is valid. The client 620 is configured to determine a code file, specifically including: determining the code file if the hardware information is determined to be valid.

[0102] In one embodiment, the original code is written based on the Python language; the client 620 is used to call the interpreter 621 to execute the code file, specifically including: calling the interpreter 621 to generate an intermediate file in pyc format corresponding to the code file, and removing the intermediate file after completing the interpretation and execution of the intermediate file.

[0103] According to another embodiment, a computer-readable storage medium is also provided, on which a computer program is stored, which, when executed in a computer, causes the computer to perform a combination Figure 1 or Figure 2 or Figure 3 or Figure 4 The method described.

[0104] According to another embodiment, a computing device is also provided, including a memory and a processor, wherein the memory stores executable code, and when the processor executes the executable code, it implements a combination... Figure 1 or Figure 2 or Figure 3 or Figure 4 The method described.

[0105] Those skilled in the art will recognize that, in one or more of the examples above, the functions described in this invention can be implemented using hardware, software, firmware, or any combination thereof. When implemented in software, these functions can be stored in a computer-readable medium or transmitted as one or more instructions or code on a computer-readable medium.

[0106] The specific embodiments described above further illustrate the purpose, technical solution, and beneficial effects of the present invention. It should be understood that the above description is only a specific embodiment of the present invention and is not intended to limit the scope of protection of the present invention. Any modifications, equivalent substitutions, improvements, etc., made on the basis of the technical solution of the present invention should be included within the scope of protection of the present invention.

Claims

1. A method for protecting code security, comprising: The server responds to the request made by the first user based on their client and obtains the source code corresponding to that request; The server determines whether the original code belongs to pre-tagged complete code; If the original code is not part of the pre-tagged complete code, the server encapsulates the original code into a function by inserting encapsulation code into the original code, thereby obtaining the function implementation code; The code based on the function implementation is compiled to obtain a compiled file; The encapsulation code is encrypted using the identification information of the first user to obtain encrypted data, and the encrypted data and the compiled file are sent to the client. If the original code is pre-tagged complete code, the server constructs a syntax tree corresponding to the original code; based on the syntax tree and the identification information of the first user, it performs encryption processing to obtain encrypted data, and sends the encrypted data to the client; The client calls the interpreter to decrypt the encrypted data using the first user's identification information, thereby obtaining decrypted data; Based on the decrypted data, the client determines the code file corresponding to the original code and calls the interpreter to execute the code file.

2. The method according to claim 1, wherein, The interpreter obtains the identification information, including: The interpreter obtains the identification information when the first user is authenticated.

3. The method according to claim 1, wherein, Before the client determines the code file corresponding to the original code based on the decrypted data, the method further includes: the client receiving the compiled file from the server; The client determines the code file corresponding to the original code based on the decrypted data, including: the client calls the function based on the encapsulated code, thereby determining the compiled file corresponding to the function as the code file.

4. The method according to claim 3, wherein, The method further includes: The client displays the encapsulated code to the first user, enabling the first user to develop algorithms based on the encapsulated code.

5. The method according to claim 3, wherein, The code implementing the function is compiled to obtain a compiled file, including: The code implementation of the function is obfuscated to obtain an obfuscated file; The obfuscated file is then subjected to the compilation process to obtain the compiled file.

6. The method according to claim 1, wherein, The client determines the code file corresponding to the original code based on the decrypted data, including: determining the syntax tree based on the decrypted data, and rendering the syntax tree into executable code as the code file.

7. The method according to claim 6, wherein, The encryption process based on the syntax tree includes: randomizing the syntax tree using a random seed to obtain randomized data, and storing the mapping relationship between the random seed and the randomized data; and performing the encryption process based on the randomized data. Determining the syntax tree based on the decrypted data includes: determining the randomized data based on the decrypted data; obtaining the corresponding random seed from the server based on the randomized data; and performing derandomization processing on the randomized data using the random seed to obtain the syntax tree.

8. The method according to claim 7, wherein, The determination of the random seed includes: The server generates the random seed based on the identifier information and the current timestamp.

9. The method according to claim 7, wherein, The encryption process based on the randomized data includes: serializing the randomized data to obtain sequence data; compressing and encoding the sequence data to obtain encoded data; and encrypting the encoded data. Determining the randomized data based on the decrypted data includes: decoding the decrypted data to obtain the serialized data; and deserializing the serialized data to obtain the randomized data.

10. The method according to claim 1, wherein, Before the client determines the code file corresponding to the original code based on the decrypted data, the method further includes: the client collecting hardware information of the hardware platform where the client is located by executing a hardware permission detection operator received from the server, and determining whether the hardware information is legal; The client determines the code file corresponding to the original code based on the decrypted data, including: determining the code file if the hardware information is deemed valid.

11. The method according to claim 1, wherein, The original code is written in Python; wherein, calling the interpreter to execute the code file includes: The interpreter generates an intermediate file in pyc format corresponding to the code file; After the interpreter completes the interpretation and execution of the intermediate file, it removes the intermediate file.