A script program trust measurement method and system for an interpreted language

By using dynamic hooking technology to monitor and intercept the execution of script programs, the problem of difficulty in intercepting script trojans in existing technologies is solved, the trustworthiness of script programs is measured, and the security of trusted computing environments is improved.

CN122153877APending Publication Date: 2026-06-05CHINESE PEOPLES LIBERATION ARMY UNIT 96901

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
CHINESE PEOPLES LIBERATION ARMY UNIT 96901
Filing Date
2026-01-26
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

Existing trusted computing technologies are insufficient to effectively intercept more sophisticated script trojans, especially script programs executed using legitimate script interpreters, resulting in inadequate security.

Method used

By monitoring and intercepting the execution of script programs through dynamic hooking technology, obtaining their content and calculating hash values, and comparing them with a list of expected metrics, illegal execution is blocked, thereby achieving a reliable metric for script programs.

Benefits of technology

Without modifying system files and the original interpreter code, it effectively intercepts and detects malicious scripts, thus improving the security of the trusted computing environment.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122153877A_ABST
    Figure CN122153877A_ABST
Patent Text Reader

Abstract

The application provides a script program credibility measurement method and system for an interpretive language, and is used in the technical field of network security. The method comprises the following steps: scanning and traversing script program files in a credibility measurement terminal to obtain a list of expected measurement values; in the process of normal operation of the credibility measurement terminal, for two execution modes of command line parameter execution and runtime dynamic loading, the dynamic hook technology is used to intercept before the execution of the script program, the content of the script program is obtained, and the current measurement value is calculated; the current measurement value is compared with the expected measurement value, and the execution of the script program is blocked or allowed according to the comparison result, so that the credibility measurement of the script program is realized without modifying system files and compiler program files. The application can solve the problem that malicious script programs are difficult to be detected and intercepted, and improve the security of the trusted computing environment.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention belongs to the field of network security technology, and in particular relates to a method and system for measuring the trustworthiness of script programs for interpreted languages. Background Technology

[0002] In the field of trusted computing, existing mainstream technologies perform integrity measurements on binary programs, comparing the measurement results with reference values ​​to ensure that only authorized and legitimate programs can run. This has proven very effective in intercepting unknown binary viruses and Trojans. However, with the continuous development of network attack and defense technologies, attackers are increasingly using more stealthy script Trojans, which are executed by legitimate script interpreters, bypassing the interception of existing trusted computing protection measures.

[0003] Currently, commonly used interpreted languages ​​include Linux Bash, Python, Perl, Lua, Shell JS, Java, and Ruby. Compared to the single method of loading and starting binary programs via system calls, scripts in these languages ​​have two execution methods. One is to use the format "script interpreter + optional configuration items + script path," executing the script program through command-line arguments from the script interpreter; the other is to dynamically load and execute the script program during the script interpreter's runtime. Considering that both execution methods require the participation of the script interpreter, and that the script interpreter itself is a binary executable program, analyzing and controlling the behavior of the script interpreter to achieve trustworthiness measurement of script programs is of great significance for building a more secure and reliable trusted computing environment. Summary of the Invention

[0004] In view of the above-mentioned technological status, this invention proposes a method and system for measuring the credibility of script programs for interpreted languages.

[0005] This invention discloses a method for measuring the credibility of script programs for interpreted languages, the method comprising: Step 1: Configure the script type to be used for trust measurement in the trusted terminal; Step 2: Based on the file extension of the specified script program type, scan and traverse the script program files in the trusted terminal, read the contents of each script program file one by one and calculate the file hash value to obtain a list of expected metric values ​​in the form of <path, program type, hash value> triples; Step 3: Monitor and intercept the execution of specified script programs in trusted terminals. The execution operations are divided into command line parameter execution and runtime dynamic loading. Command line parameter execution proceeds to step 4, and runtime dynamic loading proceeds to step 5. Step 4: Parse the command-line arguments of the script interpreter process to obtain the path and type of the script to be executed, and proceed to Step 6; Step 5: Based on the interpreter process of the loaded module, determine the type of the script program to be loaded, search for the module name in the loading directory, and obtain the path of the script program to be loaded; Step 6: Take the script program to be executed or loaded as the measurement object, read the file content of the measurement object and calculate the file hash value, compare the <path, program type, hash value> triple of the measurement object with the expected measurement value list. If the path is not in the list or the corresponding type and hash value are inconsistent with the values ​​in the list, the measurement is determined to fail and proceed to step 7; otherwise, the measurement is determined to pass and proceed to step 8. Step 7: Block the execution or dynamic loading of the measurement object, generate an alarm log message indicating illegal execution of the script program, and return to Step 3 to continue the measurement process; Step 8: Allow the execution or dynamic loading of the measurement object, then return to Step 3 to continue the measurement process.

[0006] According to the method of the first aspect of the present invention, multiple types of script programs are simultaneously subjected to trust measurement, and the type of script program to be measured is determined according to the system operating environment of the trusted terminal and the actual needs of the user.

[0007] According to the method of the first aspect of the present invention, the measurement objects include the source file and intermediate compiled file of the script program, and the execution of the script program is intercepted without modifying the system file and the original code of the interpreter by dynamically hooking the system command execution operation and the program interpreter loading operation.

[0008] A second aspect of this invention proposes a trustworthiness measurement system for script programs in interpreted languages, the system comprising: The configuration management module is configured to: provide a user configuration interface, interact with the user to obtain the type of script program to be trusted for measurement, start the initialization collection module and process execution interception module according to user instructions, display alarm logs of illegal script program execution to the user and store them in the database; The initialization acquisition module is configured to: traverse and scan the acquisition script program files in the trusted terminal, read the contents of each script program file one by one, call the trusted computing module to calculate the file hash value, form a list of expected metric values ​​and store them in the database; The trusted computing module is configured to calculate the hash value of script program files. The database is configured to store a list of script program metrics and alarm logs for intercepting illegal script program execution. The process execution interception module is configured to: monitor and intercept process startup operations in trusted terminals, filter the interpreter process of a specified script program, send the path of the script program to be executed to the judgment module for judgment, prevent the interpreter process from starting based on the returned judgment result, and send the dynamic loading interception module corresponding to the interpreter process to the configuration management module or start the dynamic loading interception module corresponding to the interpreter process. The dynamic loading interception module is configured to: monitor and intercept the dynamic loading operation of the interpreter process, call the decision module to determine the path of the script program to be loaded, and based on the returned decision result, prevent the script program from loading and send an alarm log to the configuration management module, or allow the script program to load. The decision module is configured to: read the file content of the measurement object and call the trusted computing module to calculate the hash value, look up the corresponding hash value of the measurement object in the database, and return the measurement result to the process execution interception module and the dynamically loaded interception module.

[0009] According to the system of the second aspect of the present invention, all modules except the trusted computing module are implemented in software and run in the same trusted terminal as the measurement object, and have system-level running permissions; the trusted computing module is implemented in hardware, or in a combination of software and hardware.

[0010] In summary, based on the analysis of the scripting language interpreter's operating mechanism, this invention employs dynamic hooking technology to intercept script programs before execution, targeting both command-line parameter execution and runtime dynamic loading. This allows for the acquisition of script program content and verification of its integrity, achieving a trust measurement of script programs without modifying system files or compiler program files. This solves the problem of malicious script programs being difficult to detect and intercept, further enhancing the security of trusted computing environments. Attached Figure Description

[0011] To more clearly illustrate the specific embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the specific embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are some embodiments of the present invention. For those skilled in the art, other drawings can be obtained from these drawings without creative effort.

[0012] Figure 1 This is a flowchart of a script program credibility measurement method for interpreted languages ​​according to an embodiment of the present invention; Figure 2 This is a structural diagram of a script program credibility measurement system for interpreted languages ​​according to an embodiment of the present invention. Detailed Implementation

[0013] To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0014] This invention discloses a method for measuring the credibility of script programs for interpreted languages, such as... Figure 1 As shown, the method includes: Step 1: Configure the script type to be used for trust measurement in the trusted terminal; Step 2: Based on the file extension of the specified script program type, scan and traverse the script program files in the trusted terminal, read the contents of each script program file one by one and calculate the file hash value to obtain a list of expected metric values ​​in the form of <path, program type, hash value> triples; Step 3: Monitor and intercept the execution of specified script programs in trusted terminals. The execution operations are divided into command line parameter execution and runtime dynamic loading. Command line parameter execution proceeds to step 4, and runtime dynamic loading proceeds to step 5. Step 4: Parse the command-line arguments of the script interpreter process to obtain the path and type of the script to be executed, and proceed to Step 6; Step 5: Based on the interpreter process of the loaded module, determine the type of the script program to be loaded, search for the module name in the loading directory, and obtain the path of the script program to be loaded; Step 6: Take the script program to be executed or loaded as the measurement object, read the file content of the measurement object and calculate the file hash value, compare the <path, program type, hash value> triple of the measurement object with the expected measurement value list. If the path is not in the list or the corresponding type and hash value are inconsistent with the values ​​in the list, the measurement is determined to fail and proceed to step 7; otherwise, the measurement is determined to pass and proceed to step 8. Step 7: Block the execution or dynamic loading of the measurement object, generate an alarm log message indicating illegal execution of the script program, and return to Step 3 to continue the measurement process; Step 8: Allow the execution or dynamic loading of the measurement object, then return to Step 3 to continue the measurement process.

[0015] According to the method of the first aspect of the present invention, multiple types of script programs are simultaneously subjected to trust measurement, and the type of script program to be measured is determined according to the system operating environment of the trusted terminal and the actual needs of the user.

[0016] According to the method of the first aspect of the present invention, the measurement objects include the source file and intermediate compiled file of the script program, and the execution of the script program is intercepted without modifying the system file and the original code of the interpreter by dynamically hooking the system command execution operation and the program interpreter loading operation.

[0017] A second aspect of this invention proposes a trustworthiness measurement system for script programs in interpreted languages, such as... Figure 2 As shown, the system includes: The configuration management module is configured to: provide a user configuration interface, interact with the user to obtain the type of script program to be trusted for measurement, start the initialization collection module and process execution interception module according to user instructions, display alarm logs of illegal script program execution to the user and store them in the database; The initialization acquisition module is configured to: traverse and scan the acquisition script program files in the trusted terminal, read the contents of each script program file one by one, call the trusted computing module to calculate the file hash value, form a list of expected metric values ​​and store them in the database; The trusted computing module is configured to calculate the hash value of script program files. The database is configured to store a list of script program metrics and alarm logs for intercepting illegal script program execution. The process execution interception module is configured to: monitor and intercept process startup operations in trusted terminals, filter the interpreter process of a specified script program, send the path of the script program to be executed to the judgment module for judgment, prevent the interpreter process from starting based on the returned judgment result, and send the dynamic loading interception module corresponding to the interpreter process to the configuration management module or start the dynamic loading interception module corresponding to the interpreter process. The dynamic loading interception module is configured to: monitor and intercept the dynamic loading operation of the interpreter process, call the decision module to determine the path of the script program to be loaded, and based on the returned decision result, prevent the script program from loading and send an alarm log to the configuration management module, or allow the script program to load. The decision module is configured to: read the file content of the measurement object and call the trusted computing module to calculate the hash value, look up the corresponding hash value of the measurement object in the database, and return the measurement result to the process execution interception module and the dynamically loaded interception module.

[0018] According to the system of the second aspect of the present invention, the dynamic loading interception module intercepts dynamic loading operations for each type of script program, such as Python, Perl, Lua, Java, and Ruby, through a dedicated dynamic loading interception module. Based on the type of script program to be measured specified by the user, the corresponding dynamic loading interception module runs as an independent process, with each module operating independently and enabling parallel script program measurement. Furthermore, different dynamic loading interception modules are used for different versions of script interpreters, such as Python 2 and Python 3, achieving compatibility with various script execution environments.

[0019] According to the system of the second aspect of the present invention, all modules except the trusted computing module are implemented in software and run in the same trusted terminal as the measurement object, and have system-level running permissions; the trusted computing module is implemented in hardware, or in a combination of software and hardware.

[0020] In summary, based on the analysis of the scripting language interpreter's operating mechanism, this invention employs dynamic hooking technology to intercept script programs before execution, targeting both command-line parameter execution and runtime dynamic loading. This allows for the acquisition of script program content and verification of its integrity, achieving a trust measurement of script programs without modifying system files or compiler program files. This solves the problem of malicious script programs being difficult to detect and intercept, further enhancing the security of trusted computing environments.

[0021] Please note that the technical features of the above embodiments can be combined arbitrarily. For the sake of brevity, not all possible combinations of the technical features in the above embodiments have been described. However, as long as the combination of these technical features does not contradict each other, it should be considered within the scope of this specification. The above embodiments only illustrate several implementations of the present invention, and their descriptions are relatively specific and detailed, but they should not be construed as limiting the scope of the invention patent. It should be pointed out that for those skilled in the art, several modifications and improvements can be made without departing from the concept of the present invention, and these all fall within the protection scope of the present invention. Therefore, the protection scope of the present invention should be determined by the appended claims.

Claims

1. A method for measuring the credibility of script programs for interpreted languages, characterized in that, The method includes: Step 1: Configure the script type to be used for trust measurement in the trusted terminal; Step 2: Based on the file extension of the specified script program type, scan and traverse the script program files in the trusted terminal, read the contents of each script program file one by one and calculate the file hash value to obtain a list of expected metric values ​​in the form of <path, program type, hash value> triples; Step 3: Monitor and intercept the execution of specified script programs in trusted terminals. The execution operations are divided into command line parameter execution and runtime dynamic loading. Command line parameter execution proceeds to step 4, and runtime dynamic loading proceeds to step 5. Step 4: Parse the command-line arguments of the script interpreter process to obtain the path and type of the script to be executed, and proceed to Step 6; Step 5: Based on the interpreter process of the loaded module, determine the type of the script program to be loaded, search for the module name in the loading directory, and obtain the path of the script program to be loaded; Step 6: Take the script program to be executed or loaded as the measurement object, read the file content of the measurement object and calculate the file hash value, compare the <path, program type, hash value> triple of the measurement object with the expected measurement value list. If the path is not in the list or the corresponding type and hash value are inconsistent with the values ​​in the list, the measurement is determined to fail and proceed to step 7; otherwise, the measurement is determined to pass and proceed to step 8. Step 7: Block the execution or dynamic loading of the measurement object, generate an alarm log message indicating illegal execution of the script program, and return to Step 3 to continue the measurement process; Step 8: Allow the execution or dynamic loading of the measurement object, then return to Step 3 to continue the measurement process.

2. The method for measuring the credibility of script programs for interpreted languages ​​according to claim 1, characterized in that, Simultaneously, trustworthiness measurement is performed on various types of script programs, and the type of script program to be measured is determined based on the system operating environment of the trusted terminal and the actual needs of the user.

3. The method for measuring the credibility of script programs for interpreted languages ​​according to claim 2, characterized in that, The measurement objects include the source files and intermediate compiled files of the script program, and the execution of the script program is intercepted without modifying the system files and the original code of the interpreter by dynamically hooking the system command execution operation and the program interpreter loading operation.

4. A trustworthiness measurement system for script programs in interpreted languages, characterized in that, The system includes: The configuration management module is configured to: provide a user configuration interface, interact with the user to obtain the type of script program to be trusted for measurement, start the initialization collection module and process execution interception module according to user instructions, display alarm logs of illegal script program execution to the user and store them in the database; The initialization acquisition module is configured to: traverse and scan the acquisition script program files in the trusted terminal, read the contents of each script program file one by one, call the trusted computing module to calculate the file hash value, form a list of expected metric values ​​and store them in the database; The trusted computing module is configured to calculate the hash value of script program files. The database is configured to store a list of script program metrics and alarm logs for intercepting illegal script program execution. The process execution interception module is configured to: monitor and intercept process startup operations in trusted terminals, filter the interpreter process of a specified script program, send the path of the script program to be executed to the judgment module for judgment, prevent the interpreter process from starting based on the returned judgment result, and send the dynamic loading interception module corresponding to the interpreter process to the configuration management module or start the dynamic loading interception module corresponding to the interpreter process. The dynamic loading interception module is configured to: monitor and intercept the dynamic loading operation of the interpreter process, call the decision module to determine the path of the script program to be loaded, and based on the returned decision result, prevent the script program from loading and send an alarm log to the configuration management module, or allow the script program to load. The decision module is configured to: read the file content of the measurement object and call the trusted computing module to calculate the hash value, look up the corresponding hash value of the measurement object in the database, and return the measurement result to the process execution interception module and the dynamically loaded interception module.

5. The method for measuring the credibility of script programs for interpreted languages ​​according to claim 4, characterized in that, Except for the trusted computing module, all other modules are implemented in software and run on the same trusted terminal as the measurement object, with system-level running permissions; the trusted computing module is implemented in hardware, or in a combination of software and hardware.