How to verify from server that client code hasn't been modified


Question

I have a java server that communicates with a java client via json-rpc. The client is supposed to report internal stats to the server which modifies the server's behaviour. Both client and server components are written in house so I can control what the client does and how it reports stats but is there a way I can verify that the client code hasn't been modified? If it has it will still service the client but using some default behaviours.

The clients will be publicly available so it's not a big deal for someone to decompile them and alter behaviours.

Simply having the client send a signature of the code is no good because it could be easily spoofed by keeping an original copy of the client alongside the modified one.

Solution

You can't. You essentially have no way of knowing what code is running on the client, and none of your program logic should rely on treating the client as "trusted". All access control, validation etc should be done on the server (or in both places).

Certain specialist environments (e.g. code embedded on a smart card, or devices such as games consoles whose OS is designed to only run signed code) give you a bit more of a guarantee because of the increased difficulty of reverse engineering/gaining appropriate control of the device. But even these aren't infallible (look at the iPhone or any console and see how long it took for the devices to be 'cracked' compared with the interest in doing so to give you an idea of the level of security).
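The practical consequence of the answer above, as an added example that is not part of the original question or answer: instead of trying to prove what code the client runs, the server treats every client-reported stat as untrusted input, validates it against server-owned bounds, and falls back to default behaviour whenever a report is missing, malformed or out of range. This is how the "still service the client but using some default behaviours" requirement from the question can be met without trusting the client at all. The class, field names, bounds and the two sample reports are assumptions constructed for illustration; the JSON-RPC decoding itself (which hands the handler a `Map` of params) is left to whatever library the server uses.

```java
// Added example (not from the original question or answer): a server-side
// policy that treats client-reported stats as untrusted JSON-RPC params.
// Every field is checked against server-defined bounds and replaced by a
// default when it cannot be accepted, so a modified client can only move
// the server within the envelope the server itself defines.
// Class name, field names and bounds are assumptions for illustration.
import java.util.Map;

public final class ClientStatsPolicy {

    /** Server-side bounds; nothing the client sends can widen these. */
    static final int MIN_BATCH = 1, MAX_BATCH = 100, DEFAULT_BATCH = 10;
    static final long MIN_INTERVAL_MS = 1_000L, MAX_INTERVAL_MS = 60_000L,
            DEFAULT_INTERVAL_MS = 5_000L;

    /** The behaviour the server will actually apply for this client. */
    public record Behaviour(int batchSize, long pollIntervalMs, boolean usedDefaults) {}

    /**
     * Derive behaviour from the decoded "params" object of a stats report.
     * Anything the server cannot verify is replaced by a default rather than
     * trusted; usedDefaults lets the caller log or alert on rejected reports.
     */
    public static Behaviour fromReport(Map<String, Object> params) {
        if (params == null) {
            return defaults();
        }
        Integer batch = asInt(params.get("batchSize"));
        Long interval = asLong(params.get("pollIntervalMs"));

        boolean usedDefaults = false;
        int batchSize;
        if (batch == null || batch < MIN_BATCH || batch > MAX_BATCH) {
            batchSize = DEFAULT_BATCH;
            usedDefaults = true;
        } else {
            batchSize = batch;
        }
        long pollInterval;
        if (interval == null || interval < MIN_INTERVAL_MS || interval > MAX_INTERVAL_MS) {
            pollInterval = DEFAULT_INTERVAL_MS;
            usedDefaults = true;
        } else {
            pollInterval = interval;
        }
        return new Behaviour(batchSize, pollInterval, usedDefaults);
    }

    /** Behaviour applied when no usable report is available. */
    public static Behaviour defaults() {
        return new Behaviour(DEFAULT_BATCH, DEFAULT_INTERVAL_MS, true);
    }

    // JSON decoders hand back Number subclasses (Integer, Long, Double, ...);
    // accept only whole numbers that fit the target type, reject everything else.
    private static Integer asInt(Object v) {
        if (v instanceof Number n
                && n.doubleValue() == Math.rint(n.doubleValue())
                && n.longValue() >= Integer.MIN_VALUE
                && n.longValue() <= Integer.MAX_VALUE) {
            return n.intValue();
        }
        return null;
    }

    private static Long asLong(Object v) {
        if (v instanceof Number n && n.doubleValue() == Math.rint(n.doubleValue())) {
            return n.longValue();
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample reports: one within bounds, one that a tampered
        // client might send to push the server outside its limits.
        Map<String, Object> inRange = Map.of("batchSize", 20, "pollIntervalMs", 10_000L);
        Map<String, Object> outOfRange = Map.of("batchSize", 100_000, "pollIntervalMs", 1L);
        System.out.println(fromReport(inRange));
        System.out.println(fromReport(outOfRange));
        System.out.println(fromReport(null));
    }
}
```

The point of the design is that the server never asks "is this client genuine?", only "is this value one I am willing to act on?". The `usedDefaults` flag is the detection hook: a client that repeatedly triggers defaults is worth logging, since that is exactly the signal a modified client produces, and the server gets it without any cooperation from the client.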
