Software Access Licensing and Behavior Control Method for Critical Information Infrastructure

  • Abstract (translated from the Chinese): Addressing the absence of software deployment licensing and runtime behavior supervision in critical information infrastructure: traditional network supervision and access-control mechanisms lack both a licensing mechanism for software and dynamic verification of code-segment integrity, so they struggle to prevent security risks such as malicious tampering and unauthorized execution. This paper therefore proposes a software behavior control mechanism that monitors the integrity of the code segments loaded at runtime by the software used to obtain resource data, ensuring that the software complies with the rules while in use and preventing malicious behavior such as runtime code tampering and unauthorized execution. Starting from the zero-trust architecture model, it then proposes a software behavior control scheme based on software evidence preservation. The scheme adopts a homomorphic aggregate blind authentication method based on bilinear maps on elliptic curves: designated bytecodes in the software are marked, verifiable cryptographic credentials are generated from them, and the credentials are stored in the issued software deployment license. While the software runs, the bytecode in its runtime code segments is captured in real time and checked against the credentials in the license by cryptographic blind verification, that is, without the supervisory system needing to obtain the bytecode, under the premise that "the original software does not leave its domain, and the software remains controllable and assessable". This solves the problem of effectively controlling software behavior on critical information infrastructure within access control. Experimental results show that the scheme can effectively detect security risks such as malicious in-memory tampering and unauthorized execution, providing an evidence-preserving, auditable security solution for real-time supervision of software behavior in critical information infrastructure.


    Abstract: The lack of software deployment licensing and runtime behavior regulation in critical information infrastructure leads to significant security risks. Traditional network monitoring and access control mechanisms are ineffective in preventing threats like malicious tampering and unauthorized execution, as they lack dynamic verification of software licensing and code segment integrity. To address this issue, this paper proposes a software behavior control mechanism that monitors the integrity of runtime-loaded code segments used by software to access resource data. This ensures that software adheres to regulations during use and prevents malicious actions, such as code tampering and unauthorized execution. Based on the concept of zero-trust architecture, the paper introduces a software behavior control scheme using software evidence preservation. This scheme shifts from traditional boundary protection to resource-centered protection. All computational services are treated as resources, and each resource must undergo security evaluation and continuous monitoring. Specifically, the scheme divides the current system into two parts: the data interface and the control interface. The control interface is responsible for making access decisions and includes software endorsement nodes, software certification nodes, and software monitoring nodes. The data interface receives the control interface's decisions and performs the corresponding operations. In the control interface, the software endorsement point (SEP) retrieves the software package uploaded by the resource host and pre-executes the program to simulate its operations. By marking specific bytecodes, generating software evidence, and storing it on IPFS, blind authentication and evidence preservation of the software are achieved. The software supervision point (SSP) receives user access requests and verifies the software's integrity and legitimacy at runtime via the software authentication point (SAP). SAP uses a blind authentication algorithm to verify whether the software has been tampered with or exhibits any anomalies. The daemon process (DP), acting as a prover, uses the software evidence stored in the blockchain to capture and verify runtime code segments, ensuring that software behavior complies with regulatory and licensing requirements. The proposed scheme uses a homomorphic aggregate blind authentication method based on bilinear mapping on elliptic curves. It marks specific bytecodes in the software, generates verifiable cryptographic credentials, and stores them in the software deployment license. During software execution, bytecode in the runtime code segments is captured in real time, and cryptographic blind verification is used to validate these credentials against those stored in the license. This approach resolves the software behavior control issue without needing access to the original bytecode, ensuring the security of critical information infrastructure. The results demonstrate that this scheme can effectively detect malicious tampering and unauthorized execution risks in memory. It provides a verifiable and auditable security solution for real-time monitoring of software behavior in critical information infrastructure.
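As an added illustration, not the paper's code or its pairing-based construction, the following Python models the mark, license, prove and verify flow described above (SEP marks bytecode and issues credentials in the license; DP proves over the live code segment; SAP verifies without receiving the bytecode). A SHA-256 commitment plus a nonce-bound HMAC stands in for the homomorphic aggregate blind authentication; the segment selection, function names and sample software are constructed for the example.

```python
import dis
import hashlib
import hmac
import secrets

def mark_segments(code_obj, spans):
    """SEP step: commit to the chosen byte ranges of a function's bytecode.
    spans are (offset, length) pairs into code_obj.co_code (constructed)."""
    raw = code_obj.co_code
    return [hashlib.sha256(raw[off:off + n]).hexdigest() for off, n in spans]

def choose_spans(func):
    """Mark every COMPARE_OP instruction (the access-decision points) plus
    the whole code segment, so the aggregate credential covers both."""
    spans = [(ins.offset, 2) for ins in dis.get_instructions(func)
             if ins.opname == "COMPARE_OP"]
    return spans + [(0, len(func.__code__.co_code))]

def issue_license(name, func):
    """SEP step: embed the credentials in the deployment license."""
    spans = choose_spans(func)
    return {"software": name, "spans": spans,
            "credentials": mark_segments(func.__code__, spans)}

def prove(func, lic, nonce):
    """DP step (prover): recompute commitments over the live bytecode and
    bind them to the verifier's nonce; only the HMAC tags leave the host."""
    creds = mark_segments(func.__code__, lic["spans"])
    return [hmac.new(nonce, c.encode(), "sha256").hexdigest() for c in creds]

def verify(lic, nonce, proof):
    """SAP step: check the proof against the license credentials. The
    verifier holds commitments and the nonce, never the bytecode itself."""
    expected = [hmac.new(nonce, c.encode(), "sha256").hexdigest()
                for c in lic["credentials"]]
    return len(proof) == len(expected) and all(
        hmac.compare_digest(p, e) for p, e in zip(proof, expected))

def check_runtime(func, lic):
    """SSP step: one supervised access -> fresh nonce, prove, verify."""
    nonce = secrets.token_bytes(16)
    return verify(lic, nonce, prove(func, lic, nonce))

# Constructed sample software: the function whose code segment is licensed,
# and an in-memory tampered variant that bypasses the access decision.
def read_resource(level):
    return level > 3

def read_resource_tampered(level):
    return True

LICENSE = issue_license("read_resource", read_resource)
```

The nonce makes a captured proof useless for replay: the same proof verified under a different nonce fails, so a daemon must re-prove over the live code segment on every supervised access.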
