Abstract:
Critical information infrastructures (CIIs) are the cornerstone of a country's economic and social operation and a crucial line of protection for national security and the public interest. Within CIIs, strict software deployment licensing and runtime behavior regulation are essential to keep systems secure and stable and to prevent malicious acts from within; without such functions, significant security risks arise. Traditional network monitoring and access control mechanisms cannot prevent threats such as malicious tampering and unauthorized execution, because they do not dynamically verify software licenses or the integrity of code segments. To address this, this study proposes a software behavior control mechanism that monitors the integrity of the code segments a program loads at runtime to access resource data, ensuring that the software complies with regulations while in use and preventing malicious actions such as code tampering and unauthorized execution. Following the zero-trust architecture, it introduces a software behavior control scheme based on software evidence preservation, which shifts from traditional boundary protection to resource-centered protection: all computational services are treated as resources, and each resource must undergo security evaluation and continuous monitoring. Specifically, the scheme divides the system into two parts, a data interface and a control interface. The control interface makes access decisions and comprises the software endorsement point, the software authentication point (SAP), and the software supervision point; the data interface receives the control interface's decisions and performs the corresponding operations. In the control interface, the software endorsement point retrieves the software package uploaded by the resource host and pre-executes the program to simulate its operations. By marking specific bytecodes, generating software evidence, and storing it on the InterPlanetary File System (IPFS), blind authentication and evidence preservation of the software are achieved. The software supervision point receives user access requests and verifies the software's integrity and legitimacy at runtime via the SAP, which uses a blind authentication algorithm to check whether the software has been tampered with or exhibits anomalies. A daemon process, acting as prover, uses the software evidence stored in the blockchain to capture and verify runtime code segments, ensuring that software behavior complies with regulatory and licensing requirements. The scheme uses a homomorphic aggregate blind authentication method based on bilinear maps on elliptic curves: it marks specific bytecodes in the software, generates verifiable cryptographic credentials, and stores them in the software deployment license. During execution, bytecode in the runtime code segments is captured in real time and cryptographically blind-verified against the credentials stored in the license. This resolves the software behavior control problem without requiring access to the original bytecode, safeguarding the security of CII. The proposed scheme has been deployed and operated on the Beijing Government Data Cloud Platform, where it has completed security assessments, license issuance, and runtime behavior monitoring for more than 200 applications. The results show that the scheme effectively detects malicious tampering and unauthorized execution risks in memory, providing a verifiable and auditable security solution for real-time monitoring of software behavior in CII.
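The following is an added illustration of the endorsement-to-verification flow the abstract describes; it is not code from the paper. It stands in a discrete-log commitment (G raised to the SHA-256 of each marked segment, modulo a toy prime P) for the paper's pairing-based homomorphic aggregate blind authentication, so that the three roles can be seen in working code: the endorsement point builds a license of credentials, the daemon (prover) captures runtime segments and aggregates a proof, and the SAP checks any subset of loaded segments with a single group equation while holding only credentials, never the bytecode. The parameters P and G, the function names, and the sample "bytecode" segments are all constructed for this example.

```python
"""Illustrative stand-in (not the paper's scheme): license credentials with
homomorphic aggregation.  cred(s) = G ** H(s) mod P, so that
cred(s1) * cred(s2) = G ** (H(s1) + H(s2)) and a set of segments can be
checked with one equation.  P and G are toy parameters (constructed)."""
from __future__ import annotations

import hashlib
from typing import Iterable

P = (1 << 127) - 1  # Mersenne prime 2^127 - 1: toy modulus, not a paper parameter
G = 3               # toy generator (assumption), not a paper parameter

# Constructed sample "marked bytecode" segments, standing in for the code
# segments the endorsement point marks during pre-execution.
SAMPLE_SEGMENTS = [
    b"\x55\x48\x89\xe5\x48\x83\xec\x10",          # prologue-like bytes
    b"\x48\x8b\x45\xf8\x48\x89\xc7\xe8\x00\x00",  # call-like bytes
    b"\x31\xc0\xc9\xc3",                          # return-like bytes
]


def segment_hash(segment: bytes) -> int:
    """H(s): SHA-256 of a segment, interpreted as the exponent."""
    return int.from_bytes(hashlib.sha256(segment).digest(), "big")


def credential(segment: bytes) -> int:
    """Credential for one marked segment: G ** H(s) mod P."""
    return pow(G, segment_hash(segment), P)


def aggregate(values: Iterable[int]) -> int:
    """Homomorphic aggregation: product of group elements mod P."""
    acc = 1
    for v in values:
        acc = acc * v % P
    return acc


def endorse(marked_segments: list[bytes]) -> dict:
    """Software endorsement point: the deployment license holds credentials only."""
    return {"credentials": [credential(s) for s in marked_segments]}


def prove(captured: dict[int, bytes]) -> tuple[list[int], int]:
    """Daemon/prover: aggregate proof over the segments currently captured
    from the running process, keyed by their index in the license."""
    indices = sorted(captured)
    proof = aggregate(credential(captured[i]) for i in indices)
    return indices, proof


def verify(license_doc: dict, indices: list[int], proof: int) -> bool:
    """SAP: recompute the expected aggregate from license credentials alone;
    the SAP never receives bytecode, only the indices and the proof."""
    try:
        expected = aggregate(license_doc["credentials"][i] for i in indices)
    except IndexError:          # prover claims a segment the license never marked
        return False
    return expected == proof


def tamper(segment: bytes, offset: int = 0) -> bytes:
    """Flip one bit to simulate in-memory code tampering (demo helper)."""
    b = bytearray(segment)
    b[offset] ^= 0x01
    return bytes(b)


def demo() -> dict:
    """Run the flow on the constructed segments; returns verdicts by scenario."""
    lic = endorse(SAMPLE_SEGMENTS)
    clean = dict(enumerate(SAMPLE_SEGMENTS))
    bad = dict(clean)
    bad[1] = tamper(clean[1])
    return {
        "clean_full": verify(lic, *prove(clean)),
        "tampered_full": verify(lic, *prove(bad)),
        # a subset that avoids the tampered segment still verifies
        "tampered_untouched_subset": verify(lic, *prove({0: bad[0], 2: bad[2]})),
        # a segment index the license never endorsed is rejected
        "unknown_segment": verify(lic, *prove({0: clean[0], 3: clean[0]})),
    }


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario}: {'pass' if ok else 'FAIL'}")
```

The subset check is the point of the homomorphism: the SAP can verify whichever segments are loaded at a given moment in one equation, which is what makes continuous monitoring cheap. As in the abstract, the daemon is the trusted capture point; this toy construction does not by itself defend against a compromised prover replaying a cached aggregate, and the paper's pairing-based blind authentication is what the real deployment relies on.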