Background technology
The Dalvik virtual machine is the foundation on which application programs run in Android. It is specific to the Android system and is one of its core components. Its instruction set is based on a register architecture, and it runs Java applications in dex form. The dex file is a compressed file format designed specifically for the Dalvik virtual machine and optimized for embedded systems: many class names and constant strings are shared, which makes the file smaller and execution more efficient. Because the virtual machine is register-based, code can be optimized ahead of time at compile time rather than deferred until execution.
The core of the Dalvik virtual machine is its implementation library, libdvm.so, written mainly in C. It depends on the Linux kernel for functions such as threading and memory management, uses memory efficiently, and performs well on slow CPUs, so it suits systems with limited memory and processor speed. After optimization, Dalvik allows multiple virtual machine instances to run simultaneously in limited memory, and each Dalvik virtual machine executes as an independent Linux process, which prevents all programs from being closed when one virtual machine crashes. At the same time, each Android application corresponds to its own independent Dalvik virtual machine instance at the lower layer, and its code is executed under the interpretation of that virtual machine.
Dalvik is, after all, still a customized Java virtual machine: it only implements an instruction set of its own and applies a series of optimizations for embedded devices so that multiple virtual machine instances can run efficiently. Among them is a special virtual machine process, Zygote, which acts as the incubator of virtual machine instances. Zygote is created when the system starts and completes the initialization of the virtual machine, the loading of libraries, and the loading and initialization of the preloaded class libraries. When the system needs a new virtual machine instance, Zygote quickly copies itself and hands the instance to the system as fast as possible. For some read-only system libraries, all virtual machine instances share one memory region with Zygote. As middleware between the operating system and application programs, the virtual machine's security is closely tied to the security of both the applications and the operating system.
With the development of mobile operating systems, Android has captured most of the mobile market. However, Android has many version branches, which causes serious fragmentation, and different versions contain many different vulnerabilities. The versioning of the Android system as a whole is in practice chaotic, so the Dalvik virtual machine running on it is also at risk, and the security of the applications running in the virtual machine cannot be guaranteed.
Summary of the invention
The object of the present invention is to propose a software hardening design method for mobile applications that protects application programs running on a mobile operating system.
The above object is achieved by the following technical solution: a software hardening design method for mobile applications, used to harden application programs on the Android system, characterized in that the method comprises: step I, customizing a micro virtual machine according to preset security requirements; step II, integrating the micro virtual machine into the application program, so that it becomes part of the application's runnable components and has the highest priority during execution; step III, when the application runs, running the micro virtual machine first to perform a security check or verification on the application as a whole, and running the application's functional modules only after the security verification has passed. The preset security requirements comprise signature verification of the application, removal of illegal instructions and prohibited instructions in the application, and decryption of encrypted information.
Further, the micro virtual machine is integrated using the NDK: within the application installation package, the Android native development kit is used to implement and integrate the customized micro virtual machine in C or C++, making it part of the application's runnable components.
Further, the micro virtual machine is integrated by fetching it from a remote server to the local device via RPC before the application runs for the first time and loading it dynamically, so that it becomes part of the application's runnable components.
Further, on the basis that the micro virtual machine has been integrated into the application, the micro virtual machine starts when the mobile terminal boots and monitors the execution of the corresponding application in real time.
Further, the signature verification function of the micro virtual machine uses a public key stored on a remote server to verify the application after it has been installed; if verification cannot pass, the program is terminated or the user is prompted to uninstall it.
Further, for the function of removing illegal instructions and prohibited instructions from the application: when code or instructions that illegally obtain system or user information have been inserted into the application, the micro virtual machine runs and deletes that code or those instructions.
Further, for the function of decrypting encrypted information: in an application that handles mobile payment, the encrypted information about the transaction process and the transaction data is decrypted by the corresponding micro virtual machine, which also interacts with the servers involved in the mobile payment.
With the software hardening design of the present invention, a customized micro virtual machine is integrated into the application and performs security checks on the application itself and on its runtime environment before anything else in the application runs. This effectively prevents the application from being illegally cracked or reverse engineered, improves the security of applications on the Android system, protects users' personal sensitive data, and safeguards the confidentiality of commercial software.
Embodiment
To address the increasingly serious client-side security problems of mobile operating systems, the present invention proposes a new protection technique for application programs on the Android system. It goes beyond the common, traditional protection schemes that rely on other applications. Drawing on the implementation of Android's own Dalvik virtual machine, a micro virtual machine is customized for the application, and all or part of the application runs inside that customized virtual machine. This effectively prevents the application from being illegally cracked or reverse engineered and improves the security of applications on the Android system.
In outline, as shown in Figure 1, the software hardening design method comprises: step I, customizing a micro virtual machine according to preset security requirements; step II, integrating the micro virtual machine into the application program, so that it becomes part of the application's runnable components and has the highest priority during execution; step III, when the application runs, running the micro virtual machine first to perform a security check or verification on the application as a whole, and running the application's functional modules once it has been found safe. The preset security requirements comprise signature verification of the application, removal of illegal instructions and prohibited instructions in the application, and decryption of encrypted information; any one of these may be chosen, or all of them may be combined.
As a further refinement of the above scheme, the micro virtual machine can be integrated using the NDK: within the application installation package, the Android native development kit is used to implement and integrate the customized micro virtual machine in C or C++, making it part of the application's runnable components. Alternatively, it can be fetched from a remote server to the local device via RPC before the application runs for the first time and loaded dynamically so that it becomes part of the application's runnable components.
For the customized micro virtual machine, the following points should be noted.
1. The customized micro virtual machine must be integrated into the application, so that the application carrying the customized virtual machine in effect becomes a new application. After the application has been installed by the system, the customized virtual machine becomes part of the program's runnable components. Each time, the micro virtual machine runs before the actual program does, so the program always runs inside the secure environment it carries with it.
Since the customized virtual machine has to be integrated with the mobile application, it can be treated as one functional module of the application. Because the micro virtual machine must run before the program does, a reasonable choice is to start it at device boot and have it monitor the execution of the application in real time; this of course presumes that the micro virtual machine has already been integrated into the application by some means. On the first run, the customized virtual machine must first be obtained, either from the remote server or locally.
2. When executing the application, the micro virtual machine performs security checks on it, for example verifying again whether the application's signature is correct, and then decides whether to run the application in its own virtual machine environment.
Each application has its own signature, and the signature is held by the application developer. As long as the signature is not leaked, a forged application is easy to identify. The security check added by the customized virtual machine is a second verification of the application, performed after the system has installed it. The public key corresponding to the application can be stored on a remote server and used to verify the installed application; if verification fails, the program is terminated or the user is prompted to uninstall it, which better guarantees the legitimacy of the application.
3. Self-defined functional modules can be added to the virtual machine. For example, before the program executes, the virtual machine inspects the application's dex file and filters out the illegal instructions or prohibited instructions in it, thereby improving the program's runtime efficiency and robustness.
The functional modules added to the virtual machine can be customized to the needs of different applications. The following two functions are examples only: (1) if code or instructions that illegally obtain system or user information have been inserted into an application, a module for deleting these prohibited instructions can be added to the customized virtual machine, so that the harm done by the application is reduced as far as possible; (2) if an application that handles mobile payment needs to hide information about the transaction process and the transaction period, that information can be encrypted within the mobile application, so that only processing by the customized virtual machine can decrypt the data and interact with the server, which safeguards the transaction process.
4. The customized virtual machine can exist in the application in two ways: it can be implemented in C/C++ with the Android native development kit inside the installation package, or it can be placed on a remote server and, via RPC, fetched to the local device before the application's first run and loaded dynamically at run time. Both aim to protect the customized virtual machine itself from being reverse engineered or cracked; only if the virtual machine itself is secure can the application running on it be secure as well.
As Figure 1 shows, the customized micro virtual machine of the present invention and the application's functional modules exist side by side in the mobile application. Before the mobile application actually runs, the customized micro virtual machine is started; it performs security verification on the application and runs any self-defined functional modules, such as encryption and decryption of sensitive data or scanning the program for prohibited instructions. Only after these custom modules of the virtual machine have finished is the application started and the program's own functional modules executed. A mobile application with the customized virtual machine thus creates a secure runtime environment for the program itself, and this environment also interacts with the program, protecting the application's sensitive data.
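The start-up order described above, modelled as an added example that is not part of the patent text: the checks run first, the signer of the installed package is compared with a server-held reference, and prohibited instructions are removed before the functional modules are released. It assumes the server-held reference is a SHA-256 digest of the signing certificate rather than a raw public key, treats instructions as plain names, and fails closed when the server cannot be reached; `launch`, `verify_signer`, `strip_prohibited` and all sample values are hypothetical.

```python
import hashlib
import hmac

# Constructed sample data: stands in for the developer's signing certificate
# and for the reference value held on the remote server.
DEVELOPER_CERT = b"constructed-developer-signing-certificate"
SERVER_PINNED_DIGEST = hashlib.sha256(DEVELOPER_CERT).hexdigest()

# Hypothetical policy: instruction names the customized module must remove.
PROHIBITED = {"read_contacts_silently", "send_premium_sms"}


def verify_signer(installed_cert: bytes, pinned_digest: str) -> bool:
    """Re-check the installed package's signer against the server-held value."""
    actual = hashlib.sha256(installed_cert).hexdigest()
    return hmac.compare_digest(actual, pinned_digest)


def strip_prohibited(instructions):
    """Return (kept, removed) so every removal can be logged and reviewed."""
    kept = [i for i in instructions if i not in PROHIBITED]
    removed = [i for i in instructions if i in PROHIBITED]
    return kept, removed


def launch(installed_cert, instructions, fetch_pinned_digest):
    """Run the checks first; release the functional modules only on success."""
    try:
        pinned = fetch_pinned_digest()
    except OSError:
        # Assumption: fail closed when the server value cannot be fetched.
        return {"action": "terminate", "removed": [], "run": []}
    if not verify_signer(installed_cert, pinned):
        # Signer differs from the developer's: repackaged or forged build.
        return {"action": "prompt_uninstall", "removed": [], "run": []}
    kept, removed = strip_prohibited(instructions)
    return {"action": "run", "removed": removed, "run": kept}


if __name__ == "__main__":
    stream = ["show_ui", "send_premium_sms", "sync_orders"]
    print(launch(DEVELOPER_CERT, stream, lambda: SERVER_PINNED_DIGEST))
    print(launch(b"constructed-resigning-cert", stream, lambda: SERVER_PINNED_DIGEST))
```

Returning the removed instructions alongside the kept ones lets the check leave an audit trail instead of silently rewriting the program.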
Scenario one: when an attacker gets hold of a vulnerability in the Android system, the attacker can use it to attack the Android system's own virtual machine and thereby affect the applications in that virtual machine. If the application carries a customized virtual machine, however, then even when the attacker attacks the virtual machine, parts of the application still need to interact with the virtual machine; when the virtual machine environment is no longer secure, the application can stop running to prevent leakage of private data.
Scenario two: suppose an attacker obtains the installation package of an application that has been processed with the customized virtual machine and wants to insert fee-deducting or Trojan code into the program, repackage it, and publish it. The program might install successfully by exploiting a system vulnerability, but at run time the customized micro virtual machine performs the security check again, and some of the application's data must be exchanged with the virtual machine in ciphertext form, so the bar for an attack is likely to be raised considerably.
In summary, with the software hardening design of the present invention, a customized micro virtual machine is integrated into the application and performs security checks on the application itself and on its runtime environment before anything else in the application runs. This effectively prevents the application from being illegally cracked or reverse engineered, improves the security of applications on the Android system, protects users' personal sensitive data, and safeguards the confidentiality of commercial software.