CN104732147A - Application program processing method - Google Patents


Publication number: CN104732147A
Authority: CN (China)
Prior art keywords: authority, security, application program, application, control
Legal status: Pending
Application number: CN201510172644.3A
Other languages: Chinese (zh)
Inventor: 马泳宇
Current Assignee: Chengdu Rui Feng Science And Technology Ltd
Original Assignee: Chengdu Rui Feng Science And Technology Ltd
Application filed by: Chengdu Rui Feng Science And Technology Ltd
Priority to: CN201510172644.3A
Publication of: CN104732147A

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention provides an application program processing method. A TPM model is applied to a mobile terminal; a series of hook functions are inserted into the kernel system call logic, and a third-party security module is called back to detect modification operations on an application program. The security module decides whether access to or modification of the application program is allowed. The detection value of each executable file, library file and kernel file is acquired before the file is loaded into the system, and the security state of the system is monitored through these detection values. With this method, the integrity of the application program and the security of the terminal system are guaranteed in the mobile terminal through a virtual machine.

Description

An application program processing method
Technical field
The present invention relates to an application program processing method.
Background
As more and more intelligent mobile terminals connect to the Internet as network clients, they encounter security problems, especially in application security. Although the operating system is designed to protect applications and data by combining system-layer security mechanisms with a security framework based on inter-component communication, dangerous behaviour targeting application files and system vulnerabilities still exists. The common practice in mobile terminal security today is to use a security program on the terminal to detect malicious behaviour by applications. Such a security program, however, is installed on the client as just another application and is limited by the processor and storage of the device; it cannot guarantee the system security of the client, nor can it prevent the security product itself from being uninstalled or modified.
No effective solution to these problems in the related art has yet been proposed.
Summary of the invention
To solve the problems of the prior art described above, the present invention proposes an application program processing method, comprising:
Applying a TPM model to a mobile terminal; inserting a series of hook functions into the kernel system call logic and calling back a third-party security module to detect modification operations on an application program, the security module deciding whether access to or modification of the application program is allowed; and obtaining the detection value of each executable file, library file and kernel file before it is loaded into the system, and monitoring the security state of the system through these detection values.
Preferably, the method runs in a safety control system comprising a monitoring center subsystem deployed on the server side and a client state detection and feedback subsystem running on the mobile terminal;
The state detection comprises secure boot of the operating system, safety detection and initial security verification. Secure boot ensures that the kernel files loaded when the mobile terminal starts are trusted; safety detection detects the kernel modules, executable code, daemons, virtual machine initialization process and application-layer status feedback loaded in the mobile terminal, as well as the applications run after the system has started securely; initial security verification ensures that all detection results obtained during startup of the mobile terminal are trusted;
The status feedback comprises a client location monitoring module that monitors the client's location information at all times and, whenever application detection values need to be uploaded, invokes the upload of the detection values to the server.
Preferably, the monitoring center subsystem collects and verifies the safety detection values of mobile terminal applications to prevent theft or modification of security-sensitive information. The monitoring center subsystem comprises a security information collection module for collecting the safety detection values sent by mobile terminals; a security verification module that compares the collected application safety detection values with the security information list in the database and returns the comparison result to the client; and a security policy management module that maintains the list of safety detection values containing the detection values of applications that are safe for the operating system, judges whether an application is trusted, and adds it to or deletes it from the corresponding list.
Preferably, the method further comprises:
A hashing algorithm is used to obtain the hash value of each executable file, library file and kernel module, and the hash value, in place of the executable file content, is stored in the detection value list located in the kernel. Performing detection comprises inserting detection points into the system, the actual detection, and verifying the detection values. Starting from the BIOS, the method detects the next step and then continues to detect the next part of the code until detection of the status feedback ends and verification passes, at which point the OS has started successfully. For a newly opened application, the configuration file in the application's installation package is mapped into newly allocated virtual machine memory; the safety detection module calls the kernel-mode safety detection module through a hook function, detects the configuration file in memory and generates a detection value;
Location information for a defined area is set on the client. After the service starts, the location listener is opened automatically and the location is obtained in real time. When the check succeeds, the user name is sent to the monitoring center, while the mobile terminal holds in memory the server pre-assigned password entered by the user. The monitoring center returns a random number to the client; a hash operation is then performed on the random number and the user's pre-assigned password to generate the encryption key for the virtual machine application security information, and the client uploads the encrypted XML containing the virtual machine application security information to the monitoring center for verification;
Security information collection, security information verification and the security policy use the same database. After the dynamic listening executable starts, it opens a socket to listen for connections, parses the XML file received, converts its format, and finally returns the result of comparing it against the security metadata in the database;
The user is given the ability to grant, at the moment of use, permissions that pose a potential safety hazard: before an application uses a suspicious permission, the user is asked to confirm. Existing malicious application samples are analysed in detail to derive the set of essential permission-control features of malicious applications, and application permission control is carried out on the basis of this feature set. While the system is running, when an application attempts to uninstall or delete an application file, the permission control request is intercepted and redirected to the permission control monitor. The corresponding permission state is looked up from the permission information and application information supplied by the permission control monitor. If the state is granted or blocked, the permission control monitor is notified directly to allow or refuse the request. If the state is pending, the malicious application permission-control feature set is queried to determine whether the request matches any feature in it; if it matches none, the permission control monitor is notified to allow the request and the permission state information is updated; otherwise the permission control monitor is notified to ask the user to confirm the request. A system call interceptor intercepts all access by third-party applications to the relevant system calls and redirects it to the permission control monitor. Only the system call wrapper functions are modified: third-party applications are forced to use the current version of the function library while other system processes use the original function library, which avoids modifying the kernel. The runtime environment is modified so that when a third-party application loads a native code library, the library is scanned to ensure that it contains no weaken rock instruction. The ID of the application is added to the corresponding user group, and the specific access control is redirected by the system call interceptor to the decider for management.
Compared with the prior art, the present invention has the following advantages:
The present invention proposes an application program processing method that guarantees the integrity of the application program and the security of the terminal system in the mobile terminal through a virtual machine.
Brief description of the drawings
Fig. 1 is a flow chart of the application program processing method according to an embodiment of the present invention.
Detailed description
A detailed description of one or more embodiments of the present invention is provided below together with the accompanying drawings that illustrate the principles of the invention. The invention is described in connection with such embodiments, but is not limited to any embodiment. The scope of the invention is defined only by the claims, and the invention encompasses many alternatives, modifications and equivalents. Many specific details are set forth in the following description to provide a thorough understanding of the invention. These details are provided for the purpose of example, and the invention may be practised according to the claims without some or all of them.
One aspect of the present invention provides an application program processing method. Fig. 1 is a flow chart of the application program processing method according to an embodiment of the present invention.
The safety control system of the present invention applies the TPM model to the mobile terminal, ensuring that the whole process from loading the OS to the end of status feedback startup is not modified. The safety control system includes a security module, a lightweight general-purpose access control framework designed to strengthen operating system security. It is implemented by inserting a series of hook functions into the kernel system call logic that call back third-party security modules, and these third-party security modules decide whether to allow access or other operations. The security module framework is used to obtain the detection value of each executable file, library file and kernel file before it is loaded into the system, and the security state of the system is monitored through these detection values. Because the mobile operating system uses a trimmed-down kernel that includes the security module, the safety control system ports the safety detection framework into the kernel and extends it with the function of performing safety detection on applications.
The safety control system of the present invention stores the secure boot module in the OTP of the mobile terminal. The operating system is booted securely from the boot program of the secure boot module in the OTP: the boot program first detects the kernel and verifies it against the detection value stored in memory, and after verification passes the kernel starts normally. The kernel-mode safety detection module detects the operating system initialization code; the initial security verification module verifies the initialization code detection value it receives and outputs the verification result, which is returned to the safety detection module. Based on the verification result, that module makes the system initialization decision, namely whether to continue detection or to forbid the system from starting. This detect-and-verify process repeats until the detection values of the daemons, the virtual machine initialization process and the status feedback have all passed verification, at which point system startup is complete.
Detection of the operating system kernel modules, initial configuration files, daemons and the virtual machine initialization process is settled once the system has started. An application, however, cannot be detected before it is started; it has to be detected before it runs, at the point where it is mapped into the virtual machine. When the status feedback service detects that the client has entered the secure area, the detection value upload module generates an XML file from the detection values, encrypts it and uploads it to the monitoring center subsystem. The monitoring center's collection module collects and parses the information received, queries the security information database to verify it, and returns the verification result to the mobile terminal. If verification succeeds, the client continues to operate; if verification fails, the name of the untrusted application is returned and the client prompts the user to force-close that program. Meanwhile, a background service monitors the start of new applications at all times; once a new application starts, the new detection values are uploaded and verified again. This process continues until the client leaves the secure area.
To meet these requirements, the invention divides the safety control system into two subsystems: a monitoring center subsystem deployed on the server side and a client state detection and feedback subsystem running on the mobile terminal.
1) State detection implements secure boot of the operating system, safety detection and initial security verification. Secure boot ensures that the kernel files loaded when the mobile terminal starts are trusted. Safety detection is responsible for detecting the kernel modules, executable code, daemons, virtual machine initialization process and application-layer status feedback loaded in the mobile terminal, as well as the applications run after the system has started securely. The initial security verification module is responsible for ensuring that all detection results obtained during startup of the mobile terminal are trusted.
2) Status feedback sits at the application layer. Its client location monitoring module monitors the client's location information at all times and calls the detection value upload module whenever application detection values need to be uploaded.
The monitoring center subsystem collects and verifies the safety detection values of mobile terminal applications, so that theft or modification of security-sensitive information can be prevented in time. It comprises three parts: 1. a security information collection module, which collects the safety detection values sent by mobile terminals; 2. a security verification module, which compares the collected application safety detection values with the security information list in the database and returns the comparison result to the client; 3. a security policy management module, which maintains a list of safety detection values containing the detection values of applications that are safe for the operating system. The white list is updated promptly with the safety detection values of different versions of the same trusted application. For a given application, it can be judged case by case whether it is trusted, and it is then added to or deleted from the list accordingly.
Building on the TPM-based secure system startup, the application safety control system further comprises the following subsystem modules: 1) client location information monitoring; 2) application detection and feedback; 3) remote verification and management of the client's running state; 4) management of safety detection data; 5) application permission granting. The implementation of these modules is described below.
Client detection and feedback subsystem: a hashing algorithm is used to obtain the hash value of each executable file, library file and kernel module, and the hash value, in place of the executable file content, is stored in the detection value list located in the kernel. Detection is carried out in three parts: 1. inserting detection points into the system; 2. the actual detection; 3. verifying the detection values. Starting from the BIOS, the method detects the next step and then continues to detect the next part of the code until detection of the status feedback ends and verification passes, at which point the OS has started successfully. For a newly opened application, the configuration file in the application's installation package is mapped into newly allocated virtual machine memory; the safety detection module then calls the kernel-mode safety detection module through a hook function, detects the configuration file in memory and generates a detection value.
Status feedback sets the location information of the sensitive area in the client location monitoring module. After the service starts, it automatically opens the location listener, obtains the location in real time and determines whether the client has entered the sensitive area; when it has, the detection value upload module of the status feedback is called. The upload module sends the user name to the monitoring center, while the mobile terminal holds in memory the server pre-assigned password entered by the user, and the monitoring center returns a random number to the client. Next, the upload module performs a hash operation on the random number and the user's pre-assigned password to generate the encryption key for the virtual machine application security information. Through the upload module, the client then actively uploads the encrypted XML containing the virtual machine application security information to the monitoring center for verification.
The security information collection module, security information verification module and security policy module of the monitoring center subsystem use the same database. Collection and verification of security information data are implemented by a dynamic listening executable: once running, it opens a socket to listen for connections, parses the XML file received, converts its format, and finally returns the result of comparing it against the security metadata in the database. The security policy management module of the monitoring center subsystem uses a white list strategy.
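The report-and-verify exchange between the client and the monitoring center can be sketched as follows. This is an added example, not code from the patent: the XML element names, SHA-256 as the hash and the sample package names are assumptions, and the encryption step is left out so that the report format and the white list check stay in view.

```python
from __future__ import annotations

import hashlib
import xml.etree.ElementTree as ET


def measure(content: bytes) -> str:
    """Detection value of one component (SHA-256 is an assumption; the page
    only says "hashing algorithm")."""
    return hashlib.sha256(content).hexdigest()


def build_report(user: str, components: dict[str, bytes]) -> bytes:
    """Client side: serialise detection values as XML (hypothetical schema)."""
    root = ET.Element("report", {"user": user})
    for name in sorted(components):
        ET.SubElement(root, "app", {"name": name, "digest": measure(components[name])})
    return ET.tostring(root, encoding="utf-8")


class WhiteList:
    """Security policy management: trusted digests per application. Several
    versions of the same application may be listed at once."""

    def __init__(self) -> None:
        self._trusted: dict[str, set[str]] = {}

    def add(self, name: str, content: bytes) -> None:
        self._trusted.setdefault(name, set()).add(measure(content))

    def remove(self, name: str, content: bytes) -> None:
        self._trusted.get(name, set()).discard(measure(content))

    def trusts(self, name: str, digest: str) -> bool:
        return digest in self._trusted.get(name, set())


def verify_report(xml_bytes: bytes, white_list: WhiteList) -> list[str]:
    """Server side: parse a report and return the untrusted application names."""
    # The report comes from an untrusted client: refuse DTDs and entity
    # declarations before handing the bytes to the XML parser.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("report must not contain a DTD")
    untrusted = []
    for app in ET.fromstring(xml_bytes).iter("app"):
        name, digest = app.get("name"), app.get("digest")
        # A missing attribute is treated the same as an unknown digest.
        if not name or not digest or not white_list.trusts(name, digest):
            untrusted.append(name or "<unnamed>")
    return untrusted


# Constructed sample data, not taken from the page.
NOTES_V1 = b"<manifest package='com.example.notes' version='1.0'/>"
NOTES_V2 = b"<manifest package='com.example.notes' version='1.1'/>"
GAME = b"<manifest package='com.example.game' version='3.2'/>"

if __name__ == "__main__":
    wl = WhiteList()
    wl.add("com.example.notes", NOTES_V1)
    wl.add("com.example.notes", NOTES_V2)
    report = build_report(
        "alice", {"com.example.notes": NOTES_V2, "com.example.game": GAME}
    )
    print("untrusted:", verify_report(report, wl))
```

The list returned by `verify_report` corresponds to the untrusted application names that the monitoring center sends back to the client on a failed verification.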
The application permission granting subsystem gives the user the ability to grant, at the moment of use, permissions that pose a potential safety hazard: before an application uses a suspicious permission, the user is asked to confirm. In addition, the user can grant some permissions to an application directly at installation time, and can adjust the permissions of each application dynamically through a settings interface while it is in use. The system analyses the operating system and existing malicious application samples in detail to derive the set of essential permission-control features of malicious applications. Using this feature set effectively reduces the amount of user interaction needed for granting: a permission control request requires interactive granting by the user only when the permission use request matches at least one feature in the set.
The application permission granting subsystem consists of three modules: (1) an application installation module, which provides the entry point for partial granting at install time; (2) a permission control interception module, which intercepts an application's use of all permissions; (3) a decision module, which decides how the system handles these permission control requests: allow, refuse, or require interactive granting by the user.
The application installation module gives the user an entry point for granting some permissions directly to an application when installing it. No permission is granted to an application by default unless the user is certain that the application needs it. The entry point for partial granting at install time is provided by modifying the installer. The user's granting response is sent by the installer to the package manager in the system framework layer, which completes the remaining installation work.
The permission control interception module intercepts an application's use requests for all permissions. The invention redirects a permission control request to a permission control monitor before the permission check. To cover every possible form of permission control, different interception methods are used for different kinds of permission. Redirecting permission requests to the permission control monitor at the permission check points alone is enough to cover all permission use requests. Interception and redirection of kernel permission control requests must be implemented at the kernel layer. The method uses a system call interceptor to intercept all system calls related to kernel permissions and redirect them to the permission control monitor, thereby intercepting all use requests for kernel permissions.
The decision module determines how the method handles each intercepted permission control request. In the method of the invention, every permission an application requests has three possible states: (1) granted (use of the permission is allowed directly), (2) blocked (use of the permission is refused directly), (3) pending (use of the permission requires confirmation from the user). A permission manager handles all state transitions and stores the permission state information persistently so that it is not lost when the device restarts. To reduce unnecessary user involvement, when an application's use of a permission poses no potential safety hazard, the decision module sets the permission directly to the granted state. Whether a use of a permission poses a potential safety hazard is judged by a decider, which compares the permission control request with the permission-control features of malicious programs; a request that matches a feature is considered to pose a potential safety hazard.
While the system is running, when an application attempts to use a permission to uninstall or delete an application file, the permission control request is intercepted and redirected to the permission control monitor, which queries the decision module to determine how to handle the current request. The permission manager looks up the corresponding permission state from the permission information and application information supplied by the permission control monitor and sends the state to the decider. If the state is granted or blocked, the decider directly notifies the permission control monitor to allow or refuse the request. If the state is pending, the decider queries the malicious application permission-control feature set to determine whether the request matches any feature. If it matches none, the permission control monitor is notified to allow the request and the permission state information is updated. Otherwise the permission control monitor is notified to ask the user to confirm the request. The permission control monitor pops up an interactive window that shows the user the details of the permission control request and the potential safety hazard, and offers four instant granting options: grant once, grant permanently, block once and block permanently. If the user chooses grant once or grant permanently, the permission control monitor allows the application to use the permission; if the user chooses grant permanently or block permanently, the permission control monitor also notifies the permission manager to update the permission state information.
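The decision flow above can be written as a small state machine. This is an added example, not code from the patent: the two features are constructed stand-ins for the malicious-application feature set (which the page does not list), the permission names and paths are hypothetical, and the permission manager keeps its state in memory rather than in persistent storage.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Callable


class State(Enum):
    GRANTED = "granted"
    BLOCKED = "blocked"
    PENDING = "pending"


class Choice(Enum):
    GRANT_ONCE = 1
    GRANT_ALWAYS = 2
    BLOCK_ONCE = 3
    BLOCK_ALWAYS = 4


@dataclass(frozen=True)
class Request:
    app: str          # requesting application
    permission: str   # permission being exercised
    target: str       # object the permission is used on


# Constructed features (assumption): each maps a name to a predicate.
FEATURES: dict[str, Callable[[Request], bool]] = {
    "deletes-another-apps-file": lambda r: r.permission == "DELETE_FILE"
    and not r.target.startswith(f"/data/{r.app}/"),
    "uninstalls-another-package": lambda r: r.permission == "UNINSTALL"
    and r.target != r.app,
}


def matched_features(req: Request) -> list[str]:
    """Decider: names of the features this request matches."""
    return [name for name, matches in FEATURES.items() if matches(req)]


class PermissionManager:
    """State per (app, permission); anything not recorded is PENDING."""

    def __init__(self) -> None:
        self._states: dict[tuple[str, str], State] = {}

    def get(self, app: str, permission: str) -> State:
        return self._states.get((app, permission), State.PENDING)

    def set(self, app: str, permission: str, state: State) -> None:
        self._states[(app, permission)] = state


class PermissionMonitor:
    """Receives redirected requests and returns True to allow, False to refuse."""

    def __init__(self, manager: PermissionManager,
                 ask_user: Callable[[Request, list[str]], Choice]) -> None:
        self.manager, self.ask_user, self.prompts = manager, ask_user, 0

    def handle(self, req: Request) -> bool:
        state = self.manager.get(req.app, req.permission)
        if state is not State.PENDING:          # granted or blocked: no prompt
            return state is State.GRANTED
        features = matched_features(req)
        if not features:                        # no hazard: grant and remember
            self.manager.set(req.app, req.permission, State.GRANTED)
            return True
        self.prompts += 1
        choice = self.ask_user(req, features)
        if choice is Choice.GRANT_ALWAYS:
            self.manager.set(req.app, req.permission, State.GRANTED)
        elif choice is Choice.BLOCK_ALWAYS:
            self.manager.set(req.app, req.permission, State.BLOCKED)
        return choice in (Choice.GRANT_ONCE, Choice.GRANT_ALWAYS)


if __name__ == "__main__":
    monitor = PermissionMonitor(PermissionManager(), lambda r, f: Choice.BLOCK_ONCE)
    own = Request("com.example.tool", "DELETE_FILE", "/data/com.example.tool/cache.tmp")
    other = Request("com.example.tool", "DELETE_FILE", "/data/com.example.av/sig.db")
    print(monitor.handle(other), monitor.handle(own), monitor.handle(other))
```

In this flow a benign first use moves the permission to the granted state, so a later request for the same permission is allowed without the feature check; the third call in the demo shows this.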
The system call interceptor intercepts all access by third-party applications to the relevant system calls and redirects it to the permission control monitor. Because modifying the kernel would affect all processes, including system processes, the method modifies only the system call wrapper functions: third-party applications are forced to use the current version of the function library, while other system processes use the original function library, which avoids modifying the kernel. When a third-party application accesses a system call wrapper function by any route, the access is redirected to the permission control monitor. Together with the permission manager and the decider, the permission control monitor decides how to handle the request and reports the decision to the system call wrapper function.
Because the system call interceptor sits outside the kernel, a third-party application could still bypass the interceptor by means of weaken rock and use kernel permissions. The runtime environment is therefore modified so that when a third-party application loads a native code library, the library is scanned to ensure that it contains no weaken rock instruction, which guarantees the reliability of the interceptor.
Because it is ensured that third-party applications cannot bypass the system call interceptor to access kernel resources directly, the ID of an application can be added to the corresponding user group, and the specific access control is redirected by the system call interceptor to the decider for management.
According to a further embodiment of the invention, the security module described above is located in a virtualized environment; the control system measures security at run time to determine whether a program has been modified, and the objects detected include processes, kernel modules and dynamic link libraries. The control system is separated from the detected objects, which ensures the accuracy of the detection values. The virtual machine monitor runs directly on the physical hardware layer and has the authority to create, manage and destroy other virtual machines. It is directly responsible for managing the underlying physical memory, ensures isolation between virtual machines, and provides the interfaces for accessing virtual machines. Detecting from outside the virtual machine takes advantage of the strong isolation of virtualization to reduce the chance that the control system is attacked. The invention uses a component-independent detection mode: the detection value is not detected by the program on the TPM, and each component can be detected separately at any time. Before safety detection, the position of the detected object in memory is determined, the translation from virtual address to machine address is carried out, and a hash value is computed from the memory content obtained.
The method performs detection by obtaining the virtual machine's memory from outside the virtual machine, which is transparent to the inside of the virtual machine and ensures the security of the control system. An intermittent detection mechanism is used to access specific memory, avoiding the significant performance cost of frequent memory access. Modification of the virtual machine monitor is avoided; information from inside the virtual machine is obtained through interfaces, which keeps the program easy to maintain and prevents the control system from depending too heavily on the virtual machine monitor.
The control system is located in the host of the virtualization layer and carries out the detection work; it comprises a control system, an address translator and a safety detector. The virtual machine monitor layer virtualizes the CPU, memory, network and block devices. The virtualization layer consists of the host, which manages the virtual machines, and multiple virtual machines. The control system controls the whole safety detection process: it receives parameters entered by the user, including the name of the virtual machine to be detected, the detected object and the virtual machine's operating system type, calls the address translator to access specific virtual machine memory, and passes the memory data to the safety detection program. The address translator needs the state values of the virtual machine's CPU and the virtual machine's address length, and must also be able to access the virtual machine's address mapping interface. With this information it performs address translation according to the specific virtual machine CPU architecture and thereby obtains the physical address in the virtual machine. From the virtual machine memory content obtained, the safety detection program computes the hash values of processes, modules and dynamic link libraries and saves them in a detection list. The control system can detect periodically as required or in real time, comparing newly obtained detection values with the values previously saved in the detection list, and can thus discover whether a process has changed.
The memory management of monitor of virtual machine uses 3 kinds of address spaces, is machine address, physical address and virtual address respectively.Machine address, or also referred to as hardware address, only have watch-dog to access, physical address is managed by VME operating system, and virtual address is the address that application program can be accessed.Adopt this address structure, discontinuous machine address just can be converted to and seem continuous print physical address.The machine address of bottom it is seen that physical address, can not be seen by virtual machine institute.It is physical address that monitor of virtual machine is responsible for virtual address translation, safeguards the table changed to machine address by physical address simultaneously.Safety detection needs the position of program of orienting in internal memory, exactly the deviation post of program at virtual machine physical memory page, so first the Physical Page of virtual machine will be copied to the space of authorized user-accessible, position again, and this process need completes the conversion from virtual address to physical address.
First, the kernel symbol table is read and the virtual address corresponding to a kernel symbol is translated to a physical address. The physical base address of the page hierarchy stored in the virtual machine's register is obtained, and the physical address is found by translating level by level, which completes the translation from virtual address to physical address and yields the physical frame number. In the host management domain, the content at machine addresses is accessed through the low-level access control interface of the virtual machine monitor. Using the physical frame number, the content at the machine address is mapped into memory space that the host can access, which gives the content of the virtual machine's memory. Once the required content has been obtained, the control system performs security detection on it.
The hash values obtained by detection are stored in the detection list. If the same program yields different detection values at different times, the program is detected as modified. Any program can be security-checked once it has been loaded into memory. Based on the types of program loaded into memory at run time, the present invention mainly considers detected objects that can be detected from outside the virtual machine, including processes, kernel modules and dynamic link libraries. Other detected objects not listed in the present invention can be detected with the same method.
To make processes and kernel modules easier to manage, the operating system links the processes running in the system and the loaded modules in chain structures. The physical memory region where a detected object resides can therefore be found through this structure, and combined with the address translation mechanism described above, the content of the hardware memory of the detected object can be obtained. The following explains, for processes, modules and dynamic link libraries in turn, how security detection is performed according to their memory regions.
Each process manages its information through a process control block (PCB), and all processes are linked together in a doubly linked list. Traversing this list yields the processes running in the system. The process control block contains the name of the running process, which can be obtained from the offset of the name field relative to the start address of the process control block. The process control block holds a pointer to the memory management structure, which is the structure the operating system uses to manage the allocation of the process's virtual address space. The virtual address space of a process comprises the code segment, data segment, heap, stack, arguments, environment variables and so on. The code segment of a process does not change at run time; if the code segment in the current run differs from that in the previous run, the program corresponding to the process has changed. Security detection of a process is therefore performed by computing the hash value of the process's code segment.
Modules are loaded when the system starts, and some modules are loaded by user-space programs after the system has started; in either case their memory space is allocated in the same way. A module is an object file and cannot be run directly. After a module is read into memory, the kernel performs its initialization. In memory a module has a code region and a data region, and the data region contains read-only data and read-write data. Computing the hash value over the immutable regions, namely the code region and the read-only data region, identifies the module well. Each module has a doubly linked list that links it to the previous module and the next module, and also includes a name field holding the module's name. The modules loaded in the system can be obtained by traversing the doubly linked list, and the content of a specific module can then be accessed from the offset of the name field relative to the module's start address.
A dynamic link library is loaded into memory only when a program runs. When a function of the dynamic link library is called, the operating system searches for the library's location on disk and loads it into a virtual memory region. Each virtual memory region can be classed as one of four kinds: readable, writable, executable, shareable. The location that holds the dynamic link library's code segment is marked as an executable region, and the dynamic link library is detected by computing the hash value of this part.
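The measurement loop described above (level-by-level address translation, reading a code segment from possibly non-contiguous frames, hashing it and comparing against the detection list), as an added example that is not part of the patent. It assumes 4 KiB pages, a two-level 32-bit-style page table with the present bit in bit 0, SHA-256 as the hash and a constructed byte array in place of real guest memory; the names GuestMemory, translate, read_virtual and DetectionList are hypothetical.

```python
import hashlib
import struct

PAGE = 4096  # assumption: 4 KiB pages, two-level 32-bit-style page table

class GuestMemory:
    """Constructed stand-in for guest physical memory mapped into the host."""
    def __init__(self, pages):
        self.ram = bytearray(pages * PAGE)

    def u32(self, paddr):
        return struct.unpack_from("<I", self.ram, paddr)[0]

    def set_u32(self, paddr, value):
        struct.pack_into("<I", self.ram, paddr, value)

def translate(mem, pgd_base, vaddr):
    """Walk directory -> table -> frame; return the guest physical address."""
    pde = mem.u32(pgd_base + 4 * (vaddr >> 22))
    if not pde & 1:  # assumption: bit 0 is the present bit
        raise LookupError("page directory entry not present")
    pte = mem.u32((pde & 0xFFFFF000) + 4 * ((vaddr >> 12) & 0x3FF))
    if not pte & 1:
        raise LookupError("page table entry not present")
    return (pte & 0xFFFFF000) | (vaddr & 0xFFF)

def read_virtual(mem, pgd_base, vaddr, length):
    """Read a virtual range page by page; backing frames may be scattered."""
    out = bytearray()
    while length > 0:
        paddr = translate(mem, pgd_base, vaddr)
        chunk = min(length, PAGE - (vaddr & 0xFFF))
        out += mem.ram[paddr:paddr + chunk]
        vaddr += chunk
        length -= chunk
    return bytes(out)

class DetectionList:
    """Object name -> hash of its immutable region at first measurement."""
    def __init__(self):
        self.values = {}

    def check(self, name, mem, pgd_base, start, length):
        region = read_virtual(mem, pgd_base, start, length)
        digest = hashlib.sha256(region).hexdigest()
        if name not in self.values:
            self.values[name] = digest
            return "recorded"
        return "unchanged" if self.values[name] == digest else "modified"

def build_guest():
    """Constructed guest: code at 0x08048000 backed by frames 5 and 3."""
    mem = GuestMemory(8)
    pgd_base, table = 0, PAGE
    start, code = 0x08048000, bytes(range(256)) * 24  # 6144 bytes, two pages
    mem.set_u32(pgd_base + 4 * (start >> 22), table | 1)
    for i, frame in enumerate((5, 3)):
        mem.set_u32(table + 4 * (((start >> 12) & 0x3FF) + i), frame * PAGE | 1)
    mem.ram[5 * PAGE:6 * PAGE] = code[:PAGE]
    mem.ram[3 * PAGE:3 * PAGE + len(code) - PAGE] = code[PAGE:]
    return mem, pgd_base, start, len(code)

def demo():
    mem, pgd_base, start, length = build_guest()
    detections = DetectionList()
    first = detections.check("process:init", mem, pgd_base, start, length)
    second = detections.check("process:init", mem, pgd_base, start, length)
    mem.ram[3 * PAGE + 100] ^= 0xFF  # constructed one-byte patch of the code
    third = detections.check("process:init", mem, pgd_base, start, length)
    return first, second, third
```

The patched byte lies in the second, non-adjacent frame, so the change is only caught because the read follows the page table instead of assuming the code segment is physically contiguous.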
In summary, the present invention proposes an application program processing method that ensures the integrity of application programs and the security of the terminal system in a mobile terminal by means of a virtual machine.
Obviously, those skilled in the art should understand that the modules or steps of the present invention described above can be implemented with a general-purpose computing system; they can be concentrated on a single computing system or distributed over a network formed by multiple computing systems; optionally, they can be implemented as program code executable by a computing system, so that they can be stored in a storage system and executed by a computing system. The present invention is thus not restricted to any specific combination of hardware and software.
It should be understood that the above embodiments of the present invention serve only to illustrate or explain the principles of the present invention and do not limit it. Therefore, any modification, equivalent replacement, improvement and the like made without departing from the spirit and scope of the present invention shall fall within the scope of protection of the present invention. In addition, the appended claims are intended to cover all changes and modifications that fall within the scope and boundaries of the claims, or within equivalents of such scope and boundaries.

Claims (4)

1. An application program processing method, characterized by comprising:
applying a TPM model in a mobile terminal; inserting a series of hook functions into the kernel system call logic; calling back a third-party security module to detect modification operations on application programs, the security module determining whether access to or modification of an application program is allowed; obtaining a detection value for each executable file, library file and kernel file before it is loaded into the system; and monitoring the security state of the system through these detection values.
2. The method according to claim 1, characterized in that the method runs in a security control system, the security control system comprising a monitoring center subsystem deployed on the server side and a client state detection and feedback subsystem running on the mobile terminal;
the state detection comprises secure boot of the operating system, security detection and initial security verification; secure boot ensures that the kernel files loaded when the mobile terminal starts are trusted; security detection detects the kernel modules, executable code, daemons, virtual machine initialization process and application-layer state feedback loaded in the mobile terminal, and the application programs run after the system has started securely; initial security verification comprises ensuring that all detection results of the mobile terminal during start-up are trusted;
the state feedback comprises: a client location monitoring module monitors the client's location information at all times, and the detection value is uploaded to the server whenever an application program's detection value needs to be uploaded.
3. The method according to claim 2, characterized in that the monitoring center subsystem is used to collect and verify the security detection values of mobile terminal application programs and to prevent the theft or modification of security-sensitive information; the monitoring center subsystem comprises a security information collection module for collecting the security detection values sent by the mobile terminal, a security verification module that compares the collected application security detection values with the security information list in the database and returns the comparison result to the client, and a security policy management module that maintains the security detection value information list containing the detection values of application programs that are safe for the operating system, judges whether an application is a trusted application, and chooses to add it to, or delete it from, the corresponding list.
4. The method according to claim 3, characterized in that the method further comprises:
using a hash algorithm to obtain the hash value of each executable file, library file and kernel module, and storing it, in place of the executable file content, in a detection value list located in the kernel; performing detection comprises inserting detection points in the system, the actual detection, and verifying the detection values; the method detects the next step starting from the BIOS and then continues to detect the next part of the code until state feedback detection ends and the OS is verified to have started successfully; for a newly opened application program, the configuration file in each application installation package is mapped into newly allocated virtual machine memory space, and the security detection module calls the kernel-mode security detection module through a hook function to detect the configuration file in memory and generate a detection value;
location information for a region range is set on the client; after the service starts, location monitoring is enabled automatically and the location is obtained in real time; when the judgment succeeds, the user name is sent to the monitoring center, while the mobile terminal stores in memory the server pre-allocated password entered by the user; the monitoring center returns a random number to the client; a hash operation is then performed on the random number and the user's pre-allocated password to generate the encryption key for the virtual machine application security information; and the client uploads the encrypted XML containing the virtual machine application security information to the monitoring center for verification;
security information collection, security information verification and security policy use the same database; after the dynamic monitoring executable program runs, a Socket connection is opened for listening, the received XML file is parsed and its format converted, and finally the security metadata result is returned after comparison with the database;
the user is provided with just-in-time granting of permissions that pose a potential security risk: before an application program uses a suspicious permission, the user is asked to confirm; existing malicious application samples are analysed in detail to derive the set of essential permission-control features of malicious applications, and application permission control is performed based on this feature set; during system operation, when an application program attempts to unload or delete application program files, the permission-control request is intercepted and redirected to a permission control monitor; the corresponding permission state is queried using the permission information and application information provided by the permission control monitor; if the corresponding permission state is granted or blocked, the permission control monitor is directly notified to agree to or refuse the request; if the corresponding permission state is pending, the malicious application permission-control feature set is queried to determine whether the request matches a feature in it; if it matches no feature, the permission control monitor is notified to allow the request and the permission state information is updated; otherwise the permission control monitor is notified to have the user confirm this access request; a system call interceptor intercepts the accesses of all third-party application programs to the relevant system calls and redirects them to the permission control monitor, modifying only the system call wrapper functions and forcing third-party application programs to use the current version of the function library while other system processes use the master function library, which avoids modifying the kernel; by modifying the runtime environment, the class library is scanned when a third-party application program loads a native code library, to ensure that it contains no weaken rock instruction; the ID corresponding to the application program is added to the corresponding user group, and the specific access control is redirected by the system call interceptor to a decision-making device for management.
CN201510172644.3A 2015-04-13 2015-04-13 Application program processing method Pending CN104732147A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510172644.3A CN104732147A (en) 2015-04-13 2015-04-13 Application program processing method


Publications (1)

Publication Number Publication Date
CN104732147A true CN104732147A (en) 2015-06-24

Family

ID=53456028



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20150624