CN106203080A - System calling method and device - Google Patents

Publication number: CN106203080A
Authority: CN (China)
Prior art keywords: system call, call request, authority, kernel, safety check
Legal status: Granted; Active
Application number: CN201610555203.6A
Other languages: Chinese (zh)
Other versions: CN106203080B (en)
Inventor: 高连凯
Current Assignee: Yuanxin Information Technology Group Co ltd
Original Assignee: Yuanxin Technology
Application filed by Yuanxin Technology
Priority to CN201610555203.6A
Publication of CN106203080A
Application granted; publication of CN106203080B

Classifications

    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F2221/033 Test or assess software
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The embodiment of the invention provides a system call method and device. The method comprises the following steps: after receiving a system call request from an application, performing a permission check on the system call request; after the permission check passes, carrying the preset security identifier of the permission and security check module in the system call request as the sender identifier, and sending the request to the kernel; and, after the kernel receives the system call request, performing the corresponding system call if the sender identifier of the received request is consistent with the pre-stored security identifier. In the embodiment of the invention, the permission check of the application's system call request is performed in the application layer, outside the kernel, and the preset security identifier of the permission and security check module is set in the system call request for the kernel to identify. This part of the code is not open source code and will not be disclosed, which greatly enhances the security of system calls.

Description

System call method and device
Technical field
The present invention relates to the field of terminal technology, and specifically to a system call method and device.
Background
With the development of science and technology, intelligent terminals such as smartphones, tablet computers and e-readers have become widespread. A large number of intelligent terminals run operating systems based on the Linux kernel, such as Android, Tizen, Ubuntu and FireFox. These operating systems are generally implemented by adding their own framework layers on top of the Linux kernel.
In an operating system based on the Linux kernel (hereinafter, the operating system), the Linux kernel manages system resources in a unified way. An application program in the application layer (hereinafter, an application) generally makes a system call as follows: the application sends a system call request to the system call interface in the kernel; multiple security modules built into the kernel each execute their own security mechanism, that is, they perform multiple security or permission checks on the system call request, such as DAC (Discretionary Access Control), MAC (Mandatory Access Control) and capability checks; the kernel then performs the system call according to the system call request.
However, the inventor of the present invention found that Linux is an open source project whose kernel code generally has to be disclosed. The existing security modules that execute the various security mechanisms are built into the Linux kernel. Even if a security module is modified to improve its security mechanism, the source code of the improved security module must still be disclosed in accordance with the agreement, so attackers such as hackers can still obtain the security mechanism of the improved module. As a result, the existing system call method remains vulnerable to attack and has low security, which easily causes losses to users and degrades the user experience.
Summary of the invention
To address the shortcomings of the existing approach, the present invention proposes a system call method and device, to solve the problem in the prior art that system calls have low security.
According to one aspect, embodiments of the invention provide a system call method, comprising:
after receiving a system call request from an application, performing a permission check on the system call request;
after the permission check passes, carrying the preset security identifier of the permission and security check module in the system call request as the sender identifier, and sending the request to the kernel;
after the kernel receives the system call request, performing the corresponding system call if it determines that the sender identifier of the received request is consistent with the pre-stored security identifier.
According to another aspect, embodiments of the invention also provide a system call device, comprising:
a permission and security check module, arranged in the application layer, configured to perform a permission check on a system call request after receiving it from an application and, after the permission check passes, to carry the preset security identifier of the permission and security check module in the system call request as the sender identifier and send the request to the kernel;
a system call interface module, arranged in the kernel, configured to perform the corresponding system call after receiving a system call request if it determines that the sender identifier of the received request is consistent with the pre-stored security identifier.
In the embodiment of the invention, the permission check of the application's system call request is performed in the application layer, outside the kernel, and the preset security identifier of the permission and security check module is set in the system call request for the kernel to identify. This part of the code is not open source code and will not be disclosed, which greatly enhances the security of system calls.
Additional aspects and advantages of the invention will be given in part in the following description, and will become apparent from that description or be learned through practice of the invention.
Brief description of the drawings
The above and/or additional aspects and advantages of the invention will become apparent and easy to understand from the following description of the embodiments with reference to the accompanying drawings, in which:
Fig. 1a and Fig. 1b are schematic flow charts of the system call method of the embodiment of the invention;
Fig. 2 is a schematic block diagram of the internal structure of the system call device of the embodiment of the invention.
Detailed description
Embodiments of the invention are described in detail below, and examples of the embodiments are shown in the drawings, in which the same or similar reference numerals throughout denote the same or similar elements or elements with the same or similar functions. The embodiments described below with reference to the drawings are exemplary; they serve only to explain the invention and are not to be construed as limiting the claims.
Those skilled in the art will appreciate that, unless expressly stated otherwise, the singular forms "a", "an", "said" and "the" used herein may also include the plural forms. It should be further understood that the word "comprising" used in the description of the invention refers to the presence of the stated features, integers, steps, operations, elements and/or components, but does not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups thereof. It should be understood that when an element is said to be "connected" or "coupled" to another element, it may be directly connected or coupled to the other element, or intermediate elements may be present. In addition, "connected" or "coupled" as used herein may include wireless connection or wireless coupling. The phrase "and/or" as used herein includes all of, or any unit of and all combinations of, one or more of the associated listed items.
Those skilled in the art will appreciate that, unless otherwise defined, all terms used herein (including technical and scientific terms) have the same meaning as commonly understood by a person of ordinary skill in the art to which the invention belongs. It should also be understood that terms such as those defined in general dictionaries should be understood to have a meaning consistent with their meaning in the context of the prior art and, unless specifically defined as here, will not be interpreted in an idealized or overly formal sense.
Those skilled in the art will appreciate that "terminal" and "terminal device" as used herein include both devices that have only a wireless signal receiver without transmitting capability, and devices with receiving and transmitting hardware that can carry out two-way communication over a bidirectional communication link. Such devices may include: cellular or other communication devices, with a single-line display, a multi-line display, or no multi-line display; PCS (Personal Communications Service) devices, which can combine voice, data processing, fax and/or data communication capabilities; PDAs (Personal Digital Assistants), which may include a radio frequency receiver, pager, Internet/intranet access, web browser, notepad, calendar and/or GPS (Global Positioning System) receiver; and conventional laptop and/or palmtop computers or other devices that have and/or include a radio frequency receiver. A "terminal" or "terminal device" as used herein may be portable, transportable, installed in a vehicle (air, sea and/or land), or suitable for and/or configured to run locally and/or to run in distributed form at any other location on the earth and/or in space. A "terminal" or "terminal device" as used herein may also be a communication terminal, an Internet access terminal or a music/video playback terminal, for example a PDA, a MID (Mobile Internet Device) and/or a mobile phone with a music/video playback function, or a device such as a smart television or set-top box.
In the embodiment of the invention, a permission and security check module is arranged in the application layer. After receiving a system call request from an application, the permission and security check module performs a permission check on the request; after the permission check passes, it carries its preset security identifier in the system call request as the sender identifier and sends the request to the kernel. After the kernel receives the system call request, it performs the corresponding system call if it determines that the sender identifier of the received request is consistent with the pre-stored security identifier. Thus, in the embodiment of the invention, the permission check of the application's system call request is performed in the application layer, outside the kernel, and the preset security identifier of the permission and security check module is set in the system call request for the kernel to identify. This part of the code is not open source code and will not be disclosed, which greatly enhances the security of system calls.
Moreover, in the embodiment of the invention, if the kernel determines that the sender identifier of the received system call request is inconsistent with the pre-stored security identifier of the permission and security check module, it refuses to execute the received request. Thus, in the embodiment of the invention, system call requests that existing applications send directly to the kernel do not carry the security identifier of the check module and will all be refused by the kernel. This prevents illegal applications such as viruses, Trojans and rogue programs from intruding by exploiting the existing Linux security mechanisms, and greatly enhances the security of system calls.
Further, the inventor also found that, in the existing system call method, the security modules that execute the various security mechanisms are built into the kernel of the operating system. Because the kernel code base is huge and the open source community has its own conventions, modifying the security modules and their security mechanisms is extremely difficult, which in turn makes it extremely difficult to customize new security mechanisms.
Based on this finding, in the embodiment of the invention, a security policy customized for the user can easily be placed in the application layer, so that the permission and security check module can perform permission checks on application call requests more flexibly and in a more personalized way according to the customized policy. While ensuring the security of system calls, this can meet the different needs of various users and improve the user experience. Moreover, compared with modifying the security modules in the kernel, the amount of code to be changed is greatly reduced, compatibility is better and applicability is wider.
The technical solution of the embodiment of the invention is described in detail below.
The intelligent terminal of the embodiment of the invention may be a terminal device such as a smartphone or tablet computer.
The application scenario of the embodiment of the invention is an operating system based on the Linux kernel, such as the Android system, Tizen system, Ubuntu system or FireFox system.
The embodiment of the invention provides a system call method for an application. The flow of the method is shown in Fig. 1a and comprises the following steps:
S101: The application sends a system call request to the permission and security check module.
In the embodiment of the invention, the permission and security check module and its security identifier are set up in advance in the application layer of the operating system. The security identifier of the permission and security check module includes the identity information and/or address information of the module.
In client-server mode, the application acts as the client, and the permission and security check module runs independently as an entity (similar to an application) and acts as the server. In this mode, a fixed UID (User IDentification), PID (Process IDentification) or other identity information, and/or an output address or other address information, can be preset as identity information and/or address information dedicated to the permission and security check module; this information belongs to the security identifier of the module.
In resident mode, the permission and security check module is linked with the application in the form of a library, and runs automatically when the application runs.
Specifically, if the permission and security check module is built as a static library, it is compiled together with the application into one executable program; when the application runs, the permission and security check module is automatically placed in a fixed, preset address space. If the permission and security check module is built as a dynamic library, a link to it is compiled into the application's executable program; when the application runs, the module is obtained automatically through the link and placed in the fixed, preset address space. This preset fixed address space serves as address information dedicated to the permission and security check module and belongs to the security identifier of the module.
The application sends its system call request to the permission and security check module. In form, the system call request may resemble a trap instruction. The content of the system call request may include at least one of the following: accessing a database, accessing input/output files, accessing system services, and so on.
It will be appreciated that an existing application usually sends its system call request directly to the system call interface in the kernel, whereas the application in the embodiment of the invention is modified so that it sends the system call request to the permission and security check module.
S102: After receiving the application's system call request, the permission and security check module performs a permission check on the request. If the permission check passes, step S103 is performed; if the permission check fails, the received system call request is ignored.
After receiving the application's system call request, the permission and security check module performs the permission check on the request according to the permissions recorded for each application in the preset security policy.
Specifically, it determines whether the permission involved in the application's system call request matches the permissions that the application has in the security policy. If so, it determines that the permission check has passed and performs step S103; otherwise it determines that the permission check has failed and ignores the received system call request.
It is easy to understand that many current applications come preset with access options that have nothing to do with their function. For example, a flashlight application may, in addition to the preset camera access option, also be given access options for the (intelligent terminal's) location information, WLAN (Wireless Local Area Network) and the list of installed applications. Clearly, the flashlight application implements its illumination function by using the camera's fill light as a torch, which has nothing to do with location information, WLAN or the list of installed applications. Therefore, the permissions that an application's function needs to use, and/or the permissions corresponding to access options that do not fit the application's function, can be determined in advance and recorded in the security policy. The permissions corresponding to access options are then filtered according to the security policy so that only those suited to the application's function remain, which reduces the probability of leaking user information.
Preferably, a security policy customized for the user according to the user's needs can be placed in the permission and security check module. For example, security policy A is customized for company A and security policy B for company B, and policies A and B are placed in the permission and security check modules of the intelligent terminals of companies A and B respectively.
The permission and security check module can perform permission checks on application call requests more flexibly and in a more personalized way according to the customized security policy. While ensuring the security of system calls, this can meet the different needs of various users and improve the user experience. Moreover, compared with modifying the security modules in the kernel, the amount of code to be changed is greatly reduced, compatibility is better and applicability is wider.
S103: The preset security identifier of the permission and security check module is carried in the system call request as the sender identifier, and the request is sent to the kernel.
The security identifier of the permission and security check module includes the identity information and/or address information of the module. The identity information may include at least one of the following: a fixed UID, PID, and so on. The address information may include at least one of the following: a fixed output address, address space, and so on.
The permission and security check module carries its preset security identifier in the system call request as the sender identifier and sends the request to the kernel.
S104: After receiving the system call request, the kernel determines whether the sender identifier of the received request is consistent with the pre-stored security identifier. If it is consistent, step S105 is performed; if it is inconsistent, step S106 is performed.
After receiving the system call request, the kernel determines whether the sender identifier of the received request is consistent with the security identifier of the permission and security check module that is pre-stored in the kernel. If it is consistent, step S105 is performed; if it is inconsistent, step S106 is performed.
S105: The kernel performs the corresponding system call.
After the kernel has determined in step S104 that the sender identifier of the system call request is consistent with the pre-stored security identifier of the permission and security check module, in this step it executes the received system call request and performs the corresponding system call.
S106: The kernel refuses to execute the received system call request and returns an access-denied message to the application that sent the request.
After the kernel has determined in step S104 that the sender identifier of the system call request is inconsistent with the pre-stored security identifier of the permission and security check module, in this step it refuses to execute the received system call request and returns an access-denied message to the application that sent the request.
Preferably, the kernel returns the access-denied message directly to the application that sent the system call request through the conventional system call return path. The access-denied message carries the return value corresponding to the refusal of the system call request; this return value is typically an integer (for example, the integer 13) and conforms to the POSIX (Portable Operating System Interface) standard.
It will be appreciated that applications that still rely on the traditional Linux security mechanism and send system call requests directly to the kernel are often illegal applications such as viruses, Trojan programs or rogue programs, or applications installed privately by the user of the intelligent terminal without permission from the company or the relevant department. Refusing the system call requests of these applications can greatly reduce the probability that the intelligent terminal is compromised and leaks information, thereby strengthening the security of the information in the intelligent terminal.
Preferably, the embodiment of the invention provides another system call method for an application. The flow of the method is shown in Fig. 1b and comprises the following steps:
S111: The application sends a system call request to the permission and security check module.
The specific method of this step is the same as in step S101 above and is not repeated here.
S112: After receiving the application's system call request, the permission and security check module performs a permission check on the request. If the permission check passes, step S113 is performed; if the permission check fails, the received system call request is ignored.
The specific method of this step is the same as in step S102 above and is not repeated here.
S113: The preset security identifier of the permission and security check module is carried in the system call request as the sender identifier, and the request is sent to the kernel.
The specific method of this step is the same as in step S103 above and is not repeated here.
S114: After receiving the system call request, the kernel determines whether the sender identifier of the received request is consistent with the pre-stored security identifier. If it is consistent, step S115 is performed; if it is inconsistent, step S117 is performed.
After receiving the system call request, the kernel determines whether the sender identifier of the received request is consistent with the security identifier of the permission and security check module that is pre-stored in the kernel. If it is consistent, step S115 is performed; if it is inconsistent, step S117 is performed.
S115: The kernel verifies the legitimacy of the relevant information of the permission and security check module according to the security identifier. If the verification result is legitimate, step S116 is performed; if the verification result is illegitimate, step S117 is performed.
Preferably, the permission and security check module in the embodiment of the invention is provided with its relevant information and a digital signature. The relevant information of the permission and security check module may be source code (all or part of the source code of the module) or other information that can indicate the content of the module. A unique digest of the relevant information of the permission and security check module can be computed with a predetermined algorithm, and the digest is encrypted with a predetermined private key to obtain the digital signature.
The kernel pre-stores the predetermined algorithm and the public key corresponding to the predetermined private key. Using the digital signature it obtains for the relevant information of the permission and security check module, the kernel verifies the legitimacy of the relevant information it obtains.
Specifically, the kernel uses the security identifier of the permission and security check module to obtain, from the module, the preset relevant information of the module and its digital signature. The kernel computes the digest of the obtained relevant information with the pre-stored predetermined algorithm, decrypts the digital signature with the pre-stored public key to obtain a digest, and determines whether the computed digest is consistent with the decrypted digest. If so, it determines that the verification result is legitimate and performs step S116; otherwise it determines that the verification result is illegitimate and performs step S117.
Further, the permission and security check module stores, along with the digital signature, the predetermined algorithm and the public key corresponding to the predetermined private key.
In that case, the kernel uses the security identifier of the permission and security check module to obtain, from the module, the preset relevant information of the module and its digital signature, together with the public key and the algorithm. The kernel computes the digest of the obtained relevant information with the obtained algorithm, decrypts the digital signature with the obtained public key to obtain a digest, and determines whether the computed digest is consistent with the decrypted digest. If so, it determines that the verification result is legitimate and performs step S116; otherwise it determines that the verification result is illegitimate and performs step S117.
It will be appreciated that verifying the legitimacy of the relevant information of the permission and security check module prevents the module from being illegally tampered with and strengthens the security of the module, thereby strengthening the security of the embodiment of the invention as a whole.
S116: The kernel performs the corresponding system call.
After the kernel determines in step S115 above that the legitimacy verification result for the relevant information of the authority and safety check module is legal, it executes the received system call request in this step and performs the corresponding system call.
S117: The kernel refuses to execute the received system call request and returns an access-denied message to the application that sent the request.
After the kernel determines in step S114 above that the sender identifier of the system call request is inconsistent with the pre-stored secure ID of the authority and safety check module, or determines in step S115 above that the legitimacy verification result for the relevant information of the authority and safety check module is illegal, it refuses in this step to execute the received system call request and returns an access-denied message to the application that sent it.
Preferably, the kernel returns the access-denied message directly to the application that sent the system call request over the conventional system call return path. The access-denied message carries the return value corresponding to the refusal of the system call request; this return value is typically an integer (for example, the integer 13) and conforms to the POSIX standard.
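An added example in C, not code from the patent, of the kernel-side decision in steps S114 to S117. The struct and function names, the secure ID value, FNV-1a as the "predetermined algorithm" and the tiny textbook-RSA key are assumptions, constructed so the block runs stand-alone; they stand in for the algorithm and key pair the text leaves unspecified.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy key (textbook RSA, primes 65521 and 65537); illustration only. */
#define TOY_N 4294049777u  /* public modulus */
#define TOY_E 17u          /* public exponent pre-stored in the kernel */
#define TOY_D 2020667633u  /* private exponent, held only by the signer */
#define PRESTORED_SECURE_ID 0x5EC0DE01u  /* hypothetical secure ID */

struct module_record {       /* looked up by secure ID; field names assumed */
    const char *info;        /* relevant information of the module */
    uint32_t signature;      /* signature over digest(info) */
};
struct syscall_request {
    uint32_t sender_id;      /* sender identifier carried in the request, 0 if absent */
    int nr;                  /* requested system call number */
};

static uint32_t modpow(uint32_t base, uint32_t exp, uint32_t mod)
{
    uint64_t r = 1, b = base % mod;
    for (; exp; exp >>= 1, b = b * b % mod)
        if (exp & 1)
            r = r * b % mod;
    return (uint32_t)r;
}

/* Stand-in for the "predetermined algorithm": FNV-1a reduced below TOY_N. */
static uint32_t digest(const char *info)
{
    uint32_t h = 2166136261u;
    for (; *info; info++)
        h = (h ^ (unsigned char)*info) * 16777619u;
    return h % TOY_N;
}

static uint32_t toy_sign(const char *info) /* signer side; builds the sample */
{
    return modpow(digest(info), TOY_D, TOY_N);
}

/* Kernel side, S114 to S117: 0 = dispatch, EACCES (13 on Linux) = refuse. */
static int gate_syscall(const struct syscall_request *req,
                        const struct module_record *mod)
{
    if (req->sender_id != PRESTORED_SECURE_ID)      /* S114 fails */
        return EACCES;                              /* S117 */
    if (modpow(mod->signature, TOY_E, TOY_N) != digest(mod->info))
        return EACCES;                              /* S115 fails, S117 */
    return 0;                                       /* S116 */
}

int main(void)
{
    const char *info = "check-module v1";           /* constructed sample */
    struct module_record good = { info, toy_sign(info) };
    struct module_record bad = { "check-module v1 patched", good.signature };
    struct syscall_request via_module = { PRESTORED_SECURE_ID, 1 };
    struct syscall_request direct = { 0, 1 };
    printf("%d %d %d\n", gate_syscall(&via_module, &good),
           gate_syscall(&direct, &good), gate_syscall(&via_module, &bad));
    return 0;
}
```

The block follows the pre-stored-key variant: the verification key lives in the kernel, so a replaced module cannot supply the key that its own signature is checked against.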
Based on the above system call method, an embodiment of the present invention also provides a system call device, which is arranged in the intelligent terminal of the embodiment of the present invention. A schematic block diagram of the internal structure of the device is shown in Figure 2; it includes an authority and safety check module 201 and a system call interface module 202.
The authority and safety check module 201 is arranged in the application layer of the intelligent terminal of the embodiment of the present invention. It is configured to perform a permission check on an application's system call request after receiving it and, after the permission check passes, to carry the preset secure ID of the authority and safety check module 201 in the system call request as the sender identifier and send the request to the kernel.
The system call interface module 202 is arranged in the kernel of the intelligent terminal of the embodiment of the present invention. It is configured, after receiving a system call request, to perform the corresponding system call if it determines that the sender identifier of the received system call request is consistent with the pre-stored secure ID of the authority and safety check module 201.
Preferably, the system call interface module 202 is further configured to refuse to execute the received system call request, and to return an access-denied message to the application that sent it, if it determines that the sender identifier of the received system call request is inconsistent with the pre-stored secure ID.
Specifically, the authority and safety check module 201 is configured to perform the permission check on the system call request according to a customized security policy.
Preferably, the system call interface module 202 is further configured, after determining that the sender identifier of the received system call request is consistent with the pre-stored secure ID, to perform legitimacy verification on the relevant information of the authority and safety check module 201 according to the secure ID. If the verification result is legal, it performs the corresponding system call; if the verification result is illegal, it refuses to execute the received system call request and returns an access-denied message to the application that sent it.
Further, the system call interface module 202 is specifically configured to obtain, according to the secure ID of the authority and safety check module 201, the preset relevant information of the authority and safety check module 201 and its digital signature; to compute the digest of the obtained relevant information and decrypt the digest corresponding to the digital signature; and to determine whether the computed digest is consistent with the decrypted digest. If so, the verification result is legal; otherwise the verification result is illegal.
For how the functions of the authority and safety check module 201 and the system call interface module 202 are implemented, refer to the process steps shown in Figure 1 above; the details are not repeated here.
In the embodiment of the present invention, the permission check of an application's system call request is performed in the application layer, outside the kernel, and the preset secure ID of the authority and safety check module is set in the system call request for the kernel to identify. This part of the code is not open source and is not disclosed, which greatly enhances the security of system calls.
Moreover, in the embodiment of the present invention, a system call request sent directly to the kernel by an illegal application, or by an illegal application disguised as an existing application, does not carry the secure ID of the authority and safety check module and is therefore refused by the kernel. This prevents illegal applications such as viruses, Trojans and rogue programs from exploiting the existing Linux security mechanisms to intrude, which greatly enhances the security of system calls.
Further, in the embodiment of the present invention, a security policy customized for the user can easily be set in the application layer, so that the authority and safety check module can perform the permission check on an application's call request more flexibly and in a more personalized way according to the customized policy. While keeping system calls secure, this meets the differing needs of various users and improves the user experience. Moreover, compared with modifying the security module in the kernel, the amount of code to be changed is greatly reduced, compatibility is better, and the approach is more widely applicable.
Those skilled in the art will understand that the present invention includes devices for performing one or more of the operations described herein. These devices may be specially designed and manufactured for the required purposes, or may comprise known devices in general-purpose computers. These devices have computer programs stored in them that are selectively activated or reconfigured. Such computer programs may be stored in a device-readable (for example, computer-readable) medium, or in any type of medium suitable for storing electronic instructions and coupled to a bus, the computer-readable medium including but not limited to any type of disk (including floppy disks, hard disks, optical disks, CD-ROMs and magneto-optical disks), ROM (Read-Only Memory), RAM (Random Access Memory), EPROM (Erasable Programmable Read-Only Memory), EEPROM (Electrically Erasable Programmable Read-Only Memory), flash memory, magnetic cards or optical cards. That is, a readable medium includes any medium that stores or transmits information in a form readable by a device (for example, a computer).
Those skilled in the art will understand that each block in these structure diagrams and/or block diagrams and/or flow diagrams, and combinations of blocks in them, can be implemented with computer program instructions. They will also understand that these computer program instructions can be provided to a processor of a general-purpose computer, a special-purpose computer or another programmable data processing method for implementation, so that the schemes specified in one or more blocks of the structure diagrams and/or block diagrams and/or flow diagrams disclosed by the present invention are executed by the processor of the computer or of the other programmable data processing method.
Those skilled in the art will understand that the steps, measures and schemes in the various operations, methods and flows discussed in the present invention can be alternated, changed, combined or deleted. Further, other steps, measures and schemes in the various operations, methods and flows discussed in the present invention can also be alternated, changed, rearranged, decomposed, combined or deleted. Further, steps, measures and schemes in the prior art that correspond to those in the various operations, methods and flows disclosed in the present invention can also be alternated, changed, rearranged, decomposed, combined or deleted.
The above are only some embodiments of the present invention. It should be noted that those of ordinary skill in the art can make several improvements and modifications without departing from the principles of the present invention, and these improvements and modifications should also be regarded as falling within the protection scope of the present invention.

Claims (10)

1. A system call method, characterized by comprising:
after receiving a system call request of an application, performing a permission check on the system call request;
after the permission check passes, carrying the preset secure ID of the authority and safety check module in the system call request as the sender identifier and sending the request to the kernel;
after the kernel receives the system call request, performing the corresponding system call if it is determined that the sender identifier of the received system call request is consistent with the pre-stored secure ID.
2. The method according to claim 1, characterized by further comprising: if the kernel determines that the sender identifier of the received system call request is inconsistent with the pre-stored secure ID, refusing to execute the received system call request and returning an access-denied message to the application that sent the system call request.
3. The method according to claim 1, characterized in that performing the permission check on the system call request specifically comprises:
performing the permission check on the system call request according to a customized security policy.
4. The method according to claim 1, characterized in that the secure ID of the authority and safety check module includes: identity information and/or address information of the authority and safety check module.
5. The method according to claim 1, characterized in that, after determining that the sender identifier of the received system call request is consistent with the pre-stored secure ID, the method further comprises:
the kernel performing legitimacy verification on the relevant information of the authority and safety check module according to the secure ID; and
performing the corresponding system call comprises:
performing the corresponding system call if the verification result is legal.
6. The method according to claim 5, characterized in that performing legitimacy verification on the relevant information of the authority and safety check module according to the secure ID specifically comprises:
the kernel obtaining, according to the secure ID, the preset relevant information of the authority and safety check module and its digital signature;
the kernel performing legitimacy verification on the obtained relevant information of the authority and safety check module according to the obtained digital signature.
7. A system call device, characterized by comprising:
an authority and safety check module, arranged in the application layer and configured to perform a permission check on a system call request of an application after receiving the request and, after the permission check passes, to carry the preset secure ID of the authority and safety check module in the system call request as the sender identifier and send the request to the kernel;
a system call interface module, arranged in the kernel and configured, after receiving the system call request, to perform the corresponding system call if it is determined that the sender identifier of the received system call request is consistent with the pre-stored secure ID.
8. The device according to claim 7, characterized in that
the system call interface module is further configured, if it determines that the sender identifier of the received system call request is inconsistent with the pre-stored secure ID, to refuse to execute the received system call request and to return an access-denied message to the application that sent the system call request.
9. The device according to claim 7, characterized in that
the authority and safety check module is specifically configured to perform the permission check on the system call request according to a customized security policy.
10. The device according to claim 7, characterized in that
the system call interface module is further configured, after determining that the sender identifier of the received system call request is consistent with the pre-stored secure ID, to perform legitimacy verification on the relevant information of the authority and safety check module according to the secure ID, and to perform the corresponding system call if the verification result is legal.
CN201610555203.6A 2016-07-14 2016-07-14 System calling method and device Active CN106203080B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610555203.6A CN106203080B (en) 2016-07-14 2016-07-14 System calling method and device

Publications (2)

Publication Number Publication Date
CN106203080A true CN106203080A (en) 2016-12-07
CN106203080B CN106203080B (en) 2019-02-15

Family

ID=57475678

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610555203.6A Active CN106203080B (en) 2016-07-14 2016-07-14 System calling method and device

Country Status (1)

Country Link
CN (1) CN106203080B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108170543A (en) * 2017-12-26 2018-06-15 上海展扬通信技术有限公司 The synchronization processing method and device of Kernel codes and thereon layer identification code
CN114579254A (en) * 2022-03-02 2022-06-03 科东(广州)软件科技有限公司 System calling method and device of microkernel virtualization operating system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1808325A (en) * 2004-10-01 2006-07-26 微软公司 API for access authorization
CN101727545A (en) * 2008-10-10 2010-06-09 中国科学院研究生院 Method for implementing mandatory access control mechanism of security operating system
CN102737193A (en) * 2011-09-23 2012-10-17 新奥特(北京)视频技术有限公司 Equipment shielding method and device for data security prevention and control

Also Published As

Publication number Publication date
CN106203080B (en) 2019-02-15

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20210129

Address after: 101300 room 153, 1 / F, building 17, 16 Caixiang East Road, Nancai Town, Shunyi District, Beijing

Patentee after: Yuanxin Information Technology Group Co.,Ltd.

Address before: 100176 room 2222, building D, building 33, 99 Kechuang 14th Street, Beijing Economic and Technological Development Zone, Beijing

Patentee before: BEIJING YUANXIN SCIENCE & TECHNOLOGY Co.,Ltd.

EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20161207

Assignee: Beijing Yuanxin Junsheng Technology Co.,Ltd.

Assignor: Yuanxin Information Technology Group Co.,Ltd.

Contract record no.: X2021110000018

Denomination of invention: System call method and device

Granted publication date: 20190215

License type: Common License

Record date: 20210531