CN106909833A - A kind of safety protecting method and device - Google Patents
A kind of safety protecting method and device
- Publication number: CN106909833A
- Application number: CN201510982010.4A
- Authority: CN (China)
- Prior art keywords: incubator, mirror image, run, monitoring unit, control module
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G06F21/51 — Monitoring users, programs or devices to maintain the integrity of platforms (e.g. of processors, firmware or operating systems) at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability (under G06F21/50, G06F21/00, G06F, G06, G—PHYSICS)
- G06F21/53 — Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow, by executing in a restricted environment, e.g. sandbox or secure virtual machine (under G06F21/52, G06F21/50, G06F21/00, G06F, G06, G—PHYSICS)
- G06F2221/033 — Test or assess software (indexing scheme G06F2221/03 relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms; under G06F2221/00, G06F, G06, G—PHYSICS)
Abstract
The invention discloses a safety protection method and device. In the method, before the monitoring unit is loaded into the process environment, the event behaviors that need to be monitored for the application to be run are determined from the attribute information of that application, and the monitoring unit is configured so that, when it runs, it monitors the identified event behaviors. The monitoring unit and the application to be run are then loaded into the process environment by the process hatched by the mirror incubator and run there, with the monitoring unit monitoring the event behaviors of the application to be run. In this way the monitoring unit monitors only the event behaviors that the application to be run needs monitored, and does not needlessly monitor the event behaviors the application is permitted to perform, which reduces the consumption of system resources.
Description
Technical field
The present invention relates to the field of Internet technology, and more particularly to a safety protection method and device.
Background technology
A sandbox is an execution environment that restricts program behavior according to a security policy; it is now widely used in all kinds of operating systems, and there are many implementations of sandbox technology. Taking the Android system as an example, one of the more advanced current techniques is to use the incubator (Zygote) component to virtualize a process environment (also called a virtual machine), and to load the application software to be run, together with a monitoring unit that monitors that application software, into the process produced while building the virtual process environment, so that the virtual process environment constitutes a sandbox instance.
The prior art has the following technical problem: because the same monitoring unit is loaded into different process environments, and in order to achieve safe and reliable protection, the monitoring unit loaded into each process environment monitors most of the event behaviors of the corresponding application. Such a monitoring unit needs considerable resources to run, and the process environment set up for it also consumes a large amount of resources.
Summary of the invention
It is an object of the present invention to solve the above technical problem.
In a first aspect, the invention provides a safety protection method comprising the following steps:
constructing, from the system's original incubator, a mirror incubator for hatching process environments;
hatching, by the mirror incubator, a process and its process environment for the application to be run;
determining, from the attribute information of the application to be run, the event behaviors that need to be monitored for that application, and configuring the monitoring unit so that, when run, it monitors the identified event behaviors;
loading the monitoring unit and the application to be run into the process environment by the process hatched by the mirror incubator and running them there, with the monitoring unit monitoring the event behaviors of the application to be run.
Further, determining, from the attribute information of the application to be run, the event behaviors that need to be monitored for that application, and configuring the monitoring unit so that, when run, it monitors the identified event behaviors, includes:
determining, according to the type of the application to be run, the event behaviors that the application is permitted to perform, and generating a whitelist of the corresponding event behaviors;
importing the whitelist into the monitoring unit, so that the monitoring unit monitors the event behaviors outside the whitelist.
Further, importing the whitelist into the monitoring unit specifically includes:
presenting the whitelist to the user through an interactive interface;
updating the whitelist according to the user's operations;
importing the updated whitelist into the monitoring unit.
Further, the process of constructing the mirror incubator from the original incubator comprises the following steps:
running a control module, and using the control module to construct the mirror incubator based on the original incubator;
establishing a connection between the control module and the mirror incubator.
Further, the step of constructing the mirror incubator based on the original incubator using the control module includes:
the control module establishes a connection with the original incubator using the original incubator's socket;
the control module closes the connection that the activity management service maintains through the original incubator's socket;
the control module copies the executable code of the original incubator and implants into it a call instruction for loading the monitoring unit;
the control module runs the code of the mirror incubator so as to construct the mirror incubator.
Further, the monitoring unit includes a number of hook plug-ins; by monitoring the different call instructions of the application process and applying the corresponding hook plug-in, the event behaviors of the application process are processed.
In a second aspect, the invention provides a safety protection device, including:
a control module, for constructing, from the system's original incubator, a mirror incubator for hatching process environments, and for determining, from the attribute information of the application to be run, the event behaviors that need to be monitored for that application, and configuring the monitoring unit so that, when run, it monitors the identified event behaviors;
the mirror incubator, for hatching a process environment by itself and loading the monitoring unit and the application to be run into that process environment;
the monitoring unit, for monitoring the event behaviors of the application to be run.
Further, the control module is specifically configured to determine, according to the type of the application to be run, the event behaviors that the application is permitted to perform, to generate a whitelist of the corresponding event behaviors, and to import the whitelist into the monitoring unit, so that the monitoring unit monitors the event behaviors outside the whitelist.
Further, the control module is specifically configured to present the whitelist to the user through an interactive interface, to update the whitelist according to the user's operations, and to import the updated whitelist into the monitoring unit.
Further, the monitoring unit includes a number of hook plug-ins; by monitoring the different call instructions of the application process and applying the corresponding hook plug-in, the event behaviors of the application process are processed.
In the safety protection method and device provided by the present invention, before the monitoring unit is loaded into the process environment, the event behaviors that need to be monitored for the application to be run are determined from that application's attribute information, and the monitoring unit is configured so that, when run, it monitors the identified event behaviors; afterwards the application to be run and the configured monitoring unit are loaded into the process environment and run. In this way the monitoring unit monitors only the event behaviors that the application to be run needs monitored, and does not needlessly monitor the event behaviors the application is permitted to perform, which reduces the consumption of system resources. At the same time, the present invention uses the original incubator Zygote built into the Android system to construct a new mirror incubator, so that the mirror incubator is independent of the original incubator, and then redirects the requests of the activity management service so that applications run in the mirror incubator constructed by the invention. Forcible intrusions are generally built on mechanisms known to the system; because the mirror incubator is independent of the original incubator, a malicious program cannot recognize the internal mechanism of the mirror incubator. Thus, even if a malicious program attempts, when the system is rooted, to go deep into the bottom layer of the system to damage Zygote, or attempts to spread a virus by means such as ELF file infection, these attempts may fail against the mirror incubator, and the applications loaded by processes derived from the mirror incubator run more safely.
It can be seen that the advantage obtained by the present invention is systematic: it not only provides security protection from the bottom layer up to the application layer, but also has the management function of flexibly transferring and controlling processes.
Additional aspects and advantages of the invention will be set forth in part in the following description, will become apparent from that description, or may be learned by practice of the invention.
Brief description of the drawings
By reading the following detailed description of the preferred embodiments, various other advantages and benefits will become clear to those of ordinary skill in the art. The drawings are used only to show the preferred embodiments and are not to be considered a limitation of the present invention. Throughout the drawings, the same parts are denoted by the same reference numerals. In the drawings:
Fig. 1 is a block diagram of the general idea of the invention and of a system that it provides;
Fig. 2 is a flow chart of the safety protection method of the invention;
Fig. 3 is a flow chart of the specific sub-steps of step S12 of the invention;
Fig. 4 is a flow chart of the specific sub-steps of step S13 of the invention;
Fig. 5 is a flow chart of the security sandbox construction method of the invention;
Fig. 6 is a flow chart of the specific sub-steps of step S31 of the invention;
Fig. 7 is a flow chart of the specific fine-grained sub-steps of step S312 of the invention.
Specific embodiments
Exemplary embodiments of the disclosure are described more fully below with reference to the accompanying drawings. Although exemplary embodiments of the disclosure are shown in the drawings, it should be understood that the disclosure may be realized in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure is understood more thoroughly and its scope is conveyed completely to those skilled in the art.
Embodiments of the invention are described in detail below; examples of the embodiments are shown in the drawings, in which the same or similar labels throughout denote the same or similar elements or elements with the same or similar functions. The embodiments described below with reference to the drawings are exemplary, serve only to explain the present invention, and are not to be construed as limiting it.
Those skilled in the art will appreciate that, unless expressly stated otherwise, the singular forms "a", "an", "the" and "said" used herein may also include the plural. It should be further understood that the word "including" used in the description of the invention refers to the presence of the stated features, integers, steps, operations, elements and/or components, but does not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups thereof. It should be understood that when an element is said to be "connected" or "coupled" to another element, it may be directly connected or coupled to the other element, or intermediate elements may be present. In addition, "connected" or "coupled" as used here may include wireless connection or wireless coupling. The word "and/or" as used herein includes all or any combination of one or more of the associated listed items.
Those skilled in the art will appreciate that, unless otherwise defined, all terms used herein (including technical and scientific terms) have the same meaning as is generally understood by those of ordinary skill in the art to which the invention belongs. It should also be understood that terms such as those defined in general dictionaries should be understood to have a meaning consistent with their meaning in the context of the prior art and, unless specifically defined as here, will not be interpreted in an idealized or overly formal sense.
Those skilled in the art will appreciate that "terminal" and "terminal device" as used herein include both devices with only a wireless signal receiver and no transmitting capability, and devices with receiving and transmitting hardware capable of two-way communication over a bidirectional communication link. Such devices may include: cellular or other communication devices with a single-line display or a multi-line display, or cellular or other communication devices without a multi-line display; PCS (Personal Communications Service) devices, which may combine voice, data processing, fax and/or data communication capabilities; PDAs (Personal Digital Assistants), which may include a radio frequency receiver, a pager, Internet/intranet access, a web browser, a notepad, a calendar and/or a GPS (Global Positioning System) receiver; and conventional laptop and/or palmtop computers or other devices that have and/or include a radio frequency receiver. The "terminal" or "terminal device" used herein may be portable, transportable, installed in a vehicle (air, sea and/or land), or suitable for and/or configured to operate locally and/or in distributed form at any other location on earth and/or in space. The "terminal" or "terminal device" used herein may also be a communication terminal, an access terminal or a music/video playback terminal, for example a PDA, a MID (Mobile Internet Device) and/or a mobile phone, or a smart television or set-top box with music/video playback functions.
Those skilled in the art will appreciate that the concepts of server, cloud and remote network device used herein are equivalent in effect and include, but are not limited to, a computer, a network host, a single network server, a set of multiple network servers, or a cloud made up of multiple servers. Here a cloud consists of a large number of computers or network servers based on cloud computing, where cloud computing is a form of distributed computing: a super virtual computer made up of a group of loosely coupled computers. In embodiments of the invention, communication between the remote network device, the terminal device and the WNS server may be realized by any communication means, including but not limited to mobile communication based on 3GPP, LTE or WIMAX, computer network communication based on the TCP/IP or UDP protocols, and short-range wireless transmission based on Bluetooth or infrared transmission standards.
Those skilled in the art will appreciate that "application", "application program", "application software" and similar expressions referred to in the invention are the same concept well known to those skilled in the art: computer software suitable for electronic execution, organically constructed from a series of computer instructions and related data resources. Unless otherwise specified, this name is not limited by the kind or level of the programming language, nor by the operating system or platform on which it runs. Naturally, this concept is also not limited by any type of terminal.
The application scenario in which the method and device of the invention described below are implemented is a runtime environment based on the Android operating system installed on a mobile terminal.
Those skilled in the art should anticipate that, because the disclosed technology involves calling system-level resources of Android, the application implementing the present example needs to obtain Root authority before the invention is put into practice. Obtaining Root authority is itself existing and well-known prerequisite technology, and mobile terminal users already have the operational ability and practical awareness to obtain Root authority on their own. In addition, some open-minded mobile terminal manufacturers have already enabled system Root authority for users when the device leaves the factory, or deliberately provide convenient means to obtain it. Therefore, this should not be regarded as a necessary component affecting the implementation of the invention.
As is well known, Root authority refers to the system administrator authority of Unix-type operating systems (including Linux and Android), similar to the Administrator authority in Windows systems; Root authority can access and modify almost all files on the user's mobile device (Android system files and user files, not including the ROM). However, because current mobile terminal systems still manage Root authority strictly, most applications or programs do not possess Root authority under normal circumstances, so operations that require Root authority cannot be performed, for example installing or uninstalling applications, or implementing the method and device of the invention. For this reason, the invention recommends obtaining Root authority in the following way: obtaining Root authority by calling the system's built-in SU (Super User) command, or by obtaining a shell with Root authority and starting the process in that shell; once the system's Root authority has been granted, subsequent process calls that perform related operations need not apply for Root authority again. The specific Root authority acquisition process can refer to the Root authority calling functions of the prior art; since elevation to Root is entirely within the prior art, the invention does not elaborate on it here. After Root authority is obtained, bottom-layer operations on the system can be carried out, including the ELF infection of Zygote in the present invention, running the control module as an underlying service, and even establishing communication based on the Binder mechanism, all of which rely on this.
The implementation of the invention depends on the intrinsic principles of the Android operating system, so the following content must first be introduced:
1. Zygote startup process:
On startup, the Android system first starts the basic Linux system, then boots and loads the Linux kernel and starts the initialization process (Init). The Linux daemons are then started, and the Zygote process must also be started while the Linux daemons are started.
Zygote is visually referred to in the industry as the incubator. After the Zygote process starts, it first initializes a Dalvik VM (virtual machine) instance, then loads resources and system libraries for it, and opens a Socket listening service. When it receives a request to create a Dalvik VM instance, it reuses itself as far as possible through COW (copy-on-write) technology to generate a new Dalvik VM instance. The method of creating Dalvik VM instances is based on the fork principle of the Linux system. When the Zygote process, during system operation, receives a request to create a virtual machine through its Socket listening port, it hatches a Dalvik VM instance from itself by calling the fork function, which can be understood as hatching a process space for running the target application.
After the Zygote process has started, the Init process starts the Runtime process. The Runtime process first initializes the Service Manager and registers it as the default context manager for Binder services, responsible for the registration and lookup of Binder services. The Runtime process then sends a request to the Zygote process to start the System Server component; after the Zygote process receives the request, it "hatches" a new Dalvik VM instance and starts the system service process.
SystemServer first starts two local services (native services written in C or C++), Surface Flinger and Audio Flinger, and registers these two local system services with the Service Manager as IPC service objects so that they can be found when needed. SystemServer then starts some Android system management services, including hardware services and services of the system framework product platform, among them the activity management service ActivityManagerService (AMS), and registers them as IPC service objects.
After SystemServer has loaded all the system services, the system is ready, and it sends a system ready (systemReady) broadcast to all services. When an Android application needs to be started, ActivityManagerService sends a request through the Socket inter-process communication mechanism to notify the Zygote process to create a new process for the application.
2. AMS response to the application startup process:
In the Android application framework layer, the ActivityManagerService component is responsible for creating new processes for Android applications; it itself also runs in an independent process, but that process is created during system startup. The ActivityManagerService component generally creates a new process for an application in the following situation: when the system decides to start an Activity or Service in a new process, AMS attempts to create a new process and then starts that Activity or Service in the new process.
When ActivityManagerService starts an application, it communicates with the Zygote process through the Socket and asks it to fork a child process to serve as the process of the application to be started. As seen in the introduction above, the two critical services in the system, PackageManagerService and ActivityManagerService, are started by the SystemServer process, and the SystemServer process is itself forked out by the Zygote process during startup.
It can be seen that communication between Zygote and AMS is based on sockets. Before Zygote is started, init creates the socket file, which is stored under the system directory /dev/socket, and the socket file created generally has the same filename as the Zygote process name. Thus, by checking the socket files in that system directory, one can verify whether the system has created a new incubator. This file stores the configuration data of the socket. AMS establishes its direct communication mechanism with Zygote precisely by reading such a socket file. The socket-based communication mechanism that the invention discloses later is realized in the same way as here.
3. Reference technique for injecting function modules into the system service process SystemServer:
As stated above, after Zygote starts, the first thing it does is fork SystemServer out of itself, making it the system service process, and service processes such as AMS and PMS are loaded by that system service process. Therefore, injection techniques are widely used in the prior art to inject the function modules that realize a specific function into SystemServer, so that they are executed and the purpose is achieved.
For example, one process in the prior art for realizing code injection into the system service process is:
Step 1: look up the process numbers (process IDs, i.e. PIDs) of the three processes com.android.phone, system_server and /system/bin/mediaserver in the Android system;
Step 2: modify the running states of the three processes respectively according to the PIDs, execute a load-monitor-module instruction, open up memory space and write the instruction for loading the monitor module into it;
Step 3: modify the buffer states of the three processes respectively, so that the CPU jumps to execute the instruction;
Step 4: according to the instruction, load the monitor module in the memory space of the injector module, and the monitor module starts its initialization operation;
Step 5: after initialization ends, the monitor module looks up the start address of libbinder.so in the current process, and locates the address of the entry corresponding to the ioctl function in the Global Objects Table (GOT) of libbinder.so, i.e. the address of the corresponding GOT entry;
Step 6: modify the content of the GOT entry corresponding to ioctl, replacing it with the address of the hook function hooked_ioctl;
Step 7: when software performs a sensitive behavior, it communicates and exchanges data through ioctl with one or more of the three processes com.android.phone, system_server and /system/bin/mediaserver, and the hook function hooked_ioctl reads and analyzes the sensitive behavior type of the software;
Step 8: the monitor module writes the initiator and time of the sensitive behavior into a log file, obtaining a monitoring record of the software's sensitive behaviors;
Step 9: when the monitor module detects a sensitive behavior, it sends a message to the user and suspends the execution of the sensitive behavior;
Step 10: the user decides whether to allow the sensitive behavior to execute and returns an agree or refuse command to the monitor module;
Step 11: the monitor module obtains the result of the user's choice; if the user agrees, the sensitive behavior continues executing; if the user refuses, the execution of the sensitive behavior is terminated.
Schemes that realize injection similar to the above are too numerous to enumerate in the prior art. The above method concerning the monitor module may be referred to, and it provides a known scheme for the injection into the system service process SystemServer by the control module that the invention discloses later. But in order to make the subsequent disclosure of the invention clearer, it is necessary to know that the shut-off module that the invention will disclose, whose function is to close the Socket connection between AMS and Zygote, can be implemented in the shared library file libbinder.so as disclosed in the preceding example; in this case, by reverse engineering that dynamic library file, the implementation details of the invention's function can be at least partly understood and realized.
4. The infection principle based on the Linux executable file format ELF:
An ELF (Executable and Linkable Format) file is a Linux executable file used to store executable code. The ELF infection principle is a prior art technique: by copying the executable code of a program, inserting into it newly added code that realizes a certain intended purpose, and then executing the modified executable code, the program is modified. The disclosure below will use this principle to modify the system's original incubator Zygote so as to construct a mirror incubator, through which the method, device and sandbox instance of the invention are realized.
Once the above system principles and related knowledge are understood, the embodiments of the present invention are easily understood further.
It should be noted that the present invention attempts to describe a computer program with reference to both its static and its dynamic aspects. The so-called static aspect refers to storage objects stored on a medium, such as the program's installation package, files and database; the so-called dynamic aspect refers to dynamic objects that are loaded and executed in memory, including but not limited to processes, threads and the data they use. In view of these characteristics of computer software technology, each method, step, sub-step, device, unit, module and so on of the present invention should not be interpreted in isolation as having only a static or only a dynamic aspect, as those skilled in the art will know. Accordingly, those skilled in the art should be able to map the static statements of the present invention onto dynamic process activity, or map the dynamic process activity of the present invention onto its static form of expression, establish the necessary association between the static and the dynamic sides, and understand the present invention on that basis.
In addition, the present invention is proposed in combination with sandbox principles, so those skilled in the art can understand the embodiments of the present invention with reference to known sandbox implementation principles. The function of a sandbox is to provide a relatively closed running environment for a target application, so that the application's access to system resources is restricted to a prescribed scope through the application of a sandbox security policy. One substantive aspect that the present invention will subsequently disclose is therefore a sandbox example.
Refer first to Fig. 1 to understand a program process hatching control device applying the present invention and the system principle diagram it realizes. The control device includes a control module 12 and a mirror incubator 13, together with the original incubator 10 intrinsic to the system and the activity management service scheduler module 3 (ActivityManagerService, hereinafter AMS) in the system service process 2. The functions and working mechanisms realized by each module are disclosed in detail below:
The control module 12, as an independent process based on the lowest layer of the system, can establish communication based on the Binder mechanism, and can be invoked by the program process through click commands that the user triggers in an interface program; it can also be executed by logging in to the system with adb shell commands. The control module is responsible for setting up the process running environment, and establishes the various relevant connections for that purpose. It can be seen that, given the need to access the bottom layer of the Android system, the control module has relatively complex functions; several aspects that help realize the present invention are listed below. On the one hand, the control module 12 needs, during operation, to construct one or more mirror incubators 13 (StepZygote) using the original incubator 10 (Zygote); on the other hand, it must be responsible for injecting into the system service process the shut-off module that cuts off the Socket connection between the activity management service and the original incubator 10; and on a further hand, the control module 12 must also listen for and receive the requests initiated by the AMS process registered in the system service process 2. Such a request is made by AMS over the connection established on the socket of the original incubator 10 in order to load and run an application, and the control module 12 needs to forward the request to the mirror incubator 13 so that the AMS request is effectively answered. A request initiated by AMS generally includes parameters such as the program's UID and package name; under normal circumstances the incubator returns a process PID for the corresponding request, from which AMS derives the program entry address and is able to load the application. Owing to the controlling action of the control module 12 of the present invention, however, this mechanism is realized by relaying through the control module 12.
Finally, the control module 12 must also determine, for the application that is about to run, the event behaviors that need to be monitored for that application, and configure the monitoring unit accordingly, so that the monitoring unit monitors and raises alarms only for the event behaviors that need monitoring for that application.
As can be seen from the control module 12 shown in Fig. 1, it further comprises a connector 122, a constructor 121 and an authentication unit 123.
The connector 122 is responsible for performing the following functions:
1. Establishing the connection between the control module 12 and the original incubator 10 using the socket of the original incubator 10. This function is performed once the control module 12 is running. After the control module 12 runs, it reads the zygote socket file of the original incubator 10 located under the /dev/socket/ directory; that socket file holds the corresponding socket data with which the connection from the control module 12 to the original incubator 10 is established, so that the constructor 121 can subsequently construct the mirror incubator 13 and other control over the original incubator 10 can be realized.
2. Injecting a shut-off module 120 into the system service process 2 and causing it to execute, so as to close the Socket between AMS and Zygote. Specifically, the module first connects to and is injected into the SystemServer process, obtains the sZygoteSocket member of the android.os.process class, and calls the close method of that member, for example socket.close(), to close the Socket connection between AMS and Zygote; as a result, the connection that the activity management service 3 maintains on the socket of the original incubator 10 is closed. That is, it was mentioned above that AMS communicates directly with Zygote through the socket, but that communication mechanism is switched off here, so that AMS is prevented from communicating directly with the original incubator 10. It should be noted that although, in the present embodiment, the function of injecting the shut-off module 120 into the system service process to close the connection between the activity management service and the original incubator is performed by the connector, those skilled in the art will understand that it can also be performed by a module above the connector 122.
3. Establishing the connection between the control module 12 and the mirror incubator 13 through the socket owned by the mirror incubator 13, so as to transmit the above request to the mirror incubator 13 (StepZygote). After the constructor 121 of the present invention constructs the new incubator, the intrinsic functions of Zygote cause a socket file corresponding to the mirror incubator 13 to be produced under a local directory. This socket file may have the same name as the process title of the mirror incubator 13 (StepZygote) for ease of recognition, though it need not. Likewise, although the socket file can be stored in another local directory, storing it in the /dev/socket directory is recommended for ease of recognition. The connector 122 then reads that socket file and uses the socket to establish communication with the mirror incubator 13 based on the socket mechanism.
By performing the above functions, the connector 122 enables the control module 12 to use the socket of the original incubator 10 to listen for the requests initiated by the activity management service 3 (AMS) process for running an application, and to control the connection ports of the original incubator 10 and the mirror incubator 13. As soon as AMS attempts to establish a connection with the default original incubator 10 (Zygote), the control module 12 receives the request, passes it on demand to the original incubator 10 or the mirror incubator 13, and returns to AMS the required process PID from the corresponding incubator.
As for the constructor 121, it can be seen with reference to the earlier introduction to the ELF infection technique that the function performed by the constructor 121 first copies the executable code of the original incubator 10, then inserts into that executable code a call instruction that realizes an external call, adds, where necessary, program self-checking code for the mirror incubator 13, and finally runs the modified executable code to construct the mirror incubator 13, thereby realizing the function of constructing the mirror incubator 13 from the original incubator 10.
The call instruction referred to here can be implemented flexibly by those skilled in the art, for example as a call to an external function, namely a call to the monitoring unit 130 that the present invention discloses in detail later, so as to realize a sandbox example; specifically, it realizes monitoring of the event behaviors that occur in the process space constructed by the current mirror incubator 13. It will be understood that after the mirror incubator 13 calls the fork function to replicate itself, these external calls and the self-checking code are replicated too; that is, not only the process of the mirror incubator 13 itself but also every process it hatches loads the monitoring unit 130, so that each new process hatched by the mirror incubator 13 amounts to a sandbox environment provided for the corresponding target application, which also realizes the sandbox example of the present invention.
The control module 12 can call the constructor 121 on demand to realize multiple mirror incubators 13 according to the same logic, with the multiple mirror incubators 13 each used to respond to the requests of a different application category, thereby creating multiple safe incubators for the Android system. An attack by an external program on the original incubator 10 will, in theory, have no effect on a mirror incubator 13 built by the control module 12.
The authentication unit 123 is an optional component provided to facilitate system operation and interaction. After the control module 12 receives the request from AMS, the authentication unit 123 extracts application feature information from the request, such as the UID and package name described earlier, and, based on that feature information, checks against known setting data held locally or remotely (for example stored in a local or remote database) whether the application corresponding to the feature information should be limited or prohibited. When it is an application that should be limited or prohibited, the control module 12 is responsible for directing the request to a mirror incubator 13 other than the original incubator 10, or for not forwarding the request to any incubator at all. The known setting data can store the mapping between each UID and a mirror incubator 13, together with information on whether the UID is limited or prohibited. Clearly, providing the authentication unit 123 gives a safer control effect: by configuring the known setting data, and especially when the known setting data can receive timely remote updates, the operation of malicious applications on the mobile terminal can be controlled in time by means of that data.
Taking the authentication unit 123 into account, the control module 12 of the present invention in fact plays the role of a router once it has established socket connections with the other components. The control module 12 therefore needs preset data similar to a routing table. The preset data may be consistent with the known setting data of the authentication unit 123 described above, or may be independent of it; in the latter case the authentication unit 123 becomes the basis on which the control module 12 realizes its routing function, which is particularly suitable where there are multiple mirror incubators 13. In some simpler examples, for instance, only a user instruction collected through the user interface provided by the desktop terminal is used: the user selects that the target application about to run is to be placed in a sandbox, meaning the application is to run in a process space hatched by the mirror incubator 13. In that case the preset data can be understood as a parameter set for the target application to be run, and by obtaining that parameter the control module 12 can determine that the request corresponding to the target application is to be handed to the mirror incubator 13 rather than the original incubator 10, so that the process space of the target application is constructed by the mirror incubator 13 and the target application is loaded and run there. Similarly, if the user selects non-sandbox operation through the user interface provided by the desktop module, the control module 12 can be understood as handing the request to the original incubator 10, so that the target application is run by the original incubator 10.
From the above analysis it can be seen that the way one or more mirror incubators 13 and the original incubator 10 are used can follow a security policy provided by the program or depend on the user's on-demand selection; it can be realized with database technology or in the form of parameters; and it can realize only a scheduling instance between a single mirror incubator 13 and the original incubator 10, or a scheduling instance in which multiple mirror incubators 13 coexist with the original incubator 10. In any case, the control module 12 of the present invention achieves effective control and scheduling of process hatching.
As stated earlier, because the present invention duplicates Zygote using the ELF infection principle to construct the mirror incubator 13, the known and inherent operating mechanisms of Zygote are not changed, and so the mirror incubator 13 produced under the control of the control module 12 still, according to the implementation mechanism of the original incubator 10, hatches a new process in response to the request relayed by the control module 12 and answers the request with the process PID. Upon obtaining the process PID, AMS loads the target application to be run into the corresponding process space and runs it. It can be seen that if a mirror incubator 13 crashes, or a process hatched by a mirror incubator 13 dies, this has no effect on the original incubator 10 and its associated processes, and vice versa. Hence the safe process hatching control device of the present invention realizes a safer process hatching mechanism.
To illustrate the detailed implementation of the program process hatching control device of the present invention, refer to Fig. 2: in combination with the operating mechanism above, the present invention provides a program process hatching control method. The method includes the following steps:
S11: inject the shut-off module 120 into the system service process 2.
The program realized by the method, once running and on the premise that Root authority has been obtained, uses known injection methods to inject the shut-off module 120 of the present invention into the system service process SystemServer 2. This part includes both the shared library file libbinder.so mentioned earlier and the modification of the address table and the like, that is, all the operations that facilitate a successful injection, in order to close the Socket connection between AMS and Zygote.
S12: construct the mirror incubator 13 from the original incubator 10 by means of the control module 12.
It should be noted that the order in which this step and some of the sub-steps of step S13 are performed can be adjusted according to the actual situation.
This step is essentially the sequential execution of the functions realized by the constructor 121 in the device described above, and serves to obtain a mirror incubator 13 on demand; that demand is determined by the control module 12 according to the known setting data and/or preset data described above, or construction is forced automatically according to a default rule. With reference to the functions of the constructor 121 and to Fig. 3, this step can be subdivided into the following sub-steps:
S121: copy the executable code of the original incubator Zygote 10;
S122: insert into the executable code a call instruction that realizes an external call; depending on the embodiment, the call instruction calls the monitoring unit 130 that realizes the sandbox example of the present invention, and the monitoring unit 130 is used to monitor the event behaviors in the process space hatched by the constructed mirror incubator 13;
S123: insert into the executable code the code that can be used to realize program self-checking of the mirror incubator StepZygote 13, so that the mirror incubator 13 is difficult to attack;
S124: run the modified executable code so that the mirror incubator 13 is successfully constructed and stands by to hatch new processes for the requests of the activity management service ActivityManagerService 3.
Those skilled in the art will appreciate that in the present invention step S12 constructs the mirror incubator 13 on the basis of the original incubator 10, but the number of mirror incubators 13 is not restricted to one: in theory the number of mirror incubators 13 that can be spawned is limited only by memory space, and multiple mirror incubators 13 of the same nature can be copied, provided that the control module 12 effectively schedules the multiple such mirror incubators 13 as disclosed herein.
It should be emphasized that steps S122 and S123 above can be realized in either order.
S13: receive, by means of the control module 12, the request initiated by the activity management service 3 (process) registered in the system service process 2 for running an application, and pass it to the mirror incubator 13.
As can be seen from the earlier description of the device, after the present invention has injected into the system service process SystemServer 2, the control module 12 can erect a new system architecture; refer to Fig. 4, whose build process follows the sub-steps below:
S131: the control module 12 establishes a connection with the original incubator 10 using the socket of the original incubator 10.
As addressed above, the socket file /dev/socket/zygote of the original incubator Zygote 10 is the basis for establishing the socket connection. In this step the control module 12 reads that socket file and establishes the connection with the original incubator 10. It may therefore be preferable to perform step S12 above after this sub-step, which better matches the program's implementation logic.
S132: execute the shut-off module 120 to close the connection that the activity management service 3 (process) maintains on the socket of the original incubator 10.
As can be seen from the above, the AMS process maintains its socket connection with the original incubator Zygote 10. In this step, the shut-off module 120 injected into the systemserver process obtains the sZygoteSocket member of the android.os.process class and calls the close method of that member, such as socket.close(), to close the socket connection between AMS and Zygote, so that the original incubator 10 can no longer respond directly to AMS's process hatching requests and greater control is obtained. It can be seen that step S11 above should be implemented before step S132: S11 can be placed between S131 and S132, or step S132 can be placed immediately after step S11. Those skilled in the art can accordingly derive multiple embodiments of the present invention.
S133: listen, using the socket of the original incubator 10, for the requests initiated by the activity management service 3 for running an application process.
In the preceding steps, the construction of the mirror incubator 13 has already been realized under the control of the control module 12; therefore, according to the logic by which init creates Zygote, the mirror incubator StepZygote 13 creates the socket file /dev/socket/stepzygote. Of course the socket file may be stored elsewhere locally, and need not have the same name as the process title of the mirror incubator 13. In this step the control module 12 establishes a connection with the socket of the mirror incubator 13 through that socket file, and at the same time begins listening on the socket of the original incubator 10 so as to monitor the process hatching requests initiated by AMS, which the control module 12 subsequently relays to the original incubator 10 or the mirror incubator 13.
Through the above sub-steps of this step, the control module 12 realizes the building of the new system architecture. To achieve more intelligent management, the control module 12 also realizes a function similar to routing. Specifically, when the control module 12 receives the request initiated by AMS, it must judge which kind of incubator to send the request to, and the logic underlying that judgement can have many embodiments. The preset data and known setting data, together with their related auxiliary logic, already given in the earlier disclosure of the hatching control device of the present invention, are the basis on which the method performs this.
To realize this routing-like control function, the control module 12 processes the AMS request it has listened to as follows:
After the control module 12 receives the request from AMS, it extracts application feature information, such as the UID and package name described earlier, from the request, and based on that feature information checks against the known setting data held locally or remotely (for example stored in a local or remote database) whether the application corresponding to the feature information should be limited or prohibited. When it is an application that should be limited or prohibited, the control module 12 is responsible for directing the request to a mirror incubator 13 other than the original incubator 10, or for not forwarding the request to any incubator. The known setting data can store the mapping between each UID and a mirror incubator 13, together with information on whether the UID is limited or prohibited. Clearly, this processing by the control module 12 can provide a safer and more effective control and management effect: by configuring the known setting data, and especially when the known setting data can receive timely remote updates, the operation of malicious applications on the mobile terminal can be controlled in time by means of such data.
After establishing socket connections with the other components, the control module 12 of the present invention is in fact already playing the role of a router. The control module 12 therefore needs preset data similar to a routing table. This preset data may be consistent with the known setting data described above, may even be merged with it into one, or may be independent; in the latter case the related data becomes the basis on which the control module 12 realizes its routing function, which is particularly suitable where there are multiple mirror incubators 13. In some simpler examples, for instance, only a user instruction collected through the user interface provided by a desktop module is used: the user selects that the target application about to run is to be placed in a sandbox, meaning the application is to run in a process space hatched by the mirror incubator 13. In that case the preset data can be characterized by the user instruction as a parameter set for the target application to be run, and by obtaining that parameter the control module 12 can determine that the request corresponding to the target application is to be handed to the mirror incubator 13 rather than the original incubator 10, so that the process space of the target application is constructed by the mirror incubator 13 and the target application is loaded and run there. Similarly, if the user selects non-sandbox operation through the user interface provided by the desktop terminal, the control module 12 can be understood as handing the request to the original incubator 10, so that the target application is run by the original incubator 10.
From the above analysis it can be seen that the way one or more mirror incubators 13 and the original incubator 10 are used can follow a security policy provided by the program or depend on the user's on-demand selection; it can be realized with database technology or in the form of parameters; and it can realize only a scheduling instance between a single mirror incubator 13 and the original incubator 10, or a scheduling instance in which multiple mirror incubators 13 coexist with the original incubator 10. In any case, the control module 12 of the present invention achieves effective control and scheduling of process hatching.
S14: hatch a new process by means of the mirror incubator 13 in response to the request.
As stated earlier, under the control of the control module 12, once the control module 12 has relayed the AMS request its relay target is determined: if the request is not handed to the system's original incubator 10, it is directed to a mirror incubator 13 constructed by the present invention. It should be noted that the relaying referred to here includes not only instructions that are consistent in form and construction with the original request initiated by AMS, but also instructions that the control module 12 has processed and converted according to the rules established by the protocol of the mirror incubator 13 (for example by inserting relevant code into the executable code when constructing the mirror incubator 13), which the mirror incubator 13 can read according to that protocol.
After the mirror incubator 13 receives the request from AMS relayed by the control module 12, it copies a new process using its fork() function according to the intrinsic mechanism it inherits from the original incubator Zygote 10, and returns the process PID to AMS.
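The routing described in step S13 and the fork-and-return-PID behavior of step S14 can be shown together in a single simulation. The following is an added example written for this page, not code from the patent or any product: a control module that parses an incubator request, consults the "known setting data" (UID to mirror incubator mapping, limited and prohibited UIDs) and the user's per-application preset (sandbox or normal), and relays the request to the original incubator, to a mirror incubator, or to none; each incubator answers with a real PID obtained from fork(). The wire format (a count line followed by one argument per line with --setuid= and --nice-name=) is only modeled on Zygote's argument style, and the names HatchRequest, KnownSettings, ControlModule, route() and relay() are invented for this illustration; all configuration values are constructed.

```python
"""Constructed example: control module 12 as a router between incubators.

Not code from the patent. The request format and every name below are
assumptions made for this illustration only.
"""
import os
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class HatchRequest:
    uid: int
    package: str


def parse_request(wire: str) -> HatchRequest:
    """Extract UID and package name from a constructed, Zygote-style request:
    first line is the argument count, then one argument per line."""
    lines = wire.strip().split("\n")
    count = int(lines[0])
    args = lines[1:]
    if len(args) != count:
        raise ValueError("argument count does not match request body")
    uid = package = None
    for arg in args:
        if arg.startswith("--setuid="):
            uid = int(arg[len("--setuid="):])
        elif arg.startswith("--nice-name="):
            package = arg[len("--nice-name="):]
    if uid is None or package is None:
        raise ValueError("request lacks --setuid or --nice-name")
    return HatchRequest(uid, package)


class Incubator:
    """Stand-in for Zygote (original) or StepZygote (mirror): hatches a child
    with fork() and answers with the child's PID, as the incubators do."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.hatched: list[tuple[int, str]] = []

    def hatch(self, req: HatchRequest) -> int:
        pid = os.fork()
        if pid == 0:
            # Child: a real incubator would load the target application here.
            os._exit(0)
        os.waitpid(pid, 0)  # reaped at once so the example leaves no zombies
        self.hatched.append((pid, req.package))
        return pid


@dataclass
class KnownSettings:
    """'Known setting data': UID -> mirror incubator, plus limited/prohibited UIDs."""
    uid_to_mirror: dict[int, str] = field(default_factory=dict)
    limited: set[int] = field(default_factory=set)      # forced into a sandbox
    prohibited: set[int] = field(default_factory=set)   # never hatched at all


class ControlModule:
    """Routing-table role of the control module between the incubators."""

    def __init__(self, original: Incubator, mirrors: list[Incubator],
                 settings: KnownSettings, presets: dict[str, str]) -> None:
        self.original = original
        self.mirrors = {m.name: m for m in mirrors}
        self.default_mirror = mirrors[0].name
        self.settings = settings
        self.presets = presets  # package -> "sandbox" | "normal" (user's choice)

    def route(self, req: HatchRequest) -> Optional[str]:
        """Decide the relay target; None means the request is dropped."""
        if req.uid in self.settings.prohibited:
            return None
        mirror = self.settings.uid_to_mirror.get(req.uid)
        if mirror in self.mirrors:
            return mirror
        if req.uid in self.settings.limited or self.presets.get(req.package) == "sandbox":
            return self.default_mirror
        return self.original.name

    def relay(self, wire: str) -> tuple[Optional[str], Optional[int]]:
        """Parse an AMS request, relay it to the chosen incubator, return (target, pid)."""
        req = parse_request(wire)
        target = self.route(req)
        if target is None:
            return None, None
        incubator = self.original if target == self.original.name else self.mirrors[target]
        return target, incubator.hatch(req)


def build_demo() -> ControlModule:
    """Constructed sample configuration: two mirror incubators and a few UIDs."""
    settings = KnownSettings(uid_to_mirror={10200: "StepZygote-games"},
                             limited={10150}, prohibited={10666})
    presets = {"com.example.takeout": "sandbox", "com.example.notes": "normal"}
    return ControlModule(Incubator("Zygote"),
                         [Incubator("StepZygote"), Incubator("StepZygote-games")],
                         settings, presets)


if __name__ == "__main__":
    cm = build_demo()
    for wire in ("2\n--setuid=10050\n--nice-name=com.example.takeout",
                 "2\n--setuid=10666\n--nice-name=com.example.bad"):
        print(cm.relay(wire))
```

The precedence in route() is the point worth noticing: a prohibited UID is dropped before any mapping is consulted, an explicit UID-to-mirror mapping wins over the user's preset, and the user's sandbox choice only decides between the default mirror and the original incubator. A request that is dropped never reaches fork(), which is the "not forwarding to any incubator" case in the text.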
Step S15: determine, according to the attribute information of the application to be run, the event behaviors that need to be monitored for that application, and configure the monitoring unit so that, when the monitoring unit runs, the determined event behaviors are monitored.
Specifically, the event behaviors that need to be monitored for an application to be run can be determined in several ways. For example, the event behaviors that the application is allowed to perform can first be determined according to the type of the application to be run, and a corresponding whitelist of event behaviors generated; the whitelist is then imported into the monitoring unit, and the monitoring unit monitors behavior events outside the whitelist. For instance, for a certain O2O food delivery application, the event behaviors it is normally allowed to perform include calling location information and identifying the phone number, while it would not normally be allowed to perform event behaviors such as reading the address book or reading the call log; so in practice the whitelist of event behaviors that the O2O food delivery application is allowed to perform can be set as calling location information and identifying the phone number, without allowing it to read the address book, read the call log and so on.
Further, before the whitelist is imported into the monitoring unit 130, the whitelist can first be presented to the user through an interactive interface, updated according to the user's operations, and the updated whitelist then imported into the monitoring unit 130. Specifically, the interactive interface here can be an editable interface in which the user can delete or add corresponding event behaviors (in general the user may only be allowed to delete event behaviors); if the user performs such an edit operation, the whitelist is updated, and if not, the whitelist is imported directly into the corresponding monitoring unit 130. In this way, which event behaviors need no monitoring can be determined in combination with the user's wishes, which helps improve the user experience.
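The whitelist flow of step S15, as an added example written for this page rather than code from the patent: the whitelist is derived from the application type, optionally trimmed by the user (additions are refused, since the text says the user should generally only be allowed to delete), then imported into a monitoring unit that lets whitelisted behaviors pass and records an alarm for every other behavior. The application types, event names and the helper names build_whitelist, apply_user_edits, MonitoringUnit and monitor_app are assumptions made for this illustration, and the behavior trace is constructed.

```python
"""Constructed example: event-behavior whitelist for the monitoring unit.

Not code from the patent; application types, event names and helper
names are assumptions for this illustration.
"""
from dataclasses import dataclass, field

# Constructed policy: event behaviors each application type may perform.
APP_TYPE_WHITELISTS = {
    "o2o_takeout": {"call_location_info", "identify_phone_number"},
    "messaging": {"read_address_book", "identify_phone_number"},
}


def build_whitelist(app_type: str) -> set[str]:
    """Step one: derive the allowed event behaviors from the application type."""
    if app_type not in APP_TYPE_WHITELISTS:
        raise ValueError(f"no whitelist policy for application type {app_type!r}")
    return set(APP_TYPE_WHITELISTS[app_type])


def apply_user_edits(whitelist: set[str], deletions=(), additions=()) -> set[str]:
    """Step two: the user trims the whitelist through the interactive interface.
    Deletions are honoured; additions are refused because the user may only
    remove behaviors, never widen what goes unmonitored."""
    if additions:
        raise PermissionError("user may only delete event behaviors, not add them")
    edited = set(whitelist)
    edited.difference_update(deletions)
    return edited


@dataclass
class MonitoringUnit:
    """Monitoring unit loaded into the hatched process: alarms on behaviors
    outside the imported whitelist."""
    whitelist: set[str]
    alarms: list[str] = field(default_factory=list)

    def observe(self, event: str) -> bool:
        """Return True if the event is permitted; record an alarm otherwise."""
        if event in self.whitelist:
            return True
        self.alarms.append(event)
        return False


def monitor_app(app_type: str, events, deletions=()) -> list[str]:
    """Whole flow: build, trim, import, monitor; returns the alarmed events in order."""
    unit = MonitoringUnit(apply_user_edits(build_whitelist(app_type), deletions))
    for event in events:
        unit.observe(event)
    return unit.alarms


if __name__ == "__main__":
    # Constructed sample trace of a takeout app's behaviors.
    trace = ["call_location_info", "read_address_book",
             "identify_phone_number", "read_call_log"]
    print(monitor_app("o2o_takeout", trace))
    # The user removed phone-number identification from the whitelist.
    print(monitor_app("o2o_takeout", trace, deletions=["identify_phone_number"]))
```

An unknown application type raises rather than falling back to an empty whitelist, so a misclassified application cannot silently run with everything alarmed or, worse, with nothing configured; which of the two defaults is safer is a policy choice the text leaves open.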
Thereafter, the new process produced in step S14 is responsible for loading the monitoring unit 130 pre-placed at the interface during construction of the mirror incubator 13, and for configuring the virtual machine instance for running the target application for which the request was initiated.
After AMS obtains the process entry, it loads the target application into the process space of the new process so that the target application runs successfully. When the target application stops running, the system reclaims the virtual machine space according to its own mechanism.
As described above, the program process hatching control method provided by the present invention can provide a safer protection effect for applications.
It can be seen that the disclosure above of the program process hatching control method and device of the present invention focuses on their realization at the system level. The present invention will further highlight, through other embodiments, its embodiment at the application layer. It should be appreciated that, being based on the same inventive concept, the ideas employed in the method and device disclosed above also apply to the method and device below.
Referring to Fig. 1, the present invention further provides a safety protection device, including a control module 12, a mirror incubator 13 and a monitoring unit 130.
The control module 12, with reference to Fig. 1, specifically includes a connector 122 and a constructor 121, and may further include an authentication unit 123. The connector 122 is used to maintain the socket-based connections of the control module 12, so as to realize the connections between the control module 12 and, respectively, the original incubator 10 and the mirror incubator 13; the constructor 121 is used to construct the mirror incubator 13 based on the original incubator 10; and the authentication unit 123 is used to determine, according to the known setting data, whether to satisfy the request initiated by the activity management service 3 (process). In an example that realizes only one mirror incubator 13 and by default has that mirror incubator 13 hatch new processes for all applications, the authentication unit 123 can obviously be omitted.
The control module 12 injects a shut-off module 120 into the system service process SystemServer 2 by the method disclosed above; the injection of the shut-off module 120 can be invoked and carried out by the connector 122 of the control module 12. The control module 12, as an independent process based on the bottom layer of the system, can establish communication based on the Binder mechanism; it can be triggered by a user's click command through the interface program and invoked by the program process, or it can be executed after logging into the system through adb shell commands. The control module is responsible for establishing the process running environment and for setting up the various connections this requires. Because it needs access to the bottom layer of the Android system, the control module has relatively complex functions; the aspects that help realize the invention are listed below. First, it must construct at run time, using the original incubator 10 (Zygote), one or more mirror incubators 13 (StepZygote). Second, it must inject the shut-off module into the system service process so as to cut off the socket connection between the activity management service and the original incubator 10. Third, the control module 12 must listen for and receive the requests initiated by the AMS process registered with the system service process 2; these are the requests that AMS makes, over the connection it established on the socket of the original incubator 10, in order to load and run an application program. The control module 12 needs to forward such a request to the mirror incubator 13 so that the request of AMS is effectively responded to. A request initiated by AMS generally carries parameters such as the program's UID and package name; normally the incubator returns a process PID for the request, from which AMS derives the program entry address and is able to load the application program. Because of the controlling action of the control module 12 of the invention, this mechanism is instead realized by relaying through the control module 12. Finally, the control module 12 also performs the following according to the method described earlier: determining, from the attribute information of the application program to be run, the event behaviors that need to be monitored for that application, and configuring the monitoring unit, when the monitoring unit runs, to monitor the identified event behaviors.
Specifically, the event behaviors that need to be monitored for an application program to be run can be determined in several ways. For example, the event behaviors that the application program to be run is permitted to perform can first be determined from its type, and a corresponding white list of event behaviors generated; the white list is then imported into the monitoring unit, and the monitoring unit monitors the behavior events outside the white list. Take, for instance, an O2O food-delivery application: under normal circumstances the event behaviors it is permitted to perform may include invoking location information and identifying the mobile phone number, whereas it would not normally be permitted to read the address book or read the call log. In practice, therefore, the white list of event behaviors that this food-delivery application is permitted to perform can be set to invoking location information and identifying the mobile phone number, without permitting it to perform event behaviors such as reading the address book or reading the call log.
Further, before the white list is imported into the monitoring unit 130, it can first be presented to the user through an interactive interface and updated according to the user's operations, and the updated white list is then imported into the monitoring unit 130. Specifically, the interactive interface here can be an editable interface in which the user can delete or add the corresponding event behaviors (generally the user is only allowed to delete event behaviors). If the user performs such an edit, the white list is updated; if not, the white list is imported directly into the corresponding monitoring unit 130. In this way the user's wishes can be taken into account in deciding which event behaviors need no monitoring, which helps improve the user experience.
The connector 122 is responsible for performing the following functions:
1. Establishing the connection between the control module 12 and the original incubator 10 using the socket of the original incubator 10. This function is performed once the control module 12 is running. After the control module 12 starts, it reads the zygote socket file of the original incubator 10 located under the /dev/socket/ directory; this socket file carries the socket data needed to establish the connection between the control module 12 and the original incubator 10, so that the mirror incubator 13 can subsequently be constructed through the constructor 121 and other control over the original incubator 10 realized.
2. Injecting a shut-off module 120 into the system service process 2 and causing it to execute, so as to close the socket between AMS and Zygote. Specifically, the connector first connects to and injects into the SystemServer process, obtains the sZygoteSocket member of the android.os.Process class, and calls that member's close method, for example socket.close(), thereby shutting off the socket connection between AMS and Zygote. The connection that the activity management service 3 maintains on the socket of the original incubator 10 is thus closed. That is, AMS, which as mentioned above communicates directly with Zygote through this socket, has this communication mechanism shut off here, so that AMS is prevented from communicating directly with the original incubator 10.
3. Establishing the connection between the control module 12 and the mirror incubator 13 through the socket owned by the mirror incubator 13, in order to forward the request to the mirror incubator 13 (StepZygote). After the constructor 121 of the invention has constructed the new incubator, a socket file corresponding to the mirror incubator 13 is produced under a local directory according to the intrinsic functions of Zygote. This socket file can be given the same name as the process name of the mirror incubator 13 (StepZygote) for ease of identification, although it need not be. Likewise, although this socket file can be stored under another local directory, it is recommended to store it under the /dev/socket directory for ease of identification. The connector 122 then reads this socket file and uses the socket to establish socket-based communication with the mirror incubator 13.
By performing the above functions, the connector 122 enables the control module 12 to use the socket of the original incubator 10 to listen for the requests that the activity management service 3 (AMS) process initiates in order to run application programs, and to control the connection ports of the original incubator 10 and the mirror incubator 13. Whenever AMS attempts to establish a connection with the default original incubator 10 (Zygote), the control module 12 receives the request, passes it on demand to the original incubator 10 or the mirror incubator 13, and returns to AMS the required process PID from the corresponding incubator.
As for the constructor 121, it will be appreciated from the earlier introduction to the ELF infection technique that, among the functions performed by the constructor 121, the executable code of the original incubator 10 is first copied; a call instruction realizing an external call is then inserted into the executable code; program self-check code for the mirror incubator 13 is added if necessary; and finally the modified executable code is run to construct the mirror incubator 13. In this way the function of constructing the mirror incubator 13 from the original incubator 10 is realized. The call instruction referred to here can be realized flexibly by those skilled in the art, for example as a call to an external function, namely a call to the monitoring unit 130 of the present device, so as to assist in realizing a sandbox instance; specifically, it realizes the monitoring of the event behaviors occurring in the process space constructed by the current mirror incubator 13.
It should be understood that after the mirror incubator 13 calls the fork function to replicate itself, these external calls and the self-check code are replicated as well. That is, not only the process of the mirror incubator 13 itself but also the processes it hatches load the monitoring unit 130, so that each new process hatched by the mirror incubator 13 provides a sandbox running environment for the corresponding target application.
In theory, the control module 12 can call the constructor 121 on demand to realize, by the same logic, multiple mirror incubators 13, each responding to the requests of a different class of application program, thereby creating multiple secure incubators for the Android system. In theory, an attack by an external program on the original incubator 10 does not affect the mirror incubators 13 built by the control module 12.
The authentication unit 123 is an optional component provided for ease of system operation and interaction. After the control module 12 receives the request from AMS, the authentication unit 123 extracts the application's feature information from the request, such as the UID and package name described earlier, and checks that feature information against known setting data held locally or remotely (for example in a local or remote database) to decide whether the corresponding application program should be restricted or prohibited. When the application program should be restricted or prohibited, the control module 12 forwards the request to a mirror incubator 13 other than the original incubator 10, or does not forward the request to any incubator at all. The known setting data can store the mapping between each UID and a mirror incubator 13, together with information on whether the UID is restricted or prohibited.
Obviously, providing the authentication unit 123 affords safer control: by configuring the known setting data, and especially when that data can be updated promptly from a remote source, the data can be used to control the running of malicious applications on the mobile terminal in a timely manner.
In view of the authentication unit 123, the control module 12 of the invention, once it has established socket connections with the other components, actually plays the role of a router. The control module 12 therefore needs pre-set data resembling a routing table. This pre-set data can either coincide with the known setting data of the authentication unit 123 or be independent of it; in the former case the authentication unit 123 becomes the basis on which the control module 12 realizes its routing function, which is particularly suitable when there are multiple mirror incubators 13. In some simple examples, for instance those relying only on user commands collected through the user interface provided by the desk module described later, the user chooses to run the selected target application in a sandbox, which means placing the application in a process space hatched by the mirror incubator 13. In that case the pre-set data can be understood as a parameter set for the target application to be run: by obtaining this parameter, the control module 12 determines that the request corresponding to that target application is to be handed to the mirror incubator 13 rather than the original incubator 10, so that the target application is loaded and run in the process space constructed by the mirror incubator 13. Similarly, if the user selects non-sandboxed running in the user interface provided by the desk module, the control module 12 understands that the request is to be handed to the original incubator 10, so that the target application is run by the original incubator 10.
From the above analysis it can be seen that the use of one or more mirror incubators 13 alongside the original incubator 10 can follow the security policy provided by the program or depend on the user's choice; it can be realized with database technology or in the form of parameters; and it can be a scheduling instance between a single mirror incubator 13 and the original incubator 10 or a scheduling instance in which multiple mirror incubators 13 coexist with the original incubator 10. In every case, the control module 12 of the invention achieves effective control and scheduling of process hatching.
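The relay path described above, from the request that AMS writes to the incubator socket to the routing decision of the control module, can be made concrete. The following C program is an added example and is not code from the patent or from Android. It frames a spawn request the way android.os.Process writes it to the zygote socket (one line carrying the argument count, then one argument per line; the reply is a 4-byte big-endian pid followed by one boolean byte), which is this editor's understanding of the Android 4.x wire format and is an assumption here, and routes the decoded request against a UID table standing in for the known setting data. The package name, UIDs and table contents are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not code from the patent. Frames an AMS spawn request the way
 * android.os.Process writes it to the incubator socket (assumed 4.x format:
 * "<argc>\n" then one argument per line) and makes the control module's routing
 * decision. The route table and the request are constructed. */

enum route { ROUTE_ORIGINAL, ROUTE_MIRROR, ROUTE_DENY };

struct route_entry { int uid; enum route target; };

/* Hypothetical "known setting data": UID -> incubator, plus a default for UIDs
 * that have no entry. */
struct route_table { const struct route_entry *entries; size_t n; enum route dflt; };

/* Frame a request: "<argc>\n" then "<arg>\n" per argument. The framing is line
 * based, so an argument containing '\n' is rejected (-1). Returns bytes written. */
int zygote_encode_request(const char *const *args, size_t argc, char *out, size_t cap) {
    int n = snprintf(out, cap, "%zu\n", argc);
    if (n < 0 || (size_t)n >= cap) return -1;
    size_t used = (size_t)n;
    for (size_t i = 0; i < argc; i++) {
        if (strchr(args[i], '\n')) return -1;
        int m = snprintf(out + used, cap - used, "%s\n", args[i]);
        if (m < 0 || used + (size_t)m >= cap) return -1;
        used += (size_t)m;
    }
    return (int)used;
}

/* Split one framed request into argv pointers into buf (newlines become NULs,
 * so buf is modified). Returns argc, or -1 if the frame is malformed. */
int zygote_decode_request(char *buf, const char **argv, size_t max_argv) {
    char *p = buf, *nl = strchr(p, '\n');
    if (!nl) return -1;
    *nl = '\0';
    long argc = strtol(p, NULL, 10);
    if (argc < 0 || (size_t)argc > max_argv) return -1;
    p = nl + 1;
    for (long i = 0; i < argc; i++) {
        nl = strchr(p, '\n');
        if (!nl) return -1;
        *nl = '\0';
        argv[i] = p;
        p = nl + 1;
    }
    return (int)argc;
}

/* The UID from a "--setuid=<n>" argument, or -1 when the request has none. */
int zygote_request_uid(const char **argv, int argc) {
    for (int i = 0; i < argc; i++)
        if (strncmp(argv[i], "--setuid=", 9) == 0) return atoi(argv[i] + 9);
    return -1;
}

/* Routing decision of the control module: a table hit selects the incubator
 * (or denies the request); a miss takes the table's default. */
enum route route_request(const struct route_table *t, const char **argv, int argc) {
    int uid = zygote_request_uid(argv, argc);
    for (size_t i = 0; i < t->n; i++)
        if (t->entries[i].uid == uid) return t->entries[i].target;
    return t->dflt;
}

/* Incubator reply: 4-byte big-endian pid, then one boolean byte (wrapper used).
 * Returns the pid; a negative pid means the spawn failed, and a truncated reply
 * also yields -1. */
int32_t zygote_decode_reply(const uint8_t *buf, size_t len, int *wrapper) {
    if (len < 5) return -1;
    int32_t pid = (int32_t)(((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                            ((uint32_t)buf[2] << 8) | (uint32_t)buf[3]);
    if (wrapper) *wrapper = buf[4] != 0;
    return pid;
}

/* End to end: frame a constructed request for `uid`, decode it as the control
 * module would after reading it from the zygote socket, and route it against a
 * constructed table (10050 sandboxed, 10051 prohibited, all others original). */
enum route route_demo(int uid) {
    char uid_arg[32];
    snprintf(uid_arg, sizeof uid_arg, "--setuid=%d", uid);
    const char *args[] = {"--runtime-init", uid_arg, "--nice-name=com.example.takeout",
                          "android.app.ActivityThread"};
    char frame[256];
    if (zygote_encode_request(args, 4, frame, sizeof frame) < 0) return ROUTE_DENY;
    const char *argv[8];
    int argc = zygote_decode_request(frame, argv, 8);
    if (argc < 0) return ROUTE_DENY;
    static const struct route_entry entries[] = {{10050, ROUTE_MIRROR}, {10051, ROUTE_DENY}};
    struct route_table table = {entries, 2, ROUTE_ORIGINAL};
    return route_request(&table, argv, argc);
}

int main(void) {
    static const char *const names[] = {"original incubator", "mirror incubator", "denied"};
    printf("uid 10050 -> %s\n", names[route_demo(10050)]);
    printf("uid 10051 -> %s\n", names[route_demo(10051)]);
    printf("uid 1000  -> %s\n", names[route_demo(1000)]);
    return 0;
}
```

In the device, the encoded frame is what the connector reads from the original incubator's socket and writes unchanged to the mirror incubator's socket; a frame that fails to decode cannot be attributed to a UID and should be dropped rather than relayed to any incubator.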
The mirror incubator 13 hatches a process environment by itself and loads the monitoring unit 130 and the program to be run into that process environment. The mirror incubator 13 is constructed by the control module 12, which duplicates Zygote on the principle of ELF infection; in this case the intrinsic, known operating mechanism of Zygote is not changed. Therefore the mirror incubator 13 produced under the control of the control module 12 still operates by the mechanism of the original incubator 10: it responds to the requests relayed by the control module 12, hatches a new process, and answers the request with the process PID. AMS obtains the process PID and loads the target application to be run into the corresponding process space, where the target application runs. It can be seen that a crash of a mirror incubator 13, or the death of a process hatched by a mirror incubator 13, has no effect on the original incubator 10 and its associated processes, and vice versa. And because the control module 12 has inserted into the mirror incubator 13 an instruction that calls the monitoring unit 130, the monitoring unit 130 is loaded in advance, before the target application runs, and begins monitoring the event behaviors occurring in the process in which it resides; the event behaviors of the target application that runs afterwards are thereby monitored.
The monitoring unit 130, as stated earlier, is loaded prior to the target application. The monitoring unit 130 is the implementer of the sandbox running environment. It uses hook technology and is made up of a number of hook plug-ins; each hook plug-in uses a hook function to monitor the entry of a related call instruction in the target application, intercepts that call instruction, and diverts execution to the corresponding hook function, which responds to the call instruction according to the sandbox's internal logic, thereby achieving the monitoring of event behaviors.
It should be added here that the term "hook" covers techniques that change or augment the behavior of an operating system, application program or other software component by intercepting function calls, messages or events passed between software components. The code that handles such an intercepted function call, event or message is accordingly called a hook function. Hooks serve various purposes, including debugging functions and extending them. Examples include intercepting keyboard or mouse events before they are delivered to an application program, or hooking system calls to monitor or change the functions of an application program or other components. This embodiment can use hook functions to take over the installation and self-check operations required when the application program runs.
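To show the hook mechanism the monitoring unit relies on, together with the white list described earlier for the control module (the food-delivery example, with location and phone-number access permitted and address-book and call-log access outside the list), here is an added C example; it is not the patent's monitoring unit nor any of its hook plug-ins. The framework entry points are replaced by a function-pointer table and the four event behaviors by constructed stub functions; a real hook plug-in would patch a PLT/GOT entry or a function prologue instead, but the control flow (interception, white-list check, fall-through to the original entry) is the same. The bit-set representation of the white list and the success codes are assumptions of this example.

```c
#include <stdio.h>

/* Added example, not code from the patent. A function-pointer table stands in
 * for the framework entry points the target application calls; the monitor
 * replaces each entry with a trampoline that consults the white list before
 * letting the original entry run. Event names follow the patent's food-delivery
 * example; the stubs and success codes are constructed. */

enum event_kind { EV_GET_LOCATION, EV_READ_PHONE_NUMBER, EV_READ_CONTACTS, EV_READ_CALL_LOG, EV_COUNT };

static const char *const event_names[EV_COUNT] = {
    "get_location", "read_phone_number", "read_contacts", "read_call_log"};

/* White list as a bit set: bit `ev` set means the behavior is permitted. */
typedef unsigned whitelist_t;
#define WL(ev) (1u << (ev))

/* The user may narrow the white list but not widen it (the patent generally lets
 * the user delete entries only). Returns 0 on success, -1 if the requested list
 * would add a behavior that is not already permitted. */
int whitelist_user_edit(whitelist_t *wl, whitelist_t requested) {
    if (requested & ~*wl) return -1;
    *wl = requested;
    return 0;
}

/* Entry points the application calls; real ones would be framework or libc
 * functions. They return 1 to signal that the behavior went through. */
typedef int (*api_fn)(void);
static int real_get_location(void)      { return 1; }
static int real_read_phone_number(void) { return 1; }
static int real_read_contacts(void)     { return 1; }
static int real_read_call_log(void)     { return 1; }

static api_fn api[EV_COUNT] = {
    real_get_location, real_read_phone_number, real_read_contacts, real_read_call_log};

/* Hook state: saved originals, the active white list, an audit counter. */
static api_fn original[EV_COUNT];
static whitelist_t active_wl;
static int blocked_count;
static int installed;

/* Common hook body: behaviors outside the white list are blocked (-1, logged);
 * permitted ones fall through to the saved original entry. */
static int hooked(enum event_kind ev) {
    if (!(active_wl & WL(ev))) {
        blocked_count++;
        printf("monitor: blocked %s\n", event_names[ev]);
        return -1;
    }
    return original[ev]();
}
static int hook_get_location(void)      { return hooked(EV_GET_LOCATION); }
static int hook_read_phone_number(void) { return hooked(EV_READ_PHONE_NUMBER); }
static int hook_read_contacts(void)     { return hooked(EV_READ_CONTACTS); }
static int hook_read_call_log(void)     { return hooked(EV_READ_CALL_LOG); }

/* Install the monitor: save the originals once and redirect the table to the
 * trampolines. Installing again only replaces the white list and resets the counter. */
void monitor_install(whitelist_t wl) {
    static api_fn const hooks[EV_COUNT] = {
        hook_get_location, hook_read_phone_number, hook_read_contacts, hook_read_call_log};
    active_wl = wl;
    blocked_count = 0;
    if (installed) return;
    for (int i = 0; i < EV_COUNT; i++) { original[i] = api[i]; api[i] = hooks[i]; }
    installed = 1;
}

/* What the target application does: call through the table, unaware of the hook. */
int app_call(enum event_kind ev) { return api[ev](); }
int monitor_blocked_count(void) { return blocked_count; }

int main(void) {
    monitor_install(WL(EV_GET_LOCATION) | WL(EV_READ_PHONE_NUMBER));
    app_call(EV_GET_LOCATION);    /* permitted, reaches the original entry */
    app_call(EV_READ_CONTACTS);   /* outside the list: blocked and logged */
    printf("blocked: %d\n", monitor_blocked_count());
    return 0;
}
```

The important property for the patent's design is that the application's own code is untouched: it keeps calling the same entry points, and only the table (in the real system, the resolved address of the call) changes, which is why the installation package can remain unmodified and still pass the package manager's checks.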
For brevity of description, the specific discussion of the use of the monitoring unit 130 of the invention is given in a later section and is deferred here.
Since the present device essentially explains the construction of sandbox instances, it is necessary to further disclose a desk module in the program realized by the invention. The desk module can be realized by an activity component (Activity) provided by a security application; running this activity component provides a user interface that lists all system applications and user applications. When the user clicks on an application, a dialog can further be shown asking whether the user chooses to run the target application in a sandbox. When the user chooses sandboxed running, the control module 12 of the invention is naturally invoked on this basis, so that the request produced by AMS in response to the above interface operation is handed to the mirror incubator 13 rather than the original incubator 10, and the target application runs in the sandbox running environment realized by the monitoring unit 130 of the invention. Of course, the realization of the user interface provided by the desk module is very flexible and variable; the above is only one example, which those skilled in the art can adapt. For convenience, those skilled in the art can dispense with this user-interface step altogether and simply default to starting, through the mirror incubator 13, whichever target application the user clicks on the desktop; the whole process then becomes faster and more convenient, and the routing work of the control module 12 and the work of its authentication unit 123 are simplified accordingly.
It can be seen that, safety device of the invention, by building the form of mirror image incubator 13, Neng Gouwei
Application program to be run realizes safer, reliable, independent running environment.
Correspondingly, the safety protection method of the invention organizes the same processing flow more efficiently for the machine; by performing this method, the running efficiency of the program realized according to the invention is optimized, so that sandbox running environments are constructed for application programs more efficiently.
Referring to Fig. 5, the safety protection method of the invention comprises the following steps:
S31: constructing, using the system's original incubator 10, a mirror incubator 13 for hatching process environments.
The purpose of this step is to construct a new mirror incubator 13 independent of the process of the system's original incubator Zygote 10. Referring to Fig. 6, it can be subdivided into the following sub-steps:
S311: running the control module 12.
As stated earlier, a user's click operation in the user interface provided by the desk module, or an adb shell command, identifies a target application as needing to run in a sandbox, whereupon the control module 12 of the invention is invoked and run. The functions realized by the control module 12 have been described above and are not repeated here.
S312: constructing, using the control module 12, the mirror incubator 13 on the basis of the original incubator 10.
This step obtains a mirror incubator 13 on demand through the control module 12; the demand can be established by the control module 12 according to the known setting data and/or the pre-set data described earlier, or a mirror incubator can be constructed and applied automatically according to a default rule. Referring to Fig. 7, this sub-step can be subdivided into the following sub-steps performed by the control module 12:
S3121: the control module 12 establishes a connection with the original incubator 10 using the socket of the original incubator 10.
The socket file /dev/socket/zygote of the original incubator Zygote 10 is the basis for establishing the socket connection. In this step the control module 12 reads the socket file and establishes the connection with the original incubator 10.
S3122: injecting a shut-off module into the system service process and causing it to execute, so as to close the connection that the activity management service 3 maintains on the socket of the original incubator 10.
As stated earlier, the control module injects a shut-off module 120 into the system service process 2 and causes it to execute, so as to close the socket between AMS and Zygote. Specifically, it first connects to and injects into the SystemServer process, obtains the sZygoteSocket member of the android.os.Process class, and calls that member's close method, for example socket.close(), thereby shutting off the socket connection between AMS and Zygote. This prevents the original incubator 10 from responding directly to the process-hatching requests of AMS, and the control module thereby gains greater control. It should be pointed out that, as described earlier, injecting the shut-off module 120 into the system service process 2 and executing the shut-off operation with the shut-off module 120 can be divided into two sub-steps, and as long as this order is preserved the two sub-steps can be performed separately. That is, once the shut-off module 120 has been injected, the shut-off operation need not be performed immediately; it can be invoked later, when a subsequent sub-step requires it. The first sub-step can be performed as soon as the control module 12 is invoked, followed by S3121 and then the later steps. Those skilled in the art will recognize this adaptation, and all variations under this principle are regarded as equivalent to this embodiment.
S3123: copying the executable code of the original incubator 10 and implanting in it a call instruction for loading the monitoring unit 130.
This sub-step can be performed by reference to the process of steps S121 to S124 described earlier:
S121: copying the executable code of the original incubator Zygote 10;
S122: inserting into the executable code a call instruction realizing an external call; according to the needs of different embodiments, the call instruction calls the monitoring unit 130 of the invention, which is used to monitor the event behaviors of the process spaces hatched by the constructed mirror incubator 13;
S123: inserting into the executable code, as required, code realizing a program self-check for the mirror incubator StepZygote 13, so that the mirror incubator 13 is difficult to attack; it should be noted that this sub-step is optional in the invention;
S124: running the modified executable code, so that the mirror incubator 13 is successfully constructed and stands by to hatch new processes for the requests of the activity management service ActivityManagerService 3.
S3124: executing the code of the mirror incubator to construct the mirror incubator 13. Once the mirror incubator 13 is running, it exists independently of the original incubator Zygote 10.
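The patent leaves the content of the self-check code of step S123 open. One way to implement it, given here as an added C example that is not the patent's code, is to hash the executable segments of the incubator's own ELF image and compare the result with a digest fixed at construction time. The parser follows the ELF64 little-endian header layout; the image it checks is constructed for the example (the "text" bytes are not real instructions), and the design choice that only executable PT_LOAD segments are covered, so that a patched text segment is flagged while writable data may change, is an assumption of this example rather than something the patent specifies.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the patent. Self-check for the mirror incubator:
 * walk the ELF64 program headers, hash (FNV-1a 64) the file bytes of every
 * executable PT_LOAD segment, compare with the digest recorded at construction
 * time. The sample image is constructed and contains no real machine code. */

#define PT_LOAD 1u
#define PF_X    1u

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t rd64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void wr64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Digest of all executable PT_LOAD segments. Returns how many segments were
 * hashed, or -1 if the buffer is not a well-formed little-endian ELF64 image. */
int elf64_text_digest(const uint8_t *img, size_t len, uint64_t *digest) {
    if (len < 64 || memcmp(img, "\x7f" "ELF", 4) != 0 || img[4] != 2 || img[5] != 1) return -1;
    uint64_t phoff = rd64(img + 32);          /* e_phoff */
    uint16_t phentsize = rd16(img + 54);      /* e_phentsize */
    uint16_t phnum = rd16(img + 56);          /* e_phnum */
    if (phentsize < 56 || phoff > len || (uint64_t)phnum * phentsize > len - phoff) return -1;
    uint64_t h = 0xcbf29ce484222325ULL;      /* FNV-1a offset basis */
    int count = 0;
    for (uint16_t i = 0; i < phnum; i++) {
        const uint8_t *ph = img + phoff + (size_t)i * phentsize;
        uint32_t type = rd32(ph), flags = rd32(ph + 4);
        uint64_t off = rd64(ph + 8), filesz = rd64(ph + 32);
        if (type != PT_LOAD || !(flags & PF_X)) continue;
        if (off > len || filesz > len - off) return -1;   /* segment outside the image */
        for (uint64_t j = 0; j < filesz; j++) { h ^= img[off + j]; h *= 0x100000001b3ULL; }
        count++;
    }
    *digest = h;
    return count;
}

/* The check the running incubator performs: 1 if the text digest still equals
 * the value recorded at construction time, 0 otherwise. */
int elf64_self_check(const uint8_t *img, size_t len, uint64_t expected) {
    uint64_t d;
    return elf64_text_digest(img, len, &d) > 0 && d == expected;
}

/* Constructed image: ELF header, two program headers (R+X text, R+W data),
 * then 16 bytes of each segment. Returns the image length, or 0 if cap is too small. */
enum { EHDR = 64, PHDR = 56, TEXT_OFF = EHDR + 2 * PHDR, SEG_LEN = 16,
       DATA_OFF = TEXT_OFF + SEG_LEN, IMAGE_LEN = DATA_OFF + SEG_LEN };

size_t build_sample_elf(uint8_t *img, size_t cap) {
    if (cap < (size_t)IMAGE_LEN) return 0;
    memset(img, 0, IMAGE_LEN);
    memcpy(img, "\x7f" "ELF", 4);
    img[4] = 2;  img[5] = 1;  img[6] = 1;          /* ELFCLASS64, little endian, EV_CURRENT */
    img[16] = 2;                                   /* e_type ET_EXEC */
    img[18] = 0xb7;                                /* e_machine EM_AARCH64 */
    wr64(img + 32, EHDR);                          /* e_phoff */
    img[52] = EHDR;  img[54] = PHDR;  img[56] = 2; /* e_ehsize, e_phentsize, e_phnum */
    uint8_t *ph = img + EHDR;
    wr32(ph, PT_LOAD);  wr32(ph + 4, 5);           /* PF_R | PF_X */
    wr64(ph + 8, TEXT_OFF); wr64(ph + 32, SEG_LEN); wr64(ph + 40, SEG_LEN);
    ph += PHDR;
    wr32(ph, PT_LOAD);  wr32(ph + 4, 6);           /* PF_R | PF_W */
    wr64(ph + 8, DATA_OFF); wr64(ph + 32, SEG_LEN); wr64(ph + 40, SEG_LEN);
    for (int j = 0; j < SEG_LEN; j++) { img[TEXT_OFF + j] = (uint8_t)(0xd0 + j); img[DATA_OFF + j] = (uint8_t)j; }
    return IMAGE_LEN;
}

/* Build the image, record its digest, flip one byte at `offset` and report
 * whether the self-check catches it (1) or not (0); -1 on a bad offset. */
int tamper_detected(size_t offset) {
    uint8_t img[IMAGE_LEN];
    uint64_t expected;
    if (build_sample_elf(img, sizeof img) != IMAGE_LEN || offset >= IMAGE_LEN) return -1;
    if (elf64_text_digest(img, IMAGE_LEN, &expected) != 1) return -1;
    img[offset] ^= 0x01;
    return elf64_self_check(img, IMAGE_LEN, expected) ? 0 : 1;
}

int main(void) {
    printf("text byte flipped: detected=%d\n", tamper_detected(TEXT_OFF + 3));
    printf("data byte flipped: detected=%d\n", tamper_detected(DATA_OFF + 3));
    return 0;
}
```

In the running incubator the image would come from /proc/self/exe rather than be built in memory, and the expected digest must be kept where an attacker who can patch the incubator cannot also rewrite it (for instance held by the control module, which can re-verify the incubator before each relay); otherwise the check only documents tampering rather than resisting it.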
S313: establishing the connection between the control module 12 and the mirror incubator 13.
Under the control of the control module 12, the construction and running of the mirror incubator 13 have been realized; therefore, following the logic by which the init process creates Zygote, the mirror incubator StepZygote 13 creates the socket file /dev/socket/stepzygote. In this sub-step the control module 12 establishes a connection with the socket of the mirror incubator 13 through this socket, and can then begin listening on the socket of the original incubator 10 so as to monitor the process-hatching requests initiated by AMS and subsequently relay them from the control module 12 to the original incubator 10 or the mirror incubator 13.
Those skilled in the art will appreciate that in the invention this step S31 constructs a mirror incubator 13 on the basis of the original incubator 10, but the number of mirror incubators 13 is not restricted to one: in theory the number of mirror incubators 13 that can be copied is limited only by memory space, and multiple mirror incubators 13 of the same nature can be copied, provided the control module 12 realizes effective scheduling of these mirror incubators 13 as disclosed herein.
It is emphasized that in order to simplify length, involved control module 12 in safety means of defence, with
Control device described by safety device of the invention has one-to-one corresponding, therefore control module 12 at this
Other the optional sexual functions realized in device, such as, on transfer, function of route etc., be equally applicable
In this method, a series of change caused by being applicable these optional sexual functions, it should also consider with band
To this method, do not repeat for this reason.
S32: hatching, by the mirror incubator 13, a process environment for the application program to be run.
On reaching this step, under the control of the control module 12, once the control module 12 has listened for and received a request from AMS it relays the request to a definite target: if the request is not relayed to the system's original incubator 10, it is handed to a mirror incubator 13 constructed by the invention. It should be noted that relaying here includes not only passing on an instruction consistent in form and construction with the original request initiated by AMS, but also an instruction that the control module 12 has processed and converted according to rules agreed with the mirror incubator 13 (for example by inserting the relevant code into the executable code when constructing the mirror incubator 13) and that the mirror incubator 13 can read according to that agreement.
After the mirror incubator 13 receives the request from AMS relayed by the control module 12, it copies a new process with its fork() function according to the intrinsic mechanism it inherits from the original incubator Zygote 10, and returns the process PID to AMS; the corresponding process environment is thereby established for the application program to be run.
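The hatching behavior of the mirror incubator described in S32 and for the device above, and the isolation claimed between it and the original incubator, can be exercised on any POSIX system. The following C program is an added example and is not the patent's StepZygote: a flag stands in for the monitoring unit 130, fork() plays the role of the incubator's fork, and a pipe carries back what the child observed; the two child bodies are constructed stand-ins for target applications. It shows that a monitor loaded before hatching is present in every child, that the parent receives the pid to return to the requester, and that a crashing child does not take the incubator down.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example, not code from the patent. A minimal "mirror incubator": a
 * flag standing in for the monitoring unit is loaded once into the incubator
 * process; each hatch request is answered by fork(), so the child inherits the
 * monitor with the rest of the address space; the parent reports the pid and
 * survives a crash of the child. The child bodies are constructed stand-ins. */

static int monitor_loaded = 0;

/* Pre-load the monitor into the incubator before any process is hatched. */
void incubator_load_monitor(void) { monitor_loaded = 1; }

struct hatch_result {
    pid_t pid;              /* pid returned to the requester */
    int child_saw_monitor;  /* 1 if the child found the monitor already loaded */
    int child_exit_signal;  /* signal that killed the child, 0 for a clean exit */
};

/* Hatch one process running `body` (its return value is the exit code).
 * Returns 0 and fills *r, or -1 if pipe()/fork() failed. */
int incubator_hatch(int (*body)(void), struct hatch_result *r) {
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        /* child: tell the parent whether the monitor came along, then run the app */
        char seen = (char)monitor_loaded;
        close(fds[0]);
        (void)write(fds[1], &seen, 1);
        close(fds[1]);
        _exit(body());
    }
    close(fds[1]);
    char seen = 0;
    (void)read(fds[0], &seen, 1);
    close(fds[0]);
    int status = 0;
    waitpid(pid, &status, 0);
    r->pid = pid;
    r->child_saw_monitor = seen;
    r->child_exit_signal = WIFSIGNALED(status) ? WTERMSIG(status) : 0;
    return 0;
}

/* Convenience wrappers returning one fact each about a hatched process. */
int hatch_saw_monitor(int (*body)(void)) {
    struct hatch_result r;
    return incubator_hatch(body, &r) == 0 ? r.child_saw_monitor : -1;
}
int hatch_exit_signal(int (*body)(void)) {
    struct hatch_result r;
    return incubator_hatch(body, &r) == 0 ? r.child_exit_signal : -1;
}

/* Two sample target applications: one exits cleanly, one crashes. */
int body_ok(void)    { return 0; }
int body_crash(void) { abort(); }

int main(void) {
    printf("before monitor load: child saw monitor = %d\n", hatch_saw_monitor(body_ok));
    incubator_load_monitor();
    printf("after monitor load:  child saw monitor = %d\n", hatch_saw_monitor(body_ok));
    printf("crashing child died by signal %d; incubator still running\n",
           hatch_exit_signal(body_crash));
    return 0;
}
```

The ordering is the point the patent relies on: whatever is mapped into the incubator before fork() is present in every hatched process without the application's cooperation, and whatever happens inside a hatched process stays there, because the incubator only waits on it.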
Step S33: determining, according to the attribute information of the application program to be run, the event behaviors that need to be monitored for that application, and configuring the monitoring unit, when the monitoring unit runs, to monitor the identified event behaviors.
Specifically, the event behaviors that need to be monitored for an application program to be run can be determined in several ways. For example, the event behaviors that the application program to be run is permitted to perform can first be determined from its type, and a corresponding white list of event behaviors generated; the white list is then imported into the monitoring unit, and the monitoring unit monitors the behavior events outside the white list. Take, for instance, an O2O food-delivery application: under normal circumstances the event behaviors it is permitted to perform may include invoking location information and identifying the mobile phone number, whereas it would not normally be permitted to read the address book or read the call log. In practice, therefore, the white list of event behaviors that this food-delivery application is permitted to perform can be set to invoking location information and identifying the mobile phone number, without permitting it to perform event behaviors such as reading the address book or reading the call log.
Further, before the white list is imported into the monitoring unit 130, it can first be presented to the user through an interactive interface and updated according to the user's operations, and the updated white list is then imported into the monitoring unit 130. Specifically, the interactive interface here can be an editable interface in which the user can delete or add the corresponding event behaviors (generally the user is only allowed to delete event behaviors). If the user performs such an edit, the white list is updated; if not, the white list is imported directly into the corresponding monitoring unit 130. In this way the user's wishes can be taken into account in deciding which event behaviors need no monitoring, which helps improve the user experience.
S34: loading the monitoring unit 130 and the application program to be run into the process environment hatched by the mirror incubator 13 and running them, so that the monitoring unit 130 monitors the event behaviors of the application program to be run.
The new process is responsible for loading the monitoring unit 130, whose interface was pre-set when the mirror incubator 13 was constructed, and for configuring the virtual machine instance that runs the target application which initiated the request. After AMS obtains the process entry, it loads the target application into the process space of the new process, so that the target application runs. When the target application terminates, the system reclaims the virtual machine space according to its own mechanism.
The above discloses in detail the whole process by which the safety protection method of the invention constructs a secure sandbox instance for an application program; by this method a safer and more reliable process running environment can be constructed for each application program.
Although many aspects of the general idea of the invention have been disclosed in detail above, they have not been exhausted. Those skilled in the art should understand that the program-process hatching control method and device of the invention, and its safety protection method and device, are two aspects of the same general idea, and the technical means they employ corroborate each other; the explanation of one aspect therefore also applies to the other. Thus, even if the disclosure of one aspect of the invention contains an omission, those skilled in the art can find the required explanation in the other aspect and reconstruct the whole scheme of that aspect, which should not be taken as grounds for negating the sufficiency of the disclosure of that aspect.
To highlight the sandbox instance of the invention, the embodiments relating to the monitoring unit 130, which is loaded by the mirror incubator 13 and has been referred to in many places above, are disclosed in further detail below.
Using the monitoring unit 130 of the invention, a more powerful sandbox running environment can be built. The monitoring unit 130 can obtain hook plug-ins (hook functions) corresponding to specific event behaviors from a background sandbox HOOK framework and use one or more hook plug-ins to hook and monitor specific event behaviors of the target application, thereby monitoring the activity of the target application's process. The hook plug-ins of the background sandbox HOOK framework are managed centrally in the cloud and distributed to each terminal; the cloud is mainly configured with a Java hook plug-in library and a Native hook plug-in library. When the monitoring unit 130 needs to hook a specific event behavior, it sends a request to the background sandbox HOOK framework through a remote plug-in interface, obtains the HOOK function for that particular event behavior, namely the hook plug-in, and thereby establishes the monitoring, capture and handling of that event behavior.
After the mirror incubator 13 has loaded the monitoring unit 130, it loads the target application whose launch was requested from AMS. Because the monitoring unit 130 is loaded before the target application, the monitoring unit 130 has already established monitoring through its hook plug-ins by the time the target application starts running, so every event behavior of the target application falls within the monitoring scope of the monitoring unit 130. The installation package of the target application is complete and unmodified and passes the inspection of PackageManagerService; once loaded, the target application therefore runs fully legitimately and normally and retains all of the functionality it originally had.
Because the monitoring unit 130 and the target application share the same process space, the running monitoring unit 130 can establish monitoring of all event behaviors of the target application. Whenever the target application produces an event behavior during its run, the corresponding event message can be captured by the monitoring unit 130 and handled accordingly.
Concretely, when the target application triggers a specific event behavior, the event message it produces is captured by the corresponding hook plug-in (hook function) in the monitoring unit 130. Capturing the event message reveals the intent of the event, after which the subsequent handling can be carried out.
Handling a specific event behavior requires obtaining a handling policy for that event behavior. In this sub-step, human-computer interaction can additionally be realized through a system service. To this end, the invention registers an interaction module as a system service in advance, in conjunction with the security software, and the monitoring unit 130 communicates with the interaction module over an established interactive interface so as to obtain user instructions or preset instructions.
The handling policy for an event behavior can be obtained in many flexible ways, which may be implemented by constructing a policy generation device. Several are listed below; the invention may use any one of them alone or any combination of them:
(1) After the monitoring unit 130 captures the specific event behavior, it sends a request to the interaction module through the interactive interface, and the interaction module pops up a dialog on the user interface of the security software asking the user for a handling policy. The pop-up directly informs the user of the content of the event behavior and its risk, and the option the user selects becomes the handling policy. Once the user has selected and confirmed an option, the interaction module holds the handling policy for that specific event behavior and feeds it back to the monitoring unit 130, which then performs the next handling step on the corresponding event behavior of the target application according to the policy produced by the user's instruction.
(2) When an event behavior recognized as relatively low-risk occurs, for example a read-only operation on the contacts, or when the user has configured the invention to retrieve the handling policy for a specific event behavior by itself, the invention retrieves the handling policy for that event behavior from a local policy database. That is, the local policy database establishes an association between specific event behaviors and their handling policies and stores records of the correspondence between the various event behaviors and their handling policies, for retrieval by the invention. Once the handling policy has been obtained from the local policy database, the next handling step can be performed on the event behavior.
(3) If the user has enabled the option to obtain handling policies remotely, or, by default, when the local policy database lookup finds no specific policy for the event behavior and remote acquisition is possible, or when the interaction of (1) above receives no response from the user to the pop-up within the prescribed time limit, the security software sends a request through its built-in remote policy interface to the pre-configured cloud, obtains the handling policy corresponding to the specific event behavior, and uses it for the subsequent handling.
It should be pointed out that the three ways of obtaining a handling policy described above can be combined. For example, as soon as the interaction module receives the characteristics of the event message sent by the monitoring unit 130, it can, according to the default settings, first look up the local policy database as in (2) to obtain the system-recommended handling policy (and, if none is found in the local policy database, obtain it from the cloud policy database as in (3)). Then, as in (1), the system-recommended handling policy is presented as the default option in the pop-up. If the user does not confirm the default option within the prescribed time limit, subsequent instructions are executed according to the system-recommended handling policy; if the user changes it to a new option, the policy set by the user is returned to the monitoring unit 130. The interaction can thus be realized more flexibly.
The local policy database may be a copy of the cloud policy database; the invention therefore provides an update step that downloads the cloud policy database to update the local policy database.
Generally, the policy for a specific event behavior can be set to one of three common options, "refuse", "run" and "ask", whose purposes are as follows:
Refuse: for the specific event behavior, send the target application a spoofed message that the event behavior has completed, so that the event behavior does not actually occur;
Run: make no change to the specific event behavior and forward the corresponding event message directly to the system message mechanism, allowing the target application to continue the event behavior;
Ask: either on its own or in combination with one of the two options above, mark the state of the specific event behavior as unknown, so that the user is prompted again the next time the behavior occurs.
In practice the "ask" option can be ignored, and only whether to refuse or allow the current event behavior needs to be considered.
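The hook-based capture described above (a hook plug-in wraps the target function and reports each call as an event message) together with the three ways of obtaining a handling policy and the refuse/run/ask semantics, as an added example that is not the patent's code: the class and function names are assumptions, the cloud policy lookup and the user pop-up are replaced by callables so the script runs offline, and the choices to fail closed on a timeout with no recommendation and to remember a firm user answer for the session are assumptions labelled in the code.

```python
"""Hook capture, policy resolution and enforcement inside one sandboxed app.
Added example, not the patent's code: names are assumptions, and the cloud
lookup and user pop-up are callables so the script runs offline."""
from dataclasses import dataclass, field
from enum import Enum
from functools import wraps
from typing import Callable, Dict, List, Optional, Set, Tuple


class Policy(Enum):
    REFUSE = "refuse"   # spoof "completed" to the app, never run the real call
    RUN = "run"         # pass the call straight through
    ASK = "ask"         # state unknown: prompt again next time


@dataclass
class MonitoringUnit:
    local_db: Dict[str, Policy]                      # local policy database, way (2)
    auto_apply: Set[str]                             # behaviors decided without a pop-up
    cloud_lookup: Callable[[str], Optional[Policy]]  # remote policy interface, way (3)
    prompt_user: Callable[[str, Optional[Policy]], Optional[Policy]]  # pop-up (1); None = timeout
    prompts: List[str] = field(default_factory=list)
    log: List[Tuple[str, Policy]] = field(default_factory=list)

    def recommend(self, behavior: str) -> Optional[Policy]:
        # Way (2) first, then way (3): local database, cloud on a miss.
        policy = self.local_db.get(behavior)
        if policy is None:
            policy = self.cloud_lookup(behavior)
            if policy is not None:
                self.local_db[behavior] = policy     # cache the cloud answer locally
        return policy

    def decide(self, behavior: str) -> Policy:
        # Combined flow: the recommendation becomes the pop-up's default option.
        recommended = self.recommend(behavior)
        firm = recommended in (Policy.REFUSE, Policy.RUN)
        if firm and behavior in self.auto_apply:
            return recommended                       # low-risk or user opted out of prompts
        self.prompts.append(behavior)
        choice = self.prompt_user(behavior, recommended)
        if choice is None:                           # no answer within the time limit
            choice = recommended if firm else Policy.REFUSE   # fail closed (assumption)
        self.local_db[behavior] = choice
        if choice is not Policy.ASK:
            self.auto_apply.add(behavior)            # a firm answer is remembered (assumption)
        return choice

    def hook(self, behavior: str, spoof_result):
        # Hook plug-in: wrap the target function so every call is a captured event.
        def decorator(fn):
            @wraps(fn)
            def wrapper(*args, **kwargs):
                policy = self.decide(behavior)
                self.log.append((behavior, policy))
                if policy is Policy.REFUSE:
                    return spoof_result              # the app believes the call completed
                return fn(*args, **kwargs)           # RUN, or ASK: allowed this once
            return wrapper
        return decorator


def build_demo():
    """Constructed scenario: four hooked behaviors and scripted user answers."""
    cloud_db = {"apn.switch": Policy.REFUSE}
    answers = {"sms.send": Policy.REFUSE, "apn.switch": None, "shortcut.create": Policy.ASK}
    unit = MonitoringUnit(local_db={"contacts.read": Policy.RUN}, auto_apply={"contacts.read"},
                          cloud_lookup=cloud_db.get, prompt_user=lambda b, _default: answers.get(b))
    sent: List[Tuple[str, str]] = []

    @unit.hook("sms.send", spoof_result=True)         # stands in for sendTextMessage()
    def send_text_message(number: str, body: str) -> bool:
        sent.append((number, body))
        return True

    @unit.hook("contacts.read", spoof_result=[])      # stands in for query()
    def query_contacts() -> List[str]:
        return ["alice", "bob"]

    @unit.hook("apn.switch", spoof_result=True)
    def switch_apn(name: str) -> str:
        return "switched:" + name

    @unit.hook("shortcut.create", spoof_result=None)  # stands in for sendBroadcast()
    def send_broadcast(action: str) -> str:
        return "broadcast:" + action

    results = {"contacts": query_contacts(),
               "sms_first": send_text_message("10086", "subscribe"),
               "sms_second": send_text_message("10086", "subscribe"),
               "apn": switch_apn("cmwap"),
               "shortcut_1": send_broadcast("INSTALL_SHORTCUT"),
               "shortcut_2": send_broadcast("INSTALL_SHORTCUT")}
    return unit, sent, results


if __name__ == "__main__":
    unit, sent, results = build_demo()
    for behavior, policy in unit.log:
        print(f"{behavior:16s} -> {policy.value}")
    print("pop-ups shown:", unit.prompts, "| real SMS sent:", sent)
```

In the scripted run the contacts read is served from the local database without a pop-up, the first SMS send prompts once and is refused (the app receives `True` but nothing is sent), the second SMS send is refused silently because the firm answer was remembered, the APN switch is refused by the cloud recommendation after the user's pop-up times out, and the shortcut broadcast prompts on every occurrence because the user answered "ask".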
Event behaviors are very varied and include the following main types:
(1) Terminal and network-related operations:
Obtaining operator information: the target application can, for example, use TelephonyManager functions such as getSimOperatorName() to learn the operator and the IMSI of the mobile terminal, and can then send subscription instructions to the operator to achieve an illegal purpose such as charging fees. By hooking the related message, the monitoring platform can capture this event behavior.
Switching APN: likewise, the target application performs APN switching control through the APN-related functions, and the monitoring unit 130 can monitor this by invoking the corresponding hook plug-in.
Similar operations, including obtaining the handset identity code IMEI, are handled in the same way.
(2) Notification operations: notifications are the means most easily abused by rogue programs; the monitoring unit 130 monitors the event messages produced by the notify() functions by invoking the corresponding hook plug-in and can thereby monitor them as well.
(3) Communication operations:
Phone dialing: the event behavior of calling the system dialer interface can be monitored through the startActivity() function, so event behavior monitoring for dialing can be established with the corresponding hook plug-in.
SMS operations correspond to functions such as sendTextMessage(); event behavior monitoring for this class of functions is likewise established through hook plug-ins.
Contacts operations generally correspond to the query() and insert() functions; by hooking these functions with hook plug-ins, the monitoring unit 130 can capture and monitor such event behaviors.
(4) Command operations:
Operations such as privilege escalation via su or execution of shell commands all go through the execve() function; by monitoring the return of this function the monitoring unit 130 can monitor this class of event behavior.
(5) Interface and access operations:
Creating a shortcut, for instance, corresponds to the sendBroadcast() function. Similarly, hiding the program icon corresponds to a specific function that can be monitored.
HTTP network access corresponds to functions such as sendto() and write().
(6) Program operations:
Application loading, i.e. the target application loading related applications, can be captured by hook-monitoring functions such as DexClassLoader and loadLibrary().
Installing a sub-package, for example, corresponds to the installPackage() function.
(7) Other risky operations:
For example child-process intrusion, dropped files (derivatives), activating a device administrator, and so on.
Here a child process is a subprocess created by the target application. When the target application creates a child process, the process space of the child is likewise constructed by the mirror incubator 13, so the child process cannot escape monitoring by the monitoring unit 130. Thus, whether an event behavior is triggered directly by the target application's own process or indirectly by a child process it creates, it is monitored by the monitoring unit 130 of the invention, giving better active defense.
A derivative is a file created by the target application itself or downloaded remotely, typically a sensitive derivative such as an installation package. This event can be captured by hooking the fclose() function. After the monitoring unit 130 captures the event behavior, it can, as described earlier, send a request to the cloud through the remote rule base interface; the cloud judges the safety level of the derivative by its black, white and grey safety-level behavior rules, and after obtaining the cloud's verdict through the remote rule base interface the invention pops up a dialog asking the user whether to establish active defense against the sensitive derivative, further consolidating the effect of active defense.
The event behaviors above are listed only as examples and must not be understood as limiting the event behaviors monitored by the invention.
According to the handling policies and event behaviors described above, the active defense method of the invention can handle the various event behaviors accordingly. Several typical application examples follow:
(1) Fine-grained interception of the target application:
Some rogue programs, once installed, behave normally for quite a long time and lull the user's sense of security. After running for a while, however, the target application attempts to insert a short message from the background to attract the user's attention, achieving an advertising or fraud effect. After the sandbox instance of the invention is applied to the target application, the corresponding hook plug-in in the monitoring unit 130 monitors the SMS handling function, so as soon as the target application produces an SMS operation event behavior it is captured. The monitoring unit 130 then notifies, over its interactive interface, the interaction module running as a system service, and the interaction module pops up a warning on the user interface. After the user clicks the "refuse" handling policy, it is fed back to the monitoring unit 130, whose hook plug-in blocks the event behavior from actually occurring, thereby guarding against the risk.
(2) Release of a malicious file by the target application.
The target application is a game that downloads and drops a malicious sub-package under the guise of checking for updates and then calls a system function to install it. After the invention has established the active-defense sandbox runtime environment for the target application, the event behavior produced by its downloading of the file can be monitored and a warning popped up by the interaction module. After the user instructs a refusal, the corresponding hook plug-in in the monitoring unit 130 can delete the file directly or merely refuse the installation of the file.
In the invention such a malicious sub-package is regarded as a sensitive derivative, and whether the derivative is malicious can be judged remotely using predetermined safety levels. Specifically, when the generation of a derivative is detected, characteristic information of the file, such as its signature, is sent to the cloud through the remote rule base interface and the file's safety level is obtained from the cloud; if it is a black or grey application, the pop-up advises the user to refuse installation; if it is a white application, it is allowed to proceed. In this way security protection of sensitive derivatives is achieved. If the cloud has no record of the derivative, it can require the method to upload the file, and the cloud marks it as an unknown application, i.e. grey, for future use.
(3) Child-process intrusion.
The monitored target application creates a child process while running, and the child process in turn releases malicious event behaviors. When the monitoring unit 130 observes the target application creating a child process, it obtains the entry point of the child and could in principle load monitoring of the child's event behaviors into it by inline hooking. However, since the child process is also hatched by the mirror incubator 13, the new process hatched by the mirror incubator 13 loads the monitoring unit 130 before the child process's own code, so monitoring of the child process is achieved without inline hooking. Whether an event behavior is triggered directly by the target application's process or indirectly by a child process created by it, it is therefore successfully monitored by the monitoring unit 130.
The analysis above shows that the sandbox runtime environment constructed by the invention is highly efficient and feasible.
To make the invention easier for those skilled in the art to implement, the following further discloses how the cloud server and the terminal device cooperate to judge the safety level of an installation package:
As stated earlier, the characteristic information sent to the cloud server by the client through the remote rule base interface includes: the package name of the Android installation package, and/or its version number, and/or its digital signature, and/or features of its Android receiver components, and/or features of its Android service components, and/or features of its Android activity components, and/or instructions or strings in its executable files, and/or the MD5 values (signatures) of each file under the installation package directory.
The client that implements the method or device of the invention uploads the specified characteristic information to the server (the cloud), and the server searches its preset rule base for feature records that match the specified single feature or combination of features. The server's preset rule base contains feature records and the security level corresponding to each feature record, and each feature record contains a single feature or a combination of features.
The server-side rule base holds thousands of feature records. For example, the first record lists the package name of a certain virus's Android installation package; the second lists the version number of a certain normal application's Android installation package together with the MD5 value of its digital signature; the third lists the package name of a certain normal application's Android installation package together with its receiver features; the fourth lists the package name and version number of a certain trojan's Android installation package together with a specific string in its ELF file; and so on.
The safety-level marks, i.e. the three marks black, white (safe) and grey (unknown or suspicious), can be expressed in more detail as:
Safe: the application is a normal application with no behavior that threatens the security of the user's phone;
Dangerous: the application carries a security risk; it may itself be malware, or it may be a normal application issued by a legitimate company that nevertheless contains security vulnerabilities that put the user's privacy and phone security at risk;
Caution: the application is a normal application but has problems, for example it may cause the user to be charged inadvertently, or it carries unfriendly advertising that draws complaints; when such an application is found, the user can be prompted to use it with caution and told what it may do, but the user decides whether to remove it;
Trojan: the application is a virus, trojan or other malware; "trojan" is used here as a general term and does not mean that the application is only a trojan.
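The client/cloud exchange described in the two passages above, i.e. the sensitive-derivative check (send the file's characteristic information, get back black/white/grey, advise refusal for black or grey, upload and mark grey when unknown) and the feature-record rule base whose records are single features or combinations, as an added example that is not the patent's code. The record layout, the precedence rule between overlapping records (most matched features wins, more severe level wins a tie), the feature names and the inline rule base and samples are all constructed assumptions; MD5 is used only because the page names it as the fingerprint.

```python
"""Cloud rule-base matching for installation packages and dropped files.
Added example, not the patent's code: record layout, precedence rule, names,
rule base and samples are constructed assumptions so it runs offline."""
import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

Feature = Tuple[str, str]          # (kind, value), e.g. ("package", "com.x")
SEVERITY = {"black": 2, "grey": 1, "white": 0}


def md5hex(data: bytes) -> str:
    """The page uses MD5 as the per-file / signature fingerprint; kept for fidelity."""
    return hashlib.md5(data).hexdigest()


@dataclass(frozen=True)
class FeatureRecord:
    features: FrozenSet[Feature]   # a single feature or a combination; all must match
    level: str                     # "black" | "white" | "grey"
    label: str


class CloudRuleBase:
    def __init__(self, records: List[FeatureRecord]):
        self.records = records
        self.unknown: List[FrozenSet[Feature]] = []   # samples the cloud asked to upload

    def lookup(self, sample: FrozenSet[Feature]) -> Optional[FeatureRecord]:
        # A record matches when every feature in it is present in the sample.
        # Precedence (assumption): most matched features wins; on a tie the more
        # severe level wins, so a partial white match never hides a fuller black one.
        hits = [r for r in self.records if r.features <= sample]
        if not hits:
            return None
        return max(hits, key=lambda r: (len(r.features), SEVERITY[r.level]))

    def classify(self, sample: FrozenSet[Feature]) -> Tuple[str, str]:
        rec = self.lookup(sample)
        if rec is None:
            self.unknown.append(sample)          # no record: request upload, mark grey
            return "grey", "unknown"
        return rec.level, rec.label


def apk_features(package: str, version: str, cert_der: bytes, receivers: List[str],
                 elf_strings: List[str], files: Dict[str, bytes]) -> FrozenSet[Feature]:
    """Client side: the characteristic information listed on the page."""
    feats = {("package", package), ("version", version), ("signature_md5", md5hex(cert_der))}
    feats |= {("receiver", r) for r in receivers}
    feats |= {("elf_string", s) for s in elf_strings}
    feats |= {("file_md5", f"{name}:{md5hex(body)}") for name, body in files.items()}
    return frozenset(feats)


def advise(level: str) -> str:
    """Terminal side: black or grey -> advise refusing the install, white -> allow."""
    return "allow" if level == "white" else "refuse"


GOOD_CERT = b"constructed-cert-of-a-normal-vendor"   # constructed sample data

RULES = CloudRuleBase([   # constructed rule base mirroring the four records on the page
    FeatureRecord(frozenset({("package", "com.evil.virus")}), "black", "virus"),
    FeatureRecord(frozenset({("version", "3.1"), ("signature_md5", md5hex(GOOD_CERT))}),
                  "white", "normal-app-A"),
    FeatureRecord(frozenset({("package", "com.example.game"),
                             ("receiver", "com.example.game.BootReceiver")}),
                  "white", "normal-app-B"),
    FeatureRecord(frozenset({("package", "com.example.game"), ("version", "1.2"),
                             ("elf_string", "/system/bin/su")}),
                  "black", "trojan-in-game-update"),
])


def demo() -> Dict[str, Tuple[str, str, str]]:
    """Three constructed samples: a trojanised update, a clean build, an unknown drop."""
    samples = {
        "game_update": apk_features("com.example.game", "1.2", b"unknown-cert",
                                    ["com.example.game.BootReceiver"], ["/system/bin/su"],
                                    {"lib/libpay.so": b"\x7fELF..."}),
        "game_clean": apk_features("com.example.game", "3.1", GOOD_CERT,
                                   ["com.example.game.BootReceiver"], [], {}),
        "dropped_apk": apk_features("com.unknown.pkg", "0.1", b"self-signed", [], [],
                                    {"classes.dex": b"dex\n035"}),
    }
    out = {}
    for name, sample in samples.items():
        level, label = RULES.classify(sample)
        out[name] = (level, label, advise(level))
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} -> {verdict}")
    print("samples the cloud asked to upload:", len(RULES.unknown))
```

The trojanised update matches both the two-feature white record (package plus receiver) and the three-feature black record (package, version, ELF string); the precedence rule returns black, so the terminal advises refusing the install. The clean build matches only white records and is allowed, and the unknown drop matches nothing, is queued for upload and comes back grey, which the terminal also treats as "refuse".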
It should be understood that the cooperation between the cloud and the client can be further expanded, transformed, extended, reduced and improved by those skilled in the art on the basis of what the invention discloses. The disclosure above should therefore not be understood as limiting the implementation of the method and device of the invention.
Testing shows that, relative to the prior art, the invention has a broader range of application and better effect, as outlined below:
Because the invention turns the HOOK framework into a service platform and configures the monitoring unit 130 for the terminal in the form of hook plug-ins, loading it depends only on the corresponding configuration file, which is efficient to manage and easy to implement: a technician needs only a few simple function calls and a configuration file to configure hook plug-ins, and the HOOKs are reentrant with high concurrency.
Loading the monitoring unit 130 and then the target application in turn through the host application, and then having the monitoring unit 130 establish monitoring of the target application's event behaviors, makes it possible to hook both Java functions and Native functions.
In summary, the invention enables the target application to run in a safer sandbox runtime environment.
The above are only some embodiments of the invention. It should be noted that a person of ordinary skill in the art can make improvements and modifications without departing from the principles of the invention, and such improvements and modifications should also be regarded as falling within the scope of protection of the invention.
Claims (10)
1. A safety protection method, characterized in that it comprises the following steps:
using the system's original incubator to construct a mirror incubator for hatching process environments;
hatching, by the mirror incubator, a process and the process environment for an application to be run;
determining, according to attribute information of the application to be run, the event behaviors that need to be monitored for the application to be run, and configuring a monitoring unit so that the monitoring unit monitors the determined event behaviors when it runs;
loading the monitoring unit and the application to be run into the process obtained by the hatching of the mirror incubator so that they run in the process environment, and monitoring the event behaviors of the application to be run by the monitoring unit.
2. The method of claim 1, characterized in that determining, according to attribute information of the application to be run, the event behaviors that need to be monitored for the application to be run, and configuring the monitoring unit so that it monitors the determined event behaviors when it runs, comprises:
determining, according to the type of the application to be run, the event behaviors that the application to be run is allowed to perform, and generating a whitelist of the corresponding event behaviors;
importing the whitelist into the monitoring unit so that the monitoring unit monitors the event behaviors outside the whitelist.
3. The method of claim 2, characterized in that importing the whitelist into the monitoring unit specifically comprises:
presenting the whitelist to the user through an interactive interface;
updating the whitelist according to the user's operation;
importing the updated whitelist into the monitoring unit.
4. The safety protection method of claim 1, characterized in that the process of constructing the mirror incubator using the original incubator comprises the following steps:
running a control module; using the control module, constructing the mirror incubator on the basis of the original incubator;
establishing a connection between the control module and the mirror incubator.
5. The safety protection method of claim 4, characterized in that the step of constructing the mirror incubator on the basis of the original incubator using the control module comprises:
the control module establishing a connection with the original incubator through the socket of the original incubator;
the control module closing the connection that the activity manager service maintains through the socket of the original incubator;
the control module copying the executable code of the original incubator and implanting into it a call instruction for loading the monitoring unit;
the control module running the code of the mirror incubator so as to construct the mirror incubator.
6. The safety protection method of claim 1, characterized in that the monitoring unit comprises a number of hook plug-ins, and that by monitoring the different call instructions of the program process the corresponding hook plug-in is applied so as to handle the event behaviors of the program process.
7. A safety protection device, characterized in that it comprises:
a control module, for constructing, using the system's original incubator, a mirror incubator for hatching process environments, and for determining, according to attribute information of an application to be run, the event behaviors that need to be monitored for the application to be run, and configuring a monitoring unit so that the monitoring unit monitors the determined event behaviors when it runs;
the mirror incubator, for hatching a process environment itself and loading the monitoring unit and the application to be run in the process environment;
the monitoring unit, for monitoring the event behaviors of the application to be run.
8. The safety protection device of claim 7, characterized in that the control module is specifically used to determine, according to the type of the application to be run, the event behaviors that the application to be run is allowed to perform, generate a whitelist of the corresponding event behaviors, and import the whitelist into the monitoring unit so that the monitoring unit monitors the event behaviors outside the whitelist.
9. The safety protection device of claim 8, characterized in that the control module is specifically used to present the whitelist to the user through an interactive interface, update the whitelist according to the user's operation, and import the updated whitelist into the monitoring unit.
10. The safety protection device of any one of claims 7 to 9, characterized in that the monitoring unit comprises a number of hook plug-ins, and that by monitoring the different call instructions of the program process the corresponding hook plug-in is applied so as to handle the event behaviors of the program process.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510982010.4A CN106909833A (en) | 2015-12-23 | 2015-12-23 | A kind of safety protecting method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106909833A true CN106909833A (en) | 2017-06-30 |
Family
ID=59206219
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510982010.4A Pending CN106909833A (en) | 2015-12-23 | 2015-12-23 | A kind of safety protecting method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106909833A (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107346390A (en) * | 2017-07-04 | 2017-11-14 | 深信服科技股份有限公司 | A kind of malice sample testing method and device |
CN111356985A (en) * | 2017-08-29 | 2020-06-30 | 赛门铁克公司 | System and method for preventing malicious applications from utilizing application services |
CN111399927A (en) * | 2018-12-14 | 2020-07-10 | 北京奇虎科技有限公司 | Method and device for sharing Class file by application and computing equipment |
CN113590133A (en) * | 2021-08-09 | 2021-11-02 | 咪咕文化科技有限公司 | Android system injection detection method, device, equipment and computer storage medium |
CN113835889A (en) * | 2021-09-24 | 2021-12-24 | 青岛海信移动通信技术股份有限公司 | Method for acquiring input event and related device |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20120054868A1 (en) * | 2010-08-30 | 2012-03-01 | International Business Machines Corporation | Rootkit monitoring agent built into an operating system kernel |
CN103634268A (en) * | 2012-08-20 | 2014-03-12 | 中国联合网络通信集团有限公司 | A safety control method and an apparatus |
CN103927485A (en) * | 2014-04-24 | 2014-07-16 | 东南大学 | Android application program risk assessment method based on dynamic monitoring |
CN104239797A (en) * | 2014-10-13 | 2014-12-24 | 北京奇虎科技有限公司 | Active defense method and device |
CN104375494A (en) * | 2014-12-02 | 2015-02-25 | 北京奇虎科技有限公司 | Security sandbox construction method and security sandbox construction device |
CN104484599A (en) * | 2014-12-16 | 2015-04-01 | 北京奇虎科技有限公司 | Behavior processing method and device based on application program |
Timeline: 2015-12-23 CN CN201510982010.4A patent/CN106909833A/en active Pending
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN104375494B (en) | Security sandbox construction method and security sandbox construction device | |
CN104376256B (en) | Program process hatching control and device | |
CN105427096A (en) | Payment security sandbox realization method and system and application program monitoring method and system | |
CN104408367B (en) | Application program configuration method and device | |
CN106909833A (en) | A kind of safety protecting method and device | |
CN103198255B (en) | Method and system for monitoring and intercepting sensitive behaviour of Android software | |
CN104376255B (en) | Application program running control method and device | |
CN104346559B (en) | Authority request response method and corresponding device | |
CN104462879B (en) | Application program exempts from Root progress control methods and device | |
CN104239786A (en) | ROOT-free active defense configuration method and device | |
CN105183307A (en) | Application message display control method and application message display control device | |
CN104376257B (en) | Application program self-protection, active defense method and device | |
CN105095746A (en) | Method and device for application program starting authentication | |
CN104462880B (en) | Application program shell adding collocation method and device | |
CN104239797B (en) | Active defense method and device | |
CN104881601A (en) | Floating window display setup, control method and device | |
CN104573497B (en) | A kind for the treatment of method and apparatus of startup item | |
CN104462961A (en) | Mobile terminal and privacy permission optimizing method thereof | |
CN104375869A (en) | Self-starting application control method and device | |
CN105631335B (en) | A kind of dynamic hulling method, device and equipment | |
CN108399331A (en) | Application process trial method and system | |
CN109947534B (en) | Cloud security function scheduling system based on SDN | |
Pecka et al. | Privilege escalation attack scenarios on the devops pipeline within a kubernetes environment | |
CN106293821A (en) | Obtain and transmission application data, the method and device of operation application program | |
CN106355100A (en) | Safety protection system and method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
RJ01 | Rejection of invention patent application after publication | Application publication date: 20170630 |