CN106909833A - A kind of safety protecting method and device - Google Patents


Info

Publication number: CN106909833A
Authority: CN (China)
Prior art keywords: incubator, mirror image, run, monitoring unit, control module
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201510982010.4A
Other languages: Chinese (zh)
Inventor: 曹阳
Current Assignee: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original Assignee: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd; priority to CN201510982010.4A; publication of CN106909833A; legal status pending.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51 Monitoring users, programs or devices to maintain the integrity of platforms at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software


Abstract

The invention discloses a safety protecting method and device. In the method, before the monitoring unit is loaded into the process context, the event behaviors that need to be monitored for the application program to be run are determined from the attribute information of that application, and the monitoring unit is configured so that, when it runs, it monitors the identified event behaviors. The monitoring unit and the application program to be run are then loaded into the process context of a process hatched by a mirror image incubator and run there, and the monitoring unit monitors the event behaviors of the application program to be run. The monitoring unit thus monitors only the event behaviors that the application to be run needs monitored, and does not waste effort on event behaviors the application is permitted to perform, which reduces the consumption of system resources.

Description

A kind of safety protecting method and device
Technical field
The present invention relates to the field of Internet technology, and in particular to a safety protecting method and device.
Background technology
A sandbox is an execution environment that restricts program behavior according to a security strategy, and is now widely applied in various operating systems. There are many existing implementations of sandbox technology. Taking the Android system as an example, one comparatively advanced current technique uses the incubator (Zygote) component to virtualize a process environment (also called a virtual machine), and loads the application software to be run, together with a monitoring unit for monitoring that software, into the process produced when the virtual process environment is built, so that the virtual process environment constitutes a sandbox instance.
The prior art has the following technical problem: because the same monitoring unit is loaded for different process contexts, and in order to achieve safe and reliable protection, the monitoring unit loaded into each process context monitors most of the event behaviors of the corresponding application program. Such a monitoring unit needs considerable resources to run, and the process context built for it also consumes a large amount of resources.
Content of the invention
It is an object of the present invention to solve the above technical problem.
In a first aspect, the invention provides a safety protecting method comprising the following steps:
Using the system's original incubator, construct a mirror image incubator for hatching process contexts;
Through hatching by the mirror image incubator, establish a process and its process context for the application program to be run;
Determine, from the attribute information of the application program to be run, the event behaviors that need to be monitored for that application, and configure the monitoring unit so that, when it runs, it monitors the identified event behaviors;
Load the monitoring unit and the application program to be run into the process context of the process hatched by the mirror image incubator and run them there, the monitoring unit monitoring the event behaviors of the application program to be run.
Further, determining from the attribute information of the application program to be run the event behaviors that need to be monitored for that application, and configuring the monitoring unit so that, when it runs, it monitors the identified event behaviors, includes:
Determining, according to the type of the application program to be run, the event behaviors that the application program is allowed to perform, and generating a white list of the corresponding event behaviors;
Importing the white list into the monitoring unit, so that the monitoring unit monitors the event behaviors outside the white list.
Further, importing the white list into the monitoring unit specifically includes:
Presenting the white list to the user through an interactive interface;
Updating the white list according to the user's operation;
Importing the updated white list into the monitoring unit.
Further, the process of constructing the mirror image incubator using the original incubator comprises the following steps:
Running a control module, and using the control module to construct the mirror image incubator based on the original incubator;
Establishing a connection between the control module and the mirror image incubator.
Further, the step of constructing the mirror image incubator based on the original incubator using the control module includes:
The control module establishes a connection with the original incubator using the socket of the original incubator;
The control module closes the connection that the activity management service maintains over the socket of the original incubator;
The control module copies the executable code of the original incubator and implants into it a call instruction for loading the monitoring unit;
The control module runs the code of the mirror image incubator so as to construct the mirror image incubator.
Further, the monitoring unit includes a number of hook plug-ins; by monitoring the different call instructions of the application program's process and applying the corresponding hook plug-in, the event behaviors of the application program's process are processed.
In a second aspect, the invention provides a safety protection device, including:
a control module, for constructing, using the system's original incubator, a mirror image incubator for hatching process contexts, and for determining from the attribute information of the application program to be run the event behaviors that need to be monitored for that application and configuring the monitoring unit so that, when it runs, it monitors the identified event behaviors; the mirror image incubator, for hatching the process context itself and loading the monitoring unit and the application program to be run into that process context;
the monitoring unit, for monitoring the event behaviors of the application program to be run.
Further, the control module is specifically configured to determine, according to the type of the application program to be run, the event behaviors that the application program is allowed to perform, generate a white list of the corresponding event behaviors, and import the white list into the monitoring unit, so that the monitoring unit monitors the event behaviors outside the white list.
Further, the control module is specifically configured to present the white list to the user through an interactive interface, update the white list according to the user's operation, and import the updated white list into the monitoring unit.
Further, the monitoring unit includes a number of hook plug-ins; by monitoring the different call instructions of the application program's process and applying the corresponding hook plug-in, the event behaviors of the application program's process are processed.
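The whitelist and hook plug-in mechanism described in the two aspects above, as an added example that is not the patent's own code: the application types, the event behavior names and the hook plug-ins are constructed assumptions (the patent names none of them), and the monitoring unit is modelled as a Python class rather than native code in the process context.

```python
"""Whitelist-driven monitoring unit, modelled on the patent's description.

Added example, not the patent's own code. The application types, the event
behaviour names and the hook plug-ins below are constructed assumptions;
the patent names none of them.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Set

Hook = Callable[[str, dict], str]   # (event, call arguments) -> verdict

# Constructed policy: event behaviours an application of a given type is
# allowed to perform. The patent derives the whitelist from the attribute
# information of the app to be run; here the attribute used is its type.
WHITELIST_BY_TYPE: Dict[str, Set[str]] = {
    "game":      {"network.connect", "storage.read", "audio.play"},
    "messenger": {"network.connect", "contacts.read", "notification.post"},
    "utility":   {"storage.read", "storage.write"},
}


@dataclass(frozen=True)
class AppInfo:
    package: str
    app_type: str


def build_whitelist(app: AppInfo) -> Set[str]:
    """Determine from the app's type which event behaviours it may perform."""
    # Unknown type: empty whitelist, so every behaviour is monitored.
    return set(WHITELIST_BY_TYPE.get(app.app_type, ()))


def apply_user_update(whitelist: Set[str],
                      allow: Iterable[str] = (),
                      revoke: Iterable[str] = ()) -> Set[str]:
    """The whitelist shown to the user is updated by the user's operation."""
    return (set(whitelist) | set(allow)) - set(revoke)


# Constructed hook plug-ins, one per monitored call instruction. Verdicts
# follow the prior-art flow quoted later in the description: "prompt"
# suspends the behaviour and asks the user, "deny" terminates it.
def prompt_user(event: str, args: dict) -> str:
    return "prompt"


def block_always(event: str, args: dict) -> str:
    return "deny"


HOOK_PLUGINS: Dict[str, Hook] = {
    "sms.send": prompt_user,
    "contacts.read": prompt_user,
    "kernel.exec": block_always,
}


@dataclass
class MonitoringUnit:
    """Configured before it is loaded beside the app in the process context."""
    whitelist: Set[str]
    hooks: Dict[str, Hook]
    log: List[str] = field(default_factory=list)

    def on_call(self, event: str, args: dict) -> str:
        # Whitelisted behaviour: no hook is applied and nothing is recorded,
        # which is the resource saving the patent argues for.
        if event in self.whitelist:
            return "allow"
        hook = self.hooks.get(event)
        # Outside the whitelist but with no matching plug-in: record only.
        verdict = hook(event, args) if hook else "log"
        self.log.append(f"{event} {args} -> {verdict}")
        return verdict


def configure_monitoring_unit(app: AppInfo,
                              allow: Iterable[str] = (),
                              revoke: Iterable[str] = ()) -> MonitoringUnit:
    """The method's steps in order: whitelist from the app's attributes,
    user update through the interactive interface, import into the unit."""
    whitelist = apply_user_update(build_whitelist(app), allow, revoke)
    return MonitoringUnit(whitelist=whitelist, hooks=dict(HOOK_PLUGINS))


def run_trace(unit: MonitoringUnit, trace: Iterable[tuple]) -> List[str]:
    """Feed a constructed sequence of (event, args) call instructions."""
    return [unit.on_call(event, args) for event, args in trace]


if __name__ == "__main__":
    game = AppInfo("com.example.game", "game")
    unit = configure_monitoring_unit(game, revoke=["audio.play"])
    sample = [("network.connect", {"host": "example.invalid"}),
              ("audio.play", {}),
              ("sms.send", {"to": "+10000000000"}),
              ("camera.open", {}),
              ("kernel.exec", {"path": "/system/bin/sh"})]
    for step in zip(sample, run_trace(unit, sample)):
        print(step)
```

The constructed trace shows the three cases the patent distinguishes: a whitelisted call passes without a hook, a call outside the whitelist with a matching plug-in gets that plug-in's verdict, and one with no plug-in is merely recorded.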
In the safety protecting method and device provided by the invention, before the monitoring unit is loaded into the process context, the event behaviors that need to be monitored for the application program to be run are determined from its attribute information, and the monitoring unit is configured so that, when it runs, it monitors the identified event behaviors; afterwards the application to be run and the configured monitoring unit are loaded into the process context and run. The monitoring unit thus monitors only the event behaviors that the application to be run needs monitored, and does not waste effort on event behaviors the application is permitted to perform, which reduces the consumption of system resources. At the same time, the invention uses the original incubator Zygote built into the Android system to construct a new mirror image incubator, so that the mirror image incubator is independent of the original incubator, and then, by controlling the redirection of requests from the activity management service, causes application programs to run in the mirror image incubator constructed by the invention. Intrusions are generally realized on the basis of mechanisms known to the system; because the mirror image incubator is independent of the original incubator, a malicious program cannot recognize the internal mechanism of the mirror image incubator. Therefore, even if a malicious program with system Root privileges attempts to go deep into the bottom layer of the system and damage Zygote, or attempts to spread a virus by means such as ELF file infection, these attempts are likely to fail against the mirror image incubator, and the running of application programs loaded by processes derived from the mirror image incubator is correspondingly safer.
It can be seen that the advantage obtained by the invention is systematic: it not only provides security protection from the bottom layer up to the application layer, but also provides management functions for flexibly transferring and controlling processes.
Additional aspects and advantages of the invention will be set forth in part in the description that follows, and will in part become obvious from that description or be learned by practice of the invention.
Brief description of the drawings
By reading the following detailed description of the preferred embodiments, various other advantages and benefits will become clear to those of ordinary skill in the art. The accompanying drawings are only for the purpose of showing the preferred embodiments and are not to be considered a limitation of the invention. Throughout the drawings, the same reference numerals denote the same parts. In the drawings:
Fig. 1 is a block diagram of the general idea of the invention and of a system it provides;
Fig. 2 is a schematic flowchart of the safety protecting method of the invention;
Fig. 3 is a schematic flowchart of the sub-steps of step S12 of the invention;
Fig. 4 is a schematic flowchart of the sub-steps of step S13 of the invention;
Fig. 5 is a schematic flowchart of the security sandbox construction method of the invention;
Fig. 6 is a schematic flowchart of the sub-steps of step S31 of the invention;
Fig. 7 is a schematic flowchart of the fine-grained sub-steps of step S312 of the invention.
Specific embodiment
Exemplary embodiments of the disclosure are described more fully below with reference to the accompanying drawings. Although exemplary embodiments of the disclosure are shown in the drawings, it should be understood that the disclosure may be realized in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure will be understood more thoroughly and its scope fully conveyed to those skilled in the art.
Embodiments of the invention are described in detail below; examples of the embodiments are shown in the drawings, in which the same or similar reference numerals throughout denote the same or similar elements or elements with the same or similar functions. The embodiments described below with reference to the drawings are exemplary, serve only to explain the invention, and are not to be construed as limiting it.
Those skilled in the art will understand that, unless expressly stated otherwise, the singular forms "a", "an", "said" and "the" used herein may also include the plural. It should be further understood that the word "including" used in the specification of the invention refers to the presence of the stated features, integers, steps, operations, elements and/or components, but does not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups thereof. When an element is said to be "connected" or "coupled" to another element, it may be directly connected or coupled to the other element, or intermediate elements may be present. In addition, "connected" or "coupled" as used here may include wireless connection or wireless coupling. The term "and/or" used herein includes all or any unit of, and all combinations of, one or more of the associated listed items.
Those skilled in the art will understand that, unless otherwise defined, all terms used herein (including technical and scientific terms) have the same meaning as generally understood by those of ordinary skill in the art to which the invention belongs. It should also be understood that terms such as those defined in general dictionaries should be understood to have meanings consistent with their meanings in the context of the prior art and, unless specifically defined here, will not be interpreted in an idealized or overly formal sense.
Those skilled in the art will understand that "terminal" and "terminal device" as used herein include both devices with only a wireless signal receiver and no transmitting capability, and devices with receiving and transmitting hardware capable of two-way communication over a bidirectional communication link. Such devices may include: cellular or other communication devices with a single-line or multi-line display, or cellular or other communication devices without a multi-line display; PCS (Personal Communications Service) devices, which may combine voice, data processing, fax and/or data communication capabilities; PDAs (Personal Digital Assistants), which may include a radio frequency receiver, pager, Internet/intranet access, web browser, notepad, calendar and/or GPS (Global Positioning System) receiver; and conventional laptop and/or palmtop computers or other devices having and/or including a radio frequency receiver. "Terminal" and "terminal device" as used herein may be portable, transportable, installed in a vehicle (aviation, maritime and/or land), or adapted and/or configured to operate locally and/or in distributed form at any other location on the earth and/or in space. "Terminal" and "terminal device" as used herein may also be communication terminals, access terminals, or music/video playback terminals, for example PDAs, MIDs (Mobile Internet Devices) and/or mobile phones, or devices such as smart TVs and set-top boxes with music/video playback functions.
Those skilled in the art will understand that the concepts of server, cloud and remote network device used herein have equivalent effect, and include but are not limited to a computer, a network host, a single network server, a set of multiple network servers, or a cloud composed of multiple servers. Here, a cloud is composed of a large number of computers or network servers based on cloud computing, where cloud computing is a kind of distributed computing: a super virtual computer composed of a group of loosely coupled computers. In the embodiments of the invention, communication between the remote network device, the terminal device and the WNS server may be realized by any communication means, including but not limited to mobile communication based on 3GPP, LTE and WIMAX, computer network communication based on the TCP/IP and UDP protocols, and short-range wireless transmission based on the Bluetooth and infrared transmission standards.
Those skilled in the art will understand that "application", "application program", "application software" and similar expressions referred to in the invention are the same concept well known to those skilled in the art, namely computer software organically constructed from a series of computer instructions and related data resources and suitable for electronic operation. Unless otherwise specified, this designation is not itself limited by the kind or level of programming language, nor by the operating system or platform on which it runs. Naturally, such a concept is also not limited by any type of terminal.
The application scenario in which the method and apparatus of the invention described below are implemented is a running environment based on the Android operating system installed on a mobile terminal.
Those skilled in the art should anticipate that, because the disclosed technology involves calls to Android system-level resources, the application program embodying an example of the invention needs to obtain Root privileges before the invention is implemented. Obtaining Root privileges is, however, existing and well-known prior art, and mobile terminal users already have the practical ability and awareness to obtain Root privileges themselves. In addition, some progressive mobile terminals have system Root privileges opened for the user when they leave the factory, or deliberately provide convenient means of obtaining Root privileges. Therefore, this should not be regarded as an essential component affecting the implementation of the invention.
As is well known, Root privileges refer to the system administrator privileges of Unix-type operating systems (including Linux and Android), similar to Administrator privileges in the Windows system; Root privileges can access and modify almost all files in the user's mobile device (Android system files and user files, but not the ROM). However, because current mobile terminal systems still manage Root privileges strictly, most applications or programs do not have Root privileges under normal circumstances, so operations that require Root privileges cannot be performed, for example installing or uninstalling applications, or implementing the method and apparatus of the invention. Accordingly, the invention recommends obtaining Root privileges in the following way: by calling the system's built-in SU (Super User) command, or by obtaining a shell with Root privileges and starting a process in that shell; after the system's Root authorization is obtained, subsequent calling processes need not apply for Root privileges again when performing the associated operations. The specific process of obtaining Root privileges may refer to the Root privilege calling functions of the prior art; since obtaining Root privileges is purely within the prior art, the invention will not repeat it here. After Root privileges are obtained, bottom-layer operations on the system, including the ELF infection modification of Zygote in the invention, allowing the control module to run as an underlying service, and even establishing communication based on the Binder mechanism, can be realized on this basis.
The invention relies on mechanisms inherent in the Android operating system; therefore the following must first be introduced:
First, the Zygote start-up process:
On startup, the Android system first starts the Linux base system, then boots the Linux kernel and starts the initialization process (Init). The Linux daemons are then started, and the Zygote process is started at the same time as the Linux daemons.
Zygote is figuratively called the incubator in the field. After the Zygote process starts, it first initializes a Dalvik VM (virtual machine) instance, then loads resources and system libraries for it, and opens a Socket listening service. When it receives a request to create a Dalvik VM instance, it reuses itself as far as possible through COW (copy on write) technology and generates a new Dalvik VM instance. Dalvik VM instances are created on the basis of the fork principle of the Linux system. While the system is running, when the Zygote process receives a request to create a virtual machine on its Socket listening port, it calls the fork function and hatches a Dalvik VM instance from itself, which can be understood as hatching a process space for running the target application program.
After the Zygote process has started, the Init process starts the Runtime process. The Runtime process first initializes the Service Manager and registers it as the default context manager for Binder services, responsible for the registration and lookup of Binder services. The Runtime process then sends a request to the Zygote process to start the system service component (System Server); after receiving the request, the Zygote process "hatches" a new Dalvik VM instance and starts the system service process.
SystemServer first starts two native services (written in C or C++), Surface Flinger and Audio Flinger, and registers these two native system services with the Service Manager as IPC service objects so that they can be found when needed. SystemServer then starts a number of Android system management services, including hardware services and system framework platform services, among them the activity management service ActivityManagerService (AMS), and registers them as IPC service objects.
Once SystemServer has loaded all system services the system is ready, and it sends a system ready (systemReady) broadcast to all services. When an Android application program needs to be started, ActivityManagerService sends a request through the Socket inter-process communication mechanism notifying the Zygote process to create a new process for the application.
Second, the AMS response to the application program start-up process:
In the Android application framework layer, the ActivityManagerService component is responsible for creating new processes for Android application programs; it itself also runs in an independent process, which is created during system startup. The ActivityManagerService component generally creates a new process for an application program in the following case: when the system decides to start an Activity or Service in a new process, AMS tries to create a new process and then starts the Activity or Service in that new process.
When ActivityManagerService starts an application program, it communicates with the Zygote process through a Socket and asks it to fork out a child process to serve as the process of the application program about to be started. As seen in the introduction above, two key services in the system, PackageManagerService and ActivityManagerService, are started by the SystemServer process, and the SystemServer process is itself forked out by the Zygote process during startup.
It can be seen that communication between Zygote and AMS is realized on the basis of a socket. The socket file is created by init before Zygote is started and is stored under the system directory /dev/socket, and the socket file so created generally has the same file name as the Zygote process; therefore, by checking the socket files in that system directory, one can verify whether the system has created a new incubator. This file stores the setting data of the socket. AMS establishes its direct communication mechanism with Zygote precisely by reading such a socket file. The socket-based communication mechanism that the invention subsequently discloses is realized in the same way.
Third, a reference technique for injecting function modules into the system service process SystemServer:
As stated above, after Zygote starts, the first thing it does is to fork SystemServer from itself and make it the system service process, and service processes such as AMS and PMS are loaded by that system service process. Therefore, injection techniques are widely used in the prior art to inject function modules that implement a specific function into SystemServer so that they are executed there and achieve their purpose.
For example, one prior-art process for injecting code into the system service process is:
Step 1: look up the process IDs (PIDs) of three processes in the Android system: com.android.phone, system_server and /system/bin/mediaserver;
Step 2: modify the running state of each of the three processes according to its PID, execute the instruction for loading the monitor module, open up memory space and write the instruction for loading the monitor module into it;
Step 3: modify the buffer state of each of the three processes, and cause the CPU to jump to and execute the instruction;
Step 4: according to the instruction, load the monitor module into the memory space of the injector module, and the monitor module starts its initialization operation;
Step 5: after initialization ends, the monitor module looks up the start address of the current process's libbinder.so, and locates the entry corresponding to the ioctl function in the Global Objects Table (GOT) of libbinder.so, i.e. the address of the corresponding GOT entry;
Step 6: modify the content of the GOT entry corresponding to ioctl, replacing it with the address of the hook function hooked_ioctl;
Step 7: when software performs a sensitive behavior, it communicates and exchanges data through ioctl with one or more of the three processes com.android.phone, system_server and /system/bin/mediaserver; the hook function hooked_ioctl reads and analyzes the software's sensitive behavior type;
Step 8: the monitor module writes the initiator and time of the sensitive behavior into a log file, obtaining a monitoring record of the software's sensitive behaviors;
Step 9: when the monitor module detects a sensitive behavior, it sends a message to the user and suspends the sensitive behavior's operation;
Step 10: the user decides whether to allow execution of the sensitive behavior, and returns an approval or refusal command to the monitor module;
Step 11: the monitor module obtains the result of the user's selection; if the user approves, the sensitive behavior continues to execute; if the user refuses, execution of the sensitive behavior is terminated.
Schemes that realize injection similar to the above are too numerous to enumerate in the prior art; the above method of injecting a monitor module into the system service process may be referred to as a known scheme for injecting the control module subsequently disclosed by the invention into the system service process SystemServer. To make the subsequent disclosure clearer, it is necessary to know that the shut-off module which the invention will disclose, for realizing the associated function of closing the Socket connection between AMS and Zygote, may be implemented in the shared library file libbinder.so disclosed in the preceding example; in this case, by reverse engineering that dynamic library file, the implementation details of the invention's function can be understood and realized at least in part.
4. The ELF infection linking principle based on Linux executable files
An ELF (Executable and Linkable Format) file is the executable file format of Linux, used to store executable code. The ELF infection linking principle is a prior art: the executable code of a program is copied, code that realises some newly added intent is inserted into it, and the modified executable code is then executed, thereby achieving the purpose of modifying the program. The disclosure below uses this principle to modify the system's original incubator Zygote so as to construct a mirror incubator, and the method, device and sandbox example of the present invention are realised through that mirror incubator.
Having understood the above system principles and related knowledge, the embodiments of the present invention can readily be understood further.
It should be noted that the present invention is described with reference to both the static and the dynamic aspects of a computer program. The static aspect refers to storage objects such as program installation packages, files and databases stored on a medium; the dynamic aspect refers to objects that are loaded and executed in memory, including but not limited to processes, threads and the data they use. In view of these characteristics of computer software technology, the methods, steps, sub-steps, devices, units, modules and so on of the present invention should not be understood in isolation as only static or only dynamic aspects, as those skilled in the art will know. Accordingly, those skilled in the art should map the static statements of the present invention to dynamic process activity, or map the dynamic process activity described by the present invention to its static form of expression, establish the necessary association between the static and dynamic aspects, and understand the present invention on that basis.
In addition, the present invention is proposed in combination with sandbox principles, so those skilled in the art can understand the embodiments of the present invention with reference to known sandbox implementation principles. The role of a sandbox is to provide a relatively closed running environment for a target application, so that the application's access to system resources is, through the application of the sandbox security policy, confined to a prescribed range. Accordingly, one substantive aspect of the present invention disclosed below is the provision of a sandbox example.
Referring first to Fig. 1, a program process hatching control device of the present invention and the system principle it realises can be understood. The control device includes a control module 12, a mirror incubator 13, the system's inherent original incubator 10, and the activity management service 3 (ActivityManagerService, hereinafter AMS) in the system service process 2. The functions and working mechanisms realised by the modules are disclosed in detail below:
The control module 12, as an independent process based on the lower layers of the system, can establish communication based on the Binder mechanism; it can be invoked by a program process in which the user triggers an interface program with a click command, or it can be run after logging into the system through an adb shell command. The control module is responsible for establishing the process running environment and sets up the various relevant connections for this purpose. Because it needs to access the lower layers of the Android system, the control module has relatively complex functions; the following aspects help realise the present invention. On the one hand, the control module 12 needs to construct, at run time, one or more mirror incubators 13 (StepZygote) using the original incubator 10 (Zygote). On the other hand, it is responsible for injecting into the system service process a shut-off module that cuts the Socket connection between the activity management service and the original incubator 10. Furthermore, the control module 12 is responsible for listening for and receiving the requests initiated by the AMS process registered in the system service process 2; such a request is made by AMS over the connection it established with the socket of the original incubator 10 for loading and running an application, and the control module 12 needs to forward the request to the mirror incubator 13 so that the AMS request is effectively answered. A request initiated by AMS generally includes parameters such as the program UID and package name, and under normal circumstances the incubator returns a process PID for the corresponding request, from which AMS obtains the program entry address and is able to load the application. Owing to the control action of the control module 12 of the present invention, this mechanism is instead realised by relaying through the control module 12.
Finally, the control module 12 also needs, for the application currently to be run, to determine the event behaviours that need to be monitored for that application, and to set up a monitoring unit accordingly, so that the monitoring unit monitors and alarms only on the event behaviours that need to be monitored for the application to be run.
As shown in Fig. 1, the control module 12 further comprises a connector 122, a constructor 121 and an authentication unit 123.
The connector 122 is responsible for performing the following functions:
1. Establishing the connection between the control module 12 and the original incubator 10 using the socket of the original incubator 10. This function is performed once the control module 12 is running. After the control module 12 has started, it reads the zygote socket file of the original incubator 10 located under the /dev/socket/ directory; that socket file holds the corresponding socket data, which is used to establish the connection from the control module 12 to the original incubator 10, so that the constructor 121 can subsequently construct the mirror incubator 13 and other control over the original incubator 10 can be realised.
2. Injecting a shut-off module 120 into the system service process 2 and causing it to execute, in order to close the Socket between AMS and Zygote. Specifically, the connector first attaches to and injects into the SystemServer process, obtains the sZygoteSocket member of the android.os.Process class, and calls that member's close method, for example socket.close(), thereby shutting off the Socket connection between AMS and Zygote; as a result, the connection that the activity management service 3 maintained over the socket of the original incubator 10 is closed. In other words, AMS was described above as communicating directly with Zygote through the socket, but this communication mechanism is shut off here, so that AMS can no longer communicate directly with the original incubator 10. It should be noted that although in this embodiment the function of injecting the shut-off module 120 into the system service process to close the connection between the activity management service and the original incubator is performed by the connector, those skilled in the art will understand that it can also be performed by a module above the connector 122.
3. Establishing the connection between the control module 12 and the mirror incubator 13 through the socket owned by the mirror incubator 13, in order to relay the request to the mirror incubator 13 (StepZygote). After the constructor 121 of the present invention has constructed the new incubator, a socket file corresponding to the mirror incubator 13 is produced in a local directory according to Zygote's inherent functions. For ease of identification this socket file may have the same name as the process name of the mirror incubator 13 (StepZygote), though it need not. Likewise, although this socket file could be stored in other local directories, it is recommended to store it under the /dev/socket directory for ease of identification. The connector 122 therefore reads this socket file and uses the socket to establish socket-based communication with the mirror incubator 13.
By performing the above functions, the connector 122 enables the control module 12 to use the socket of the original incubator 10 to listen for requests initiated by the activity management service 3 (AMS) process for running an application, and to control the connection ports of the original incubator 10 and the mirror incubator 13. Once AMS attempts to establish a connection with the default original incubator 10 (Zygote), the control module 12 receives the request and passes it on demand to the original incubator 10 or to the mirror incubator 13, returning to AMS the required process PID from the corresponding incubator.
With reference to the earlier introduction of the ELF infection linking technique, it can be understood that among the functions performed by the constructor 121, the executable code of the original incubator 10 is first copied, a call instruction realising an external call is then inserted into the executable code, program self-check code for the mirror incubator 13 is added if necessary, and finally the modified executable code is run to construct the mirror incubator 13; in this way the function of constructing the mirror incubator 13 from the original incubator 10 is realised.
The call instruction referred to here can be realised flexibly by those skilled in the art, for example as a call to an external function, namely a call to the monitoring unit 130 disclosed in detail later in the present invention, in order to realise a sandbox example; specifically, it realises the monitoring of event behaviours occurring in the process space constructed by the current mirror incubator 13. It will be understood that after the mirror incubator 13 calls the fork function to copy itself, these external calls and the self-check code are copied too; that is to say, not only the process of the mirror incubator 13 itself but also every process it hatches loads the monitoring unit 130, so that each new process hatched by the mirror incubator 13 provides a sandbox environment for the corresponding target application, which realises the sandbox example of the present invention.
The control module 12 can, on demand, call the constructor 121 to realise multiple mirror incubators 13 according to the same logic, with the multiple mirror incubators 13 each used to respond to the requests of a different application category, thereby creating multiple safe incubators for the Android system. An attack by an external program on the original incubator 10 will in theory have no effect on the mirror incubators 13 built by the control module 12.
The authentication unit 123 is an optional component provided to facilitate system operation and realise interaction. After the control module 12 receives the AMS request, the authentication unit 123 extracts application feature information from the request, such as the UID and package name described earlier, and based on that feature information checks, against known setting data held locally or remotely (for example stored in a local or remote database), whether the application corresponding to the feature information should be restricted or prohibited. When it is an application that should be restricted or prohibited, the control module 12 is responsible for relaying the request to a mirror incubator 13 other than the original incubator 10, or for not relaying the request to any incubator. The known setting data can store the mapping between each UID and a mirror incubator 13, together with information on whether the UID is restricted or prohibited. Evidently, providing the authentication unit 123 gives a safer control effect: by configuring the known setting data, and especially when that data can be updated remotely in a timely manner, the running of malicious applications on the mobile terminal can be controlled in time by means of this data.
In view of the authentication unit 123, the control module 12 of the present invention, once its socket connections with the other components are established, in effect plays the role of a router. Therefore the control module 12 needs pre-set data similar to a routing table; this pre-set data may either coincide with the known setting data of the aforementioned authentication unit 123 or be independent of it, and in the former case the authentication unit 123 becomes the basis on which the control module 12 realises its routing function, which is particularly suitable where there are multiple mirror incubators 13. In some simpler examples, for instance, the only input is the user instruction collected through the user interface provided by a desktop module, by which the user chooses to run the selected target application in a sandbox, meaning that the application is to be run in the process space hatched by the mirror incubator 13; in that case the pre-set data can be understood as the parameter set for the target application to be run, and by obtaining that parameter the control module 12 can determine that the request corresponding to the target application to be run is to be handed to the mirror incubator 13 rather than the original incubator 10, so that the mirror incubator 13 constructs the process space for the target application and loads and runs it. Similarly, if the user selects non-sandboxed running through the user interface provided by the desktop module, the control module 12 should be understood to hand the request to the original incubator 10, so that the target application is run by the original incubator 10.
It can be seen from the above analysis that how one or more mirror incubators 13 and the original incubator 10 are used may depend both on the security policy provided by the program and on the user's selection as required; it can be realised either with database technology or in the form of parameters; and it can realise either a scheduling instance between a single mirror incubator 13 and the original incubator 10 or a scheduling instance in which multiple mirror incubators 13 coexist with the original incubator 10. In any case, effective process hatching control and scheduling is achieved by the control module 12 of the present invention.
As stated earlier, because the present invention uses the ELF infection linking principle to duplicate Zygote and construct the mirror incubator 13, Zygote's inherent and known operating mechanisms are not changed; therefore the mirror incubator 13 produced under the control of the control module 12 still follows the implementation mechanism of the original incubator 10, hatching a new process in response to the request relayed by the control module 12 and answering the request with the process PID. AMS obtains the process PID and loads the target application to be run into the corresponding process space, so that the target application runs. It can be seen that if a mirror incubator 13 crashes, or a process hatched by a mirror incubator 13 dies, no effect is produced on the original incubator 10 and its associated processes, and vice versa.
It can therefore be seen that the secure process hatching control device of the present invention realises a safer process hatching mechanism.
To illustrate the detailed implementation of the program process hatching control device of the present invention, refer to Fig. 2: in combination with the operating mechanism above, the present invention provides a program process hatching control method. The method includes the following steps:
S11, injecting the shut-off module 120 into the system service process 2.
After the program implementing this method is running, on the premise that Root privileges have been obtained, it injects the shut-off module 120 of the present invention into the system service process SystemServer 2 using a known injection method; this part includes both the aforementioned shared library file libbinder.so and the modification of the address table and all other operations that facilitate successful injection, in order thereby to close the Socket connection between AMS and Zygote.
S12, constructing the mirror incubator 13 from the original incubator 10 through the control module 12.
It should be noted that this step and some of the sub-steps of step S13 can be performed in an order adjusted to the actual situation.
This step is essentially the sequential execution of the functions realised by the constructor 121 of the aforementioned device, for obtaining a mirror incubator 13 on demand; that demand is realised by the control module 12 according to the aforementioned known setting data and/or pre-set data, or a mirror incubator is constructed automatically and applied according to default rules. With reference to the functions of the constructor 121 and to Fig. 3, this step can be subdivided into the following sub-steps:
S121, copying the executable code of the original incubator Zygote 10;
S122, inserting into the executable code a call instruction for realising an external call; according to the needs of different embodiments, the call instruction calls the monitoring unit 130 that realises the sandbox example of the present invention, and the monitoring unit 130 is used to monitor the event behaviours of the process space hatched by the constructed mirror incubator 13;
S123, inserting into the executable code code that can be used to realise the program self-check of the mirror incubator StepZygote 13, so that the mirror incubator 13 is difficult to attack;
S124, running the modified executable code so that the mirror incubator 13 is successfully constructed and stands by to hatch new processes for the requests of the activity management service ActivityManagerService 3.
Those skilled in the art will appreciate that in the present invention the mirror incubator 13 can be constructed from the original incubator 10 by this step S12, but the number of mirror incubators 13 is not limited to one: in theory the number of mirror incubators 13 that can be copied is limited only by memory space, and multiple mirror incubators 13 of the same nature can be copied, as long as the control module 12 realises effective scheduling of the multiple mirror incubators 13 as disclosed herein.
It is emphasised that the above steps S122 and S123 can be performed in either order.
S13, receiving through the control module 12 the request initiated by the activity management service 3 (process) registered in the system service process 2 for running an application, and passing it to the mirror incubator 13.
It can be seen from the description of the device above that after the present invention has realised the injection into the system service process SystemServer 2, the control module 12 can erect a new system architecture; referring to Fig. 4, the building process is as follows:
S131, establishing the connection between the control module 12 and the original incubator 10 using the socket of the original incubator 10. As mentioned above, the socket file /dev/socket/zygote of the original incubator Zygote 10 is the basis for establishing the socket connection. In this step the control module 12 reads that socket file and establishes the connection with the original incubator 10. It may therefore be preferable to perform the aforementioned step S12 after this sub-step, which better matches the program's implementation logic.
S132, executing the shut-off module 120 to close the connection that the activity management service 3 (process) maintains over the socket of the original incubator 10.
As can be seen from the above, the AMS process maintains its socket connection with the original incubator Zygote 10. In this step, the shut-off module 120 injected into the systemserver process obtains the sZygoteSocket member of the android.os.Process class and calls the member's close method, such as socket.close(), to close the socket connection between AMS and Zygote, so that the original incubator 10 can no longer respond directly to the hatching requests of AMS, thereby obtaining greater control. It can be seen that the aforementioned step S11 should be implemented before step S132: S11 can be placed between S131 and S132, or step S132 can be placed immediately after step S11. Those skilled in the art can derive multiple embodiments of the present invention accordingly.
S133, listening, through the socket of the original incubator 10, for the request initiated by the activity management service 3 for running an application process.
In the preceding steps, the construction of the mirror incubator 13 has been realised under the control of the control module 12; therefore, following the logic by which init creates Zygote, the mirror incubator StepZygote 13 creates the socket file /dev/socket/stepzygote, although that socket file may be stored elsewhere locally and need not share the process name of the mirror incubator. In this step the control module 12 establishes a connection with the socket of the mirror incubator 13 through that socket and at the same time begins listening on the socket of the original incubator 10 in order to receive the hatching requests initiated by AMS, so that the control module 12 can subsequently relay the request to the original incubator 10 or to the mirror incubator 13.
With the above sub-steps the control module 12 completes the building of the new system architecture in this step. To realise more intelligent management, the control module 12 also realises a routing-like function. Specifically, when the control module 12 receives the request initiated by AMS, it has to judge which kind of incubator to send it to, and the logical basis of this judgement can take many embodiments. The pre-set data and known setting data, together with the related auxiliary logic, given in the disclosure of the hatching control device of the present invention above are the basis on which this method is performed.
To realise this routing-like control function, the control module 12 processes the AMS request it listens for as follows:
After the control module 12 receives the AMS request, it extracts application feature information from the request, such as the UID and package name described earlier, and based on that feature information checks, against known setting data held locally or remotely (for example stored in a local or remote database), whether the application corresponding to the feature information should be restricted or prohibited. When it is an application that should be restricted or prohibited, the control module 12 is responsible for relaying the request to a mirror incubator 13 other than the original incubator 10, or for not relaying the request to any incubator. The known setting data can store the mapping between each UID and a mirror incubator 13, together with information on whether the UID is restricted or prohibited. Evidently, this processing by the control module 12 can provide a safer and more effective control and management effect: by configuring the known setting data, and especially when that data can be updated remotely in a timely manner, the running of malicious applications on the mobile terminal can be controlled in time by means of this kind of data.
The control module 12 of the present invention, once its socket connections with the other components are established, in effect plays the role of a router. Therefore the control module 12 needs pre-set data similar to a routing table; this pre-set data may coincide with the aforementioned known setting data, or even be merged with it, or may be independent of it, and in that case the related data becomes the basis on which the control module 12 realises its routing function, which is particularly suitable where there are multiple mirror incubators 13. In some simpler examples, for instance, the only input is the user instruction collected through the user interface provided by a desktop module, by which the user chooses to run the target application to be run in a sandbox, meaning that the application is to be run in the process space hatched by the mirror incubator 13; in that case the pre-set data can be the parameter, characterised by that user instruction, that is set for the target application to be run, and by obtaining that parameter the control module 12 can determine that the request corresponding to the target application to be run is to be handed to the mirror incubator 13 rather than the original incubator 10, so that the mirror incubator 13 constructs the process space for the target application and loads and runs it. Similarly, if the user selects non-sandboxed running through the user interface provided by the desktop module, the control module 12 should be understood to hand the request to the original incubator 10, so that the target application is run by the original incubator 10.
It can be seen from the above analysis that how one or more mirror incubators 13 and the original incubator 10 are used may depend both on the security policy provided by the program and on the user's selection as required; it can be realised either with database technology or in the form of parameters; and it can realise either a scheduling instance between a single mirror incubator 13 and the original incubator 10 or a scheduling instance in which multiple mirror incubators 13 coexist with the original incubator 10. In any case, effective process hatching control and scheduling is achieved by the control module 12 of the present invention.
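The routing decision just described, which the device disclosure above also attributes to the authentication unit 123 and the pre-set data, is sketched below in Python as an added example; it is not code from the patent. The policy layout, the UIDs and package names, the stand-in incubators that hand out PIDs, and the request lines (which follow the form of the --setuid and --nice-name arguments AMS passes to an incubator socket, with constructed values) are all assumptions made for this illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple

class Verdict(Enum):
    ORIGINAL = "original"   # forward to the system's own incubator (Zygote)
    MIRROR = "mirror"       # forward to a mirror incubator (StepZygote)
    REFUSE = "refuse"       # forward to no incubator: the app is not hatched

@dataclass
class PolicyEntry:
    """One row of the 'known setting data': how one application may be hatched."""
    restricted: bool = False        # may only run inside a sandboxed process
    forbidden: bool = False         # must not be hatched at all
    mirror: Optional[str] = None    # mirror incubator to use when restricted

@dataclass
class KnownSettingData:
    """The control module's routing table (layout constructed for this example)."""
    by_uid: Dict[int, PolicyEntry] = field(default_factory=dict)
    by_package: Dict[str, PolicyEntry] = field(default_factory=dict)
    default_mirror: str = "stepzygote"

@dataclass
class HatchRequest:
    uid: int
    package: str
    sandbox_requested: bool = False  # the user's choice from the desktop module

def parse_request(lines: List[str]) -> HatchRequest:
    """Extract UID and package name from a constructed argument list of the
    kind AMS writes to the incubator socket (one '--key=value' per line)."""
    uid, package = -1, ""
    for line in lines:
        if line.startswith("--setuid="):
            uid = int(line[len("--setuid="):])
        elif line.startswith("--nice-name="):
            package = line[len("--nice-name="):]
    if uid < 0 or not package:
        raise ValueError("request lacks --setuid or --nice-name")
    return HatchRequest(uid=uid, package=package)

def route(req: HatchRequest, policy: KnownSettingData) -> Tuple[Verdict, Optional[str]]:
    """Decide which incubator, if any, receives the request: forbidden beats
    restricted, a UID row beats a package row, and a user's explicit sandbox
    choice sends an otherwise unrestricted app to the default mirror."""
    entry = policy.by_uid.get(req.uid) or policy.by_package.get(req.package)
    if entry is not None and entry.forbidden:
        return Verdict.REFUSE, None
    if (entry is not None and entry.restricted) or req.sandbox_requested:
        name = entry.mirror if entry is not None and entry.mirror else policy.default_mirror
        return Verdict.MIRROR, name
    return Verdict.ORIGINAL, None

Incubator = Callable[[HatchRequest], int]   # hatches a process and returns its PID

def handle(lines: List[str], policy: KnownSettingData, original: Incubator,
           mirrors: Dict[str, Incubator], sandbox_requested: bool = False) -> int:
    """Relay one AMS request and return the PID to answer with; -1 means refused,
    which also covers a policy row naming a mirror that was never constructed."""
    req = parse_request(lines)
    req.sandbox_requested = sandbox_requested
    verdict, name = route(req, policy)
    if verdict is Verdict.ORIGINAL:
        return original(req)
    if verdict is Verdict.MIRROR and name in mirrors:
        return mirrors[name](req)
    return -1

def make_fake_incubator(first_pid: int) -> Incubator:
    """Stand-in for a real incubator: hands out consecutive PIDs (constructed)."""
    next_pid = first_pid
    def fork_child(req: HatchRequest) -> int:
        nonlocal next_pid
        pid, next_pid = next_pid, next_pid + 1
        return pid
    return fork_child

def build_demo() -> Tuple[KnownSettingData, Incubator, Dict[str, Incubator]]:
    """Constructed policy: one forbidden UID and two packages confined to
    different mirrors; everything else goes to the original incubator."""
    policy = KnownSettingData(
        by_uid={10099: PolicyEntry(forbidden=True)},
        by_package={"com.example.untrusted": PolicyEntry(restricted=True),
                    "com.example.quarantine": PolicyEntry(restricted=True, mirror="stepzygote2")})
    mirrors = {"stepzygote": make_fake_incubator(2000), "stepzygote2": make_fake_incubator(3000)}
    return policy, make_fake_incubator(1000), mirrors

def demo() -> List[int]:
    """Run five constructed requests through the router; returns [1000, 2000, 3000, -1, 2001]."""
    policy, zygote, mirrors = build_demo()
    requests = [
        (["--runtime-args", "--setuid=10001", "--nice-name=com.example.trusted"], False),
        (["--setuid=10002", "--nice-name=com.example.untrusted"], False),
        (["--setuid=10003", "--nice-name=com.example.quarantine"], False),
        (["--setuid=10099", "--nice-name=com.example.malware"], False),
        (["--setuid=10004", "--nice-name=com.example.trusted"], True),   # user chose sandbox
    ]
    return [handle(lines, policy, zygote, mirrors, sb) for lines, sb in requests]
```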
S14, hatching a new process in response to the request through the mirror incubator 13.
As stated earlier, under the control of the control module 12, when the control module 12 relays the AMS request, the relay target is determined: if it is not handed to the system's original incubator 10, it goes to a mirror incubator 13 constructed by the present invention. It should be noted that relaying here includes not only passing on an instruction consistent in form and structure with the original request initiated by AMS, but also passing on an instruction that the control module 12 has processed and converted according to rules established by a protocol agreed with the mirror incubator 13 (for example through the relevant code inserted into the executable code when constructing the mirror incubator 13), and which the mirror incubator 13 reads according to that protocol.
After the mirror incubator 13 receives the request from AMS relayed by the control module 12, it copies a new process using its fork() function according to the mechanism inherited from the original incubator Zygote 10 and returns the process PID to AMS.
Step S15, determining, according to attribute information of the application to be run, the event behaviours that need to be monitored for that application, and configuring the monitoring unit so that, when run, it monitors the determined event behaviours.
Specifically, the event behaviours that need to be monitored for an application to be run can be determined in several ways. For example, the event behaviours the application is allowed to perform can first be determined according to the type of the application to be run, generating a white list of event behaviours; the white list is then imported into the monitoring unit, and the monitoring unit monitors the event behaviours outside the white list. For instance, for an O2O take-out application, the event behaviours it is normally allowed to perform include obtaining location information and identifying the phone number, whereas it is not normally allowed to read the address book or the call log; so in practice the white list of event behaviours the O2O take-out application is allowed to perform can be set to obtaining location information and identifying the phone number, without allowing it to read the address book, read the call log, and so on.
Further, before the white list is imported into the monitoring unit 130, the white list can first be presented to the user through an interactive interface and updated according to the user's operation, with the updated white list then imported into the monitoring unit 130. Specifically, the interactive interface here can be an editable interface in which the user can delete or add corresponding event behaviours (generally the user may only be allowed to delete event behaviours); if the user performs such an edit, the white list is updated, and if not, the white list is imported directly into the corresponding monitoring unit 130. In this way, the user's wishes can be taken into account in deciding which event behaviours need not be monitored, which helps improve the user experience.
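As an added illustration of step S15 that is not code from the patent, the following Python derives a white list from an application type, applies the user's edits (deletions only, as the text allows), and then has the monitoring unit alarm on every event outside the list and suspend it pending the user's agree or refuse decision, as in steps 9 to 11 of the monitor scheme quoted earlier. The application categories, behaviour names, package name and event stream are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed table: the event behaviours an application category normally
# needs, playing the role of the per-type white list derived in step S15.
TYPE_WHITELIST: Dict[str, Set[str]] = {
    "o2o_takeout": {"get_location", "get_phone_number"},
    "messaging": {"read_contacts", "send_sms", "get_phone_number"},
}

def initial_whitelist(app_type: str) -> Set[str]:
    """Unknown categories get an empty list, so every behaviour is monitored."""
    return set(TYPE_WHITELIST.get(app_type, ()))

def apply_user_edits(whitelist: Set[str], removals: List[str], additions: List[str]) -> Set[str]:
    """The interactive interface lets the user narrow the list; additions are
    discarded because the user is generally only allowed to delete behaviours."""
    return {b for b in whitelist if b not in removals}

@dataclass
class Alarm:
    """One log entry: who did what, when, and whether the user let it proceed."""
    package: str
    behaviour: str
    timestamp: float
    allowed: bool

Decider = Callable[[str, str], bool]   # (package, behaviour) -> user agrees?

@dataclass
class MonitoringUnit:
    """Watches one hatched process and alarms on behaviours outside its list."""
    package: str
    whitelist: Set[str]
    decide: Optional[Decider] = None    # None: no user present, refuse by default
    log: List[Alarm] = field(default_factory=list)

    def on_event(self, behaviour: str, timestamp: float) -> bool:
        """Return True if the behaviour may proceed. Listed behaviours pass
        silently; others are logged, suspended, and continue only if the user
        agrees."""
        if behaviour in self.whitelist:
            return True
        allowed = bool(self.decide(self.package, behaviour)) if self.decide else False
        self.log.append(Alarm(self.package, behaviour, timestamp, allowed))
        return allowed

def run_sample(decide: Optional[Decider] = None) -> Tuple[MonitoringUnit, List[bool]]:
    """Constructed event stream from a take-out app whose user removed
    get_phone_number from the list and tried (in vain) to add read_contacts."""
    wl = apply_user_edits(initial_whitelist("o2o_takeout"),
                          removals=["get_phone_number"], additions=["read_contacts"])
    unit = MonitoringUnit("com.example.takeout", wl, decide)
    events = [(1.0, "get_location"), (2.5, "get_phone_number"),
              (3.0, "read_contacts"), (4.0, "read_call_log")]
    return unit, [unit.on_event(b, ts) for ts, b in events]
```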
Afterwards, the new process produced in step S14 is responsible for loading the monitoring unit 130 through the interface pre-placed when constructing the mirror incubator 13, and also for configuring the virtual machine instance in which the target application for which the request was initiated will run.
Once AMS has obtained the process entry, it loads the target application into the process space of the new process, so that the target application runs successfully. When the target application terminates, the system reclaims the virtual machine space according to its own mechanism.
As described above, the program process hatching control method provided by the present invention can provide safer protection for applications.
It can be seen that the disclosure above of the program process hatching control method and device of the present invention focuses on realisation at the system level. The present invention will further highlight, through other examples, embodiments of the present invention at the application layer. It should be understood that, being based on the same inventive concept, the thinking employed in the method and device disclosed above also applies to the method and device hereinafter.
Referring to Fig. 1, the present invention further provides a safety protection device, including a control module 12, a mirror incubator 13 and a monitoring unit 130.
The control module 12, with reference to Fig. 1, specifically includes a connector 122 and a constructor 121, and may further include an authentication unit 123. The connector 122 is used to maintain the socket-based connections of the control module 12, realising the connections between the control module 12 and the original incubator 10 and the mirror incubator 13 respectively; the constructor 121 is used to construct the mirror incubator 13 from the original incubator 10; the authentication unit 123 is used to determine, according to the known setting data, whether to respond to the request initiated by the activity management service 3 (process). In an example that realises only one mirror incubator 13 and by default hatches new processes for all applications through that mirror incubator 13, the authentication unit 123 can obviously be omitted.
The control module 12 injects a shutoff module 120 into the system service process SystemServer 2 by the method disclosed above; the injection of the shutoff module 120 can be invoked and carried out by the connector 122 of the control module 12. The control module 12 is an independent process based on the bottom layer of the system: it can establish communication based on the Binder mechanism, it can be invoked by the interface program triggered by a user's click command, and it can also be executed by logging into the system with adb shell commands. The control module is responsible for establishing the process running environment and sets up the various related connections for this purpose. As can be seen, because it must access the bottom layer of the Android system, the control module has relatively complex functions; the aspects that help realize the invention are listed below. On the one hand, during operation it must construct one or more mirror incubators 13 (StepZygote) using the original incubator 10 (Zygote). On the other hand, it must inject the shutoff module into the system service process and cut off the socket connection between the activity management service and the original incubator 10. On a further aspect, the control module 12 must monitor and receive the requests initiated by the AMS process registered with the system service process 2; such a request is issued by AMS over the connection it established on the socket of the original incubator 10 in order to load and run an application program, and the control module 12 must forward the request to the mirror incubator 13 so that the AMS request is effectively answered. A request initiated by AMS usually carries parameters such as the program UID and package name; under normal circumstances the incubator returns the process PID for the request, from which AMS derives the program entry address and is able to load the application program. Because of the control exerted by the control module 12 of the invention, this mechanism is instead realized by forwarding through the control module 12. Finally, the control module 12 also performs the method described earlier: according to the attribute information of the application to be run, it determines the event behaviours that need to be monitored for that application, and it configures the monitoring unit so that, when the monitoring unit runs, it monitors the determined event behaviours.
Specifically, the event behaviours that need to be monitored for an application to be run can be determined in several ways. For example, the event behaviours the application is permitted to perform can first be determined according to the type of the application, and a whitelist of those event behaviours generated; the whitelist is then imported into the monitoring unit, and the monitoring unit monitors the behaviour events outside the whitelist. Specifically, for a certain O2O take-out software, the event behaviours it is normally allowed to perform include calling location information and identifying the mobile phone number, while it would normally not be allowed to perform event behaviours such as reading the address book or reading the call records. Therefore, in practice, the whitelist of event behaviours that the O2O take-out software is permitted to perform can be set to calling location information and identifying the phone number, without allowing it to perform event behaviours such as reading the address book or reading the call records.
Further, before the whitelist is imported into the monitoring unit 130, it can first be presented to the user through an interactive interface and updated according to the user's operation, after which the updated whitelist is imported into the monitoring unit 130. Specifically, the interactive interface here can be an editable interface in which the user can delete or add corresponding event behaviours (generally the user is only allowed to delete event behaviours). If the user performs such an edit operation, the whitelist is updated; if not, the whitelist is imported directly into the corresponding monitoring unit 130. In this way, which event behaviours are left unmonitored can be decided in combination with the user's wishes, which helps improve the user experience.
The connector 122 is responsible for performing the following functions:
1. Establish the connection between the control module 12 and the original incubator 10 using the socket of the original incubator 10. This function is performed once the control module 12 is running. After the control module 12 starts, it reads the zygote socket file of the original incubator 10 located under the /dev/socket/ directory; the socket data stored in that socket file is used to establish the connection between the control module 12 and the original incubator 10, so that the mirror incubator 13 can subsequently be constructed through the constructor 121 and other control over the original incubator 10 can be realized.
2. Inject a shutoff module 120 into the system service process 2 and cause it to execute, in order to close the socket between AMS and Zygote. Specifically, first connect to and inject into the SystemServer process, obtain the sZygoteSocket member of the android.os.Process class, and call that member's close method, for example socket.close(), to shut down the socket connection between AMS and Zygote; thereby the connection that the activity management service 3 maintains on the socket of the original incubator 10 is closed. That is, AMS was described above as communicating directly with Zygote through the socket, but this communication mechanism is shut off here, preventing AMS from communicating directly with the original incubator 10.
3. Establish the connection between the control module 12 and the mirror incubator 13 using the socket owned by the mirror incubator 13, in order to transmit the request to the mirror incubator 13 (StepZygote). After the constructor 121 of the invention constructs the new incubator, a socket file corresponding to the mirror incubator 13 is produced under the local directory according to the intrinsic functions of Zygote. For ease of identification this socket file can have the same name as the process name of the mirror incubator 13 (StepZygote), although it need not. Similarly, although this socket file can be stored in other local directories, it is recommended to store it under the /dev/socket directory for ease of identification. The connector 122 then reads this socket file and uses this socket to establish socket-based communication with the mirror incubator 13.
By performing the above functions, the connector 122 enables the control module 12 to use the socket of the original incubator 10 to monitor the requests initiated by the activity management service 3 (AMS) process for running an application program, and to control the connection ports of the original incubator 10 and the mirror incubator 13. Once AMS attempts to establish a connection with the default original incubator 10 (Zygote), the control module 12 receives the request and forwards it as required to the original incubator 10 or the mirror incubator 13, and the corresponding incubator returns the required process PID to AMS.
As for the constructor 121, with reference to the earlier introduction of ELF infection technology, it can be understood that the functions performed by the constructor 121 are: first copy the executable code of the original incubator 10; then insert into the executable code the call instruction that realizes the external call; add, if necessary, program self-check code for the mirror incubator 13; and finally run the modified executable code to construct the mirror incubator 13. This realizes the function of constructing the mirror incubator 13 using the original incubator 10.
The call instruction referred to here can be realized flexibly by those skilled in the art, for example as a call to an external function, namely a call to the monitoring unit 130 of the present device, so as to be assisted in realizing a sandbox instance; specifically, it realizes the monitoring of the event behaviours occurring in the process space constructed by the current mirror incubator 13. It should be understood that after the mirror incubator 13 calls the fork function to replicate itself, these external calls and the self-check code are replicated as well; that is, not only the process of the mirror incubator 13 itself but also the processes it hatches load the monitoring unit 130, so that each new process hatched by the mirror incubator 13 provides a sandbox running environment for the corresponding target application.
In theory, the control module 12 can call the constructor 121 as needed to realize multiple mirror incubators 13 according to the same logic, each responding to the requests of a different class of application programs, thus creating multiple safe incubators for the Android system. An attack by an external program on the original incubator 10 will in theory not affect the mirror incubators 13 built by the control module 12.
The authentication unit 123 is an optional component provided to facilitate system operation and interaction. After the control module 12 receives the request from AMS, the authentication unit 123 extracts application feature information from the request, such as the UID and package name described earlier, and checks against known setting data stored locally or remotely (for example in a local or remote database) whether the application program corresponding to those features should be restricted or prohibited. When it is an application that should be restricted or prohibited, the control module 12 is responsible for forwarding the request to one of the mirror incubators 13 other than the original incubator 10, or for not forwarding the request to any incubator at all. The known setting data can store the mapping between each UID and a mirror incubator 13, together with information on whether the UID is restricted or prohibited. Obviously, providing the authentication unit 123 gives a safer control effect: by configuring the known setting data, especially when that data can be updated remotely and promptly, the running of malicious applications on the mobile terminal can be controlled in time through this data.
In view of the authentication unit 123, once the control module 12 of the invention has established socket connections with the other components, it actually plays the role of a router. Therefore the control module 12 needs preset data similar to a routing table. This preset data can either coincide with the known setting data in the authentication unit 123 or be independent of it; in the former case the authentication unit 123 becomes the basis on which the control module 12 realizes its routing function, which is particularly suitable where there are multiple mirror incubators 13. In some simpler embodiments, only the user command collected through the user interface provided by the desktop module is consulted: the user chooses to run the selected target application in the sandbox, which means placing the application in a process space hatched by the mirror incubator 13. In this case the preset data can be understood as a parameter set for the target application to be run; by obtaining this parameter, the control module 12 determines that the request corresponding to that target application is to be forwarded to the mirror incubator 13 rather than the original incubator 10, so that the process space for the target application is constructed by the mirror incubator 13 and the target application is loaded and run there. Similarly, if the user selects non-sandboxed running in the user interface provided by the desktop module, the control module 12 understands that the request is to be forwarded to the original incubator 10, and the target application is run by the original incubator 10.
From the above analysis it can be seen that the use of one or more mirror incubators 13 together with the original incubator 10 can both follow the security policy provided by the program and depend on the user's on-demand selection; it can be realized with database technology or in the form of parameters; and it can be a scheduling instance between a single mirror incubator 13 and the original incubator 10, or one in which multiple mirror incubators 13 coexist with the original incubator 10. In any case, the control module 12 of the invention achieves effective process hatching control and scheduling.
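The routing decision described above (the authentication unit 123 checking known setting data, a routing-table-like preset choosing among several mirror incubators, and the user's desktop-module choice as the fallback) can be modelled in a few lines. The following is an added example written for this page, not the patent's or its assignee's code. It assumes that the AMS request is carried as Zygote-style arguments (`--setuid=` and `--nice-name=` are real Zygote argument names; the values are constructed), that the known setting data is a UID-to-mirror map plus restricted and forbidden UID sets, and that the user's choice is a per-package boolean. The socket names `zygote` and `stepzygote` follow the page; `stepzygote2` is a constructed second mirror.

```python
"""Routing model for the control module 12 acting as a router.

Added example, not the patent's or its assignee's code.  It models the
decision the control module makes when it intercepts a process-spawn
request that AMS sent towards the original incubator's socket: forward it
to the original incubator 10 (Zygote), to one of the mirror incubators 13
(StepZygote), or to none at all.

Assumptions (not stated on the page): the request is carried as
Zygote-style arguments ("--setuid=" and "--nice-name=" are real Zygote
argument names; values are constructed); the authentication unit's known
setting data is one dict and two sets; the user's sandbox choice from the
desktop module is a boolean per package.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

ORIGINAL = "zygote"            # socket name of the original incubator 10
DEFAULT_MIRROR = "stepzygote"  # socket name of the first mirror incubator 13


@dataclass
class SpawnRequest:
    uid: int
    package: str
    args: list[str]


def parse_spawn_args(args: list[str]) -> SpawnRequest:
    """Extract the UID and package (nice-name) from Zygote-style arguments."""
    uid: Optional[int] = None
    package: Optional[str] = None
    for arg in args:
        if arg.startswith("--setuid="):
            uid = int(arg.split("=", 1)[1])
        elif arg.startswith("--nice-name="):
            package = arg.split("=", 1)[1]
    if uid is None or package is None:
        raise ValueError("spawn request lacks --setuid or --nice-name")
    return SpawnRequest(uid, package, list(args))


@dataclass
class KnownSettings:
    """Authentication-unit data plus the router's preset (routing-table) data."""
    uid_to_mirror: dict[int, str] = field(default_factory=dict)  # routing table
    restricted_uids: set[int] = field(default_factory=set)       # must be sandboxed
    forbidden_uids: set[int] = field(default_factory=set)        # must not run
    user_sandbox_choice: dict[str, bool] = field(default_factory=dict)


class ControlModule:
    def __init__(self, settings: KnownSettings,
                 mirrors: tuple[str, ...] = (DEFAULT_MIRROR,)):
        self.settings = settings
        self.mirrors = mirrors  # socket names of the constructed mirror incubators

    def verify(self, req: SpawnRequest) -> str:
        """Authentication unit 123: classify as forbidden, restricted or ok."""
        s = self.settings
        if req.uid in s.forbidden_uids:
            return "forbidden"
        if req.uid in s.restricted_uids or req.uid in s.uid_to_mirror:
            return "restricted"
        return "ok"

    def route(self, args: list[str]) -> Optional[str]:
        """Return the socket name to forward to, or None to drop the request."""
        req = parse_spawn_args(args)
        verdict = self.verify(req)
        if verdict == "forbidden":
            return None  # forwarded to no incubator: the app never gets a PID
        if verdict == "restricted":
            target = self.settings.uid_to_mirror.get(req.uid, self.mirrors[0])
            if target not in self.mirrors:
                # The routing table names a mirror that was never constructed;
                # fall back to the first mirror rather than to Zygote.
                target = self.mirrors[0]
            return target
        # Not restricted: honour the user's choice made in the desktop module.
        if self.settings.user_sandbox_choice.get(req.package, False):
            return self.mirrors[0]
        return ORIGINAL
```

A forbidden UID yields no target at all, which is the "do not forward to any incubator" case of the text; a restricted UID always lands on a mirror, even when the routing table points at a mirror that does not exist, so a stale table can never silently route a restricted application to the original Zygote.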
The mirror incubator 13 hatches a process environment by itself and loads the monitoring unit 130 and the program to be run into that process environment. The mirror incubator 13 is constructed by the control module 12, which duplicates Zygote according to the ELF infection principle; in this case the known, intrinsic operating mechanism of Zygote is not changed, so the mirror incubator 13 produced under the control of the control module 12 still follows the realization mechanism of the original incubator 10: it responds to the requests forwarded by the control module 12, hatches a new process, and answers the request with the process PID. AMS obtains the process PID and loads the target application to be run into the corresponding process space, where the target application runs. It can be seen that a crash of a mirror incubator 13, or the death of a process hatched by the mirror incubator 13, does not affect the original incubator 10 and its associated processes, and vice versa. Moreover, because the control module 12 inserted into the mirror incubator 13 the instruction that calls the monitoring unit 130, the monitoring unit 130 is loaded in advance, before the target application runs, and begins monitoring the event behaviours occurring in its process, thereby realizing the monitoring of the event behaviours of the target application that runs subsequently.
As stated earlier, the monitoring unit 130 is loaded prior to the target application. The monitoring unit 130 is the implementer of the sandbox running environment. It uses Hook technology and consists of a number of hook plug-ins; each hook plug-in uses a hook function to monitor the entry point of a related call instruction in the target application, intercepts that call instruction, and diverts execution to the corresponding hook function, which responds to the call instruction according to the sandbox's inherent logic, thereby achieving the purpose of monitoring the event behaviour.
It should be added here that the term "hook" covers the techniques used to alter or augment the behaviour of an operating system, application program or other software component by intercepting the function calls, messages or events passed between software components; the code that handles such intercepted function calls, events or messages is accordingly called a hook function. Hooks are used for various purposes, including debugging and extending functions. Examples include intercepting keyboard or mouse events before they are delivered to an application, or hooking system service calls (system calls) to monitor or change the functions of an application or other components. This embodiment can use hook functions to take over the installation self-check operations required when the application runs.
For brevity, the specific introduction to the use of the monitoring unit 130 of the invention will be given in a later section and is postponed here.
Since the present device is essentially concerned with the construction of the sandbox instance, it is necessary to further disclose a desktop module in the program realized by the invention. The desktop module can be realized by an Activity component provided by a security software; running this component provides a user interface that lists all system applications and user applications. When the user clicks to operate a certain application, a pop-up box can further let the user choose whether to run this target application in the sandbox. When the user chooses to run it in the sandbox, the control module 12 of the invention is naturally called on this basis, and the request produced by AMS because of the above interface operation is forwarded to the mirror incubator 13 rather than the original incubator 10, so that the target application runs in the sandbox running environment realized by the monitoring unit 130 of the invention. Of course, the realization of the user interface provided by the desktop module is very flexible; the above is only one example, and those skilled in the art can vary it. For convenience, the user interface step can be omitted and it can be the default that the target application the user clicks on the desktop is started by the mirror incubator 13, in which case the whole process becomes quicker and more convenient, and the routing work of the control module 12 and the work of its authentication unit 123 are simplified accordingly.
It can be seen that the safety protection device of the invention, by building the mirror incubator 13, can realize a safer, more reliable and independent running environment for the application to be run.
Correspondingly, the safety protection method of the invention organizes the same work more efficiently according to the processing flow of the machine; by performing this method, the running efficiency of the program realized according to the invention is optimized, so that the sandbox running environment is constructed for the application program more efficiently.
Referring to Fig. 5, the safety protection method of the invention comprises the following steps:
S31: Construct, using the system's original incubator 10, a mirror incubator 13 for hatching a process environment.
The purpose of this step is to construct a new mirror incubator 13 that is independent of the process of the system's original incubator Zygote 10. With reference to Fig. 6, it can be subdivided into the following sub-steps:
S311: Run the control module 12.
As stated earlier, the desktop module can receive the user's click operation on the user interface it provides, or an adb shell command, by which a certain target application is identified to the desktop module as needing to run in the sandbox, whereupon the control module 12 of the invention is called and made to run. The functions realized by the control module 12 are described above and are not repeated here.
S312: Construct the mirror incubator 13 based on the original incubator 10 using the control module 12.
In this step the control module 12 obtains the mirror incubator 13 on demand. The demand can be determined by the control module 12 according to the known setting data and/or the preset data described earlier, or the mirror incubator can be constructed and applied automatically according to a default rule. With reference to Fig. 7, this sub-step can be subdivided into the following sub-steps performed by the control module 12:
S3121: The control module 12 establishes a connection with the original incubator 10 using the socket of the original incubator 10.
The socket file /dev/socket/zygote of the original incubator Zygote 10 is the basis for establishing the socket connection. In this step the control module 12 reads the socket file and establishes the connection with the original incubator 10.
S3122: Inject a shutoff module into the system service process and cause it to execute, so as to close the connection that the activity management service 3 maintains on the socket of the original incubator 10.
As stated earlier, the control module injects a shutoff module 120 into the system service process 2 and causes it to execute in order to close the socket between AMS and Zygote. Specifically, it first connects to and injects into the SystemServer process, obtains the sZygoteSocket member of the android.os.Process class, and calls that member's close method, for example socket.close(), to shut down the socket connection between AMS and Zygote; this prevents the original incubator 10 from responding directly to the hatching requests of AMS, and the control module thereby gains greater control. It should be noted that, as described earlier, injecting the shutoff module 120 into the system service process 2 and executing the shutoff operation with the shutoff module 120 can be divided into two fine-grained steps, which may be performed separately as long as this order is kept. That is, after the shutoff module 120 is injected it need not perform the shutoff immediately; it can be called later, when the subsequent fine-grained step needs it, to carry out the shutoff. The former fine-grained step can be performed as soon as the control module 12 is called, followed by S3121 and then the later steps. Those skilled in the art will recognize this adaptation; all variations under this principle are regarded as equivalent to the present embodiment.
S3123: Copy the executable code of the original incubator 10 and implant into it a call instruction for loading the monitoring unit 130.
The execution of this sub-step may refer to the process of steps S121-S124 described earlier:
S121: Copy the executable code of the original incubator Zygote 10;
S122: Insert into the executable code a call instruction that realizes an external call; according to the needs of different embodiments, this call instruction calls the monitoring unit 130 of the invention, so that the monitoring unit 130 monitors the event behaviours of the process space hatched by the mirror incubator 13 after its construction;
S123: Insert into the executable code, as needed, code for program self-checking of the mirror incubator StepZygote 13, so that the mirror incubator 13 is harder to attack; note that this sub-step is optional in the invention;
S124: Run the modified executable code, so that the mirror incubator 13 is successfully constructed and stands ready to hatch new processes for requests from the activity management service ActivityManagerService 3.
S3124: Execute the code of the mirror incubator to construct the mirror incubator 13. Once the mirror incubator 13 is running, it exists independently of the original incubator Zygote 10.
S313: Establish the connection between the control module 12 and the mirror incubator 13.
Under the control of the control module 12, the construction and running of the mirror incubator 13 have been realized; therefore, following the logic by which the init process creates Zygote, the mirror incubator StepZygote 13 creates the socket file /dev/socket/stepzygote. In this sub-step, the control module 12 establishes a connection with the socket of the mirror incubator 13 through this socket file; it can then start listening on the socket of the original incubator 10, so as to monitor the hatching requests initiated by AMS and subsequently forward each request from the control module 12 to the original incubator 10 or the mirror incubator 13.
Those skilled in the art will understand that in the invention the mirror incubator 13 can be constructed on the basis of the original incubator 10 by this step S31, but the number of mirror incubators 13 is not limited to one; in theory the number of mirror incubators 13 is limited only by memory space, and multiple mirror incubators 13 of the same nature can be copied, as long as the control module 12 realizes effective scheduling of the multiple mirror incubators 13 as disclosed herein.
It is emphasized that, to keep the description short, the control module 12 involved in the safety protection method corresponds one-to-one with the control module described for the safety protection device of the invention; therefore the other optional functions realized by the control module 12 in the device, such as forwarding and routing, apply equally to the method, and the series of changes brought about by applying those optional functions should also be considered as brought to the method and are not repeated here.
S32: Hatch, through the mirror incubator 13, a process environment for the application to be run.
On reaching this step, under the control of the control module 12, once the control module 12 hears a request from AMS it forwards the request; the forwarding target is determined: if the request is not forwarded to the system's original incubator 10, it is forwarded to a mirror incubator 13 constructed by the invention. It should be noted that the forwarding referred to here includes not only instructions whose form and construction are consistent with the original request initiated by AMS, but also instructions converted by the control module 12 according to rules agreed with the mirror incubator 13 (for example by inserting the relevant code into the executable code when constructing the mirror incubator 13), which the mirror incubator 13 can read according to that agreement.
After the mirror incubator 13 receives the request from AMS forwarded by the control module 12, it follows the intrinsic mechanism inherited from the original incubator Zygote 10, copies a new process with its fork() function, and returns the process PID to AMS; thus the corresponding process environment is established for the application to be run.
Step S33: According to the attribute information of the application to be run, determine the event behaviours that need to be monitored for that application, and configure the monitoring unit so that, when the monitoring unit runs, it monitors the determined event behaviours.
Specifically, the event behaviours that need to be monitored for an application to be run can be determined in several ways. For example, the event behaviours the application is permitted to perform can first be determined according to the type of the application, and a whitelist of those event behaviours generated; the whitelist is then imported into the monitoring unit, and the monitoring unit monitors the behaviour events outside the whitelist. Specifically, for a certain O2O take-out software, the event behaviours it is normally allowed to perform include calling location information and identifying the mobile phone number, while it would normally not be allowed to perform event behaviours such as reading the address book or reading the call records. Therefore, in practice, the whitelist of event behaviours that the O2O take-out software is permitted to perform can be set to calling location information and identifying the phone number, without allowing it to perform event behaviours such as reading the address book or reading the call records.
Further, before the whitelist is imported into the monitoring unit 130, it can first be presented to the user through an interactive interface and updated according to the user's operation, after which the updated whitelist is imported into the monitoring unit 130. Specifically, the interactive interface here can be an editable interface in which the user can delete or add corresponding event behaviours (generally the user is only allowed to delete event behaviours). If the user performs such an edit operation, the whitelist is updated; if not, the whitelist is imported directly into the corresponding monitoring unit 130. In this way, which event behaviours are left unmonitored can be decided in combination with the user's wishes, which helps improve the user experience.
S34: Load the monitoring unit 130 and the application to be run into the process environment obtained by hatching through the mirror incubator 13 and run them, so that the monitoring unit 130 monitors the event behaviours of the application to be run.
The new process is responsible for loading the monitoring unit 130 whose interface was preset when the mirror incubator 13 was constructed, and for running the virtual machine instance configured for the target application that initiated the request. Once AMS obtains the process entry, it loads the target application into the process space of the new process, and the target application runs successfully. When the target application terminates, the system reclaims the virtual machine space according to its own mechanism.
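The whitelist step of S33 (a per-type whitelist that the user may only trim before it is imported) and the hook-based monitoring unit 130 described for the device (a hook function at each call entry point that handles every behaviour outside the whitelist) can be put together in one worked model. This is an added example written for this page, not code from the patent or its assignee: the application types, behaviour names, the stand-in API functions and the default deny strategy are all constructed, and a Python decorator plays the role of a hook plug-in intercepting a call entry point.

```python
"""Model of the whitelist-driven monitoring unit 130.

Added example, not code from the patent or its assignee.  It covers two
passages of the text: building the per-application-type whitelist of
permitted event behaviours (the user may only delete entries before it is
imported) and the hook-based monitoring unit that intercepts call entry
points and applies a handling strategy to every behaviour outside the list.

Assumptions (not stated on the page): the application types, behaviour
names, the hooked stand-in API functions and the default "deny" strategy
are all constructed for this example.
"""
from __future__ import annotations

import functools
from dataclasses import dataclass, field
from typing import Callable, Iterable

# Constructed policy: behaviours each application type is normally allowed
# to perform (mirrors the O2O take-out example in the text).
TYPE_WHITELISTS: dict[str, frozenset[str]] = {
    "o2o_takeout": frozenset({"get_location", "read_phone_number"}),
    "messaging": frozenset({"read_contacts", "send_sms"}),
}


def build_whitelist(app_type: str) -> set[str]:
    """Whitelist derived from the application's type; unknown types get none."""
    return set(TYPE_WHITELISTS.get(app_type, frozenset()))


def apply_user_edits(whitelist: set[str], removals: Iterable[str] = (),
                     additions: Iterable[str] = ()) -> set[str]:
    """Interactive-interface step: the user may only delete entries.

    Additions are ignored, following the text's note that the user is
    generally only permitted to remove event behaviours from the list.
    """
    edited = set(whitelist)
    edited.difference_update(removals)
    return edited  # `additions` deliberately has no effect


@dataclass
class MonitoringUnit:
    """Loaded into the hatched process ahead of the target application."""
    whitelist: set[str]
    # handling strategy for behaviours outside the whitelist: "allow" or "deny"
    strategy: Callable[[str], str] = lambda behaviour: "deny"
    events: list[tuple[str, str]] = field(default_factory=list)

    def hook(self, behaviour: str):
        """Decorator acting as a hook plug-in for one call entry point."""
        def decorate(fn: Callable) -> Callable:
            @functools.wraps(fn)
            def hook_function(*args, **kwargs):
                if behaviour in self.whitelist:
                    self.events.append((behaviour, "whitelisted"))
                    return fn(*args, **kwargs)
                verdict = self.strategy(behaviour)  # consult the handling strategy
                self.events.append((behaviour, verdict))
                if verdict == "allow":
                    return fn(*args, **kwargs)
                raise PermissionError(f"{behaviour} blocked by monitoring unit")
            return hook_function
        return decorate


def hooked_api(unit: MonitoringUnit) -> dict[str, Callable[[], str]]:
    """Constructed stand-ins for the platform calls the hook plug-ins intercept."""
    @unit.hook("get_location")
    def get_location() -> str:
        return "lat=0.0,lon=0.0"

    @unit.hook("read_contacts")
    def read_contacts() -> str:
        return "contacts"

    @unit.hook("read_call_log")
    def read_call_log() -> str:
        return "call log"

    return {"get_location": get_location, "read_contacts": read_contacts,
            "read_call_log": read_call_log}


def run_sandboxed(app_type: str, calls: Iterable[str], removals: Iterable[str] = (),
                  additions: Iterable[str] = (),
                  strategy: Callable[[str], str] | None = None) -> list[tuple[str, str]]:
    """Build the whitelist, load the unit, replay `calls`, return the event log."""
    whitelist = apply_user_edits(build_whitelist(app_type), removals, additions)
    unit = MonitoringUnit(whitelist) if strategy is None else MonitoringUnit(whitelist, strategy)
    api = hooked_api(unit)
    for name in calls:
        try:
            api[name]()
        except PermissionError:
            pass  # blocked call; its verdict is already in unit.events
    return unit.events


if __name__ == "__main__":
    print(run_sandboxed("o2o_takeout", ["get_location", "read_contacts", "read_call_log"]))
```

Because the unit is created before the stand-in API is built, every entry point is wrapped before the "application" can call it, which is the ordering the text relies on (monitoring unit loaded prior to the target application). The `strategy` callable is where the event behaviour handling strategy of the later section would plug in, whether it comes from a preset or from the user through the interactive module.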
The above discloses in detail the overall process of constructing a safe sandbox instance for an application program using the safety protection method of the invention, by which a safer and more reliable process running environment can be constructed for each application program.
Although many aspects of the general idea of the invention have been disclosed in detail above, not everything has been stated. Those skilled in the art should understand that the program process hatching control method and device of the invention and the safety protection method and device are two aspects of the same general idea, and the technical means they employ corroborate each other; therefore the explanation of one aspect also applies to the other. Thus, even if there is an omission in the disclosure of a certain aspect of the invention, those skilled in the art can find the required explanation in the other aspect and reconstruct the whole scheme of that aspect, and this should not be taken as a basis for denying the sufficiency of the disclosure of that aspect.
To highlight the sandbox instance of the invention, the embodiments related to the monitoring unit 130 loaded by the mirror incubator 13, which is mentioned in many places above, are disclosed in further detail below.
Using the monitoring unit 130 of the invention, a more powerful sandbox running environment can be built. The monitoring unit 130 can obtain from a background sandbox HOOK framework the hook plug-ins (hook functions) corresponding to specific event behaviours, and use one or more hook plug-ins to hook and monitor specific event behaviours of the target application, thereby realizing activity monitoring of the target application process. The hook plug-ins of the background sandbox HOOK framework are managed centrally in the cloud and distributed to each terminal; the cloud is mainly configured with a Java hook plug-in library and a Native hook plug-in library. When the monitoring unit 130 needs to hook a specific event behaviour, it sends a request to the background sandbox HOOK framework through a remote plug-in interface, obtains the HOOK function for that particular event behaviour, namely the hook plug-in, and thereby establishes the monitoring, capture and handling of that particular event behaviour.
Mirror image incubator 13 is loaded with after monitoring unit 130, and operation request is initiated to AMS by loading The destination application.Because monitoring unit 130 is loaded prior to destination application, intended application journey Once running, just monitored unit 130 establishes monitoring to sequence using plug-in unit is linked up with, therefore, intended application All event behaviors of program are within the monitoring range of monitoring unit 130.The installation of destination application Bag be it is complete unmodified, can by the examination of PackageManagerService, therefore, target After application program is loaded, can completely legal, normally run, realize that destination application originally can be real Existing institute is functional.
Because monitoring unit 130 and destination application are in the same process space, thus, it is operating Monitoring unit 130 is to establish the monitoring to all event behaviors of destination application.Destination application is transported During row produce any event behavior, its event message can monitored unit 130 capture and carry out phase The treatment answered.
The particular event behavior monitored unit 130 that destination application is produced is captured, and substantially triggers special When determining event behavior, corresponding hook plug-in unit (hook letter in produced event message monitored unit 130 Number) captured.Capture the event message, you can know the intention of the event, can then carry out follow-up Treatment.
Particular event behavior is processed, it is necessary to be obtained event behavior treatment strategy.In this sub-step, Further human-computer interaction function can be realized by system service.In order to realize man-machine interaction effect, this hair It is bright one interactive module to be registered as into system service with reference to fail-safe software in advance, set up by monitoring unit 130 Interactive interface communicated with the interactive module, so as to realize the acquisition to user instruction or preset instructions.
The ways of obtaining an event behaviour strategy are varied and flexible and can be executed by a strategy generating device; several that the invention may select individually or combine are listed below:
(1) After the monitoring unit 130 captures a specific event behaviour, it sends a request to the interactive module through the interactive interface, and the interactive module pops up a dialog in the user interface of the security software asking the user for a handling strategy. The pop-up directly informs the user of the content and risk of the event behaviour, and the option the user selects serves as the handling strategy. After the user selects and confirms an option, the interactive module obtains the handling strategy for that event behaviour and feeds it back to the monitoring unit 130, which then handles the target application's event behaviour according to the strategy produced by the user instruction.
(2) When an event behaviour acknowledged as relatively low-risk occurs, for example a read-only operation on contacts, or when the user has configured the invention to retrieve the handling strategy for a specific event behaviour on its own, the invention retrieves the handling strategy for that event behaviour from a local policy database. That is, the local policy database establishes associations between specific event behaviours and their handling strategies and stores records of these correspondences for the invention to retrieve. After obtaining the handling strategy from the local policy database, the invention performs the next step of handling on the event behaviour.
(3) If the user has enabled the option of obtaining handling strategies remotely, or if by default the invention may obtain a strategy remotely when the local policy database has no strategy for the specific event behaviour, or if the interaction of mode (1) above receives no response from the user to the pop-up within the set time limit, the security software sends a request through its built-in remote policy interface to the pre-configured cloud, obtains the handling strategy for the specific event behaviour and uses it for subsequent handling.
It should be pointed out that the three ways of obtaining a handling strategy described above can be combined. For example, once the interactive module receives the features of the event message sent by the monitoring unit 130, it can, according to default settings, first query the local policy database as in mode (2) to obtain the strategy recommended by the system (and, if none is found locally, further obtain it from the cloud policy database as in mode (3)). Then, as in mode (1), the pop-up interface presents the system-recommended handling strategy as the default option. If the user does not confirm within the set time limit, subsequent instructions are executed according to the system-recommended strategy; if the user changes it to a new default option, the strategy set by the user is returned to the monitoring unit 130. The interaction process can thus be realised more flexibly.
The local policy database can be a copy of the cloud policy database; the invention therefore provides an update step that downloads the cloud policy database to update the local policy database.
Generally, the strategy for a specific event behaviour can be set to one of three common options, "deny", "run" and "ask", whose specific meanings are:
Deny: for the specific event behaviour, send the target application a spoofed message indicating that the event behaviour has completed, so that the event behaviour never actually occurs;
Run: make no change to the specific event behaviour; the corresponding event message is forwarded directly to the system message mechanism, allowing the target application to continue its event behaviour;
Ask: independently of, or in addition to, either of the two options above, mark the state of the specific event behaviour as unknown, so that the user is asked again via pop-up each time the behaviour recurs.
In practice the "ask" option can be ignored, and only whether to deny or allow the current event behaviour need be considered.
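The strategy-resolution cascade described in modes (1) to (3), their combined use, and the "deny"/"run" semantics, as an added Python example that is not code from the patent or from the applicant. The behaviour names, both policy tables and the prompt callback are constructed for illustration, and the fail-closed default for a behaviour that no database knows is this example's assumption, not something the patent specifies:

```python
"""Strategy resolution for a captured event behaviour (added example)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, Optional, Tuple


class Action(Enum):
    DENY = "deny"    # spoof an "event finished" reply; behaviour never happens
    RUN = "run"      # forward the event message to the system unchanged
    ASK = "ask"      # state unknown: prompt the user each time it recurs


@dataclass
class EventMessage:
    behaviour: str                       # e.g. "sms.send" (constructed name)
    detail: Dict[str, str] = field(default_factory=dict)


# Constructed local policy database (in the patent's design a copy of the
# cloud database): behaviour -> handling strategy.
LOCAL_POLICY: Dict[str, Action] = {
    "contacts.read": Action.RUN,    # acknowledged low-risk behaviour
    "sms.send": Action.ASK,         # always confirm with the user
}

# Constructed stand-in for the cloud policy database behind the remote
# policy interface (hypothetical lookup table, not a real service).
CLOUD_POLICY: Dict[str, Action] = {
    "sms.send": Action.DENY,
    "su.exec": Action.DENY,
}

DECIDED = (Action.RUN, Action.DENY)

# A prompt callback receives the message and the default option and returns
# the user's choice, or None when the user did not answer within the limit.
Prompt = Callable[[EventMessage, Action], Optional[Action]]


def resolve_strategy(msg: EventMessage, prompt: Prompt,
                     local: Dict[str, Action] = LOCAL_POLICY,
                     cloud: Dict[str, Action] = CLOUD_POLICY,
                     always_ask: bool = False) -> Action:
    """Combined mode: local database first, cloud second, then a pop-up whose
    default is the system recommendation; on timeout the recommendation wins."""
    local_rec = local.get(msg.behaviour)
    cloud_rec = cloud.get(msg.behaviour)
    if local_rec in DECIDED:                          # mode (2): decided locally
        recommended, settled = local_rec, True
    elif local_rec is None and cloud_rec in DECIDED:  # mode (3): nothing local
        recommended, settled = cloud_rec, True
    else:                                             # "ask" locally, or unknown
        # Assumption of this example: use the cloud verdict as the pop-up
        # default, and fail closed when neither database has a record.
        recommended = cloud_rec if cloud_rec in DECIDED else Action.DENY
        settled = False
    if settled and not always_ask:
        return recommended
    choice = prompt(msg, recommended)                 # mode (1): pop-up
    return recommended if choice is None else choice


def dispatch(msg: EventMessage, action: Action) -> Tuple[str, Dict[str, str]]:
    """Apply the strategy: "deny" answers the app with a spoofed completion
    message, "run" forwards the original message to the system mechanism."""
    if action is Action.DENY:
        return ("app", {"behaviour": msg.behaviour, "status": "finished"})
    return ("system", {"behaviour": msg.behaviour, **msg.detail})


if __name__ == "__main__":
    no_answer: Prompt = lambda m, d: None        # user lets the pop-up time out
    for name in ("contacts.read", "sms.send", "su.exec", "apn.switch"):
        m = EventMessage(name)
        a = resolve_strategy(m, no_answer)
        print(name, "->", a.value, dispatch(m, a))
```

Passing `always_ask=True` reproduces the pure mode (1) flow in which every captured behaviour is confirmed by the user, with the database recommendation still shown as the default option.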
The event behaviours described are varied and specifically include the following main types:
(1) Terminal and network related operations:
Obtaining operator information: the target application can, for example, obtain the IMSI of the mobile terminal through the getSimOperatorName() function, from which it can determine the name of the operator and then send subscription instructions to the operator to achieve the illegitimate goal of charging fees. By hooking the related messages, the monitoring platform can capture this event behaviour.
Switching APN: similarly, the target application performs APN switching control through the APN-related functions, and the monitoring unit 130 can monitor this by calling the corresponding hook plug-in.
Similar operations, including obtaining the handset identity code IMEI, are handled in the same way.
(2) Advertisement notification operations: advertisement notifications are the means most easily exploited by rogue programs; the monitoring unit 130 can also monitor them by calling the corresponding hook plug-in on the event messages produced by notify functions.
(3) Communication operations:
For a phone dialling operation, the event behaviour of calling the system dialler interface through the startActivity() function can be monitored, and event behaviour monitoring of dialling can be established with the corresponding hook plug-in.
Short message operations correspond to functions such as sendTextMessage(); similarly, event behaviour monitoring of this class of functions can be established through hook plug-ins.
Contact operations generally correspond to the query() and insert() functions; the monitoring unit 130 hooks this class of functions with hook plug-ins to capture and monitor such event behaviours.
(4) Command operations:
Operations such as SU privilege escalation or command execution both require the execve() function; by monitoring the return message of this function the monitoring unit 130 can monitor such event behaviours.
(5) Interface and access operations:
The event behaviour of creating a shortcut corresponds to the sendBroadcast() function. Similarly, the operation of hiding a program icon corresponds to a specific function and can be monitored.
HTTP network access operations correspond to functions such as sendto() and write().
(6) Program operations:
Application loading, i.e. the current target application loading a related application, can be captured by hooking functions such as DexClassLoader() and loadLibrary().
Installing a sub-package, for example, corresponds to the installPackage() function.
(7) Other risky operations:
For example, sub-process intrusion, derivative files, activating the device administrator, etc.
Here a sub-process is a process created by the target application. When the target application creates a sub-process, its process space is likewise constructed by the mirror incubator 13, so the sub-process cannot escape monitoring by the monitoring unit 130. Thus, whether an event behaviour is triggered directly by the target application's own process or indirectly by a sub-process it creates, it is monitored by the monitoring unit 130 of the invention, giving better active defence.
A derivative is a file created by the target application itself or downloaded remotely, typically a sensitive derivative such as an installation package. The event can be captured by hooking the fclose() function. After the monitoring unit 130 captures this event behaviour it can, as described earlier, send a request to the cloud through the remote rule base interface; the cloud judges the safety level of the derivative using its black/white/grey safety-level behaviour rules, and after the invention obtains the cloud's verdict through the remote rule base interface it pops up a further dialog asking the user whether to establish active defence against the sensitive derivative, thereby consolidating the active defence effect.
The event behaviours above are only selected examples and must not be interpreted as limiting the event behaviours monitored by the invention.
According to the handling strategies and the explanation of event behaviours above, the active defence method of the invention can handle various event behaviours accordingly. Several typical application examples follow:
(1) Fine-grained interception of a target application:
Some rogue programs, after installation, remain in a normal-use state for a long time, lulling the user's security awareness. After running for some time, however, the target application attempts to insert a short message from the background to attract the user's attention for advertising or fraud. Once the sandbox example of the invention is applied to the target application, the corresponding hook plug-in in the monitoring unit 130 monitors the short-message handling functions, so as soon as the target application produces a short-message event behaviour it is captured. The monitoring unit 130 then notifies, through its interactive interface, the interactive module running as a system service, which pops up a warning in the user interface. After the user selects the "deny" handling strategy, it is fed back to the monitoring unit 130, whose hook plug-in prevents the event behaviour from actually occurring, thus guarding against the risk.
(2) Release of a malicious file by a target application.
The target application is a game that downloads and releases a malicious sub-package under the guise of checking for updates, then calls a system function to install it. After the invention establishes the active-defence sandbox running environment for the target application, the event behaviour of downloading the file is monitored and the interactive module pops up an alert. After the user instructs denial, the corresponding hook plug-in in the monitoring unit 130 can delete the file directly, or only refuse the file's installation behaviour.
In the invention such a malicious sub-package is treated as a sensitive derivative, and whether a derivative is malicious can be judged remotely using predetermined safety levels. Specifically, when the generation of a derivative is detected, feature information of the file, such as its signature, is sent to the cloud through the remote rule base interface and its safety level is obtained from the cloud; for a black or grey application the pop-up advises the user to refuse installation, while a white application is allowed through. In this way security protection against sensitive derivatives is achieved. If the cloud has no record of the derivative, the method can be required to upload the file, which the cloud marks as an unknown application and accordingly tags as grey for future use.
(3) Sub-process intrusion.
A monitored target application creates a sub-process while running, and the sub-process in turn produces malicious event behaviours. When the monitoring unit 130 detects that the target application is creating a sub-process, it obtains the entry point of the sub-process and could in principle load itself into the sub-process by inline hooking to monitor its event behaviours. However, because the sub-process is also hatched by the mirror incubator 13, the new process hatched by the mirror incubator 13 loads the monitoring unit 130 before the sub-process itself, so monitoring of the sub-process is achieved without inline hooking. Thus, whether an event behaviour is triggered directly by the target application process or indirectly by a sub-process it creates, it is successfully monitored by the monitoring unit 130.
The above analysis shows that the sandbox running environment constructed by the invention is highly efficient and feasible.
To further assist those skilled in the art in implementing the invention, the following discloses how the cloud server and the terminal device cooperate to judge the safety level of an installation package:
As stated earlier, the feature information sent by the client to the cloud server through the remote rule base interface includes: the package name of the Android installation package, and/or its version number, and/or its digital signature, and/or features of the Android component receiver, and/or features of the Android component service, and/or features of the Android component activity, and/or instructions or strings in the executable file, and/or the MD5 values (signatures) of each file under the installation package directory.
The client implementing the method or device of the invention uploads the specified feature information to the server (cloud), which searches its preset rule base for a feature record matching the specified single feature or combination of features; the preset rule base of the server contains feature records and the security level corresponding to each, and every feature record contains a single feature or a combination of features.
Thousands of feature records are preset in the server-side rule base: for example, the first feature record lists the package name of a certain virus Android installation package; the second lists the version number of a certain normal application's Android installation package and the MD5 value of its digital signature; the third lists the package name of a certain normal application's Android installation package and its receiver features; the fourth lists the package name, version number and a specific string in the ELF file of a certain trojan; and so on. The safety-level marks, i.e. the three marks black, white (safe) and grey (unknown, suspicious), can be further expressed as:
Safe: the application is a normal application with no behaviour threatening the security of the user's phone. Dangerous: the application carries security risks; it may itself be malware, or it may be normal software released by a legitimate company that has security vulnerabilities which endanger the user's privacy and phone security;
Caution: the application is a normal application but has problems, for example it may cause the user to be charged inadvertently, or it carries unfriendly advertisements that have drawn complaints; when such an application is found, the user can be prompted to use it with caution and be informed of its possible behaviour, but whether to remove it is left to the user's discretion;
Trojan: the application is a virus, trojan or other malware; "trojan" is used here as a general term and does not mean the application is only a trojan.
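The cloud-side rule base just described, together with the client-side handling of a sensitive derivative's verdict from application example (2) above, as an added Python example that is not code from the patent or from any real cloud service. The rule records, package names, hashes and strings are constructed placeholders; the choice to report the most severe level when several records match is this example's assumption:

```python
"""Safety-level rule base and client install advice (added example)."""
from dataclasses import dataclass
from enum import Enum
from typing import Any, Dict, List, Optional, Tuple


class Level(Enum):
    SAFE = 1        # white
    CAUTION = 2     # grey
    DANGEROUS = 3   # black
    TROJAN = 4      # black


COLOUR = {Level.SAFE: "white", Level.CAUTION: "grey",
          Level.DANGEROUS: "black", Level.TROJAN: "black"}


@dataclass(frozen=True)
class Rule:
    """One feature record: every listed feature must match (a combination);
    a record with a single feature matches on that feature alone."""
    features: Dict[str, Any]
    level: Level


# Constructed rule base shaped like the four records the text describes.
RULES: List[Rule] = [
    Rule({"package": "com.example.virus"}, Level.TROJAN),
    Rule({"version": "3.2.0",
          "signature_md5": "00000000000000000000000000000001"}, Level.SAFE),
    Rule({"package": "com.example.good",
          "receivers": {"BootReceiver", "SmsReceiver"}}, Level.SAFE),
    Rule({"package": "com.example.adgame", "version": "1.0",
          "strings": {"SUBSCRIBE_PREMIUM"}}, Level.CAUTION),
]


def _feature_matches(wanted: Any, actual: Any) -> bool:
    """Scalars must be equal; set-valued features (component names, strings
    in the executable) must be a subset of the sample's; dict-valued features
    (per-file MD5 under the package directory) must agree on every listed file."""
    if isinstance(wanted, (set, frozenset)):
        return isinstance(actual, (set, frozenset)) and wanted <= actual
    if isinstance(wanted, dict):
        return isinstance(actual, dict) and all(
            actual.get(k) == v for k, v in wanted.items())
    return wanted == actual


def match_rules(sample: Dict[str, Any], rules: List[Rule] = RULES) -> List[Rule]:
    """Return every feature record whose features all occur in the sample."""
    return [r for r in rules
            if all(k in sample and _feature_matches(v, sample[k])
                   for k, v in r.features.items())]


def judge(sample: Dict[str, Any], rules: List[Rule] = RULES) -> Optional[Level]:
    """Cloud verdict: the most severe level among matching records (assumption),
    or None when the rule base holds no record of the package."""
    hits = match_rules(sample, rules)
    return max(hits, key=lambda r: r.level.value).level if hits else None


def install_advice(level: Optional[Level]) -> Tuple[str, str, bool]:
    """Client side: (colour, advice, upload_requested). Black and grey are
    advised against, white is let through, and an unknown file is tagged grey
    with its upload requested so the cloud can record it."""
    if level is None:
        return ("grey", "refuse", True)
    colour = COLOUR[level]
    return (colour, "allow" if colour == "white" else "refuse", False)


if __name__ == "__main__":
    # Constructed feature set for a downloaded derivative.
    sample = {"package": "com.example.adgame", "version": "1.0",
              "strings": {"SUBSCRIBE_PREMIUM", "http://"}}
    print(judge(sample), install_advice(judge(sample)))
```

A record that lists several features only fires when all of them are present, which is what lets a package name alone mark a known trojan while a benign package name still needs its receiver set or signature hash to be recognised as white.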
It should be understood that the cooperation between cloud and client can be further expanded, transformed, added to, reduced and improved by those skilled in the art according to the content disclosed; the disclosure above should not be understood as limiting how the methods and apparatus of the invention are implemented.
Testing shows that the invention has a broader range of application and a better application effect than the prior art, illustrated briefly below:
Because the invention turns the HOOK framework into a service platform that configures the monitoring unit 130 for terminals in the form of hook plug-ins, loading only needs to depend on a corresponding configuration file, which is efficient to manage and easy to implement; a technician only needs to write a few simple function calls into a configuration file to configure a hook plug-in, and the HOOK is reentrant with high concurrency performance.
Using the host application to load the monitoring unit 130 and then the target application in succession, and establishing monitoring of the target application's event behaviours through the monitoring unit 130, enables hooking of both Java functions and Native functions.
In summary, the invention enables a target application to run in a safer sandbox running environment. The above are only some embodiments of the invention; it should be pointed out that those of ordinary skill in the art can make improvements and modifications without departing from the principles of the invention, and these should also be regarded as within the protection scope of the invention.

Claims (10)

1. A security protection method, characterised in that it comprises the following steps:
constructing, using the system's original incubator, a mirror incubator for hatching process environments;
hatching, by the mirror incubator, a process and its process environment for the application to be run;
determining, according to attribute information of the application to be run, the event behaviours to be monitored for the application to be run, and configuring a monitoring unit so that, when run, the monitoring unit monitors the determined event behaviours;
loading the monitoring unit and the application to be run into the process environment of the process hatched by the mirror incubator, and monitoring the event behaviours of the application to be run with the monitoring unit.
2. The method of claim 1, characterised in that determining, according to the attribute information of the application to be run, the event behaviours to be monitored for the application to be run, and configuring the monitoring unit so that, when run, it monitors the determined event behaviours, comprises:
determining, according to the type of the application to be run, the event behaviours the application to be run is allowed to perform, and generating a whitelist of the corresponding event behaviours;
importing the whitelist into the monitoring unit so that the monitoring unit monitors event behaviours outside the whitelist.
3. The method of claim 2, characterised in that importing the whitelist into the monitoring unit specifically comprises:
presenting the whitelist to the user through an interactive interface;
updating the whitelist according to the user's operation;
importing the updated whitelist into the monitoring unit.
4. The security protection method of claim 1, characterised in that constructing the mirror incubator using the original incubator comprises the following steps:
running a control module, and constructing, by the control module, the mirror incubator on the basis of the original incubator;
establishing a connection between the control module and the mirror incubator.
5. The security protection method of claim 4, characterised in that the step of constructing the mirror incubator on the basis of the original incubator by the control module comprises:
the control module establishes a connection with the original incubator using the socket of the original incubator;
the control module closes the connection maintained by the Activity Manager Service over the socket of the original incubator;
the control module copies the executable code of the original incubator and implants into it a call instruction for loading the monitoring unit;
the control module runs the code of the mirror incubator to construct the mirror incubator.
6. The security protection method of claim 1, characterised in that the monitoring unit comprises a number of hook plug-ins, and applies the corresponding hook plug-in by monitoring the different call instructions of the application process in order to handle the event behaviours of the application process.
7. A security protection device, characterised in that it comprises:
a control module, for constructing, using the system's original incubator, a mirror incubator for hatching process environments, for determining, according to attribute information of the application to be run, the event behaviours to be monitored for the application to be run, and for configuring a monitoring unit so that, when run, it monitors the determined event behaviours; the mirror incubator, for hatching a process environment itself and loading the monitoring unit and the application to be run into that process environment;
the monitoring unit, for monitoring the event behaviours of the application to be run.
8. The security protection device of claim 7, characterised in that the control module is specifically configured to determine, according to the type of the application to be run, the event behaviours the application to be run is allowed to perform, generate a whitelist of the corresponding event behaviours, and import the whitelist into the monitoring unit so that the monitoring unit monitors event behaviours outside the whitelist.
9. The security protection device of claim 8, characterised in that the control module is specifically configured to present the whitelist to the user through an interactive interface, update the whitelist according to the user's operation, and import the updated whitelist into the monitoring unit.
10. The security protection device of any one of claims 7 to 9, characterised in that the monitoring unit comprises a number of hook plug-ins, and applies the corresponding hook plug-in by monitoring the different call instructions of the application process in order to handle the event behaviours of the application process.
CN201510982010.4A 2015-12-23 2015-12-23 A kind of safety protecting method and device Pending CN106909833A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510982010.4A CN106909833A (en) 2015-12-23 2015-12-23 A kind of safety protecting method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510982010.4A CN106909833A (en) 2015-12-23 2015-12-23 A kind of safety protecting method and device

Publications (1)

Publication Number Publication Date
CN106909833A true CN106909833A (en) 2017-06-30

Family

ID=59206219

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510982010.4A Pending CN106909833A (en) 2015-12-23 2015-12-23 A kind of safety protecting method and device

Country Status (1)

Country Link
CN (1) CN106909833A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107346390A (en) * 2017-07-04 2017-11-14 深信服科技股份有限公司 A kind of malice sample testing method and device
CN111356985A (en) * 2017-08-29 2020-06-30 赛门铁克公司 System and method for preventing malicious applications from utilizing application services
CN111399927A (en) * 2018-12-14 2020-07-10 北京奇虎科技有限公司 Method and device for sharing Class file by application and computing equipment
CN113590133A (en) * 2021-08-09 2021-11-02 咪咕文化科技有限公司 Android system injection detection method, device, equipment and computer storage medium
CN113835889A (en) * 2021-09-24 2021-12-24 青岛海信移动通信技术股份有限公司 Method for acquiring input event and related device

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120054868A1 (en) * 2010-08-30 2012-03-01 International Business Machines Corporation Rootkit monitoring agent built into an operating system kernel
CN103634268A (en) * 2012-08-20 2014-03-12 中国联合网络通信集团有限公司 A safety control method and an apparatus
CN103927485A (en) * 2014-04-24 2014-07-16 东南大学 Android application program risk assessment method based on dynamic monitoring
CN104239797A (en) * 2014-10-13 2014-12-24 北京奇虎科技有限公司 Active defense method and device
CN104375494A (en) * 2014-12-02 2015-02-25 北京奇虎科技有限公司 Security sandbox construction method and security sandbox construction device
CN104484599A (en) * 2014-12-16 2015-04-01 北京奇虎科技有限公司 Behavior processing method and device based on application program


Similar Documents

Publication Publication Date Title
CN104375494B (en) Security sandbox construction method and security sandbox construction device
CN104376256B (en) Program process hatching control and device
CN105427096A (en) Payment security sandbox realization method and system and application program monitoring method and system
CN104408367B (en) Application program configuration method and device
CN106909833A (en) A kind of safety protecting method and device
CN103198255B (en) Method and system for monitoring and intercepting sensitive behaviour of Android software
CN104376255B (en) Application program running control method and device
CN104346559B (en) Authority request response method and corresponding device
CN104462879B (en) Application program exempts from Root progress control methods and device
CN104239786A (en) ROOT-free active defense configuration method and device
CN105183307A (en) Application message display control method and application message display control device
CN104376257B (en) Application program self-protection, active defense method and device
CN105095746A (en) Method and device for application program starting authentication
CN104462880B (en) Application program shell adding collocation method and device
CN104239797B (en) Active defense method and device
CN104881601A (en) Floating window display setup, control method and device
CN104573497B (en) A kind for the treatment of method and apparatus of startup item
CN104462961A (en) Mobile terminal and privacy permission optimizing method thereof
CN104375869A (en) Self-starting application control method and device
CN105631335B (en) A kind of dynamic hulling method, device and equipment
CN108399331A (en) Application process trial method and system
CN109947534B (en) Cloud security function scheduling system based on SDN
Pecka et al. Privilege escalation attack scenarios on the devops pipeline within a kubernetes environment
CN106293821A (en) Obtain and transmission application data, the method and device of operation application program
CN106355100A (en) Safety protection system and method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170630