KR101256453B1 - Apparatus and method for detecting rooting - Google Patents
Apparatus and method for detecting rooting
- Publication number
- KR101256453B1
- Authority
- KR
- South Korea
- Prior art keywords
- rooting
- file
- event
- monitoring target
- application
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Telephone Function (AREA)
Abstract
In the present invention, for event-based real-time rooting detection, a directory list or file list to be monitored for rooting is set and registered with a file monitoring event provided by the OS of the portable terminal, and rooting detection is performed in real time whenever an event occurs due to a file attribute change in the rooting monitoring target. This enables more accurate rooting detection even on a custom kernel that dynamically performs rooting or unrooting to bypass rooting detection.
Description
The present invention relates to a method for detecting rooting, and in particular to a rooting detection apparatus and method for event-based real-time rooting detection, in which a directory list or file list to be monitored for rooting is set and registered with a file monitoring (file observing) event provided by the operating system of a portable terminal, and rooting detection is performed in real time whenever an event occurs due to a file attribute change in the rooting monitoring target, so that rooting can be detected more accurately even on a custom kernel that dynamically performs rooting or unrooting to bypass rooting detection.
In general, a portable terminal running Android as its operating system applies the sandbox concept: each application has limited access to resources outside its own area, and through each application's own signing the Android terminal provides a basic defense against forgery and alteration.
However, forgery-sensitive applications, such as banking applications or the HTS (Home Trading System) applications of securities firms, have their own mechanisms for verifying forgery and alteration. Furthermore, for financial trading applications a defense against forgery is legally mandatory and is enforced as IT compliance.
Therefore, a financial transaction application that wants to verify forgery and alteration checks whether the mobile terminal is rooted before checking for forgery, and terminates the financial transaction service if the terminal is determined to be rooted. As such, rooting detection is an important and essential element for security-sensitive applications.
In more detail, when a banking application equipped with a rooting detection module is executed, for example, the rooting detection module runs first. It checks whether the 'su' file, which is usually executed when root authority is acquired, exists, or whether the adb (Android Debug Bridge) daemon is running with root authority. An application that receives a normal result then provides its normal service.
However, in order to forge an application, system administrator authority is first acquired on a mobile terminal such as an Android device through the rooting process, and the forgery verification module of the application is then bypassed.
In addition, evolving rooted terminals provide the ability to perform rooting and unrooting dynamically in order to bypass rooting detection: the terminal is unrooted before an application containing a rooting detection module is executed, and after the application has started and the rooting detection module has completed its check, rooting is performed again, thereby bypassing the rooting detection module.
That is, on a rooted terminal that provides dynamic rooting and unrooting as above, when rooting is activated the su file is created in an executable location (a directory in the PATH environment variable), for example, so that root privileges can be obtained with it. When rooting is deactivated (unroot), the su file is hidden so that root privileges cannot be obtained through it.
As described above, recent rooted terminals bypass existing rooting detection modules by providing rooting and unrooting functions that can be executed dynamically, and this is difficult to detect.
Accordingly, for event-based real-time rooting detection, the present invention sets a directory list or file list as the rooting monitoring target, registers it with a file monitoring event provided by the OS of the portable terminal, and performs rooting detection in real time whenever an event occurs due to a file attribute change in the rooting monitoring target, thereby providing a rooting detection apparatus and method that detect rooting more accurately even on a terminal or OS that dynamically performs rooting or unrooting to bypass rooting detection.
The present invention described above is a rooting detection apparatus comprising: a rooting monitoring target setting unit for setting a rooting monitoring target; a rooting event registration unit for registering the rooting monitoring target with the operating system (OS) of the portable terminal on which rooting detection is performed; a rooting checking unit for determining, when an event generated in the rooting monitoring target is received from the OS, whether the event corresponds to rooting behavior; and a rooting alarm unit for notifying the application that requested the rooting monitoring that rooting behavior has occurred when the rooting checking unit determines rooting behavior.
The rooting event registration unit may register the rooting monitoring target with a file monitoring event provided by the OS of the portable terminal.
The rooting event registration unit may register the rooting monitoring target with the file monitoring event by using an API provided by the OS.
The rooting monitoring target may be set to a directory list or a file list that can be used as indicator information for determining whether rooting has occurred.
The event may be generated when a file attribute change occurs in a directory list or a file list registered as the rooting monitoring target.
The event may be generated when any of file creation, deletion, file name change, file move, permission change, or file modification occurs in the directory list or the file list.
In addition, when rooting monitoring is requested, the rooting checking unit checks, before the application is executed, whether rooting has been performed on the portable terminal using a predetermined rooting detection policy, and transmits the check result to the application.
The directory list may include one or more of /system, /sbin or /bin.
The file list may include at least one of the su file and the adbd file.
In addition, the application is an application that processes financial information or personal information.
In addition, the present invention provides a rooting detection method comprising: setting a rooting monitoring target when an application for which rooting monitoring is requested is executed; registering the rooting monitoring target with the OS of the portable terminal; determining, when an event occurring in the rooting monitoring target is received from the OS, whether the event corresponds to rooting behavior; and notifying the application of the occurrence of rooting behavior when rooting behavior is determined.
The rooting monitoring target may be registered with a file monitoring event provided by the OS.
The rooting monitoring target may be set to a directory list or a file list that can be used as indicator information for determining whether rooting has occurred.
The event may be generated when a file attribute change occurs in a directory list or a file list registered as the rooting monitoring target.
The event may be generated when any of file creation, deletion, file name change, file move, permission change, or file modification occurs in the directory list or the file list.
The method may further include: checking, before the application is executed, whether rooting is being performed on the portable terminal by using a predetermined rooting detection policy; and, when the check shows that rooting is being performed on the portable terminal, reporting the rooting behavior to the application.
In event-based real-time rooting detection, the present invention sets a directory list or file list as the rooting monitoring target, registers it with a file monitoring event provided by the OS of the portable terminal, and performs rooting detection in real time whenever an event occurs due to a file attribute change in the rooting monitoring target. This has the advantage that rooting can be detected more accurately even on a custom kernel that dynamically performs rooting or unrooting to bypass rooting detection.
FIG. 1 is a detailed block diagram of a portable terminal to which a rooting detection device according to an embodiment of the present invention is applied;
FIG. 2 is a detailed block diagram of a rooting detection apparatus according to an embodiment of the present invention;
FIG. 3 is a flow chart of event-based real-time rooting detection control according to an embodiment of the present invention.
Hereinafter, the operating principle of the present invention will be described in detail with reference to the accompanying drawings. In the following description of the present invention, if it is determined that a detailed description of a known function or configuration may unnecessarily obscure the subject matter of the present invention, the detailed description thereof will be omitted. The following terms are defined in consideration of the functions of the present invention, and may be changed according to the intentions or customs of the user, the operator, and the like. Therefore, the definition should be based on the contents throughout this specification.
Each block of the accompanying block diagrams and each step of the flowchart, and combinations thereof, may be performed by computer program instructions. These computer program instructions may be loaded into a processor of a general-purpose computer, special-purpose computer, or other programmable data processing apparatus, so that the instructions, executed by the processor of the computer or other programmable data processing apparatus, create means for performing the functions described in each block of the block diagram or each step of the flowchart.
These computer program instructions may also be stored in a computer-usable or computer-readable memory that can direct a computer or other programmable data processing equipment to implement functionality in a particular manner, so that the instructions stored in the computer-usable or computer-readable memory can also produce an article of manufacture containing instruction means for performing the functions described in each block of the block diagram or each step of the flowchart.
Computer program instructions may also be loaded onto a computer or other programmable data processing equipment, so that a series of operating steps is performed on the computer or other programmable data processing equipment to create a computer-implemented process; the instructions executed on the computer or other programmable data processing equipment may thus also provide steps for performing the functions described in each block of the block diagram and in each step of the flowchart.
Also, each block or each step may represent a module, segment, or portion of code that includes one or more executable instructions for executing the specified logical function(s). It should also be noted that in some alternative embodiments, the functions mentioned in the blocks or steps may occur out of order. For example, two blocks or steps shown in succession may in fact be executed substantially concurrently, or the blocks or steps may sometimes be performed in the reverse order, depending on the functionality involved.
FIG. 1 illustrates a detailed block diagram of a
Hereinafter, each component of the
First, the
The
The
The
In addition, the
On the other hand, the
At this time, as a method of checking whether the
Therefore, according to the present invention, for example, the
That is, when the
Then, the
FIG. 2 is a block diagram illustrating a detailed configuration of a
Hereinafter, an operation of each part of the
First, when an
Accordingly, the rooting monitoring
At this time, the directories to be monitored for rooting may be, for example, /system, /sbin, or /bin, because indicator files such as the su file, from which rooting behavior can be determined, are generally created in these directories. These directories are only examples, and the directory list may be updated through an update process.
In addition, the list of files to be monitored may be, for example, the su file or the adbd file. This file list is only an example and, like the directory list, may be updated through an update process.
The rooting
That is, the
Then, when the
Then, the
Accordingly, the
FIG. 3 illustrates an operation control flow for performing event-based real-time rooting detection in the
First, when there is a rooting detection request from an
However, if the
That is, the rooting monitoring
In addition, the directories to be monitored for rooting may be, for example, /system, /sbin, or /bin, because indicator files such as the su file, from which rooting behavior can be determined, are generally created in these directories. These directories are only examples, and the directory list may be updated through an update process. In addition, the list of files to be monitored may be, for example, the su file or the adbd file. This file list is only an example and, like the directory list, may be updated through an update process.
Subsequently, the rooting
The registered directory or file may be set in the
Accordingly, the
Then, the
As a result of the inspection, when it is determined that rooting behavior has occurred, the
Then, when the rooting action occurs (S312), the
Accordingly, the
As described above, in event-based real-time rooting detection, the present invention sets a directory list or file list as the rooting monitoring target, registers it with a file monitoring event provided by the OS of the portable terminal, and performs rooting detection in real time whenever an event occurs due to a file attribute change in the rooting monitoring target, so that rooting can be detected more accurately even on a custom kernel that dynamically performs rooting or unrooting to bypass rooting detection.
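The flow described above (a check at launch, registration of the monitored directory with the OS file-monitoring facility, a check on every event, an alarm on a hit), as an added example that is not code from the patent. It uses Linux inotify, the kernel facility that Android's FileObserver API is built on; the function names, the `/tmp/rootmon-` directory standing in for a system directory, and matching by file name alone are assumptions of this example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <sys/stat.h>
#include <unistd.h>
/* Changes the page lists: creation, deletion, rename/move, permission change, modification. */
#define ROOT_EVENTS (IN_CREATE | IN_DELETE | IN_MOVED_FROM | IN_MOVED_TO | IN_ATTRIB | IN_MODIFY)
static const char *const INDICATORS[] = { "su", "adbd" };  /* file list named on the page */
#define N_INDICATORS (sizeof INDICATORS / sizeof INDICATORS[0])

static int is_indicator(const char *name) {
    for (size_t i = 0; i < N_INDICATORS; i++)
        if (strcmp(name, INDICATORS[i]) == 0) return 1;
    return 0;
}
/* Point-in-time check, as run before the application starts: indicator files present in dir. */
int static_check(const char *dir) {
    char path[4096];
    int found = 0;
    for (size_t i = 0; i < N_INDICATORS; i++) {
        snprintf(path, sizeof path, "%s/%s", dir, INDICATORS[i]);
        found += (access(path, F_OK) == 0);
    }
    return found;
}

/* Registration: watch one monitored directory; returns a non-blocking inotify fd, or -1. */
int monitor_open(const char *dir) {
    int fd = inotify_init1(IN_NONBLOCK | IN_CLOEXEC);
    if (fd >= 0 && inotify_add_watch(fd, dir, ROOT_EVENTS) < 0) { close(fd); fd = -1; }
    return fd;
}

/* Checking: drain queued events; a non-zero OR of masks naming an indicator file is the alarm. */
uint32_t monitor_poll(int fd) {
    char buf[4096] __attribute__((aligned(__alignof__(struct inotify_event))));
    uint32_t seen = 0;
    ssize_t len;
    while ((len = read(fd, buf, sizeof buf)) > 0)
        for (char *p = buf; p < buf + len; ) {
            const struct inotify_event *ev = (const struct inotify_event *)p;
            if (ev->len > 0 && is_indicator(ev->name)) seen |= ev->mask;
            p += sizeof *ev + ev->len;
        }
    return seen;
}

struct demo_result { int before, after; uint32_t on_root, on_unroot; };
/* Constructed scenario (assumption): "su" appears after the launch check, then is hidden again. */
struct demo_result demo_root_then_unroot(void) {
    struct demo_result r = { -1, -1, 0, 0 };
    char dir[] = "/tmp/rootmon-XXXXXX", su[64];
    if (!mkdtemp(dir)) return r;
    snprintf(su, sizeof su, "%s/su", dir);
    r.before = static_check(dir);                /* clean at launch */
    int fd = monitor_open(dir);
    if (fd < 0) { rmdir(dir); return r; }
    int f = open(su, O_CREAT | O_WRONLY, 0600);  /* rooting switched on */
    if (f >= 0) close(f);
    chmod(su, 0755);
    r.on_root = monitor_poll(fd);
    unlink(su);                                  /* unrooting hides the file */
    r.on_unroot = monitor_poll(fd);
    r.after = static_check(dir);                 /* a repeat static check sees nothing */
    close(fd); rmdir(dir);
    return r;
}

int main(void) {
    struct demo_result r = demo_root_then_unroot();
    printf("before=%d on_root=0x%x on_unroot=0x%x after=%d\n", r.before, r.on_root, r.on_unroot, r.after);
}
```

Both point-in-time checks report a clean directory, while the event masks record that su was created, had its permissions changed and was deleted in between. An application acting on the alarm would re-run its full rooting detection policy rather than rely on the file name alone.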
While the invention has been shown and described with reference to certain preferred embodiments thereof, it will be understood by those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the invention. Accordingly, the scope of the invention should not be limited by the described embodiments but should be defined by the appended claims.
110: rooting detection device 202: rooting monitoring target setting unit
204: rooting event registration unit 206: rooting checking unit
Claims (16)
A rooting event registration unit configured to register the rooting monitoring target with an operating system (OS) of a portable terminal performing rooting detection;
A rooting checking unit for determining, when an event generated in the rooting monitoring target is received from the OS, whether the event corresponds to rooting behavior;
A rooting alarm unit for notifying the application that requested the rooting monitoring of the occurrence of rooting behavior when the rooting checking unit determines rooting behavior;
A rooting detection device comprising the above.
The rooting event registration unit,
registers the rooting monitoring target with a file monitoring event provided by the OS of the portable terminal.
The rooting event registration unit,
registers the rooting monitoring target with the file monitoring event by using an API provided by the OS.
The rooting monitoring target,
is set to a directory list or a file list that can be used as indicator information for determining whether rooting has occurred.
The event,
occurs when a file attribute change occurs in the directory list or file list registered as the rooting monitoring target.
The event,
occurs when any of file creation, deletion, file name change, file move, permission change, or file modification occurs in the directory list or the file list.
The rooting checking unit,
when the rooting monitoring is requested, checks before executing the application whether rooting has been performed on the portable terminal using a predetermined rooting detection policy, and transmits the check result to the application.
The directory list,
includes at least one of /system, /sbin or /bin.
The file list,
includes one or more of the su file or the adbd file.
The application,
is an application that processes financial information or personal information.
Registering the rooting monitoring target with an OS of the portable terminal;
Determining, when an event occurring in the rooting monitoring target is received from the OS, whether the event corresponds to rooting behavior;
Notifying the application of the occurrence of rooting behavior when rooting behavior is determined;
A rooting detection method comprising the above.
The rooting monitoring target,
is registered with the file monitoring event provided by the OS.
The rooting monitoring target,
is set to a directory list or a file list that can be used as indicator information for determining whether rooting has occurred.
The event,
occurs when a file attribute change occurs in the directory list or file list registered as the rooting monitoring target.
The event,
occurs when any of file creation, deletion, file name change, file move, permission change, or file modification occurs in the directory list or the file list.
The method further comprises:
Checking whether rooting is being performed on the portable terminal using a predetermined rooting detection policy before the application is executed;
Reporting the rooting behavior to the application when the check shows that rooting is being performed on the portable terminal.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020120106847A KR101256453B1 (en) | 2012-09-26 | 2012-09-26 | Apparatus and method for detecting rooting |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020120106847A KR101256453B1 (en) | 2012-09-26 | 2012-09-26 | Apparatus and method for detecting rooting |
Publications (1)
Publication Number | Publication Date |
---|---|
KR101256453B1 (en) | 2013-04-19 |
Family
ID=48443483
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
KR1020120106847A KR101256453B1 (en) | 2012-09-26 | 2012-09-26 | Apparatus and method for detecting rooting |
Country Status (1)
Country | Link |
---|---|
KR (1) | KR101256453B1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20160074832A (en) | 2014-12-18 | 2016-06-29 | 주식회사 안랩 | Method and apparatus for detection of rooting by analyzing elf binary |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR101038048B1 (en) * | 2009-12-21 | 2011-06-01 | 한국인터넷진흥원 | Botnet malicious behavior real-time analyzing system |
-
2012
- 2012-09-26 KR KR1020120106847A patent/KR101256453B1/en active IP Right Grant
Similar Documents
Publication | Publication Date | Title |
---|---|---|
KR101161493B1 (en) | Method of Examining Malicious Codes and Dangerous Files in Android Terminal Platform | |
CN1322385C (en) | Computer architecture for executing a program in a secure or insecure mode | |
CN107145782B (en) | Abnormal application program identification method, mobile terminal and server | |
CN105531692A (en) | Security policies for loading, linking, and executing native code by mobile applications running inside of virtual machines | |
JP6984710B2 (en) | Computer equipment and memory management method | |
CN104143065A (en) | Safety intelligent terminal equipment and information processing method | |
CN102289612A (en) | System and method for n-ary locality in a security co-processor | |
CN111177708A (en) | PLC credibility measuring method, system and measuring device based on TCM chip | |
CN109753793B (en) | Hot patching method and hot patching device | |
Cho et al. | Anti-debugging scheme for protecting mobile apps on android platform | |
Tang et al. | Detecting permission over-claim of android applications with static and semantic analysis approach | |
Yang et al. | {Iframes/Popups} Are Dangerous in Mobile {WebView}: Studying and Mitigating Differential Context Vulnerabilities | |
CN105745896A (en) | Systems and methods for enhancing mobile security via aspect oriented programming | |
KR101256453B1 (en) | Apparatus and method for detecting rooting | |
KR101256461B1 (en) | Apparatus and method for detecting start point of process | |
JP2013222422A (en) | Program, information processing device, and information processing method | |
JP2011145945A (en) | Malware detecting device and malware detecting method | |
EP3136278B1 (en) | Dynamically loaded code analysis device, dynamically loaded code analysis method, and dynamically loaded code analysis program | |
EP3853754B1 (en) | Software policy engine in virtual environment | |
US11611570B2 (en) | Attack signature generation | |
KR102358099B1 (en) | A method for interception of hacker | |
KR101453357B1 (en) | Method and apparatus for diagnosing and removing malware in portable device | |
CN111625784B (en) | Anti-debugging method of application, related device and storage medium | |
KR101549342B1 (en) | Method and apparatus for hacking protection of web browser | |
KR102556413B1 (en) | Method and apparatus for managing a virtual machine using semaphore |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
A201 | Request for examination | ||
A302 | Request for accelerated examination | ||
E902 | Notification of reason for refusal | ||
E701 | Decision to grant or registration of patent right | ||
GRNT | Written decision to grant | ||
FPAY | Annual fee payment | Payment date: 20170417; Year of fee payment: 5 |
FPAY | Annual fee payment | Payment date: 20180416; Year of fee payment: 6 |
FPAY | Annual fee payment | Payment date: 20190415; Year of fee payment: 7 |