WO2015184891A1 - Security management and control method, apparatus, and system for android system - Google Patents


Info

Publication number
WO2015184891A1
Authority
WO
WIPO (PCT)
Prior art keywords
security management
android
terminal
trusted
kernel
Application number
PCT/CN2015/074647
Other languages
French (fr)
Chinese (zh)
Inventor
张敏
何剑
罗志云
Original Assignee
中兴通讯股份有限公司 (ZTE Corporation)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Definitions

  • The invention relates to the technical field of security management and control of the Android system, and in particular to a security management and control method, device and system for an Android system.
  • Smart terminal devices running the Android system show explosive growth not only in the number of terminals but also in the variety of terminal types.
  • Android is no longer applied only to smart phones; it is also used in television set-top boxes, car navigation devices, wearable devices and similar terminal devices.
  • Android is an open-source mobile operating system based on the Linux platform, announced by Google Inc. on November 5, 2007.
  • The platform consists of an operating system, middleware, a user interface and application software. It adopts a software-stack architecture that is divided into three main parts.
  • The lowest layer is the Linux kernel, written in C, which provides only basic functions.
  • The middle layer includes the libraries and the virtual machine, usually developed in C++.
  • The top layer is the application software (call programs, SMS programs and so on), developed by individual companies, usually with Java as the main programming language.
  • Related art 1 discloses a security monitoring system for an Android system, comprising: a configuration management unit configured to configure a security policy; a centralized management unit configured to perform security detection according to the security policy; and a plurality of detection units, each configured to detect, under the centralized management unit, whether an application to be executed is secure, the detection units being located at different levels of the Android system.
  • This solution can effectively prevent unauthorized, insecure acquisition of resources and data and unauthorized access behavior in the Android system, and greatly improves its security.
  • Its disadvantage is that it only hardens the kernel and the system locally, which makes the software system of the whole terminal tend to become frozen: a trusted upgrade of the software version is impossible, and the security policy cannot be adjusted dynamically.
  • Related art 2 discloses a security access control method for an Android terminal: a security policy publisher is set up on a primary server and a security policy loader on the Android terminal; the loader communicates with the publisher over the air interface and the HTTP protocol and receives the messages it pushes; a global security policy is configured in the Android terminal; finally the primary server issues instructions to the Android terminal, which receives and executes them. The method requires no participation by the terminal user and loads the global security policy automatically at boot to guarantee a minimum security target for the system.
  • Related art 2 prevents tampering by writing the security policy loader into the kernel of the Android terminal; the loader then receives the messages pushed by the security policy publisher and deploys the security policy.
  • Its shortcomings are: first, it does not go deeper into anti-tampering of the terminal system and cannot prevent the whole software kernel from being reflashed, so the risk of cracking remains; second, it does not address the security of the network communication between the security policy loader and the security policy publisher, so the so-called security policy publisher may be forged; in addition, it does not say how the security policy loader is upgraded together with the kernel.
  • Related art 3 discloses a smart device having both a mobile terminal operating system and a desktop operating system.
  • It introduces a mode in which the desktop operating system and the mobile terminal operating system verify each other. Its disadvantage is that it cannot solve secure startup of the terminal device after the network is disconnected, so the security of the terminal is greatly reduced when it operates on its own.
  • The object of the embodiments of the present invention is to provide a security management and control method and apparatus for an Android system, and a system thereof.
  • A security management method for an Android system, applied on the server side, includes:
  • The security management policy refers to trusted operation behavior applied to the Android system and the kernel included in the Android terminal.
  • The security management policy includes one or more of the following: installing a trusted application; forcibly uninstalling an illegal application; modifying the SELinux permission rules of the kernel and the iptables network firewall rules to improve security; monitoring illegal cracking behavior on the Android terminal and raising an alarm; scanning the peripherals of the Android terminal for viruses; and triggering the Android terminal to upgrade to a trusted software version.
  • Before the step of dynamically sending the corresponding security management policy file to the target Android terminal according to the security management policy adjustment instruction, the method further includes:
  • The step of dynamically sending the corresponding security management policy file to the target Android terminal according to the security management policy adjustment instruction includes:
  • If the security management policy file does not modify the trusted kernel of the target Android terminal and does not need to modify the key files protected by the trusted kernel in the Android system, the security management policy file is delivered directly to the security management agent module of the target Android terminal.
  • If the security management policy file modifies the trusted kernel of the target Android terminal and/or a protected portion of the Android system, the method further includes: calculating the kernel digital digest and the Android system file monitoring credentials as they will be after the policy is implemented; encrypting the new kernel digital digest and Android system file monitoring credentials with a private password and digitally signing them with the private key of the server's digital certificate; and sending the signed, encrypted kernel digital digest and Android system file monitoring credentials to the security management agent module of the target Android terminal.
  • A security management method for an Android system, applied on the server side, includes:
  • The terminal software version upgrade file includes a new trusted kernel, a new Android version and the IMA file verification policy for the new Android version.
  • The method further includes:
  • A security management method for an Android system, applied on the Android terminal, includes:
  • The current security management status information is reported in real time.
  • The security management policy refers to trusted operation behavior applied to at least the Android system and the kernel included in the Android terminal.
  • The security management policy includes one or more of the following: installing a trusted application; forcibly uninstalling an illegal application; modifying the SELinux permission rules of the kernel and the iptables network firewall rules to improve security; monitoring illegal cracking behavior on the Android terminal and raising an alarm; scanning the peripherals of the Android terminal for viruses; and triggering the Android terminal to upgrade to a trusted software version.
  • The method further includes:
  • The security management policy file is executed after it is received from the security management server.
  • The method further includes:
  • The new kernel digital digest is injected into the trusted BOOT of the Android terminal, and the new Android system file monitoring credentials are injected into the trusted kernel of the Android terminal;
  • the trusted BOOT and the trusted kernel of the Android terminal decrypt the new digital digest and file monitoring credentials with the private password and thereafter trust them.
  • The method further includes a boot verification step:
  • After the Android terminal is powered on, the hardware trust root performs digital digest verification on the trusted BOOT of the Android terminal; the trusted BOOT of the Android terminal verifies the trusted kernel; and the trusted kernel of the Android terminal performs timed or on-demand file integrity verification of the security management agent part and of the regular Android framework.
  • If a verification fails, the hardware trust root directs the conventional hardware to power off, or the Android terminal is prevented in software from continuing the boot.
  • A security management method for an Android system, applied on the Android terminal, includes:
  • The current security management status information is reported in real time.
  • The method further includes:
  • After receiving the software version upgrade file, the security management agent module of the Android terminal obtains an upgrade license for the Android terminal;
  • the security management agent module of the Android terminal injects the new trusted kernel digital digest into the trusted BOOT of the Android terminal, which decrypts it with the private password, obtains the certificate from the hardware trust root of the Android terminal, and verifies the new kernel;
  • the Android terminal downloads the new kernel version, the new Android version and the new security management agent module from a website onto a peripheral device of the Android terminal, and performs a system upgrade of the Android terminal by flashing under the direction of that website;
  • the new trusted kernel is then started successfully by the trusted BOOT, and the Android terminal also loads the new Android version and the new terminal security management agent module.
  • An Android terminal includes a network management protocol terminal module, a security management agent module, a trusted boot device (BOOT) and a hardware trust root, where:
  • the network management protocol terminal module is configured to collect terminal information and communicate with the security management server;
  • the security management agent module is configured to receive and execute the security management policy issued by the security management server, and to feed the security control status of the terminal back to the security management server;
  • the hardware trust root is configured to store the unique identity information of the terminal and the issuing root certificate of the security management server's digital certificate.
  • Optionally, the trusted BOOT itself serves as the hardware trust root.
  • Optionally, the terminal further includes a trusted boot device (BOOT) and a trusted kernel, where:
  • the hardware trust root is further configured to store the digital digest information of the trusted BOOT;
  • the trusted BOOT is configured to store the digital digest information of the trusted kernel;
  • the trusted kernel is configured to verify the integrity of the Android system files and the integrity of the security management agent module.
  • The security management and control method of the present technical solution forms a complete and firm trust chain from the hardware trust root to the digital certificate center of the security management server through trusted interactions between modules. Compared with the related art, it not only makes the Android terminal unbreakable at the software level but also allows the terminal security policy to be adjusted flexibly and the terminal software version to be upgraded in a trusted manner, ensuring security management and control while improving the user experience and reducing the cost of subsequent upgrade maintenance.
  • FIG. 1 is a schematic structural diagram of the modules of an Android terminal device according to an embodiment of the present invention.
  • FIG. 2 is a schematic structural diagram of the modules of the server in an embodiment of the present invention.
  • FIG. 3 is a schematic flowchart of the method for performing secure boot verification during the boot process of the Android terminal device and for security monitoring during continuous operation, according to an embodiment of the present invention.
  • FIG. 4 is a schematic flowchart of the method performed when the server needs to initiate a change of the security management and control policy on a terminal, or to initiate a software version update of the terminal.
  • FIG. 5 is a schematic diagram of one implementation of the security management method, namely the process of installing a trusted application store.
  • FIG. 6 is a schematic diagram of another implementation of the security management method: after trusted boot of the old version of the Android terminal is ensured, a trusted software upgrade of the whole terminal is triggered.
  • The embodiment of the present invention provides a method and system for security control through trusted dynamic interaction between the hardware root of the terminal device and the remote security management server. While the hardware-based Android software system of the terminal is made unbreakable, the security status of the terminal can be reported in real time, the security management policy of the terminal can be adjusted dynamically from the remote server, and the terminal device is allowed to perform function upgrades to trusted software versions.
  • The hardware trust root of the terminal device and the digital certificate center of the remote control server form a complete trust chain, so the security management policy of the terminal device can be adjusted remotely in a flexible and trustworthy manner.
  • By issuing digest credentials encrypted with a private password, the digests used for the hardware-to-kernel integrity check at terminal startup can be modified, so the terminal device can trust a new version or new function and a version/function upgrade can be implemented.
  • The security management system of the embodiment of the present invention includes an Android system terminal part and a security management server part. The two are connected through a network, and the security management server can manage and maintain multiple Android system terminals at the same time.
  • The specific module structure is as follows:
  • An Android system terminal device includes:
  • the conventional Android framework software system 101, and the conventional hardware 102, which includes a CPU, a memory unit, a wireless module and the like.
  • The Android system terminal device further includes:
  • the network management protocol terminal module 103, configured to collect terminal device information and to communicate with the network management protocol server module of the security management server.
  • The network management protocol terminal module 103 optionally interacts with the management server as the terminal side of a TR069 network management protocol system.
  • The security management agent module 104 is configured to receive and execute the security management policy delivered by the security management server, and to feed the security management status of the terminal back to the security management server.
  • The security management policy refers to trusted operations applied to other components such as the Android system and the kernel, including but not limited to: installing trusted applications, forcibly uninstalling illegal applications, making beneficial modifications to the kernel's SELinux permission rules and iptables network firewall rules to improve security, monitoring illegal cracking of the terminal and raising alarms, scanning peripherals for viruses, and triggering the terminal to upgrade to a trusted software version.
  • The hardware trust root 105 is configured to store the unique identity information of the terminal, the issuing root certificate of the management server's digital certificate, and the digital digest information of the trusted boot (BOOT) 106 that is used to verify the BOOT.
  • The hardware trust root 105 stores the above content in a trusted chip or card peripheral provided by the hardware.
  • Optionally, the hardware trust root 105 can store these contents in the form of fingerprint or iris data.
  • The trusted boot (BOOT) 106 is trusted because the hardware trust root 105 performs a full digital digest check on it. At the same time, the trusted boot (BOOT) 106 contains the digital digest information of the trusted kernel, which is used to verify the kernel when the system boots.
  • If the trusted boot (BOOT) 106 is considered sufficiently secure, the functionality of the hardware trust root 105 can be integrated into it; the trusted boot (BOOT) 106 is then itself treated as the trust root and does not need to be verified.
  • In that case the trusted boot (BOOT) 106 can directly carry the signed root certificate of the security management server's digital certificate and the unique identity information of the terminal.
  • The trusted kernel 107 is trusted because its digital digest has been verified by the trusted boot (BOOT) 106. It is configured to perform timed or on-access verification of the integrity of the Android system files and of the security management agent module 104.
  • The verification mechanism optionally adopts IMA (integrity measurement architecture) technology, which provides integrity measurement and verification of critical system files/directories and block devices, including the security management agent module 104.
  • The security management server side of the embodiment of the present invention includes a security management server and a secure digital certificate center 205, where:
  • the security management server includes a network management protocol server module 201, a security policy management module 202, a terminal general management module 203 and a background database module 204, where
  • the network management protocol server module 201 implements the network management protocol for coordinated management of multiple terminal devices on the server side.
  • The network management protocol server module 201 can be the server-side implementation of the TR069 protocol and can manage the status of a large number of Android terminals (for example, up to hundreds of thousands).
  • The security policy management module 202 analyzes and processes security policy requirements, arranges an execution plan, and collects the feedback results.
  • The terminal general management module 203 is configured to collect information on the basic state of the terminal devices, manage their classification and online status, and collect and manage logs.
  • The background database module 204 is configured to provide database services such as storage and queries to the security management server.
  • The secure digital certificate center 205 is configured to store and maintain the digital certificates, private keys, private passwords and so on of the security management server, and to centrally handle the issuing and revocation of the terminal devices' digital certificates.
  • The digital certificate center can be appropriately isolated from the security management server to ensure its security.
  • The network management protocol terminal module 103 is connected to the security management agent module 104 and provides the ability to interact with the security management server. The Android terminal device can read the digital certificate information from the hardware trust root 105 and thereby verify the identity of the security management server during the SSL encrypted connection; the hardware trust root 105 is also accessed so that the terminal identity information it holds can be managed by the security management server.
  • The hardware trust root 105 performs a digital digest check on the trusted boot (BOOT) 106; the trusted boot (BOOT) 106 in turn verifies the trusted kernel 107; and the trusted kernel 107 performs timed or on-demand file integrity verification of the security management agent module 104 and the regular Android framework.
  • The hardware trust root 105 is also connected to the conventional hardware 102, so that the power can be cut off promptly when a security exception occurs.
  • The security management agent module 104 is central to the embodiment. On the one hand it can access the other modules of the terminal and apply specific security management policies. On the other hand it can obtain from the security management server new-version integrity check credentials that have been encrypted with the private password and signed by the server (the integrity check credentials include the BOOT's digital digest, the kernel's digital digest, and the digital digest information of the Android system files), and inject the signed new-version integrity check credentials into the hardware trust root 105, the trusted boot (BOOT) 106 and the trusted kernel 107 respectively, so that the new version is accepted.
  • The background database module 204 and the secure digital certificate center 205 are located in the background and provide services to the security policy management module 202 and the terminal general management module 203.
  • The two management modules, the security policy management module 202 and the terminal general management module 203, provide the operator with an operation interface and also use the network management protocol server module 201 to reach the Android terminal devices.
  • The above server-side architecture only explains the basic structure of the invention.
  • A real server has many additional functions, such as a web service, a remote access service and a file download service, and the actual interaction between these modules is also more complicated; these are extensions of specific implementations that those skilled in the art can realize on the basis of the invention and common general knowledge, and they are not described again here.
  • The boot verification process includes the following steps:
  • Step 301: The terminal device is powered on, and the hardware trust root 105 and the conventional hardware 102 start to operate.
  • The hardware trust root does not have to start immediately upon power-up.
  • Step 302: The hardware trust root 105 calculates the digest of the trusted BOOT 106 and compares it with the stored trusted BOOT digital digest value to check its integrity.
  • Step 303: If the hardware trust root 105 finds that the trusted BOOT 106 has been tampered with, it instructs the conventional hardware 102 to cut the power, the boot process is interrupted, and the process proceeds to step 305. If the trusted BOOT 106 has not been tampered with, go to step 304.
  • Step 304: The trusted BOOT 106 starts and begins to boot the trusted kernel 107; the trusted BOOT 106 calculates the digest of the kernel and compares it with the stored trusted kernel digital digest value to check the kernel's integrity.
  • Step 305: Terminate the system loading process.
  • Step 306: Determine whether the trusted kernel 107 has been tampered with. If the trusted BOOT 106 finds that the trusted kernel 107 has been tampered with, go to step 305 and restart the device, or lock the system and pop up an alarm to the user; if the trusted kernel 107 has not been tampered with, go to step 307.
  • Step 307: After the trusted kernel 107 is loaded, the Android system and the security management agent module 104 of the terminal continue to load.
  • Step 308: The terminal security management agent module 104 starts, reads the digital certificate information from the hardware trust root, and establishes an SSL-authenticated encrypted link with the security management server using the TR069 network management protocol.
  • Step 309: The trusted kernel 107 starts the file integrity verification mechanism.
  • The IMA monitoring mechanism may be used; the key files of the Android system and the security management agent module 104 are monitored for tampering, either on a timer or on access.
  • Step 310: Determine whether a key file of the Android system has been tampered with; if so, perform steps 311-312, otherwise go to step 313.
  • Step 311: If a key file of the Android system is found to have been tampered with, the security management agent module 104 encrypts the file tampering information with the private password and sends it over SSL to the security management server, which confirms whether it is a false alarm.
  • Step 312: If the security management server is unreachable for a certain period, or does not exempt the modification, the trusted kernel 107 issues an alarm to the user or locks the system. In other application scenarios, according to a security policy sent in advance by the server, it may instead only log the event or take no action for the time being.
  • Step 313: Determine whether the security management agent module 104 has been tampered with. If so, the trusted kernel 107 must immediately alarm the user or immediately lock the system. If the security management server has exempted the Android system file modification, normal operation continues; go to step 314.
  • Step 314: If the security management agent module 104 itself has not been tampered with, and the key files of the Android system either have not been tampered with or their modification has been exempted by the security management server, the Android system remains in normal operation.
  • Step 400: When the security management server detects that the security management policy of a terminal needs to be adjusted, it determines the target range of terminals and begins to actively access the specified terminal devices.
  • Step 401: Determine whether the new security management policy modifies the kernel or the protected files of the Android system. If yes, go to step 403; otherwise go to step 402.
  • Step 402: If the new security management policy does not modify the trusted kernel of the terminal and does not need to modify the key files of the Android system protected by the trusted kernel, the security management server issues the policy directly to the security management agent module, which executes it on receipt, and the process ends.
  • Step 403: If the new security management policy modifies the kernel or the protected portion of the Android system, the security management server calculates in advance the kernel digital digest and the Android system file monitoring credentials as they will be after the policy is implemented.
  • Step 404: The security management server encrypts the new kernel digital digest and the system file monitoring credentials with the private password and digitally signs them with the private key of the server certificate. (In this embodiment the system file monitoring credentials may be the digital digest information of the series of monitored files maintained by the IMA file monitoring system.)
  • Step 405: The security management server sends the above result to the security management agent module of the terminal through the SSL secure channel.
  • Step 406: The security management agent module injects the new kernel digital digest into the trusted BOOT, and the new Android system file monitoring credentials into the kernel.
  • Step 407: The BOOT and the kernel of the terminal decrypt the new digital digest and file monitoring credentials with the private password and thereafter trust them.
  • Step 408: The security management server sends the new terminal security management policy, which modifies the kernel and the Android files. Besides modification driven directly through the security management agent module, the terminal user may also download the new software version from a specific website and apply it by flashing the terminal device, or update it by other means. At the next device reboot and file security verification the new digests and credentials are in force, so no false tamper alarm occurs.
  • When the software version is upgraded, the method shown in FIG. 4 may also be used; that description is not repeated.
  • The control method for a software version upgrade may also adopt the method shown in FIG. 6.
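The boot-verification chain of steps 301-314 and the credential-update flow of steps 400-408 can be modelled end to end in a short program. The Go code below is an added example written for this page, not code from the patent or from its assignee. It assumes SHA-256 for the "digital digest", a 32-byte pre-shared AES-GCM key for the "private password", and an Ed25519 key pair whose public half plays the role of the root certificate held in the hardware trust root (a one-level chain; a real deployment would verify the server's certificate against that root). The BOOT, kernel and agent images and the file path are constructed byte strings, and the module numbers in the comments refer to FIG. 1. The check a practitioner should look for is in Inject: the agent verifies the server signature against the root before it decrypts, so an envelope built by someone who knows only the shared private password is rejected, and a new kernel becomes bootable only after a genuinely signed digest has been injected into BOOT.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// digestOf stands in for the page's "digital digest"; SHA-256 is an assumption.
func digestOf(b []byte) [32]byte { return sha256.Sum256(b) }

// Terminal holds the verification state spread over modules 105-107 of FIG. 1.
type Terminal struct {
	RootPub    ed25519.PublicKey   // hardware trust root 105: root of the server certificate
	Password   []byte              // shared "private password", modelled as a 32-byte AES key
	BootDigest [32]byte            // hardware trust root 105: digest of trusted BOOT 106
	KernelDig  [32]byte            // trusted BOOT 106: digest of trusted kernel 107
	FileCreds  map[string][32]byte // trusted kernel 107: IMA-style digests of protected files
}

// Boot walks steps 301-310: root checks BOOT, BOOT checks kernel, kernel checks files.
func (t *Terminal) Boot(boot, kernel []byte, files map[string][]byte) error {
	if digestOf(boot) != t.BootDigest {
		return errors.New("step 303: BOOT tampered; power off")
	}
	if digestOf(kernel) != t.KernelDig {
		return errors.New("step 306: kernel tampered; lock system")
	}
	for path, want := range t.FileCreds {
		if got, ok := files[path]; !ok || digestOf(got) != want {
			return errors.New("step 310: protected file tampered: " + path)
		}
	}
	return nil
}

// Credentials is what the server computes in step 403; Envelope is the step 405 payload.
type Credentials struct{ KernelDigest [32]byte; FileCreds map[string][32]byte }
type Envelope struct{ Blob, Signature []byte } // Blob = nonce || AES-GCM ciphertext, signed whole

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // the key length is fixed by configuration, so this is a deployment bug
	}
	gcm, _ := cipher.NewGCM(block) // NewGCM cannot fail for an AES block
	return gcm
}

// Seal is step 404 on the server: encrypt under the private password, then sign with an Ed25519 key standing in for the server certificate's private key.
func Seal(c Credentials, password []byte, serverPriv ed25519.PrivateKey) Envelope {
	plain, _ := json.Marshal(c) // byte arrays and a string-keyed map always marshal
	gcm := aead(password)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand.Read does not fail on supported platforms
	blob := gcm.Seal(nonce, nonce, plain, nil) // dst=nonce, so blob is nonce||ciphertext||tag
	return Envelope{Blob: blob, Signature: ed25519.Sign(serverPriv, blob)}
}

// Inject is steps 406-407 on the terminal: verify against the root held in the hardware trust root BEFORE decrypting, then install the new digests.
func (t *Terminal) Inject(e Envelope) error {
	if !ed25519.Verify(t.RootPub, e.Blob, e.Signature) {
		return errors.New("envelope not signed under the trusted root; rejected")
	}
	gcm := aead(t.Password)
	plain, err := gcm.Open(nil, e.Blob[:gcm.NonceSize()], e.Blob[gcm.NonceSize():], nil)
	var c Credentials
	if err == nil {
		err = json.Unmarshal(plain, &c)
	}
	if err != nil {
		return err // wrong password, modified ciphertext, or malformed credentials
	}
	t.KernelDig, t.FileCreds = c.KernelDigest, c.FileCreds
	return nil
}

// RunScenario drives the flows on constructed images: clean boot, boot with a not-yet-trusted kernel, forged envelope, boot after a signed update.
func RunScenario() (clean, untrustedKernel, forged, afterUpdate error) {
	boot, kernel, newKernel := []byte("boot-v1"), []byte("kernel-v1"), []byte("kernel-v2")
	files := map[string][]byte{"/system/bin/secagent": []byte("agent-v1")} // constructed image
	password := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte private password
	rootPub, serverPriv, _ := ed25519.GenerateKey(rand.Reader)
	t := &Terminal{RootPub: rootPub, Password: password, BootDigest: digestOf(boot), KernelDig: digestOf(kernel),
		FileCreds: map[string][32]byte{"/system/bin/secagent": digestOf(files["/system/bin/secagent"])}}
	clean = t.Boot(boot, kernel, files)
	untrustedKernel = t.Boot(boot, newKernel, files) // BOOT still holds the v1 digest
	creds := Credentials{KernelDigest: digestOf(newKernel), FileCreds: t.FileCreds}
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader) // knows the password, not the server key
	forged = t.Inject(Seal(creds, password, attackerPriv))
	if afterUpdate = t.Inject(Seal(creds, password, serverPriv)); afterUpdate == nil {
		afterUpdate = t.Boot(boot, newKernel, files)
	}
	return
}
```

RunScenario returns four outcomes: a clean boot of the v1 images (nil), a boot with kernel v2 before its digest is injected (the step 306 error), the forged envelope (rejected at the signature check without ever being decrypted), and a boot with kernel v2 after the signed update (nil). The shared private password gives the digests confidentiality at most; their authenticity rests on the signature and the root certificate, which is why the verify-then-decrypt order in Inject matters.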
  • Step 501 Referring to the process of FIG. 1, the terminal boots with level-by-level integrity verification from the hardware root of trust to the kernel; the trusted kernel then uses IMA to continuously monitor the integrity of the terminal's Android system files, and the security management agent module establishes an SSL connection to the management server through the network management protocol terminal module.
  • Step 502 The security management server calculates in advance the file monitoring credentials of the application store and the kernel digital digest after the application store's digital certificate is installed, to obtain a calculation result.
  • Step 503 The calculation result is encrypted with a private password, simultaneously signed with the certificate of the management server, and delivered to the security management agent module of the terminal through SSL encryption.
  • Step 504 The security management agent module of the terminal passes the application store file digest information to the kernel IMA file monitoring system, and passes the kernel digital digest after the application store's digital certificate is installed to the boot loader BOOT.
  • Step 505 IMA and BOOT decrypt with the private password, obtain the root certificate of the server-side certificate from the hardware root of trust, verify the application store file information, and likewise verify the kernel after the new store certificate is installed.
  • Step 506 After the security management server confirms that the terminal has received the information, the security management agent module of the terminal downloads and installs the new application store and modifies the kernel, injecting the application store's digital certificate for verification.
  • Step 507 After the modification, the new kernel is accepted by BOOT and boots correctly, and the new application store also operates normally, because it is now covered by the integrity protection of the new kernel's IMA file monitoring system.
  • The method can be applied to the security management and control method when the security management policy is changed, that is, the method described in FIG. 4, and can also be applied to the security management and control method during a software version upgrade, that is, the method described in FIG. 6; details are not repeated here.
  • The management server triggers a trusted upgrade of the software version of the entire terminal; that is, all software modules except BOOT in this embodiment need to be replaced. It is worth noting that a general system upgrade does not need to modify or upgrade BOOT.
  • Step 601 Referring to the process of FIG. 1, the terminal boots with level-by-level integrity verification from the hardware root of trust to the kernel; the trusted kernel then uses IMA to continuously monitor the integrity of the terminal's Android system files, and the security management agent module establishes an SSL connection to the management server through the network management protocol terminal module.
  • Step 602 The security management server prepares a new trusted kernel in advance, into which the IMA file verification policy for the new Android version is merged.
  • Step 603 The security management server calculates the digital digest information of the new version of the trusted kernel, encrypts the calculation result with a private password, simultaneously signs it with the certificate of the management server, and delivers it to the security management agent module of the terminal through SSL encryption.
  • Step 604 The security management agent module of the terminal learns that the entire system is about to be updated and obtains the terminal user's permission to upgrade through a pop-up interface.
  • Step 605 After the user permits, the security management agent module of the terminal injects the new trusted kernel digital digest into BOOT, which decrypts it with the private password, obtains the certificate from the hardware root of trust, and verifies the new kernel.
  • Step 606 The user downloads the new kernel version, the new Android version and the new security management agent module from the website to a peripheral such as a USB flash drive or TF card, and performs the system upgrade through the flashing procedure the website describes.
  • Step 607 After the device is flashed, the new trusted kernel is accepted by BOOT and starts normally. At the same time, the new Android version and the new security management agent module of the terminal are loaded. The new trusted kernel then performs IMA tamper-proof monitoring on the new Android file system and on the terminal security management agent module as usual.
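The two mechanisms the steps above rely on are the level-by-level boot check (hardware root of trust verifies BOOT, BOOT verifies the kernel, the kernel's IMA verifies the monitored files) and the credential update of steps 404 to 407, 503 to 505 and 603 to 605 (the server encrypts the new digest with the private password and signs it; the terminal verifies the signature against the root certificate held by the hardware root of trust before BOOT or the kernel adopts the new value). The Go program below simulates both end to end. It is an added example written for this page, not code from the patent or from the applicant, and it makes several assumptions the patent leaves open: SHA-256 for digests, AES-GCM with a SHA-256-derived key for the "private password" encryption, Ed25519 for the server signature with the server's public key standing in for the root certificate, and constructed byte strings in place of real flash images and system files. The names `Terminal`, `Update`, `IssueUpdate`, `Inject` and `/system/bin/secagent` are invented for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Terminal is a constructed device; byte slices stand in for flash partitions.
type Terminal struct {
	// Held by the hardware root of trust: the expected BOOT digest and the root key behind the
	// server certificate (assumption: the server's signing key itself stands in for a CA root).
	RootBootDigest string
	ServerRootKey  ed25519.PublicKey
	KernelDigest   string            // held by BOOT: the digest of the kernel it may start
	FileDigests    map[string]string // held by the kernel: IMA expected digest per monitored file
	BootImage, KernelImage []byte
	Files          map[string][]byte
	password       []byte // the "private password" shared with the server (assumption: pre-provisioned)
}

// Update is the server's message: a credential encrypted under the private password and signed.
// Target ("kernel" or "file:<path>") is signed and bound as GCM associated data, so a genuine
// credential cannot be redirected into a slot other than the one the server meant.
type Update struct {
	Target                       string
	Nonce, Ciphertext, Signature []byte
}

// Digest is the raw SHA-256 of an image or file (assumption: the patent does not fix the hash).
func Digest(b []byte) string { s := sha256.Sum256(b); return string(s[:]) }

func signedBytes(u Update) []byte { return append(append([]byte(u.Target+"\x00"), u.Nonce...), u.Ciphertext...) }

// aeadFor derives a 256-bit AES-GCM key from the password (assumption: SHA-256 as the KDF).
func aeadFor(password []byte) cipher.AEAD {
	k := sha256.Sum256(password)
	block, _ := aes.NewCipher(k[:]) // a 32-byte key cannot fail
	a, _ := cipher.NewGCM(block)
	return a
}

// VerifyBoot replays the level-by-level check root of trust -> BOOT -> kernel -> IMA files;
// the error names the level that failed, which is what decides between powering off and halting.
func VerifyBoot(t *Terminal) error {
	if Digest(t.BootImage) != t.RootBootDigest {
		return errors.New("root of trust: BOOT digest mismatch")
	}
	if Digest(t.KernelImage) != t.KernelDigest {
		return errors.New("BOOT: kernel digest mismatch")
	}
	for name, want := range t.FileDigests {
		if data, ok := t.Files[name]; !ok || Digest(data) != want {
			return errors.New("IMA: integrity failure on " + name)
		}
	}
	return nil
}

// IssueUpdate is the server side (steps 404-405, 503, 603): encrypt with the private password, then sign.
func IssueUpdate(serverKey ed25519.PrivateKey, password []byte, target, credential string) Update {
	a := aeadFor(password)
	u := Update{Target: target, Nonce: make([]byte, a.NonceSize())}
	if _, err := rand.Read(u.Nonce); err != nil {
		panic(err) // no usable entropy: refuse to issue anything
	}
	u.Ciphertext = a.Seal(nil, u.Nonce, []byte(credential), []byte(target))
	u.Signature = ed25519.Sign(serverKey, signedBytes(u))
	return u
}

// Inject is the terminal side (steps 406-407, 504-505, 605): verify the signature against the root
// held by the hardware root of trust, decrypt with the private password, and only then replace the
// credential Target names ("kernel" is what BOOT trusts, "file:<path>" is one IMA entry).
func (t *Terminal) Inject(u Update) error {
	if !ed25519.Verify(t.ServerRootKey, signedBytes(u), u.Signature) {
		return errors.New("update rejected: bad server signature")
	}
	pt, err := aeadFor(t.password).Open(nil, u.Nonce, u.Ciphertext, []byte(u.Target))
	if err != nil || len(pt) != sha256.Size {
		return errors.New("update rejected: decryption failed or malformed digest")
	}
	switch {
	case u.Target == "kernel":
		t.KernelDigest = string(pt)
	case len(u.Target) > 5 && u.Target[:5] == "file:":
		t.FileDigests[u.Target[5:]] = string(pt)
	default:
		return errors.New("update rejected: unknown target")
	}
	return nil
}

// NewDemoTerminal provisions a device whose constructed images already match the digests held
// by the root of trust, BOOT and the IMA credential list, i.e. the state after a clean boot.
func NewDemoTerminal(serverRoot ed25519.PublicKey, password []byte) *Terminal {
	boot, kernel, agent := []byte("constructed BOOT image v1"), []byte("constructed kernel image v1"), []byte("constructed security management agent v1")
	return &Terminal{
		RootBootDigest: Digest(boot), ServerRootKey: serverRoot, KernelDigest: Digest(kernel),
		FileDigests: map[string]string{"/system/bin/secagent": Digest(agent)},
		BootImage:   boot, KernelImage: kernel, Files: map[string][]byte{"/system/bin/secagent": agent},
		password:    password,
	}
}
```

Two design points are worth noting. Swapping the kernel image before the signed digest has been injected makes `VerifyBoot` fail at the BOOT level, exactly the false tampering alarm step 408 says the digest update prevents, and a forged update, an update under the wrong private password, or a file credential re-addressed to the kernel slot are all rejected before anything is written. In a real device the three checks would run in separate privilege domains (root of trust, boot loader, kernel) and the private password and root certificate would live in the hardware root of trust rather than in an ordinary struct field.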
  • the embodiment of the invention discloses a security management and control method for an Android system, including:
  • the security management policy refers to a trusted operation behavior applied to the Android system and the KERNEL kernel that are included in the terminal device.
  • the security management policy includes: installing a trusted application, forcibly uninstalling an illegal application, modifying the SELinux permission rules of the KERNEL kernel and the iptables network firewall rules for security purposes, monitoring illegal cracking of the terminal device and raising an alarm, scanning the peripherals of the terminal device for viruses, and triggering the terminal device to perform a trusted software version upgrade.
  • the embodiment of the invention also discloses a computer program, comprising program instructions which, when executed by a computer, enable the computer to perform the security management and control method of any of the above Android systems.
  • the embodiment of the invention also discloses a carrier carrying the computer program.
  • the embodiment of the invention also discloses a security management device for an Android system, comprising an instruction receiving unit and a processing unit, wherein:
  • the instruction receiving unit is configured to: receive an adjustment instruction of a security management policy or a terminal software version upgrade instruction;
  • the processing unit is configured to dynamically send the security management policy file or the terminal software version upgrade file corresponding to the instruction to the target terminal device according to the adjustment instruction of the security management policy or the terminal software version upgrade instruction.
  • the security management policy refers to a trusted operation behavior applied to the Android system and the KERNEL kernel that are included in the terminal device.
  • the security management policy includes: installing a trusted application, forcibly uninstalling an illegal application, modifying the SELinux permission rules of the KERNEL kernel and the iptables network firewall rules for security purposes, monitoring illegal cracking of the terminal device and raising an alarm, scanning the peripherals of the terminal device for viruses, and triggering the terminal device to perform a trusted software version upgrade.
  • the embodiment of the invention also discloses a server, which comprises the security management device of any Android system described above.
  • the embodiment of the invention also discloses a security management and control method for the Android system, including:
  • the current security management status information is reported in real time.
  • the security management policy refers to that the terminal device includes at least a trusted operation behavior applied to the Android system and the KERNEL kernel.
  • the security management policy includes: installing a trusted application, forcibly uninstalling an illegal application, modifying the SELinux permission rules of the KERNEL kernel and the iptables network firewall rules for security purposes, monitoring illegal cracking of the terminal device and raising an alarm, scanning the peripherals of the terminal device for viruses, and triggering the terminal device to perform a trusted software version upgrade.
  • before the foregoing step of dynamically receiving the security management policy file or the terminal software version upgrade file, the method further includes:
  • after the terminal device is powered on, the hardware root of trust performs digital digest verification on the trusted boot loader BOOT, the trusted boot loader BOOT verifies the KERNEL kernel, and the KERNEL kernel performs periodic or on-demand file integrity verification of the security management agent and the regular Android framework.
  • the method further includes:
  • when an abnormality occurs during the boot verification process, the hardware root of trust controls the conventional hardware to perform a power-down operation, or the device is prevented from continuing the boot operation.
  • the embodiment of the invention further discloses a computer program, comprising program instructions, which when executed by the computer, enable the computer to execute the security management method of any of the above Android systems.
  • the embodiment of the invention also discloses a carrier carrying the computer program.
  • the embodiment of the invention further discloses a security management device for an Android system, comprising a file receiving unit and a reporting unit, wherein
  • the file receiving unit is configured to: dynamically receive a security management policy file or a terminal software version upgrade file, and perform a security management policy or a terminal software version upgrade corresponding to the file;
  • the reporting unit is configured to: report current security management status information in real time.
  • the security management policy refers to a trusted operation behavior applied to the Android system and the KERNEL kernel that are included in the terminal device.
  • the security management policy includes: installing a trusted application, forcibly uninstalling an illegal application, modifying the SELinux permission rules of the KERNEL kernel and the iptables network firewall rules for security purposes, monitoring illegal cracking of the terminal device and raising an alarm, scanning the peripherals of the terminal device for viruses, and triggering the terminal device to perform a trusted software version upgrade.
  • the device further includes a verification unit, wherein
  • the verification unit is configured to: after the terminal device is powered on, have the hardware root of trust perform digital digest verification on the trusted boot loader BOOT, the trusted boot loader BOOT verify the KERNEL kernel, and the KERNEL kernel perform periodic or on-demand file integrity verification of the security management agent part and the regular Android framework.
  • the device further includes a security execution unit, wherein
  • the security execution unit is configured to: notify the hardware root of trust to control the conventional hardware to perform the power-off operation when it is determined that an abnormality has occurred during the boot verification process.
  • the embodiment of the invention further discloses a terminal device, which comprises the security management device of any Android system described above.
  • the embodiment of the invention also discloses a security management system for an Android system, comprising a server and a terminal device, wherein:
  • the server is configured to: receive a security management policy adjustment instruction or a terminal software version upgrade instruction, and dynamically send the security management policy file or terminal software version upgrade file corresponding to the instruction to the target terminal device according to that instruction.
  • the terminal device is configured to: dynamically receive the security management policy file or the terminal software version upgrade file, perform the security management policy or the terminal software version upgrade corresponding to the file, and report the current security management status information in real time.
  • the security management and control method of the technical solution of the present invention forms a complete and firm chain of trust from the hardware root of trust to the digital certificate center of the security management server. Through the trusted interaction between the modules, compared with the related art, it not only makes the Android terminal uncrackable in software but also makes it possible to flexibly adjust the terminal security policy and to upgrade the terminal software version in a trusted way, improving the user experience and reducing the cost of subsequent upgrades and maintenance while ensuring security management and control. Therefore, the present invention has strong industrial applicability.

Abstract

A security management and control method, apparatus, and system for an Android system. The method comprises: receiving a security management and control policy adjusting instruction or a terminal software version upgrade instruction; and dynamically sending a corresponding security management and control policy file or a corresponding terminal software version upgrade file to a target terminal device according to the security management and control policy adjusting instruction or the terminal software version upgrade instruction. In the security management and control method provided by the technical solution of the present invention, a complete and firm chain of trust is formed from the hardware root of trust to the center of the digital certificate of a security management and control server, and by means of reliable interaction processes between the modules, the present invention, compared with the related art, achieves the effect that the software in an Android terminal cannot be cracked, and can flexibly adjust the terminal security policy, improves reliable upgrade of the terminal software version, ensures security management and control and meanwhile improves the user experience, and reduces the subsequent upgrade and maintenance cost.

Description

Security management and control method, device and system for an Android system
Technical field
The invention relates to the technical field of security management and control of an Android system, and in particular to a security management and control method, device and system for an Android system.
Background
At present, smart terminal devices adopting the Android system not only show explosive growth in the number of terminals, but also span many kinds of terminal. For example, the Android system is applied not only to smart phones but also to terminal devices such as television set-top boxes, car navigation devices and wearable devices.
Android is an open source mobile operating system based on the Linux platform, announced by Google on November 5, 2007. The platform consists of an operating system, middleware, a user interface and application software. It adopts a software stack architecture, mainly divided into three parts: the bottom layer is based on the Linux kernel, is developed in C and provides only basic functions; the middle layer includes libraries and the virtual machine, usually developed in C++; the top layer is the various applications, such as the phone and SMS programs, which are developed by each company, usually in Java.
However, in practical applications, precisely because the Android system is so open, the highest system privilege (ROOT) can be obtained arbitrarily, so that malware behaviour such as background viruses stealing private data and advertising that incurs charges cannot be stopped.
In order to improve the security of the system, Related Art 1 discloses a security monitoring system for an Android system, comprising: a configuration management unit configured to configure a security policy; a centralized management unit configured to perform security detection according to the security policy; and a plurality of detection units, each configured to detect, through the centralized management unit, whether an application to be executed is secure, wherein the detection units are located at different levels of the Android system. This solution can effectively prevent unauthorized, insecure acquisition of Android system resources, data and access behaviour, greatly improving the security of the Android system. Its disadvantage is that it only hardens the kernel and system locally on the terminal, which causes the terminal's whole software system to become fixed, so that trusted upgrades of software version functionality and dynamic adjustment of the security policy are impossible.
Related Art 2 discloses a security access control method based on an Android terminal, comprising: first, a security policy publisher is set up on the primary server and a security policy loader on the Android terminal; the security policy loader communicates with the security policy publisher over the air interface protocol and the HTTP protocol and receives the messages pushed by the security policy publisher; second, a global security policy is configured on the Android terminal; finally, the primary server issues instructions to the Android terminal, which receives and executes them. The method requires no participation by the Android terminal user: the global security policy is loaded automatically at boot, guaranteeing the minimum security objectives of the system.
Related Art 2 writes the security policy loader into the kernel of the Android terminal to prevent tampering, then receives the messages pushed by the security policy publisher and deploys the security policy. Its disadvantages are: first, it does not go deeper into tamper-proofing of the terminal system and cannot avoid the cracking risk that arises when the entire software kernel is completely re-flashed; second, it does not address the security of the network communication with the security policy publisher, that is, the so-called security policy publisher may be forged; in addition, it does not say how the security policy loader is upgraded along with the kernel.
Related Art 3 discloses a smart device having a mobile terminal operating system and a desktop operating system, in which an operating mode with mutual verification between the desktop operating system and the mobile terminal operating system is introduced. Its disadvantage is that it cannot address secure startup of the terminal device after the network is disconnected, and security is greatly reduced when the terminal runs independently.
Summary of the invention
In order to solve at least one of the above technical problems, an object of the embodiments of the present invention is to provide a security management and control method, device and system for an Android system.
To solve the above technical problems, the following technical solutions are adopted:
A security management and control method for an Android system, used on the security management server side, including:
receiving a security management policy adjustment instruction;
dynamically sending the corresponding security management policy file to the target Android terminal according to the security management policy adjustment instruction.
Optionally, the security management policy refers to a trusted operation behaviour applied to the Android system and the KERNEL kernel that the Android terminal at least includes.
Optionally, the security management policy includes one or more of the following: installing a trusted application; forcibly uninstalling an illegal application; making beneficial modifications, for the purpose of improving security, to the SELinux permission rules and iptables network firewall rules of the KERNEL kernel; monitoring illegal cracking of the Android terminal and raising an alarm; scanning the peripherals of the Android terminal for viruses; and triggering the Android terminal to perform a trusted software version upgrade.
Optionally, before the step of dynamically sending the corresponding security management policy file to the target Android terminal according to the security management policy adjustment instruction, the method further includes:
determining whether the security management policy file will modify the trusted kernel of the target Android terminal or protected files of the Android system;
the step of dynamically sending the corresponding security management policy file to the target Android terminal according to the security management policy adjustment instruction includes:
if the security management policy file will not modify the trusted kernel of the target Android terminal and does not need to modify the key files of the Android system protected by the trusted kernel, the security management policy file is delivered directly to the security management agent module of the target Android terminal;
Optionally, the method further includes: if the security management policy file will modify the trusted kernel of the target Android terminal and/or the protected part of the Android system, calculating the kernel digital digest and the Android system file monitoring credentials that result from implementing the security management policy, encrypting the new kernel digital digest and Android system file monitoring credentials with a private password and digitally signing them with the private key of the server certificate, and then delivering the encrypted and signed kernel digital digest and Android system file monitoring credentials to the security management agent module of the target Android terminal.
A security management and control method for an Android system, used on the security management server side, including:
receiving a terminal software version upgrade instruction;
dynamically sending the corresponding terminal software version upgrade file to the target Android terminal according to the terminal software version upgrade instruction.
Optionally, the terminal software version upgrade file includes: a new trusted kernel, the IMA file verification policy of the new Android version, and a new trusted kernel.
Optionally, the method further includes:
calculating the digital digest information of the new version of the trusted kernel, encrypting the digital digest information with a private password, simultaneously signing it with the certificate of the security management server, and delivering it to the security management agent module of the Android terminal through SSL encryption.
A security management and control method for an Android system, used on an Android terminal, including:
dynamically receiving a security management policy file and executing the corresponding security management policy accordingly;
reporting the current security management status information in real time.
Optionally, the security management policy refers to a trusted operation behaviour applied to the Android system and the KERNEL kernel that the Android terminal at least includes.
Optionally, the security management policy includes one or more of the following: installing a trusted application; forcibly uninstalling an illegal application; making beneficial modifications, for the purpose of improving security, to the SELinux permission rules and iptables network firewall rules of the KERNEL kernel; monitoring illegal cracking of the Android terminal and raising an alarm; scanning the peripherals of the Android terminal for viruses; and triggering the Android terminal to perform a trusted software version upgrade.
Optionally, the method further includes:
executing the security management policy file after receiving it from the security management server side.
Optionally, the method further includes:
after receiving the encrypted and signed kernel digital digest and Android system file monitoring credentials delivered by the security management server side, injecting the new kernel digital digest into the trusted BOOT of the Android terminal and injecting the new Android system file monitoring credentials into the trusted kernel of the Android terminal;
the trusted BOOT and the trusted kernel of the Android terminal decrypt the new digital digest and file monitoring credentials with the private password and trust them.
Optionally, before the above steps are performed, a boot verification step is further included:
after the Android terminal is powered on, the hardware root of trust performs digital digest verification on the trusted BOOT of the Android terminal, the trusted BOOT of the Android terminal verifies the trusted kernel, and the trusted kernel of the Android terminal then performs periodic or on-demand file integrity verification of the security management agent part and the regular Android framework.
Optionally, when an abnormality occurs during the boot verification process of the Android terminal, the hardware root of trust controls the conventional hardware to perform a power-off operation, or the Android terminal is prevented in software from continuing the boot operation.
A security management and control method for an Android system, used on an Android terminal, including:
dynamically receiving a terminal software version upgrade file and performing the corresponding version upgrade accordingly;
reporting the current security management status information in real time.
Optionally, the method further includes:
after the security management agent module of the Android terminal receives the software version upgrade file, it obtains upgrade permission for the Android terminal;
after permission is given on the Android terminal, the security management agent module of the Android terminal injects the new trusted kernel digital digest into the trusted BOOT of the Android terminal, which decrypts it with the private password, obtains the certificate from the hardware root of trust of the Android terminal and verifies the new kernel;
the Android terminal downloads the new kernel version, the new Android version and the new security management agent module to a peripheral of the Android terminal by way of a website download, and the Android terminal is upgraded through the flashing procedure guided by the website;
after the Android terminal is flashed, the new trusted kernel is accepted by the trusted BOOT and starts normally, and the Android terminal also loads the new Android version and the new security management agent module of the terminal.
An Android terminal, including: a network management protocol terminal module, a security management agent module, a trusted boot loader BOOT and a hardware root of trust, wherein
the network management protocol terminal module is configured to: collect information on the terminal and communicate with the security management server side;
the security management agent module is configured to: receive and execute the security management policy delivered by the security management server side, and feed the security management status of the terminal back to the security management server side;
the hardware root of trust is configured to: store the unique identity information of the terminal and the root certificate that issued the digital certificate of the security management server.
Optionally, where the trusted boot loader BOOT is confirmed to be secure, the hardware root of trust is the trusted BOOT.
Optionally, the terminal further includes a trusted boot loader BOOT and a trusted kernel, wherein
the hardware root of trust is further configured to: store the digital digest information of the trusted BOOT;
the trusted BOOT is configured to: store the digital digest information of the trusted kernel;
the trusted kernel is configured to: verify the integrity of the Android system files and the integrity of the security management agent module.
Compared with the related art, the security management and control method of the technical solution of the present invention forms a complete and firm chain of trust from the hardware root of trust to the digital certificate center of the security management server. Through the trusted interaction between the modules it not only makes the Android terminal uncrackable in software, but also makes it possible to flexibly adjust the terminal security policy and to upgrade the terminal software version in a trusted way, improving the user experience and reducing the cost of subsequent upgrades and maintenance while ensuring security management and control.
Brief description of the drawings
FIG. 1 is a schematic diagram of the module structure of an Android terminal device in an embodiment of the present invention;
FIG. 2 is a schematic diagram of the module structure of the server in an embodiment of the present invention;
FIG. 3 is a flowchart of the method, in an embodiment of the present invention, for secure boot verification during the boot process of an Android terminal device and for security monitoring during continued operation;
FIG. 4 is a flowchart of the method carried out in an embodiment of the present invention when the server side needs to initiate a change to the security management and control policy on a terminal, or to initiate a software version update of the terminal;
FIG. 5 is a flowchart of a specific embodiment of the security management and control method provided by the present invention, in which, after the trusted boot of the Android terminal has been ensured, a security management and control policy is applied, namely the installation of a trusted application store;
FIG. 6 is a flowchart of another specific embodiment of the security management and control method provided by the present invention, in which, after the trusted boot of an old-version Android terminal has been ensured, a trusted software upgrade of the entire terminal is triggered.
The realization of the object of the present invention, its functional features and its advantageous effects are further described below with reference to specific embodiments and the accompanying drawings.
Preferred embodiments of the invention
The technical solution of the present invention is described in further detail below with reference to the accompanying drawings and specific embodiments, but the embodiments given are not intended to limit the invention.
In order to overcome the security risk in the related art that the Android system can be cracked, and the defect that related protection policies are too rigid, an embodiment of the present invention provides a security management and control method and system based on trusted dynamic interaction between the hardware root of trust of a terminal device and a remote security management and control server. Thus, while the terminal's Android software system is made unbreakable on the basis of hardware, the security status of the terminal can also be reported in real time, the terminal's specific security management and control policy can be adjusted dynamically through the remote server, and the terminal device is allowed to perform trusted software version and feature upgrades.
In an embodiment of the present invention, a complete chain of trust is formed from the hardware root of trust of the terminal device to the digital certificate center of the remote management and control server, so that the security management and control policy of the terminal device can be adjusted remotely in a flexible and trusted manner. In addition, by issuing data that has been digitally signed by the server and encrypted with a private password, the digest credentials used for the hardware-to-kernel integrity checks at terminal start-up can be modified, so that the terminal device can trust a new version or new feature modification and carry out the version or feature upgrade.
Optionally, the embodiment of the present invention adopts the following technical solution:
The security management and control system of the embodiment of the present invention includes an Android system terminal part and a security management and control server part, connected to each other over a network; the security management and control server side can manage and maintain multiple Android system terminals simultaneously. The specific module structure is as follows:
Referring to FIG. 1, the Android system terminal device of the embodiment of the present invention includes:
a conventional Android framework software system 101 and conventional hardware 102; for example, the conventional hardware 102 includes a CPU, memory units, a wireless module and so on.
In addition, the Android system terminal device further includes:
a network management protocol terminal module 103, configured to collect terminal device information and to communicate with the network management protocol server module on the security management and control server side. In one embodiment, the network management protocol terminal module 103 optionally uses the terminal side of the TR069 network management protocol to interact with the management and control server side.
a security management and control agent module 104, configured to receive and execute the security management and control policy issued by the security management and control server side, and at the same time able to feed back the security management and control status of the terminal to the security management and control server side.
The security management and control policy refers to trusted operations applied to the Android system, the KERNEL kernel and other components, including but not limited to: installing trusted applications; forcibly uninstalling illegal applications; making beneficial, security-enhancing modifications to the kernel's SELinux permission rules and iptables network firewall rules; monitoring illegal cracking of the terminal and raising alarms; scanning peripherals for viruses; and triggering the terminal to perform a trusted software version upgrade.
a hardware root of trust 105, configured to store the unique identity information of the terminal, the root certificate that issued the digital certificate of the management and control server, and the digital digest of the trusted bootloader (BOOT) 106 that is used to verify the BOOT.
Optionally, the hardware root of trust 105 stores the above content in a trusted chip or plug-in card peripheral provided by the hardware. The hardware root of trust 105 may store this content in the form of a fingerprint or iris.
a trusted bootloader (BOOT) 106: its digital digest can be fully verified by the hardware root of trust 105, so it is trusted. The trusted BOOT 106 also contains the digital digest of the trusted kernel, which is used to verify the kernel at system boot.
Alternatively, if in some embodiment the trusted BOOT 106 is already considered sufficiently secure, the functions of the hardware root of trust 105 may be integrated into the trusted BOOT 106: the trusted BOOT 106 is then treated as the root of trust, does not need to be verified, and may directly carry the root certificate that issued the security management and control server's digital certificate and the unique identity information of the terminal.
a trusted KERNEL kernel 107, which has had its digital digest verified by the trusted BOOT 106 and is therefore a trusted kernel. It is configured to perform periodic checks or on-access checks of the integrity of the Android system files and of the security management and control agent module 104. In one embodiment, the check mechanism optionally uses IMA (integrity measurement architecture) technology to provide integrity measurement and verification of critical system files/directories and block devices, including the security management and control agent module 104.
Referring to FIG. 2, the security management and control server side of the embodiment of the present invention includes a security management and control server and a secure digital certificate center 205, where:
the security management and control server includes a network management protocol server module 201, a security policy management module 202, a terminal general management module 203 and a backend database module 204, where:
the network management protocol server module 201 is the server-side implementation of a network management protocol capable of coordinated management of multiple terminal devices. In one embodiment, this module optionally uses the server-side implementation of the TR069 protocol, which can manage the status of a large number of Android terminals (for example, up to several hundred thousand);
the security policy management module 202 analyzes and processes the security policy requirements, schedules and dispatches execution plans, and collects the feedback results;
the terminal general management module 203 is configured to collect information on the basic status of terminal devices, and to handle management classification, online status, log collection and management, and so on;
the backend database module 204 is configured to provide database services such as storage and query to the security management and control server;
the secure digital certificate center 205 is configured to store and maintain the digital certificate, private key, private password and so on of the security management and control server, and to consolidate the issuing and revocation of terminal device digital certificates. Optionally, this digital certificate center may be suitably isolated from the security management and control server to ensure its security.
In the Android terminal device, the network management protocol terminal module 103 is connected to the security management and control agent module 104 to provide the capability of interacting with the security management and control server side. The Android terminal device can read digital certificate information from the hardware root of trust 105 in order to verify the identity of the security management and control server side during SSL connection establishment; it also accesses the hardware root of trust 105 so that the terminal identity information stored there is managed by the security management and control server side.
The hardware root of trust 105 verifies the digital digest of the trusted bootloader (BOOT) 106; the trusted BOOT 106 in turn verifies the trusted KERNEL kernel 107; and the trusted KERNEL kernel 107 then performs periodic or on-demand file integrity checks of the security management and control agent module 104 and of the conventional Android framework.
The hardware root of trust 105 is also linked to the conventional hardware 102, so that the power supply can be cut off promptly when a security exception occurs.
The security management and control agent module 104 plays a central role in the embodiment of the present invention. On the one hand, it can access every other module of the terminal and apply the specific security management and control policy; on the other hand, it can obtain from the security management and control server side the integrity verification credentials of a new version, encrypted with the private password and digitally signed by the server (the integrity verification credentials include the digital digest of the BOOT, the digital digest of the kernel, and the digital digests of the Android system files), and inject these signed credentials into the hardware root of trust 105, the trusted bootloader BOOT 106 and the trusted KERNEL kernel 107 respectively, so that the new version is accepted as trusted.
In the security management and control server, the backend database module 204 and the secure digital certificate center 205 sit in the background and serve the security policy management module 202 and the terminal general management module 203. The backend database module 204 and the secure digital certificate center 205, the two management modules, provide the user with an operator interface and also communicate with the Android terminal devices through the network management protocol server module 201. The server-side architecture above only illustrates the basic principle of the present invention; in a specific embodiment the server has many additional functions, such as web services, remote access services and file download services, and the actual interaction between these modules is more complex. These are extensions of the specific implementation, which a person skilled in the art can realize on the basis of the disclosure of the present invention and common general knowledge, and they are not described further here.
Referring to FIG. 3 together with FIGS. 1 and 2, using the security management and control method disclosed in the embodiment of the present invention, when the Android terminal device is powered on the boot verification process includes the following steps:
Step 301: the terminal device is powered on, and the hardware root of trust 105 and the conventional hardware 102 start operating.
Optionally, in one embodiment, if the trusted bootloader (BOOT) is considered sufficiently secure and does not need verification, the hardware root of trust need not be started immediately at power-on.
Step 302: the hardware root of trust 105 computes the digest of the trusted bootloader BOOT and compares it against the stored BOOT digest value to check the integrity of the BOOT.
Step 303: if the hardware root of trust 105 finds that the trusted bootloader BOOT 106 has been tampered with, it signals the conventional hardware 102 to cut off the power supply, interrupting the boot process, and proceeds to step 305. If the trusted bootloader BOOT 106 has not been tampered with, proceed to step 304.
Step 304: the trusted KERNEL kernel 107 is loaded normally: the trusted bootloader BOOT 106 starts and begins loading the trusted KERNEL kernel 107, computing the kernel's digest and comparing it against the stored digest value to verify the integrity of the kernel.
Step 305: the system loading process is terminated.
Step 306: determine whether the trusted KERNEL kernel 107 has been tampered with. If the trusted bootloader BOOT 106 finds that the trusted KERNEL kernel 107 has been tampered with, proceed to step 305, restart the device or lock the system and display a warning to the user; if the trusted KERNEL kernel 107 has not been tampered with, proceed to step 307.
Step 307: after the trusted KERNEL kernel 107 has finished loading, Android and the Android terminal's security management and control agent module 104 continue to be loaded.
Step 308: the terminal security management and control agent module 104 starts, reads the digital certificate information from the hardware root of trust, and establishes an SSL-authenticated, encrypted connection with the security management and control server using the TR069 network management protocol.
Step 309: the trusted KERNEL kernel 107 starts the file integrity verification mechanism; optionally, the IMA monitoring mechanism may be used, checking periodically or on access whether the critical Android system files and the security management and control agent module 104 have been tampered with.
Step 310: determine whether the critical Android system files have been tampered with; if so, perform steps 311-312; otherwise, proceed to step 313.
Step 311: if a critical Android system file is found to have been tampered with, the file tampering information is encrypted with the private password and over SSL and sent via the security management and control agent module 104 to the security management and control server, to confirm whether it is a false positive.
Step 312: if the security management and control server cannot be reached within a certain time, or does not exempt the modification, the trusted KERNEL kernel 107 issues a warning to the user or locks the system. In other application scenarios it may, according to a security policy previously issued by the server, choose instead to log the event or take no action for the time being.
Step 313: determine whether the security management and control agent module 104 has been tampered with. If so, the trusted KERNEL kernel 107 must immediately warn the user or immediately lock the system, and proceed to step 312. If the security management and control server has exempted the Android system file modification, normal operation continues; proceed to step 314.
Step 314: if the security management and control agent module 104 itself has not been tampered with, and the critical Android system files have either not been tampered with or the tampering has been exempted by the security management and control server, the Android system remains in its normal running state.
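As an added illustration of steps 302-314 (not part of the patent), the following Go program models the staged checks with SHA-256 digests: the hardware root of trust checks BOOT, BOOT checks the kernel, and the kernel's IMA-style table checks the monitored files, with a changed agent binary treated as fatal and any other mismatch held for server exemption. The field names, the digest function and the sample images are assumptions.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
)

func digest(b []byte) []byte { h := sha256.Sum256(b); return h[:] }

// Device mirrors modules 105-107: the hardware root stores the expected BOOT digest, BOOT
// stores the expected kernel digest, and the kernel stores an IMA-style table of expected
// digests for monitored files, the security management and control agent among them.
type Device struct {
	RootBootDigest   []byte            // held by the hardware root of trust (105)
	BootImage        []byte            // the loader as actually present in flash
	BootKernelDigest []byte            // held inside BOOT (106)
	KernelImage      []byte            // the kernel as actually present
	IMATable         map[string][]byte // held inside the kernel (107): path -> expected digest
}

// VerifyBootChain is steps 302-306: the root checks BOOT, then BOOT checks the kernel.
// It returns "ok", "boot-tampered" (step 303: cut power) or "kernel-tampered" (step 306).
func VerifyBootChain(d Device) string {
	if !bytes.Equal(digest(d.BootImage), d.RootBootDigest) {
		return "boot-tampered"
	}
	if !bytes.Equal(digest(d.KernelImage), d.BootKernelDigest) {
		return "kernel-tampered"
	}
	return "ok"
}

// CheckIMA is the runtime check of steps 309-314 over the current contents of the monitored
// files. A modified (or missing) agent is fatal at once (step 313); any other mismatch is
// returned so the agent can ask the server whether it is exempted (steps 311-312).
func CheckIMA(d Device, files map[string][]byte, agentPath string) (agentTampered bool, pending []string) {
	for path, want := range d.IMATable {
		if got, ok := files[path]; ok && bytes.Equal(digest(got), want) {
			continue
		}
		if path == agentPath {
			agentTampered = true
		} else {
			pending = append(pending, path)
		}
	}
	return agentTampered, pending
}

func main() {
	// Constructed images standing in for the real BOOT, kernel and system files.
	boot, kern := []byte("boot v1"), []byte("kernel v1")
	files := map[string][]byte{"/system/agent": []byte("agent v1"), "/system/build.prop": []byte("ro.build=1")}
	d := Device{RootBootDigest: digest(boot), BootImage: boot, BootKernelDigest: digest(kern), KernelImage: kern,
		IMATable: map[string][]byte{}}
	for p, c := range files {
		d.IMATable[p] = digest(c)
	}
	fmt.Println("clean boot:", VerifyBootChain(d))
	d.KernelImage = []byte("kernel v1 + patch") // constructed tampering of the kernel image
	fmt.Println("patched kernel:", VerifyBootChain(d))
	files["/system/build.prop"] = []byte("ro.build=2") // constructed change to a monitored file
	agentBad, pending := CheckIMA(d, files, "/system/agent")
	fmt.Println("agent tampered:", agentBad, "pending server exemption:", pending)
}
```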
Referring to FIG. 4, using the security management and control method of the embodiment of the present invention, when the security management and control policy on a terminal device needs to be changed, the following steps are carried out:
Step 400: when the management and control staff on the security management and control server side find that the security management and control policy for terminals needs to be adjusted, they determine the range of target terminals on which it is to be executed and begin actively accessing the specified terminal devices.
Step 401: determine whether the new security management and control policy would modify the kernel or files protected by the Android system; if so, proceed to step 403; otherwise, proceed to step 402.
Step 402: if the new security management and control policy does not modify the terminal's trusted kernel and does not need to modify critical Android system files protected by the trusted kernel, the security management and control server side issues the policy directly to the security management and control agent module, which executes it on receipt, and the process ends.
Step 403: if the new security management and control policy would modify the KERNEL kernel or a protected part of the Android system, the security management and control server side computes in advance the kernel digital digest and the Android system file monitoring credentials as they will be after the policy has been applied.
Step 404: the security management and control server side encrypts the new kernel digital digest and system file monitoring credentials with the private password and at the same time digitally signs them with the private key of the server certificate (in the embodiment, the system file monitoring credentials may be the set of digital digests of the monitored files maintained by the IMA file monitoring system).
Step 405: the security management and control server side delivers the encrypted and signed result of the above computation to the terminal's security management and control agent module over the SSL secure channel.
Step 406: the security management and control agent module injects the new kernel digital digest into the trusted bootloader BOOT, and injects the new Android system file monitoring credentials into the KERNEL kernel.
Step 407: the terminal's bootloader BOOT and KERNEL kernel decrypt the new digital digest and file monitoring credentials with the private password mentioned above and accept them as trusted.
At this point, the successful injection is reported back to the security management and control server side.
Step 408: the security management and control server side issues the new terminal security management and control policy, and the KERNEL kernel and Android files are modified. The ways of modifying the KERNEL kernel and Android files include direct modification via the security management and control agent module, and also allowing the end user to download the new software version from a designated website and flash it onto the terminal device by other means to perform the update. At the next device reboot and file security verification, the new digests and credentials are used, so no false tampering alarm occurs.
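As an added example of steps 403-407 (not the patent's own code), the Go program below has the server encrypt the new kernel digest and IMA table under a shared private password and sign the ciphertext, and has the device adopt them only after the signature verifies against the key held in the hardware root of trust. It assumes Ed25519 with the server's public key stored directly in the root (collapsing the certificate chain to one key), AES-256-GCM under a SHA-256-derived key in place of the unspecified private-password encryption, and constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Credentials is the bundle of step 404: the kernel digest that will be valid after the
// change, and the table of expected file digests (path -> digest) the kernel will enforce.
type Credentials struct {
	KernelDigest []byte
	IMATable     map[string][]byte
}

// TrustStore is what steps 406-407 update. RootPub stands in for the issuing root
// certificate kept in the hardware root; KernelDigest lives in BOOT, IMATable in the kernel.
type TrustStore struct {
	RootPub      ed25519.PublicKey
	KernelDigest []byte
	IMATable     map[string][]byte
}

// aead derives an AES-256-GCM key from the shared private password (derivation is ours).
func aead(password []byte) (cipher.AEAD, error) {
	key := sha256.Sum256(password)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// IssueCredentials is the server side of step 404: encrypt under the private password,
// then sign the ciphertext so the device rejects a forged bundle before decrypting anything.
func IssueCredentials(serverPriv ed25519.PrivateKey, password []byte, c Credentials) (ct, sig []byte, err error) {
	plain, err := json.Marshal(c)
	if err != nil {
		return nil, nil, err
	}
	g, err := aead(password)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	ct = g.Seal(nonce, nonce, plain, nil) // nonce is prefixed to the ciphertext
	return ct, ed25519.Sign(serverPriv, ct), nil
}

// InjectCredentials is steps 406-407 on the device: BOOT and the kernel adopt the new
// digests only if the signature verifies against the root key and the bundle decrypts.
func InjectCredentials(t *TrustStore, password, ct, sig []byte) error {
	if !ed25519.Verify(t.RootPub, ct, sig) {
		return errors.New("bundle not signed by the trusted server")
	}
	g, err := aead(password)
	if err != nil {
		return err
	}
	n := g.NonceSize()
	if len(ct) < n {
		return errors.New("bundle too short")
	}
	plain, err := g.Open(nil, ct[:n], ct[n:], nil)
	if err != nil {
		return errors.New("bundle does not decrypt with the private password")
	}
	var c Credentials
	if err := json.Unmarshal(plain, &c); err != nil {
		return err
	}
	t.KernelDigest, t.IMATable = c.KernelDigest, c.IMATable
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // server key; pub is what the root holds
	pw := []byte("private-password")                 // constructed shared secret
	store := TrustStore{RootPub: pub}
	newKernel := sha256.Sum256([]byte("kernel v2")) // constructed post-update kernel digest
	ct, sig, err := IssueCredentials(priv, pw, Credentials{KernelDigest: newKernel[:]})
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine bundle:", InjectCredentials(&store, pw, ct, sig))
	_, rogue, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("rogue-signed bundle:", InjectCredentials(&store, pw, ct, ed25519.Sign(rogue, ct)))
}
```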
When a software version upgrade is required on the terminal device, the method shown in FIG. 4 may also be used, and it is not described again here; optionally, the management and control method for a software version upgrade may also be the method described with reference to FIG. 6.
Where it is required, while ensuring that the Android terminal starts up and runs securely and in a trusted manner, to additionally load and install a new application store application (through which other applications can be downloaded securely), and this application store also requires a digital certificate to be installed into the kernel so that other applications downloaded from the store can be signature-checked, the specific steps of this embodiment, referring to FIG. 5, are as follows:
Step 501: following the process of FIG. 1, the terminal starts up with stage-by-stage integrity verification from the hardware root of trust to the kernel; the trusted kernel begins continuously monitoring the integrity of the terminal's Android system files using IMA; and the security management and control agent module establishes an SSL connection to the management and control server side via the network management protocol server module.
Step 502: the security management and control server side computes in advance the file monitoring credentials of the application store and the kernel digital digest as it will be after the digital certificate has been installed, obtaining the computation result.
Step 503: the computation result is encrypted with the private password and at the same time signed with the certificate of the management and control server, and delivered over SSL encryption to the terminal's security management and control agent module.
Step 504: the terminal's security management and control agent module passes the application store file digest information to the kernel's IMA file monitoring system, and passes the kernel digital digest computed for after installation of the application digital certificate to the bootloader BOOT.
Step 505: IMA and BOOT decrypt with the private password and obtain the root certificate of the server-side certificate from the hardware root of trust, verify and accept the application store file information, and likewise accept the kernel as it will be after the new store certificate is installed.
Step 506: after the security management and control server side confirms that the terminal has accepted them, it downloads and installs the new application store and modifies the kernel to inject the application signature-checking digital certificate, via the terminal's security management and control agent module.
Step 507: after the modification, the new kernel has already been accepted by BOOT and can be booted correctly, and the new application store also runs normally, because it too has been brought under the integrity protection of the new kernel's IMA file monitoring system.
This method can be applied both to the security management and control method used when the security management and control policy is changed, i.e. the method described with reference to FIG. 4, and to the security management and control method used for a software version upgrade, i.e. the method described with reference to FIG. 6; these are not described again here.
Using the security management and control method of the embodiment of the present invention, when the software version of a terminal device needs to be upgraded, the following steps are carried out:
In this embodiment, while ensuring that the old version on the Android terminal starts up and runs securely and in a trusted manner, the management and control server side needs to trigger a trusted upgrade of the software version of the entire terminal; that is, in this embodiment every software module except the BOOT needs to be replaced. It is worth noting that an ordinary system upgrade does not need to modify or upgrade the BOOT.
Referring to FIG. 6, the specific steps of this embodiment are as follows:
Step 601: following the process of FIG. 1, the terminal starts up with stage-by-stage integrity verification from the hardware root of trust to the kernel; the trusted kernel begins continuously monitoring the integrity of the terminal's Android system files using IMA; and the security management and control agent module establishes an SSL connection to the management and control server side via the network management protocol server module.
Step 602: the security management and control server side prepares a new trusted kernel in advance; the IMA file verification policy for the new Android version is merged into this new trusted kernel.
Step 603: the security management and control server side computes the digital digest of the new version of the trusted kernel, encrypts the result with the private password and at the same time signs it with the certificate of the management and control server, and delivers it over SSL encryption to the terminal's security management and control agent module.
Step 604: the terminal's security management and control agent module learns that the entire system is about to be updated, and obtains the end user's permission for the upgrade through a pop-up dialog.
Step 605: after the user gives permission, the terminal's security management and control agent module injects the new trusted kernel digital digest into the BOOT, which decrypts it with the private password, obtains the certificate from the hardware root of trust, and verifies and accepts the new kernel.
Step 606: the user downloads the new kernel version, the new Android version and the new security management and control agent module from the website onto a peripheral such as a USB flash drive or TF card, and performs the system upgrade through the flashing procedure described on the website.
Step 607: after flashing, the new trusted kernel is accepted by the BOOT and boots normally, and the new Android version and the terminal's security management and control agent module are also loaded. The new trusted kernel then performs IMA anti-tampering monitoring of the new Android file system and the terminal's security management and control agent module as normal.
An embodiment of the invention discloses a security management and control method for an Android system, including:
receiving a security management policy adjustment instruction or a terminal software version upgrade instruction; and
dynamically sending, according to the security management policy adjustment instruction or the terminal software version upgrade instruction, the corresponding security management policy file or terminal software version upgrade file to the target terminal device.
Optionally, the security management policy refers to trusted operational behaviour imposed on at least the Android system and the KERNEL kernel of the terminal device.
Optionally, the security management policy includes: installing trusted applications, forcibly uninstalling illegal applications, making security-enhancing modifications to the SELinux permission rules and iptables network firewall rules of the KERNEL kernel, monitoring the terminal device for illegal cracking behaviour and raising an alarm, scanning the terminal device's peripherals for viruses, and triggering the terminal device to perform a trusted software version upgrade.
An embodiment of the invention also discloses a computer program comprising program instructions which, when executed by a computer, enable the computer to perform any of the above security management and control methods for an Android system. An embodiment of the invention also discloses a carrier carrying the computer program.
An embodiment of the invention also discloses a security management and control apparatus for an Android system, comprising an instruction receiving unit and a processing unit, wherein:
the instruction receiving unit is configured to receive a security management policy adjustment instruction or a terminal software version upgrade instruction; and
the processing unit is configured to dynamically send, according to the security management policy adjustment instruction or the terminal software version upgrade instruction, the corresponding security management policy file or terminal software version upgrade file to the target terminal device.
Optionally, the security management policy refers to trusted operational behaviour imposed on at least the Android system and the KERNEL kernel of the terminal device.
Optionally, the security management policy includes: installing trusted applications, forcibly uninstalling illegal applications, making security-enhancing modifications to the SELinux permission rules and iptables network firewall rules of the KERNEL kernel, monitoring the terminal device for illegal cracking behaviour and raising an alarm, scanning the terminal device's peripherals for viruses, and triggering the terminal device to perform a trusted software version upgrade.
An embodiment of the invention also discloses a server comprising any of the above security management and control apparatuses for an Android system.
An embodiment of the invention also discloses a security management and control method for an Android system, including:
dynamically receiving a security management policy file or a terminal software version upgrade file, and executing the security management policy or terminal software version upgrade corresponding to that file; and
reporting the current security management status information in real time.
Optionally, the security management policy refers to trusted operational behaviour imposed on at least the Android system and the KERNEL kernel of the terminal device.
Optionally, the security management policy includes: installing trusted applications, forcibly uninstalling illegal applications, making security-enhancing modifications to the SELinux permission rules and iptables network firewall rules of the KERNEL kernel, monitoring the terminal device for illegal cracking behaviour and raising an alarm, scanning the terminal device's peripherals for viruses, and triggering the terminal device to perform a trusted software version upgrade.
Optionally, before the step of dynamically receiving the security management policy file or terminal software version upgrade file, the method further includes:
performing the following boot verification step:
after the terminal device is powered on, the hardware root of trust performs a digital digest check on the trusted bootloader BOOT; the trusted bootloader BOOT verifies the KERNEL kernel; and the KERNEL kernel in turn performs a scheduled or on-demand file integrity check on the security management agent part and on the regular Android framework.
Optionally, the method further includes:
when an anomaly is detected during the boot verification process, the hardware root of trust controls the regular hardware to power down, or blocks the device in software from continuing to boot.
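The chain of trust described in the boot verification step above, together with the signed kernel-digest update of steps 604 to 607, modelled as an added example that is not part of the patent. It assumes SHA-256 for every digest, an HMAC under a key held by the hardware root of trust as a stand-in for the server-certificate signature, and a SHA-256 counter-mode keystream as a stand-in for the "private password" encryption; the terminal images and file paths are constructed sample data.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def password_xor(password: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (stand-in for the patent's 'private password' encryption):
    XOR with a SHA-256 counter keystream. Applying it twice restores the data."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(password + off.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)


@dataclass
class Terminal:
    """Constructed terminal state: the images plus the digest each stage of the chain holds."""
    boot_image: bytes
    kernel_image: bytes
    files: dict                 # Android file system, path -> content
    boot_digest: str            # held by the hardware root of trust
    kernel_digest: str          # held by BOOT
    file_credentials: dict      # held by the kernel: path -> expected digest (IMA policy)
    verify_key: bytes           # held by the root of trust; stands in for the issuing root certificate
    private_password: bytes     # shared secret used to unwrap digests sent by the server
    powered_off: bool = False


def make_terminal(boot, kernel, files, verify_key, password) -> Terminal:
    return Terminal(boot, kernel, dict(files), sha256_hex(boot), sha256_hex(kernel),
                    {p: sha256_hex(c) for p, c in files.items()}, verify_key, password)


def ima_check(t: Terminal) -> list:
    """Kernel-side file integrity check: returns the paths whose digest no longer matches."""
    return sorted(p for p, d in t.file_credentials.items()
                  if sha256_hex(t.files.get(p, b"")) != d)


def boot_chain(t: Terminal) -> str:
    """Root of trust -> BOOT -> kernel -> file system. Returns 'ok' or the failing stage;
    on failure the root of trust powers the device off, as the patent specifies."""
    if sha256_hex(t.boot_image) != t.boot_digest:
        stage = "boot"
    elif sha256_hex(t.kernel_image) != t.kernel_digest:
        stage = "kernel"
    elif ima_check(t):
        stage = "filesystem"
    else:
        return "ok"
    t.powered_off = True
    return stage


def server_issue_update(new_kernel: bytes, new_files: dict, password: bytes, sign_key: bytes) -> dict:
    """Server side: compute the new kernel digest and file credentials, wrap them with the
    private password and sign the wrapped blob before sending it to the agent."""
    payload = json.dumps({"kernel_digest": sha256_hex(new_kernel),
                          "file_credentials": {p: sha256_hex(c) for p, c in new_files.items()}},
                         sort_keys=True).encode()
    wrapped = password_xor(password, payload)
    return {"wrapped": wrapped.hex(),
            "signature": hmac.new(sign_key, wrapped, hashlib.sha256).hexdigest()}


def agent_apply_update(t: Terminal, package: dict, user_permits: bool) -> bool:
    """Agent side (steps 604-605): obtain user permission, check the signature with the key
    from the root of trust, unwrap, then inject the new digests into BOOT and the kernel."""
    if not user_permits:
        return False
    wrapped = bytes.fromhex(package["wrapped"])
    expected = hmac.new(t.verify_key, wrapped, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, package["signature"]):
        return False                                    # forged or altered package: nothing injected
    update = json.loads(password_xor(t.private_password, wrapped))
    t.kernel_digest = update["kernel_digest"]           # BOOT now trusts the new kernel
    t.file_credentials = update["file_credentials"]     # kernel now monitors the new file set
    return True


def flash(t: Terminal, new_kernel: bytes, new_files: dict) -> None:
    """Steps 606-607: write the new kernel and Android files; the next boot verifies them."""
    t.kernel_image = new_kernel
    t.files = dict(new_files)


def demo() -> dict:
    """Walk through a legitimate upgrade, a forged package and post-upgrade tampering."""
    key, pw = b"constructed-server-key", b"constructed-private-password"
    files_v1 = {"/system/framework.jar": b"framework v1", "/system/bin/agent": b"agent v1"}
    t = make_terminal(b"boot v1", b"kernel v1", files_v1, key, pw)
    results = {"initial_boot": boot_chain(t)}
    files_v2 = {"/system/framework.jar": b"framework v2", "/system/bin/agent": b"agent v2"}
    pkg = server_issue_update(b"kernel v2", files_v2, pw, key)
    results["update_applied"] = agent_apply_update(t, pkg, user_permits=True)
    flash(t, b"kernel v2", files_v2)
    results["boot_after_upgrade"] = boot_chain(t)
    forged = dict(pkg, signature="00" * 32)             # signature does not match the blob
    results["forged_rejected"] = not agent_apply_update(t, forged, user_permits=True)
    t.files["/system/bin/agent"] = b"agent v2 (tampered)"   # tamper with the agent after upgrade
    results["tampered_files"] = ima_check(t)
    results["boot_after_tamper"] = boot_chain(t)
    results["powered_off"] = t.powered_off
    return results
```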
An embodiment of the invention further discloses a computer program comprising program instructions which, when executed by a computer, enable the computer to perform any of the above security management and control methods for an Android system. An embodiment of the invention also discloses a carrier carrying the computer program.
An embodiment of the invention further discloses a security management and control apparatus for an Android system, comprising a file receiving unit and a reporting unit, wherein:
the file receiving unit is configured to dynamically receive a security management policy file or a terminal software version upgrade file, and to execute the security management policy or terminal software version upgrade corresponding to that file; and
the reporting unit is configured to report the current security management status information in real time.
Optionally, the security management policy refers to trusted operational behaviour imposed on at least the Android system and the KERNEL kernel of the terminal device.
Optionally, the security management policy includes: installing trusted applications, forcibly uninstalling illegal applications, making security-enhancing modifications to the SELinux permission rules and iptables network firewall rules of the KERNEL kernel, monitoring the terminal device for illegal cracking behaviour and raising an alarm, scanning the terminal device's peripherals for viruses, and triggering the terminal device to perform a trusted software version upgrade.
Optionally, the apparatus further includes a verification unit, wherein:
the verification unit is configured such that, after the terminal device is powered on, the hardware root of trust performs a digital digest check on the trusted bootloader BOOT, the trusted bootloader BOOT verifies the KERNEL kernel, and the KERNEL kernel in turn performs a scheduled or on-demand file integrity check on the security management agent part and on the regular Android framework.
Optionally, the apparatus further includes a security execution unit, wherein:
the security execution unit is configured to notify the hardware root of trust to control the regular hardware to power down when an anomaly is detected during the boot verification process.
An embodiment of the invention further discloses a terminal device comprising any of the above security management and control apparatuses for an Android system.
An embodiment of the invention also discloses a security management and control system for an Android system, comprising a server and a terminal device, wherein:
the server is configured to receive a security management policy adjustment instruction or a terminal software version upgrade instruction, and to dynamically send, according to that instruction, the corresponding security management policy file or terminal software version upgrade file to the target terminal device; and
the terminal device is configured to dynamically receive the security management policy file or terminal software version upgrade file, to execute the security management policy or terminal software version upgrade corresponding to that file, and to report the current security management status information in real time.
The above are only optional embodiments of the present invention and do not limit its patent scope; any equivalent structure or equivalent process transformation made using the contents of the description and drawings of the present invention, whether applied directly or indirectly in other related technical fields, is likewise included within the scope of patent protection of the present invention.
Industrial applicability
The security management and control method of the technical solution of the present invention forms a complete and robust chain of trust from the hardware root of trust to the digital certificate centre of the security management server. Through the trusted interaction between the modules, and compared with the related art, it not only makes the Android terminal unbreakable in software, but also makes it possible to flexibly adjust the terminal security policy and to upgrade the terminal software version in a trusted manner, improving the user experience and reducing the cost of subsequent upgrades and maintenance while guaranteeing security management and control. The present invention therefore has strong industrial applicability.

Claims (20)

  1. A security management and control method for an Android system, applied on the security management server side, comprising:
    receiving a security management policy adjustment instruction; and
    dynamically sending the corresponding security management policy file to the target Android terminal according to the security management policy adjustment instruction.
  2. The security management and control method for an Android system according to claim 1, wherein the security management policy refers to trusted operational behaviour imposed on at least the Android system and the KERNEL kernel of the Android terminal.
  3. The security management and control method for an Android system according to claim 2, wherein the security management policy comprises one or more of the following policies: installing trusted applications, forcibly uninstalling illegal applications, making security-enhancing modifications to the SELinux permission rules and iptables network firewall rules of the KERNEL kernel, monitoring the Android terminal for illegal cracking behaviour and raising an alarm, scanning the Android terminal's peripherals for viruses, and triggering the Android terminal to perform a trusted software version upgrade.
  4. The security management and control method for an Android system according to claim 1, wherein, before the step of dynamically sending the corresponding security management policy file to the target Android terminal according to the security management policy adjustment instruction, the method further comprises:
    determining whether the security management policy file would modify the trusted kernel of the target Android terminal or the protected files of the Android system;
    and the step of dynamically sending the corresponding security management policy file to the target Android terminal according to the security management policy adjustment instruction comprises:
    if the security management policy file does not modify the trusted kernel of the target Android terminal and does not need to modify the key files of the Android system protected by the trusted kernel, sending the security management policy file directly to the security management agent module of the target Android terminal.
  5. The security management and control method for an Android system according to claim 4, further comprising: if the security management policy file would modify the trusted kernel and/or the protected part of the Android system of the target Android terminal, calculating the kernel digital digest and the Android system file monitoring credentials that will apply after the security management policy has been implemented, encrypting the new kernel digital digest and Android system file monitoring credentials with a private password, digitally signing them with the private key of the server certificate, and then sending the encrypted and signed kernel digital digest and Android system file monitoring credentials to the security management agent module of the target Android terminal.
  6. A security management and control method for an Android system, applied on the security management server side, comprising:
    receiving a terminal software version upgrade instruction; and
    dynamically sending the corresponding terminal software version upgrade file to the target Android terminal according to the terminal software version upgrade instruction.
  7. The security management and control method for an Android system according to claim 6, wherein the terminal software version upgrade file comprises: a new trusted kernel, an IMA file verification policy for the new Android version, and a new trusted kernel.
  8. The security management and control method for an Android system according to claim 6, further comprising:
    calculating the digital digest information of the new version of the trusted kernel, encrypting the digital digest information with a private password, signing it with the certificate of the security management server, and sending it over an SSL-encrypted channel to the security management agent module of the Android terminal.
  9. A security management and control method for an Android system, applied on an Android terminal, comprising:
    dynamically receiving a security management policy file and executing the corresponding security management policy according to it; and
    reporting the current security management status information in real time.
  10. The security management and control method for an Android system according to claim 9, wherein the security management policy refers to trusted operational behaviour imposed on at least the Android system and the KERNEL kernel of the Android terminal.
  11. The security management and control method for an Android system according to claim 10, wherein the security management policy comprises one or more of the following policies: installing trusted applications, forcibly uninstalling illegal applications, making security-enhancing modifications to the SELinux permission rules and iptables network firewall rules of the KERNEL kernel, monitoring the Android terminal for illegal cracking behaviour and raising an alarm, scanning the Android terminal's peripherals for viruses, and triggering the Android terminal to perform a trusted software version upgrade.
  12. The security management and control method for an Android system according to claim 9, further comprising:
    executing the security management policy file after receiving it from the security management server side.
  13. The security management and control method for an Android system according to claim 9, further comprising:
    after receiving the encrypted and signed kernel digital digest and Android system file monitoring credentials sent by the security management server side, injecting the new kernel digital digest into the trusted BOOT of the Android terminal and injecting the new Android system file monitoring credentials into the trusted kernel of the Android terminal;
    wherein the trusted BOOT and the trusted kernel of the Android terminal decrypt the new digital digest and file monitoring credentials with the private password and trust them.
  14. The security management and control method for an Android system according to claim 9, further comprising, before the above steps are performed, a boot verification step:
    after the Android terminal is powered on, the hardware root of trust performs a digital digest check on the trusted BOOT of the Android terminal, the trusted BOOT of the Android terminal verifies the trusted kernel, and the trusted kernel of the Android terminal in turn performs a scheduled or on-demand file integrity check on the security management agent part and on the regular Android framework.
  15. The security management and control method for an Android system according to claim 9, wherein, when an anomaly occurs during the boot verification process of the Android terminal, the hardware root of trust controls the regular hardware to power down, or blocks the Android terminal in software from continuing to boot.
  16. A security management and control method for an Android system, applied on an Android terminal, comprising:
    dynamically receiving a terminal software version upgrade file and performing the corresponding version upgrade according to it; and
    reporting the current security management status information in real time.
  17. The security management and control method for an Android system according to claim 16, further comprising:
    after the security management agent module of the Android terminal receives the software version upgrade file, obtaining the upgrade permission of the Android terminal;
    after the Android terminal grants permission, the security management agent module of the Android terminal injecting the new trusted kernel digital digest into the trusted BOOT of the Android terminal, which decrypts it with the private password, obtains the certificate from the hardware root of trust of the Android terminal, and verifies the new kernel;
    the Android terminal downloading the new kernel version, the new Android version and the new security management agent module from a website onto a peripheral of the Android terminal, and upgrading the system of the Android terminal by performing the flashing operation as directed by the website; and
    after the Android terminal has been flashed, the new trusted kernel being accepted by the trusted BOOT and starting normally, while the Android terminal also loads the new Android version and the new security management agent module of the terminal.
  18. An Android terminal, comprising: a network management protocol terminal module, a security management agent module, a trusted bootloader BOOT and a hardware root of trust, wherein:
    the network management protocol terminal module is configured to collect the terminal's information and to communicate with the security management server side;
    the security management agent module is configured to receive and execute the security management policy issued by the security management server side, and to feed the security management status of the terminal back to the security management server side; and
    the hardware root of trust is configured to store the unique identity information of the terminal and the root certificate that issued the digital certificate of the security management server.
  19. The Android terminal according to claim 18, wherein, when the trusted bootloader BOOT has been confirmed to be secure, the hardware root of trust is the trusted BOOT.
  20. The Android terminal according to claim 18, further comprising a trusted bootloader BOOT and a trusted kernel, wherein:
    the hardware root of trust is further configured to store the digital digest information of the trusted BOOT;
    the trusted BOOT is configured to store the digital digest information of the trusted kernel; and
    the trusted kernel is configured to verify the integrity of the Android system files and the integrity of the security management agent module.
PCT/CN2015/074647 2014-11-20 2015-03-19 Security management and control method, apparatus, and system for android system WO2015184891A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410668359.6A CN105656860A (en) 2014-11-20 2014-11-20 Safety management and control method, apparatus and system for Android system
CN201410668359.6 2014-11-20

Publications (1)

Publication Number Publication Date
WO2015184891A1 true WO2015184891A1 (en) 2015-12-10

Family

ID=54766116

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/074647 WO2015184891A1 (en) 2014-11-20 2015-03-19 Security management and control method, apparatus, and system for android system

Country Status (2)

Country Link
CN (1) CN105656860A (en)
WO (1) WO2015184891A1 (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108540498A (en) * 2018-06-21 2018-09-14 咪付(广西)网络技术有限公司 The method and system that security strategy version issues in a kind of financial payment
CN110046497A (en) * 2018-01-16 2019-07-23 腾讯科技(深圳)有限公司 A kind of function hook implementation method, device and storage medium
CN110543769A (en) * 2019-08-29 2019-12-06 武汉大学 Trusted starting method based on encrypted TF card
CN110764827A (en) * 2018-07-27 2020-02-07 中标软件有限公司 Control system and method for computer peripheral equipment
CN113297121A (en) * 2021-06-16 2021-08-24 深信服科技股份有限公司 Interface management method, device, equipment and readable storage medium
CN113495504A (en) * 2020-03-18 2021-10-12 杭州海康威视数字技术股份有限公司 Intelligent control equipment, monitoring system and intelligent control method
CN113591075A (en) * 2021-07-26 2021-11-02 深信服科技股份有限公司 Terminal safety control method, device and storage medium
CN113923170A (en) * 2021-09-30 2022-01-11 深信服科技股份有限公司 Application identification management method and system
CN114065180A (en) * 2021-11-26 2022-02-18 国网宁夏电力有限公司信息通信公司 Perception equipment safety verification system based on trusted computing 3.0

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106384053A (en) * 2016-09-14 2017-02-08 江苏北弓智能科技有限公司 Trusted boot method and apparatus for mobile operation system
CN106845243A (en) * 2016-12-13 2017-06-13 北京元心科技有限公司 Improve the method and system for starting safety
CN106713030B (en) * 2016-12-21 2019-11-15 无锡江南计算技术研究所 Software source management method and software function management system based on security management and control
CN106775903B (en) * 2017-02-24 2021-02-09 北京小米移动软件有限公司 Security policy file updating method and device
CN107294962B (en) * 2017-06-14 2020-09-29 福州汇思博信息技术有限公司 Method and terminal for configuring firewall security policy
CN108241798B (en) * 2017-12-22 2021-04-02 北京车和家信息技术有限公司 Method, device and system for preventing machine refreshing
CN108710801B (en) * 2018-05-29 2019-03-22 北京迪诺益佳信息科技有限公司 A kind of behavior management-control method of mobile application dynamically load code
CN109241783B (en) * 2018-08-14 2021-04-06 中国科学院信息工程研究所 Implementation method and device for mobile terminal management and control strategy
CN109409032A (en) * 2018-10-24 2019-03-01 山东超越数控电子股份有限公司 A kind of system kernel analysis method of Safety-Critical System
CN112243226A (en) * 2020-10-14 2021-01-19 广东汉鼎蜂助手网络技术有限公司 Cloud SIM card wireless network remote control method, system and server device
CN113901473B (en) * 2021-09-10 2023-11-03 苏州浪潮智能科技有限公司 Method, device, equipment and readable medium for safely starting server
CN115134172B (en) * 2022-08-30 2022-11-25 北京亿赛通科技发展有限责任公司 Automatic configuration system and method for transparent encryption and decryption of terminal file

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103067392A (en) * 2012-12-28 2013-04-24 中国人民解放军理工大学 Security access control method based on Android terminal
CN103646214A (en) * 2013-12-18 2014-03-19 国家电网公司 Method for establishing trusted environment in power distribution terminal
CN103729597A (en) * 2014-01-16 2014-04-16 宇龙计算机通信科技(深圳)有限公司 System starting verifying method and device and terminal

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103020531B (en) * 2012-12-06 2015-05-27 中国科学院信息工程研究所 Method and system for trusted control of operating environment of Android intelligent terminal
CN103560902A (en) * 2013-10-10 2014-02-05 中兴通讯股份有限公司 Server, intelligent terminal and remote management method of intelligent terminal

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103067392A (en) * 2012-12-28 2013-04-24 中国人民解放军理工大学 Security access control method based on Android terminal
CN103646214A (en) * 2013-12-18 2014-03-19 国家电网公司 Method for establishing trusted environment in power distribution terminal
CN103729597A (en) * 2014-01-16 2014-04-16 宇龙计算机通信科技(深圳)有限公司 System starting verifying method and device and terminal

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110046497A (en) * 2018-01-16 2019-07-23 腾讯科技(深圳)有限公司 A kind of function hook implementation method, device and storage medium
CN108540498A (en) * 2018-06-21 2018-09-14 咪付(广西)网络技术有限公司 The method and system that security strategy version issues in a kind of financial payment
CN108540498B (en) * 2018-06-21 2023-05-05 咪付(广西)网络技术有限公司 Method and system for issuing security policy version in financial payment
CN110764827A (en) * 2018-07-27 2020-02-07 中标软件有限公司 Control system and method for computer peripheral equipment
CN110764827B (en) * 2018-07-27 2023-05-30 中标软件有限公司 Control system and method for computer peripheral equipment
CN110543769A (en) * 2019-08-29 2019-12-06 武汉大学 Trusted starting method based on encrypted TF card
CN110543769B (en) * 2019-08-29 2023-09-15 武汉大学 Trusted starting method based on encrypted TF card
CN113495504B (en) * 2020-03-18 2023-01-31 杭州海康威视数字技术股份有限公司 Intelligent control equipment, monitoring system and intelligent control method
CN113495504A (en) * 2020-03-18 2021-10-12 杭州海康威视数字技术股份有限公司 Intelligent control equipment, monitoring system and intelligent control method
CN113297121A (en) * 2021-06-16 2021-08-24 深信服科技股份有限公司 Interface management method, device, equipment and readable storage medium
CN113297121B (en) * 2021-06-16 2024-02-23 深信服科技股份有限公司 Interface management method, device, equipment and readable storage medium
CN113591075A (en) * 2021-07-26 2021-11-02 深信服科技股份有限公司 Terminal safety control method, device and storage medium
CN113591075B (en) * 2021-07-26 2023-11-07 深信服科技股份有限公司 Terminal security management and control method, device and storage medium
CN113923170A (en) * 2021-09-30 2022-01-11 深信服科技股份有限公司 Application identification management method and system
CN114065180A (en) * 2021-11-26 2022-02-18 国网宁夏电力有限公司信息通信公司 Perception equipment safety verification system based on trusted computing 3.0

Also Published As

Publication number Publication date
CN105656860A (en) 2016-06-08

Similar Documents

Publication Publication Date Title
WO2015184891A1 (en) Security management and control method, apparatus, and system for android system
CN108810894B (en) Terminal authorization method, device, computer equipment and storage medium
US10153906B2 (en) Systems and methods for implementing computer security
CN112417379B (en) Cluster license management method and device, authorization server and storage medium
EP3453136B1 (en) Methods and apparatus for device authentication and secure data exchange between a server application and a device
US8230222B2 (en) Method, system and computer program for deploying software packages with increased security
US10169589B2 (en) Securely booting a computer from a user trusted device
US8856544B2 (en) System and method for providing secure virtual machines
US8528062B1 (en) Method and service for securing a system networked to a cloud computing environment from malicious code attacks
US8789037B2 (en) Compatible trust in a computing device
KR101377359B1 (en) Secure software licensing and provisioning using hardware based security engine
US9154299B2 (en) Remote management of endpoint computing device with full disk encryption
CN111414612B (en) Security protection method and device for an operating system image, and electronic device
CN109863475A (en) Upgrade method and related device for an application in a secure element
US11003435B2 (en) Manifest trialing techniques
US20060150246A1 (en) Program execution control device, OS, client terminal, server, program execution control system, program execution control method and computer program execution control program
US10771462B2 (en) User terminal using cloud service, integrated security management server for user terminal, and integrated security management method for user terminal
WO2016165215A1 (en) Method and apparatus for loading code signing on applications
JP2009169841A (en) Information processor and portable telephone device
US20230119196A1 (en) Information processing apparatus, authenticity verification method, and program
CN111258615A (en) Industrial control host, method and device for upgrading software of industrial control host and mobile storage medium
KR101711024B1 (en) Method for accessing a tamper-proof device and apparatus enabling the method
KR20150030047A (en) Method and system for application authentication
US20240037216A1 (en) Systems And Methods For Creating Trustworthy Orchestration Instructions Within A Containerized Computing Environment For Validation Within An Alternate Computing Environment
CN112416759A (en) Security management method, industrial control host, computer equipment and storage medium

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application

Ref document number: 15803017

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 EP: PCT application non-entry in European phase

Ref document number: 15803017

Country of ref document: EP

Kind code of ref document: A1