CN102663318B - Browser Process Privilege control method - Google Patents


Info

Publication number: CN102663318B
Authority: CN (China)
Legal status: Active
Application number: CN201210078482.3A
Other languages: Chinese (zh)
Other versions: CN102663318A
Inventors: 宾彬, 熊新星
Current assignee: Beijing Baidu Netcom Science and Technology Co Ltd
Original assignee: Beijing Baidu Netcom Science and Technology Co Ltd
Priority application: CN201210078482.3A
Publications: CN102663318A (application), CN102663318B (granted patent)


Abstract

The invention provides a browser and a client. The browser comprises a main process and a plurality of child processes; the child processes are created by the main process and have different privileges. Because the browser is built on a multi-process architecture and the privileges of processes with different functions are controlled, the safety of users browsing the Internet is improved. The main process's scheduling and control of the child processes is closely bound to the browser's own internal mechanisms and logic, so program efficiency, user experience and user productivity are improved.

Description

A control method for browser process privileges
Technical field
The present invention relates to the technical field of computer networks, and in particular to a browser and a client.
Background art
At present, prior-art multi-process browser architectures separate the main process from the rendering processes in order to improve stability. For example, the multi-process browser proposed by Google comprises a single browser main process and at least one rendering process for the content area of each browser instance, and the main process communicates with one or more rendering engine processes. In this way the browser prevents a faulty process from affecting the results of other browser processes, which improves user experience and user productivity. However, this multi-process architecture still cannot solve the security risks of the browser; and where restrictions are added instead, they cause compatibility problems in which browser plug-ins can no longer run normally.
Summary of the invention
The present invention aims to solve at least one of the technical problems existing in the prior art.
To this end, one object of the present invention is to propose a browser with higher security and robustness. Another object of the present invention is to propose a client.
To achieve these objects, an embodiment of the first aspect of the present invention proposes a browser. The browser is divided into a main process and child processes. The main process may be the process started by the user, or the process started by the user may exit and construct another, safer main process. All other processes are created by this main process and are referred to in this application as child processes; a child process may in turn create grandchild processes. In one embodiment of the invention the main process has privileges no higher than the default privileges of Explorer, the child processes generally have privileges no higher than those of the main process, and the privileges of the main and child processes are configured by a controllable policy. Specifically, the browser comprises a main process and a plurality of child processes, wherein the child processes are created by the main process, have different privileges, and have privileges no higher than those of the main process.
The browser according to the embodiment of the present invention is based on a multi-process browser architecture and controls the privileges of the processes with different functions, which improves the security of users browsing the Internet. Because the main process's scheduling and control of the child processes is closely combined with the browser's own internal mechanisms and logic, program efficiency, user experience and user productivity are improved.
An embodiment of another aspect of the present invention proposes a client comprising a Windows operating system and the browser of the first-aspect embodiment described above.
The client according to the embodiment of the present invention builds on the existing multi-process browser architecture and combines it with sandbox security isolation technology, greatly improving the security of users browsing the Internet. Because the multi-process and sandbox mechanisms are tightly integrated with the browser's own internal mechanisms and logic, program efficiency, user experience and user productivity can be greatly improved.
Additional aspects and advantages of the present invention will be given in part in the following description, will in part become apparent from the description, or will be learned through practice of the invention.
Description of the drawings
The above and/or additional aspects and advantages of the present invention will become apparent and easy to understand from the following description of embodiments with reference to the accompanying drawings, in which:
Fig. 1 is an architecture diagram of the browser according to an embodiment of the present invention;
Fig. 2 is an architecture diagram of the browser according to one embodiment of the present invention;
Fig. 3 is a schematic diagram of the render child processes of the browser according to one embodiment of the present invention; and
Fig. 4 is a flow diagram of file virtualization in the browser according to an embodiment of the present invention.
Embodiments
Embodiments of the present invention are described in detail below. Examples of the embodiments are shown in the drawings, in which the same or similar reference numerals denote, throughout, the same or similar elements or elements having the same or similar functions. The embodiments described below with reference to the drawings are exemplary and serve only to explain the present invention; they are not to be construed as limiting it.
In the description of the present invention, it should be understood that the terms "longitudinal", "transverse", "upper", "lower", "front", "rear", "left", "right", "vertical", "horizontal", "top", "bottom", "inner", "outer" and the like indicate orientations or positional relationships based on those shown in the drawings. They are used only for convenience and simplicity of description and do not indicate or imply that the device or element referred to must have a particular orientation or be constructed and operated in a particular orientation, and therefore they are not to be construed as limiting the present invention.
In addition, the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
In the description of the present invention, unless otherwise specified and limited, it should be noted that the terms "mounted", "connected" and "coupled" are to be understood broadly: for example, a connection may be mechanical or electrical, may be internal to two elements, and may be direct or indirect through an intermediary. For those of ordinary skill in the art, the specific meaning of these terms can be understood according to the circumstances.
The browser according to an embodiment of the present invention is first described below with reference to the drawings. The browser is divided into a main process and child processes, wherein the main process may be the process started by the user, or the process started by the user may exit and construct another, safer main process. All other processes are created by this main process and are referred to in this application as child processes; a child process may in turn create grandchild processes. In one embodiment of the invention, the main process has privileges no higher than the default privileges of Explorer, the child processes have privileges no higher than those of the main process, and the privileges of the main and child processes are configured by a controllable policy.
Specifically, with reference to Fig. 1 or Fig. 2, the browser 100 according to an embodiment of the present invention comprises a main process 110 and a plurality of child processes that communicate with and are controlled by the main process 110. The child processes are created by the main process 110 and have different privileges. As shown in Fig. 1 or Fig. 2, the child processes comprise a high-privilege proxy child process 120, a browser application extension child process 130 and render child processes 140, where the high-privilege proxy child process 120, the browser application extension child process 130, the render child processes 140 and the main process 110 each have different privileges. In one embodiment of the invention, the browser application extension child process 130 comprises a WebKit kernel and/or an IE kernel, and the render child process 140 comprises a WebKit kernel and/or an IE kernel. In other embodiments of the invention the render child process 140 may also comprise other existing browser kernels, or browser kernels developed in the future.
In the embodiments of the present invention, the main process 110 is the first program started when the browser program starts, and its function is to display and manage the overall appearance and the data of the browser. In particular, the privileges of the main process 110 are the same as those of an ordinary Windows program. The high-privilege proxy child process 120 is started by the main process 110; its privileges are higher than those of the main process 110, but it requires the user's agreement when it starts. The high-privilege proxy child process 120 helps the other child processes perform operations that require high privileges, such as installing plug-ins. The browser application extension child process 130 and the render child process 140 are also started by the main process 110. In the embodiments of the present invention, in order to restrict the privileges of the browser application extension child process 130 and the render child process 140, the present invention provides them with a restricted Token and Job and hooks the corresponding APIs (described in detail later). The browser application extension child process 130 runs the extension plug-ins and their corresponding JS code and offers the plug-ins' functions to the other child processes. As for the render child process 140, whenever a browser kernel (such as the WebKit kernel and/or the IE kernel) opens a web page, the main process 110 creates a render child process 140, and the rendering and management of that page are all carried out in this process. Because the present application divides the browser processes in this concrete way, the role of each child process is clearer, and placing the browser application extension child process 130 and the render child process 140 in different restricted processes greatly improves the clarity of the browser architecture and the convenience of managing it.
In the embodiments of the present invention, the child processes are controlled by the main process 110; for example, the main process 110 controls the opening and closing of the high-privilege proxy child process 120, the browser application extension child process 130 and the render child process 140. There may be one or more render child processes 140; Fig. 1 shows N render child processes 140 (render child process 1 to render child process N). In addition, the main process 110 also performs privilege-elevation operations for a child process among the plurality of child processes. In particular, there are two modes of elevation. In the first, the main process 110 receives an elevation request from a child process and, according to that request, acts as the child process's proxy and performs the operation itself. In the second, the main process 110 temporarily adjusts the child process's privileges and, after the child process has performed the corresponding operation, restores the child process's privileges to their original level.
Further, after elevation by the main process 110, a child process can perform read/write operations, start a grandchild process, or access an SSL certificate. That is, the main process 110 acts as the child process's proxy for various operations such as read/write operations, starting a grandchild process or accessing an SSL certificate. A grandchild process is a process created by the child process described above.
Both the child processes created by the main process 110 and the grandchild processes created by the child processes need their process privileges restricted. In the examples of the present invention this is done by setting a Token/Job that restricts the privileges of the child or grandchild process: the child or grandchild process holds a restricted Token/Job, and the Token/Job limits its privileges.
Furthermore, the privileges of the child and grandchild processes are also restricted by limiting the elevation functions through hooks; that is, the child or grandchild process also contains hook technology that intercepts Windows APIs to provide elevation or virtualization functions. For example, when a child process creates a grandchild process, the hook's elevation function obtains the context of the child or grandchild process and sends an elevation request to the main process according to that context; when a child process creates and writes a file, the hook's virtualization function virtualizes the file into a safe directory; and when an SSL certificate is accessed, the hook's elevation function switches the thread's Token to a high-privilege Token.
Referring to Fig. 2, the render child process further comprises a WebKit render kernel and/or an IE render kernel, and at least one of the WebKit render kernel and the IE render kernel has a Token/Job and a hook elevation function. In Fig. 2 each render child process is shown containing only one kind of render kernel: some render child processes contain a WebKit render kernel and others contain an IE render kernel. Embodiments of the invention are not limited to this, however; a single render child process may contain both a WebKit render kernel and an IE render kernel. Embodiments of the invention are likewise not limited to browsers: other clients, such as instant messaging programs, readers and media players, may also be implemented in this way.
The browser according to the embodiment of the present invention is based on a multi-process browser architecture and, by controlling the privileges of processes with different functions, improves the security of users browsing the Internet. Moreover, the main process's scheduling and control of the processes is closely combined with the browser's own internal mechanisms and logic, which improves program efficiency, user experience and user productivity.
Specifically, the main process 110 is the first program started when the program starts, and its function is to display and manage the overall appearance and the data of the browser 100. The privileges of the main process 110 are usually configured to be no higher than the default privileges of Explorer and are configured through a control policy.
The high-privilege proxy child process 120 is created and started by the main process 110; its privileges are configured to be no higher than those of the main process 110, and its startup requires the user's confirmation. The function of the high-privilege proxy child process 120 is to help the other processes of the browser 100 (such as the browser application extension child process 130 and the render child process 140) perform operations that require high privileges, for example helping the browser application extension child process 130 install a plug-in.
The function of the browser application extension child process 130 is to run the extension plug-ins of the browser 100 and their corresponding JavaScript (js) code and to offer the plug-ins' functions to the other processes of the browser 100. The privileges of the browser application extension child process 130 are restricted accordingly; for example, as shown in Fig. 2, the browser application extension child process 130 has a restricted Token/Job and some API hooks.
Referring to Fig. 3, the render child process 140 comprises a WebKit render child process 141 and/or an IE render child process 142; that is, the render child process 140 comprises at least one of the WebKit render child process 141 and the IE render child process 142, and may of course comprise multiple WebKit render child processes 141 and/or multiple IE render child processes 142 at the same time. Fig. 3 shows a render child process 140 comprising one WebKit render child process 141 and one IE render child process 142. Each render process may comprise multiple render kernels; as shown in Fig. 3, the WebKit render child process 141 comprises N WebKit render kernels and the IE render child process 142 comprises N IE render kernels. The function of the WebKit render child process is as follows: when the user opens a web page using the WebKit kernel of the browser 100, the main process 110 creates a WebKit render child process of the WebKit kernel type, and the rendering and management of that page are all carried out in the WebKit render child process. The privileges of the WebKit render child process are restricted accordingly; referring again to Fig. 2, for example, the WebKit render child process has a restricted Token/Job and some API hooks. Naturally, a single render child process 140 may contain both a WebKit render kernel and an IE render kernel.
The function of the IE render child process is as follows: when the user opens a web page using the IE kernel of the browser 100, the main process 110 creates an IE render child process of the IE kernel type, and the rendering and management of that page are all carried out in that process. Similarly, as shown in Fig. 2, the privileges of the IE render child process are restricted accordingly; for example, the IE render child process has a restricted Token/Job and some API hooks.
In summary, the browser according to the embodiment of the present invention divides its processes into four types, the main process 110, the high-privilege proxy child process 120, the browser application extension child process 130 and the render child processes 140, and controls the privileges of each process separately. As can be clearly seen from Fig. 2, the browser application extension child process 130 and the WebKit and IE render child processes each hold a correspondingly restricted Token, are placed in a correspondingly restricted Job, and are provided with the relevant hooks, which embodies the feature that different processes have different security levels. In this way, the clarity of the browser architecture is greatly improved at the same time as network security is raised, and management of the browser architecture is made more convenient.
The various processes of the browser 100 described above do not work in isolation; they cooperate with one another to complete their tasks. In particular, the main process 110, the high-privilege proxy child process 120, the browser application extension child process 130 and the render child processes 140 communicate with one another to complete tasks jointly. As a concrete example, the communication is as follows:
1. Communication between the main process 110 and the high-privilege proxy child process 120. For example, when the main process 110 wants to install a program or plug-in, it sends a notification to the high-privilege proxy child process 120, which on receiving the notification prompts the user whether to agree to installing the program or plug-in. This is because the privileges of the main process 110 do not permit installing programs or plug-ins: the high-privilege proxy child process 120 must be started, and the request to the user is initiated through the prompt shown by the high-privilege proxy child process 120.
2. When the browser application extension child process 130 or the render child process 140 (which may also be referred to as the WebKit render child process and/or the IE render child process) handles an operation outside its corresponding privileges, it sends an elevation request to the main process 110, and the main process 110 decides whether to allow the operation according to the privileges corresponding to the browser application extension child process 130 or the render child process 140. For example, when the browser application extension child process 130 asks the high-privilege proxy child process 120 to install a program or plug-in, it sends the request to the main process 110, which decides whether to allow it; if allowed, the request is forwarded to the high-privilege proxy child process 120, otherwise the main process 110 cancels the request. Because the browser application extension child process 130 is constrained by its own Token/Job and API hooks, its operations are restricted; the main process 110 therefore judges the operation requests of the browser application extension child process 130 before the operation takes place, allowing or restricting the operation, which further ensures the security of the system.
In another example of the present invention, when the browser application extension child process 130 attempts a file-write operation on a certain directory but cannot write because it is restricted, it needs to notify the main process 110 to help write the file. The main process 110 then judges the operation and determines whether the browser application extension child process 130 is allowed to perform such an operation, thereby preventing the system from being attacked.
The communication between the render child process 140 and the main process 110 is similar to the communication between the browser application extension child process 130 and the main process 110 described above and, to reduce redundancy, is not repeated here.
In summary, from the communication between the main process 110 and the processes of different roles (the high-privilege proxy child process 120, the browser application extension child process 130 and the render child process 140) it can be seen that processes in different roles have different corresponding privileges. Therefore, when these processes communicate and need some proxied operation performed, the main process 110 performs a corresponding privilege check on them and decides whether to allow the operation, which improves the security of the system.
As shown in Fig. 4, the browser application extension child process 130 and the render child process 140 have at least one hook virtualization function to implement file virtualization. For example, when the render child process 140 creates or writes a file for a web page, the hook's virtualization function stores the page in a writable virtual directory and notifies the main process 110 to copy the page file to the directory specified by the user. This solves the incompatibility problems that arise in a system with privilege restrictions, namely that some software does not follow the principle of least privilege and cannot work normally when a system call, such as an I/O operation, is refused. By means of file virtualization, write operations to critical locations are redirected to a non-critical virtual directory, so the software can continue to run normally. In addition, in order to improve compatibility with existing software, in one specific example of the invention a directory that originally could not be written to is virtualized to a writable virtual directory, implemented through hooks of the file-operation functions. Implementing file virtualization through hooks in the embodiment of the present invention is different from the conventional use of hook technology to restrict system calls and the problems that causes: if a virus bypasses the hooks, the security descriptor/ACL access-check mechanism and the Job mechanism used by the browser application extension child process 130 and the render child process 140 of the embodiment of the present invention will still stop it at the system kernel level.
Further, when the render child process 140 performs a "save as" operation on a web page, the hook's virtualization function stores the page as a page file in a writable virtual directory and notifies the main process 110 to copy the page file to the directory specified by the user. Specifically, the normal functions of the browser can also be implemented according to the logic of the browser 100. For example, if the render child process needs to save a web page as a file, the hook's virtualization function deposits the file in a writable virtual directory and notifies the main process 110 to copy the file to the directory specified by the user. This is one of the basic functions of the browser 100 of the embodiment of the present invention, and its implementation is closely combined with the logic of the browser 100: compared with a general sandbox, handling the "save as" operation through virtualization in this way solves the problem that the user cannot find the corresponding file in the originally selected directory, because the file is found in the directory the user specified.
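The two paths just described, the hook redirecting writes aimed at a protected directory into a writable virtual directory, and the brokered "save as" in which the child writes into its virtual directory and the main process copies the file to the location the user chose, modelled in Python as an added example (not code from the patent or the product). All paths are constructed inside a temporary directory, and the hook is modelled as a Python method rather than a real Win32 API hook.

```python
"""Added example (not the patent's code): file virtualization for a restricted
child and the brokered "save as" flow. The hook is a Python method here, and
all paths are constructed inside a temporary directory."""
import shutil
import tempfile
from pathlib import Path


class FileVirtualizer:
    """Hook-side logic running inside the restricted child."""

    def __init__(self, protected_roots, virtual_root):
        self.protected_roots = [Path(p).resolve() for p in protected_roots]
        self.virtual_root = Path(virtual_root).resolve()
        self.virtual_root.mkdir(parents=True, exist_ok=True)

    def virtualize(self, requested) -> Path:
        """Map any path to the mirror of that path beneath the virtual root."""
        requested = Path(requested).resolve()
        parts = requested.parts[1:] if requested.is_absolute() else requested.parts
        return self.virtual_root.joinpath(*parts)

    def redirect(self, requested) -> Path:
        """Writes aimed at a protected root are redirected; others pass through.
        This is compatibility logic only: the restricted Token/Job and the ACL
        check, not this function, remain the boundary if the hook is bypassed."""
        requested = Path(requested).resolve()
        if any(root == requested or root in requested.parents
               for root in self.protected_roots):
            return self.virtualize(requested)
        return requested


class RenderChild:
    def __init__(self, virtualizer: FileVirtualizer):
        self.v = virtualizer

    def write(self, path, data: bytes, force_virtual=False) -> Path:
        """Every write goes through the hook; a 'save as' always lands in the
        virtual directory because the main process will copy it out."""
        target = self.v.virtualize(path) if force_virtual else self.v.redirect(path)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
        return target


class MainProcess:
    """Unrestricted side: finishes 'save as' by copying to the user's choice."""

    def __init__(self, virtual_root):
        self.virtual_root = Path(virtual_root).resolve()

    def finish_save_as(self, virtual_file, user_path) -> Path:
        virtual_file = Path(virtual_file).resolve()
        if self.virtual_root not in virtual_file.parents:
            # Only files the child wrote inside its own virtual directory are
            # eligible; anything else would turn the broker into a file reader.
            raise PermissionError("source is outside the child's virtual directory")
        user_path = Path(user_path)
        user_path.parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(virtual_file, user_path)
        return user_path


def save_page_as(child: RenderChild, main: MainProcess, user_path, html: bytes):
    """The whole flow: child writes (virtualized), then notifies the main
    process, which copies the file to the directory the user chose."""
    virtual_file = child.write(user_path, html, force_virtual=True)
    return virtual_file, main.finish_save_as(virtual_file, user_path)


def demo() -> dict:
    """Runs both paths in a fresh temporary directory and reports the outcome."""
    tmp = Path(tempfile.mkdtemp())
    v = FileVirtualizer([tmp / "Program Files"], tmp / "virtual")
    child, main = RenderChild(v), MainProcess(tmp / "virtual")
    cache = child.write(tmp / "Program Files" / "Browser" / "cache.dat", b"cache")
    user_path = tmp / "Documents" / "page.html"
    virtual_file, final = save_page_as(child, main, user_path, b"<html></html>")
    try:
        main.finish_save_as(user_path, tmp / "other.html")   # not a virtual file
        refused = False
    except PermissionError:
        refused = True
    return {
        "cache_redirected": (tmp / "virtual").resolve() in cache.parents,
        "protected_untouched": not (tmp / "Program Files").exists(),
        "saved_where_user_chose": final.read_bytes() == b"<html></html>",
        "virtual_copy_kept": virtual_file.read_bytes() == b"<html></html>",
        "outside_source_refused": refused,
    }
```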
In one embodiment of the present invention, the render child process 140 has a hook process-start function. When the render child process 140 creates or starts a grandchild process, the hook process-start function checks the child program's file, and if it determines that the grandchild process belongs to a preset whitelist, it gives the grandchild process the same Token and Job as the main process. Specifically, when the restricted render child process 140 starts a child process by the normal path, the Job mechanism in use limits the start of the child process, and after starting the child process holds the same privileges in its Token as the render child process 140, so that many operations cannot be carried out. The hook process-start function of the embodiment of the present invention therefore changes the path by which the child process is started: it determines whether the child process being started is in the preset whitelist (the items checked against the whitelist include, for example, the signing company of the program and the program name), and if the signing company and program name are found in the preset whitelist, it uses a Token with relatively higher privileges inherited from the main process 110 and starts the child process with the system's CreateProcessAsUser. This solves the problem that many normal functions or plug-ins (child processes) cannot be enabled when the user uses the browser, which hurts user experience, and thus improves user experience.
In another example of the present invention, when the render child process 140 starts a COM component and determines that the COM component belongs to a preset whitelist, the render child process 140 notifies the main process 110 to create the COM component; after the main process 110 has created it, the COM interface corresponding to the component is passed to the corresponding render child process 140. In particular, the restricted render child process 140 cannot create certain higher-privilege COM components that it nevertheless needs to use. A check similar to the child-process start described in embodiment 2 above is therefore performed; once the check passes, the main process 110 is notified to help create the COM component, and the main process 110 then passes the successfully created COM interface into the corresponding render child process 140, thereby achieving privilege elevation for creating the COM component. As a concrete example, in a general sandbox many COM components cannot be started, such as the Xunlei Kankan plug-in, which greatly affects the user's normal use; creating COM components in the above manner improves security without affecting the user's normal use, which is more reasonable.
Further, when the render child process 140 opens the handle of a restricted object, it notifies the main process 110; after the main process 110 has opened the handle, the opened handle is copied into the render child process 140. Specifically, in the restricted render child process 140 the function logic of the browser 100 sometimes needs the handles of certain objects that cannot be opened within the current privileges of the render child process 140. Embodiments of the invention store the information about the target object to be opened and send it to the main process 110 through the inter-process communication mechanism; the main process 110 helps open the handle and then uses the system's DuplicateHandle to copy the handle from the main process 110 into the corresponding render child process 140, so that the render child process 140 can open the object handle. This approach cooperates with the hooks, so that privileges are exceeded only within the specific logic of the browser 100, while the privilege restrictions are kept at all other times. As a concrete example, suppose a render child process 140 wants to open a file "save as" dialog and save some data as a file, but because of its privilege restrictions it cannot open the file in that directory (the unrestricted main process 110 can open the file). The "save as" dialog function is then hooked to record the file path selected by the user; in the file-open function this path is checked, and once the check passes the inter-process handle-passing technique is used: the main process 110 opens the handle and passes it into the render child process 140, so that this logic works normally.
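The main process acting as privilege broker, as described in the communication section and in the whitelist, COM and handle passages above, modelled in Python as an added example (not the patent's or the product's code). Roles, operation names, the per-role policy table and the whitelist entries are constructed; a real implementation would perform the proxied operations with Win32 calls such as CreateProcessAsUser and DuplicateHandle, which this model only names in comments.

```python
"""Added example (not the patent's or product's code): the main process as
privilege broker. Child processes send elevation requests with their context;
the main process applies a per-role policy and either performs the operation
itself (mode 1), raises the child's token only for the duration of the
operation (mode 2), forwards to the high-privilege proxy after user consent,
or denies. Roles, operations, policy table and whitelist are constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class Role(Enum):
    MAIN = "main"
    HIGH_PRIV_PROXY = "high_priv_proxy"   # starts only with the user's agreement
    APP_EXTENSION = "app_extension"       # restricted Token/Job plus API hooks
    RENDER = "render"                     # restricted Token/Job plus API hooks


# Operations each restricted role may ask the main process about at all.
ROLE_POLICY = {
    Role.APP_EXTENSION: {"write_file", "start_grandchild", "access_ssl_cert",
                         "install_plugin"},
    Role.RENDER: {"write_file", "open_handle", "start_grandchild", "create_com",
                  "access_ssl_cert"},
}
# Mode 1: the main process does the work and hands the result back (for
# open_handle a real implementation would DuplicateHandle into the child, for
# start_grandchild it would CreateProcessAsUser with a token it inherits).
PROXIED_OPS = {"write_file", "open_handle", "start_grandchild", "create_com"}
# Of those, the ones gated on the (signing company, name) whitelist.
WHITELISTED_OPS = {"start_grandchild", "create_com"}
# Mode 2: the child's own token is raised only while it performs the operation.
TEMPORARY_OPS = {"access_ssl_cert"}
# Beyond the main process's own rights: only the high-privilege proxy may do it.
PROXY_CONSENT_OPS = {"install_plugin"}
# Constructed whitelist entries.
WHITELIST = {
    ("Example Browser Co.", "updater.exe"),
    ("Example Media Co.", "VideoPlugin.Control"),
}


@dataclass
class Child:
    role: Role
    token_level: str = "restricted"   # "restricted" or "elevated"


@dataclass
class Decision:
    allowed: bool
    performed_by: Optional[Role]
    reason: str


class MainProcess:
    def __init__(self, ask_user: Callable[[str], bool]):
        self.ask_user = ask_user       # the prompt the high-privilege proxy shows
        self.audit: list = []          # every request is recorded, allowed or not

    def _decide(self, child, op, outcome, allowed, by, reason) -> Decision:
        self.audit.append(f"{child.role.value}:{op}:{outcome}")
        return Decision(allowed, by, reason)

    def handle_request(self, child: Child, op: str,
                       action: Optional[Callable[[Child], object]] = None,
                       **ctx) -> Decision:
        """Entry point reached by a hook's elevation request."""
        if op not in ROLE_POLICY.get(child.role, set()):
            return self._decide(child, op, "denied", False, None,
                                "operation not permitted for this role")

        if op in PROXY_CONSENT_OPS:
            # The main process may not install software itself; it only
            # notifies the proxy, which asks the user before acting.
            if self.ask_user(f"Allow installation of {ctx.get('name', '<unknown>')}?"):
                return self._decide(child, op, "forwarded_to_proxy", True,
                                    Role.HIGH_PRIV_PROXY, "user agreed")
            return self._decide(child, op, "user_declined", False, None,
                                "user declined")

        if op in PROXIED_OPS:
            if op in WHITELISTED_OPS and \
                    (ctx.get("signer"), ctx.get("name")) not in WHITELIST:
                return self._decide(child, op, "not_whitelisted", False, None,
                                    "signer/name not in whitelist")
            return self._decide(child, op, "proxied", True, Role.MAIN,
                                "performed by main process")

        if op in TEMPORARY_OPS and action is not None:
            previous = child.token_level
            child.token_level = "elevated"
            try:
                action(child)      # the child's own code runs under the raised token
            finally:
                child.token_level = previous   # rights are restored even on error
            return self._decide(child, op, "temporary_elevation", True,
                                child.role, "child ran with temporary token")

        return self._decide(child, op, "denied", False, None, "no broker path")
```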
The approach above resolves sandbox compatibility issues in close combination with the browser 100 logic; of course, there is much other related processing as well. By applying special handling to the browser 100 mechanisms and logic, program efficiency and user experience are improved, and the Hook functions are always in a working state, which reduces the risk of misjudgement and better improves security.
A further embodiment of the present invention proposes a client comprising a Windows operating system and the browser 100 according to the embodiments of the first aspect described above. In one embodiment of the invention, with reference to Figure 2, the Windows operating system establishes a corresponding sandbox for each of the host process 110, the high-privilege agent subprocess 120, the browser application extension subprocess 130 and the rendering subprocesses 140, and the sandboxes have different permission levels: as shown in Figure 2, processes of different types are arranged in sandboxes with different permission levels. Specifically:
The Windows operating system performs access control on the host process 110, the high-privilege agent subprocess 120, the browser application extension subprocess 130 and the rendering subprocesses 140 through its security-descriptor/ACL security check mechanism, according to the Token corresponding to each of these processes. In Windows, the security-descriptor/ACL check is bounded by the process: each process has a Token, and the Token stores the permissions the process holds. When the process performs a system operation, such as a file operation or a registry operation, the system checks whether the process's Token possesses the permissions required by the target object (a file, registry key or other object with security attributes). This is realised as follows:
The Windows operating system obtains a Token with restricted permissions through the CreateRestrictedToken API function, and creates the corresponding browser application extension subprocess 130 and rendering subprocess 140 from that restricted Token through the CreateProcessAsUser function. That is, CreateRestrictedToken is used to obtain a reduced-permission Token, and CreateProcessAsUser is then used to create a process with that Token. It should be noted that as many permissions as possible should be removed from the Token in this way, leaving only the basic ones, so that the resulting process holds no permissions over operating system resources, or over most user resources, which further improves system security.
Since each kind of process has its own role and its own functions to complete, Tokens with different permissions are assigned according to the role of the process, so that processes with different roles have different permissions. Specifically, the permissions assigned to each kind of process are as follows:
1. Host process 110: the host process of the browser 100, started by the user's click. It has ordinary access permissions and can access the vast majority of the user's resources.
2. High-privilege agent subprocess 120: assigned the highest permissions the user can obtain, started by the host process 110, and started only after the user agrees. This process has all permissions except some related to system operation, so its permissions are relatively high.
3. Browser application extension subprocess 130: started by the host process 110, it runs some plug-ins and JS code. Because this process is relatively low-risk, the restrictions applied to its Token are lighter; it is placed in a restricting Job, and relevant Hooks are installed.
4. Rendering subprocess 140: started by the host process 110, it uses the WebKit and/or IE kernel to display web pages. This process needs stronger protection: it is given a Token from which most user permissions have been removed, keeping only what is needed for the program to run normally; it is then placed in a restricting Job whose limits cover process start-up and the like; and relevant Hooks are installed to improve compatibility and apply partial restrictions, thereby improving operating system security.
Furthermore, the Token with restricted permissions not only carries a restricted ACL but may also have restricted privileges. The ACL part of the Token is restricted by using the CreateRestrictedToken API; in fact CreateRestrictedToken can also restrict the privileges in the Token, for example the process's debug privilege or driver-loading privilege. These are high privileges that can operate on considerable system resources and would be very dangerous if obtained by a virus or Trojan. Restricting privileges therefore further improves the security of the system.
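The per-role Token and Job set-up of this passage, written out as an added example in C (not the patent's or any browser's code). policy_for_role maps the four roles to the restrictions the text assigns them, and launch_sandboxed applies them with CreateRestrictedToken, a Job object and CreateProcessAsUser. The concrete choices (DISABLE_MAX_PRIVILEGE plus LUA_TOKEN for the renderer, deleting only the debug and driver-loading privileges for the extension process, an active-process limit of 1 for the renderer's Job) are one reading of the text, not values the patent states; the launch function compiles only on Windows, the policy part anywhere.

```c
/* Added example, not the patent's or any browser's code: per-role restricted
 * Token and Job for a browser child process. Role numbers follow the text
 * (host 110, high-privilege agent 120, extension 130, renderer 140). The flag
 * choices below are assumptions; the launch itself needs Windows. */
#include <stddef.h>
#include <string.h>

typedef enum { ROLE_HOST, ROLE_HIGH_AGENT, ROLE_EXTENSION, ROLE_RENDERER } BrowserRole;

typedef struct {
    int disable_all_privileges;          /* DISABLE_MAX_PRIVILEGE: keep only SeChangeNotifyPrivilege */
    int lua_token;                       /* LUA_TOKEN: strip administrator group SIDs */
    const char *privileges_to_delete[4]; /* named privileges to delete otherwise */
    size_t num_privileges_to_delete;
    int use_job;                         /* put the child into a restricting Job */
    unsigned long active_process_limit;  /* Job ActiveProcessLimit; 0 = no limit */
} SandboxPolicy;

/* Map a process role to the restrictions the text assigns it. */
SandboxPolicy policy_for_role(BrowserRole role)
{
    SandboxPolicy p;
    memset(&p, 0, sizeof p);
    switch (role) {
    case ROLE_RENDERER:          /* "most user permissions removed", start-up limited by the Job */
        p.disable_all_privileges = 1;
        p.lua_token = 1;
        p.use_job = 1;
        p.active_process_limit = 1;   /* the renderer alone; grandchildren go through the host */
        break;
    case ROLE_EXTENSION:         /* "lighter restrictions": drop the privileges the text names */
        p.privileges_to_delete[0] = "SeDebugPrivilege";
        p.privileges_to_delete[1] = "SeLoadDriverPrivilege";
        p.num_privileges_to_delete = 2;
        p.lua_token = 1;
        p.use_job = 1;
        break;
    default:                     /* host and high-privilege agent: the user's normal Token */
        break;
    }
    return p;
}

#ifdef _WIN32
#include <windows.h>

/* Create cmdline (a writable buffer, as CreateProcess requires) under the policy.
 * Returns the process handle or NULL; *job_out receives the Job handle (or NULL). */
HANDLE launch_sandboxed(const SandboxPolicy *p, wchar_t *cmdline, HANDLE *job_out)
{
    HANDLE hToken, hRestricted, hJob = NULL;
    LUID_AND_ATTRIBUTES del[4];
    DWORD flags = 0, ndel = 0;
    size_t i;
    STARTUPINFOW si;
    PROCESS_INFORMATION pi;

    *job_out = NULL;
    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_DUPLICATE | TOKEN_QUERY | TOKEN_ASSIGN_PRIMARY, &hToken))
        return NULL;
    if (p->disable_all_privileges) flags |= DISABLE_MAX_PRIVILEGE;
    if (p->lua_token)              flags |= LUA_TOKEN;
    for (i = 0; i < p->num_privileges_to_delete; i++)
        if (LookupPrivilegeValueA(NULL, p->privileges_to_delete[i], &del[ndel].Luid))
            del[ndel++].Attributes = 0;
    /* Reduced ACL part (SIDs) and reduced privileges in one step, as the text describes */
    if (!CreateRestrictedToken(hToken, flags, 0, NULL, ndel, ndel ? del : NULL,
                               0, NULL, &hRestricted)) {
        CloseHandle(hToken);
        return NULL;
    }
    CloseHandle(hToken);

    if (p->use_job && (hJob = CreateJobObjectW(NULL, NULL)) != NULL && p->active_process_limit) {
        JOBOBJECT_BASIC_LIMIT_INFORMATION bli;
        memset(&bli, 0, sizeof bli);
        bli.LimitFlags = JOB_OBJECT_LIMIT_ACTIVE_PROCESS;   /* the Job's process start-up limit */
        bli.ActiveProcessLimit = p->active_process_limit;
        SetInformationJobObject(hJob, JobObjectBasicLimitInformation, &bli, sizeof bli);
    }

    memset(&si, 0, sizeof si);
    si.cb = sizeof si;
    /* Start suspended so the Job limits are in force before any child code runs */
    if (!CreateProcessAsUserW(hRestricted, NULL, cmdline, NULL, NULL, FALSE,
                              CREATE_SUSPENDED, NULL, NULL, &si, &pi)) {
        CloseHandle(hRestricted);
        if (hJob) CloseHandle(hJob);
        return NULL;
    }
    if (hJob) AssignProcessToJobObject(hJob, pi.hProcess);
    ResumeThread(pi.hThread);
    CloseHandle(pi.hThread);
    CloseHandle(hRestricted);
    *job_out = hJob;
    return pi.hProcess;
}
#endif
```

CreateProcessAsUser accepts a restricted Token derived from the caller's own primary Token without any extra privilege, which is why the host can create its children this way; the Job is assigned while the child is still suspended so that no code runs outside the process-count limit.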
The mechanisms provided by Windows described above are all bounded by the process, so applying the multi-process browser architecture to sandboxing is particularly beneficial. Each class of process in the embodiment of the present invention is responsible for only one basic function and has a very clear role; when the corresponding sandbox is applied to such a process, different access controls can be applied according to the role of the process, allowing the process to run better and more efficiently.
The client of the embodiment of the present invention, based on the existing multi-process browser architecture combined with the secure isolation technology of sandboxing, greatly strengthens the security of the user's browsing. Since the multi-process design and the sandbox are tightly bound to the browser's own internal mechanisms and logic, program operating efficiency, user experience and user efficiency are greatly improved.
Embodiments of the invention have the following advantages:
First, embodiments of the invention can automatically decide, before the user performs an operation on a target object, whether execution of the target object needs to be brought into the sandbox, thus helping the user determine which risky programs need to run in the sandbox.
Second, the multi-process browser architecture used by the browser of the embodiment strengthens the application of the architecture to sandboxing while ensuring system security and robustness.
Third, the browser's sandbox is always on, which reduces the risk of misjudgement and better improves security. Processes placed in the sandbox are subject to role-based, graded permission control, that is, each type of process is placed in a sandbox with different permissions, which improves the execution efficiency of the system.
Any process or method description in a flowchart or otherwise described herein may be understood as representing a module, segment or portion of code comprising one or more executable instructions for implementing specific logical functions or steps of the process, and the scope of the preferred embodiments of the present invention includes other implementations in which functions may be performed out of the order shown or discussed, including substantially concurrently or in reverse order depending on the functionality involved, as will be understood by those skilled in the art to which the embodiments of the present invention pertain.
The logic and/or steps represented in the flowcharts or otherwise described herein, for example an ordered list of executable instructions for implementing logical functions, may be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus or device (such as a computer-based system, a system including a processor, or another system that can fetch instructions from the instruction execution system, apparatus or device and execute them). For the purposes of this specification, a "computer-readable medium" may be any means that can contain, store, communicate, propagate or transport the program for use by or in connection with the instruction execution system, apparatus or device. More specific examples (a non-exhaustive list) of the computer-readable medium include: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fibre device, and a portable compact disc read-only memory (CDROM). The computer-readable medium could even be paper or another suitable medium on which the program is printed, since the program can be electronically captured, for example by optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner if necessary, and then stored in a computer memory.
It should be understood that parts of the present invention may be implemented in hardware, software, firmware or a combination thereof. In the above embodiments, multiple steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one of the following technologies well known in the art, or a combination thereof, may be used: a discrete logic circuit having logic gates for implementing logic functions on data signals, an application-specific integrated circuit having suitable combinational logic gates, a programmable gate array (PGA), a field programmable gate array (FPGA), and so on.
Those skilled in the art will appreciate that all or part of the steps of the above-described method embodiments may be implemented by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium and, when executed, performs one of the steps of the method embodiments or a combination thereof.
In addition, the functional units in the embodiments of the present invention may be integrated in one processing module, may exist physically as separate units, or two or more units may be integrated in one module. The integrated module may be implemented in the form of hardware or in the form of a software functional module. When implemented as a software functional module and sold or used as an independent product, the integrated module may also be stored in a computer-readable storage medium.
The above-mentioned storage medium may be a read-only memory, a magnetic disk, an optical disc, or the like.
In the description of this specification, reference to the terms "an embodiment", "some embodiments", "an example", "a specific example" or "some examples" means that a particular feature, structure, material or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Although embodiments of the present invention have been shown and described, those of ordinary skill in the art will appreciate that various changes, modifications, substitutions and variations can be made to these embodiments without departing from the principles and spirit of the present invention, the scope of which is defined by the claims and their equivalents.

Claims (16)

1. A method for controlling browser process permissions, characterised in that the browser comprises a host process and a plurality of subprocesses, wherein the plurality of subprocesses are created by the host process and comprise a high-privilege agent subprocess, a browser application extension subprocess and at least one rendering subprocess, and wherein the high-privilege agent subprocess, the browser application extension subprocess, the at least one rendering subprocess and the host process have different permissions, the method comprising:
when the host process installs a program or plug-in, the host process sends a notification to the high-privilege agent subprocess;
the high-privilege agent subprocess prompts the user, according to the notification, whether to agree to install the program or plug-in; if a request in which the user agrees to install the program or plug-in is received, the browser application extension subprocess and the at least one rendering subprocess are notified to send a privilege elevation request to the host process;
the host process judges, according to the permissions of the browser application extension subprocess and the at least one rendering subprocess, whether to allow the privilege elevation request; if the host process judges that the privilege elevation request is allowed, the host process sends the privilege elevation request to the high-privilege agent subprocess.
2. The method for controlling browser process permissions as claimed in claim 1, characterised in that the permissions of the host process are not higher than the default permissions of Explorer.
3. The method for controlling browser process permissions as claimed in claim 1, characterised in that the permissions of the host process and of the plurality of subprocesses are configured by a control policy.
4. The method for controlling browser process permissions as claimed in claim 1, characterised in that the host process is further used to perform a privilege elevation operation for one subprocess of the plurality of subprocesses.
5. The method for controlling browser process permissions as claimed in claim 4, characterised in that the host process receives a privilege elevation request from one subprocess of the plurality of subprocesses, and either the host process performs the operation on behalf of the subprocess according to the privilege elevation request, or the host process temporarily adjusts the permissions of the subprocess and restores the permissions of the subprocess after the subprocess has performed the corresponding operation.
6. The method for controlling browser process permissions as claimed in claim 5, characterised in that, after the host process elevates its privileges, the subprocess performs a read/write operation, a grandchild-process start operation or an SSL certificate access operation.
7. The method for controlling browser process permissions as claimed in claim 6, characterised in that the subprocess or the grandchild process has a restricted token (Token) and Job, the Token/Job being used to limit the permissions of the subprocess or the grandchild process.
8. The method for controlling browser process permissions as claimed in claim 6 or 7, characterised in that the subprocess or the grandchild process further comprises a hook (Hook) providing a privilege elevation function or a virtualisation function for intercepting Windows API calls, wherein:
the Hook privilege elevation function is used to obtain the context of the subprocess or the grandchild process when the subprocess creates the grandchild process, and to switch the Token of the subprocess to a high-permission Token when, according to that context, the subprocess sends a privilege elevation request to the host process or accesses an SSL certificate;
the Hook virtualisation function is used to virtualise the file to a safe directory when the subprocess creates and writes a file.
9. The method for controlling browser process permissions as claimed in claim 1, characterised in that the at least one rendering subprocess comprises a WebKit rendering kernel and/or an IE rendering kernel, at least one of which has a Token/Job and a Hook privilege elevation function.
10. The method for controlling browser process permissions as claimed in claim 1, characterised in that, when the browser application extension subprocess and the at least one rendering subprocess handle an operation outside their corresponding permissions, the browser application extension subprocess and the at least one rendering subprocess send a privilege elevation request to the host process, and the host process judges whether to allow the operation according to the permissions corresponding to the browser application extension subprocess and the at least one rendering subprocess.
11. The method for controlling browser process permissions as claimed in claim 1, characterised in that, when the host process intends to install a program or plug-in, the host process sends a notification to the high-privilege agent subprocess, and the high-privilege agent subprocess prompts the user whether to agree to install the program or plug-in.
12. The method for controlling browser process permissions as claimed in claim 1, characterised in that the browser application extension subprocess and the at least one rendering subprocess have at least one Hook virtualisation function to realise file virtualisation.
13. The method for controlling browser process permissions as claimed in claim 12, characterised in that, when the at least one rendering subprocess performs a file creation or write operation on a web page, the Hook virtualisation function stores the web page in a writable virtual directory and notifies the host process to copy the web page file to a directory specified by the user.
14. The method for controlling browser process permissions as claimed in claim 1, characterised in that the at least one rendering subprocess has a Hook process-start function; when the at least one rendering subprocess starts a grandchild process, the Hook process-start function checks the subprocess file, and if the grandchild process is judged to belong to a preset whitelist, the grandchild process is given the same Token and Job as the host process.
15. The method for controlling browser process permissions as claimed in claim 1, characterised in that, when the at least one rendering subprocess starts a COM component and the COM component is judged to belong to a preset whitelist, the at least one rendering subprocess notifies the host process to create the COM component, and after the host process creates the COM component, the COM interface corresponding to the COM component is sent to the at least one rendering subprocess.
16. The method for controlling browser process permissions as claimed in claim 1, characterised in that, when the at least one rendering subprocess opens a handle to a restricted object, the at least one rendering subprocess notifies the host process, and after the host process opens the handle, the opened handle is copied to the at least one rendering subprocess.
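The file virtualisation of claims 12 and 13, as an added example in C that is not the patent's or any browser's code: the renderer's hook redirects a write aimed at a user-chosen path into a writable virtual root and records the mapping, and the host later looks the mapping up to copy the finished file to the directory the user specified. The virtual root, the sample paths and the rule that relative paths, UNC paths and any ".." component are refused are assumptions made for this example; the copy step compiles only on Windows, the mapping logic anywhere.

```c
/* Added example, not the patent's or any browser's code: file virtualisation as
 * a small mapping table. The hook side redirects a write under a virtual root;
 * the host side finds where the file landed and copies it to the user's
 * directory. Root and paths are constructed sample values. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define VFS_MAX_ENTRIES 16
#define VFS_PATH_LEN    260

typedef struct { char original[VFS_PATH_LEN]; char redirected[VFS_PATH_LEN]; } VfsEntry;
typedef struct { const char *root; VfsEntry e[VFS_MAX_ENTRIES]; size_t count; } Vfs;

/* Map "X:\dir\file" to root + "\X\dir\file". Only absolute drive paths are
 * accepted, and no component may be "..", so the result cannot leave root. */
int vfs_redirect(const Vfs *v, const char *original, char *out, size_t outsz)
{
    const char *seg;
    size_t i, n;
    int drive = original ? original[0] : 0;
    if (!((drive >= 'A' && drive <= 'Z') || (drive >= 'a' && drive <= 'z'))
        || original[1] != ':' || (original[2] != '\\' && original[2] != '/'))
        return 0;                                 /* relative or UNC: refuse */
    for (seg = original + 3;;) {                  /* component scan */
        const char *end = strpbrk(seg, "\\/");
        size_t len = end ? (size_t)(end - seg) : strlen(seg);
        if (len == 0 && end) return 0;            /* empty component ("\\\\") */
        if (len == 2 && seg[0] == '.' && seg[1] == '.') return 0;
        if (!end) break;
        seg = end + 1;
    }
    n = (size_t)snprintf(out, outsz, "%s\\%c\\%s", v->root, drive, original + 3);
    if (n >= outsz) return 0;
    for (i = 0; i < n; i++) if (out[i] == '/') out[i] = '\\';
    return 1;
}

/* Hook side: record the redirection for an attempted write and return the path
 * the hooked CreateFile should actually use. */
int vfs_map_write(Vfs *v, const char *original, char *redirected, size_t outsz)
{
    if (v->count >= VFS_MAX_ENTRIES) return 0;
    if (!vfs_redirect(v, original, redirected, outsz)) return 0;
    snprintf(v->e[v->count].original, VFS_PATH_LEN, "%s", original);
    snprintf(v->e[v->count].redirected, VFS_PATH_LEN, "%s", redirected);
    v->count++;
    return 1;
}

/* Host side: where did the renderer's write for this user path actually land? */
const char *vfs_lookup(const Vfs *v, const char *original)
{
    size_t i;
    for (i = 0; i < v->count; i++)
        if (strcmp(v->e[i].original, original) == 0) return v->e[i].redirected;
    return NULL;
}

#ifdef _WIN32
#include <windows.h>
/* Host side of claim 13: copy the finished file out of the virtual root to the
 * directory the user specified. Runs with the host's (unrestricted) Token. */
int vfs_copy_to_user(const Vfs *v, const char *original)
{
    const char *src = vfs_lookup(v, original);
    return src != NULL && CopyFileA(src, original, FALSE) != 0;
}
#endif

/* Scenario on constructed paths. Returns 1 if a normal write is redirected under
 * the root, the host can find it, and relative, traversal and UNC paths are refused. */
int demo_vfs(void)
{
    Vfs v;
    char red[VFS_PATH_LEN];
    memset(&v, 0, sizeof v);
    v.root = "C:\\BrowserSandbox\\vfs";              /* constructed virtual root */
    if (!vfs_map_write(&v, "C:\\Users\\Alice\\Documents\\notes.txt", red, sizeof red)) return 0;
    if (strcmp(red, "C:\\BrowserSandbox\\vfs\\C\\Users\\Alice\\Documents\\notes.txt") != 0) return 0;
    if (vfs_lookup(&v, "C:\\Users\\Alice\\Documents\\notes.txt") != v.e[0].redirected) return 0;
    if (vfs_map_write(&v, "C:\\Users\\Alice\\..\\..\\Windows\\system.ini", red, sizeof red)) return 0;
    if (vfs_map_write(&v, "..\\evil.exe", red, sizeof red)) return 0;
    if (vfs_map_write(&v, "\\\\server\\share\\x.txt", red, sizeof red)) return 0;
    return vfs_lookup(&v, "C:\\Users\\Alice\\..\\..\\Windows\\system.ini") == NULL;
}
```

The mapping preserves the drive letter and full directory structure under the root, so two different user paths can never collide inside the virtual directory, and the host's copy step only ever reads from the root it controls.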
CN201210078482.3A 2012-03-22 2012-03-22 Browser Process Privilege control method Active CN102663318B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210078482.3A CN102663318B (en) 2012-03-22 2012-03-22 Browser Process Privilege control method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210078482.3A CN102663318B (en) 2012-03-22 2012-03-22 Browser Process Privilege control method

Publications (2)

Publication Number Publication Date
CN102663318A CN102663318A (en) 2012-09-12
CN102663318B true CN102663318B (en) 2015-04-08

Family

ID=46772804

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210078482.3A Active CN102663318B (en) 2012-03-22 2012-03-22 Browser Process Privilege control method

Country Status (1)

Country Link
CN (1) CN102663318B (en)


Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1400832A (en) * 2001-08-03 2003-03-05 北京嘉盛联侨信息工程技术有限公司 Multiprocess program-controlled handset testing method
CN102027454A (en) * 2008-05-13 2011-04-20 谷歌公司 Multi-process browser architecture
CN102314373A (en) * 2011-07-07 2012-01-11 李鹏 Method for realizing safe working environment based on virtualization technology

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7712132B1 (en) * 2005-10-06 2010-05-04 Ogilvie John W Detecting surreptitious spyware

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Building a More Secure Web Browser; Chris Grier et al.; USENIX; 2008-08-31; vol. 33 (no. 4); pp. 14-21 *

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant