Summary of the invention
In view of the problems described above, one object of the present invention is to provide a permission management method based on call chains. The method assigns running components to different tasks according to the purpose of each component call, builds one call chain per task, formulates resource access policies on the basis of the call chain, and performs policy decision and enforcement at the moment a system API component is called to access a system resource, so that privilege-escalation attacks are blocked and the security of the terminal is protected.
Another object of the present invention is to provide a corresponding permission management system. The system is a functional enhancement of the Android permission mechanism that remedies its inability to resist privilege-escalation attacks. Every request to access a system resource can be traced back to its origin, and the resource is obtained only if every application component on the call chain corresponding to that request satisfies the policy requirements.
The technical scheme of the present invention, a call-chain-based Android permission management method, comprises the following steps:
1) an application component requests a system resource of the Android terminal by calling a system API component that performs the resource access;
1-1) when a system API component is called to access a system resource, the call is treated as one running task and a call chain is established for it at the same time;
1-2) attributes are configured for each call chain;
1-3) a resource access policy of the Android terminal is formulated for the system API component call, with the call chain attributes as the policy elements;
2) when the application component calls the system API component, the call chain to which the application component belongs is located, and policy decision and enforcement are carried out according to the attributes of that call chain;
3) if the call chain attributes are judged to satisfy the policy, the application component's call of the system API component succeeds and the system resource is accessed; otherwise access is denied.
Further, the method for establishing a call chain is as follows:
2-1) among the four classes of application components, activity, service, broadcast receiver and content provider, the activity component that triggers the launch of the application program is chosen;
2-2) each access to a system resource through a system API component is treated as one running task, and the call chain is built with the task as the unit;
2-3) components unrelated to the system resource operation are not considered when the call chain is built;
2-4) the resulting call chain comprises the application's activity component and the other application components involved, together with their mutual call relations.
Optionally, the application component manually launched by the user is taken as the initial component of the call chain, and the system API component as its terminating component.
Optionally, a call chain is denoted i and the following attributes are configured for it:
i.t, the construction time of the call chain, namely the time at which a component in the chain calls the system API component to access the system resource;
i.g, the geographic position of the terminal when the call chain is constructed, namely the position of the terminal at the time a component in the chain calls the system API component to access the system resource;
i.l, the call depth of the call chain, namely the number of components involved before the system API component is called to access the system resource;
i.n, the access permission required by the system API component in the call chain.
Optionally, the resource access policy of the Android terminal is set as follows:
P denotes the set of policies; every $p \in P$ can be expressed as a four-tuple $(t, g, l, n)$:
$p.t \in [t_1, t_2]$: the policy requires $t_1 \le i.t \le t_2$, i.e. the call chain must be constructed between moments $t_1$ and $t_2$;
$p.g \in \{g_1, g_2, \dots\}$: the policy requires $i.g \in \{g_1, g_2, \dots\}$, i.e. the geographic position of the terminal when the call chain is constructed must belong to the given set;
$p.l \in [l_1, l_2]$: the policy requires $l_1 \le i.l \le l_2$, i.e. the call depth of the call chain must lie between $l_1$ and $l_2$;
$p.n = n_1$: the policy requires every component on the call chain to hold permission $n_1$, where $n_1 = i.n$, i.e. for all $c \in i.C$, $c$ must hold permission $i.n$.
Further, the policy of a call chain may comprise one or more of the elements of the above four-tuple.
Further, the policy of a call chain may be extended to an n-tuple with n ≥ 4.
Further, the policy decision and enforcement method is as follows:
1) based on the call chain constructed by the system and the component call relations it records, starting from the system API component, its upper-level caller is looked up recursively until the initial calling component is found, thereby locating the call chain to which the application component accessing the system API component belongs;
2) the policy corresponding to the running task is found according to the name of the system API component;
3) the corresponding attributes of the call chain are judged against the requirements of the policy, and a decision is given as to whether the call chain satisfies the policy;
4) enforcement proceeds according to the policy decision: if the call chain attributes satisfy the policy, the application component's call of the system API component succeeds and the system resource is accessed; otherwise access is denied.
The invention also proposes a call-chain-based Android permission management system, comprising:
a call chain construction module, for constructing call chains for the components that access protected system resources; a call chain library, storing all constructed call chains;
a policy customization module, for formulating the access policies of the resources protected by the system; a policy library, storing all formulated access policies;
the policy customization module sets the policies for accessing system resources according to user requirements; the policy elements that can be set correspond to the call chain attributes, and the policies formed are stored in the policy library;
a policy decision module, which, when a component on a call chain requests access to a system resource, compares the call chain attribute values with the policy element values and gives a decision as to whether the component is allowed to access the system resource;
a policy enforcement module, which acts on the decision of the policy decision module: for a decision allowing access it performs the resource access operation, and for a decision denying access it intercepts the access.
Further, the call-chain-based Android permission management system has the following characteristics:
all of the above modules are located in the application layer of the Android system and use the interfaces provided by the Android system to protect system resources when application components access them;
the policy library is a policy file stored on disk, and the corresponding policy file is read into memory when the policy decision module operates;
the call chain library is a data structure maintained in memory by the Android system that changes dynamically as components run; besides recording the structure of each call chain, it records the chain's attribute values such as construction time, current position and call depth.
Beneficial effects of the present invention:
The present invention proposes a call-chain-based permission management method for the Android system; the permission management system built with it effectively resists Android privilege-escalation attacks without affecting the normal operation of the system, safeguarding the privacy and security of the terminal. The present invention treats each access to a system resource as a task, builds the components involved into a call chain with the task as the unit, maintains the call relations among the components, sets attributes on the call chain, formulates system resource access policies with these attributes as policy elements, and finally controls and enforces component access to system resources according to these policies. The call chain construction approach of the present invention avoids the redundancy that building a call chain for every component would cause and reduces the burden on the system, while the diversity of its policy elements takes into account the context of the call chain and the permission requirements on all components in the chain, preventing privilege-escalation attacks.
Embodiment
The technical scheme in the embodiments of the present invention is described clearly and completely below with reference to the accompanying drawings. It should be understood that the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those skilled in the art on the basis of the embodiments of the present invention without creative work fall within the scope of protection of the present invention.
Figure 2 is a schematic flow chart of the permission management method in an embodiment of the present invention. The method of the present invention is now described in detail by way of an embodiment. The permission management method of the present invention involves the following three stages:
(1) Call chain construction. In the course of application component execution there are call relations among components. A call chain characterises the sequential call relations among components; once constructed, it serves as the basis for obtaining the information of the other components involved when a component accesses a resource.
(2) Policy formulation. The policy adopted by the existing Android permission mechanism is that the component calling the system API component to access a system resource must satisfy the permission requirement of that API component. This requirement is too narrow to guard against privilege-escalation attacks; richer policies formulated on the basis of call chains can prevent them.
(3) Policy decision and enforcement. An effective policy decision point and enforcement point are chosen on the path by which components access system resources; the component's call chain is judged against the policy requirements, and component access to the system resource is enforced according to the decision. This is the basic guarantee against privilege-escalation attacks.
In the call chain construction stage, a call chain is a data structure maintained in memory by the Android system; it is built up gradually as application components call one another. The objects a call chain contains are application components and their mutual call relations, but a call chain is established per running task rather than per single component, i.e. not every single component maintains a call chain of its own. No component running in the system exists in isolation: it either calls other application components or calls system components. From this point of view, the purpose of every component points, directly or indirectly, to a system resource. Components whose operation is not aimed at a system resource have no impact on the privacy and security of the terminal, and are not considered when call chains are built. Treating an access to a system resource through a system API component as a running task, the call chain built for that task comprises all components related to the task. The relation between call chains and components can be expressed as follows:
C denotes the set of all running components;
T denotes the set of all running tasks;
I denotes the set of call chains; every $i \in I$ is expressed as a two-tuple $(C, R)$, where $i.C$ denotes the set of components the chain contains and $i.R$ denotes the set of call relations among the components in the chain;
$f(t{:}T) \to I$ denotes the mapping function from a task to its call chain, where $t$ is an element of the set $T$.
These sets and functions satisfy the following relations:
the relation between T and C: T is equal to the set of system API components;
the relation between I and C: for every $i \in I$ and every $\langle c_i, c_j \rangle \in i.R$, $c_i, c_j \in i.C$, the pair denoting that component $c_i$ calls component $c_j$;
the mapping function f maps each task $t \in T$ to the call chain built for that task.
Call chains are constructed and maintained uniformly by the system. An application program is built from four classes of components, activity, service, broadcast receiver and content provider. An activity component represents a window screen and user interface, i.e. a component for human-machine interaction, and the launch and running of an application program is usually triggered by starting one of its activity components. The construction of a call chain can therefore be organised around the activity component that starts the run. An activity component is usually started in one of two ways: either it is called by another application component, a start mode available to all components, in which case the activity is treated as one of the components making up the chain; or it is started manually by the user, in which case the activity is treated as the initial component of the call chain. Since every component on a call chain ultimately accesses the system resource by calling the system API component, the system API component is treated as the terminating component of the chain. The component manually launched by the user is thus the head of the call chain, components called in other ways form its middle, and the system API component is its tail. Suppose the activity manually launched by the user is $c_0$, and $c_0$ reaches the system API component $c$ through a series of component calls, i.e. $c_0$ calls $c_1$, $c_1$ calls $c_2$, …, $c_i$ calls $c$. The call chain $i$ corresponding to the running task that accesses this system resource is then expressed as:
$i.C = \{c_0, c_1, c_2, \dots, c_i, c\}$;
$i.R = \{\langle c_0, c_1 \rangle, \langle c_1, c_2 \rangle, \dots, \langle c_i, c \rangle\}$.
During call chain construction the initial component is unique, so a call chain can be identified and located by its initial component. Apart from the initial component, the same component may well be called by several other components and so appear in different call chains. To avoid identifier conflicts among such components, component instantiation is used to record and identify the components in a call chain. For a component that is not manually started by the user: when it is started for the first time, its first instance identifier is recorded in the corresponding call chain; when it is started again by a different component, its second instance identifier is recorded in the call chain corresponding to that start; and so on. Denote such a component $c_x$ and its successive instances $c_x^1, c_x^2, c_x^3, \dots$. Suppose $c_x$ is called in turn by three different initial components $c_1$, $c_2$, $c_3$; then $c_x$ appears in the call chain $i_1$ of $c_1$, the call chain $i_2$ of $c_2$ and the call chain $i_3$ of $c_3$ in the following forms:
$i_1.C = \{c_1, c_x^1, \dots\}$, $i_1.R = \{\langle c_1, c_x^1 \rangle, \dots\}$;
$i_2.C = \{c_2, c_x^2, \dots\}$, $i_2.R = \{\langle c_2, c_x^2 \rangle, \dots\}$;
$i_3.C = \{c_3, c_x^3, \dots\}$, $i_3.R = \{\langle c_3, c_x^3 \rangle, \dots\}$.
The call chain to which a component belongs can thus be located from the instance identifier of the currently running component, and the other components involved when this component accesses a system resource can be deduced from it.
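A minimal model of the per-task call chain library described above, with component instantiation and the backward lookup that locates a chain from its initial component, as an added example in Python; this is not code from the patent. The class and method names, the `name^k` form of the instance identifiers and the three-chain scenario are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class CallChain:
    """One call chain i = (C, R), built for one running task (assumed layout)."""
    head: str                                            # initial component: user-launched activity
    components: List[str] = field(default_factory=list)  # i.C, instance labels in call order
    relations: List[Tuple[str, str]] = field(default_factory=list)  # i.R, <caller, callee> pairs
    api: Optional[str] = None                            # terminating component: system API component

    def depth(self) -> int:
        """i.l: the call depth, equal to the number of elements of i.R."""
        return len(self.relations)


class CallChainStore:
    """In-memory call chain library; chains grow as components start one another."""

    def __init__(self) -> None:
        self.chains: Dict[str, CallChain] = {}   # initial component -> its chain
        self.caller_of: Dict[str, str] = {}      # instance label -> label of its caller
        self.instances: Dict[str, int] = {}      # component name -> instances created so far

    def user_launch(self, activity: str) -> str:
        """The user manually starts an activity: a new chain with that activity as head."""
        self.chains[activity] = CallChain(head=activity, components=[activity])
        return activity

    def component_call(self, caller: str, callee: str) -> str:
        """An application component starts another one.

        The callee gets a fresh instance identifier (c_x^1, c_x^2, ...) so that the
        same component appearing in several chains does not collide.
        """
        k = self.instances.get(callee, 0) + 1
        self.instances[callee] = k
        label = f"{callee}^{k}"
        self.caller_of[label] = caller
        chain = self.locate(caller)
        chain.components.append(label)
        chain.relations.append((caller, label))
        return label

    def api_call(self, caller: str, api_component: str) -> CallChain:
        """A component calls the system API component: the chain is complete.

        The chain is returned so that the policy decision (the next stage) can run
        on it before the resource is actually accessed.
        """
        chain = self.locate(caller)
        chain.api = api_component
        chain.components.append(api_component)
        chain.relations.append((caller, api_component))
        return chain

    def locate(self, label: str) -> CallChain:
        """Step 1 of the decision: follow the caller relation backwards until a
        component with no caller (the initial component) is reached, then return
        the chain headed by it."""
        while label in self.caller_of:
            label = self.caller_of[label]
        return self.chains[label]


def shared_component_scenario() -> CallChainStore:
    """Constructed scenario from the text: c_x started in turn from three
    user-launched activities c_1, c_2, c_3, each run ending at API component c."""
    store = CallChainStore()
    for head in ("c_1", "c_2", "c_3"):
        store.user_launch(head)
        cx = store.component_call(head, "c_x")
        store.api_call(cx, "c")
    return store


if __name__ == "__main__":
    s = shared_component_scenario()
    for head, chain in s.chains.items():
        print(head, chain.components, chain.relations, "i.l =", chain.depth())
```

Because the instance identifier is what links a running component back to its chain, `locate` never needs the chain library to be searched: it walks `caller_of` to the head and indexes the library by that head, which is unique per chain.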
In the policy formulation stage, the policy elements are not limited to the single application component that calls the system API component; they must be defined together with the call context. A policy aimed only at the application component calling the system API component has a serious limitation: it can decide only on the permission of a single component and cannot reflect the component's call history, so it may be exploited by a malicious component lacking the permission to carry out a privilege-escalation attack. To prevent such attacks, call chain elements are introduced when policies are generated, so that the call chain described above serves as a policy element and decisions are made on the basis of the call chain. Every call chain is configured with corresponding attributes, and the policies place requirements on these attributes. The attributes of a call chain i are expressed as follows:
i.t, the construction time of the call chain, namely the time at which a component in the chain calls the system API component to access the system resource;
i.g, the geographic position of the terminal when the call chain is constructed, namely the position of the terminal at the time a component in the chain calls the system API component to access the system resource;
i.l, the call depth of the chain, namely the number of components involved before the system API component is called to access the system resource; one more component in the chain means one more level of call depth, and i.l is equal to the number of elements in the set i.R;
i.n, the access permission required by the system API component in the chain, namely the permission that the other application components must hold when calling the system API component to access the system resource.
Once a policy is determined, however many elements it contains, the actual decision must be made according to all of its elements.
Policies are formulated on the basis of the call chain attributes. Every policy corresponds to one running task, i.e. it states what must be satisfied when a given system API component is called to access a system resource. A policy is expressed as follows:
P denotes the set of policies; every $p \in P$ can be expressed as a four-tuple $(t, g, l, n)$, where:
$p.t \in [t_1, t_2]$: the policy requires the call chain to be constructed between moments $t_1$ and $t_2$, i.e. $t_1 \le i.t \le t_2$;
$p.g \in \{g_1, g_2, \dots\}$: the policy requires the geographic position of the terminal when the call chain is constructed to belong to the given set, i.e. $i.g \in \{g_1, g_2, \dots\}$;
$p.l \in [l_1, l_2]$: the policy requires the call depth of the call chain to lie between $l_1$ and $l_2$, i.e. $l_1 \le i.l \le l_2$;
$p.n = n_1$: the policy requires every component on the call chain to hold permission $n_1$, where $n_1 = i.n$, i.e. for all $c \in i.C$, $c$ must hold permission $i.n$.
The policy of a system API component that accesses a system resource, as above, is used to decide whether the access task may proceed or must be denied.
A call-chain-based policy may contain only one or several of the elements of the above four-tuple.
The call chain attributes of a call-chain-based policy are extensible, and the corresponding policy elements can be extended as well, i.e. the policy can be extended to an n-tuple with n ≥ 4.
In the decision and enforcement stage, the policy decision point and the enforcement point are located at the same position in the system: after an application component has sent a request to call a system API component and before the access takes place, the policy is enforced, with the result of the policy decision as the basis for enforcement. After receiving the request sent by the application component to call the system API component, the system first locates the call chain to which the application component belongs, then carries out policy decision and enforcement on the basis of that chain.
A call chain is constructed from the initial component to the terminating component, following the call relations in order from head to tail, whereas locating the call chain of a component is realised by tracing the call relations in the chain backwards until the initial component is found.
When the policy decision is carried out, the call chain attribute values required by the policy in force at that time are matched against the attribute values of the actual call chain.
The steps are as follows:
1) based on the call chain constructed by the system and the component call relations it records, starting from the system API component, its upper-level caller is looked up recursively until the initial calling component is found, thereby locating the call chain to which the application component accessing the system API component belongs;
2) the policy corresponding to the running task is found according to the name of the system API component;
3) the corresponding attributes of the call chain are judged against the requirements of the policy, and a decision is given as to whether the call chain satisfies the policy;
4) enforcement proceeds according to the policy decision: if the call chain attributes satisfy the policy, the application component is allowed to call the system API component, i.e. the system resource is accessed successfully; otherwise access is denied.
On the basis of the above permission management method, the permission management system of the present invention comprises:
a call chain construction module, which constructs call chains for the components that access protected system resources;
a call chain library, which stores all constructed call chains;
a policy customization module, which formulates access policies for the resources protected by the system;
a policy library, which stores all formulated access policies;
a policy decision module, which judges the compliance of a call chain with the corresponding policy;
a policy enforcement module, which enforces the policy decision.
As shown in Figure 1, the call chain construction module is the basis of the call chain library, the policy customization module is the basis of the policy library, the policy decision module depends on the call chain library and the policy library, and the policy enforcement module in turn depends on the policy decision module.
All of the above modules are located in the application layer of the Android system and use the interfaces provided by the Android system to protect system resources when application components access them.
The call chain that the call chain construction module builds for the components begins with the component manually started by the user and ends with the system API component that accesses the system resource; the chains formed are stored in the call chain library.
The call chain library is a data structure maintained in memory by the Android system that changes dynamically as components run; besides recording the structure of each call chain, it records the chain's attribute values such as construction time, current position and call depth.
The policy customization module can set the policies for accessing system resources according to user requirements; the policy elements that can be set correspond to the call chain attributes, and the policies formed are stored in the policy library.
The policy library is a policy file stored on disk, and the corresponding policy file is read into memory when the policy decision module operates.
The policy decision module, when a component on a call chain requests access to a system resource, compares the call chain attribute values with the policy element values and gives a decision as to whether the component is allowed to access the system resource.
The policy enforcement module acts on the decision of the policy decision module: for a decision allowing access it performs the resource access operation, and for a decision denying access it intercepts the access.
Policy customization takes place before components run, call chain construction takes place while components run, and policy decision and enforcement take place before a running component accesses a system resource.
The present embodiment is realised by extending the Android permission mechanism. Unlike the original Android permission system, which simply judges the permission of the single component requesting the resource, the present embodiment introduces the concepts of call chain and policy customization: it builds the call chain of the components accessing the resource, maintains the call relations among the components, formulates resource access policies on the basis of the call chain, and decides whether to allow a component to access the resource according to the policy.
Call chain construction relies on the activity management service of Android. Among the four classes of application components, activity, service, broadcast receiver and content provider, the activity is the one most closely tied to the starting and running of an application. The activity management service is responsible for scheduling the activities of each application and managing their processes and memory. It maintains a list of all running activities, in which the activities that together accomplish a certain user purpose, i.e. a task, form a task stack. Because the user starting an activity in fact starts the launcher activity first, and the activity actually wanted is then started through the launcher activity, the activity at the bottom of every task stack is the launcher activity. The system provides a series of API components for accessing protected resources and declares the permissions they require. Suppose the user needs to access contact information in the address book through a sequence of activities calling one another; let $a_1, a_2, a_3, a_4$ denote the activities called in turn and $c_1$ the content provider supplied by the system for accessing the address book. The call relations among the components involved in completing this access are then:
launcher activity → $a_1$ → $a_2$ → $a_3$ → $a_4$ → $c_1$
The call chain $i$ of this task is formed when $a_4$ requests to call $c_1$, where
$i.C = \{a_1, a_2, a_3, a_4, c_1\}$;
$i.R = \{\langle a_1, a_2 \rangle, \langle a_2, a_3 \rangle, \langle a_3, a_4 \rangle, \langle a_4, c_1 \rangle\}$.
When call chain $i$ is formed, each of its attribute values is recorded: the values of $i.l$ and $i.n$ are obtained from the components of the chain themselves, the value of $i.t$ is the current system time, and the value of $i.g$ is the current position of the terminal.
The policies formulated for resource access exist in the form of XML files; one resource, i.e. one system API component, corresponds to one policy p. The user can define the policy elements independently as required, including the time period of component access, the geographic position of the terminal, the call depth of the call chain, and the permission that all components on the chain must hold. When a component on a call chain requests to call a system API component, the request is intercepted and the policy corresponding to that system API component is found in the policy file; at the same time the call chain of the component is located by recursively checking its upper-level callers. The requirements of the policy elements are then compared with the attributes of the call chain, a decision is given, and the access is enforced accordingly.
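The policy four-tuple, the decision steps 2) to 4) above and the XML form of the policy file, as an added example in Python; this is not code from the patent. The XML element names, the use of the hour of day for $i.t$ and a place name for $i.g$, the permission name and the two constructed chains are assumptions. The example also shows why the all-components check on $p.n$ is the part that matters: the chain in which $a_2$ lacks the permission passes the single-component check of the stock mechanism but is denied by the chain policy.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Constructed policy file (assumed schema): one <policy> per system API component.
POLICY_XML = """\
<policies>
  <policy api="c_1">
    <t from="8" to="18"/>
    <g>office,home</g>
    <l from="1" to="6"/>
    <n>READ_CONTACTS</n>
  </policy>
</policies>
"""


@dataclass
class ChainAttributes:
    """Attributes of a located call chain i plus the permissions each component holds."""
    t: int                        # i.t, construction time (hour of day, assumed unit)
    g: str                        # i.g, terminal position at construction
    l: int                        # i.l, call depth = |i.R|
    n: str                        # i.n, permission the API component requires
    held: Dict[str, Set[str]]     # component -> permissions it holds, in chain order


def load_policies(xml_text: str) -> Dict[str, dict]:
    """Policy library: API component name -> four-tuple; elements absent from the file are omitted."""
    policies: Dict[str, dict] = {}
    for node in ET.fromstring(xml_text).findall("policy"):
        p: dict = {}
        t, g, l, n = (node.find(tag) for tag in ("t", "g", "l", "n"))
        if t is not None:
            p["t"] = (int(t.get("from")), int(t.get("to")))
        if g is not None and g.text:
            p["g"] = {x.strip() for x in g.text.split(",")}
        if l is not None:
            p["l"] = (int(l.get("from")), int(l.get("to")))
        if n is not None and n.text:
            p["n"] = n.text.strip()
        policies[node.get("api")] = p
    return policies


def decide(policy: dict, chain: ChainAttributes) -> Tuple[bool, str]:
    """Step 3: check every policy element present against the chain attributes.
    Returns (allowed, reason); the first violated element is named."""
    if "t" in policy and not policy["t"][0] <= chain.t <= policy["t"][1]:
        return False, "t"
    if "g" in policy and chain.g not in policy["g"]:
        return False, "g"
    if "l" in policy and not policy["l"][0] <= chain.l <= policy["l"][1]:
        return False, "l"
    if "n" in policy:
        # p.n = n_1 = i.n: every component on the chain must hold the permission,
        # not only the direct caller of the API component.
        for component, perms in chain.held.items():
            if policy["n"] not in perms:
                return False, f"n:{component}"
    return True, "ok"


def android_single_component_check(chain: ChainAttributes) -> bool:
    """The stock check, for contrast: only the direct caller of the API is examined."""
    last_caller = list(chain.held)[-1]
    return chain.n in chain.held[last_caller]


def enforce(policies: Dict[str, dict], api: str, chain: ChainAttributes) -> Tuple[bool, str]:
    """Steps 2 and 4: find the policy by API component name, decide, allow or intercept."""
    policy = policies.get(api)
    if policy is None:
        return False, "no policy"   # fail closed when no policy is customized for the API
    return decide(policy, chain)


def contacts_scenarios() -> Tuple[ChainAttributes, ChainAttributes]:
    """Constructed chains launcher -> a_1 -> a_2 -> a_3 -> a_4 -> c_1 from the text;
    in the second one a_2 lacks READ_CONTACTS while a_4, the direct caller, holds it."""
    all_hold = {a: {"READ_CONTACTS"} for a in ("a_1", "a_2", "a_3", "a_4")}
    escalated = {a: set(s) for a, s in all_hold.items()}
    escalated["a_2"] = set()
    good = ChainAttributes(t=10, g="office", l=4, n="READ_CONTACTS", held=all_hold)
    bad = ChainAttributes(t=10, g="office", l=4, n="READ_CONTACTS", held=escalated)
    return good, bad


if __name__ == "__main__":
    pols = load_policies(POLICY_XML)
    good, bad = contacts_scenarios()
    print("all components hold permission:", enforce(pols, "c_1", good))
    print("a_2 lacks permission, chain policy:", enforce(pols, "c_1", bad))
    print("a_2 lacks permission, stock check:", android_single_component_check(bad))
```

`enforce` denies when no policy exists for the requested API component; the text does not say what the embodiment does in that case, so this is a design choice here, and an implementation that prefers the stock behaviour would fall back to `android_single_component_check` instead.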
In the present embodiment, the policy decision point and enforcement point differ according to the type of the system API component.
1) If the system API component is an activity: since the start of an activity is handled by the startActivityLocked function of the ActivityStack class, the policy decision code is introduced directly in that function; if the decision is to allow, the call succeeds directly, otherwise an error is returned.
2) If the system API component is a service: the start of a service is handled by the retrieveServiceLocked function of the ActivityManagerService class; the policy decision code is introduced directly in that function; if the decision is to allow, the call succeeds directly, otherwise an error is returned.
3) If the system API component is a broadcast: the start of a broadcast is handled by the processNextBroadcast function of the ActivityManagerService class; the policy decision code is introduced directly in that function; if the decision is to allow, the call succeeds directly, otherwise an error is returned.
4) If the system API component is a content provider: because a content provider may be cached locally after it has been called, when a content provider is started the acquireProvider function of the ActivityThread class first checks whether the content provider is already cached locally; if so, the cached reference is returned directly, otherwise the matching content provider is looked up and started through the ActivityManagerService class. To prevent the policy from being bypassed because of a locally cached content provider, for system API components of the content provider type the policy decision code is introduced in the acquireProvider function of the ActivityThread class: if the decision is to allow, the locally cached content provider is accessed directly, or ActivityManagerService is called through the binder communication mechanism to invoke the corresponding content provider; otherwise an error is returned.
The call-chain-based Android permission management system and scheme provided by the present invention have been described above by way of brief illustration. Those skilled in the art should appreciate that modifications can be made without departing from the spirit and scope of the present invention.