CN103281339A - Safety controlling system of mobile terminal - Google Patents

Publication number: CN103281339A
Authority: CN (China)
Legal status: Granted (current status: Active)
Application number: CN2013102519884A
Other languages: Chinese (zh)
Other versions: CN103281339B (en)
Inventors: 刘洋, 黄明, 顾流, 潘程达, 胡正梁; the other inventors requested that their names not be disclosed
Current Assignee: Shanghai Chen Rui Mdt InfoTech Ltd.
Original Assignee: SHANGHAI CHENRUI INFORMATION TECHNOLOGY Co Ltd
Application filed by: SHANGHAI CHENRUI INFORMATION TECHNOLOGY Co Ltd
Priority to: CN201310251988.4A
Publications: CN103281339A, CN103281339B
Abstract

The invention discloses a security control system for a mobile terminal. The system comprises a resource management module, a dual policy library module, an AVC module, a security server module and a foreground/background communication module. The resource management module completes the security contexts of all object resources in the system and, according to the decision of the security server module, carries out the process subject's actual access to resource objects. The dual policy library module maintains a local policy library and a remote policy library. The AVC module accelerates access control decisions. The security server module obtains an access control vector from the AVC module or the dual policy library module, makes a decision on the access request, and finally delivers the decision result to the resource management module. The foreground/background communication module is responsible for communication between the foreground and the background and assists in issuing and responding to security policies. The system ensures unobstructed communication between the mobile intelligent terminal and background industry services, and the security of both the mobile intelligent terminal and the background business.

Description

A security control system for a mobile terminal
Technical field
The present invention relates to the field of intelligent mobile terminal control technology, and in particular to a security control system for a mobile terminal.
Background art
Computer security has always received attention. Network security is a focus of research, and many mature techniques, such as network interception and packet filtering, have emerged as a result. At present the Linux operating system, which is often used as a server, has a security-hardened version, SELinux (Security Enhanced Linux). It adopts the FLASK architecture, which is based on mandatory access control, and implements a mechanism in which multi-level policies and different security models are mixed.
In mobile terminals, however, the limited computing power of the devices and the degraded user experience caused by introducing security-hardening mechanisms make deeper security hardening difficult to achieve. At the same time, the mobility of these terminals and the openness of the mobile networks they use bring greater security risks than the traditional PC working environment. Usually only application-layer protection software such as "360 bodyguard" is installed on a mobile terminal, and such software is far from sufficient for mobile services based on mobile intelligent terminals, particularly for specific industry applications. In addition, because mobile networks suffer from latency and connections drop easily, the interaction between a mobile terminal and background services is more complex than on a traditional PC.
Summary of the invention
The object of the present invention is to provide a security control system for a mobile terminal that achieves deeper security hardening on the mobile terminal device and fundamentally prevents attacks at the OS kernel layer that exploit privileges such as root, so as to ensure unobstructed communication between the mobile terminal and background industry services and the security of both the mobile terminal itself and the background services.
Specifically, one object of the present invention is to provide a security control system for a mobile terminal, comprising a resource management module, a dual policy library module, an AVC module, a security server module and a foreground/background communication module. The resource management module is used to complete the security contexts of all object resources in the system and, according to the decision of the security server module, to carry out the process subject's actual access to resource objects. The dual policy library module is used to maintain a local policy library and a remote policy library. The AVC module is used to accelerate access control decisions. The security server module makes a decision on an access request after obtaining an access control vector from the AVC module or the dual policy library module, and finally delivers the decision result to the resource management module. The foreground/background communication module is responsible for communication between the foreground and the background, to assist in issuing and responding to security policies.
In the above security control system, the resource management module comprises a process management subsystem, a file management subsystem, a network management subsystem and an inter-process communication subsystem.
In the above security control system, the resource management module further comprises a remote resource agent subsystem, which labels remote background resources with security contexts for the mobile terminal and thereby implements mandatory access control over remote background resources.
In the above security control system, the AVC module forms a two-level AVC structure based on the CPU of the mobile terminal.
In the above security control system, the remote policy library's division of the access rights of subjects and objects has a higher priority than the local policy library's division of the access rights of subjects and objects.
Compared with the prior art, beneficial effect of the present invention is:
Based on the widely accepted Flask mandatory access control model, and combined with the characteristics of mobile intelligent terminals and industry users, the invention introduces dual remote and local policy libraries, implements a remote simulated user, customizes the AVC and SS to accelerate mandatory access decisions, creates a novel foreground/background interactive communication protocol, and formulates a mechanism of monotonic strengthening of the access policy. It fundamentally prevents attacks at the OS kernel layer that exploit privileges such as root, and can in theory reduce the harm of malicious programs to a minimum.
Description of drawings
Fig. 1 shows a structural block diagram of the security control system of the mobile terminal of the present invention;
Fig. 2 shows a schematic flow chart of the file access method of the mobile terminal of the present invention.
Embodiments
The invention is further described below with reference to the schematic diagrams and specific embodiments.
As shown in Fig. 1, the security control system of the mobile terminal of the present invention comprises a resource management module, a dual policy library module, an AVC module, a security server module and a foreground/background communication module. The resource management module mainly implements two functions: first, it completes the security contexts of all object resources in the system; second, according to the decision of the security server module SS, it carries out the process subject's actual access to resource objects. The resource management module involves modifying the process management subsystem, file management subsystem, network management subsystem, inter-process communication (IPC) subsystem and other parts of the OS. The access rights to the resource objects in these subsystems are divided more finely, which lays a solid foundation for the policy library management module to grant subjects least privilege. The resource management module also includes a remote resource agent sub-block, which labels remote background resources with security contexts for the mobile intelligent terminal and thereby implements mandatory access control over remote background resources.
The dual policy library management module mainly maintains the remote and local policy libraries, in which the access of subjects to objects is divided according to least privilege. The remote policy library contains the security contexts of remote background resource objects and descriptions of the corresponding permissions granted to subjects; it also contains remotely defined descriptions of the security contexts of resource objects on the mobile intelligent terminal and of the permissions granted on them.
In a preferred embodiment of the invention, the remote policy library's division of the access rights of subjects and objects has a higher priority than that of the local policy library. Security policies are issued and responded to through the foreground/background communication mechanism; the dedicated communication protocol customized for the characteristics of industry applications can also be used for other foreground/background interactions. In addition, for issuing remote security policies, a remote-user ASM is also implemented in the foreground/background communication module; it receives the remote administrator's security policy and injects it into the remote policy library on the mobile terminal. This remote-user ASM can also assist the remote administrator in completing other management and control tasks on the mobile intelligent terminal. This dual policy library mechanism makes it easy for the background to control terminals in industry applications, and it also handles the case where the mobile network is unreliable, so that the mobile intelligent terminal still has sufficient security control.
The AVC (Access Vector Cache) module is a cache of access control vectors, used to accelerate access control decisions. The principle is to keep the most recently used access control vectors in memory, so that the next time a vector is needed it can be obtained more quickly. Here the on-chip SRAM of the CPU in the intelligent terminal is fully exploited to add one more level of AVC, forming a two-level AVC. Following the principle of multi-level CPU caches, this lets the security server obtain an AV more quickly.
The security server module SS generates an access ID according to the access request, then uses the ID to obtain the access control vector from the AVC or the policy library, makes a decision on the access request, and finally delivers the decision result to the resource management module. Likewise, to accelerate access control decisions, the core algorithm of this module is preferably placed in the on-chip RAM of the CPU, to preserve a good user experience.
The foreground/background communication module is responsible for communication between the foreground and the background, to assist in issuing and responding to security policies. To speed up foreground/background interaction while coping with the frequent disconnections of mobile networks, the present invention customizes a proprietary communication protocol. This protocol does not wrap existing HTTP-based communication protocols such as XML and SOAP; instead, based on the characteristics of industry applications and of the mobile intelligent security-hardening system, it defines a set of bare communication protocols from the ground up. The protocol reduces the cost of protocol parsing on the client and the server and greatly improves the efficiency of foreground/background interaction. In this protocol, three major classes of communication format are defined, for resource content, resource security attributes and the secure access policy library, and these three classes of interaction content are stored and transmitted as linear arrays. Taking security attributes as an example:
[{object 1 security attributes}, {object 2 security attributes}, ..., {object m security attributes}], where m is a natural number.
Referring to Fig. 2, the file access method of the mobile terminal based on the above control system comprises the following steps:
First, an external command is accepted: after the application process in user space enters the OS kernel space, the file system is called and the file node is looked up; if an error is found, error checking is performed.
Next, the traditional file discretionary access control (DAC) check is performed. Discretionary access control (DAC) is an access control service that is enforced on the basis of the identity of system entities and their access authorization to system resources; this includes setting permissions on files, folders and shared resources.
Next, the LSM hook function is called and the local policy library is queried. The Linux security module (LSM) provides two classes of security hook functions: one class manages the security fields of kernel objects, and the other mediates access to these kernel objects. Security hook functions are invoked through hooks, which are function pointers in the global table security_ops. The type of this global table is the security_operations structure, which is defined in the header file include/linux/security.h. The structure contains substructures made up of hooks grouped by kernel object or kernel subsystem, as well as some top-level hooks for system operations. Calls to hook functions are easy to find in the kernel source code: they carry the prefix security_ops->.
Next, it is judged whether the accessing process is permitted the corresponding access locally: if yes, the remote policy library is queried; if no, the corresponding refusal code is returned.
Finally, it is judged whether the accessing process is permitted the corresponding access remotely: if yes, the file is accessed; if no, the corresponding refusal code is returned.
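The decision path described above (access ID, two-level AVC, then the local and remote policy libraries, judged local first and remote second) can be modelled in C as follows. This is an added illustration, not code from the patent: the SIDs, permission bits, cache sizes, refusal codes, function names and the rule that a remote update only removes rights and flushes the AVC are all assumptions, and the file lookup and DAC check that precede the hook are omitted.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample data: SIDs, permission bits, both policy libraries. */
enum { SID_BIZ_APP = 1, SID_ROOT_TOOL = 2, SID_BIZ_DATA = 10, SID_SYS_CONF = 12 };
enum { PERM_READ = 1u, PERM_WRITE = 2u };
enum { ALLOW = 0, DENY_LOCAL = -1, DENY_REMOTE = -2 };   /* refusal codes */
enum { FROM_L1 = 1, FROM_L2 = 2, FROM_POLICY = 3 };
#define N(a) (sizeof(a) / sizeof((a)[0]))

struct rule { uint16_t ssid, tsid; uint32_t av; };
static const struct rule local_policy[] = {
    { SID_BIZ_APP,   SID_BIZ_DATA, PERM_READ | PERM_WRITE },
    { SID_ROOT_TOOL, SID_SYS_CONF, PERM_READ },
};
static struct rule remote_policy[] = {    /* injected by the remote admin */
    { SID_BIZ_APP,   SID_BIZ_DATA, PERM_READ },
    { SID_ROOT_TOOL, SID_SYS_CONF, PERM_READ },
};

/* A cached entry keeps both vectors so the refusal code can be rebuilt. */
struct avc_entry { uint32_t id, local_av, remote_av; int valid; };
#define L1_SLOTS 2     /* small level, stands in for on-chip SRAM */
#define L2_SLOTS 16    /* larger level in main memory */
static struct avc_entry l1[L1_SLOTS], l2[L2_SLOTS];

static uint32_t policy_av(const struct rule *p, size_t n, uint16_t s, uint16_t t)
{
    for (size_t i = 0; i < n; i++)
        if (p[i].ssid == s && p[i].tsid == t)
            return p[i].av;
    return 0;                              /* no rule: default deny */
}

void avc_flush(void)
{
    memset(l1, 0, sizeof l1);
    memset(l2, 0, sizeof l2);
}

/* Assumption: a remote update may only remove rights, and it flushes the
 * AVC so that no stale grant outlives the policy change. */
int remote_policy_restrict(uint16_t s, uint16_t t, uint32_t keep)
{
    for (size_t i = 0; i < N(remote_policy); i++)
        if (remote_policy[i].ssid == s && remote_policy[i].tsid == t) {
            remote_policy[i].av &= keep;
            avc_flush();
            return 0;
        }
    return -1;
}

/* Security server: build the access ID, fetch the vectors from L1, then L2,
 * then the policy libraries, and judge local first, remote second. */
int ss_check(uint16_t ssid, uint16_t tsid, uint32_t req, int *source)
{
    uint32_t id = ((uint32_t)ssid << 16) | tsid;
    struct avc_entry *e1 = &l1[id % L1_SLOTS], *e2 = &l2[id % L2_SLOTS], e;
    if (e1->valid && e1->id == id) {
        e = *e1; *source = FROM_L1;
    } else if (e2->valid && e2->id == id) {
        e = *e2; *e1 = e; *source = FROM_L2;   /* promote to the fast level */
    } else {
        e.id = id; e.valid = 1;
        e.local_av  = policy_av(local_policy, N(local_policy), ssid, tsid);
        e.remote_av = policy_av(remote_policy, N(remote_policy), ssid, tsid);
        *e1 = e; *e2 = e; *source = FROM_POLICY;
    }
    if ((e.local_av & req) != req)  return DENY_LOCAL;
    if ((e.remote_av & req) != req) return DENY_REMOTE;
    return ALLOW;
}

int main(void)
{
    int src;
    return ss_check(SID_BIZ_APP, SID_BIZ_DATA, PERM_READ, &src) == ALLOW ? 0 : 1;
}
```

Because a request must pass both libraries, the remote library can only narrow what the local one grants; a pair with no rule in either library is refused.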
The security control system of the present invention is mainly applied to mobile intelligent terminals in industry fields, ensuring unobstructed communication between the mobile intelligent terminal and background industry services and the security of both the mobile intelligent terminal itself and the background services.
Specific embodiments of the invention have been described in detail above, but the invention is not limited to the specific embodiments described; they serve only as examples. To those skilled in the art, any equivalent modification or substitution also falls within the scope of the present invention. Therefore, equivalent changes and modifications made without departing from the spirit and scope of the present invention shall all be covered by the scope of the present invention.

Claims (5)

1. A security control system for a mobile terminal, characterized in that it comprises a resource management module, a dual policy library module, an AVC module, a security server module and a foreground/background communication module, wherein the resource management module is used to complete the security contexts of all object resources in the system and, according to the decision of the security server module, to carry out the process subject's actual access to resource objects; the dual policy library module is used to maintain a local policy library and a remote policy library; the AVC module is used to accelerate access control decisions; the security server module makes a decision on an access request after obtaining an access control vector from the AVC module or the dual policy library module, and finally delivers the decision result to the resource management module; and the foreground/background communication module is responsible for communication between the foreground and the background, to assist in issuing and responding to security policies.
2. The security control system for a mobile terminal according to claim 1, characterized in that the resource management module comprises a process management subsystem, a file management subsystem, a network management subsystem and an inter-process communication subsystem.
3. The security control system for a mobile terminal according to claim 2, characterized in that the resource management module further comprises a remote resource agent subsystem, which labels remote background resources with security contexts for the mobile terminal and implements mandatory access control over remote background resources.
4. The security control system for a mobile terminal according to claim 1, characterized in that the AVC module forms a two-level AVC structure based on the CPU of the mobile terminal.
5. The security control system for a mobile terminal according to claim 1, characterized in that the remote policy library's division of the access rights of subjects and objects has a higher priority than the local policy library's division of the access rights of subjects and objects.
CN201310251988.4A 2013-06-21 2013-06-21 Safety controlling system of mobile terminal Active CN103281339B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310251988.4A CN103281339B (en) 2013-06-21 2013-06-21 Safety controlling system of mobile terminal

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310251988.4A CN103281339B (en) 2013-06-21 2013-06-21 Safety controlling system of mobile terminal

Publications (2)

Publication Number Publication Date
CN103281339A true CN103281339A (en) 2013-09-04
CN103281339B CN103281339B (en) 2017-01-25

Family

ID=49063786

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310251988.4A Active CN103281339B (en) 2013-06-21 2013-06-21 Safety controlling system of mobile terminal

Country Status (1)

Country Link
CN (1) CN103281339B (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103457780A (en) * 2013-09-18 2013-12-18 浪潮电子信息产业股份有限公司 Method for managing server host reinforcing product in non-application-proxy mode
CN103648090A (en) * 2013-12-12 2014-03-19 北京利云技术开发公司 Method for realizing security and credibility of intelligent mobile terminal and system thereof
CN107547520A (en) * 2017-07-31 2018-01-05 中国科学院信息工程研究所 Flask security modules, construction method and mobile Web system
CN110597629A (en) * 2019-08-30 2019-12-20 上海辰锐信息科技公司 Resource scheduling method based on resource preposed atomization and cloud pooling
CN111147292A (en) * 2019-12-18 2020-05-12 深圳市任子行科技开发有限公司 Policy cluster distribution matching method, system and computer readable storage medium
CN111400723A (en) * 2020-04-01 2020-07-10 中国人民解放军国防科技大学 TEE extension-based operating system kernel mandatory access control method and system
CN112000968A (en) * 2020-08-13 2020-11-27 青岛海尔科技有限公司 Access control method and device, storage medium and electronic device
CN114124429A (en) * 2021-08-23 2022-03-01 阿里巴巴新加坡控股有限公司 Data processing method and device, electronic equipment and computer readable storage medium

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101727555A (en) * 2009-12-04 2010-06-09 苏州昂信科技有限公司 Access control method for operation system and implementation platform thereof


Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103457780A (en) * 2013-09-18 2013-12-18 浪潮电子信息产业股份有限公司 Method for managing server host reinforcing product in non-application-proxy mode
CN103648090A (en) * 2013-12-12 2014-03-19 北京利云技术开发公司 Method for realizing security and credibility of intelligent mobile terminal and system thereof
CN107547520A (en) * 2017-07-31 2018-01-05 中国科学院信息工程研究所 Flask security modules, construction method and mobile Web system
CN107547520B (en) * 2017-07-31 2020-07-07 中国科学院信息工程研究所 Method for constructing flash security module
CN110597629A (en) * 2019-08-30 2019-12-20 上海辰锐信息科技公司 Resource scheduling method based on resource preposed atomization and cloud pooling
CN111147292A (en) * 2019-12-18 2020-05-12 深圳市任子行科技开发有限公司 Policy cluster distribution matching method, system and computer readable storage medium
CN111147292B (en) * 2019-12-18 2022-12-02 深圳市任子行科技开发有限公司 Policy cluster distribution matching method, system and computer readable storage medium
CN111400723A (en) * 2020-04-01 2020-07-10 中国人民解放军国防科技大学 TEE extension-based operating system kernel mandatory access control method and system
CN112000968A (en) * 2020-08-13 2020-11-27 青岛海尔科技有限公司 Access control method and device, storage medium and electronic device
CN114124429A (en) * 2021-08-23 2022-03-01 阿里巴巴新加坡控股有限公司 Data processing method and device, electronic equipment and computer readable storage medium

Also Published As

Publication number Publication date
CN103281339B (en) 2017-01-25

Similar Documents

Publication Publication Date Title
CN103281339A (en) Safety controlling system of mobile terminal
CN102915375B (en) A kind of webpage loading method based on layout subregion
CN102904889B (en) Support the forced symmetric centralization system and method for cross-platform unified management
CN106354833A (en) Platform for achieving data management and sharing exchange on basis of B/S framework
CN105186690B (en) Relay protection device constant value remote operation method
CN109189509B (en) Interface calling method, interface calling response method and server
CN104680075A (en) Framework for fine-grain access control from high-level application permissions
CN106572116A (en) Role-and-attribute-based cross-domain secure switch access control method of integrated network
CN102882834A (en) Access control method and device
CN109614204A (en) Memory insulation blocking method, isolation check hardware, SOC chip and storage medium
CN102222191A (en) Loose coupling role authorized-type implementation access control method and system thereof
CN108037978A (en) A kind of managing computing resources method based on virtualization technology
CN103685564A (en) Plug-in application ability layer introduced industry application online operation cloud platform architecture
CN111310230B (en) Spatial data processing method, device, equipment and medium
CN108924086A (en) A kind of host information acquisition method based on TSM Security Agent
CN107566375A (en) Access control method and device
CN103248485B (en) A kind of electric power secondary system access control method based on safety label and system
EP4113901A1 (en) Method and apparatus for authorizing service function, device and storage medium
CN100461966C (en) Integrated platform based on the embedded mobile terminal device and supporting mobile cooperation service
CN101834902A (en) Front-end processor system and method for comprehensive management of remote power distribution room
CN103745025A (en) EMTDC integrated application platform of high-voltage direct current system
CN114282591A (en) Dynamic security level real-time division method, terminal equipment and storage medium
CN110759191B (en) Elevator control method based on 5G smart park
WO2021147652A1 (en) Permission management method, and device
CN103297438B (en) A kind of cache access control method for mobile terminal safety mechanism

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information

Inventor after: Yin Xinming

Inventor after: Request for anonymity

Inventor after: Gu Liu

Inventor after: Pan Chengda

Inventor after: Hu Zhengliang

Inventor after: Hu Jun

Inventor before: Liu Yang

Inventor before: Request for anonymity

Inventor before: Huang Ming

Inventor before: Gu Liu

Inventor before: Pan Chengda

Inventor before: Hu Zhengliang

COR Change of bibliographic data
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address

Address after: No.76 Yueyang Road, Xuhui District, Shanghai 200030

Patentee after: Shanghai Chen Rui Mdt InfoTech Ltd.

Address before: 201204 No. 76, Yueyang Road, Xuhui District, Shanghai

Patentee before: SHANGHAI CHENRUI INFORMATION TECHNOLOGY Co.,Ltd.

CP03 Change of name, title or address