CN103281339B - Safety controlling system of mobile terminal - Google Patents
Safety controlling system of mobile terminal Download PDFInfo
- Publication number
- CN103281339B CN103281339B CN201310251988.4A CN201310251988A CN103281339B CN 103281339 B CN103281339 B CN 103281339B CN 201310251988 A CN201310251988 A CN 201310251988A CN 103281339 B CN103281339 B CN 103281339B
- Authority
- CN
- China
- Prior art keywords
- module
- mobile terminal
- safety
- avc
- resource
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Abstract
The invention discloses a safety controlling system of a mobile terminal. The safety controlling system of the mobile terminal comprises a resource management module, a double strategy library module, an AVC module, a safety server module and a foreground/background communication module. The source management module is used for accomplishing safety contexts of all object resources of the safety controlling system and implementing practical visiting to the resource objects of a progress main body according to the judgment of the safety server module, the double strategy library module is used for maintaining a local strategy library and a remote strategy library, the AVC module is used for accelerating visiting controlling decisions, and the safety server module obtains a visiting controlling vector from the AVC module or the double strategy library module, then judges an access request, and finally delivers the judging result to the resource management module. The foreground/background communication module is responsible for the communication between a foreground and a background and is used for assisting the issuing and response of a safety strategy. The safety controlling system of the mobile terminal ensures that the communication between a mobile intelligent terminal and a background industrial service is unobstructed, and the mobile intelligent terminal and background business are safe.
Description
Technical field
The present invention relates to intelligent mobile terminal control technology field, the security control system of more particularly, to a kind of mobile terminal
System.
Background technology
Computer security is constantly subjected to everybody concern.Network security problem is the emphasis that research worker is inquired into, many one-tenth
Ripe technology, such as network intercepting, Packet Filtering etc. are also born therewith.At present, through the linux behaviour frequently as server
Making system has had safe strengthening version selinux(security enhanced linux) operating system, it employs and is based on
The flask framework of forced symmetric centralization is it is achieved that the mechanism of multistage strategy and different security models mixing.
But in the terminal, because these terminal units computing capability itself is weaker, security hardening mechanism introduces and leads to
The reasons such as user operation experience variation, thus being difficult to realize deeper security hardening on these terminals, simultaneously because its
Mobility and the opening of mobile network used by it, also bring the potential safety hazard bigger than traditional pc working environment.Logical
Often, mobile terminal is only mounted with the application layer protection software of " 360 bodyguard " etc, and these protection softwares are for specific
Industry application, especially for being far from being enough based on the mobile service of mobile intelligent terminal.Further, since mobile network
Hysteresis, and easy chain rupture, the interaction also resulting between mobile terminal and background service is more more complicated than traditional pc.
Content of the invention
It is an object of the invention to provide a kind of safety control system of mobile terminal, to realize on mobile terminal device more
Profound security hardening, is fundamentally stoped in os inner nuclear layer and is attacked using authorities such as root, with guarantee mobile terminal with after
The safety of unobstructed and mobile terminal itself and the Batch Processing of the communication of platform profession service.
Specifically, it is an object of the present invention to provide a kind of safety control system of mobile terminal, including resource pipe
Reason module, double strategy library module, avc module, security server module and front/rear communication module, described resource management module
For the safe context of object resources all in completion system, and the judgement implementation process according to described security server module
The actual access to resource object for the main body, described double strategy library modules are in order to safeguard local policy storehouse and remote policy storehouse, described
, in order to accelerate access control decision, described security server module is from described avc module or described double strategy library module for avc module
After middle acquisition access control vector, judgement is made to access request, finally court verdict is paid described resource management module, institute
State the communication that front/rear communication module is responsible between AM/BAM, issuing and responding in order to auxiliary security strategy.
The safety control system of above-mentioned mobile terminal, wherein, described resource management module includes management of process subsystem, literary composition
Part management subsystem, network management subsystem and interprocess communication subsystem.
The safety control system of above-mentioned mobile terminal, wherein, described resource management module also includes remote resource agency's
System, for the safe context for described mobile terminal labelling remote back-office resource, realizes the pressure to remote back-office resource
Access control.
The safety control system of above-mentioned mobile terminal, wherein, described avc module is formed based on the cpu of described mobile terminal
Two grades of avc structures.
The safety control system of above-mentioned mobile terminal, wherein, described remote policy storehouse divides to the access rights of master, object
Priority be higher than the priority that local policy storehouse divides to the access rights of master, object.
Compared with the prior art, the beneficial effects of the present invention is:
Based on the flask Mandatory Access Control Model being widely recognized as, in conjunction with mobile intelligent terminal and industry user
Feature, introduce long-range, locally double policy librarys, achieve remote analog user, customized avc and ss to accelerate to force access to be determined
Plan, create new foreground/backstage interactive communication agreement, formulated access strategy dullness mechanism and enhancement mechanism, in os inner nuclear layer from root
Stop in basis and attacked using authorities such as root, can theoretically the harm of bad program be minimized.
Brief description
Fig. 1 shows the structured flowchart of the safety control system of mobile terminal of the present invention;
Fig. 2 shows the schematic process flow diagram of the file access method of mobile terminal of the present invention.
Specific embodiment
With reference to schematic diagram and concrete operations embodiment, the invention will be further described.
As shown in figure 1, the safety control system of mobile terminal of the present invention include resource management module, double strategy library module,
Avc module, security server module and front/rear communication module.Resource management module mainly realizes two functions: one is to complete
The safe context of all object resources in system;Two is the judgement according to security server module ss, implementation process main body pair
The actual access of resource object.Resource management module involves management of process subsystem in os, file managemnent subsystem, network pipe
The transformation of reason subsystem, ipc interprocess communication subsystem (ipc, inter-process communication) etc., to these
The access rights of the resource object in subsystem have carried out finer division, are that security strategy database management module gives main body
Little authority is laid a solid foundation.Also include remote resource in resource management module and act on behalf of sub-block, be mobile intelligent terminal labelling
The safe context of remote back-office resource, realizes the forced symmetric centralization to remote back-office resource.
Double strategy database management module be exactly mainly safeguard long-range with local two policy librarys, in this policy library it is simply that
Main object is accessed with the division being made that least privilege.Wherein in remote policy storehouse, have to remote back-office resource object
Safe context and the description giving main body corresponding authority, also have remotely in resource object safety on mobile intelligent terminal
Following description and authority give description.
In a preferred embodiment of the invention, the priority that remote policy storehouse divides to the access rights of master, object will height
In local policy storehouse.Issuing and responding of security strategy, can use the communication mechanism of front/rear, fixed for sector application feature
The special communication protocol of system also apply be applicable to front/rear otherwise interaction.In addition, issuing for telesecurity strategy,
Platform communication module also achieves long-distance user's ASM in a front/back, to receive the security strategy of remote administrator, and
It is injected into the remote policy storehouse on mobile terminal.This long-distance user's ASM can complete other with aided remote manager
The management and control task for mobile intelligent terminal.Based on this pair of policy library mechanism, it is easy to the control to terminal for the backstage in industry application
System, also solves the problem that the not smooth situation of mobile network, still ensures that mobile intelligent terminal has enough security controls.
Avc(access vector cache) module be aiming at access control vector cache, for accelerate visit
Ask control decision, principle is exactly that the access control vector of up-to-date use is maintained in internal memory, so, next time uses this access control
During system vector, quickly obtained.Here make full use of sram on cpu piece in intelligent terminal, increased one-level avc, formed
Two grades of avc, based on cpu multistage cache principle, realize security server and av are quickly obtained.
Security server module ss, according to visiting demand, generates and accesses id, and then according to id from avc or policy library, obtain
Take access control vector, access request is judged certainly, finally court verdict is paid resource management module.Equally, in order to
Accelerate access control judgement, preferably the core algorithm of this module is put into ram on the piece of cpu, to maintain the good body of user
Test.
Front/rear communication module is responsible for the communication between AM/BAM, issuing and responding in order to auxiliary security strategy.In order to
Accelerate the interaction of front/rear, simultaneously in order to adapt to the problem of normal off during mobile network, the proprietary communication protocol of present invention customization.
This agreement is based on http, does not encapsulate the existing communication protocol such as xml, soap, but is based on sector application and intelligent movable
The feature of security hardening system, a set of naked communication protocol of basic definition.This agreement decreases client and server agreement
The cost of parsing, substantially increases the efficiency of front/rear interaction.In this agreement, according to resource content, resource security attribute, with
And secure access policy library, define three major types communications protocol format, deposit and transmit this three class in the way of linear array and hand over
Mutually content, taking security attribute as a example:
[{ object 1 security attribute }, { object 2 security attribute } ..., { object m security attribute }], wherein n is natural number.
The file access method of the mobile terminal based on above-mentioned control system, referring to shown in Fig. 2, comprises the following steps:
First, accept external command, that is, after the application process of user's space enters os kernel spacing, call file system
System, locating file node, if finding mistake, carry out error checking.
Then, execution traditional file self contained navigation (dac) checks.Self contained navigation dac is an Access Control
Service, it executes based on system entity identity and their insertion authority to system resource, and this includes in file, file and
Setting license in shared resource.
Then, call lsm Hook Function, inquire about local policy storehouse;Linux security module (lsm) provides two classes to peace
The calling of full Hook Function a: class manages the security domain of kernel objects, the access to these kernel objects for the another kind of arbitration.To peace
Complete calling of Hook Function is realized by hook, and hook is the function pointer in global table security_ops, this overall situation
The type of table is security_operations structure, this structure be defined on include/linux/security.h this
In header file, in this structure, contain the molecular minor structure of hook according to kernel objects or kernel subsystems packet, and
Some are used for the top layer hook of system operatio.Kernel source code is easily found Hook Function is called: its prefix is
security_ops->.
Then, judge access process whether by local permit corresponding access, inquire about remote policy storehouse if being, no if return
Return corresponding refusal code;
Finally, judge access process whether by long-range permit corresponding access, access file if being, no if return corresponding
Refusal code.
Safety control system of the present invention mainly apply to industry field mobile intelligent terminal it is ensured that mobile intelligent terminal with after
The safety of unobstructed and mobile intelligent terminal itself and the Batch Processing of the communication of platform profession service.
Above the specific embodiment of the present invention is described in detail, but the present invention has been not restricted to tool described above
Body embodiment, it is intended only as example.To those skilled in the art, any equivalent modifications and replacement are also all in the present invention
Category among.Therefore, impartial conversion done without departing from the spirit and scope of the invention and modification, all should cover
In the scope of the present invention.
Claims (5)
1. a kind of safety control system of mobile terminal is it is characterised in that include resource management module, double strategy library module, avc
Module, security server module and front/rear communication module, described resource management module is used for all object moneys in completion system
The safe context in source, and the judgement actual visit to resource object for the implementation process main body according to described security server module
Ask, in order to safeguard local policy storehouse and remote policy storehouse, described avc module is in order to accelerate access control for described double strategy library modules
Decision-making, described security server module is right after acquisition access control vector from described avc module or described double strategy library module
Access request makes judgement, finally court verdict is paid described resource management module, before described front/rear communication module is responsible for
Communication between backstage, issuing and responding in order to auxiliary security strategy.
2. according to claim 1 the safety control system of mobile terminal it is characterised in that described resource management module includes
Management of process subsystem, file managemnent subsystem, network management subsystem and interprocess communication subsystem.
3. according to claim 2 the safety control system of mobile terminal it is characterised in that described resource management module also wraps
Include remote resource agent subsystem, for the safe context for described mobile terminal labelling remote back-office resource, realize to remote
The forced symmetric centralization of Cheng backstage resource.
4. according to claim 1 mobile terminal safety control system it is characterised in that described avc module be based on described
The cpu of mobile terminal forms two grades of avc structures.
5. according to claim 1 mobile terminal safety control system it is characterised in that described remote policy storehouse to master,
The priority that the access rights of object divide is higher than the priority that local policy storehouse divides to the access rights of master, object.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310251988.4A CN103281339B (en) | 2013-06-21 | 2013-06-21 | Safety controlling system of mobile terminal |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310251988.4A CN103281339B (en) | 2013-06-21 | 2013-06-21 | Safety controlling system of mobile terminal |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN103281339A CN103281339A (en) | 2013-09-04 |
| CN103281339B true CN103281339B (en) | 2017-01-25 |
Family
ID=49063786
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201310251988.4A Active CN103281339B (en) | 2013-06-21 | 2013-06-21 | Safety controlling system of mobile terminal |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN103281339B (en) |
Families Citing this family (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103457780A (en) * | 2013-09-18 | 2013-12-18 | 浪潮电子信息产业股份有限公司 | Method for managing server host reinforcing product in non-application-proxy mode |
| CN103648090A (en) * | 2013-12-12 | 2014-03-19 | 北京利云技术开发公司 | Method for realizing security and credibility of intelligent mobile terminal and system thereof |
| CN107547520B (en) * | 2017-07-31 | 2020-07-07 | 中国科学院信息工程研究所 | Method for constructing flash security module |
| CN110597629A (en) * | 2019-08-30 | 2019-12-20 | 上海辰锐信息科技公司 | Resource scheduling method based on resource preposed atomization and cloud pooling |
| CN111147292B (en) * | 2019-12-18 | 2022-12-02 | 深圳市任子行科技开发有限公司 | Policy cluster distribution matching method, system and computer readable storage medium |
| CN111400723A (en) * | 2020-04-01 | 2020-07-10 | 中国人民解放军国防科技大学 | TEE extension-based operating system kernel mandatory access control method and system |
| CN112000968A (en) * | 2020-08-13 | 2020-11-27 | 青岛海尔科技有限公司 | Access control method and device, storage medium and electronic device |
| CN114124429A (en) * | 2021-08-23 | 2022-03-01 | 阿里巴巴新加坡控股有限公司 | Data processing method and device, electronic equipment and computer readable storage medium |
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101727555A (en) * | 2009-12-04 | 2010-06-09 | 苏州昂信科技有限公司 | Access control method for operation system and implementation platform thereof |
-
2013
- 2013-06-21 CN CN201310251988.4A patent/CN103281339B/en active Active
Patent Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101727555A (en) * | 2009-12-04 | 2010-06-09 | 苏州昂信科技有限公司 | Access control method for operation system and implementation platform thereof |
Also Published As
| Publication number | Publication date |
|---|---|
| CN103281339A (en) | 2013-09-04 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN103281339B (en) | Safety controlling system of mobile terminal | |
| CN105094799A (en) | Hybrid applications operating between on-premise and cloud platforms | |
| CN105022628B (en) | A kind of expansible software application platform | |
| CN101997912A (en) | Mandatory access control device based on Android platform and control method thereof | |
| CN107480509A (en) | O&M safety auditing system logs in vessel process, system, equipment and storage medium | |
| CN105186690A (en) | Remote operation method for constant value of relay protection device | |
| CN108037978A (en) | A kind of managing computing resources method based on virtualization technology | |
| WO2024060956A1 (en) | Hybrid database management method and apparatus, hybrid database, and electronic device | |
| CN106452835A (en) | Method and device for updating software to terminal with specific hardware configurations | |
| CN111651121A (en) | Data logic calculation method and device, electronic equipment and storage medium | |
| CN107566375A (en) | Access control method and device | |
| CN108924086A (en) | A kind of host information acquisition method based on TSM Security Agent | |
| CN111310230A (en) | Spatial data processing method, device, equipment and medium | |
| CN102137162A (en) | CAD (Computer Aided Design) integrated system based on mode of software used as service | |
| CN105959404A (en) | GPU virtualization platform based on cloud computing | |
| CN110287089B (en) | Microkernel IPC (inter-processor communication protocol) verification method based on intermediate format and SMT (surface mount technology) | |
| CN111596962B (en) | Real-time microkernel system based on high-speed protocol channel and initialization method thereof | |
| CN110457667A (en) | The good sheet disposal method and system based on B/S framework of safety | |
| CN101247309B (en) | System for universal accesses to multi-cell platform | |
| CN101834902A (en) | Front-end processor system and method for comprehensive management of remote power distribution room | |
| KR102538324B1 (en) | Data Intergration And Linkage Service Method For Linkage Between Power Systems | |
| CN110759191B (en) | Elevator control method based on 5G smart park | |
| CN103745025A (en) | EMTDC integrated application platform of high-voltage direct current system | |
| CN113050927A (en) | Permission control method and device based on user-defined instruction and computer equipment | |
| CN102999518B (en) | A kind of Graphics Device Interface method for managing resource and device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| CB03 | Change of inventor or designer information |
Inventor after: Yin Xinming Inventor after: Request for anonymity Inventor after: Gu Liu Inventor after: Pan Chengda Inventor after: Hu Zhengliang Inventor after: Hu Jun Inventor before: Liu Yang Inventor before: Request for anonymity Inventor before: Huang Ming Inventor before: Gu Liu Inventor before: Pan Chengda Inventor before: Hu Zhengliang |
|
| COR | Change of bibliographic data | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CP03 | Change of name, title or address |
Address after: No.76 Yueyang Road, Xuhui District, Shanghai 200030 Patentee after: Shanghai Chen Rui Mdt InfoTech Ltd. Address before: 201204 No. 76, Yueyang Road, Xuhui District, Shanghai Patentee before: SHANGHAI CHENRUI INFORMATION TECHNOLOGY Co.,Ltd. |
|
| CP03 | Change of name, title or address |