CN104281803A - System permission management method and equipment - Google Patents
System permission management method and equipment Download PDFInfo
- Publication number
- CN104281803A CN104281803A CN201410473038.0A CN201410473038A CN104281803A CN 104281803 A CN104281803 A CN 104281803A CN 201410473038 A CN201410473038 A CN 201410473038A CN 104281803 A CN104281803 A CN 104281803A
- Authority
- CN
- China
- Prior art keywords
- hardware
- application program
- result
- right management
- module
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/45—Structures or tools for the administration of authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Stored Programmes (AREA)
Abstract
The invention provides a system permission management method and system permission management equipment. The method comprises the following steps: in the initializing process of a system, establishing system attributes and carrying out value assignment, wherein the system attributes correspond to attributes of hardware in the system one by one; when an application calls the hardware, reading the system attribute corresponding to the hardware, carrying out permission validation on the application and returning a validation result; enabling the application to operate the hardware according to the validation result. According to the invention, starting from the basement design, a framework layer and an application layer of an existing Android system are modified and expanded, so that the hardware is controlled and authorized, a new hardware permission management mechanism is constructed, and the original safety of the Android system is promoted.
Description
Technical field
The present invention relates to areas of information technology, particularly relate to a kind of System right management method and apparatus.
Background technology
At present, smart mobile phone becomes the carrier of the various information of user, stores a large amount of important informations, therefore also becomes the preferred object of malicious attack.The very major part of smart mobile phone security threat comes from divulging a secret of individual privacy and various malice and to deduct fees software, these Malwares utilize the leak of authority mechanism in the past to abuse authority opponent machine and attack, and What is more also can at Background scheduling hardware to spy upon privacy.
In prior art, the method solving the defect of Android authority mechanism can comprise:
1. pair existing Android operation system is expanded, and sets up the fine granularity application rights management model of lightweight, make user can under certain restrictive condition on demand to android system in the application program authority of installing distribute.But because this method uses SQLite database, it is inherently safe relatively not to the data of protection of usage right.
2. between application program installation period, carry out the self identity of authority.In the method, the authority of application requests and system strategy are connected, to realize the only having compatible application program of strategy just can be installed on mobile phone.
3. pair Android authority skeleton code makes amendment.This method proposes a kind of tactful implementation framework for different application, and such cellphone subscriber just can application programs granted rights or cancel authority selectively.
But although above various method is studied from the authority of different aspect application programs, the authority being all confined to application program judges, the security threat scope that can tackle is narrow.In addition, all agreeing to or all refusal can be selected owing to only having the judgement of authority, therefore only by judging that the mode of authority selects whether set up applications, and cannot to arrange a certain item of some authorities or mobile phone or function manages.There is very large drawback in this traditional authorization policy pattern, and the rights management policy of this extensive style cannot meet our demand in a lot of scene.
Summary of the invention
The invention provides a kind of System right management method and apparatus, cannot the technical matters of privileges of management system effectively flexibly to solve in prior art.
First a kind of System right management method of the present invention, comprising:
System property is created and assignment, the attribute one_to_one corresponding of hardware in described system property and described system in system initialization process;
When there is application call hardware, reading the system property corresponding to described hardware, Authority Verification being carried out to described application program and returns the result;
Described application program is made to operate described hardware according to described the result.
Further, described method also comprises:
Described system property is modified.
Further, describedly make described application program carry out operation according to described the result to described hardware comprising:
When described the result is true time, described application program is made to call described hardware;
When described the result is not true time, described application program is not made to call described hardware.
Further, described method also comprises:
The hardware management strategy of described system is set, utilizes described hardware management strategy to carry out Authority Verification to described application program.
Further, described hardware management strategy comprises:
One or more in the black and white lists of the usage time interval of described hardware, the place to use of described hardware, described application program, network remote Managed Solution.
On the other hand, the present invention also provides a kind of System right management equipment, and described equipment comprises:
System property configuration module, for creating system property and assignment in system initialization process, the attribute one_to_one corresponding of hardware in described system property and described system;
Authority Verification module, for when application call hardware, reads the system property corresponding to described hardware, carries out Authority Verification and return the result to described application program;
Operational module, operates described hardware according to described the result for making described application program.
Further, described equipment also comprises:
Modified module, is connected with described system property configuration module, for modifying to described system property.
Further, described operational module also for:
Be true time at described the result, make described application program call described hardware;
Be not true time at described the result, do not make described application program call described hardware.
Further, described equipment also comprises:
Strategy setting module, is connected with described Authority Verification module, for arranging the hardware management strategy of described system, makes described Authority Verification module utilize described hardware management strategy to carry out Authority Verification to described application program.
Further, described strategy setting module comprises for the hardware management strategy of the described system arranged:
One or more in the black and white lists of the usage time interval of described hardware, the place to use of described hardware, described application program, network remote Managed Solution.
The present invention can from bottom-layer design, modifies and expands, thus carry out controlling to hardware and authorize, build new hardware rights management mechanism, make the original security lifting of android system the ccf layer of existing android system and application layer.
Accompanying drawing explanation
In order to be illustrated more clearly in the embodiment of the present invention or technical scheme of the prior art, be briefly described to the accompanying drawing used required in embodiment or description of the prior art below, apparently, accompanying drawing in the following describes is some embodiments of the present invention, for those of ordinary skill in the art, under the prerequisite not paying creative work, other accompanying drawing can also be obtained according to these accompanying drawings.
Fig. 1 is the step schematic diagram of a kind of System right management method of the embodiment of the present invention;
Fig. 2 is the rights management mechanism service chart of a kind of System right management method of the embodiment of the present invention;
Fig. 3 is the structural representation of a kind of System right management equipment of the embodiment of the present invention.
Embodiment
For making the object of the embodiment of the present invention, technical scheme and advantage clearly, below in conjunction with the accompanying drawing in the embodiment of the present invention, technical scheme in the embodiment of the present invention is clearly and completely described, obviously, described embodiment is the present invention's part embodiment, instead of whole embodiments.Based on the embodiment in the present invention, those of ordinary skill in the art, not making the every other embodiment obtained under creative work prerequisite, belong to the scope of protection of the invention.
Hardware due to android system generally all uses singleton pattern to call, therefore, if need increase a novel authentication mechanism in various hardware (hardware) class of system framework layer carries out auditing with when authorizing, so, owing to only having for upper strata provides application programming interface (the Application Programming Interface of exploitation in system framework layer, api), then can use establishment operational static overall variable always, and only have the local variable of various hardware class.Clearly this is the effect that cannot reach storage data, and is exactly unsafe from the overall static variable of the angle of security.Therefore the system property of choice for use Android data can be preserved.When carrying out the assignment of system property when system initialization, the amendment of simultaneity factor attribute is sightless with reading for application layer, so also has stronger security.Simultaneously; the equipment authority of a supervisory routine to us is also needed to manage; for the protection of the security to mechanism; also must consider that program is to needing calling the api that system is hidden; need application program to be put forward power for " android.uid.system " at this, become system-level application.
Therefore, first the embodiment of the present invention provides a kind of System right management method, and see Fig. 1, the concrete steps of the present embodiment method comprise:
Step 101: create system property and assignment in system initialization process, the attribute one_to_one corresponding of hardware in described system property and described system.
See the rights management mechanism service chart of Fig. 2, in an application scenarios of the present embodiment, first can in the process starting initialization init.c, setprop be used to create attribute and reading system attribute " persist.sys.hardware_prop ".
In addition, amendment can also be made to the system property of preserving authority.When some hardware authority of needs amendment system, by calling getSystemProperty () function setup particular system attribute.And the prefix of these system propertys must be persist.sys.
Step 102: when there is application call hardware, reads the system property corresponding to described hardware, carries out Authority Verification and return the result to described application program.
What can illustrate is, the present embodiment can add one deck review mechanism inside ccf layer, in having application requests to obtain various hardware instance, all need to audit, can effectively security application program illegally call hardware thus prevent privacy leakage like this.Meanwhile, various suitable protection of usage right strategy can also be arranged to prevent from illegally calling to the hardware managing oneself.
Wherein, the interface that can be provided by the application call ccf layer of application layer obtains the instance variable of a hardware.The hardware classes of android system all belongs to single routine Design Mode, and similar on the obtain manner of the example of each hardware.Each hardware all can have certain function of a specific class be used as returning example and comprise the function of operational hardware wherein.When application call ccf layer obtains the function of example, directly do not return example, but send request to this self defined class of PermissionCHK in Fig. 2, and wait for that it returns authority the result.When not obtaining the Authority Verification result of feedback, function will be in waiting status.
When receiving Authority Verification request, this class of PermissionCHK can be opened, calling the value of getSystemProperty () function reading system attribute wherein, and judging its true value, then returning to ccf layer hardware classes.
In addition, in an application scenarios of the present embodiment, also need to arrange the hardware management strategy of system, and utilize hardware management strategy application programs to carry out Authority Verification.Such as, the switch of the authority of hardware can be set, or according to the place to use of hardware as set-point according to the usage time interval of hardware, or the black and white lists built by the bag name of application program or network remote Managed Solution are as standard etc.
When android system initial start-up time, initialization can be carried out by the hardware permissions list of the setprop in init.c wherein to system, again will be automatically imported setting after start up system later, very convenient.The file placement location of system property is sightless for application layer, and the reading of system property is same for application layer with modification process is sightless.So just can ensure the security of the hardware rights management mechanism of system, especially data security.Can not adopt as SQLite database or file, store data by modification of program sharedPreference can be employed, the security of system cannot be ensured.
Step 103: make described application program operate described hardware according to described the result.
When waiting for Authority Verification result, if when the stand-by period, the result that is overtime or that obtain was false, the function obtaining example will return sky, and application program cannot be called hardware; And only have when at the appointed time obtaining the result of true in scope, application program just can obtain the example returned, and calls hardware.
See Fig. 3, the embodiment of the present invention also provides a kind of System right management equipment, comprising:
System property configuration module 301, for creating system property and assignment in system initialization process, the attribute one_to_one corresponding of hardware in described system property and described system;
Authority Verification module 302, for when application call hardware, reads the system property corresponding to described hardware, carries out Authority Verification and return the result to described application program;
Operational module 303, operates described hardware according to described the result for making described application program.
Alternatively, equipment can also comprise: modified module (not shown), is connected with system property configuration module 301, for modifying to system property.
Alternatively, operational module 303 can also be used for: be true time at described the result, makes described application program call described hardware; Be not true time at described the result, do not make described application program call described hardware.
Alternatively, equipment can also comprise: strategy setting module (not shown), be connected with Authority Verification module 302, for arranging the hardware management strategy of described system, described Authority Verification module 302 is made to utilize described hardware management strategy to carry out Authority Verification to described application program.
Alternatively, described strategy setting module can comprise for the hardware management strategy of the described system arranged: one or more in the black and white lists of the usage time interval of described hardware, the place to use of described hardware, described application program, network remote Managed Solution.
Visible, in the System right management method and apparatus that the embodiment of the present invention provides, can from bottom-layer design, the ccf layer of existing android system and application layer are modified and expanded, thus carry out controlling to hardware and authorize, build new hardware rights management mechanism, the original security of android system is promoted.Embodiment in the present invention adds the new protection of one deck and hardware authority can be used to carry out controlling (as time controling, network control etc.), the security threat of this platform is reduced from system level, effectively prevent Android wooden horse and the invasion of virus, prevent from divulging a secret.
Last it is noted that above embodiment is only in order to illustrate technical scheme of the present invention, be not intended to limit; Although with reference to previous embodiment to invention has been detailed description, those of ordinary skill in the art is to be understood that: it still can be modified to the technical scheme described in foregoing embodiments, or carries out equivalent replacement to wherein portion of techniques feature; And these amendments or replacement, do not make the essence of appropriate technical solution depart from the spirit and scope of various embodiments of the present invention technical scheme.
Claims (10)
1. a System right management method, is characterized in that, comprising:
System property is created and assignment, the attribute one_to_one corresponding of hardware in described system property and described system in system initialization process;
When there is application call hardware, reading the system property corresponding to described hardware, Authority Verification being carried out to described application program and returns the result;
Described application program is made to operate described hardware according to described the result.
2. System right management method according to claim 1, is characterized in that, described method also comprises:
Described system property is modified.
3. System right management method according to claim 1, is characterized in that, describedly makes described application program carry out operation according to described the result to described hardware comprising:
When described the result is true time, described application program is made to call described hardware;
When described the result is not true time, described application program is not made to call described hardware.
4. System right management method according to any one of claim 1 to 3, is characterized in that, described method also comprises:
The hardware management strategy of described system is set, utilizes described hardware management strategy to carry out Authority Verification to described application program.
5. System right management method according to claim 4, is characterized in that, described hardware management strategy comprises:
One or more in the black and white lists of the usage time interval of described hardware, the place to use of described hardware, described application program, network remote Managed Solution.
6. a System right management equipment, is characterized in that, described equipment comprises:
System property configuration module, for creating system property and assignment in system initialization process, the attribute one_to_one corresponding of hardware in described system property and described system;
Authority Verification module, for when application call hardware, reads the system property corresponding to described hardware, carries out Authority Verification and return the result to described application program;
Operational module, operates described hardware according to described the result for making described application program.
7. System right management equipment according to claim 6, is characterized in that, described equipment also comprises:
Modified module, is connected with described system property configuration module, for modifying to described system property.
8. System right management equipment according to claim 6, is characterized in that, described operational module also for:
Be true time at described the result, make described application program call described hardware;
Be not true time at described the result, do not make described application program call described hardware.
9. the System right management equipment according to any one of claim 6 to 8, is characterized in that, described equipment also comprises:
Strategy setting module, is connected with described Authority Verification module, for arranging the hardware management strategy of described system, makes described Authority Verification module utilize described hardware management strategy to carry out Authority Verification to described application program.
10. System right management equipment according to claim 9, is characterized in that, described strategy setting module comprises for the hardware management strategy of the described system arranged:
One or more in the black and white lists of the usage time interval of described hardware, the place to use of described hardware, described application program, network remote Managed Solution.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410473038.0A CN104281803A (en) | 2014-09-16 | 2014-09-16 | System permission management method and equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410473038.0A CN104281803A (en) | 2014-09-16 | 2014-09-16 | System permission management method and equipment |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN104281803A true CN104281803A (en) | 2015-01-14 |
Family
ID=52256665
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201410473038.0A Pending CN104281803A (en) | 2014-09-16 | 2014-09-16 | System permission management method and equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN104281803A (en) |
Cited By (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104768147A (en) * | 2015-03-09 | 2015-07-08 | 中国科学院信息工程研究所 | WLAN device and data channel real-time control method and system |
| CN104822127A (en) * | 2015-03-09 | 2015-08-05 | 中国科学院信息工程研究所 | Bluetooth device, data channel real-time management and control method and system thereof |
| CN104820792A (en) * | 2015-03-09 | 2015-08-05 | 中国科学院信息工程研究所 | Method and apparatus for managing Android device and data channel system authority |
| CN105550587A (en) * | 2015-12-11 | 2016-05-04 | 北京元心科技有限公司 | Method and device for controlling system resource access in multi-system terminal equipment |
| CN106778123A (en) * | 2016-11-24 | 2017-05-31 | 努比亚技术有限公司 | Mobile terminal and its hardware device right management method |
| CN111601038A (en) * | 2020-05-28 | 2020-08-28 | 无锡睿勤科技有限公司 | Camera control method and device, electronic terminal and storage medium |
| CN112667311A (en) * | 2020-12-23 | 2021-04-16 | 四川长虹电器股份有限公司 | Software state switching method applied to android system |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102063299A (en) * | 2010-12-21 | 2011-05-18 | 东莞宇龙通信科技有限公司 | Method and device for assessing application running condition of mobile terminal, mobile terminal |
| CN103067911A (en) * | 2012-12-17 | 2013-04-24 | 中国联合网络通信集团有限公司 | Method and equipment used for controlling hardware module |
| CN103607253A (en) * | 2013-09-27 | 2014-02-26 | 西安酷派软件科技有限公司 | Method and system for controlling mobile terminals |
-
2014
- 2014-09-16 CN CN201410473038.0A patent/CN104281803A/en active Pending
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102063299A (en) * | 2010-12-21 | 2011-05-18 | 东莞宇龙通信科技有限公司 | Method and device for assessing application running condition of mobile terminal, mobile terminal |
| CN103067911A (en) * | 2012-12-17 | 2013-04-24 | 中国联合网络通信集团有限公司 | Method and equipment used for controlling hardware module |
| CN103607253A (en) * | 2013-09-27 | 2014-02-26 | 西安酷派软件科技有限公司 | Method and system for controlling mobile terminals |
Cited By (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104768147A (en) * | 2015-03-09 | 2015-07-08 | 中国科学院信息工程研究所 | WLAN device and data channel real-time control method and system |
| CN104822127A (en) * | 2015-03-09 | 2015-08-05 | 中国科学院信息工程研究所 | Bluetooth device, data channel real-time management and control method and system thereof |
| CN104820792A (en) * | 2015-03-09 | 2015-08-05 | 中国科学院信息工程研究所 | Method and apparatus for managing Android device and data channel system authority |
| CN104820792B (en) * | 2015-03-09 | 2019-04-26 | 中国科学院信息工程研究所 | Android device and data channel System right management method and apparatus |
| CN105550587A (en) * | 2015-12-11 | 2016-05-04 | 北京元心科技有限公司 | Method and device for controlling system resource access in multi-system terminal equipment |
| CN106778123A (en) * | 2016-11-24 | 2017-05-31 | 努比亚技术有限公司 | Mobile terminal and its hardware device right management method |
| CN111601038A (en) * | 2020-05-28 | 2020-08-28 | 无锡睿勤科技有限公司 | Camera control method and device, electronic terminal and storage medium |
| CN111601038B (en) * | 2020-05-28 | 2021-10-01 | 无锡睿勤科技有限公司 | Camera control method and device, electronic terminal and storage medium |
| CN112667311A (en) * | 2020-12-23 | 2021-04-16 | 四川长虹电器股份有限公司 | Software state switching method applied to android system |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN104281803A (en) | System permission management method and equipment | |
| CN104268463A (en) | Method and device for managing calling authority of camera | |
| CN109510849B (en) | Cloud-storage account authentication method and device | |
| CN102981835B (en) | Android application program permanent Root permission acquiring method | |
| US9075955B2 (en) | Managing permission settings applied to applications | |
| US9065771B2 (en) | Managing application execution and data access on a device | |
| CN105830477A (en) | Operating system integrated domain management | |
| CN103548320A (en) | Secure execution of unsecured apps on a device | |
| CN104050401A (en) | User permission management method and system | |
| CN104156662A (en) | Process monitoring method and device and intelligent terminal | |
| CN104822127A (en) | Bluetooth device, data channel real-time management and control method and system thereof | |
| CN106203162B (en) | A kind of method for secret protection and system of combining the two ways of dredging and plugging | |
| US9619222B2 (en) | System, method and apparatus for automatic device registration and secure application activation | |
| CN103455520A (en) | Method and device for accessing Android database | |
| CN105224832A (en) | License authorization centralized management method | |
| US20140317704A1 (en) | Method and system for enabling the federation of unrelated applications | |
| CN104036202A (en) | Method and equipment for isolating enterprise applications | |
| US20140282876A1 (en) | Method and system for restricting the operation of applications to authorized domains | |
| CN105094996A (en) | Security-enhancing method and system of Android system based on dynamic authority verification | |
| CN106169042A (en) | The method and device of administration authority | |
| CN107566375B (en) | Access control method and device | |
| EP2725511B1 (en) | Managing application execution and data access on a device | |
| CN103763370B (en) | A kind of method, system and device for changing mobile terminal workspace screen-lock password | |
| CN105786551A (en) | Application program operation access control method and system | |
| CN104270754A (en) | SIM authentication method and device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20150114 |
|
| RJ01 | Rejection of invention patent application after publication |