CN105138905A - Isolation operation method for Linux application program - Google Patents
Isolation operation method for Linux application program Download PDFInfo
- Publication number
- CN105138905A CN105138905A CN201510526555.4A CN201510526555A CN105138905A CN 105138905 A CN105138905 A CN 105138905A CN 201510526555 A CN201510526555 A CN 201510526555A CN 105138905 A CN105138905 A CN 105138905A
- Authority
- CN
- China
- Prior art keywords
- sandbox
- application program
- cpu
- linux application
- time
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
Abstract
The invention provides an isolation operation method for a Linux application program. The method includes the following steps that a sandbox of sources needed by operation of the Linux application program is configured for the Linux application program, and an independent file system, the maximum percent of occupied CPU time, a bound CPU core and the maximum memory in use are configured for the sandbox; the independent file system is converted into a root directory of the Linux application program; the Linux application program is bound to the bound CPU core configured in the sandbox corresponding to the Linux application program; when an interruption happens, whether the access time of the current process on a CPU is longer than the maximum access time on the CPU in a time period corresponding to the maximum percent of the occupied CPU time is judged, and if yes, the process outside the sandbox is switched to; the memory used in operation of the Linux application program is detected in real time, and operation of the Linux application program is ended when the memory is larger than the maximum memory in use. According to the isolation operation method, isolation between application programs and isolation between application programs and an operation system are achieved, and it is ensured that malicious application programs cannot threaten the operation system.
Description
Technical field
The invention belongs to field of computer technology, more specifically relate to a kind of isolation operation method of Linux application program.
Background technology
When application program performs in linux operating system, need to use the various resources provided by linux operating system, mainly comprise CPU, internal memory, file system etc.Wherein CPU provides the function of the data in interpretive machine instruction and process computer software.The function of data that internal memory provides the operational data that stores CPU and exchanges with the external memory storage such as hard disk.File system provides establishment, opens, reads, revises, deletes the function of data file operation for application program.
User is when using (SuSE) Linux OS, some application programs used may carry out illegal operation, cause serious safety problem, such as some application program meeting malice occupying system resources, hinder the normal execution of other programs, even cause that system is seemingly-dead cannot be safeguarded; When the application program that user uses needs accesses network, likely can download rogue program from unsafe website, these rogue programs may steal the sensitive information etc. of user, interfere with the routine work of user, data security and individual privacy etc.
Summary of the invention
(1) technical matters that will solve
The technical problem to be solved in the present invention is the safety how preventing malware threat operating system.
(2) technical scheme
In order to solve the problems of the technologies described above, the invention provides a kind of isolation operation method of Linux application program, said method comprising the steps of:
For Linux application deployment, it runs the sandbox of resource requirement, the largest percentage that wherein said sandbox is configured with independently file system, shared CPU time, the CPU core bound and the maximum memory used;
Described independently filesystem conversion is the root directory of described Linux application program;
Described Linux application program is tied to the CPU core bound configured in the sandbox corresponding with it;
When interrupting occurring, judge current process to CPU access duration whether be greater than described shared by the longest access time to CPU in a time period corresponding to the largest percentage of CPU time, if be switched to the process outside described sandbox;
The described Linux application program of real-time detection runs the internal memory used, and terminates the operation of described Linux application program when it is greater than described used maximum memory.
Preferably, described sandbox is also configured with multiple spendable powers and functions;
When described sandbox carries out privileged operation, judge whether privilege that described sandbox operates belongs in described multiple spendable powers and functions one or more, if allow described sandbox to carry out privileged operation.
Preferably, configuration file, dynamic link library, the specific installation of needs when described independently file system comprises described Linux application program and performs.
Preferably, when interrupting occurring, by scheduler judge current process to CPU access duration whether be greater than described shared by the longest access time in a time period corresponding to the largest percentage of CPU time.
Preferably, described described Linux application program is tied to the CPU core bound configured in the sandbox corresponding with it before also comprise and judge that described Linux application program belongs to the step of which sandbox.
(3) beneficial effect
The invention provides the isolation operation method of Linux application program, by being sandbox allocating system resource, the Linux application program run in sandbox can only use the resource in sandbox, the i.e. running environment of an isolation that provides for application program of sandbox, all incredible application programs, can run in sandbox and the resource security that can not threaten in system outside sandbox, achieve the isolation between application program and between application program and operating system, ensure that malicious application can not produce operating system and threaten.
Accompanying drawing explanation
In order to be illustrated more clearly in the embodiment of the present invention or technical scheme of the prior art, be briefly described to the accompanying drawing used required in embodiment or description of the prior art below, apparently, accompanying drawing in the following describes is only some embodiments of the present invention, for those of ordinary skill in the art, under the prerequisite not paying creative work, other accompanying drawing can also be obtained according to these accompanying drawings.
Fig. 1 is the process flow diagram of the isolation operation method of the Linux application program of a preferred embodiment of the present invention;
Fig. 2 is the structural representation of independently file system in the present invention;
Fig. 3 is the method flow diagram of the operable internal memory of process of application program in the restriction sandbox of a preferred embodiment of the present invention;
Fig. 4 is the method flow diagram controlled the operable CPU time sheet of the process group in sandbox of a preferred embodiment of the present invention.
Embodiment
Below in conjunction with drawings and Examples, the present invention is described in further detail.Following examples for illustration of the present invention, but can not be used for limiting the scope of the invention.
An isolation operation method for Linux application program, as shown in Figure 1, said method comprising the steps of:
S1, for Linux application deployment, it runs the sandbox of resource requirement, the largest percentage that wherein said sandbox is configured with independently file system, shared CPU time, the CPU core bound and the maximum memory used;
When S2, sandbox run, described independently filesystem conversion is the root directory of described Linux application program;
When S3, program are run, described Linux application program is tied to the CPU core bound configured in the sandbox corresponding with it;
S4, when interrupting occurring, judge current process to CPU access duration whether be greater than described shared by the longest access time to CPU in a time period corresponding to the largest percentage of CPU time, if be switched to the process outside described sandbox;
S5, the in real time described Linux application program of detection run the internal memory used, and terminate the operation of described Linux application program when it is greater than described used maximum memory.
Be understood that the label of said method does not represent execution sequence.
The present invention is that sandbox specifies one and main frame completely independently file system, and after program is run in sandbox, its working directory changes to sandbox catalogue, and program can't see the file beyond this catalogue, thus achieves the isolation of sandbox and host file system.If specify different catalogues to different sandbox, file system isolation completely so between sandbox, also can be realized.Sandbox is the running environment of the isolation that application program provides, and the incredible application program of all users, can run in sandbox, and said method of the present invention can effectively prevent malicious application from destroying operating system.
Further, described sandbox is also configured with multiple spendable powers and functions; When described sandbox carries out privileged operation, judge whether the privilege that described sandbox operates belongs to one or more in described multiple spendable powers and functions, if allow described sandbox to carry out privileged operation.Preferably, for the process in sandbox sets a least privilege collection, it is the set comprising spendable powers and functions, when the process in sandbox will carry out a certain privileged operation, checks whether sandbox possesses corresponding powers and functions.If possess, permission process carries out privileged operation, if do not possess, forbids that process carries out this privileged operation.
Further, as shown in Figure 2, the configuration file, dynamic link library, specific installation etc. that need when described independently file system comprises described Linux application program itself and executive utility thereof.When sandbox runs, the root directory of its process is converted to this independently file system, makes the process in sandbox cannot operate file beyond this separate file system.In Fig. 2, deposit under etc catalogue be program perform time need configuration file, deposit under lib catalogue be program perform time need library file, deposit under dev catalogue be program perform time need device file.
Further, when interrupting occurring, by scheduler judge current process to CPU access duration whether be greater than described shared by the longest access time in a time period corresponding to the largest percentage of CPU time.
Further, described described Linux application program is tied to the CPU core bound configured in the sandbox corresponding with it before also comprise and judge that described Linux application program belongs to the step of which sandbox.
Said method limits task (process of application program) the operable internal memory in sandbox, specifically can be realized by following steps, as shown in Figure 3:
S101: for the program run in sandbox specifies a spendable internal memory maximal value (namely above-mentioned used maximum memory);
S102: the internal memory use amount of monitoring sandbox Program when system cloud gray model in real time;
S103: judge in sandbox, whether internal memory use amount arrives setting value (namely above-mentioned used maximum memory);
S104: if the internal memory that the program in sandbox of monitoring uses exceedes this upper limit and continuation application internal memory again;
S105: give a warning, and the operation of terminator.
Said method controls the operable CPU time sheet of the process group in sandbox, the program in sandbox of limiting in certain time period to the longest connected reference time of cpu resource, i.e. the largest percentage of shared CPU time.Specifically can be realized by following steps, as shown in Figure 4:
S201: for sandbox arranges the longest connected reference time (i.e. the largest percentage of above-mentioned shared CPU time) to CPU in certain time period;
S202: the CPU access time of sandbox Program is monitored;
S203: when interrupting occurring, whether the program judged in sandbox by scheduler reaches the longest access time (i.e. the largest percentage of setting value or above-mentioned shared CPU time) to cpu resource;
S204: if reach, then interrupt the process switched to when returning beyond sandbox, if do not reach, program can continue to perform.
Said method is that the process in sandbox sets the CPU core that can bind.During process scheduling (or when program starts), judge that this process is the program in sandbox, if so, for it binds corresponding CPU core, the program in sandbox can only use the CPU core into its setting.
Above embodiment is only for illustration of the present invention, but not limitation of the present invention.Although with reference to embodiment to invention has been detailed description, those of ordinary skill in the art is to be understood that, various combination, amendment or equivalent replacement are carried out to technical scheme of the present invention, do not depart from the spirit and scope of technical solution of the present invention, all should be encompassed in the middle of right of the present invention.
Claims (5)
1. an isolation operation method for Linux application program, is characterized in that, said method comprising the steps of:
For Linux application deployment, it runs the sandbox of resource requirement, the largest percentage that wherein said sandbox is configured with independently file system, shared CPU time, the CPU core bound and the maximum memory used;
Described independently filesystem conversion is the root directory of described Linux application program;
Described Linux application program is tied to the CPU core bound configured in the sandbox corresponding with it;
When interrupting occurring, judge current process to CPU access duration whether be greater than described shared by the longest access time to CPU in a time period corresponding to the largest percentage of CPU time, if be switched to the process outside described sandbox;
The described Linux application program of real-time detection runs the internal memory used, and terminates the operation of described Linux application program when it is greater than described used maximum memory.
2. method according to claim 1, is characterized in that, described sandbox is also configured with multiple spendable powers and functions;
When described sandbox carries out privileged operation, judge whether privilege that described sandbox operates belongs to one in described multiple spendable powers and functions, if allow described sandbox to carry out privileged operation.
3. method according to claim 1, is characterized in that, configuration file, dynamic link library, the specific installation of needs when described independently file system comprises described Linux application program and performs.
4. method according to claim 1, is characterized in that, when interrupting occurring, by scheduler judge current process to CPU access duration whether be greater than described shared by the longest access time in a time period corresponding to the largest percentage of CPU time.
5. method according to claim 1, is characterized in that, described described Linux application program is tied to the CPU core bound configured in the sandbox corresponding with it before also comprise and judge that described Linux application program belongs to the step of which sandbox.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510526555.4A CN105138905A (en) | 2015-08-25 | 2015-08-25 | Isolation operation method for Linux application program |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510526555.4A CN105138905A (en) | 2015-08-25 | 2015-08-25 | Isolation operation method for Linux application program |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN105138905A true CN105138905A (en) | 2015-12-09 |
Family
ID=54724250
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201510526555.4A Pending CN105138905A (en) | 2015-08-25 | 2015-08-25 | Isolation operation method for Linux application program |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN105138905A (en) |
Cited By (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106354564A (en) * | 2016-08-31 | 2017-01-25 | 深圳天珑无线科技有限公司 | System resource distribution method and system |
| CN106682501A (en) * | 2016-12-20 | 2017-05-17 | 深圳市九洲电器有限公司 | Set-top-box application program management method and system |
| CN106919840A (en) * | 2017-03-03 | 2017-07-04 | 努比亚技术有限公司 | The detection method and device of a kind of Malware |
| US10025619B1 (en) | 2017-09-22 | 2018-07-17 | International Business Machines Corporation | Accounting and enforcing non-process execution by container-based software transmitting data over a network |
| CN108491716A (en) * | 2018-01-29 | 2018-09-04 | 中国电子科技网络信息安全有限公司 | A kind of virutal machine memory isolation detection method based on physical page address analysis |
| CN108985086A (en) * | 2018-07-18 | 2018-12-11 | 中软信息系统工程有限公司 | Application program authority control method, device and electronic equipment |
| CN109196505A (en) * | 2016-06-02 | 2019-01-11 | 微软技术许可有限责任公司 | Hardware based virtualization security isolation |
| CN110187963A (en) * | 2019-04-29 | 2019-08-30 | 杨百涛 | The method that real-time and Non real-time processing in real-time Android operation system is strictly isolated |
| CN110928601A (en) * | 2019-12-04 | 2020-03-27 | 锐捷网络股份有限公司 | Method and device for isolating CPU and storage medium |
| CN110955886A (en) * | 2019-11-08 | 2020-04-03 | 广州供电局有限公司 | Sandbox-based data security fusion service device and method thereof |
| US10810038B2 (en) | 2017-09-22 | 2020-10-20 | International Business Machines Corporation | Accounting and enforcing non-process execution by container-based software receiving data over a network |
| WO2022150966A1 (en) * | 2021-01-12 | 2022-07-21 | 王志平 | Processor memory management method for achieving process isolation |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102289616A (en) * | 2011-06-30 | 2011-12-21 | 北京邮电大学 | Method and system for guarding against malicious system resource invasion in mobile intelligent terminal |
| CN102542187A (en) * | 2010-12-23 | 2012-07-04 | 盛趣信息技术(上海)有限公司 | Method for improving safety performance of computers on basis of safety sandbox |
| CN102968352A (en) * | 2012-12-14 | 2013-03-13 | 杨晓松 | System and method for process monitoring and multi-stage recovery |
| CN103324500A (en) * | 2013-05-06 | 2013-09-25 | 广州市动景计算机科技有限公司 | Method and device for recycling internal memory |
| US8893129B1 (en) * | 2009-04-10 | 2014-11-18 | Open Invention Network, Llc | System and method for application isolation with live migration |
-
2015
- 2015-08-25 CN CN201510526555.4A patent/CN105138905A/en active Pending
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8893129B1 (en) * | 2009-04-10 | 2014-11-18 | Open Invention Network, Llc | System and method for application isolation with live migration |
| CN102542187A (en) * | 2010-12-23 | 2012-07-04 | 盛趣信息技术(上海)有限公司 | Method for improving safety performance of computers on basis of safety sandbox |
| CN102289616A (en) * | 2011-06-30 | 2011-12-21 | 北京邮电大学 | Method and system for guarding against malicious system resource invasion in mobile intelligent terminal |
| CN102968352A (en) * | 2012-12-14 | 2013-03-13 | 杨晓松 | System and method for process monitoring and multi-stage recovery |
| CN103324500A (en) * | 2013-05-06 | 2013-09-25 | 广州市动景计算机科技有限公司 | Method and device for recycling internal memory |
Non-Patent Citations (1)
| Title |
|---|
| 李晨等: "基于多安全机制的Linux应用沙箱的设计与实现", 《集成技术》 * |
Cited By (18)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109196505A (en) * | 2016-06-02 | 2019-01-11 | 微软技术许可有限责任公司 | Hardware based virtualization security isolation |
| CN106354564A (en) * | 2016-08-31 | 2017-01-25 | 深圳天珑无线科技有限公司 | System resource distribution method and system |
| CN106682501A (en) * | 2016-12-20 | 2017-05-17 | 深圳市九洲电器有限公司 | Set-top-box application program management method and system |
| CN106919840A (en) * | 2017-03-03 | 2017-07-04 | 努比亚技术有限公司 | The detection method and device of a kind of Malware |
| US10545786B2 (en) | 2017-09-22 | 2020-01-28 | International Business Machines Corporation | Accounting and enforcing non-process execution by container-based software transmitting data over a network |
| US10025619B1 (en) | 2017-09-22 | 2018-07-17 | International Business Machines Corporation | Accounting and enforcing non-process execution by container-based software transmitting data over a network |
| US10810038B2 (en) | 2017-09-22 | 2020-10-20 | International Business Machines Corporation | Accounting and enforcing non-process execution by container-based software receiving data over a network |
| US10223153B1 (en) | 2017-09-22 | 2019-03-05 | International Business Machines Corporation | Accounting and enforcing non-process execution by container-based software transmitting data over a network |
| US10241827B1 (en) | 2017-09-22 | 2019-03-26 | International Business Machines Corporation | Accounting and enforcing non-process execution by container-based software transmitting data over a network |
| CN108491716A (en) * | 2018-01-29 | 2018-09-04 | 中国电子科技网络信息安全有限公司 | A kind of virutal machine memory isolation detection method based on physical page address analysis |
| CN108985086A (en) * | 2018-07-18 | 2018-12-11 | 中软信息系统工程有限公司 | Application program authority control method, device and electronic equipment |
| CN108985086B (en) * | 2018-07-18 | 2022-04-19 | 中软信息系统工程有限公司 | Application program authority control method and device and electronic equipment |
| CN110187963A (en) * | 2019-04-29 | 2019-08-30 | 杨百涛 | The method that real-time and Non real-time processing in real-time Android operation system is strictly isolated |
| CN110187963B (en) * | 2019-04-29 | 2023-06-20 | 杨百涛 | Method for strictly isolating real-time processing and non-real-time processing in real-time android operating system |
| CN110955886A (en) * | 2019-11-08 | 2020-04-03 | 广州供电局有限公司 | Sandbox-based data security fusion service device and method thereof |
| CN110928601A (en) * | 2019-12-04 | 2020-03-27 | 锐捷网络股份有限公司 | Method and device for isolating CPU and storage medium |
| CN110928601B (en) * | 2019-12-04 | 2022-05-20 | 锐捷网络股份有限公司 | Method and device for isolating CPU and storage medium |
| WO2022150966A1 (en) * | 2021-01-12 | 2022-07-21 | 王志平 | Processor memory management method for achieving process isolation |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN105138905A (en) | Isolation operation method for Linux application program | |
| US10489187B2 (en) | Systems and methods for auditing a virtual machine | |
| US10740456B1 (en) | Threat-aware architecture | |
| US9503475B2 (en) | Self-adaptive and proactive virtual machine images adjustment to environmental security risks in a cloud environment | |
| JP4406627B2 (en) | Computer security management, such as in virtual machines or hardened operating systems | |
| CN102542187B (en) | Based on the method that safe sandbox improves computer security performance | |
| JP2018538633A (en) | Dual memory introspection to secure multiple network endpoints | |
| CN108959916B (en) | Method, device and system for accessing secure world | |
| JP2007220086A (en) | Input/output controller, input/output control system, and input/output control method | |
| CN110175457B (en) | Trusted operating system and method of dual-architecture | |
| EP2750069B1 (en) | Method and system for detecting malware using isolated environment | |
| Weisberg et al. | Enhancing Transportation System Networks Reliability by Securer Operating System | |
| CN103345604A (en) | Sandbox system based on light-weight virtual machine monitor and method for monitoring OS with sandbox system | |
| WO2014044165A1 (en) | Method for safely running third-party code in java virtual machine | |
| CN108388793B (en) | Virtual machine escape protection method based on active defense | |
| CN104063303A (en) | Method for acquiring and freeing root permissions | |
| CN102737198B (en) | Object protection method and device | |
| CN104751026A (en) | Software protection method and software application method of android system, and related devices | |
| Umar et al. | A Comparative Study of Modern Operating Systems in terms of Memory and Security: A Case Study of Windows, iOS, and Android | |
| KR101957991B1 (en) | Security program and computing device for providing security function per each user session and method thereof | |
| Van Eyck et al. | Mr-TEE: Practical Trusted Execution of Mixed-Criticality Code | |
| KR102263945B1 (en) | Security program and computing device for providing security function per each user session and method thereof | |
| Huang et al. | vKernel: Enhancing Container Isolation via Private Code and Data | |
| JP2012022466A (en) | Information processing apparatus and malware handling method | |
| KR101439207B1 (en) | Method and apparatus for detecting hacking process |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20151209 |