CN105427096B - Payment security sandbox implementation method and system and application program monitoring method and system - Google Patents


Info

Publication number
CN105427096B
CN105427096B
Authority
CN
China
Prior art keywords
application program
module
incubator
payment
monitoring
Prior art date
Legal status
Active
Application number
CN201510996556.5A
Other languages
Chinese (zh)
Other versions
CN105427096A (English)
Inventor
李常坤
Current Assignee
Beijing Qihoo Technology Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Priority date
Filing date
Publication date

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/382 Payment protocols; Details thereof insuring higher security of transaction
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/564 Static detection by virus signature recognition
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/30 Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/322 Aspects of commerce using mobile devices [M-devices]
    • G06Q20/3227 Aspects of commerce using mobile devices [M-devices] using secure elements embedded in M-devices
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Abstract

The invention relates to the technical field of computers, in particular to a method and a system for realizing a payment security sandbox and a method and a system for monitoring an application program process. The method comprises the following steps: in response to an operation instruction of an application program, constructing a virtual machine into a sandbox for operating the application program through an incubator; modifying the environment configuration information of the sandbox to enable the sandbox to be suitable for calling a monitoring module to monitor the process of the application program; and when the process calls a specific instruction, processing according to a security policy provided by the sandbox in advance, and returning to execute the process after processing. The method therefore provides security protection from the bottom layer up to the application layer and realizes flexible transfer and control of the process; it does not require modifying the application program to be run or repackaging the apk, and it can monitor and intercept even indirect calls made through reflection. At the same time, this approach does not require modifying the system source code, so migration between versions is easier.

Description

Payment security sandbox implementation method and system and application program monitoring method and system
[ technical field ]
The invention relates to the technical field of computers, in particular to a method and a system for realizing a payment security sandbox and a method and a system for monitoring an application program process.
[ background of the invention ]
Sandboxing is an execution environment that restricts program behavior according to security policies and is currently widely used in various operating systems. For example, some Android applications apply for system permissions at will, for purposes unrelated to their inherent functions and in particular for commercial purposes: obtaining user privacy data, performing network access, keeping the device awake, sending short messages, and so on. The result is that user privacy data is leaked, system resources are occupied, or the user suffers loss through malicious fee deduction, advertisement implantation, expense consumption, fraud and cheating. Therefore, in the execution environment provided by sandbox technology, the sandbox manages the resources and permissions of the system, the application program runs inside the sandbox, and every access by the application program is first checked by the sandbox against the security policy, so that the application runs isolated from the system and the security of the system can be effectively protected. The security policy used in a sandbox is adapted to the operating system and differs in its details; the basic knowledge required to implement these related technologies is already known to those skilled in the art and will not be repeated.
The prior art mainly includes two sandbox implementation manners. The implementation process of the first mainly includes: unpacking a sample apk (Android Package) file, analyzing the dex (Dalvik VM executables) file in the apk, and patching the calling function table of key APIs, namely replacing a pointer in the function table with a pointer to a replacement function whose role is to output the name and parameters of the function it replaces; then repackaging a new apk, removing the apk signature and its verification in the virtual machine, and letting the apk run in the virtual machine, so that the specific behavior function calls of the sample can be monitored. This method can monitor the behavior of some samples, but it cannot be applied if the sample checks itself during apk packing and unpacking: for example, when the sample checks itself and finds that it has been modified, it exits immediately. In addition, if the sample uses the reflection API to call a function indirectly, this method cannot monitor the sample's behavior, because a function call made through the reflection API does not pass through the dex function table; the method therefore cannot sense the call and cannot monitor the behavior.
The other implementation method in the prior art mainly includes: modifying the source code of the Android system and the Java library functions, adding code that outputs the relevant behavior into the actual implementation code, recompiling the Android system, packaging it into a ROM, and loading the ROM in a virtual machine. This method can only run the sample in a customized Android system, in which the relevant behavior records are output when the sample calls a function. When a problem is found and corrected, the system must be recompiled, so the migration cost is high; the source code corrections are scattered throughout the system, so the maintenance cost is high; furthermore, version migration is even more costly: if the modifications were based on android1.1 and are later applied to android4.3, essentially every point has to be recompiled.
Therefore, how to realize sandbox technology that requires neither modifying the sample nor repackaging the apk, that can monitor and intercept even indirect reflection calls, that does not require modifying the system source code, and that migrates conveniently between versions, is a problem to be solved by those skilled in the art.
[ summary of the invention ]
The invention aims to solve at least one of these problems and provides a method and a system for realizing a payment security sandbox and a method and a system for monitoring the process of an application program.
In order to realize the purpose, the invention adopts the following technical scheme:
the invention provides a payment security sandbox implementation method, which comprises the following steps:
in response to an operation instruction of an application program, constructing a virtual machine into a sandbox for operating the application program through an incubator;
modifying the environment configuration information of the sandbox to enable the sandbox to be suitable for calling a monitoring module to monitor the process of the application program;
and when the process calls a specific instruction, processing according to a security policy provided by the sandbox in advance, and returning to execute the process after processing.
Specifically, the security policy includes a payment security policy, and the payment security policy includes:
judging whether the information of the payment request comprises payment security parameters; and if so, judging that the payment request is legal.
Specifically, the process of determining whether the information of the payment request includes the payment security parameter includes:
judging whether the interface elements of the popup notification comprise payment elements or not; if yes, determining that the popup notification comprises payment characteristics;
the payment element is used for matching whether an element corresponding to payment is included in the pop-up window notification.
Further, the payment security policy further includes:
judging whether corresponding data and instructions for payment are called in the information of the payment request; and if so, judging that the payment request is legal.
Specifically, the determining whether the information of the payment request calls the corresponding data and instruction for payment includes:
acquiring the class name of the class called in the popup notification;
judging whether the class name exists in a class name list stored in advance; and if so, judging that the popup notification calls a class for payment.
Further, in the process of determining whether the information of the payment request calls the corresponding data and instruction for payment, the method further includes:
when the popup notification calls a class for payment, determining that a payment feature is included in the popup notification.
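The payment security policy described above, as a constructed model that is not the patent's own code: a popup notification carries its interface elements and the class it invokes, the two judgments (payment element present; called class in the pre-stored class name list) are separate functions, and a class reached through the reflection API is treated like a directly called one. The payment elements, class names and popup contents are assumed placeholders.

```python
"""Constructed model of the patent's payment security policy (not the patent's
own implementation)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Payment elements matched against a popup's interface elements. The patent does
# not enumerate them; these are constructed placeholders.
PAYMENT_ELEMENTS: Set[str] = {"amount", "order_id", "merchant", "pay_button"}

# Pre-stored class name list of classes used for payment (constructed placeholders).
PAYMENT_CLASS_LIST: Set[str] = {
    "com.example.pay.PaymentActivity",
    "com.example.pay.CheckoutDialog",
}


@dataclass
class PopupNotification:
    """Information the monitoring module has about a popup payment request."""
    elements: List[str]                    # interface element identifiers
    called_class: Optional[str] = None     # class invoked directly by the popup
    reflected_class: Optional[str] = None  # class name passed to Class.forName(...)


def popup_has_payment_element(popup: PopupNotification) -> bool:
    """First judgment: do the interface elements include a payment element?"""
    normalized = {e.strip().lower() for e in popup.elements}
    return bool(normalized & PAYMENT_ELEMENTS)


def popup_called_class(popup: PopupNotification) -> Optional[str]:
    """Class name acquisition: the class called by the popup. A class reached
    through the reflection API counts the same as a directly invoked one,
    which is what hooking at the VM level makes possible."""
    return popup.called_class or popup.reflected_class


def popup_calls_payment_class(popup: PopupNotification,
                              class_list: Set[str] = PAYMENT_CLASS_LIST) -> bool:
    """Second judgment: is the called class in the pre-stored class name list?"""
    name = popup_called_class(popup)
    return name is not None and name in class_list


def judge_payment_request(popup: PopupNotification) -> Dict[str, object]:
    """Apply both judgments. The request is legal when either judgment finds
    the payment feature; otherwise the popup is not a recognised payment
    request and is not treated as legal."""
    by_element = popup_has_payment_element(popup)
    by_class = popup_calls_payment_class(popup)
    reasons: List[str] = []
    if by_element:
        reasons.append("payment element present in interface")
    if by_class:
        reasons.append("called class %s is a known payment class"
                       % popup_called_class(popup))
    return {
        "legal": by_element or by_class,
        "payment_feature": by_element or by_class,
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed popups: a genuine one, one reaching the payment class via
    # reflection, and an overlay with no payment feature at all.
    genuine = PopupNotification(["Title", "Amount", "pay_button"],
                                called_class="com.example.pay.PaymentActivity")
    reflected = PopupNotification(["Title"],
                                  reflected_class="com.example.pay.CheckoutDialog")
    spoofed = PopupNotification(["Title", "ok_button"],
                                called_class="com.example.ads.OverlayActivity")
    for popup in (genuine, reflected, spoofed):
        print(judge_payment_request(popup))
```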
Specifically, the setting items of the environment configuration information of the sandbox include an object attribute that guides execution of the monitoring module, and pointing information, corresponding to the object attribute, that indicates where execution is guided to.
Specifically, the object attribute is mainly used to support execution of a callback function table, and the pointing information is mainly used to allocate the distribution function of the hook function.
Specifically, the step of modifying the environment configuration information of the sandbox to make the sandbox suitable for calling the monitoring module to monitor the process of the application program includes:
responding to an operation instruction of the application program, and applying a process operation environment for the incubator;
implanting a guide module into the process running environment and running the guide module;
modifying, by the boot module, environment configuration information in the virtual machine;
and calling the monitoring module according to the environment configuration information so as to monitor the running of the process of the application program to be run.
Further, after the step of applying for a process execution environment to the incubator in response to the execution instruction of the application program, the method further includes:
and creating a process running environment suitable for the process running of the application program to be run through the incubator.
Specifically, the step of creating, by the incubator, a process execution environment suitable for the process execution of the application to be executed includes:
constructing the incubator used for the operation environment of the incubation process by using the original incubator of the system;
and incubating by the incubator to establish the process running environment for the application program to be run.
Specifically, the step of constructing the incubator for an incubation process operating environment by using the system original incubator comprises:
operating the control module;
constructing the incubator by using the control module and taking the original incubator of the system as a basis;
and establishing connection between the control module and the incubator.
Specifically, the control module establishes a connection with the incubator based on a socket generated by the incubator.
Further, after the step of implanting and running a boot module into the process running environment, the method further includes:
and loading a distribution module into the incubator by using the guide module so as to enable the distribution module to enter the process of the application program to be operated along with the starting of the process of the application program to be operated.
Specifically, when the process calls a specific instruction, the step of processing according to the security policy provided in advance by the sandbox and returning to execute the process after processing includes:
the monitoring module identifies a specific instruction of the process of the application program, and distributes a corresponding hook function to the related specific instruction through the distribution module.
Specifically, the monitoring module is registered as a service process, and the hook function is associated with a call instruction of an operation process of the application program to monitor the activity of the application program.
Specifically, when the monitoring module monitors that the process of the application program needs to call the unmatched resource, the resource application of the related call instruction is redirected to provide correct resources for the running of the process of the application program.
Specifically, when the monitoring module monitors that the process of the application program performs unauthorized access, custom data is returned to the relevant call instruction.
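The monitoring and hook distribution mechanism of the method above, as a constructed model that is not the patent's implementation: the callback function table maps a specific instruction to a hook, the distribution function selects it, and the hook either redirects an unmatched resource request into the sandbox, returns custom data for an unauthorized access without calling the original, or passes the call through; control then returns to the process. The instruction names, paths and custom values are assumed placeholders, and the "original" system functions are stand-ins.

```python
"""Constructed model of the monitoring module, callback table, distribution
function and hook functions (not the patent's code)."""
from typing import Any, Callable, Dict, List, Optional, Tuple

# Constructed sandbox policy values; the patent names the mechanisms, not these.
SANDBOX_ROOT = "/data/sandbox/com.example.app"     # where the sandbox keeps app data
APP_DATA_PREFIX = "/data/data/com.example.app"     # path the app expects to use
DENIED_CALLS = {"getDeviceId", "getSubscriberId", "sendTextMessage"}
CUSTOM_DATA: Dict[str, Any] = {
    "getDeviceId": "000000000000000",
    "getSubscriberId": "000000000000000",
    "sendTextMessage": None,
}

Original = Callable[..., Any]
Hook = Callable[..., Any]  # hook(monitor, instruction, args, original)


class Monitor:
    """Monitoring module: owns the callback function table and distributes hooks."""

    def __init__(self) -> None:
        self.callback_table: Dict[str, Hook] = {}
        self.events: List[Tuple[str, ...]] = []   # record of what was intercepted

    def register(self, instruction: str, hook: Hook) -> None:
        self.callback_table[instruction] = hook

    def distribute(self, instruction: str) -> Optional[Hook]:
        """Distribution function: map a specific instruction to its hook."""
        return self.callback_table.get(instruction)

    def on_call(self, instruction: str, args: tuple, original: Original) -> Any:
        """Entry point that the modified VM environment routes specific
        instructions to. Instructions without a hook run unchanged."""
        hook = self.distribute(instruction)
        if hook is None:
            return original(*args)
        return hook(self, instruction, args, original)  # then back to the process


def redirect_resource_hook(monitor: Monitor, instruction: str,
                           args: tuple, original: Original) -> Any:
    """Unmatched resource: the app asks for a path outside the sandbox, so the
    request is redirected to a correct resource the sandbox provides."""
    path = args[0]
    if path.startswith(APP_DATA_PREFIX):
        new_path = SANDBOX_ROOT + path[len(APP_DATA_PREFIX):]
        monitor.events.append(("redirect", instruction, path, new_path))
        return original(new_path, *args[1:])
    return original(*args)


def custom_data_hook(monitor: Monitor, instruction: str,
                     args: tuple, original: Original) -> Any:
    """Unauthorized access: the original is never called; custom data goes back."""
    monitor.events.append(("deny", instruction, repr(args)))
    return CUSTOM_DATA[instruction]


def build_monitor() -> Monitor:
    """Register the hooks that make up this sandbox's security policy."""
    monitor = Monitor()
    monitor.register("openFile", redirect_resource_hook)
    for call in DENIED_CALLS:
        monitor.register(call, custom_data_hook)
    return monitor


# Stand-ins for the original system functions (constructed, not Android APIs).
def fake_open_file(path: str, mode: str = "r") -> str:
    return "opened:%s" % path


def fake_device_id() -> str:
    return "real-device-id-would-be-here"


if __name__ == "__main__":
    m = build_monitor()
    print(m.on_call("openFile", (APP_DATA_PREFIX + "/files/cfg", "r"), fake_open_file))
    print(m.on_call("getDeviceId", (), fake_device_id))
    print(m.on_call("currentTimeMillis", (), lambda: 1234))
    print(m.events)
```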
Correspondingly, the invention also provides an application program process monitoring method, which comprises the following steps:
responding to the running instruction of the application program, modifying environment configuration information in the virtual machine, and enabling the virtual machine to be suitable for calling a monitoring module to monitor the running of the process of the application program to be run;
the monitoring module identifies a specific instruction of the process of the application program and guides to call a hook function corresponding to the specific instruction;
and finishing the execution of the hook function, and calling back to execute the application program process.
Specifically, the setting items of the environment configuration information of the virtual machine include an object attribute that guides execution of the monitoring module, and pointing information, corresponding to the object attribute, that indicates where execution is guided to.
Specifically, the object attribute is mainly used to support execution of a callback function table, and the pointing information is mainly used to allocate the distribution function of the hook function.
Specifically, the step of modifying the environment configuration information in the virtual machine in response to the operation instruction of the application program to make the virtual machine suitable for calling the monitoring module to monitor the operation of the process of the application program to be operated includes:
responding to an operation instruction of the application program, and applying a process operation environment for the incubator;
implanting a guide module into the process running environment and running the guide module;
modifying, by the boot module, environment configuration information in the virtual machine;
and calling the monitoring module according to the environment configuration information so as to monitor the running of the process of the application program to be run.
Further, after the step of applying for a process execution environment to the incubator in response to the execution instruction of the application program, the method further includes:
and creating a process running environment suitable for the process running of the application program to be run through the incubator.
Specifically, the step of creating, by the incubator, a process execution environment suitable for the process execution of the application to be executed includes:
constructing the incubator used for the operation environment of the incubation process by using the original incubator of the system;
and incubating by the incubator to establish the process running environment for the application program to be run.
Specifically, the step of constructing the incubator for an incubation process operating environment by using the system original incubator comprises:
operating the control module;
constructing the incubator by using the control module and taking the original incubator of the system as a basis;
and establishing connection between the control module and the incubator.
Specifically, the control module establishes a connection with the incubator based on a socket generated by the incubator.
Further, after the step of implanting and running a boot module into the process running environment, the method further includes:
and loading a distribution module into the incubator by using the guide module so as to enable the distribution module to enter the process of the application program to be operated along with the starting of the process of the application program to be operated.
Specifically, the step of identifying a specific instruction of the process of the application program by the monitoring module and guiding to call the hook function corresponding to the specific instruction includes:
the monitoring module identifies a specific instruction of the process of the application program, and distributes a corresponding hook function to the related specific instruction through the distribution module.
Specifically, the monitoring module is registered as a service process, and the hook function is associated with a call instruction of an operation process of the application program to monitor the activity of the application program.
Specifically, when the monitoring module monitors that the process of the application program needs to call the unmatched resource, the resource application of the related call instruction is redirected to provide correct resources for the running of the process of the application program.
Specifically, when the monitoring module monitors that the process of the application program performs unauthorized access, custom data is returned to the relevant call instruction.
Correspondingly, the invention also provides a payment security sandbox implementation system, which comprises:
the response construction module is used for responding to the running instruction of the application program and constructing the virtual machine into a sandbox for running the application program through the incubator;
the modification calling module is used for modifying the environment configuration information of the sandbox so that the sandbox is suitable for calling the monitoring module to monitor the process of the application program;
and the calling execution module is used for processing according to the security policy provided by the sandbox in advance when the process calls the specific instruction, and returning to execute the process after processing.
Specifically, the security policy includes a payment security policy, and the payment security policy includes:
the first judgment unit is used for judging whether the information of the payment request comprises payment safety parameters; and if so, judging that the payment request is legal.
Specifically, the first determining unit includes:
the characteristic judgment subunit is used for judging whether the interface elements of the popup notification include payment elements or not; if yes, determining that the popup notification comprises payment characteristics;
the payment element is used for matching whether an element corresponding to payment is included in the pop-up window notification.
Further, the payment security policy further includes:
the second judgment unit is used for judging whether corresponding data and instructions for payment are called in the information of the payment request; and if so, judging that the payment request is legal.
Specifically, the second determination unit includes:
the class name acquisition subunit is used for acquiring the class name of the class called in the popup notification;
the class name judging subunit is used for judging whether the class name exists in a class name list stored in advance; and if so, judging that the popup notification calls a class for payment.
Specifically, the second determining unit further includes:
and the calling and judging subunit is used for judging that the popup notice comprises the payment characteristic when the popup notice calls the class for payment.
Specifically, the setting items of the environment configuration information of the sandbox include an object attribute that guides execution of the monitoring module, and pointing information, corresponding to the object attribute, that indicates where execution is guided to.
Specifically, the object attribute is mainly used to support execution of a callback function table, and the pointing information is mainly used to allocate the distribution function of the hook function.
Specifically, the modification calling module includes:
the response application submodule is used for responding to the running instruction of the application program and applying a process running environment for the incubator;
the implantation operation sub-module is used for implanting and operating a guide module into the process operation environment;
the information modification submodule is used for modifying the environment configuration information in the virtual machine through the guide module;
and the calling and running submodule is used for calling the monitoring module according to the environment configuration information so as to monitor the running of the process of the application program to be run.
Further, the modification calling module further comprises:
and the environment creating submodule is used for creating a process running environment suitable for the process running of the application program to be run through the incubator.
Specifically, the environment creating sub-module includes:
a construction operation unit for constructing the incubator for an incubation process operation environment by using the system original incubator;
and the environment establishing unit is used for incubating through the incubator to establish the process running environment for the application program to be run.
Specifically, the construction operation unit includes:
a control operation subunit for operating the control module;
an incubator construction subunit for constructing, with the control module, the incubator based on the system original incubator;
and the connection establishing subunit is used for establishing the connection between the control module and the incubator.
Specifically, the control module establishes a connection with the incubator based on a socket generated by the incubator.
Further, the modification calling module further includes:
and the loading starting submodule is used for loading the distribution module into the incubator by using the guide module so as to enable the distribution module to enter the process of the application program to be operated along with the starting of the process of the application program to be operated.
Specifically, the call execution module includes:
and the identification and distribution unit is used for identifying the specific instruction of the process of the application program by the monitoring module and distributing a corresponding hook function to the related specific instruction through the distribution module.
Specifically, the monitoring module is registered as a service process, and the hook function is associated with a call instruction of an operation process of the application program to monitor the activity of the application program.
Specifically, the monitoring module includes an identification redirection unit, and the identification redirection unit is configured to redirect the resource application of the relevant call instruction when the monitoring module monitors that the process of the application program needs to call the unmatched resource, so as to provide a correct resource for the running of the process of the application program.
Specifically, the monitoring module includes an identification returning unit, and the identification returning unit is configured to return custom data to a related call instruction when the monitoring module monitors that the process of the application program performs unauthorized access.
Correspondingly, the invention also provides an application program process monitoring system, which comprises:
the information modification module is used for responding to the running instruction of the application program, modifying the environment configuration information in the virtual machine, and enabling the virtual machine to be suitable for calling the monitoring module so as to monitor the running of the process of the application program to be run;
the identification guiding module is used for identifying a specific instruction of the process of the application program by the monitoring module and guiding to call a hook function corresponding to the specific instruction;
and the execution callback module is used for finishing the execution of the hook function and calling back to execute the application program process.
Specifically, the setting items of the environment configuration information of the virtual machine include an object attribute that guides execution of the monitoring module, and pointing information, corresponding to the object attribute, that indicates where execution is guided to.
Specifically, the object attribute is mainly used to support execution of a callback function table, and the pointing information is mainly used to allocate the distribution function of the hook function.
Specifically, the information modification module includes:
the application submodule is used for responding to the operation instruction of the application program and applying a process operation environment for the incubator;
the implantation submodule is used for implanting and operating a guide module into the process operating environment;
the modification submodule is used for modifying the environment configuration information in the virtual machine through the guide module;
and the calling submodule is used for calling the monitoring module according to the environment configuration information so as to monitor the running of the process of the application program to be run.
Further, the information modification module further includes:
and the creating submodule is used for creating a process running environment suitable for the process running of the application program to be run through the incubator.
Specifically, the creating sub-module includes:
a construction unit for constructing the incubator for an incubation process operating environment using a system original incubator;
and the establishing unit is used for incubating through the incubator to establish the process running environment for the application program to be run.
Specifically, the construction unit includes:
the operation subunit is used for operating the control module;
an incubator construction subunit for constructing the incubator based on the system original incubator by using the control module;
and the connection establishing subunit is used for establishing the connection between the control module and the incubator.
Specifically, the control module establishes a connection with the incubator based on a socket generated by the incubator.
Further, the information modification module further includes:
and the loading submodule is used for loading the distribution module into the incubator by using the guide module so as to enable the distribution module to enter the process of the application program to be operated along with the starting of the process of the application program to be operated.
Specifically, the identification guidance module includes:
and the distribution unit is used for having the monitoring module identify the specific instruction of the process of the application program and distribute, through the distribution module, a corresponding hook function to the related specific instruction.
Specifically, the monitoring module is registered as a service process, and the hook function is associated with a call instruction of an operation process of the application program to monitor the activity of the application program.
Specifically, the monitoring module includes a redirection unit, and the redirection unit is configured to redirect the resource application of the relevant call instruction when the monitoring module monitors that the process of the application program needs to call the unmatched resource, so as to provide a correct resource for the running of the process of the application program.
Specifically, the monitoring module includes a data returning unit, and the data returning unit is configured to return custom data to a related call instruction when the monitoring module monitors that the process of the application program performs unauthorized access.
Compared with the prior art, the invention has the following advantages:
The method modifies the environment configuration information in the virtual machine so that the virtual machine is suited to calling the monitoring module, which monitors the running of the process of the application program to be run; the monitoring module identifies a specific instruction of the application program's process and then guides the call to the hook function corresponding to that instruction; the process can thus directly control the dispatch of the virtual machine and the calling of the original function, thereby realizing monitoring of the process of the application program to be run. This approach requires neither modifying the application program to be run nor repackaging its apk, so monitoring and interception can be achieved even for indirect calls made through reflection; at the same time, it requires no modification of system source code, which facilitates migration between system versions.
Meanwhile, the method constructs a new incubator from the original incubator Zygote inherent to the Android system, so that the new incubator is independent of the system's original incubator, and then runs an application program in the incubator so constructed by controlling the redirection of the request from the activity management service. Illegal intrusion is generally implemented on the basis of known system mechanisms; since the new incubator is independent of the system's original incubator and a malicious program cannot identify the internal mechanism of the new incubator, even if the malicious program attempts to damage Zygote deep in the system's bottom layer on a rooted system, or attempts to propagate a virus by means such as ELF file infection, these attempts fail against the new incubator, and the running of the application loaded by a process derived from the new incubator is safer.
Accordingly, once the incubator of the present invention (which is not the system's original incubator, i.e. a new incubator) is constructed, and the control module of the present invention manages the requests initiated by the activity management service, the source of the application program's running process is essentially controlled; because the incubator is relatively independent, the process space incubated by the incubator becomes a sandbox once the application program is loaded. With the monitoring module that monitors the event behavior of the application program, a better sandbox monitoring effect follows naturally.
In addition, the invention further implants an external calling instruction during the construction of the incubator; the external calling instruction loads the monitoring module, so that the monitoring module is started before the application program, which guarantees the monitoring of event behavior. Since the incubator is essentially a copy of the system's original incubator, calls to the fork() function apply to it likewise, so the incubator can be used to incubate a new process space suitable for running the application. Because the external call instruction is implanted during the construction of the incubator, the modules loaded by the external call instruction are copied along with each incubation the incubator performs in response to a request, which guarantees the function of the monitoring module in every new process generated by the incubator and yields better operational reliability.
Therefore, the method provides security protection from the bottom layer up to the application layer, realizes flexible transfer and control of the process, requires neither modifying the application program to be run nor repackaging its apk, and can achieve monitoring and interception even for indirect calls made through reflection; at the same time, it requires no modification of system source code, so migration between versions is better achieved.
[ Description of the drawings ]
FIG. 1 is a flowchart of an application process monitoring method according to an embodiment of the present invention;
FIG. 2 is a flowchart of an embodiment of a method for monitoring application processes;
FIG. 3 is a process flow diagram of one embodiment of a method of implementing a payment security sandbox in accordance with the present invention;
FIG. 4 is a block diagram of an embodiment of an application process monitoring system according to the present invention;
FIG. 5 is a block diagram of an embodiment of an information modification module in an application process monitoring system according to the present invention;
FIG. 6 is a block diagram of an embodiment of an information modification module in an application process monitoring system according to the present invention;
FIG. 7 is a block diagram of an embodiment of a creation sub-module in the application process monitoring system of the present invention;
FIG. 8 is a block diagram of one embodiment of a building block in an application process monitoring system according to the present invention;
FIG. 9 is a block diagram of an embodiment of a system for implementing a payment security sandbox in accordance with the present invention.
[ Detailed description of the embodiments ]
The invention is further described below in connection with the appended drawings and exemplary embodiments, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to the same or similar elements or elements having the same or similar function throughout. The embodiments described below with reference to the drawings are illustrative only and should not be construed as limiting the invention. In addition, if a detailed description of the known art is not necessary to show the features of the present invention, it is omitted.
As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. It will be understood that when an element is referred to as being "connected" or "coupled" to another element, it can be directly connected or coupled to the other element, or intervening elements may also be present. Further, "connected" or "coupled" as used herein may include wirelessly connected or wirelessly coupled. As used herein, the term "and/or" includes any and all combinations of one or more of the associated listed items.
It will be understood by those skilled in the art that, unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the prior art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
As will be appreciated by those skilled in the art, "terminal" as used herein includes both devices that are wireless signal receivers, devices that have only wireless signal receivers without transmit capability, and devices that include receive and transmit hardware, devices that have receive and transmit hardware capable of performing two-way communication over a two-way communication link. Such a device may include: a cellular or other communication device having a single line display or a multi-line display or a cellular or other communication device without a multi-line display; PCS (Personal Communications Service), which may combine voice, data processing, facsimile and/or data communication capabilities; a PDA (Personal Digital Assistant), which may include a radio frequency receiver, a pager, internet/intranet access, a web browser, a notepad, a calendar and/or a GPS (Global Positioning System) receiver; a conventional laptop and/or palmtop computer or other device having and/or including a radio frequency receiver. As used herein, a "terminal" or "terminal device" may be portable, transportable, installed in a vehicle (aeronautical, maritime, and/or land-based), or situated and/or configured to operate locally and/or in a distributed fashion at any other location(s) on earth and/or in space. As used herein, a "terminal Device" may also be a communication terminal, a web terminal, a music/video playing terminal, such as a PDA, an MID (Mobile Internet Device) and/or a Mobile phone with music/video playing function, or a smart tv, a set-top box, etc.
Those skilled in the art will appreciate that the concepts of server, cloud, remote network device, etc. used herein have equivalent effects, including but not limited to a computer, a network host, a single network server, a plurality of network server sets, or a cloud of multiple servers. Here, the Cloud is composed of a large number of computers or network servers based on Cloud Computing (Cloud Computing), which is a kind of distributed Computing, a super virtual computer composed of a group of loosely coupled computer sets. In the embodiment of the present invention, the remote network device, the terminal device and the WNS server may communicate with each other through any communication method, including but not limited to mobile communication based on 3GPP, LTE and WIMAX, computer network communication based on TCP/IP and UDP protocols, and short-range wireless transmission based on bluetooth and infrared transmission standards.
It will be appreciated by those skilled in the art that the terms "application," "application program," "application software," and the like, as used herein, are intended to refer to any computer software organically constructed from a series of computer instructions and associated data resources adapted for electronic operation, and are understood to represent similar concepts as those skilled in the art. Unless otherwise specified, such nomenclature is not itself limited by the programming language class, level, or operating system or platform upon which it depends. Of course, such concepts are not limited to any type of terminal.
The application scenario implemented by the method and system to be described below in the present invention is an operation environment based on an Android operating system installed on a mobile terminal.
Those skilled in the art can foresee that, since the technology disclosed by the present invention involves calling Android system-level resources, Root privileges must be obtained for the operation of the application program implemented by the present invention before the invention is put into practice; however, obtaining Root privileges is itself an existing and well-known prerequisite technique, and in practice mobile terminal users already have both the ability and the awareness to obtain Root privileges by themselves. In addition, some unlocked mobile terminals already grant the system's Root privileges to the user when the device leaves the factory, or deliberately provide a convenient means of obtaining Root privileges. Therefore, this should not be considered an essential component affecting the practice of the present invention.
As is well known, Root privileges refer to the system administrator privileges of Unix-type operating systems (including Linux and Android), similar to Administrator privileges in Windows systems; Root privileges allow access to and modification of almost all files in the user's mobile device (Android system files and user files, not including ROM). However, at present the management of Root privileges on mobile terminal systems is still strict, and most applications or programs do not have Root privileges by default, so that certain operations requiring Root privileges, such as installing or uninstalling applications, cannot be executed. On this basis, the invention recommends the following ways of obtaining Root privileges: obtaining them by calling the SU (Super User) command built into the system, or obtaining a shell with Root privileges, starting a process in that shell and thereby obtaining the system's Root authorization, so that subsequent calling processes do not need to apply for Root privileges again when they need to execute related operations. The specific process of obtaining Root privileges can refer to Root privilege calling functions in the prior art, and the implementation of rooting belongs to the prior art, so it is not repeated here. After Root privileges are acquired, bottom-layer operations can be performed on the system; the ELF infection of Zygote, the running of the control module as a bottom-layer service, and even the communication established on the Binder mechanism, are all realized on this basis.
The implementation of the invention depends on the inherent principles of the Android operating system, so the following background is introduced first:
Android itself has been implemented on virtual machine principles for security reasons, to minimize the potential for intrusion. The virtual machine is used to run application processes. The virtual machine is started by the system's Zygote module (called the incubator in the industry), and Zygote is loaded by the init process implemented at the Linux bottom layer. After Zygote is loaded, it replicates itself through the incubation function fork(); the new process is named SystemServer, which is the first successfully running process incubated by Zygote and which, for ease of understanding, the invention calls the eldest child process. Then the SystemServer process performs a series of initialization functions for system services, including initializing Native-layer services and initializing Java-layer services, and finally enters the Binder communication system to listen for requests and provide various service requests to the application layer and the system. In this process a series of Java-layer services, including ActivityManagerService (AMS) and PackageManagerService (PMS), are loaded in turn, while Zygote continues to listen for new incubation requests. Once AMS initiates an incubation request to Zygote in order to run an application, Zygote incubates itself again and loads the virtual machine in the new Zygote process, so that the application runs in that virtual machine.
Android uses this mechanism to achieve a safer process protection effect: on one hand, it is desirable that the crash of a single virtual machine does not affect the normal operation of other virtual machines, and on the other hand, it is desirable that each application process can be managed with the virtual machine as the unit. From this perspective the virtual machine naturally has the traits of a sandbox, but those traits are transparent (that is, invisible) to the application developer. Therefore, in reality many malicious applications exploit the features of the Android process loading principle: having obtained the system's Root privileges, they use various known virus or hacker techniques to penetrate the bottom layer of Android, where Zygote and SystemServer may be illegally exploited, so as to achieve illegal purposes.
First, the Zygote startup process:
When the Android system starts, the Linux base system is started first; the Linux kernel is then booted and loaded and an initialization process (init) is started, followed by the Linux daemons. The Zygote process is started at the same time as the Linux daemons.
Zygote is figuratively called the incubator in the industry. After the Zygote process is started, it first initializes a Dalvik VM (virtual machine) instance, then loads the resources and system shared libraries for the Zygote process and starts the Socket listening service; when a request to create a Dalvik VM instance is received, the Zygote process reuses itself, the resources and the system shared libraries to the greatest extent through COW (copy-on-write) to generate a new Dalvik VM instance. The creation of a Dalvik VM instance is based on the fork principle of the Linux system. While the system is running, when a request to create a virtual machine is received through the Socket listening port, the Zygote process calls the fork function to incubate a Dalvik VM instance from itself, and that Dalvik VM instance can be understood as the process space for running the target application program.
After the Zygote process has been started, the Init process starts the Runtime process. The Runtime process first initializes a Service Manager (Service Manager) and registers it as a default context Manager of binding services (Binder services), which is responsible for registration and lookup of binding services. The Runtime process then sends a request to the Zygote process to start a System service component (System Server), and the Zygote process, upon receiving the request, "hatches" a new Dalvik VM instance and starts the System service process.
The SystemServer first starts two local services (native services written in C or C++), SurfaceFlinger and AudioFlinger, which register with the Service Manager as IPC service objects so that they can easily be found when needed. Then the SystemServer starts a number of Android system management services, including hardware services and system framework core platform services such as the activity management service (ActivityManagerService, AMS), and registers them as IPC service objects.
When the SystemServer has loaded all system services, meaning that the system is ready, it sends a system-ready broadcast to all services. When an Android application needs to be started, ActivityManagerService sends a request through the Socket inter-process communication mechanism to inform the Zygote process to create a new process for the application.
Second, the process by which AMS responds to an application start:
In the Android application framework layer, the ActivityManagerService component is responsible for creating a new process for an Android application; AMS itself runs in a separate process, which is created during system startup. The ActivityManagerService component typically creates a new process for an application under the following circumstance: when the system decides to start an Activity or Service in a new process, AMS attempts to create the new process and then starts the Activity or Service in it.
When an application is started by ActivityManagerService, it communicates with the Zygote process through a Socket, requesting Zygote to fork a child process to serve as the process of the application to be started. From the foregoing description it can be seen that the two important services in the system, PackageManagerService and ActivityManagerService, are both started by the SystemServer process, and the SystemServer process itself is forked from the Zygote process during startup.
It can be seen that Zygote and AMS communicate on the basis of a socket. The socket file is created by init before Zygote is started and stored under the system directory /dev/socket, and the name of the created socket file is the same as the Zygote process name, so through this mechanism one can verify whether the system has created a new incubator by checking the socket files in that directory. The file stores the setup data of the socket. It is by reading such a socket file that AMS establishes its direct communication mechanism with Zygote. The subsequent socket-based communication mechanism to be disclosed by the invention is realized by the same process.
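As an added example (not part of the patent text or of the assignee's code), the following Python script performs the verification the preceding paragraph describes: it compares the socket directives declared in init.rc against the entries actually present in /dev/socket and reports sockets that no init service declares, sockets whose owner or group differs from the declaration, and declared sockets that are absent. The init.rc excerpt and the ls -l listing are constructed samples in init's real directive syntax (socket <name> <type> <perm> [user [group]]); the extra zygote_alt socket is the constructed anomaly.

```python
import re
from dataclasses import dataclass

# Constructed sample of init.rc service blocks; values are illustrative.
SAMPLE_INIT_RC = """\
service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server
    class main
    socket zygote stream 660 root system

service adbd /sbin/adbd
    class core
    socket adbd stream 660 system system

service installd /system/bin/installd
    class main
    socket installd stream 600 system system
"""

# Constructed sample `ls -l /dev/socket` output; "zygote_alt" is the anomaly.
SAMPLE_DEV_SOCKET_LS = """\
srw-rw---- root     system            2015-12-28 10:00 zygote
srw-rw---- system   system            2015-12-28 10:00 adbd
srw------- system   system            2015-12-28 10:00 installd
srw-rw---- root     system            2015-12-28 10:05 zygote_alt
"""

# socket <name> <type> <perm> [user [group]]
SOCKET_DIRECTIVE = re.compile(
    r"^\s*socket\s+(\S+)\s+(\S+)\s+(\d+)(?:\s+(\S+))?(?:\s+(\S+))?")


@dataclass(frozen=True)
class DeclaredSocket:
    service: str
    name: str
    perm: str
    user: str
    group: str


def parse_init_rc(text):
    """Return {socket_name: DeclaredSocket} for every socket directive in a service block."""
    declared = {}
    service = None
    for line in text.splitlines():
        if line.startswith("service "):
            service = line.split()[1]
            continue
        m = SOCKET_DIRECTIVE.match(line)
        if m and service:
            name, _type, perm, user, group = m.groups()
            # init defaults the owner and group to root when they are omitted
            declared[name] = DeclaredSocket(service, name, perm, user or "root", group or "root")
    return declared


def parse_dev_socket_listing(text):
    """Return {name: (owner, group)} for each socket entry (mode starts with 's') of an ls -l listing."""
    found = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[0].startswith("s"):
            continue
        found[parts[-1]] = (parts[1], parts[2])
    return found


def audit_sockets(init_rc_text, listing_text):
    """Compare declared sockets with present ones; return sorted (finding, socket_name) pairs."""
    declared = parse_init_rc(init_rc_text)
    present = parse_dev_socket_listing(listing_text)
    findings = []
    for name, (owner, group) in present.items():
        if name not in declared:
            findings.append(("undeclared", name))        # nobody in init.rc asked for this socket
        elif (owner, group) != (declared[name].user, declared[name].group):
            findings.append(("owner-mismatch", name))    # created, but not with init's ownership
    for name in declared:
        if name not in present:
            findings.append(("missing", name))            # declared but never created
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_sockets(SAMPLE_INIT_RC, SAMPLE_DEV_SOCKET_LS):
        print(*finding)
```

On a real device the directives are spread over several .rc files (init.rc plus the zygote-specific ones), and some daemons create their own sockets at runtime without any init directive, so all .rc files should be fed in and a short allowlist maintained before an "undeclared" entry is treated as a finding.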
Third, a reference technique for injecting a functional module into the system service process SystemServer:
As described above, after Zygote is started, the first thing it does is fork itself to create SystemServer as the system service process, and services such as AMS and PMS are loaded through that system service process. Therefore, in the prior art an injection technique is widely used to inject a function that implements a specific purpose into SystemServer, so that the function is executed and the purpose achieved.
For example, in the prior art, a process for implementing system service process code injection is as follows:
step 1: search for the process numbers (Process IDs, PIDs) of the three processes com.android.phone, system_server and /system/bin/mediaserver in the Android system;
step 2: modify the running states of the three processes according to their PIDs, execute a monitor module loading instruction, open up a memory space and write the instruction for loading the monitor module into that memory space;
step 3: change the register states of the three processes respectively so that the CPU jumps to and executes the instruction;
step 4: load the monitor module into the memory space of the injector module according to the instruction, and let the monitor module begin its initialization;
step 5: after initialization is finished, the monitor module searches for the starting address of the table entries of the current process and locates the address of the entry corresponding to the ioctl function in the Global Offset Table (GOT), i.e. the address of the corresponding GOT entry;
step 6: modify the content of the GOT entry corresponding to ioctl, replacing it with the address of the hook function hooked_ioctl;
step 7: when the software performs a sensitive behavior, it communicates and exchanges data through ioctl with one or more of the three processes (com.android.phone, system_server and /system/bin/mediaserver), and the hook function hooked_ioctl reads and analyzes the type of the software's sensitive behavior;
step 8: the monitor module writes the initiator of the sensitive behavior and the time into a log file to obtain a monitoring record of the software's sensitive behavior;
step 9: when the monitor module detects the sensitive behavior, it sends a message to the user and at the same time suspends the sensitive behavior;
step 10: the user decides whether to execute the sensitive behavior, and returns an approval or rejection command to the monitor module;
step 11: the monitor module obtains the user's choice; if the user approves, the sensitive behavior continues to execute; if the user rejects, the continued execution of the sensitive behavior is terminated.
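The injection sequence above leaves artifacts in the target process that a defender can look for without touching the process itself: step 2 opens an anonymous, writable memory region and writes loadable instructions into it, and step 4 maps a library from a path that the system image never uses. The following Python script, added here as an example and not part of the patent or of its assignee's code, scans /proc/<pid>/maps-style lines for those artifacts: writable-and-executable regions, anonymous executable regions, and executable file mappings outside trusted system directories. The maps lines are a constructed sample for a system_server-like process; the trusted directory list and the JIT-cache allowlist are assumptions that vary by Android version.

```python
import re
from collections import namedtuple

MapsEntry = namedtuple("MapsEntry", "start end perms offset dev inode path")

# Real /proc/<pid>/maps layout: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+(\S+)\s+(\d+)\s*(.*)$")

# Constructed sample. The rwxp anonymous region, the library under
# /data/local/tmp and the r-xp anonymous region are the constructed anomalies.
SAMPLE_MAPS = """\
40001000-40004000 r-xp 00000000 b3:19 1042 /system/bin/app_process
40004000-40005000 rw-p 00003000 b3:19 1042 /system/bin/app_process
4001a000-4005b000 r-xp 00000000 b3:19 2207 /system/lib/libc.so
4005b000-4005e000 rw-p 00041000 b3:19 2207 /system/lib/libc.so
41000000-41100000 rw-p 00000000 00:04 0 [anon:dalvik-heap]
42000000-42001000 rwxp 00000000 00:00 0
43000000-43010000 r-xp 00000000 b3:19 9981 /data/local/tmp/libinject.so
44000000-44002000 r-xp 00000000 00:00 0
bef00000-bef21000 rw-p 00000000 00:00 0 [stack]
"""

# Assumed trusted code locations; newer Android versions also use /apex.
TRUSTED_LIB_DIRS = ("/system/lib/", "/system/lib64/", "/vendor/lib/", "/system/bin/")
# Assumed allowlist: ART's JIT code cache is legitimately anonymous and executable.
KNOWN_ANON_EXEC = {"[anon:dalvik-jit-code-cache]"}


def parse_maps(text):
    """Parse maps lines into MapsEntry tuples; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        start, end, perms, offset, dev, inode, path = m.groups()
        entries.append(MapsEntry(int(start, 16), int(end, 16), perms, offset, dev,
                                 int(inode), path.strip()))
    return entries


def suspicious_regions(entries, trusted_dirs=TRUSTED_LIB_DIRS):
    """Return (kind, start_hex, path) for every executable region that needs explaining."""
    findings = []
    for e in entries:
        if "x" not in e.perms or e.path in KNOWN_ANON_EXEC:
            continue
        writable = "w" in e.perms
        file_backed = e.inode != 0 and e.path.startswith("/")
        label = e.path or "<anonymous>"
        if writable:
            # code that can be rewritten in place: the scratch region of step 2
            findings.append(("writable-executable", hex(e.start), label))
        elif not file_backed:
            # executable bytes with no file behind them
            findings.append(("anon-executable", hex(e.start), label))
        elif not e.path.startswith(trusted_dirs):
            # a library mapped from outside the system image: the module of step 4
            findings.append(("untrusted-path", hex(e.start), label))
    return findings


def scan_maps(text):
    return suspicious_regions(parse_maps(text))


if __name__ == "__main__":
    for kind, start, path in scan_maps(SAMPLE_MAPS):
        print(kind, start, path)
```

A baseline taken from a known-good boot of the same build makes the check far more precise than fixed lists: compare the set of file-backed executable mappings of system_server against that baseline and flag only the differences, while the anonymous-executable and writable-executable rules stay as they are.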
Fourth, the infection principle based on the Linux executable file format ELF
An ELF (Executable and Linkable Format) file is the executable file of Linux, used for storing executable code. The ELF infection principle is a prior-art technique that modifies a program by copying the program's executable code, inserting new code that implements some intent into it, and then executing the modified executable code. The invention discloses that the method, the system and the sandbox example of the invention can be realized by using this principle to modify the system's original incubator Zygote so as to construct a new incubator.
A further understanding of embodiments of the present invention may be facilitated after a review of the above-described system principles and associated knowledge.
It should be noted that the present invention is intended to be described in conjunction with two aspects, namely static and dynamic aspects of a computer program, where the static aspect refers to a storage object such as a program installation package, a file, a database, etc., which is stored in a medium; dynamic aspects refer to dynamic objects that are called into memory for execution, including but not limited to processes, threads, data used, and the like. In view of these features of computer software technology, the various methods, steps, sub-steps, systems, devices, units, sub-units, modules, sub-modules, etc. described herein should not be construed in isolation as merely static or dynamic aspects, as would be apparent to one of ordinary skill in the art. Therefore, those skilled in the art should be able to apply the static representation to the dynamic process activities according to the present invention, or establish the necessary association between the static representation and the dynamic representation according to the static representation corresponding to the dynamic process activities according to the present invention, and understand the present invention based on this.
Furthermore, the present invention is presented in conjunction with sandbox principles and, thus, one skilled in the art will appreciate the implementation of the present invention in conjunction with known sandbox implementation principles. The purpose of the sandbox is to provide a relatively closed operating environment for the target application program, so that the resource access of the application program to the system is limited within a specified range through the application of the sandbox security policy. Thus, one aspect of the invention that will be subsequently disclosed is to provide an example of a sandbox.
Referring to fig. 1, an exemplary embodiment of a method for monitoring an application program process according to the present invention includes the following steps:
S100, in response to the running instruction of the application program, modifying the environment configuration information in the virtual machine, so that the virtual machine is suitable for calling a monitoring module to monitor the running of the process of the application program to be run.
The configurable items of the virtual machine's environment configuration information include an object attribute used to guide execution to the monitoring module and the pointing (pointer) information, corresponding to that attribute, of the code to which execution is guided; the object attribute mainly supports execution through a callback function table, and the pointing information mainly designates the distribution function that dispatches the hook functions.
Specifically, referring to fig. 2, the process of modifying the environment configuration information in the virtual machine in response to the operation instruction of the application program to make the virtual machine suitable for calling the monitoring module to monitor the operation of the process of the application program to be executed includes:
s200, responding to the operation instruction of the application program, and applying a process operation environment for the incubator.
Specifically, each new application program can apply for a new incubator derived from the system's original incubator; that is, the process of the new application program runs in the running environment constructed by its corresponding incubator. The incubators are mutually independent, and both the incubators and the system's original incubator are connected to the control module of the invention through their corresponding sockets, so that the incubators can be effectively maintained by the control module.
S210, creating a process running environment suitable for the process running of the application program to be run through the incubator.
Specifically, the process of creating, through the incubator, a process running environment suitable for the process of the application program to be run includes: first constructing, from the system's original incubator, an incubator for incubating the process running environment; and then incubating through that incubator so as to establish the process running environment for the application program to be run. The process of constructing the incubator from the system's original incubator further includes: running the control module; then constructing the incubator on the basis of the system's original incubator by using the control module; and then establishing the connection between the control module and the incubator. Preferably, the control module establishes the connection with the incubator on the basis of a socket generated by the incubator.
S220, implanting a guide module into the process running environment and running the guide module.
For example, the library file qihooload.so is injected into the Zygote process by an injector.
S230, loading a distribution module into the incubator by using the guide module, so that the distribution module enters the process of the application program to be operated along with the starting of the process of the application program to be operated.
For example, code that calls qihooload.so is executed; the library file qihooload.so loads the qihooobridge.jar file into Zygote, and the qihooobridge.jar file is then carried into the application process when the new process is started. The jar file loads and runs qihoonew.apk when the new process is initialized.
S240, modifying the environment configuration information in the virtual machine through the guide module.
Preferably, the attribute of the Java Method structure in the virtual machine is changed to Native, and the nativeFunc (callback function table) member is then written with the invention's own distribution function.
And S250, calling the monitoring module according to the environment configuration information so as to monitor the running of the process of the application program to be run.
The monitoring module is registered as a service process, and the hook function is associated with the call instructions of the application program's running process to realize activity monitoring of the application program. When the monitoring module observes that the process of the application program needs to call an unmatched resource, the resource request of the related call instruction is redirected, so that a correct resource is provided for the running of the application program's process. When the monitoring module observes that the process of the application program performs unauthorized access, custom data is returned to the related call instruction.
The monitoring module can monitor the event behaviors occurring in the process space constructed by the current incubator. It should be understood that after the hatcher calls the fork function to copy itself, these external calls and the self-checking code are all copied, that is, not only the hatcher process itself, but also the process hatched by it can load the monitoring module, so that the hatcher hatches a new process, that is, a sandbox environment is provided for the corresponding target application, and the sandbox example of the present invention is implemented.
Further, referring to fig. 1, the method of the present invention further includes the steps of: s110, the monitoring module identifies a specific instruction of the process of the application program and guides to call a hook function corresponding to the specific instruction.
Specifically, the monitoring module identifies a specific instruction of the process of the application program, and the process of guiding to call the hook function corresponding to the specific instruction includes: the monitoring module identifies a specific instruction of the process of the application program, and distributes a corresponding hook function to the related specific instruction through the distribution module.
Further, the method of the present invention further comprises the steps of: and S120, completing the execution of the hook function, and calling back to execute the application program process.
In addition, referring to fig. 3, the invention provides a method for implementing a payment security sandbox, which comprises the following steps:
S300, in response to the running instruction of the application program, constructing the virtual machine into a sandbox for running the application program through the incubator.
S310, modifying the environment configuration information of the sandbox so that the sandbox is suitable for calling a monitoring module to monitor the process of the application program.
Specifically, the setting items of the environment configuration information of the sandbox include an object attribute used to direct execution of the monitoring module and pointing information, corresponding to the object attribute, to which execution is directed; the object attribute mainly serves to support execution of a callback function table, and the pointing information mainly serves the distribution function that distributes the hook functions.
The process of modifying the environment configuration information of the sandbox so that the sandbox is suitable for calling the monitoring module to monitor the process of the application program comprises the following steps: in response to the running instruction of the application program, applying for a process running environment for the incubator; creating, through the incubator, a process running environment suitable for running the process of the application program to be run; implanting a guide module into the process running environment and running it; loading a distribution module into the incubator by using the guide module, so that the distribution module enters the process of the application program to be run as that process is started; modifying, through the guide module, the environment configuration information in the virtual machine; and calling the monitoring module according to the environment configuration information so as to monitor the running of the process of the application program to be run.
The process of creating, through the incubator, a process running environment suitable for running the process of the application program to be run comprises: constructing the incubator for the incubated process's running environment on the basis of the system's original incubator; and incubating through that incubator to establish the process running environment for the application program to be run. The process of constructing the incubator on the basis of the system's original incubator comprises: running the control module; constructing the incubator by means of the control module on the basis of the system's original incubator; and establishing a connection between the control module and the incubator. The control module establishes the connection with the incubator based on the socket generated by the incubator.
It should be noted that the monitoring module is registered as a service process, and the hook function is associated with the call instructions of the application program's running process so as to monitor the activity of the application program. When the monitoring module observes that the process of the application program needs to call a resource that does not match, it redirects the resource request of the related call instruction so that correct resources are provided for the running of the application program's process; when the monitoring module observes that the process of the application program performs unauthorized access, it returns custom data to the related call instruction.
S320, when the process calls a specific instruction, processing it according to the security policy provided in advance by the sandbox, and returning to the execution of the process after the processing.
Specifically, the process of handling a call to a specific instruction according to the security policy provided in advance by the sandbox, and returning to the execution of the process afterwards, includes: the monitoring module identifies the specific instruction of the application program's process, and the distribution module distributes the corresponding hook function to that specific instruction.
The security policy comprises a payment security policy, which comprises: judging whether the information of the payment request includes payment security parameters, and if so, judging that the payment request is legitimate. Specifically, the process of determining whether the information of the payment request includes the payment security parameter includes: judging whether the interface elements of the popup notification include a payment element; if so, determining that the popup notification includes a payment feature. The payment element is stored locally on the mobile terminal and is used to match whether the popup notification includes an element corresponding to payment.
Optionally, the payment security policy further includes: judging whether the information of the payment request calls the data and instructions corresponding to payment, and if so, judging that the payment request is legitimate. Specifically, determining whether the information of the payment request calls the data and instructions for payment includes: acquiring the class name of the class called in the popup notification; judging whether the class name exists in a class name list stored in advance, where the class name list is stored locally on the mobile terminal, is obtained by being pushed from a server, and records the classes provided by an operator for payment; and if the class name exists, judging that the popup notification calls a payment class. When the popup notification calls a payment class, it is determined that the popup notification includes a payment feature.
The working process of the payment security policy comprises: injecting into the system process so as to learn the circumstances under which a process generates a window; determining that a window to be detected has appeared on the display interface of the mobile terminal; extracting the feature information of at least one element in the window to be detected; performing feature matching of that feature information against a preset feature information base to obtain an element matching result; and determining the security type of the window to be detected according to the element matching result, where the feature information base pre-stores the element feature information of payment software windows and/or the element feature information of windows of malicious samples.
The window to be detected may, for example, be a window with an input box, in particular when the type of the input box is a password box. As another example, if the text in the title bar of a newly appearing window includes keywords such as fast payment, Alipay, WeChat Payment or mobile banking, that window needs to be treated as a window to be detected.
For example, the element feature information of payment software windows pre-stored in the feature information base includes: the element feature information of the login window of the payment software, of its account binding window, and of its payment window. The white sample feature matching procedure may be: extracting the payment keywords contained in the text content of the elements in the window to be detected and determining the corresponding payment software from those keywords; then comparing the element feature information of the window to be detected with the window element feature information of that payment software in the feature information base, and if the comparison is consistent, determining that the window to be detected is a safe window. As a specific example, if the text in the title bar of the window is 'WeChat Payment', the element features of the window are matched against the element features of the payment interface in the WeChat client; if the match succeeds, the window to be detected is confirmed to be the WeChat Payment window, otherwise it may be regarded as a malicious window or further detection is required.
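The white sample matching, black sample matching and payment feature checks described above, as an added example in Python that is not code from the patent or from the product it describes. The keyword list, the feature base, the malicious sample features and the payment class list are constructed sample values, and the element feature information is modelled as (element type, element text) pairs, which is an assumption about how the feature base represents a window element.

```python
"""Constructed example (not the patent's own code): classifying a window under the
payment security policy described above. Keyword list, feature base, malicious
sample features and payment class list are assumed sample values."""
from dataclasses import dataclass

# Title-bar keywords that make a new window a "window to be detected" (assumed list)
PAYMENT_KEYWORDS = ("fast payment", "alipay", "wechat payment", "mobile banking")

# Constructed feature base: for each payment product, the element features
# (element type, element text) that its genuine payment window carries.
FEATURE_BASE = {
    "wechat payment": frozenset({("text", "wechat payment"),
                                 ("password", "payment password"),
                                 ("button", "pay now")}),
    "alipay": frozenset({("text", "alipay"),
                         ("password", "payment password"),
                         ("button", "confirm payment")}),
}

# Constructed element features taken from a malicious (phishing) sample window
MALICIOUS_FEATURES = frozenset({("text", "wechat payment"),
                                ("edit", "card number"),
                                ("edit", "cvv")})

# Constructed class name list of operator-provided payment classes
# (in the patent this list is pushed by a server and stored locally)
PAYMENT_CLASS_LIST = frozenset({"com.example.pay.PaySdk",
                                "com.example.pay.PayActivity"})


@dataclass(frozen=True)
class Window:
    title: str
    elements: frozenset                     # set of (element type, element text)
    called_classes: frozenset = frozenset()  # classes the popup calls into


def needs_check(w: Window) -> bool:
    """A window with a password box, or payment keywords in its title, must be checked."""
    if any(kind == "password" for kind, _ in w.elements):
        return True
    title = w.title.lower()
    return any(keyword in title for keyword in PAYMENT_KEYWORDS)


def has_payment_feature(w: Window) -> bool:
    """Payment security parameter check: a payment element in the interface, or a
    call into a known payment class, marks the request as carrying a payment feature."""
    payment_element = any(kind == "password" or "pay" in text.lower()
                          for kind, text in w.elements)
    payment_class = bool(w.called_classes & PAYMENT_CLASS_LIST)
    return payment_element or payment_class


def classify(w: Window) -> str:
    """Return 'not_checked', 'safe', 'malicious' or 'unknown' (further detection needed)."""
    if not needs_check(w):
        return "not_checked"
    title = w.title.lower()
    # White sample matching: find the product named in the title, then require all
    # element features of that product's genuine window to be present.
    product = next((name for name in FEATURE_BASE if name in title), None)
    if product is not None and FEATURE_BASE[product] <= w.elements:
        return "safe"
    # Black sample matching against the stored malicious window features
    if MALICIOUS_FEATURES <= w.elements:
        return "malicious"
    return "unknown"
```

classify() runs the white match first because a full match against the genuine window's features settles the case; the black match only runs for windows that failed it, and a window matching neither is left as 'unknown' for further detection rather than being treated as safe.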
The payment environment whitelist pre-stores process information for the processes allowed to run in the payment environment, for example processes allowed to start that are recorded in a cache, system processes, processes determined by the cloud scan-and-kill server to be free of payment risk, and other processes that may run in the payment scenario.
The permissions, feature information and other characteristics of a client are matched; for a client that cannot be determined, information such as its package name, signature and version number may be uploaded to the cloud for verification. If the verification result determines that the client contains a Trojan or virus, the user is prompted to uninstall it; for a client whose verification result shows no Trojan or virus, the following aspects of the client may be analyzed in turn: whether the software is legitimate, whether it has been repackaged, and whether fraudulent behavior exists.
After the mobile terminal enters the payment scenario and the version of the payment client passes verification, all processes currently running on the mobile terminal are enumerated and then judged in turn as follows: local cache query judgment, white signature judgment, system process judgment, cloud scan-and-kill judgment, and cloud scan-and-kill result judgment.
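The judgment chain in the order just given, as an added Python example that is not the patent's own code. The white signature set, the UID boundary used to recognize system processes, and the cloud verdict table are assumed sample values; the cloud server is stood in for by a local dictionary keyed by the package name, signature and version number that the text says are uploaded.

```python
"""Constructed example (not the patent's own code): the process judgment chain run
after the mobile terminal enters the payment scenario. Signatures, UID boundary and
cloud verdicts are assumed sample values."""
from dataclasses import dataclass

# Assumed: signatures of publishers whose processes are trusted ("white signature")
WHITE_SIGNATURES = frozenset({"sig-vendor-a", "sig-bank-b"})

# Assumed: system processes run under UIDs below the first application UID
FIRST_APP_UID = 10000

# Constructed stand-in for the cloud scan-and-kill server, keyed by the
# (package name, signature, version number) triple the text says is uploaded
CLOUD_VERDICTS = {
    ("com.example.game", "sig-unknown", "1.0"): "clean",
    ("com.example.stealer", "sig-bad", "2.3"): "trojan",
}


@dataclass(frozen=True)
class Process:
    name: str
    uid: int
    package: str
    signature: str
    version: str


def cloud_query(p: Process):
    """Cloud scan-and-kill judgment; None models 'no result yet / cloud unreachable'."""
    return CLOUD_VERDICTS.get((p.package, p.signature, p.version))


def judge_process(p: Process, cache: dict) -> str:
    """Apply the judgments in the order given in the text: local cache, white
    signature, system process, cloud scan-and-kill, cloud result.
    Returns 'allow', 'prompt_uninstall' or 'unknown'."""
    # 1. local cache query judgment
    if p.name in cache:
        return cache[p.name]
    # 2. white signature judgment
    if p.signature in WHITE_SIGNATURES:
        verdict = "allow"
    # 3. system process judgment
    elif p.uid < FIRST_APP_UID:
        verdict = "allow"
    else:
        # 4. cloud scan-and-kill judgment
        result = cloud_query(p)
        # 5. cloud scan-and-kill result judgment
        if result is None:
            verdict = "unknown"           # undecided: not admitted to the whitelist
        elif result == "clean":
            verdict = "allow"
        else:
            verdict = "prompt_uninstall"  # Trojan or virus: the user is prompted to uninstall
    if verdict != "unknown":
        cache[p.name] = verdict           # only definite verdicts are recorded for later lookups
    return verdict


def audit_payment_environment(processes, cache=None) -> dict:
    """Enumerate all running processes and return a {process name: verdict} map."""
    cache = {} if cache is None else cache
    return {p.name: judge_process(p, cache) for p in processes}
```

Only definite verdicts are written back to the cache, so a process the cloud has not yet judged is re-queried on the next pass instead of being silently admitted to the payment environment.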
Correspondingly, following the functional modular thinking of computer software, the invention also provides an application program process monitoring system, namely a server for the application program process monitoring method. Referring to fig. 4, the modules included in the system and the specific functions implemented by the modules are disclosed below. The system comprises:
An information modification module 11, used to respond to the running instruction of the application program by modifying the environment configuration information in the virtual machine, so that the virtual machine is suitable for calling the monitoring module to monitor the running of the process of the application program to be run.
The setting items of the environment configuration information of the virtual machine include an object attribute used to direct execution of the monitoring module and pointing information, corresponding to the object attribute, to which execution is directed; the object attribute mainly serves to support execution of a callback function table, and the pointing information mainly serves the distribution function that distributes the hook functions.
Specifically, referring to fig. 5, the information modification module 11 includes:
An application submodule 111, used to respond to the running instruction of the application program by applying for a process running environment for the incubator.
Specifically, each new application program can apply for a new incubator from the system's original incubator through the application submodule 111; that is, the process of the new application program runs in the running environment constructed by its corresponding incubator. The incubators are mutually independent, and both the incubators and the system's original incubator are connected to the control module of the invention through corresponding sockets, so that the control module can effectively maintain the incubators.
An implantation submodule 112, configured to implant a guide module into the process running environment and run it.
For example, the library file qihooload.so is injected into the zygote process by the implantation submodule 112.
A modification submodule 113, configured to modify, through the guide module, the environment configuration information in the virtual machine.
Preferably, the attribute of the Java Method structure in the virtual machine is changed to Native, and the nativeFunc member (callback function table) is then overwritten with the module's own distribution function.
A calling submodule 114, used to call the monitoring module according to the environment configuration information so as to monitor the running of the process of the application program to be run.
Specifically, the monitoring module is registered as a service process, and the hook function is associated with the call instructions of the application program's running process so as to monitor the activity of the application program. The monitoring module comprises a redirection unit, used to redirect the resource request of the related call instruction when the monitoring module observes that the process of the application program needs to call a resource that does not match, so that correct resources are provided for the running of the application program's process; the monitoring module further comprises a data returning unit, used to return custom data to the related call instruction when the monitoring module observes that the process of the application program performs unauthorized access.
Further, referring to fig. 6, the information modification module 11 further includes:
A creating submodule 115, for creating, through the incubator, a process running environment suitable for running the process of the application program to be run.
Specifically, referring to fig. 7, the creating sub-module 115 includes:
A construction unit 101, for constructing the incubator for the incubated process's running environment on the basis of the system's original incubator.
Referring to fig. 8, the construction unit 101 includes: an operation subunit 102, configured to run the control module; an incubator construction subunit 104, for constructing the incubator on the basis of the system's original incubator by means of the control module; and a connection establishing subunit 106, configured to establish the connection between the control module and the incubator. Preferably, the control module establishes the connection with the incubator based on a socket generated by the incubator.
As mentioned above, because the incubator of the present invention is constructed by duplicating zygote according to the ELF infection principle, the known and inherent operating mechanism of zygote itself is not changed. The incubator generated under the control of the control module, which still follows the implementation mechanism of the system's original incubator, is therefore used to incubate a new process in response to a request forwarded by the control module, and responds to that request with the process PID. The AMS obtains the process PID, i.e. the target application program to be run is loaded into the corresponding process space, so that the target application program can run. It can be seen that a crash of an incubator, or the death of a process incubated by it, does not affect the system's original incubator and its associated processes, and vice versa.
An establishing unit 103, configured to incubate through the incubator so as to establish the process running environment for the application program to be run.
Further, referring to fig. 6, the information modification module 11 further includes:
A loading submodule 116, configured to load a distribution module into the incubator by using the guide module, so that the distribution module enters the process of the application program to be run as that process is started.
For example, when the loading submodule 116 calls the code of qihooload.so, the library file qihooload.so loads the qihooobridge.jar file into zygote, and the qihooobridge.jar file is then carried into the application process together with the newly started process. When the new process is initialized, the jar file loads and runs qihoonew.apk.
An identification guiding module 12, used for the monitoring module to identify a specific instruction of the application program's process and to direct the call to the hook function corresponding to that specific instruction.
Specifically, the identification guiding module 12 includes: a distribution unit, used for the monitoring module to identify the specific instruction of the application program's process and for the distribution module to distribute the corresponding hook function to that specific instruction.
An execution callback module 13, used to complete the execution of the hook function and call back to continue executing the application program process.
Correspondingly, referring to fig. 9, the present invention further provides a system for implementing a payment security sandbox, which includes:
A response construction module 21, used to construct the virtual machine into a sandbox for running the application program through the incubator, in response to the running instruction of the application program.
A modification calling module 22, used to modify the environment configuration information of the sandbox so that the sandbox is suitable for calling the monitoring module to monitor the process of the application program.
Specifically, the setting items of the environment configuration information of the sandbox include an object attribute used to direct execution of the monitoring module and pointing information, corresponding to the object attribute, to which execution is directed; the object attribute mainly serves to support execution of a callback function table, and the pointing information mainly serves the distribution function that distributes the hook functions.
The modification calling module 22 includes: a response application submodule, used to respond to the running instruction of the application program by applying for a process running environment for the incubator; an environment creating submodule, for creating, through the incubator, a process running environment suitable for running the process of the application program to be run; an implantation operation submodule, used to implant a guide module into the process running environment and run it; a loading starting submodule, used to load a distribution module into the incubator by using the guide module, so that the distribution module enters the process of the application program to be run as that process is started; an information modification submodule, used to modify, through the guide module, the environment configuration information in the virtual machine; and a calling and running submodule, used to call the monitoring module according to the environment configuration information so as to monitor the running of the process of the application program to be run.
The environment creating submodule comprises: a construction operation unit, for constructing the incubator for the incubated process's running environment on the basis of the system's original incubator; and an environment establishing unit, used to incubate through the incubator so as to establish the process running environment for the application program to be run. The construction operation unit further includes: a control operation subunit, for running the control module; a configuration incubator subunit, for constructing the incubator by means of the control module on the basis of the system's original incubator; and a connection establishing subunit, used to establish the connection between the control module and the incubator. The control module establishes the connection with the incubator based on the socket generated by the incubator.
It should be noted that the monitoring module is registered as a service process, and the hook function is associated with the call instructions of the application program's running process so as to monitor the activity of the application program. The monitoring module comprises an identification redirection unit, used to redirect the resource request of the related call instruction when the monitoring module observes that the process of the application program needs to call a resource that does not match, so that correct resources are provided for the running of the application program's process; the monitoring module further comprises an identification returning unit, used to return custom data to the related call instruction when the monitoring module observes that the process of the application program performs unauthorized access.
A calling execution module 23, configured to process, when the process calls a specific instruction, according to the security policy provided in advance by the sandbox, and to return to the execution of the process after the processing.
Specifically, the calling execution module 23 includes: an identification and distribution unit, used for the monitoring module to identify the specific instruction of the application program's process and for the distribution module to distribute the corresponding hook function to that specific instruction.
The security policy comprises a payment security policy, which comprises: a first judgment unit, used to judge whether the information of the payment request includes payment security parameters and, if so, to judge that the payment request is legitimate. The first judgment unit includes: a feature judgment subunit, used to judge whether the interface elements of the popup notification include a payment element and, if so, to determine that the popup notification includes a payment feature; the payment element is used to match whether the popup notification includes an element corresponding to payment.
Optionally, the payment security policy further includes: a second judgment unit, used to judge whether the information of the payment request calls the data and instructions corresponding to payment and, if so, to judge that the payment request is legitimate. The second judgment unit includes: a class name acquisition subunit, used to acquire the class name of the class called in the popup notification; a class name judging subunit, used to judge whether the class name exists in a class name list stored in advance and, if so, to judge that the popup notification calls a payment class; and a calling and judging subunit, used to judge that the popup notification includes a payment feature when the popup notification calls a payment class.
In order to highlight the application process monitoring system example of the present invention, the following further discloses the related embodiments of the monitoring module loaded by the incubator according to the above-mentioned descriptions of the present invention.
By utilizing the monitoring module, stronger sandbox running environment can be constructed. The monitoring module may obtain a hooking plug-in (hooking function) corresponding to a specific event behavior from a background sandbox HOOK framework, and HOOK and monitor the specific event behavior of the target application by using one or more hooking plug-ins, thereby implementing the monitoring of the activity of the target application program process. And the HOOK plug-in of the background sandbox HOOK frame performs centralized management at the cloud end and distributes the HOOK plug-in to each terminal. The cloud end is mainly constructed with a Java hook plug-in library and a Native hook plug-in library. When the monitoring module needs to HOOK a specific event behavior, a request is sent to a background sandbox HOOK frame through a remote plug-in interface, a HOOK function aiming at the specific event behavior, namely the HOOK plug-in is obtained, and therefore monitoring capture and processing of the specific event behavior are established.
After the incubator loads the monitoring module, the target application that initiates a run request to the AMS will be loaded. The monitoring module is loaded before the target application program, and once the target application program runs, the monitoring module establishes monitoring by using the hook plug-in, so all event behaviors of the target application program are in the monitoring range of the monitoring module. The installation package of the target application program is complete and unmodified, and can be checked through the PackageManagerService, so that the target application program can be completely legally and normally operated after being loaded, and all functions which can be originally realized by the target application program are realized.
Because the monitoring module and the target application program are in the same process space, the running monitoring module establishes monitoring on all event behaviors of the target application program. And any event behavior generated in the running process of the target application program can be captured by the monitoring module and correspondingly processed.
The specific event behavior generated by the target application program is captured by the monitoring module, and when the specific event behavior is triggered, the generated event message is captured by a corresponding hook plug-in (hook function) in the monitoring module. Capturing the event message, the intent of the event can be known and subsequent processing can then proceed.
And processing a specific event behavior, wherein an event behavior processing strategy needs to be acquired. In this sub-step, the human-computer interaction function may be further implemented by means of a system service. In order to realize the human-computer interaction effect, the invention can register an interaction module as system service in advance by combining with security software, and the interaction module is communicated with the interaction module through an interaction interface established by the monitoring module, thereby realizing the acquisition of user instructions or preset instructions.
The acquisition mode of the event behavior strategy is very flexible and various, and can be executed by constructing a strategy generation device, and the following strategies are listed as one or any combination used by the invention:
(1) after capturing a specific event behavior, the monitoring module sends a request to the interaction module through the interaction interface, the interaction module inquires a user processing strategy from a user interface popup window of the security software, the popup window can directly inform a user about the content and the risk of the event behavior, and the user selects a corresponding option as the processing strategy. After the user selects and determines the corresponding option, the interaction module obtains the processing strategy for the specific event behavior and feeds the processing strategy back to the monitoring module, and the monitoring module can perform the next processing on the corresponding event behavior of the target application program according to the processing strategy generated by the user instruction.
(2) When some event behaviors which are recognized to be relatively low risk occur, such as read-only operation behaviors of contacts, or when a user sets a processing strategy which is self-retrieved and is adopted for a specific event behavior for the invention, the invention utilizes a local strategy database to retrieve the corresponding processing strategy for the specific event behavior. That is, the local policy database establishes the association between a specific event behavior and a corresponding processing policy, and stores the record data of the corresponding relationship between various event behaviors and corresponding processing policies, so that the record data can be retrieved and used by the invention. After the corresponding processing strategy is obtained from the local strategy database, the invention can process the corresponding event behavior in the next step.
(3) If the user sets an option for remotely acquiring the processing policy for the invention, or the user can acquire the processing policy remotely by default when the local policy database does not retrieve the specific policy of the specific event behavior, or the user cannot respond to the popup window within a specified time limit by interacting through the above (1) situation, and the like, the security software can send a request to the pre-configured cloud terminal through the built-in remote policy interface of the security software, so as to acquire the corresponding processing policy corresponding to the specific event behavior and use the processing policy for subsequent processing.
It should be noted that, the above three manners of acquiring the processing policy may be used in a cross-matching manner, for example, once the interaction module receives the characteristics of the event message transmitted by the monitoring module, the local policy database may be retrieved first according to the (2) th manner according to the default setting, and the processing policy recommended by the system is obtained (if the processing policy cannot be obtained from the local policy database, the processing policy may even be further obtained from the cloud policy database according to the (3) th manner). Then, referring to the method (1), the processing policy recommended by the system is set as the default option on the popup interface. If the user does not confirm the default option within the specified time limit, executing the subsequent instruction by taking the processing strategy recommended by the system as the standard; if the user changes the option to the new default option, the processing strategy set by the user is returned to the monitoring module. Therefore, the man-machine interaction process can be realized more flexibly and freely.
The local policy database may be a duplicate of the cloud policy database; therefore, the present invention provides an updating step that downloads the cloud policy database to update the local policy database.
In general, the policy for a specific event behavior may be set to one of three common options, "reject", "run" and "ask", whose intended effects are:
reject: for the specific event behavior, send the target application program a false message indicating that the event behavior has been executed, so that the event behavior is prevented from actually occurring;
run: for the specific event behavior, pass the corresponding event message through to the system message mechanism unchanged, allowing the target application program to continue the event behavior;
ask: on its own or in addition to either of the two options above, mark the state of the specific event behavior as unknown, so that the user is queried again by popup when the behavior occurs again.
In practice, the option "ask" may be ignored, only considering whether to deny or allow the current event behavior to occur.
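The way the three acquisition manners and the three options fit together is easier to see in code. The following is an added example written for this page, not the patent's implementation: a resolver that consults a local policy database first (manner 2), falls back to a cloud lookup (manner 3), and only then shows a popup with the system recommendation pre-selected (manner 1), treating a timeout as acceptance of the recommendation and an unremembered answer as the "ask" state that forces a new query next time. The event names, the database contents, the `CloudPolicy` stand-in, the scripted popup answers and the deny-by-default choice when no policy exists anywhere are all assumptions made for the demonstration.

```python
"""Resolving the processing policy for a captured event behavior (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

REJECT, RUN, ASK = "reject", "run", "ask"
# A popup answer: the action chosen plus whether to store it as the user's
# own policy for this event behavior; None means the time limit passed.
Answer = Optional[Tuple[str, bool]]

# Constructed local policy database: event behavior -> processing policy.
LOCAL_POLICY_DB: Dict[str, str] = {
    "contacts.query": RUN,         # read-only contact access: low risk
    "sms.sendTextMessage": ASK,    # background SMS: always confirm with the user
    "package.installPackage": ASK,
    "shell.execute": REJECT,       # command execution: never allowed here
}


class CloudPolicy:
    """Stand-in for the remote policy interface (constructed)."""

    def __init__(self, table: Dict[str, str]):
        self.table = dict(table)
        self.requests = 0  # counts round trips, so fallbacks are observable

    def lookup(self, event: str) -> Optional[str]:
        self.requests += 1
        return self.table.get(event)


@dataclass
class PolicyResolver:
    local_db: Dict[str, str]
    cloud: CloudPolicy
    popup: Callable[[str, str], Answer]   # popup(event, default_option)
    prefer_remote: bool = False           # user option: always ask the cloud
    unknown: Set[str] = field(default_factory=set)  # behaviors marked "ask"

    def resolve(self, event: str) -> str:
        """Return REJECT or RUN for one occurrence of `event`."""
        # Manner (2): consult the local policy database unless remote is preferred.
        local = None if self.prefer_remote else self.local_db.get(event)
        # Manner (3): the cloud supplies the recommendation when the local
        # database has nothing definitive for this behavior.
        policy = local if local in (REJECT, RUN) else self.cloud.lookup(event)
        must_ask = (local == ASK or event in self.unknown
                    or policy not in (REJECT, RUN))
        if not must_ask:
            return policy
        # Manner (1): popup with the system recommendation pre-selected.
        # Assumption: with no recommendation from anywhere, deny by default.
        default = policy if policy in (REJECT, RUN) else REJECT
        answer = self.popup(event, default)
        if answer is None:                 # time limit expired: recommendation stands
            return default
        action, remember = answer
        if action not in (REJECT, RUN):
            raise ValueError(f"popup returned invalid action {action!r}")
        if remember:                       # becomes the user's own local policy
            self.local_db[event] = action
            self.unknown.discard(event)
        else:                              # "ask": query the user again next time
            self.unknown.add(event)
        return action


def demo() -> list:
    """Walk a constructed scenario and return the decisions in order."""
    cloud = CloudPolicy({"apn.switch": REJECT})
    script = [None, (RUN, False), (REJECT, True)]    # scripted user answers
    resolver = PolicyResolver(dict(LOCAL_POLICY_DB), cloud,
                              popup=lambda event, default: script.pop(0))
    events = [
        "contacts.query",          # local RUN, no popup
        "apn.switch",              # not local, cloud says REJECT
        "sms.sendTextMessage",     # ASK, popup times out -> default REJECT
        "package.installPackage",  # ASK, user allows once without remembering
        "package.installPackage",  # asked again, user rejects and remembers
        "package.installPackage",  # now served from the local database
    ]
    return [resolver.resolve(e) for e in events]


if __name__ == "__main__":
    print(demo())
```

Note that a remembered answer is written back into the local database, which is the user-set policy that manner (2) mentions; the cloud is contacted only when the local entry is absent or says "ask", so low-risk behaviors never cost a round trip.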
The event behaviors are various and specifically include the following types:
(1) terminal, networking related operations:
Acquiring operator information: the target application program can obtain the IMSI of the mobile terminal through the getSimOperatorName() function, from which the name of the operator can be determined and a subscription instruction sent to the operator, achieving illegal purposes such as fee deduction. The monitoring platform can capture this event behavior by hooking the related message.
Switching APN operation: similarly, the target application program performs APN switching control through the APN-related functions, which the monitoring module can also monitor by calling the corresponding hook plug-in.
Similar operations also include acquiring the mobile phone identification code IMEI, which is handled in the same way.
(2) Notification bar advertisement operation: the notification bar advertisement is the means most easily exploited by malicious programs; the monitoring module monitors the event message generated by the notify() function by calling the corresponding hook plug-in.
(3) Communication operation:
For example, when a call is dialed, the event behavior of invoking the system's dialing interface passes through the startActivity() function, and event behavior monitoring for the dialing operation can be established with the corresponding hook plug-in.
Short message operations correspond to functions such as sendTextMessage(), and similarly, event behavior monitoring can be established for such functions by means of a hook plug-in.
Contact operations generally correspond to the query() and insert() functions; the monitoring module hooks such functions with a hook plug-in to capture such event behavior.
(4) Command operation:
An su privilege escalation operation or a command execution operation requires an execute() function, and the monitoring module can monitor the event behavior by monitoring the return message of that function.
(5) Interface and access operation:
Event behavior such as creating a shortcut corresponds to the sendBroadcast() function. Similarly, the operation of hiding the program icon corresponds to a specific function that can be monitored.
HTTP web access operations correspond to functions such as sendto() and write().
(6) Program operation:
For example, the application loading operation refers to the loading of a related application by the current target application program, and such event behaviors can be captured by hook monitoring of functions such as DexClassLoader() and loadLibrary().
Installation of a sub-package corresponds to the installPackage() function.
(7) Other hazardous operations:
such as a sub-process intrusion operation, a derivative operation, an activate device manager operation, etc.
A sub-process is created by the target application program; because its process space is also generated by the incubator structure, the sub-process cannot easily escape the monitoring of the monitoring module. Therefore, event behaviors triggered directly by the target application program's own process or indirectly by a sub-process it created can both be monitored by the monitoring module, giving a better active defense effect.
A derivative is a file created by the target application program or a remotely downloaded file, and generally refers to a sensitive derivative such as an installation package. This event can be captured by hooking the fclose() function. It should be noted that, after the monitoring module captures the event behavior, a request is further sent to the cloud through the remote rule base interface according to the method, and the cloud judges the security level of the derivative using the black, white and grey security level behavior rules.
The above-mentioned event behaviors are given by way of example only and are not to be understood as limiting the event behaviors monitored by the present invention.
According to the processing strategy and the description about the event behaviors, the active defense method of the invention can process various event behaviors correspondingly. Several typical examples of applications are listed below:
(1) Application to fine-grained interception of a target application program:
After some malicious programs are installed, they remain in a normal usable state for a long time, lulling the user's security awareness. After running for a long time, however, the target application program tries to insert a short message from the background to attract the user's attention, for advertising or fraud. After the sandbox instance of the invention is applied to the target application program, the short message operation function is monitored through the corresponding hook plug-in of the monitoring module. Once the target application program generates the event behavior of a short message operation, the event behavior is captured; the monitoring module then informs the interaction module, which runs as a system service, through the interaction interface, and the interaction module pops up a user interface window as a warning. After the user clicks the "reject" processing policy, the decision is fed back to the monitoring module, and the corresponding hook plug-in blocks the actual occurrence of the event behavior, thereby preventing the risk.
(2) Application to a target application program releasing a malicious file:
The target application program is game software that downloads and releases a malicious sub-package by way of an update check, and calls a system function to install the sub-package. After the active defense sandbox running environment is established for the target application program, the event behavior generated by the target application program after the download can be monitored, and a popup alarm is raised accordingly through the interaction module. After the user issues a rejection instruction, the corresponding hook plug-in of the monitoring module can directly delete the file or simply reject the installation of the file.
In the invention, malicious sub-packages are regarded as sensitive derivatives, and whether a derivative is malicious can be judged remotely using the predetermined security levels. Specifically, when the generation of a derivative is detected, the corresponding file or its characteristic information, such as its signature, is sent to the cloud through the remote rule base interface, and the security level of the file is obtained from the cloud; if the file is a black or grey application, the user is advised in a popup window to refuse installation; if it is a white application, it may be allowed to pass. In this way, a secure defense against sensitive derivatives is achieved. If the cloud has no record of the derivative, the method may require the file to be uploaded; the cloud then marks the file as an unknown application and, correspondingly, labels it as a grey application for later use.
(3) Application to sub-process intrusion:
The monitored target application program creates a sub-process while running, and the sub-process in turn releases malicious event behaviors. When the monitoring module detects that the target application program creates a sub-process, it obtains the entry point of the sub-process, and in theory the monitoring module could be loaded into the sub-process by inline hooking to monitor its event behavior. However, since the sub-process is also incubated by the incubator, the monitoring module is loaded by the new process incubated by the incubator before the sub-process itself, so monitoring of the sub-process is achieved without an inline hook. It can be seen that event behaviors triggered either directly by the target application process or indirectly by a child process created by it can be successfully monitored by the monitoring module.
From the above analysis, it can be seen that the sandbox operating environment constructed by the present invention has higher efficiency and feasibility.
In order to facilitate the implementation of the present invention, the following further discloses how the cloud server and the terminal device cooperate with each other to implement the related content of the security level judgment of the installation package:
as mentioned above, the feature information sent by the client to the cloud server through the remote rule base interface includes: the package name, and/or version number, and/or digital signature of the Android installation package, and/or the characteristics of the Android component receiver, and/or the characteristics of the Android component service, and/or the characteristics of the Android component activity, and/or the instruction or character string in the executable file, and/or the MD5 value (signature) of each file under the Android installation package directory.
The client that implements the method or device of the invention uploads the specified feature information to the server (cloud), which searches the rule base preset on the server for a feature record matching the specified single feature or combination of features; the rule base preset on the server comprises feature records and the security level corresponding to each feature record, and each feature record comprises a single item of feature information or a combination of feature information.
Thousands of feature records are preset in the server-side rule base. For example, a first feature record lists the Android installation package name of a certain virus; a second lists the Android installation package version number and the MD5 value of the digital signature of a certain normal application; a third lists the Android installation package name and the receiver feature of a certain normal application; and a fourth lists the Android installation package name and version number of a certain Trojan together with a specific character string in its ELF file.
The identification of the security level, i.e. black, white (safe) or grey (unknown, suspicious), can be further expressed as:
Safe: the application is a normal application without any behavior threatening the security of the user's mobile phone;
Dangerous: the application presents a security risk; it may be malware itself, or it may be normal software originally published by a legitimate company whose security holes nevertheless threaten the privacy of the user and the security of the mobile phone;
Caution: the application is a normal application but has some problems, such as allowing users to be charged inadvertently, or carrying unfriendly advertisements that have been complained about; when such an application is discovered, the user is prompted to use it cautiously and is advised of the actions it may take, but the user decides at his own discretion whether to remove the application;
Trojan: the application is a virus, Trojan or other malware, collectively referred to here as a Trojan for simplicity, which does not mean that the application is strictly a Trojan.
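The derivative-handling flow described under application scenario (2) and the server-side rule base just described share the same core: match a set of features against records that each require one feature or a combination, then map the record's level to black, white or grey. The following is an added example written for this page, not the patent holder's implementation, that carries both through: a client-side feature extractor, a rule base built from constructed records shaped like the four examples in the text, a matcher that requires every feature of a record to be present and takes the most severe level when several records match, and the cloud's "no record means grey and queue the file for upload" rule. The package names, receiver name, marker string, sample bytes and the use of an MD5 over the package bytes as a stand-in for the signature MD5 are all assumptions made for the demonstration.

```python
"""Cloud-side security level lookup for a sensitive derivative (added example)."""
import hashlib
from typing import Dict, FrozenSet, List, Optional, Tuple

WHITE, GREY, BLACK = "white", "grey", "black"
# Finer identification from the description, ordered least to most severe,
# and the color each one maps to.
SEVERITY = ["safe", "caution", "dangerous", "trojan"]
LEVEL_COLOR = {"safe": WHITE, "caution": GREY, "dangerous": BLACK, "trojan": BLACK}

# A feature record is a set of (feature name, value) pairs; every pair must match.
FeatureRecord = FrozenSet[Tuple[str, str]]
RuleBase = Dict[FeatureRecord, str]


def record(**features: str) -> FeatureRecord:
    return frozenset(features.items())


def match_rule_base(features: Dict[str, str], rules: RuleBase) -> Optional[str]:
    """Find every record whose features are all present in `features`;
    when several records match, the most severe level wins."""
    present = frozenset(features.items())
    hits = [level for rec, level in rules.items() if rec <= present]
    return max(hits, key=SEVERITY.index) if hits else None


class CloudRuleService:
    """Server side of the remote rule base interface (constructed stand-in)."""

    def __init__(self, rules: RuleBase):
        self.rules = dict(rules)
        self.pending_upload: List[Dict[str, str]] = []  # derivatives with no record

    def query(self, features: Dict[str, str]) -> Tuple[str, str]:
        """Return (identification, color) for the uploaded feature set."""
        level = match_rule_base(features, self.rules)
        if level is None:
            # No record: mark as unknown (grey) and ask the client for the file.
            self.pending_upload.append(features)
            return "unknown", GREY
        return level, LEVEL_COLOR[level]


def extract_features(package_bytes: bytes, manifest: Dict[str, str]) -> Dict[str, str]:
    """Client side: build the feature information sent to the cloud. The
    manifest dict stands in for parsed package metadata (package name,
    version, component features); the MD5 of the bytes stands in for the
    signature MD5 value mentioned in the description (assumption)."""
    features = dict(manifest)
    features["signature_md5"] = hashlib.md5(package_bytes).hexdigest()
    return features


def client_advice(color: str) -> str:
    """What the popup tells the user: allow white, advise refusal otherwise."""
    return "allow" if color == WHITE else "advise_refuse"


SAMPLE_PACKAGE = b"constructed sample installation package bytes"


def build_rule_base() -> RuleBase:
    """Constructed records shaped like the four example records in the text."""
    return {
        record(package="com.example.virus"): "trojan",
        record(version="2.1",
               signature_md5=hashlib.md5(SAMPLE_PACKAGE).hexdigest()): "safe",
        record(package="com.example.bank",
               receiver="com.example.bank.SmsReceiver"): "safe",
        record(package="com.example.game", version="1.0",
               elf_string="CONSTRUCTED_MARKER"): "trojan",
        record(package="com.example.adware"): "caution",
    }


def demo() -> List[Tuple[str, str, str]]:
    """Run five constructed derivatives through the cloud and return
    (identification, color, advice) for each."""
    cloud = CloudRuleService(build_rule_base())
    samples = [
        extract_features(SAMPLE_PACKAGE, {"package": "com.example.app", "version": "2.1"}),
        extract_features(b"v", {"package": "com.example.virus", "version": "1.0"}),
        extract_features(b"g", {"package": "com.example.game", "version": "1.0",
                                "elf_string": "CONSTRUCTED_MARKER"}),
        extract_features(b"a", {"package": "com.example.adware"}),
        extract_features(b"n", {"package": "com.example.newapp"}),
    ]
    results = []
    for feats in samples:
        level, color = cloud.query(feats)
        results.append((level, color, client_advice(color)))
    return results


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Because a record only matches when all of its features are present, a package name alone never satisfies a record that also requires a receiver feature or an ELF string, which is what lets the rule base pair a name with a second feature to separate a legitimate application from a repackaged one carrying the same name.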
It should be understood that the cooperation between the cloud and the client can be further expanded, transformed, augmented and deleted by those skilled in the art according to the disclosure of the present invention. Accordingly, the above disclosure should not be construed as limiting the manner in which the methods and apparatus of the present invention can be practiced.
Through tests, compared with the prior art, the invention has wider application range and application effect, which are briefly described as follows:
Because the hook framework is implemented as a service platform and the monitoring module is configured for the terminal as hook plug-ins, loading the hook framework depends only on the corresponding configuration files, so management is efficient and easy to implement; for technicians, a hook plug-in can be configured simply by writing the configuration file and a few simple function calls, and hook reentrancy and concurrency performance are high.
The host application program is adopted to successively realize the loading of the monitoring module and the target application program, and then the monitoring module is used for monitoring the event behavior of the target application program, so that the Java function and Native function can be hooked
In summary, the present invention can modify the environment configuration information in the virtual machine, so that the virtual machine is adapted to call the monitoring module to monitor the running of the process of the application program to be run; the monitoring module identifies a specific instruction of the process of the application program and then guides and calls a hook function corresponding to the specific instruction; the process can directly control the distribution of the virtual machine and the calling of the original function, thereby realizing the monitoring of the process running of the application program to be run. And the mode process does not need to modify the application program to be run and pack apk, so that monitoring interception can be realized even if indirect call is reflected, and meanwhile, the mode process does not need to modify system source codes, so that the migration among versions is facilitated.
Meanwhile, the method constructs a new incubator from the original incubator Zygote inherent to the Android system, making the new incubator independent of the system's original incubator, and then runs the application program in the incubator so constructed by controlling the redirection of the activity management service's request. Illegal intrusion is generally carried out on the basis of known system mechanisms; since the new incubator is independent of the system's original incubator and a malicious program cannot identify the internal mechanism of the new incubator, even if the malicious program attempts to tamper with Zygote deep in the system's bottom layer when the system is rooted, or attempts to propagate a virus through ELF file infection or similar means, those attempts fail against the new incubator, and the application loaded by a process derived from the new incubator runs more safely.
Accordingly, the incubator of the present invention (a new incubator rather than the system's original one) is constructed, and the control module of the present invention manages the request initiated by the activity management service, which essentially controls the source of the application program's running process; because the incubator is relatively independent, the process space it incubates becomes a sandbox once the application program is loaded. With the monitoring module monitoring the event behavior of the application program, a better sandbox monitoring effect naturally follows.
In addition, the invention implants an external call instruction during the construction of the incubator, and this external call instruction loads the monitoring module so that the loaded monitoring module starts before the application program, thereby ensuring the monitoring of event behavior. Since the incubator is essentially a copy of the system's original incubator, calls to the fork() function apply to it, so the incubator can be used to incubate a new process space suitable for running the application. Because the external call instruction is implanted during construction, the modules it loads are copied along with each incubation performed in response to a request, ensuring that the monitoring module functions in every new process generated by the incubator and giving better operational reliability.
Although numerous specific details are set forth in the description provided herein, it is understood that embodiments of the invention may be practiced without these specific details. In some embodiments, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Although a few exemplary embodiments of the present invention have been shown and described, it would be appreciated by those skilled in the art that changes may be made in these exemplary embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the claims and their equivalents.

Claims (50)

1. A payment security sandbox implementation method is characterized by comprising the following steps:
in response to an execution instruction of an application program, constructing a virtual machine into a sandbox for executing the application program through an incubator;
modifying the environment configuration information of the sandbox to enable the sandbox to be suitable for calling a monitoring module to monitor the process of the application program; the method specifically comprises the following steps: responding to an operation instruction of the application program, and applying a process operation environment for the incubator; constructing the incubator used for the operation environment of the incubation process by using the original incubator of the system; incubating through the incubator to establish the process running environment for the application program to be run; implanting a guide module into the process running environment and running the guide module; modifying, by the boot module, environment configuration information in the virtual machine; calling the monitoring module according to the environment configuration information to monitor the running of the process of the application program to be run;
and when the process calls a specific instruction, processing according to a security policy provided by the sandbox in advance, and returning to execute the process after processing.
2. The payment security sandbox implementation method of claim 1, wherein said security policy comprises a payment security policy comprising:
judging whether the information of the payment request comprises payment security parameters; and if so, judging that the payment request is legal.
3. The method as claimed in claim 2, wherein the step of determining whether the information of the payment request includes the payment security parameters comprises:
judging whether the interface elements of the popup notification comprise payment elements or not; if yes, determining that the popup notification comprises payment characteristics;
the payment element is used for matching whether an element corresponding to payment is included in the pop-up window notification.
4. The payment security sandbox implementation method of claim 2 or 3, wherein said payment security policy further comprises:
judging whether corresponding data and instructions for payment are called in the information of the payment request; and if so, judging that the payment request is legal.
5. The method as claimed in claim 4, wherein the step of determining whether the information of the payment request calls corresponding data and instructions for payment comprises:
acquiring the class name of the class called in the popup notification;
judging whether the class name exists in a class name list stored in advance; and if so, judging that the popup notification calls a class for payment.
6. The method as claimed in claim 5, wherein the step of determining whether the information of the payment request calls the corresponding data and command for payment further comprises:
when the popup notification calls a class for payment, determining that a payment feature is included in the popup notification.
7. The payment security sandbox implementing method of claim 1, wherein the setting item of the environmental configuration information of the sandbox comprises an object property for guiding the execution of the monitoring module and pointing information guided to be executed corresponding to the object property.
8. The payment security sandbox implementation method of claim 7, wherein said object attributes are primarily used to support execution of callback function tables and said pointing information is primarily used to distribute distribution functions of hook functions.
9. The payment security sandbox implementation method as claimed in claim 1, wherein said step of constructing said incubator for incubating a process operating environment using a system original incubator comprises:
operating the control module;
constructing the incubator by using the control module and taking the original incubator of the system as a basis;
and establishing connection between the control module and the incubator.
10. The payment security sandbox implementation method of claim 9, wherein said control module establishes a connection with said incubator based on a socket generated by said incubator.
11. The payment security sandbox implementation method of claim 1, wherein after said step of implanting and running a bootstrap module into said process runtime environment, further comprising:
and loading a distribution module into the incubator by using the guide module so as to enable the distribution module to enter the process of the application program to be operated along with the starting of the process of the application program to be operated.
12. The method for implementing the payment security sandbox as recited in claim 11, wherein the step of processing the process according to the security policy provided in advance by the sandbox when the process calls the specific instruction and returning to execute the process after the processing comprises:
the monitoring module identifies a specific instruction of the process of the application program, and distributes a corresponding hook function to the related specific instruction through the distribution module.
13. The payment security sandbox implementation method of claim 1, wherein the monitoring module is registered as a service process, and the monitoring of the activity of the application is implemented with a hook function in association with a call instruction of a running process of the application.
14. The payment security sandbox implementation method of claim 13, wherein when the monitoring module monitors that the process of the application program needs to invoke the unmatched resource, the resource application of the associated invocation instruction is redirected to provide the correct resource for the running of the process of the application program.
15. The payment security sandbox implementation method of claim 13, wherein custom data is returned to an associated call instruction when the monitoring module monitors unauthorized access to the process of the application.
16. A method for monitoring the process of an application program is characterized by comprising the following steps:
responding to the running instruction of the application program, modifying the environment configuration information in the virtual machine through the incubator, and enabling the virtual machine to be suitable for calling a monitoring module to monitor the running of the process of the application program to be run; the method specifically comprises the following steps: responding to an operation instruction of the application program, and applying a process operation environment for the incubator; constructing the incubator used for the operation environment of the incubation process by using the original incubator of the system; incubating through the incubator to establish the process running environment for the application program to be run; implanting a guide module into the process running environment and running the guide module; modifying, by the boot module, environment configuration information in the virtual machine; calling the monitoring module according to the environment configuration information to monitor the running of the process of the application program to be run;
the monitoring module identifies a specific instruction of the process of the application program and guides to call a hook function corresponding to the specific instruction;
and finishing the execution of the hook function, and calling back to execute the application program process.
17. An application program process monitoring method according to claim 16, wherein the setting item of the environment configuration information of the virtual machine includes an object attribute for guiding execution of the monitoring module and pointing information guided to be executed corresponding to the object attribute.
18. The application program process monitoring method of claim 17, wherein the object attributes are mainly used to support execution of a callback function table, and the pointing information is mainly used to assign a distribution function of the hook function.
19. The application program process monitoring method of claim 16, wherein said step of constructing said incubator for incubating a process operating environment using a system original incubator comprises:
operating the control module;
constructing the incubator by using the control module and taking the original incubator of the system as a basis;
and establishing connection between the control module and the incubator.
20. The application process monitoring method of claim 19, wherein the control module establishes a connection with the incubator based on a socket generated by the incubator.
21. The method for monitoring application program process according to claim 16, further comprising, after the step of implanting and running a boot module into the process execution environment:
and loading a distribution module into the incubator by using the guide module so as to enable the distribution module to enter the process of the application program to be operated along with the starting of the process of the application program to be operated.
22. The method for monitoring the process of an application program according to claim 21, wherein the monitoring module recognizes a specific instruction of the process of the application program, and the step of directing to call the hook function corresponding to the specific instruction comprises:
the monitoring module identifies a specific instruction of the process of the application program, and distributes a corresponding hook function to the related specific instruction through the distribution module.
23. The application process monitoring method of claim 16, wherein the monitoring module is registered as a service process, and the activity monitoring of the application is implemented with the hook function in association with a call instruction of a running process of the application.
24. The application program process monitoring method of claim 23, wherein when the monitoring module monitors that the process of the application program needs to call the unmatched resource, the resource application of the relevant call instruction is redirected to provide the correct resource for the running of the process of the application program.
25. An application program process monitoring method as recited in claim 23, wherein custom data is returned to an associated call instruction when the monitoring module monitors unauthorized access to the process of the application program.
26. A payment security sandbox implementation system, comprising:
the response construction module is used for responding to an operation instruction of the application program and constructing the virtual machine into a sandbox for operating the application program through the incubator;
the modification calling module is used for modifying the environment configuration information of the sandbox so that the sandbox is suitable for calling the monitoring module to monitor the process of the application program; the method comprises the following steps: the response application submodule is used for responding to the running instruction of the application program and applying a process running environment for the incubator; a construction operation unit for constructing the incubator for an incubation process operation environment by using the system original incubator; the environment establishing unit is used for incubating through the incubator to establish the process running environment for the application program to be run; the implantation operation sub-module is used for implanting and operating a guide module into the process operation environment; the information modification submodule is used for modifying the environment configuration information in the virtual machine through the guide module; the calling operation submodule is used for calling the monitoring module according to the environment configuration information so as to monitor the operation of the process of the application program to be operated;
and the calling execution module is used for processing according to the security policy provided by the sandbox in advance when the process calls the specific instruction, and returning to execute the process after processing.
27. The payment security sandbox implementation system of claim 26, wherein the security policy comprises a payment security policy comprising:
the first judgment unit is used for judging whether the information of the payment request comprises payment safety parameters; and if so, judging that the payment request is legal.
28. The payment security sandbox implementation system of claim 27, wherein said first determination unit comprises:
the characteristic judgment subunit is used for judging whether the interface elements of the popup notification include payment elements or not; if yes, determining that the popup notification comprises payment characteristics;
the payment element is used for matching whether an element corresponding to payment is included in the pop-up window notification.
29. The payment security sandbox implementation system of claim 27 or 28, wherein said payment security policy further comprises:
the second judgment unit is used for judging whether corresponding data and instructions for payment are called in the information of the payment request; and if so, judging that the payment request is legal.
30. The payment security sandbox implementation system of claim 29, wherein said second determination unit comprises:
a class name acquisition subunit, a popup notification unit and a display unit, wherein the class name acquisition subunit is used for acquiring the class name of a class called in the popup notification;
the class name judging subunit is used for judging whether the class name exists in a class name list stored in advance; and if so, judging that the popup notification calls a class for payment.
31. The payment security sandbox implementation system of claim 30, wherein said second determination unit further comprises:
and the calling and judging subunit is used for judging that the popup notification comprises the payment characteristic when the popup notification calls the class for payment.
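As an added illustration of the payment security policy in claims 27 to 31 (example code written for this page, not the patent's implementation), the following Python models the three judgments the claims describe: the presence of payment security parameters, the presence of payment elements among the popup's interface elements, and the lookup of called class names in a list stored in advance. The popup structure, the parameter names, the element keywords and the class-name list are all assumptions chosen to exercise the checks; the sample popups are constructed.

```python
"""Model of the payment security policy in claims 27-31 (constructed example).

Added illustration, not the patent's implementation. The popup structure,
field names, the required parameter names and the stored class-name list
are assumptions chosen to exercise the checks the claims describe.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed: class names stored in advance as the classes a genuine payment
# flow calls (placeholder names, not any real SDK).
KNOWN_PAYMENT_CLASSES = frozenset({
    "com.example.pay.CheckoutActivity",
    "com.example.pay.PaymentService",
})

# Assumed: substrings that make an interface element a "payment element".
PAYMENT_ELEMENT_KEYWORDS = ("pay", "amount", "order", "cashier")

# Assumed: parameters a well-formed payment request must carry.
REQUIRED_SECURITY_PARAMS = ("merchant_id", "order_id", "sign")


@dataclass
class PopupNotification:
    """One popup as the monitoring module sees it (constructed structure)."""
    elements: List[str]                                   # interface element labels
    called_classes: List[str]                             # classes the popup invoked
    params: Dict[str, str] = field(default_factory=dict)  # payment request parameters


def matches_payment_element(label: str) -> bool:
    """Claim 28: does one interface element correspond to payment?"""
    lowered = label.lower()
    return any(keyword in lowered for keyword in PAYMENT_ELEMENT_KEYWORDS)


def has_payment_elements(note: PopupNotification) -> bool:
    """Characteristic judgment subunit: any payment element in the popup?"""
    return any(matches_payment_element(e) for e in note.elements)


def calls_payment_class(note: PopupNotification) -> bool:
    """Claims 30-31: is a called class in the pre-stored class-name list?"""
    return any(c in KNOWN_PAYMENT_CLASSES for c in note.called_classes)


def has_security_params(note: PopupNotification) -> bool:
    """Claim 27: does the request carry every payment security parameter?"""
    return all(note.params.get(p) for p in REQUIRED_SECURITY_PARAMS)


@dataclass(frozen=True)
class Verdict:
    is_payment: bool          # the popup shows a payment characteristic
    legal: bool               # the request passes the payment security policy
    reasons: Tuple[str, ...]  # which checks fired, for the monitoring log


def evaluate(note: PopupNotification) -> Verdict:
    """Combine the judgments. A popup with a payment characteristic is legal
    when it carries the security parameters (first judgment) or calls a
    pre-stored payment class (second judgment); one that looks like a
    payment dialog but satisfies neither is reported as not legal, which is
    what a forged payment popup would produce."""
    if not (has_payment_elements(note) or calls_payment_class(note)):
        return Verdict(False, False, ("no payment characteristic",))
    reasons = []
    if has_security_params(note):
        reasons.append("payment security parameters present")
    if calls_payment_class(note):
        reasons.append("calls a pre-stored payment class")
    legal = bool(reasons)
    if not legal:
        reasons.append("payment elements shown without parameters or known class")
    return Verdict(True, legal, tuple(reasons))


# Constructed sample popups.
GENUINE = PopupNotification(
    elements=["Order total: 9.99", "Pay now"],
    called_classes=["com.example.pay.CheckoutActivity"],
    params={"merchant_id": "m-001", "order_id": "o-42", "sign": "placeholder"},
)
FORGED = PopupNotification(  # payment-looking overlay raised by an unknown class
    elements=["Enter card number to pay"],
    called_classes=["com.unknown.Overlay"],
    params={"order_id": "o-42"},
)
CHAT = PopupNotification(elements=["New message", "Reply"],
                         called_classes=["com.example.chat.Notifier"])

if __name__ == "__main__":
    for name, note in (("genuine", GENUINE), ("forged", FORGED), ("chat", CHAT)):
        print(name, evaluate(note))
```

The point of returning the reasons alongside the verdict is that the sandbox's monitoring log then records which judgment admitted a request; a popup that displays payment elements while carrying neither the security parameters nor a call into a registered payment class is exactly the case the policy exists to surface.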
32. The payment security sandbox implementation system of claim 26, wherein the set items of the environment configuration information of said sandbox include an object property for directing execution of said monitoring module and pointing information, corresponding to the object property, that directs that execution.
33. The payment security sandbox implementation system of claim 32, wherein said object property is primarily for supporting execution of a callback function table, and said pointing information is primarily for the distribution function that distributes hook functions.
34. The payment security sandbox implementation system of claim 26, wherein said construct execution unit comprises:
a control operation subunit for operating the control module;
a configuration incubator subunit for configuring, with the control module, the incubator based on the system original incubator;
and the connection establishing subunit is used for establishing the connection between the control module and the incubator.
35. The payment security sandbox implementation system of claim 34, wherein said control module establishes a connection with said incubator based on a socket generated by said incubator.
36. The payment security sandbox implementation system of claim 26, wherein said modification invocation module further comprises:
and the loading starting submodule is used for loading the distribution module into the incubator by using the guide module, so that the distribution module enters the process of the application program to be run when that process starts.
37. The payment security sandbox implementation system of claim 36, wherein said invocation execution module comprises:
and the identification and distribution unit is used for identifying the specific instruction of the process of the application program by the monitoring module and distributing a corresponding hook function to the related specific instruction through the distribution module.
38. The payment security sandbox implementation system of claim 26, wherein the monitoring module is registered as a service process and implements activity monitoring of the application program by associating a hook function with a call instruction of the running process of the application program.
39. The payment security sandbox implementation system of claim 38, wherein the monitoring module includes an identification redirection unit configured to redirect the resource request of the associated call instruction, so as to provide the correct resource for execution of the process of the application program, when the monitoring module monitors that the process of the application program requires calling an unmatched resource.
40. The payment security sandbox implementation system of claim 38, wherein the monitoring module includes an identification return unit for returning custom data to an associated call instruction when the monitoring module monitors unauthorized access to the process of the application.
41. An application process monitoring system, comprising:
the information modification module is used for responding to the running instruction of the application program and modifying the environment configuration information in the virtual machine through the incubator, so that the virtual machine is suitable for calling the monitoring module to monitor the running of the process of the application program to be run, and comprises:
the application submodule is used for responding to the running instruction of the application program and requesting a process running environment from the incubator;
the construction unit is used for constructing, from the system original incubator, the incubator that incubates the process running environment;
the establishing unit is used for establishing, by incubation through the incubator, the process running environment for the application program to be run;
the implantation submodule is used for implanting a guide module into the process running environment and running it;
the modification submodule is used for modifying the environment configuration information in the virtual machine through the guide module;
the calling submodule is used for calling the monitoring module according to the environment configuration information so as to monitor the running of the process of the application program to be run;
the identification guiding module is used for identifying a specific instruction of the process of the application program by the monitoring module and guiding to call a hook function corresponding to the specific instruction;
and the execution callback module is used for finishing the execution of the hook function and calling back to execute the application program process.
42. An application program process monitoring system as recited in claim 41, wherein the setting items of the environment configuration information of the virtual machine include an object property for guiding the execution of the monitoring module and pointing information, corresponding to the object property, that guides that execution.
43. The application program process monitoring system of claim 42, wherein the object property is primarily used to support execution of a callback function table, and the pointing information is primarily used for the distribution function that distributes the hook functions.
44. An application process monitoring system according to claim 41, wherein the construction unit comprises:
the operation subunit is used for operating the control module;
an incubator construction subunit for constructing the incubator based on the system original incubator by using the control module;
and the connection establishing subunit is used for establishing the connection between the control module and the incubator.
45. The application process monitoring system of claim 44, wherein the control module establishes a connection with the incubator based on a socket generated by the incubator.
46. The application process monitoring system of claim 41, wherein the information modification module further comprises:
and the loading submodule is used for loading the distribution module into the incubator by using the guide module, so that the distribution module enters the process of the application program to be run when that process starts.
47. An application process monitoring system as defined in claim 46, wherein the identification guiding module comprises:
and the distribution unit is used for identifying the specific instruction of the process of the application program by the monitoring module and distributing a corresponding hook function to the related specific instruction through the distribution module.
48. An application program process monitoring system according to claim 41, wherein the monitoring module is registered as a service process, and the activity monitoring of the application program is implemented by associating the hook function with a call instruction of the running process of the application program.
49. An application program process monitoring system as defined in claim 48, wherein the monitoring module includes a redirection unit to redirect the resource request of the associated call instruction, so as to provide the correct resource for execution of the process of the application program, when the monitoring module monitors that the process of the application program requires a call to an unmatched resource.
50. An application program process monitoring system as defined in claim 48, wherein the monitoring module includes a data return unit to return custom data to an associated call instruction when the monitoring module monitors unauthorized access to the process of the application program.
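The hook mechanism that claims 32 to 40 and 41 to 50 describe (a callback function table carried as an object property, a distribution function carried as pointing information, hooks that redirect a request for an unmatched resource or return custom data on unauthorized access, and a call back into the process afterwards) is modelled below in Python. This is an added example written for this page, not code from the patent or its assignee: the instruction names, the paths, the fake file system, the hook bodies and the sample process are all assumptions, and the environment configuration is a plain object rather than anything inside an Android virtual machine.

```python
"""Model of the hook dispatch in claims 32-40 and 41-50 (constructed example).

Added illustration, not the patent's code. The environment configuration
carries an object property (a callback function table) and pointing
information (a distribution function) that routes a process's specific
instructions to hook functions; a hook may redirect a resource request
(claims 39/49) or return custom data (claims 40/50) before control goes
back to the process. Instruction names, paths, the fake file system and the
sample process are assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for the resources the original (unhooked) calls reach.
FAKE_FS: Dict[str, bytes] = {
    "/data/app/config.json": b'{"mode":"real"}',
    "/data/sandbox/app/config.json": b'{"mode":"sandbox"}',
    "/data/system/accounts.db": b"account secrets",
}

SANDBOX_ROOT = "/data/sandbox/app/"                  # assumed per-app sandbox directory
REAL_ROOT = "/data/app/"                             # assumed location the app expects
PROTECTED = frozenset({"/data/system/accounts.db"})  # assumed off-limits resource


@dataclass(frozen=True)
class HookResult:
    action: str           # "pass": run the original call unchanged;
                          # "redirect": run it with replaced arguments;
                          # "return": skip it and hand back custom data
    value: object = None


Hook = Callable[[str, tuple], HookResult]


@dataclass
class SandboxEnv:
    """Environment configuration as the guide module would set it."""
    callback_table: Dict[str, Hook] = field(default_factory=dict)  # object property
    audit: List[str] = field(default_factory=list)                 # monitoring log

    def distribute(self, instr: str, args: tuple) -> HookResult:
        """Pointing information: the distribution function that looks up the
        callback table and runs the matching hook, passing through otherwise."""
        hook = self.callback_table.get(instr)
        result = hook(instr, args) if hook else HookResult("pass")
        self.audit.append(f"{instr}{args} -> {result.action}")
        return result


# Original operations the process would reach without the sandbox (constructed).
def original_open(path: str) -> bytes:
    return FAKE_FS.get(path, b"")


def original_getpid() -> int:
    return 4242  # constructed value


ORIGINALS: Dict[str, Callable] = {"open": original_open, "getpid": original_getpid}


# Hook function the monitoring module distributes to the "open" instruction.
def open_hook(instr: str, args: tuple) -> HookResult:
    path = args[0]
    if path in PROTECTED:
        # Claims 40/50: unauthorized access receives custom data instead of the resource.
        return HookResult("return", b"")
    if path.startswith(REAL_ROOT):
        # Claims 39/49: the process asked for a resource that does not match its
        # sandboxed environment; redirect the request to the sandbox copy.
        return HookResult("redirect", (SANDBOX_ROOT + path[len(REAL_ROOT):],))
    return HookResult("pass")


def execute_instruction(env: SandboxEnv, instr: str, args: tuple = ()):
    """Identify the instruction, route it through the distribution function,
    then call back into the original operation (claims 37/47 and 26/41)."""
    result = env.distribute(instr, args)
    if result.action == "return":
        return result.value
    if result.action == "redirect":
        args = result.value
    return ORIGINALS[instr](*args)


def make_env() -> SandboxEnv:
    return SandboxEnv(callback_table={"open": open_hook})


def run_sample_process(env: SandboxEnv) -> Tuple[bytes, bytes, bytes, int]:
    """Constructed process: reads its config at the path it expects, touches a
    protected file, reads a sandbox-local file, and asks for its pid."""
    return (
        execute_instruction(env, "open", ("/data/app/config.json",)),
        execute_instruction(env, "open", ("/data/system/accounts.db",)),
        execute_instruction(env, "open", ("/data/sandbox/app/config.json",)),
        execute_instruction(env, "getpid"),
    )


if __name__ == "__main__":
    env = make_env()
    print(run_sample_process(env))
    print("\n".join(env.audit))
```

Two design points carry over from the claims: the process never sees the hook (it receives either the redirected resource or the custom data and continues), and every dispatch leaves an audit entry, so the monitoring module has a record of which instructions were redirected or answered with custom data.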
CN201510996556.5A 2015-12-25 2015-12-25 Payment security sandbox implementation method and system and application program monitoring method and system Active CN105427096B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510996556.5A CN105427096B (en) 2015-12-25 2015-12-25 Payment security sandbox implementation method and system and application program monitoring method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510996556.5A CN105427096B (en) 2015-12-25 2015-12-25 Payment security sandbox implementation method and system and application program monitoring method and system

Publications (2)

Publication Number Publication Date
CN105427096A CN105427096A (en) 2016-03-23
CN105427096B true CN105427096B (en) 2020-02-07

Family

ID=55505287

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510996556.5A Active CN105427096B (en) 2015-12-25 2015-12-25 Payment security sandbox implementation method and system and application program monitoring method and system

Country Status (1)

Country Link
CN (1) CN105427096B (en)

Families Citing this family (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106681801B (en) * 2016-05-09 2019-07-23 腾讯科技(深圳)有限公司 The execution method and apparatus of event
CN105956474B (en) * 2016-05-17 2018-12-25 武汉虹旭信息技术有限责任公司 Android platform software unusual checking system
CN105893839B (en) * 2016-06-20 2019-02-12 北京奇虎科技有限公司 A kind of proxy processing method and device of the broadcast of Android application
CN106055485A (en) * 2016-07-08 2016-10-26 北京奇虎科技有限公司 Method, device and system for testing application
CN106875184B (en) * 2016-08-10 2020-07-24 阿里巴巴集团控股有限公司 Abnormal scene simulation method, device and equipment
CN106330556B (en) * 2016-08-30 2019-06-25 北京百度网讯科技有限公司 A kind of method and apparatus calling related information for generating service module
CN106372509B (en) * 2016-09-30 2019-08-23 北京奇虎科技有限公司 A kind of method and device of the unknown suspect application programs of killing
CN108345496B (en) * 2017-01-23 2020-12-15 华为技术有限公司 Method and device for running application program
CN108399331B (en) * 2017-02-06 2023-05-05 腾讯科技(深圳)有限公司 Application process trial method and system
CN107292614A (en) * 2017-06-28 2017-10-24 广东欧珀移动通信有限公司 Pay class application management method, device and mobile terminal
US11062021B2 (en) * 2017-08-29 2021-07-13 NortonLifeLock Inc. Systems and methods for preventing malicious applications from exploiting application services
CN108805541B (en) * 2018-05-24 2022-05-13 陈明栋 Payment method and system, and storage medium
CN108830590A (en) * 2018-05-28 2018-11-16 银盒达信息技术(深圳)有限公司 The acquisition device and terminal device of a kind of acquisition methods of information, information
CN109271792B (en) * 2018-08-15 2022-02-18 中国人民解放军陆军工程大学 Terminal peripheral control method and device based on Android local layer hook
CN109635523B (en) * 2018-11-29 2024-04-16 北京奇虎科技有限公司 Application program detection method and device and computer readable storage medium
CN109784055B (en) * 2018-12-29 2021-01-08 上海高重信息科技有限公司 Method and system for rapidly detecting and preventing malicious software
CN110428315B (en) * 2019-07-15 2022-03-22 中国人民银行清算总中心 Data transmission method and device in asynchronous calling process of summary check subsystem
CN110428314B (en) * 2019-07-15 2022-03-18 中国人民银行清算总中心 Asynchronous calling method and device for summary check subsystem and electronic equipment
CN110427752A (en) * 2019-08-06 2019-11-08 北京智游网安科技有限公司 A kind of method, mobile terminal and the storage medium of sandbox monitoring application program
CN112148313B (en) * 2020-09-21 2022-05-20 厦门芯鸽信息科技有限公司 Method, medium and equipment for simultaneously running multiple same-name applications in sandbox
CN114706662B (en) * 2022-06-08 2022-09-02 杭州比智科技有限公司 Method and system for realizing dynamic simulation of business operation and data based on JVM sandbox

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102930210A (en) * 2012-10-14 2013-02-13 江苏金陵科技集团公司 System and method for automatically analyzing, detecting and classifying malicious program behavior
CN103345604A (en) * 2013-07-16 2013-10-09 湘潭大学 Sandbox system based on light-weight virtual machine monitor and method for monitoring OS with sandbox system
CN103646211A (en) * 2013-12-05 2014-03-19 北京奇虎科技有限公司 Method and device for loading payment webpage in browser
CN104375494A (en) * 2014-12-02 2015-02-25 北京奇虎科技有限公司 Security sandbox construction method and security sandbox construction device
CN105095741A (en) * 2014-05-13 2015-11-25 北京奇虎测腾科技有限公司 Behavior monitoring method and behavior monitoring system of application program

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10742604B2 (en) * 2013-04-08 2020-08-11 Xilinx, Inc. Locked down network interface


Also Published As

Publication number Publication date
CN105427096A (en) 2016-03-23

Similar Documents

Publication Publication Date Title
CN105427096B (en) Payment security sandbox implementation method and system and application program monitoring method and system
US11604878B2 (en) Dynamic analysis techniques for applications
US9846776B1 (en) System and method for detecting file altering behaviors pertaining to a malicious attack
US8099472B2 (en) System and method for a mobile cross-platform software system
US20210157920A1 (en) Dynamic analysis techniques for applications
US9208328B2 (en) Security system and method for operating systems
JP5957492B2 (en) System and method for behavioral sandbox
US9973531B1 (en) Shellcode detection
US20150332043A1 (en) Application analysis system for electronic devices
US20100031308A1 (en) Safe and secure program execution framework
Egners et al. Messing with Android's permission model
CN102332072A (en) The system and method that is used for detection of malicious software and management Malware relevant information
KR20140074252A (en) Secure execution of unsecured apps on a device
CN104392176A (en) Mobile terminal and method for intercepting device manager authority thereof
US11853425B2 (en) Dynamic sandbox scarecrow for malware management
CN105631312B (en) The processing method and system of rogue program
CN104376256A (en) Application program process zygote control method and device
US20160055344A1 (en) Data loss prevention during app execution using e-mail enforcement on a mobile device
CN104375494A (en) Security sandbox construction method and security sandbox construction device
Kandukuru et al. Android malicious application detection using permission vector and network traffic analysis
Zhou et al. Demystifying diehard android apps
Pecka et al. Privilege escalation attack scenarios on the devops pipeline within a kubernetes environment
Ju et al. Research on android malware permission pattern using permission monitoring system
Nazar et al. Rooting Android–Extending the ADB by an auto-connecting WiFi-accessible service
Acin Sanz ANDRIK: Automated Android malware analysis

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20240104

Address after: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.