CN106203080B - System calling method and device - Google Patents


Publication number: CN106203080B
Authority: CN (China)
Prior art keywords: system call, call request, permission, kernel, safety check
Legal status: Active
Application number: CN201610555203.6A
Other languages: Chinese (zh)
Other versions: CN106203080A (en)
Inventor: 高连凯
Current Assignee: Yuanxin Information Technology Group Co ltd
Original Assignee: Yuanxin Technology
Application filed by Yuanxin Technology
Priority to CN201610555203.6A
Publication of CN106203080A
Application granted
Publication of CN106203080B

Classifications

    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F2221/033 Test or assess software
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

An embodiment of the invention provides a system call method and device. The method comprises: after receiving a system call request from an application, performing a permission check on the request; after the permission check passes, carrying the preset security identifier of the permission and security check module in the system call request as the sender identifier and sending the request to the kernel; and, after the kernel receives the request, performing the corresponding system call if the sender identifier of the received request is consistent with the pre-stored security identifier. In the embodiment, the permission check on an application's system call request is performed in the application layer, outside the kernel, and the preset security identifier of the permission and security check module is placed in the request for the kernel to recognize. This part of the code is not open-source code and need not be disclosed, which greatly enhances the security of system calls.

Description

System call method and device
Technical field
The present invention relates to the field of terminal technology, and in particular to a system call method and device.
Background art
With the development of science and technology, intelligent terminals such as smartphones, tablet computers and e-readers have become widespread. A large number of intelligent terminals run operating systems based on the Linux kernel, such as Android, Tizen, Ubuntu and FireFox. These operating systems are usually implemented by adding their own framework layers on top of the Linux kernel.
In an operating system based on the Linux kernel (hereinafter, the operating system), the Linux kernel manages system resources centrally. An application program in the application layer (hereinafter, an application) generally makes a system call as follows: the application sends a system call request to the system call interface in the kernel; the several security modules built into the kernel each execute their own security mechanism, that is, they perform various security or permission checks on the request, for example DAC (Discretionary Access Control), MAC (Mandatory Access Control) and capability checks; the kernel then executes the system call according to the request.
However, the inventors of the present invention found that Linux is an open-source project, so kernel code is generally required to be disclosed. The existing security modules that execute the various security mechanisms are built into the Linux kernel. Even if a security module is improved to strengthen its security mechanism, the source code of the improved module must still be disclosed under the applicable agreement, so attackers such as hackers can still obtain the security mechanism of the improved module. As a result, existing system call methods remain vulnerable to attack, offer low security, easily cause losses to users and degrade the user experience.
Summary of the invention
In view of the shortcomings of the existing approach, the present invention proposes a system call method and device to solve the problem in the prior art that system calls have low security.
According to one aspect, an embodiment of the present invention provides a system call method, comprising:
after receiving a system call request from an application, performing a permission check on the system call request;
after the permission check passes, carrying the preset security identifier of the permission and security check module in the system call request as the sender identifier, and sending the request to the kernel;
after the kernel receives the system call request, performing the corresponding system call if it determines that the sender identifier of the received request is consistent with the pre-stored security identifier.
According to another aspect, an embodiment of the present invention further provides a system call device, comprising:
a permission and security check module, located in the application layer, configured to perform a permission check on a system call request after receiving it from an application and, after the permission check passes, to carry the preset security identifier of the permission and security check module in the system call request as the sender identifier and send the request to the kernel;
a system call interface module, located in the kernel, configured to perform the corresponding system call if, after receiving a system call request, it determines that the sender identifier of the received request is consistent with the pre-stored security identifier.
In embodiments of the present invention, the permission check on an application's system call request is performed in the application layer, outside the kernel, and the preset security identifier of the permission and security check module is placed in the system call request for the kernel to recognize. This part of the code is not open-source code and need not be disclosed, which greatly enhances the security of system calls.
Additional aspects and advantages of the invention will be set forth in part in the description that follows; they will become apparent from that description or be learned through practice of the invention.
Brief description of the drawings
The above and/or additional aspects and advantages of the invention will become apparent and readily understood from the following description of the embodiments taken in conjunction with the accompanying drawings, in which:
Figs. 1a and 1b are flow diagrams of the system call methods of embodiments of the present invention;
Fig. 2 is a schematic block diagram of the internal structure of the system call device of an embodiment of the present invention.
Detailed description of the embodiments
Embodiments of the present invention are described in detail below, and examples of the embodiments are shown in the accompanying drawings, in which the same or similar reference numerals throughout denote the same or similar elements, or elements with the same or similar functions. The embodiments described below with reference to the drawings are exemplary; they serve only to explain the invention and are not to be construed as limiting the claims.
Those skilled in the art will appreciate that, unless expressly stated otherwise, the singular forms "a", "an", "said" and "the" used herein may also include the plural. It should be further understood that the word "comprising" used in this specification indicates the presence of the stated features, integers, steps, operations, elements and/or components, but does not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups thereof. It should be understood that when an element is said to be "connected" or "coupled" to another element, it may be directly connected or coupled to the other element, or intermediate elements may be present. In addition, "connected" or "coupled" as used herein may include wireless connection or wireless coupling. The term "and/or" used herein includes all or any one of, and all combinations of, one or more of the associated listed items.
Those skilled in the art will appreciate that, unless otherwise defined, all terms used herein (including technical and scientific terms) have the same meaning as commonly understood by a person of ordinary skill in the art to which the invention belongs. It should also be understood that terms such as those defined in general dictionaries should be understood to have a meaning consistent with their meaning in the context of the prior art and, unless specifically defined as here, will not be interpreted in an idealized or overly formal sense.
Those skilled in the art will appreciate that "terminal" and "terminal device" as used herein include both devices with only a wireless signal receiver, which has no transmitting capability, and devices with receiving and transmitting hardware capable of two-way communication over a bidirectional communication link. Such devices may include: cellular or other communication devices, with a single-line display, a multi-line display, or no multi-line display; PCS (Personal Communications Service) devices, which may combine voice, data processing, fax and/or communication capabilities; PDAs (Personal Digital Assistants), which may include a radio-frequency receiver, pager, Internet/intranet access, web browser, notepad, calendar and/or GPS (Global Positioning System) receiver; and conventional laptop and/or palmtop computers or other devices that have and/or include a radio-frequency receiver. A "terminal" or "terminal device" as used herein may be portable, transportable, installed in a vehicle (air, sea and/or land), or suited and/or configured to operate locally and/or, in distributed form, at any other location on Earth and/or in space. A "terminal" or "terminal device" as used herein may also be a communication terminal, an Internet access terminal or a music/video playback terminal, for example a PDA, a MID (Mobile Internet Device) and/or a mobile phone with music/video playback functions, or a device such as a smart TV or set-top box.
In embodiments of the present invention, a permission and security check module is provided in the application layer. After receiving a system call request from an application, the module performs a permission check on it; after the check passes, it carries its own preset security identifier in the request as the sender identifier and sends the request to the kernel. After receiving the request, the kernel performs the corresponding system call if it determines that the sender identifier of the received request is consistent with the pre-stored security identifier. Thus, in embodiments of the invention, the permission check on an application's system call request is performed in the application layer, outside the kernel, and the preset security identifier of the permission and security check module is placed in the request for the kernel to recognize. This part of the code is not open-source code and need not be disclosed, which greatly enhances the security of system calls.
Moreover, in embodiments of the present invention, if the kernel determines that the sender identifier of a received system call request is inconsistent with the pre-stored security identifier of the permission and security check module, it refuses to execute the request. Thus, system call requests that existing applications send directly to the kernel do not carry the security identifier of the security check module and are all refused by the kernel. This prevents illegal applications such as viruses, Trojans and rogue programs from intruding by exploiting the existing Linux security mechanisms, and greatly enhances the security of system calls.
Further, the inventors also found that in existing system call methods the security modules executing the various security mechanisms are built into the operating system kernel. Because of the huge amount of kernel code and the conventions of the open-source community, modifying a security module and its security mechanism is extremely difficult, which in turn makes customizing a new security mechanism extremely difficult.
Based on this finding, in embodiments of the present invention a security policy customized for the user can conveniently be set in the application layer, so that the permission and security check module can perform permission checks on applications' call requests more flexibly and in a more personalized way according to the customized policy. While system call security is ensured, the differing needs of various users can be met and the user experience improved. Moreover, compared with modifying a security module in the kernel, the amount of code modification is greatly reduced, compatibility is better and applicability is wider.
The technical solutions of the embodiments of the present invention are described in detail below with reference to the accompanying drawings.
The intelligent terminal of the embodiments may be a terminal device such as a smartphone or tablet computer.
The application scenario of the embodiments is an operating system based on the Linux kernel, such as the Android, Tizen, Ubuntu and FireFox systems.
An embodiment of the invention provides a system call method for applications. Its flow is shown in Fig. 1a and includes the following steps:
S101: The application sends a system call request to the permission and security check module.
In embodiments of the invention, the permission and security check module and its security identifier are preset in the application layer of the operating system. The security identifier of the permission and security check module includes identity information and/or address information of the module.
In client-server mode, the application acts as the client, and the permission and security check module runs independently as an entity (similar to an application) and acts as the server. In this mode, identity information such as a fixed UID (User IDentification, user identifier) or PID (Process IDentification, process identifier), and/or address information such as an output address, can be preset as identity information and/or address information dedicated to the permission and security check module; it forms the module's security identifier.
In resident mode, the permission and security check module is linked with the application in the form of a library and runs automatically when the application runs.
Specifically, if the permission and security check module is built as a static library, it is compiled together with the application into a single runnable program; when the application runs, the module is automatically placed in a preset fixed address space. If the module is built as a dynamic library, a link to it is compiled into the application's runnable program; when the application runs, the module is obtained automatically through the link and placed in the preset fixed address space. The preset fixed address space serves as address information dedicated to the permission and security check module and forms the module's security identifier.
The application sends its system call request to the permission and security check module. In form, a system call request may resemble a trap instruction. Its content may include at least one of the following: accessing a database, accessing input/output files, accessing system services, and so on.
It will be appreciated that an existing application typically sends its system call request directly to the system call interface in the kernel, whereas the application in embodiments of the invention is modified so that it sends the system call request to the permission and security check module.
S102: After receiving the application's system call request, the permission and security check module performs a permission check on it. If the permission check passes, step S103 is executed; if the permission check fails, the received system call request is ignored.
After receiving the application's system call request, the permission and security check module performs the permission check according to the permissions recorded for each application in the preset security policy.
Specifically, it determines whether the permission involved in the application's system call request matches the permissions that the application has in the security policy. If so, the permission check passes and step S103 is executed; otherwise the permission check fails and the received system call request is ignored.
It is easy to see that many applications today preset access options that are incompatible with their function. For example, a flashlight application, besides the access option for the camera, also presets access options for the (intelligent terminal's) location information, WLAN (Wireless Local Area Network) and list of installed applications. Clearly, the flashlight application provides illumination by using the camera's fill light as a flashlight, and location information, WLAN and the installed application list have nothing to do with that function. Therefore, the permissions an application's function needs, and/or the permissions corresponding to access options incompatible with its function, can be determined in advance and recorded in the security policy. Permissions corresponding to access options incompatible with the application's function are then filtered out according to the security policy, reducing the probability of leaking user information.
Preferably, a user-customized security policy can be set in the permission and security check module according to the user's needs. For example, security policy A is customized for company A and security policy B for company B, and policies A and B are set in the permission and security check modules of the intelligent terminals of companies A and B respectively.
The permission and security check module can perform permission checks on applications' call requests more flexibly and in a more personalized way according to the customized security policy. While system call security is ensured, the differing needs of various users can be met and the user experience improved. Moreover, compared with modifying a security module in the kernel, the amount of code modification is greatly reduced, compatibility is better and applicability is wider.
S103: The preset security identifier of the permission and security check module is carried in the system call request as the sender identifier, and the request is sent to the kernel.
The security identifier of the permission and security check module includes identity information and/or address information of the module. The identity information may include at least one of the following: a fixed UID, PID, etc. The address information may include at least one of the following: a fixed output address, address space, etc.
The permission and security check module carries its own preset security identifier in the system call request as the sender identifier and sends the request to the kernel.
S104: After receiving the system call request, the kernel determines whether the sender identifier of the received request is consistent with the pre-stored security identifier. If consistent, step S105 is executed; if inconsistent, step S106 is executed.
After receiving the system call request, the kernel determines whether the sender identifier of the received request is consistent with the security identifier of the permission and security check module pre-stored in the kernel. If consistent, step S105 is executed; if inconsistent, step S106 is executed.
S105: The kernel performs the corresponding system call.
After determining in step S104 that the sender identifier of the system call request is consistent with the pre-stored security identifier of the permission and security check module, the kernel in this step executes the received system call request and performs the corresponding system call.
S106: The kernel refuses to execute the received system call request and returns an access-denied message to the application that sent the request.
After determining in step S104 that the sender identifier of the system call request is inconsistent with the pre-stored security identifier of the permission and security check module, the kernel in this step refuses to execute the received system call request and returns an access-denied message to the application that sent the request.
Preferably, the kernel returns the access-denied message directly to the application that sent the system call request over the return path of a conventional system call. The access-denied message carries the return value corresponding to refusal of the system call request; the return value is usually an integer (for example, the integer 13) and conforms to the POSIX (Portable Operating System Interface) standard.
It will be appreciated that applications which still rely on the traditional Linux security mechanism and send system call requests directly to the kernel are often illegal applications such as viruses, Trojans or rogue programs, or applications installed privately by the user of the intelligent terminal without the permission of the company or the relevant department. Refusing the system call requests of these applications greatly reduces the probability that the intelligent terminal is compromised or leaks information, thereby strengthening the security of the information on the intelligent terminal.
Preferably, an embodiment of the invention provides another system call method for applications. Its flow is shown in Fig. 1b and includes the following steps:
S111: The application sends a system call request to the permission and security check module.
The specific method of this step is the same as that of step S101 above and is not repeated here.
S112: After receiving the application's system call request, the permission and security check module performs a permission check on it. If the permission check passes, step S113 is executed; if the permission check fails, the received system call request is ignored.
The specific method of this step is the same as that of step S102 above and is not repeated here.
S113: The preset security identifier of the permission and security check module is carried in the system call request as the sender identifier, and the request is sent to the kernel.
The specific method of this step is the same as that of step S103 above and is not repeated here.
S114: After receiving the system call request, the kernel determines whether the sender identifier of the received request is consistent with the pre-stored security identifier. If consistent, step S115 is executed; if inconsistent, step S117 is executed.
After receiving the system call request, the kernel determines whether the sender identifier of the received request is consistent with the security identifier of the permission and security check module pre-stored in the kernel. If consistent, step S115 is executed; if inconsistent, step S117 is executed.
S115: Using the security identifier, the kernel verifies the legitimacy of the related information of the permission and security check module. If the verification result is legitimate, step S116 is executed; if the verification result is illegitimate, step S117 is executed.
Preferably, in embodiments of the invention, the permission and security check module holds its related information and a digital signature. The related information of the permission and security check module may be the source code of the module (all or part of it) or other content that identifies the module. A unique digest is computed from the related information according to a predetermined algorithm, and the digest is encrypted with a predetermined private key to obtain the digital signature.
The predetermined algorithm and the public key corresponding to the predetermined private key are pre-stored in the kernel. The kernel verifies the legitimacy of the obtained related information of the permission and security check module against the obtained digital signature of that information.
Specifically, the kernel uses the security identifier of the permission and security check module to obtain from the module its preset related information and digital signature. The kernel computes the digest of the obtained related information with the pre-stored predetermined algorithm, and decrypts the digital signature with the pre-stored public key to obtain a digest. It then determines whether the computed digest and the decrypted digest are consistent. If so, the verification result is legitimate and step S116 is executed; otherwise the verification result is illegitimate and step S117 is executed.
Further, the predetermined algorithm and the public key corresponding to the predetermined private key may be stored in the permission and security check module together with the digital signature.
In that case, the kernel uses the security identifier of the permission and security check module to obtain from the module its preset related information and digital signature, together with the public key and the algorithm. The kernel computes the digest of the obtained related information with the obtained algorithm, and decrypts the digital signature with the obtained public key to obtain a digest. It then determines whether the computed digest and the decrypted digest are consistent. If so, the verification result is legitimate and step S116 is executed; otherwise the verification result is illegitimate and step S117 is executed.
It will be appreciated that verifying the legitimacy of the related information of the permission and security check module prevents the module from being tampered with illegally and enhances its security, which further enhances the overall security of the embodiments of the invention.
S116: The kernel performs the corresponding system call.
After the kernel determines in step S115 above that the legitimacy verification result for the relevant information of the permission and safety check module is legal, in this step it executes the received system call request and performs the corresponding system call.
S117: The kernel refuses to execute the received system call request and returns an access-denied message to the application that sent the system call request.
After the kernel determines in step S114 above that the sender identifier of the system call request is inconsistent with the prestored security identifier of the permission and safety check module, or determines in step S115 above that the legitimacy verification result for the relevant information of the permission and safety check module is illegal, in this step it refuses to execute the received system call request and returns an access-denied message to the application that sent the system call request.
Preferably, the kernel returns the access-denied message directly to the application that sent the system call request through the return path of a conventional system call. The access-denied message carries the return value corresponding to the refused system call request; the return value is usually an integer (for example, the integer 13) and conforms to the POSIX standard.
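The kernel-side decision of steps S114 to S117, for the variant in which the public key is prestored in the kernel, is shown here as an added C example that is not code from the patent. The struct and function names are hypothetical, and textbook RSA with a tiny constructed key plus an FNV-1a digest stand in for the signature scheme and the predetermined algorithm, neither of which the patent names.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy key (assumption): textbook RSA, n = 61 * 53, e = 17,
 * d = 2753. Far too small for real use; it only makes the flow runnable. */
#define TOY_N 3233u
#define TOY_E 17u
#define TOY_D 2753u

struct syscall_request { uint32_t sender_id; int nr; };

/* What the kernel fetches from the permission and safety check module. */
struct module_record {
    uint32_t security_id;  /* hypothetical encoding of the security identifier */
    const char *info;      /* the module's "relevant information" */
    uint32_t signature;    /* digital signature over info */
};

static uint32_t modpow(uint32_t base, uint32_t exp, uint32_t mod) {
    uint64_t result = 1, b = base % mod;
    for (; exp; exp >>= 1) {
        if (exp & 1)
            result = result * b % mod;
        b = b * b % mod;
    }
    return (uint32_t)result;
}

/* Stand-in for the predetermined digest algorithm: FNV-1a reduced mod n. */
static uint32_t toy_digest(const char *s) {
    uint32_t h = 2166136261u;
    for (; *s; s++)
        h = (h ^ (unsigned char)*s) * 16777619u;
    return h % TOY_N;
}

/* Signing is done when the module is built, never inside the kernel. */
uint32_t toy_sign(const char *info) {
    return modpow(toy_digest(info), TOY_D, TOY_N);
}

/* Steps S114 to S117: 0 means the call is dispatched (S116); -EACCES is the
 * refusal of S117 (EACCES is 13 on Linux, the integer the text mentions). */
int handle_syscall(const struct syscall_request *req, uint32_t stored_id,
                   const struct module_record *mod) {
    if (req->sender_id != stored_id || mod->security_id != stored_id)
        return -EACCES;                      /* S114: identifier mismatch */
    uint32_t computed = toy_digest(mod->info);
    uint32_t recovered = modpow(mod->signature, TOY_E, TOY_N);
    if (computed != recovered)
        return -EACCES;                      /* S115: digests differ */
    return 0;
}

int main(void) {
    /* Constructed sample values: identifier, module info, syscall number. */
    struct module_record mod = { 0x5EC1Du, "perm-check-module build 1", 0 };
    struct syscall_request req = { 0x5EC1Du, 39 };
    mod.signature = toy_sign(mod.info);
    printf("intact module: %d\n", handle_syscall(&req, 0x5EC1Du, &mod));
    mod.info = "perm-check-module build 1 (patched)";
    printf("modified info: %d\n", handle_syscall(&req, 0x5EC1Du, &mod));
    return 0;
}
```

The example follows the first variant because a public key fetched from the module itself is only as trustworthy as the module being verified.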
Based on the above system call method, an embodiment of the present invention further provides a system call device, which is arranged in the intelligent terminal of the embodiment of the present invention. A schematic block diagram of the internal structure of the device is shown in Figure 2; the device comprises a permission and safety check module 201 and a system call interface module 202.
The permission and safety check module 201 is arranged in the application layer of the intelligent terminal of the embodiment of the present invention. It is used for performing a permission check on a system call request after receiving the request from an application and, after the permission check passes, carrying the preset security identifier of the permission and safety check module 201 in the system call request as the sender identifier and sending the request to the kernel.
The system call interface module 202 is arranged in the kernel of the intelligent terminal of the embodiment of the present invention. It is used for performing the corresponding system call if, after receiving a system call request, it determines that the sender identifier of the received request is consistent with the prestored security identifier of the permission and safety check module 201.
Preferably, the system call interface module 202 is also used for refusing to execute the received system call request, and returning an access-denied message to the application that sent the request, if it determines that the sender identifier of the received request is inconsistent with the prestored security identifier.
Specifically, the permission and safety check module 201 is used for performing the permission check on the system call request according to a customized security policy.
Preferably, the system call interface module 202 is also used for verifying, according to the security identifier, the legitimacy of the relevant information of the permission and safety check module 201 after determining that the sender identifier of the received system call request is consistent with the prestored security identifier. If the verification result is legal, it performs the corresponding system call; if the verification result is illegal, it refuses to execute the received system call request and returns an access-denied message to the application that sent the request.
Further, the system call interface module 202 is specifically used for obtaining, according to the security identifier of the permission and safety check module 201, the preset relevant information of the permission and safety check module 201 and the digital signature of that information; calculating the digest of the obtained relevant information and decrypting the digital signature to obtain the corresponding digest; and determining whether the calculated digest and the decrypted digest are consistent. If so, the verification result is determined to be legal; otherwise the verification result is determined to be illegal.
For how the functions of the permission and safety check module 201 and the system call interface module 202 are implemented, refer to the process steps shown in Figure 1 and described above; details are not repeated here.
In the embodiment of the present invention, the permission check on an application's system call request is performed in the application layer, outside the kernel, and the preset security identifier of the permission and safety check module is placed in the system call request for the kernel to identify. This part of the code does not belong to the open-source code and is not disclosed, which greatly enhances the security of system calls.
Moreover, in the embodiment of the present invention, system call requests sent directly to the kernel by illegal applications among the existing applications, or by illegal applications disguised as existing applications, will all be refused by the kernel because they do not carry the security identifier of the safety check module. This prevents illegal applications such as viruses, Trojans and rogue programs from intruding by exploiting the existing Linux security mechanism, and greatly enhances the security of system calls.
Further, in the embodiment of the present invention, a security policy customized for the user can conveniently be placed in the application layer, so that the permission and safety check module can perform permission checks on applications' call requests more flexibly and in a more personalized way according to the customized security policy. On the basis of guaranteeing the security of system calls, this can meet the different needs of various users and improve the user experience. Moreover, compared with modifying a security module in the kernel, the amount of code modification is greatly reduced, compatibility is better and the range of application is wider.
Those skilled in the art will appreciate that the present invention involves one or more devices for performing the operations described herein. These devices may be specially designed and manufactured for the required purpose, or may comprise known devices in general-purpose computers. These devices have computer programs stored in them that are selectively activated or reconfigured. Such computer programs may be stored in a device-readable (for example, computer-readable) medium, or in any type of medium suitable for storing electronic instructions and coupled to a bus. The computer-readable medium includes, but is not limited to, any type of disk (including floppy disks, hard disks, optical discs, CD-ROMs and magneto-optical disks), ROM (Read-Only Memory), RAM (Random Access Memory), EPROM (Erasable Programmable Read-Only Memory), EEPROM (Electrically Erasable Programmable Read-Only Memory), flash memory, magnetic cards or optical cards. That is, a readable medium includes any medium that stores or transmits information in a form readable by a device (for example, a computer).
Those skilled in the art will appreciate that each block of these structure diagrams and/or block diagrams and/or flow diagrams, and combinations of blocks in them, can be implemented with computer program instructions. Those skilled in the art will appreciate that these computer program instructions can be supplied to a processor of a general-purpose computer, a special-purpose computer or another programmable data processing method for implementation, so that the schemes specified in the block or blocks of the structure diagrams and/or block diagrams and/or flow diagrams disclosed by the present invention are executed by the processor of the computer or other programmable data processing method.
Those skilled in the art will appreciate that the steps, measures and schemes in the various operations, methods and processes discussed in the present invention can be alternated, changed, combined or deleted. Further, other steps, measures and schemes in the various operations, methods and processes discussed in the present invention can also be alternated, changed, rearranged, decomposed, combined or deleted. Further, steps, measures and schemes in the prior art that correspond to the various operations, methods and processes disclosed in the present invention can also be alternated, changed, rearranged, decomposed, combined or deleted.
The above are only some embodiments of the present invention. It should be noted that those of ordinary skill in the art may make various improvements and modifications without departing from the principle of the present invention, and these improvements and modifications shall also be regarded as falling within the protection scope of the present invention.

Claims (10)

1. A system call method, characterized by comprising:
after receiving a system call request from an application, performing a permission check on the system call request;
after the permission check passes, carrying the preset security identifier of this permission and safety check module in the system call request as the sender identifier and sending the request to the kernel;
after the kernel receives the system call request, if it determines that the sender identifier of the received system call request is consistent with the prestored security identifier, performing the corresponding system call.
2. The method according to claim 1, characterized by further comprising: if the kernel determines that the sender identifier of the received system call request is inconsistent with the prestored security identifier, refusing to execute the received system call request and returning an access-denied message to the application that sent the system call request.
3. The method according to claim 1, characterized in that performing the permission check on the system call request specifically comprises:
performing the permission check on the system call request according to a customized security policy.
4. The method according to claim 1, characterized in that the security identifier of the permission and safety check module comprises: identity information and/or address information of the permission and safety check module.
5. The method according to claim 1, characterized in that, after determining that the sender identifier of the received system call request is consistent with the prestored security identifier, the method further comprises:
the kernel verifying, according to the security identifier, the legitimacy of the relevant information of the permission and safety check module; and
performing the corresponding system call comprises:
if the verification result is legal, performing the corresponding system call.
6. The method according to claim 5, characterized in that verifying, according to the security identifier, the legitimacy of the relevant information of the permission and safety check module specifically comprises:
the kernel obtaining, according to the security identifier, the preset relevant information of the permission and safety check module and the digital signature of that information;
the kernel verifying the legitimacy of the obtained relevant information of the permission and safety check module according to the obtained digital signature.
7. A system call device, characterized by comprising:
a permission and safety check module, arranged in the application layer, for performing a permission check on a system call request after receiving the request from an application and, after the permission check passes, carrying the preset security identifier of the permission and safety check module in the system call request as the sender identifier and sending the request to the kernel;
a system call interface module, arranged in the kernel, for performing the corresponding system call if, after receiving the system call request, it determines that the sender identifier of the received system call request is consistent with the prestored security identifier.
8. The device according to claim 7, characterized in that
the system call interface module is also used for refusing to execute the received system call request, and returning an access-denied message to the application that sent the system call request, if it determines that the sender identifier of the received system call request is inconsistent with the prestored security identifier.
9. The device according to claim 7, characterized in that
the permission and safety check module is specifically used for performing the permission check on the system call request according to a customized security policy.
10. The device according to claim 7, characterized in that
the system call interface module is also used for verifying, according to the security identifier, the legitimacy of the relevant information of the permission and safety check module after determining that the sender identifier of the received system call request is consistent with the prestored security identifier; and, if the verification result is legal, performing the corresponding system call.
CN201610555203.6A 2016-07-14 2016-07-14 System calling method and device Active CN106203080B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610555203.6A CN106203080B (en) 2016-07-14 2016-07-14 System calling method and device

Publications (2)

Publication Number Publication Date
CN106203080A CN106203080A (en) 2016-12-07
CN106203080B true CN106203080B (en) 2019-02-15

Family

ID=57475678

Country Status (1)

Country Link
CN (1) CN106203080B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right
Effective date of registration: 20210129
Address after: 101300 room 153, 1 / F, building 17, 16 Caixiang East Road, Nancai Town, Shunyi District, Beijing
Patentee after: Yuanxin Information Technology Group Co.,Ltd.
Address before: 100176 room 2222, building D, building 33, 99 Kechuang 14th Street, Beijing Economic and Technological Development Zone, Beijing
Patentee before: BEIJING YUANXIN SCIENCE & TECHNOLOGY Co.,Ltd.
EE01 Entry into force of recordation of patent licensing contract
Application publication date: 20161207
Assignee: Beijing Yuanxin Junsheng Technology Co.,Ltd.
Assignor: Yuanxin Information Technology Group Co.,Ltd.
Contract record no.: X2021110000018
Denomination of invention: System call method and device
Granted publication date: 20190215
License type: Common License
Record date: 20210531