CN107038369A - Method and terminal for resource access control - Google Patents

Publication number
CN107038369A
Authority
CN
China
Prior art keywords
caller
information
specified resource
authentication
white list
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN201710169713.4A
Other languages
Chinese (zh)
Inventor
黄儒鸿
熊林
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Jinli Communication Equipment Co Ltd
Original Assignee
Shenzhen Jinli Communication Equipment Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/629 Protecting access to data via a platform, e.g. using keys or access control rules to features or functions of an application
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Automation & Control Theory (AREA)
  • Telephone Function (AREA)

Abstract

An embodiment of the present invention provides a method and terminal for resource access control. The method includes: receiving a request from a caller to call the access interface of a specified resource; calling a rights management interface to obtain the caller's package name and sending it to a rights management service; passing the package name from the rights management service to a package management service, which returns information related to the caller according to the package name; having the rights management service call the middle-layer interface through which the operating system interacts with the trusted execution environment, so that the information related to the caller is sent to a trusted application inside the trusted execution environment; and having the trusted application read preset whitelist information corresponding to the specified resource, authenticate the caller, and pass the verification result to a kernel driver, which determines from the verification result whether to allow the caller to call the access interface and performs the corresponding response operation. Embodiments of the present invention can effectively protect the specified resources in a terminal and improve the security of the terminal.

Description

Method and terminal for resource access control
Technical field
Embodiments of the present invention relate to the field of electronic technology, and in particular to a method and terminal for resource access control.
Background
Some hardware or software resources on a mobile terminal are intended by design to be used only by specific applications, and third-party applications and other unauthorized applications are not meant to have permission to access them. If a third-party application or other unauthorized application learns how to access these hardware or software resources, the security of the information on the mobile terminal may be put at risk.
At present, to improve the security of information on mobile terminals, the following approaches are generally used to restrict unauthorized applications from accessing a specified resource:
One approach is to define a private interface, that is, to make the interface of the specified resource on the mobile terminal private, so that only the developers know the access interface of the specified resource, while third-party applications and other unauthorized applications cannot learn the private interface and therefore cannot access the specified resource. However, because the staff inside a development company are many and varied, the confidentiality of the private interface information cannot be guaranteed, and once the private interface is leaked, access to the specified resource is no longer protected.
Another approach is to apply some security or encryption protection before the access interface of the specified resource is called, for example performing authentication or unlocking before the call. This can protect the right to call the access interface to a certain extent, but under some abnormal conditions, if a third-party application or other unauthorized application bypasses the authentication mechanism, it can still call the access interface of the specified resource normally, so a certain security risk remains.
In summary, the existing ways of restricting unauthorized applications from accessing a specified resource offer relatively low security and cannot effectively protect the specified resources on a mobile terminal.
Summary of the invention
Embodiments of the present invention provide a method and terminal for resource access control that can effectively protect the specified resources in a terminal and improve the security of the terminal.
In one aspect, an embodiment of the present invention provides a method for resource access control, the method including:
if the application service of a specified resource receives a request from a caller to call the access interface of the specified resource, calling a rights management interface to obtain the package name of the caller, and sending the package name of the caller to a rights management service;
passing the package name of the caller from the rights management service to a package management service, so that the package management service returns information related to the caller according to the package name of the caller;
calling, through the rights management service, the middle-layer interface responsible for information exchange between the operating system and the trusted execution environment, so that the information related to the caller is sent to a trusted application inside the trusted execution environment;
reading, by the trusted application, preset whitelist information corresponding to the specified resource, and authenticating the caller according to the whitelist information and the information related to the caller to obtain an authentication result;
passing the authentication result from the trusted application to a kernel driver, so that the kernel driver determines according to the authentication result whether to allow the caller to call the access interface of the specified resource, and performs the corresponding response operation.
In another aspect, an embodiment of the present invention further provides a terminal, the terminal including:
a rights management interface calling unit, configured to, if the application service of a specified resource receives a request from a caller to call the access interface of the specified resource, call a rights management interface to obtain the package name of the caller and send the package name of the caller to a rights management service;
a caller information acquisition unit, configured to pass the package name of the caller from the rights management service to a package management service, so that the package management service returns information related to the caller according to the package name of the caller;
a middle-layer interface calling unit, configured to call, through the rights management service, the middle-layer interface responsible for information exchange between the operating system and the trusted execution environment, so that the information related to the caller is sent to a trusted application inside the trusted execution environment;
an identity verification unit, configured to read, by the trusted application, preset whitelist information corresponding to the specified resource, and to authenticate the caller according to the whitelist information and the information related to the caller to obtain an authentication result;
a response operation execution unit, configured to pass the authentication result from the trusted application to a kernel driver, so that the kernel driver determines according to the authentication result whether to allow the caller to call the access interface of the specified resource, and performs the corresponding response operation.
In the embodiments of the present invention, if the application service of a specified resource receives a request from a caller to call the access interface of the specified resource, a rights management interface is called to obtain the package name of the caller, and the package name is sent to a rights management service; the rights management service passes the package name of the caller to a package management service, which returns information related to the caller according to the package name; the rights management service calls the middle-layer interface responsible for information exchange between the operating system and the trusted execution environment, so that the information related to the caller is sent to a trusted application inside the trusted execution environment; the trusted application reads preset whitelist information corresponding to the specified resource and authenticates the caller according to the whitelist information and the information related to the caller, obtaining an authentication result; and the trusted application passes the authentication result to a kernel driver, which determines according to the authentication result whether to allow the caller to call the access interface of the specified resource and performs the corresponding response operation. The specified resources in the terminal are thereby effectively protected, and the security of the terminal is improved.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. The drawings described below show some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flow diagram of a method for resource access control provided by an embodiment of the present invention;
Fig. 2 is a schematic flow diagram of a method for resource access control provided by another embodiment of the present invention;
Fig. 3 is a schematic block diagram of a terminal provided by an embodiment of the present invention;
Fig. 4 is a schematic block diagram of a terminal provided by another embodiment of the present invention;
Fig. 5 is a schematic block diagram of a terminal provided by yet another embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. The described embodiments are some, but not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
It should be understood that, when used in this specification and the appended claims, the terms "comprising" and "including" indicate the presence of the described features, wholes, steps, operations, elements and/or components, but do not exclude the presence or addition of one or more other features, wholes, steps, operations, elements, components and/or sets thereof.
It should also be understood that the terminology used in this description of the invention is for the purpose of describing specific embodiments only and is not intended to limit the invention. As used in this description and the appended claims, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should be further understood that the term "and/or" used in this description and the appended claims refers to any and all possible combinations of one or more of the associated listed items, and includes these combinations.
As used in this specification and the appended claims, the term "if" may be interpreted, depending on the context, as "when", "once", "in response to determining" or "in response to detecting". Similarly, the phrases "if it is determined" or "if [the described condition or event] is detected" may be interpreted, depending on the context, as "once it is determined", "in response to determining", "once [the described condition or event] is detected" or "in response to detecting [the described condition or event]".
In specific implementations, the terminal described in the embodiments of the present invention includes, but is not limited to, portable devices such as mobile phones, laptop computers or tablet computers with touch-sensitive surfaces (for example, touch-screen displays and/or touch pads). It should also be understood that in some embodiments the device is not a portable communication device but a desktop computer with a touch-sensitive surface (for example, a touch-screen display and/or touch pad).
In the discussion below, a terminal including a display and a touch-sensitive surface is described. It should be understood, however, that the terminal may include one or more other physical user-interface devices such as a physical keyboard, mouse and/or joystick.
The terminal supports various applications, such as one or more of the following: a drawing application, a presentation application, a word-processing application, a website creation application, a disk burning application, a spreadsheet application, a game application, a telephone application, a video conferencing application, an e-mail application, an instant messaging application, an exercise support application, a photo management application, a digital camera application, a digital video camera application, a web browsing application, a digital music player application and/or a digital video player application.
The various applications that can be executed on the terminal may use at least one common physical user-interface device, such as the touch-sensitive surface. One or more functions of the touch-sensitive surface and the corresponding information displayed on the terminal may be adjusted and/or changed between applications and/or within a given application. In this way, a common physical architecture of the terminal (for example, the touch-sensitive surface) can support the various applications with user interfaces that are intuitive and transparent to the user.
Fig. 1 is a schematic flow diagram of a method for resource access control provided by an embodiment of the present invention. Referring to Fig. 1, the method includes:
Step S101: if the application service of a specified resource receives a request from a caller to call the access interface of the specified resource, call the rights management interface to obtain the package name of the caller, and send the package name of the caller to the rights management service.
In this embodiment, the specified resource includes, but is not limited to, a hardware resource or software resource inside the terminal, for example a security encryption chip, or certificate files representing the user's identity that are stored in a secure storage area.
In this embodiment, the application service of the specified resource is an application service added inside the terminal, mainly to implement access control over the specified resource. It is similar to the application management service in the terminal's operating system: it is a service application that runs in the background of the operating system and can respond to caller requests in a timely manner.
In this embodiment, the rights management interface is an external interface, provided mainly for upper-layer application services to call. Further, in this embodiment, before the application service calls the rights management interface to obtain the package name of the caller, the method may also include:
the application service judges whether this is the first time the caller has requested to call the access interface of the specified resource; if it is the first call, the method proceeds to the step of obtaining the package name of the caller;
if it is not the first call to the access interface of the specified resource, whether to allow the caller to call the access interface is determined directly from the previously recorded information on whether access succeeded or failed.
Step S102: the rights management service passes the package name of the caller to the package management service, so that the package management service returns information related to the caller according to the package name of the caller.
In this embodiment, the package management service is a middle-layer (HAL) background application service, and the interface it exposes externally can obtain the relevant information of a specified caller.
Further, in this embodiment, the information related to the caller includes, but is not limited to, the caller's package name, certificate signature and user identification information.
Step S103: the rights management service calls the middle-layer interface responsible for information exchange between the operating system and the trusted execution environment, so that the information related to the caller is sent to the trusted application inside the trusted execution environment.
In this embodiment, the trusted execution environment (TEE) is isolated from the environment in which the operating system runs (REE) and is a secure execution region. The trusted application (TA) is a trusted application newly added to the TEE; it is mainly responsible for authenticating the caller and judging whether the caller has permission to access the specified resource.
Step S104: the trusted application reads the preset whitelist information corresponding to the specified resource, and authenticates the caller according to the whitelist information and the information related to the caller, obtaining an authentication result.
In this embodiment, the terminal stores preconfigured whitelist information corresponding to the specified resource. The whitelist information corresponding to the specified resource includes, but is not limited to, the package name, certificate signature and user identification information of each caller that has permission to access the specified resource.
There may be one or more specified resources, and the whitelist information corresponding to the specified resources can be stored in the form of a list. For example, Table 1 below is an example of the preset whitelist information stored for the present invention:
Table 1
As Table 1 shows, the A3 encryption resource is made available only to the application com.gionee.A3, and only com.gionee.startB can start application B.
In this embodiment, authenticating the caller according to the whitelist information and the information related to the caller to obtain an authentication result includes:
querying whether the whitelist information corresponding to the specified resource contains information that matches the information related to the caller;
if there is matching information, authentication passes; if there is no matching information, authentication fails.
In this embodiment, authentication passes only when the package name, certificate signature and user identification information (UID) of the caller contained in the information related to the caller are identical to the package name, certificate signature and user identification information of some caller contained in the whitelist information; otherwise, authentication fails.
Step S105: the trusted application passes the authentication result to the kernel driver, so that the kernel driver determines according to the authentication result whether to allow the caller to call the access interface of the specified resource, and performs the corresponding response operation.
In the embodiments of the present invention, step S105 specifically includes:
if the authentication result is a verification failure, sending the verification-failure information to the kernel driver, so that the kernel driver sets the access interface of the specified resource to the unavailable state according to the verification-failure information and forbids the caller from calling the access interface of the specified resource;
if the authentication result is a verification pass, sending the verification-pass information to the kernel driver, so that the kernel driver sets the access interface of the specified resource to the available state according to the verification-pass information and allows the caller to call the access interface of the specified resource.
As can be seen from the above, the method for resource access control provided by this embodiment ensures that the specified resources in the terminal can be accessed only by the applications defined on the whitelist, while other unauthorized applications cannot access them. The specified resources in the terminal are thus effectively protected, and the security of the terminal is improved.
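The matching rule of step S104 and the driver response of step S105, as an added example in C that is not code from the patent: the trusted application passes a caller only when package name, certificate signature and UID all match one whitelist entry for the requested resource, and the kernel driver maps that result onto the interface state. The type and function names, the 32-byte digest form of the certificate signature, the resource names and all digest and UID values are constructed assumptions; only the two package names come from the text.

```c
/* Added example, not code from the patent. All names, the digest
 * representation and the sample values below are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CERT_DIGEST_LEN 32 /* assumption: certificate signature held as a 32-byte digest */

typedef struct {
    const char *resource;                 /* specified resource this entry protects */
    const char *package;                  /* permitted caller package name */
    uint8_t cert_digest[CERT_DIGEST_LEN]; /* permitted signing-certificate digest */
    uint32_t uid;                         /* permitted caller UID */
} wl_entry;

typedef struct {
    const char *package;
    uint8_t cert_digest[CERT_DIGEST_LEN];
    uint32_t uid;
} caller_info;

typedef enum { IFACE_UNAVAILABLE = 0, IFACE_AVAILABLE = 1 } iface_state;

/* Constructed whitelist; in the patent it is preconfigured and read by the TA. */
static const wl_entry WHITELIST[] = {
    { "a3_encryption", "com.gionee.A3",     { 0xA3 }, 10071 },
    { "start_b",       "com.gionee.startB", { 0x5B }, 10072 },
};

/* Compare digests without an early exit, so timing does not reveal
 * the position of the first mismatching byte. */
static int digest_equal(const uint8_t *a, const uint8_t *b)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < CERT_DIGEST_LEN; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* TA side (step S104): pass only if a single entry for this resource matches
 * package name, certificate digest and UID together. Missing input, an
 * unknown resource or a partial match all fail closed. */
int ta_authenticate(const wl_entry *wl, size_t n, const char *resource,
                    const caller_info *c)
{
    if (!wl || !resource || !c || !c->package)
        return 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(wl[i].resource, resource) != 0)
            continue; /* entry belongs to a different specified resource */
        if (strcmp(wl[i].package, c->package) == 0 &&
            digest_equal(wl[i].cert_digest, c->cert_digest) &&
            wl[i].uid == c->uid)
            return 1;
    }
    return 0;
}

/* Kernel-driver side (step S105): map the TA's result onto the interface state. */
iface_state driver_apply_result(int auth_ok)
{
    return auth_ok ? IFACE_AVAILABLE : IFACE_UNAVAILABLE;
}

/* Demo helper: build a caller record and run the whole decision. */
iface_state decide(const char *resource, const char *package,
                   uint8_t cert_first_byte, uint32_t uid)
{
    caller_info c;
    memset(&c, 0, sizeof c);
    c.package = package;
    c.cert_digest[0] = cert_first_byte;
    c.uid = uid;
    return driver_apply_result(
        ta_authenticate(WHITELIST, sizeof WHITELIST / sizeof WHITELIST[0],
                        resource, &c));
}

int main(void)
{
    printf("listed A3 app on A3 resource:   %d\n",
           decide("a3_encryption", "com.gionee.A3", 0xA3, 10071));
    printf("same package name, other cert:  %d\n",
           decide("a3_encryption", "com.gionee.A3", 0x11, 10071));
    printf("same package and cert, bad UID: %d\n",
           decide("a3_encryption", "com.gionee.A3", 0xA3, 10099));
    printf("startB app on A3 resource:      %d\n",
           decide("a3_encryption", "com.gionee.startB", 0x5B, 10072));
    return 0;
}
```

Because the lookup is scoped to the requested resource, an application that is whitelisted for one resource gains nothing on another.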
Fig. 2 shows a schematic flow diagram of a method for resource access control provided by another embodiment of the present invention. Referring to Fig. 2, the method for resource access control provided by this embodiment includes:
Step S201: preconfigure the whitelist information corresponding to the specified resource, and store the whitelist information corresponding to the specified resource in the replay-protected memory block.
In this embodiment, the replay-protected memory block (RPMB) is a secure storage area on the terminal's eMMC, generally used to store critical information. The eMMC mechanism verifies the legitimacy of data when it is written to the replay-protected memory block, and only the designated host can write data to it. When data is read, a signature mechanism is also provided, ensuring that the data the host reads is the data inside the replay-protected memory block rather than data forged by an attacker. Storing the whitelist information in the replay-protected memory block prevents illegal tampering with the whitelist information that the developer has set in advance for the terminal.
Step S202: if the application service of a specified resource receives a request from a caller to call the access interface of the specified resource, call the rights management interface to obtain the package name of the caller, and send the package name of the caller to the rights management service.
Step S203: the rights management service passes the package name of the caller to the package management service, so that the package management service returns information related to the caller according to the package name of the caller.
Step S204: the rights management service calls the middle-layer interface responsible for information exchange between the operating system and the trusted execution environment, so that the information related to the caller is sent to the trusted application inside the trusted execution environment.
Step S205: the trusted application reads the preset whitelist information corresponding to the specified resource, and authenticates the caller according to the whitelist information and the information related to the caller, obtaining an authentication result.
Step S206: the trusted application passes the authentication result to the kernel driver, so that the kernel driver determines according to the authentication result whether to allow the caller to call the access interface of the specified resource, and performs the corresponding response operation.
Step S207: the trusted execution environment returns a message that this verification has ended to the application service corresponding to the specified resource in the operating system.
In this embodiment, the trusted execution environment returns the information that this verification has ended to the application service, so that the application service can go on to handle other requests to call the access interface of the specified resource.
It should be noted that steps S202 to S206 in this embodiment are implemented in the same way as steps S101 to S105 in the previous embodiment and are therefore not described again here.
As can be seen from the above, the method for resource access control provided by this embodiment likewise ensures that the specified resources in the terminal can be accessed only by the applications defined on the whitelist, while other unauthorized applications cannot access the specified resources, so the specified resources in the terminal are effectively protected and the security of the terminal is improved. In addition, relative to the previous embodiment, because the whitelist information is stored in the replay-protected memory block, attackers are also prevented from illegally tampering with the whitelist information, which further improves the security of the terminal.
Fig. 3 shows a kind of schematic block diagram of terminal provided in an embodiment of the present invention, only shows for convenience of description Part related to the present embodiment.
Shown in Figure 3, a kind of terminal 100 that the present embodiment is provided includes:
Rights management interface interchange unit 11, if calling the finger for specifying the application service of resource to receive caller Determine the request of the access interface of resource, then call rights management interface to obtain the bag name of caller, and by the bag of the caller Name is sent to rights management service;
Caller information acquisition unit 12, for being passed to the bag name of the caller by the rights management service Bag management service, makes the bag management service return to the information related to the caller according to the bag name of the caller;
Intermediate layer interface interchange unit 13, for called by the rights management service be responsible for realizing operating system with can Believe the middle layer interface of performing environment information exchange, the information related to caller is sent to the credible performing environment Internal trusted application;
Identity authenticating unit 14, for reading default white name corresponding with the specified resource by the trusted application Single information, and authentication is carried out to the caller according to the white list information and the information related to caller, Obtain authentication result;
Operation execution unit 15 is responded, is driven for being transmitted the authentication result to kernel by the trusted application It is dynamic, the kernel-driven is determined whether that the caller calls the specified resource according to the authentication result Access interface, and perform corresponding response operation.
Optionally, the identity authenticating unit 14 specifically for:
Whether have and the information phase related with caller in inquiry white list information corresponding to the specified resource The information of matching;
If there is the information matched, authentication passes through;If the information not matched, authentication failure;
Wherein, the information related to caller includes bag name, certificate signature and the user identity of the caller Prove information;The white list information corresponding with specified resource includes having permission to access the bag of the caller of the specified resource Name, certificate signature and user identity prove information.
Optionally, the response operation execution unit 15 is specifically configured to:
If the authentication result is that verification failed, send verification-failure information to the kernel driver, so that the kernel driver sets the access interface of the specified resource to an unavailable state according to the verification-failure information, prohibiting the caller from calling the access interface of the specified resource;
If the authentication result is that verification passed, send verification-passed information to the kernel driver, so that the kernel driver sets the access interface of the specified resource to an available state according to the verification-passed information, allowing the caller to call the access interface of the specified resource.
Optionally, as shown in Fig. 4, in another embodiment, the terminal 100 further includes:
A whitelist configuration unit 16, configured to preconfigure whitelist information corresponding to the specified resource, and to store the whitelist information corresponding to the specified resource in a replay protected memory block.
Optionally, the terminal 100 further includes:
A verification end prompt unit 17, configured for the trusted execution environment to return a verification end message for this verification to the application service corresponding to the specified resource in the operating system.
It should be noted that the units in the terminal provided by the embodiment of the present invention are based on the same concept as the method embodiments of the present invention and bring the same technical effects; for details, refer to the description in the method embodiments of the present invention, which is not repeated here.
It can thus be seen that the terminal provided by the embodiment of the present invention likewise restricts access to the specified resource to the applications on the whitelist, while other, unauthorized applications cannot access the specified resource, thereby effectively protecting the specified resources in the terminal and improving the security of the terminal.
Fig. 5 is a schematic block diagram of a terminal provided by yet another embodiment of the present invention; for ease of description, only the parts related to this embodiment are shown. As shown in Fig. 5, the terminal 100 provided by this embodiment includes:
A processor 110, a communications interface 120, a memory 130 and a bus 140.
The processor 110, the communications interface 120 and the memory 130 communicate with one another through the bus 140.
The communications interface 120 is used to communicate with external devices, for example a PC or a smartphone.
The processor 110 is used to execute the program 131.
Specifically, the program 131 may include program code, and the program code includes computer operating instructions.
The processor 110 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention.
The memory 130 is used to store the program 131. The memory 130 may include high-speed RAM and may also include non-volatile memory, for example at least one magnetic disk memory. The processor 110 is specifically configured to control the program 131 to perform the following steps:
If the application service of the specified resource receives a request from a caller to call the access interface of the specified resource, call the rights management interface to obtain the package name of the caller, and send the package name of the caller to the rights management service;
Pass the package name of the caller to the package management service through the rights management service, so that the package management service returns the information related to the caller according to the package name of the caller;
Call, through the rights management service, the middle-layer interface responsible for information exchange between the operating system and the trusted execution environment, and send the information related to the caller to the trusted application inside the trusted execution environment;
Read, through the trusted application, the preset whitelist information corresponding to the specified resource, and authenticate the caller according to the whitelist information and the information related to the caller, obtaining an authentication result;
Transmit the authentication result to the kernel driver through the trusted application, so that the kernel driver determines, according to the authentication result, whether to allow the caller to call the access interface of the specified resource, and performs the corresponding response operation.
Optionally, the processor 110 is further configured to control the program 131 to perform the following steps:
Preconfigure whitelist information corresponding to the specified resource, and store the whitelist information corresponding to the specified resource in a replay protected memory block.
Optionally, the information related to the caller includes the package name, certificate signature and user identity proof information of the caller;
The whitelist information corresponding to the specified resource includes the package names, certificate signatures and user identity proof information of the callers that have permission to access the specified resource;
Authenticating the caller according to the whitelist information and the information related to the caller, and obtaining an authentication result, includes:
Querying whether the whitelist information corresponding to the specified resource contains information that matches the information related to the caller;
If matching information exists, the authentication passes; if no matching information exists, the authentication fails.
Optionally, transmitting the authentication result to the kernel driver through the trusted application, so that the kernel driver determines, according to the authentication result, whether to allow the caller to call the access interface of the specified resource, and performs the corresponding response operation, includes:
If the authentication result is that verification failed, sending verification-failure information to the kernel driver, so that the kernel driver sets the access interface of the specified resource to an unavailable state according to the verification-failure information, prohibiting the caller from calling the access interface of the specified resource;
If the authentication result is that verification passed, sending verification-passed information to the kernel driver, so that the kernel driver sets the access interface of the specified resource to an available state according to the verification-passed information, allowing the caller to call the access interface of the specified resource.
Optionally, the processor 110 is further configured to control the program 131 to perform the following steps:
The trusted execution environment returns a verification end message for this verification to the application service corresponding to the specified resource in the operating system.
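The matching and response steps above can be followed in a small C model, added here as an illustration and not taken from the patent: the trusted application matches the full tuple of package name, certificate signature and user identity against the whitelist, and the kernel driver sets the access interface state from the result. All names, the 32-byte signature digest, the embedded whitelist and the sample callers are assumptions, and the boundary between the operating system, the trusted execution environment and the kernel is modeled as plain function calls.

```c
/* Added illustration; every name and sample value here is hypothetical. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define SIG_LEN 32   /* assumption: certificate signature held as a 32-byte digest */

enum iface_state { IFACE_UNAVAILABLE = 0, IFACE_AVAILABLE = 1 };

struct caller_info {               /* returned by the package management service */
    const char *package_name;
    unsigned char cert_sig[SIG_LEN];
    unsigned int user_id;          /* stands in for the user identity proof */
};

struct whitelist_entry {           /* one authorized caller of one resource */
    const char *resource;
    struct caller_info caller;
};

/* Constructed whitelist; on a device it is read from protected storage. */
static const struct whitelist_entry WHITELIST[] = {
    { "fingerprint", { "com.example.pay",  { 0xA1, 0xB2, 0xC3 }, 10021 } },
    { "fingerprint", { "com.example.lock", { 0x11, 0x22, 0x33 }, 10007 } },
};

/* Constructed callers: one authorized, one reusing its package name. */
static const struct caller_info CALLER_OK =
    { "com.example.pay", { 0xA1, 0xB2, 0xC3 }, 10021 };
static const struct caller_info CALLER_OTHER_CERT =
    { "com.example.pay", { 0xDE, 0xAD, 0xBE }, 10021 };

/* Compare digests without stopping at the first differing byte. */
static int ct_equal(const unsigned char *a, const unsigned char *b, size_t n)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Trusted application: 1 only if package name, certificate signature and
 * user identity all match one whitelist entry for this resource. */
int ta_authenticate(const char *resource, const struct caller_info *c)
{
    if (resource == NULL || c == NULL || c->package_name == NULL)
        return 0;                                  /* fail closed */
    for (size_t i = 0; i < sizeof WHITELIST / sizeof WHITELIST[0]; i++) {
        const struct whitelist_entry *e = &WHITELIST[i];
        if (strcmp(e->resource, resource) == 0 &&
            strcmp(e->caller.package_name, c->package_name) == 0 &&
            ct_equal(e->caller.cert_sig, c->cert_sig, SIG_LEN) &&
            e->caller.user_id == c->user_id)
            return 1;
    }
    return 0;
}

/* State of the one modeled access interface; unavailable until verified. */
static enum iface_state iface = IFACE_UNAVAILABLE;

/* Kernel driver: applies the result sent by the trusted application. */
enum iface_state driver_apply_result(int verified)
{
    iface = verified ? IFACE_AVAILABLE : IFACE_UNAVAILABLE;
    return iface;
}

/* Access interface of the specified resource: 0 on success, -1 if blocked. */
int resource_access(void)
{
    return iface == IFACE_AVAILABLE ? 0 : -1;
}

/* One request end to end: authenticate, set the state, attempt the call. */
int handle_request(const char *resource, const struct caller_info *c)
{
    driver_apply_result(ta_authenticate(resource, c));
    return resource_access();
}

int main(void)
{
    printf("authorized caller: %d\n", handle_request("fingerprint", &CALLER_OK));
    printf("same package name, other certificate: %d\n",
           handle_request("fingerprint", &CALLER_OTHER_CERT));
    return 0;
}
```

The second caller shows why the match covers the whole tuple: a package name alone can be reused by another application, so a caller with the right name but a different certificate signature leaves the interface unavailable.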
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working process of the units in the terminal described above may refer to the corresponding process in the foregoing method embodiments, and is not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed terminal and method may be implemented in other ways. For example, the device embodiments described above are only schematic; for example, the division of the units is only a division by logical function, and there may be other ways of dividing them in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be ignored or not performed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be electrical, mechanical or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network modules. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated in one processing module, or each unit may exist physically on its own, or two or more units may be integrated in one module.
The steps in the methods of the embodiments of the present invention may be reordered, merged and deleted according to actual needs.
The units in the terminal of the embodiments of the present invention may be combined, divided and deleted according to actual needs.
If the functions are implemented in the form of software functional modules and sold or used as an independent product, they may be stored in a terminal-readable storage medium. Based on this understanding, the technical solution of the present invention, in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product. The software product is stored in a storage medium and includes a number of instructions for causing a terminal (which may be a terminal, an iPad, etc.) to perform all or part of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working process of the system and units described above may refer to the corresponding process in the foregoing method embodiments, and is not repeated here.
The above are only specific embodiments of the present invention, but the protection scope of the present invention is not limited thereto. Any person skilled in the art can readily conceive of various equivalent modifications or replacements within the technical scope disclosed by the present invention, and these modifications or replacements shall all fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A method of resource access control, characterized by comprising:
If the application service of a specified resource receives a request from a caller to call the access interface of the specified resource, calling the rights management interface to obtain the package name of the caller, and sending the package name of the caller to the rights management service;
Passing the package name of the caller to the package management service through the rights management service, so that the package management service returns the information related to the caller according to the package name of the caller;
Calling, through the rights management service, the middle-layer interface responsible for information exchange between the operating system and the trusted execution environment, and sending the information related to the caller to the trusted application inside the trusted execution environment;
Reading, through the trusted application, the preset whitelist information corresponding to the specified resource, and authenticating the caller according to the whitelist information and the information related to the caller, obtaining an authentication result;
Transmitting the authentication result to the kernel driver through the trusted application, so that the kernel driver determines, according to the authentication result, whether to allow the caller to call the access interface of the specified resource, and performs the corresponding response operation.
2. The method of resource access control according to claim 1, characterized in that, before the step of, if the operating system receives a request from a caller to call the access interface of a specified resource, calling the rights management interface to obtain the package name of the caller and sending the package name of the caller to the rights management service, the method further comprises:
Preconfiguring whitelist information corresponding to the specified resource, and storing the whitelist information corresponding to the specified resource in a replay protected memory block.
3. The method of resource access control according to claim 1, characterized in that
The information related to the caller includes the package name, certificate signature and user identity proof information of the caller;
The whitelist information corresponding to the specified resource includes the package names, certificate signatures and user identity proof information of the callers that have permission to access the specified resource;
Authenticating the caller according to the whitelist information and the information related to the caller, and obtaining an authentication result, comprises:
Querying whether the whitelist information corresponding to the specified resource contains information that matches the information related to the caller;
If matching information exists, the authentication passes; if no matching information exists, the authentication fails.
4. The method of resource access control according to claim 1, characterized in that transmitting the authentication result to the kernel driver through the trusted application, so that the kernel driver determines, according to the authentication result, whether to allow the caller to call the access interface of the specified resource, and performs the corresponding response operation, comprises:
If the authentication result is that verification failed, sending verification-failure information to the kernel driver, so that the kernel driver sets the access interface of the specified resource to an unavailable state according to the verification-failure information, prohibiting the caller from calling the access interface of the specified resource;
If the authentication result is that verification passed, sending verification-passed information to the kernel driver, so that the kernel driver sets the access interface of the specified resource to an available state according to the verification-passed information, allowing the caller to call the access interface of the specified resource.
5. The method of resource access control according to claim 1, characterized in that, after transmitting the authentication result to the kernel driver through the trusted application, so that the kernel driver determines, according to the authentication result, whether to allow the caller to call the access interface of the specified resource, and performs the corresponding response operation, the method further comprises:
The trusted execution environment returning a verification end message for this verification to the application service corresponding to the specified resource in the operating system.
6. A terminal, characterized by comprising:
A rights management interface calling unit, configured to, if the application service of a specified resource receives a request from a caller to call the access interface of the specified resource, call the rights management interface to obtain the package name of the caller, and send the package name of the caller to the rights management service;
A caller information acquisition unit, configured to pass the package name of the caller to the package management service through the rights management service, so that the package management service returns the information related to the caller according to the package name of the caller;
A middle-layer interface calling unit, configured to call, through the rights management service, the middle-layer interface responsible for information exchange between the operating system and the trusted execution environment, and to send the information related to the caller to the trusted application inside the trusted execution environment;
An identity verification unit, configured to read, through the trusted application, the preset whitelist information corresponding to the specified resource, and to authenticate the caller according to the whitelist information and the information related to the caller, obtaining an authentication result;
A response operation execution unit, configured to transmit the authentication result to the kernel driver through the trusted application, so that the kernel driver determines, according to the authentication result, whether to allow the caller to call the access interface of the specified resource, and performs the corresponding response operation.
7. The terminal according to claim 6, characterized by further comprising:
A whitelist configuration unit, configured to preconfigure whitelist information corresponding to the specified resource, and to store the whitelist information corresponding to the specified resource in a replay protected memory block.
8. The terminal according to claim 6, characterized in that the identity verification unit is specifically configured to:
Query whether the whitelist information corresponding to the specified resource contains information that matches the information related to the caller;
If matching information exists, the authentication passes; if no matching information exists, the authentication fails;
Wherein the information related to the caller includes the package name, certificate signature and user identity proof information of the caller; the whitelist information corresponding to the specified resource includes the package names, certificate signatures and user identity proof information of the callers that have permission to access the specified resource.
9. The terminal according to claim 6, characterized in that the response operation execution unit is specifically configured to:
If the authentication result is that verification failed, send verification-failure information to the kernel driver, so that the kernel driver sets the access interface of the specified resource to an unavailable state according to the verification-failure information, prohibiting the caller from calling the access interface of the specified resource;
If the authentication result is that verification passed, send verification-passed information to the kernel driver, so that the kernel driver sets the access interface of the specified resource to an available state according to the verification-passed information, allowing the caller to call the access interface of the specified resource.
10. The terminal according to claim 6, characterized by further comprising:
A verification end prompt unit, configured for the trusted execution environment to return a verification end message for this verification to the application service corresponding to the specified resource in the operating system.
CN201710169713.4A 2017-03-21 2017-03-21 The method and terminal of a kind of resources accessing control Withdrawn CN107038369A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710169713.4A CN107038369A (en) 2017-03-21 2017-03-21 The method and terminal of a kind of resources accessing control

Publications (1)

Publication Number Publication Date
CN107038369A true CN107038369A (en) 2017-08-11

Family

ID=59533846

Country Status (1)

Country Link
CN (1) CN107038369A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20170811