CN107180202A - A Web user privacy protection system and method based on information flow labels - Google Patents


Info

Publication number
CN107180202A
Authority
CN
China
Prior art keywords
label
component
message
information
web
Prior art date
Legal status (as listed by Google Patents; not a legal conclusion)
Granted
Application number
CN201710323578.4A
Other languages
Chinese (zh)
Other versions
CN107180202B (en)
Inventor
金海
羌卫中
郭佳祯
邹德清
Current Assignee
Huazhong University of Science and Technology
Original Assignee
Huazhong University of Science and Technology
Priority date
Filing date
Publication date
Application filed by Huazhong University of Science and Technology
Priority to CN201710323578.4A
Publication of CN107180202A
Application granted
Publication of CN107180202B
Legal status: Active (current)
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/955 Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
    • G06F16/958 Organisation or management of web site content, e.g. publishing, maintaining pages or automatic linking
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]


Abstract

The invention discloses a Web user privacy protection system and method based on information flow labels, belonging to the field of Internet security. The system includes a label adding module and a label detection module. In the label adding module, a new access control label model for the Web environment is designed and labels are added to the messages passed between Web components; where a Web component includes third-party code, a lightweight process is designed to isolate the dangerous third-party code; and a message transmission rule is designed for the labels so that messages carrying the user's private information can be tracked. The invention also provides a Web user privacy protection method based on information flow labels. The technical solution of the invention is applicable to Web applications that need a higher security level and handle sensitive user information; it can protect a Web application from being compromised by third-party code and protect the user's private information.

Description

A Web user privacy protection system and method based on information flow labels
Technical field
The invention belongs to the field of Internet security and relates in particular to a Web user privacy protection system and method based on information flow labels.
Background art
In order to offer users rich services such as map navigation and online payment, today's Web applications integrate a large amount of third-party code. Because these services often need to handle the user's private information, developers and users have to trust them completely not to leak that information. Many recent studies have shown that such third-party code can cause a series of serious harms, such as tracking the user's browsing history, capturing user form input, stealing cookies and private data, and even hijacking session information and forging user requests.
Browsers currently rely on security mechanisms such as the same-origin policy (SOP), cross-origin resource sharing (CORS) and the content security policy (CSP) to keep third-party code from stealing private data. Note, however, that all of these mechanisms maintain a static, unchanging access control policy for the whole lifetime of the application: a component is either granted full access or denied access entirely, so they cannot stop a component that has already received private information from leaking it.
Existing protection methods based on information flow control are generally of two kinds, fine-grained and coarse-grained. Fine-grained methods attach a high-sensitivity label to the user's private information at object granularity and track every JavaScript instruction, ensuring that data associated with a high-sensitivity label never leaves the browser and thereby protecting user privacy. Coarse-grained methods resemble the present method: each same-origin component is explicitly associated with an information flow label that strictly defines that component's access control rights; whenever information crosses a component boundary, the system checks the labels involved and decides according to a rule whether the transfer succeeds.
Both methods, however, have certain shortcomings and limitations. Because fine-grained methods must track every JavaScript instruction, they usually require extensive changes to the JavaScript engine, or directly implement a security-enhanced JavaScript interpreter, resulting in poor performance and poor compatibility. In addition, fine-grained methods cannot support policies more flexible than the same-origin policy. Existing coarse-grained methods, for their part, do not limit the declassification privileges that may cause privacy leaks. Moreover, lacking an effective isolation mechanism for third-party code libraries, they offer inadequate protection for Web applications that import such libraries.
In summary, existing systems that protect user privacy by information flow control have the following shortcomings:
On the one hand, fine-grained methods operate at the object level and can effectively protect Web applications that import third-party code libraries, but because they require extensive changes to current JavaScript engines, their performance and compatibility are poor. On the other hand, coarse-grained methods provide no effective mechanism for limiting dangerous declassification privileges, so they may still allow privacy leaks, and their protection of Web applications that import third-party code libraries is inadequate.
Summary of the invention
In view of the above shortcomings of the prior art or the need to improve on it, the invention provides a Web user privacy protection system and method based on information flow labels. Its objects are: to propose a new access control label model for the Web browser environment that guarantees the integrity and privacy of Web application data; and to propose a message transmission rule, based on information flow labels, that tracks the user's private information and provides a flexible and practical information flow control policy, preventing user privacy from leaking and guaranteeing the security of user information. The invention thereby overcomes the limitations and deficiencies of existing methods for protecting Web user privacy against third-party code, guaranteeing the privacy and integrity of user information together with the dynamism and efficiency of the system.
To achieve the above object, according to one aspect of the invention, there is provided a Web user privacy protection system based on information flow labels, the system including:
a label adding module, for adding labels according to a label model to Web components and to the communication messages passed between Web components; the label model includes component labels and message labels, and a component label, which is associated with a component, includes:
a privacy label, representing the private information the component contains;
an integrity label, representing the resource access rights the component possesses;
a privilege label, used to update the privacy label and the integrity label, including authorising information, declassifying information and converting information;
the message label is associated with a message passed between components and indicates that the associated message contains private information;
a label detection module, for checking, when a message is transmitted, whether the Web component labels or the message label satisfy the message transmission rule; if so the transmission succeeds, otherwise the message is protected and its transmission is forbidden.
Further, the message transmission rule in the label detection module is as follows:
For an information flow to be transmitted successfully: the privacy label in the sending component's label must be less than or equal to the privacy label in the receiving component's label; the integrity label in the sending component's label must be greater than or equal to the integrity label in the receiving component's label; the message label of the sent message must be less than or equal to the privacy label in the receiving component's label; and after the receiving component has received the message, it cannot use its privilege label to affect the subset of its privacy label that equals the message label.
Further, the label adding module includes:
an API-based label adding unit, for adding labels in advance to non-static components or communication messages according to the label model, through the DOM-level API provided by the system;
a security-policy-based label adding unit, for automatically adding labels to non-static components or communication messages according to the security policy and the label model when no label was added in advance;
an automatic label simulation unit, for automatically simulating a component label for a static component according to the label model, where the privacy label is the origin the static component belongs to, the integrity label is the static component's permissions, and the privilege label is empty.
Further, when a component introduces third-party code, a lightweight process is created; the process runs in the same thread as its parent process and shares the same event loop, and can directly access the DOM of the parent process's page; the component's trusted code is placed in the lightweight process so that it is isolated from the third-party code.
Further, the label detection module includes:
a browser internal channel detection unit, for checking according to the message transmission rule whether a message transmission between Web components succeeds;
a network channel detection unit, for automatically deriving a new security policy from the component label when a Web component sends a network request, and checking by that security policy whether the transmission succeeds;
a browser storage channel detection unit, for checking according to the message transmission rule whether a transmission succeeds when a Web component accesses browser storage.
According to another aspect of the invention, there is provided a Web user privacy protection method based on information flow labels, the method comprising the following steps:
(1) adding labels according to a label model to Web components and to the communication messages passed between Web components; the label model includes component labels and message labels, and a component label, associated with a component, includes:
a privacy label, representing the private information the component contains;
an integrity label, representing the resource access rights the component possesses;
a privilege label, used to update the privacy label and the integrity label, including authorising information, declassifying information and converting information;
the message label is associated with a message passed between components and indicates that the associated message contains private information;
(2) when a message is transmitted, checking whether the Web component labels or the message label satisfy the message transmission rule; if so the transmission succeeds, otherwise the message is protected and its transmission is forbidden.
Further, the message transmission rule in step (2) is that, for an information flow to be transmitted successfully: the privacy label in the sending component's label must be less than or equal to the privacy label in the receiving component's label; the integrity label in the sending component's label must be greater than or equal to the integrity label in the receiving component's label; the message label of the sent message must be less than or equal to the privacy label in the receiving component's label; and after the receiving component has received the message, it cannot use its privilege label to affect the subset of its privacy label that equals the message label.
Further, step (1) includes:
(11) API-based label adding: adding labels in advance to non-static components or communication messages according to the label model, through the DOM-level API provided by the system;
(12) security-policy-based label adding: when no label was added in advance to a non-static component or communication message, automatically adding a label according to the security policy and the label model;
(13) automatic label simulation: automatically simulating a component label for a static component according to the label model, where the privacy label is the origin the static component belongs to, the integrity label is the static component's permissions, and the privilege label is empty.
Further, when a component introduces third-party code, a lightweight process is created; the process runs in the same thread as its parent process and shares the same event loop, and can directly access the DOM of the parent process's page; the component's trusted code is placed in the lightweight process so that it is isolated from the third-party code.
Further, step (2) includes:
detecting the browser internal channel: when a message is transmitted between Web components, checking according to the message transmission rule whether the transmission succeeds;
detecting the network channel: when a Web component sends a network request, automatically deriving a new security policy from the component label and checking by that security policy whether the transmission succeeds;
detecting the browser storage channel: when a Web component accesses browser storage, checking according to the message transmission rule whether the transmission succeeds.
In general, compared with the prior art, the technical solution contemplated above has the following technical features and beneficial effects:
(1) for the messages passed between Web components, the technical solution proposes a new access control label model for the Web browser environment that requires no change to the JavaScript engine of existing browsers and disables no part of JavaScript's functionality, guaranteeing compatibility and integrity;
(2) the technical solution introduces a message transmission rule for the label model, so that label checks are applied only to information transfers that cross component boundaries; it introduces an effective, lightweight message label for tracking the user's private information and limits dangerous declassification privileges, guaranteeing the security of the system;
(3) the technical solution introduces a high-performance lightweight process to isolate unfamiliar third-party code, strengthening the protection of Web applications that import third-party code libraries without affecting browser extensions or applications that integrate third-party services.
Brief description of the drawings
Fig. 1 is a schematic diagram of the structure and flow when the technical solution of the invention protects against a browser extension application (cloud notes);
Fig. 2 is a schematic diagram of the structure and flow when the technical solution of the invention protects an application that includes a third-party code library;
Fig. 3 is a schematic diagram of the structure of the system of the invention.
Detailed description of the embodiments
To make the objects, technical solutions and advantages of the invention clearer, the invention is further described below in conjunction with the drawings and embodiments. It should be understood that the specific embodiments described here only explain the invention and do not limit it. Furthermore, the technical features involved in the embodiments described below may be combined with one another as long as they do not conflict.
As shown in Fig. 1, using the technical solution of the invention to stop the browser extension application "cloud notes" from stealing the user's password includes the following steps:
In this illustration, components are drawn as rectangles, communication operations as arrows, and the execution order of events is numbered in sequence; a label that has been locked by a message label is marked with the symbol "lock";
The third-party extension application cloud notes (cloudnote.com) can obtain the document of page a.com and upload it to the cloud; in addition, malicious code included in cloud notes tries to obtain the user's password for page a.com and leak it. The initial developer calls the API provided by the system to assign a label to each component. The initial component label of the third-party extension application cloud notes (cloudnote.com) is:
privacy label S_evil = { cloudnote.com };
integrity label I_evil = { };
privilege label O_evil = { network+, a.com+, a.com- };
The initial component label of page a.com is:
privacy label S_a = { a.com };
integrity label I_a = { };
privilege label O_a = { };
while the private information in page a.com, i.e. the user's password, is associated with the message label S_m = { a.com }.
S1: Cloud notes uses the a.com+ mark to extend its privacy label to S_evil = { cloudnote.com, a.com }, making S_evil ≥ S_a so that it can obtain the document of a.com.
S2: Cloud notes tries to upload the obtained document to the cloud; the system automatically simulates the label of this network channel as S_net = { cloudnote.com }, I_net = { network };
Cloud notes uses the a.com- mark and the network+ mark to make S_evil = { cloudnote.com } and I_evil = { network }, so that S_evil ≤ S_net and I_evil ≥ I_net, and the obtained document is uploaded to the cloud;
S3: The malicious code in cloud notes tries to obtain the password data of a.com. Cloud notes again uses the a.com+ mark to extend its privacy label to S_evil = { cloudnote.com, a.com }, making S_evil ≥ S_a so that it can obtain the password data; the password data, which is associated with the message label S_m, is then transferred to cloud notes;
S4: Cloud notes tries to leak the obtained user password out of the browser. Because the a.com password data was sent to cloud notes together with a message label, cloud notes cannot remove the mark a.com from S_evil even though it possesses the a.com- mark, so label detection fails and the user's password cannot be leaked over the network.
As shown in Fig. 2, using the technical solution of the invention to protect an application that includes third-party code comprises the following steps:
In this illustration, components are drawn as rectangles, communication operations as arrows, and the execution order of events is numbered in sequence; a label that has been locked by a message label is marked with the symbol "lock";
The home page a.com imports the untrusted third-party code library jQuery. The initial developer calls the API provided by the system to assign a label to each component. When home page a.com loads, it must download the jQuery code from jquery.com, so its initial component label is:
privacy label S_a = { a.com };
integrity label I_a = { };
privilege label O_a = { network+, a.com → jquery.com, a.com+, jquery.com- };
S1: Home page a.com places its trusted code in a newly created lightweight process LWorker and makes the initial component label of LWorker (S_worker, I_worker, O_worker) identical to the component label of home page a.com;
S2: LWorker uses the a.com → jquery.com mark and the network+ mark in O_worker to make S_worker = { jquery.com }, I_worker = { network }, and downloads the jQuery code by a network request to jquery.com. Because the component label of the network channel is simulated as S_net = { jquery.com }, I_net = { network }, we have S_worker ≤ S_net and I_worker ≥ I_net, so this network request is allowed;
S3: LWorker uses the a.com+ mark and the jquery.com- mark to make S_worker = { a.com }, I_worker = { network }; since S_worker ≤ S_a and I_worker ≥ I_a, the jQuery code is sent to home page a.com, and the communication message containing the jQuery code is associated with the message label S_m = { a.com };
S4: Home page a.com has become unsafe because of the untrusted third-party jQuery code. Even though home page a.com possesses the a.com → jquery.com mark, it cannot remove a.com from S_a, and therefore cannot leak information over the network channel to an untrusted third-party remote server. At the same time the trusted LWorker can still freely access the DOM of the home page and send network requests.
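The label model and message transmission rule described above, replayed on the Fig. 1 and Fig. 2 scenarios, as an added Python reference model that is not part of the patent or of any implementation by the inventors. Class and function names are the example's own, and it makes two assumptions the description does not spell out: the origins carried by a received message label are recorded in a per-component `locked` set (the "lock" symbol in the figures), and giving up an integrity entry needs no privilege mark.

```python
from dataclasses import dataclass, field


@dataclass
class Component:
    """Labelled Web component: S (privacy), I (integrity), O (privilege) sets.
    ``locked`` is this example's assumption: origins that arrived in a message
    label and therefore can no longer be declassified or converted."""
    name: str
    secrecy: set                                 # S: origins whose secrets it holds
    integrity: set                               # I: resources it may access
    privilege: set = field(default_factory=set)  # O: marks "x+", "x-", "x->y"
    locked: set = field(default_factory=set)

    def raise_secrecy(self, origin):
        """Apply an "origin+" mark: add the origin to S."""
        if origin + "+" not in self.privilege:
            return False
        self.secrecy.add(origin)
        return True

    def endorse(self, resource):
        """Apply a "resource+" mark: add the resource (e.g. network) to I."""
        if resource + "+" not in self.privilege:
            return False
        self.integrity.add(resource)
        return True

    def lower_integrity(self, resource):
        """Giving up a resource only reduces access; assumed to need no mark."""
        self.integrity.discard(resource)

    def declassify(self, origin):
        """Apply an "origin-" mark: drop the origin from S unless it is locked."""
        if origin + "-" not in self.privilege or origin in self.locked:
            return False
        self.secrecy.discard(origin)
        return True

    def convert(self, src, dst):
        """Apply a "src->dst" mark: replace src by dst in S unless src is locked."""
        if src + "->" + dst not in self.privilege or src in self.locked:
            return False
        self.secrecy.discard(src)
        self.secrecy.add(dst)
        return True


def transmit(sender, receiver, msg_label=frozenset()):
    """Transmission rule: S_send <= S_recv, I_send >= I_recv, S_m <= S_recv;
    on success the origins in S_m are locked in the receiver."""
    ok = (sender.secrecy <= receiver.secrecy
          and sender.integrity >= receiver.integrity
          and set(msg_label) <= receiver.secrecy)
    if ok:
        receiver.locked |= set(msg_label)
    return ok


def cloud_notes_scenario():
    """Fig. 1: cloudnote.com may read the a.com document but not leak the password."""
    evil = Component("cloudnote.com", {"cloudnote.com"}, set(),
                     {"network+", "a.com+", "a.com-"})
    page = Component("a.com", {"a.com"}, set())
    net = Component("net", {"cloudnote.com"}, {"network"})  # auto-simulated channel
    password = {"a.com"}                                     # S_m of the password
    t = {}
    evil.raise_secrecy("a.com")                              # S1: S_evil >= S_a
    t["S1_read_document"] = transmit(page, evil)
    evil.declassify("a.com")                                 # S2: a.com- and network+
    evil.endorse("network")
    t["S2_upload_document"] = transmit(evil, net)
    evil.lower_integrity("network")                          # S3: receive from a.com
    evil.raise_secrecy("a.com")
    t["S3_receive_password"] = transmit(page, evil, password)  # locks a.com
    t["S4_declassify"] = evil.declassify("a.com")              # S4: refused, locked
    evil.endorse("network")
    t["S4_leak_password"] = transmit(evil, net, password)      # S_evil > S_net
    return t


def jquery_scenario():
    """Fig. 2: LWorker fetches jQuery for a.com, which can then no longer leak."""
    page = Component("a.com", {"a.com"}, set(),
                     {"network+", "a.com->jquery.com", "a.com+", "jquery.com-"})
    net = Component("net", {"jquery.com"}, {"network"})
    worker = Component("LWorker", set(page.secrecy), set(page.integrity),  # S1
                       set(page.privilege))
    t = {}
    worker.convert("a.com", "jquery.com")                    # S2: S_worker = {jquery.com}
    worker.endorse("network")
    t["S2_download_jquery"] = transmit(worker, net)
    worker.raise_secrecy("a.com")                            # S3: S_worker = {a.com}
    worker.declassify("jquery.com")
    t["S3_deliver_jquery"] = transmit(worker, page, {"a.com"})  # locks a.com on page
    t["S4_page_convert"] = page.convert("a.com", "jquery.com")  # S4: refused
    page.endorse("network")
    t["S4_page_leak"] = transmit(page, net)
    t["S4_worker_request"] = (worker.convert("a.com", "jquery.com")
                              and transmit(worker, net))
    return t
```

The two scenario functions return the outcome of each step so the blocked steps (S4 in both figures) can be checked directly.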
As shown in Fig. 3, a Web user privacy protection system based on information flow labels according to the invention includes:
a label adding module, for adding labels according to a label model to Web components and to the communication messages passed between Web components; the label model includes component labels and message labels, and a component label, which is associated with a component, includes: a privacy label, representing the private information the component contains; an integrity label, representing the resource access rights the component possesses; a privilege label, used to update the privacy label and the integrity label, including authorising information, declassifying information and converting information; the message label is associated with a message passed between components and indicates that the associated message contains private information;
a label detection module, for checking, when a message is transmitted, whether the Web component labels or the message label satisfy the message transmission rule; if so the transmission succeeds, otherwise the message is protected and its transmission is forbidden. The message transmission rule in the label detection module is that, for an information flow to be transmitted successfully: the privacy label in the sending component's label must be less than or equal to the privacy label in the receiving component's label; the integrity label in the sending component's label must be greater than or equal to the integrity label in the receiving component's label; the message label of the sent message must be less than or equal to the privacy label in the receiving component's label; and after the receiving component has received the message, it cannot use its privilege label to affect the subset of its privacy label that equals the message label.
The label adding module includes:
an API-based label adding unit, for adding labels in advance to non-static components or communication messages according to the label model, through the DOM-level API provided by the system;
a security-policy-based label adding unit, for automatically adding labels to non-static components or communication messages according to the security policy and the label model when no label was added in advance;
an automatic label simulation unit, for automatically simulating a component label for a static component according to the label model, where the privacy label is the origin the static component belongs to, the integrity label is the static component's permissions, and the privilege label is empty.
When a component introduces third-party code, a lightweight process is created; the process runs in the same thread as its parent process and shares the same event loop, and can directly access the DOM of the parent process's page; the component's trusted code is placed in the lightweight process so that it is isolated from the third-party code.
The label detection module includes:
a browser internal channel detection unit, for checking according to the message transmission rule whether a message transmission between Web components succeeds;
a network channel detection unit, for automatically deriving a new security policy from the component label when a Web component sends a network request, and checking by that security policy whether the transmission succeeds;
a browser storage channel detection unit, for checking according to the message transmission rule whether a transmission succeeds when a Web component accesses browser storage.
As those skilled in the art will readily understand, the foregoing is merely a description of preferred embodiments of the invention and is not intended to limit it; any modification, equivalent substitution or improvement made within the spirit and principles of the invention falls within the scope of protection of the invention.

Claims (10)

1. A Web user privacy protection system based on information flow labels, characterised in that the system includes a label adding module and a label detection module, wherein:
the label adding module is for adding labels according to a label model to Web components and to the communication messages passed between Web components; the label model includes component labels and message labels, and a component label, which is associated with a component, includes:
a privacy label, representing the private information the component contains;
an integrity label, representing the resource access rights the component possesses;
a privilege label, used to update the privacy label and the integrity label, including authorising information, declassifying information and converting information;
the message label is associated with a message passed between components and indicates that the associated message contains private information;
the label detection module is for checking, when a message is transmitted, whether the Web component labels or the message label satisfy the message transmission rule; if so the transmission succeeds, otherwise the message is protected and its transmission is forbidden.
2. The Web user privacy protection system based on information flow labels according to claim 1, characterised in that the message transmission rule in the label detection module is that, for an information flow to be transmitted successfully: the privacy label in the sending component's label must be less than or equal to the privacy label in the receiving component's label; the integrity label in the sending component's label must be greater than or equal to the integrity label in the receiving component's label; the message label of the sent message must be less than or equal to the privacy label in the receiving component's label; and after the receiving component has received the message, it cannot use its privilege label to affect the subset of its privacy label that equals the message label.
3. The Web user privacy protection system based on information flow labels according to claim 1, characterised in that the label adding module includes:
an API-based label adding unit, for adding labels in advance to non-static components or communication messages according to the label model, through the DOM-level API provided by the system;
a security-policy-based label adding unit, for automatically adding labels to non-static components or communication messages according to the security policy and the label model when no label was added in advance;
an automatic label simulation unit, for automatically simulating a component label for a static component according to the label model, where the privacy label is the origin the static component belongs to, the integrity label is the static component's permissions, and the privilege label is empty.
4. The Web user privacy protection system based on information flow labels according to claim 3, characterised in that when a component introduces third-party code, a lightweight process is created; the process runs in the same thread as its parent process and shares the same event loop, and can directly access the DOM of the parent process's page; the component's trusted code is placed in the lightweight process so that it is isolated from the third-party code.
5. The Web user privacy protection system based on information flow labels according to claim 1, characterised in that the label detection module includes:
a browser internal channel detection unit, for checking according to the message transmission rule whether a message transmission between Web components succeeds;
a network channel detection unit, for automatically deriving a new security policy from the component label when a Web component sends a network request, and checking by that security policy whether the transmission succeeds;
a browser storage channel detection unit, for checking according to the message transmission rule whether a transmission succeeds when a Web component accesses browser storage.
6. A Web user privacy protection method based on information flow labels, characterised in that the method comprises the following steps:
(1) adding labels according to a label model to Web components and to the communication messages passed between Web components; the label model includes component labels and message labels, and a component label, associated with a component, includes:
a privacy label, representing the private information the component contains;
Integrality label, represents the resource access authority information that this component possesses;
Franchise label, is updated to private label and integrality label, including authorizing information, information drop close and information and turned Change;
The message transmitted between the message label associated component, represents that the message package of association contains privacy information;
(2) when message transmission, whether detection Web labelled components or communication messages tab meet message transmission rule, are to disappear Breath is transmitted successfully, otherwise protects message to forbid transmission.
7. a kind of Web user method for secret protection based on information stream label according to claim 6, it is characterised in that To be that information flow is delivered successfully must be fulfilled for message transmission rule in the step (2):Private label in sending assembly label Less than or equal to the private label received in labelled component;Integrality label in sending assembly label, which is more than or equal to, receives component Integrality label in label;Send message label to be necessarily less than equal to the private label received in labelled component, and receive Component is received after message, it is impossible to influence to be equal to the subset of message label in its private label using its franchise label.
8. a kind of Web user method for secret protection based on information stream label according to claim 6, it is characterised in that The step (1) includes:
(11) the label addition based on API:The DOM rank API provided by system, are non-static component in advance by label model Or communication information addition label;
(12) the label addition based on security strategy:When if non-static component or communication information are without the label added in advance, It is that non-static component or communication information add label automatically according to security strategy and label model;
(13) automatic imitation label:It is static component automatic imitation labelled component according to label model, private label is static state Source belonging to component, integrality label is the authority of static component, and franchise label is sky.
9. a kind of Web user method for secret protection based on information stream label according to claim 8, it is characterised in that When the component introduces third party code, Lightweight Process is created, the process and parent process operate in same thread, and altogether The same event loop is enjoyed, it is grading to light weight that the process can directly access trusted code in the DOM of the parent process page, placing modules Journey, isolates third party code.
10. a kind of Web user method for secret protection based on information stream label according to claim 8, it is characterised in that The step (2) includes:
Detect browser inner passage:When carrying out message transmission between Web components, passed according to message transmission rule detection message Pass and whether succeed;
Network channel is detected:When Web components send network request, according to the new security strategy of labelled component automatic customization, by Whether security strategy detection message transmission succeeds;
Browser memory channel is detected:When the access browser storage of Web components, according to message transmission rule detection message transmission Whether succeed.
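The message transmission rule of claims 2 and 7 and the static-component label emulation of claims 3 and 8 are easier to reason about as a small label model in code. The block below is an added example for this page, not code from the patent or its applicant. It assumes, as the patent does not state, that each label is a set of opaque tags, that "less than or equal" between labels means subset inclusion (as in decentralized information flow control), and that a privilege label is the set of privacy tags a component may declassify; the component names and tag values are constructed sample data.

```javascript
// Added example (not the patent's code): component and message labels from the claims,
// the message transmission rule of claims 2/7, and the static-component label
// emulation of claims 3/8, written in JavaScript because the claims target Web components.
//
// Assumptions not on the page: a label is a Set of opaque tags; "label A <= label B"
// means A is a subset of B; a privilege label lists the privacy tags the component may
// declassify (drop) from its own privacy label. Tag names below are constructed.

/** Build a component label from three tag lists (privacy, integrity, privilege). */
function makeComponentLabel({ privacy = [], integrity = [], privilege = [] } = {}) {
  return {
    privacy: new Set(privacy),     // private information the component contains
    integrity: new Set(integrity), // resource access authority the component holds
    privilege: new Set(privilege), // tags the component may declassify or convert
  };
}

/** Automatic label emulation for a static component (claims 3 and 8):
 *  privacy = the source the component belongs to, integrity = its authority,
 *  privilege = empty, so a static component can never declassify anything. */
function emulateStaticLabel(source, authority) {
  return makeComponentLabel({ privacy: [source], integrity: [authority], privilege: [] });
}

function isSubset(a, b) {
  for (const x of a) if (!b.has(x)) return false;
  return true;
}

function intersects(a, b) {
  for (const x of a) if (b.has(x)) return true;
  return false;
}

/**
 * Message transmission rule (claims 2 and 7). `sender` and `receiver` are component
 * labels; `messageLabel` is the Set of privacy tags the message carries.
 * Returns { allowed, reason } so a detection unit can log why a flow was blocked.
 */
function checkTransmission(sender, receiver, messageLabel) {
  // Rule 1: sender privacy <= receiver privacy (no flow to a less-restricted component).
  if (!isSubset(sender.privacy, receiver.privacy)) {
    return { allowed: false, reason: 'sender privacy label exceeds receiver privacy label' };
  }
  // Rule 2: sender integrity >= receiver integrity (receiver gains no authority it lacks).
  if (!isSubset(receiver.integrity, sender.integrity)) {
    return { allowed: false, reason: 'receiver integrity label exceeds sender integrity label' };
  }
  // Rule 3: message label <= receiver privacy.
  if (!isSubset(messageLabel, receiver.privacy)) {
    return { allowed: false, reason: 'message label exceeds receiver privacy label' };
  }
  // Rule 4 (our reading of the claim): the receiver must not hold privilege over the
  // tags that arrive with the message, otherwise it could declassify them afterwards.
  if (intersects(messageLabel, receiver.privilege)) {
    return { allowed: false, reason: 'receiver could declassify message tags with its privilege label' };
  }
  return { allowed: true, reason: 'ok' };
}

/** Constructed scenario: a form holding the user's e-mail talks to three receivers. */
function demo() {
  const form = makeComponentLabel({ privacy: ['user-email'], integrity: ['app-origin'] });
  const adWidget = makeComponentLabel();                 // holds no private data, no authority
  const trustedSink = makeComponentLabel({ privacy: ['user-email'], integrity: ['app-origin'] });
  const leakySink = makeComponentLabel({ privacy: ['user-email'], integrity: ['app-origin'],
                                         privilege: ['user-email'] });
  const msg = new Set(['user-email']);
  return {
    toAd: checkTransmission(form, adWidget, msg).allowed,          // false (rule 1)
    toTrusted: checkTransmission(form, trustedSink, msg).allowed,  // true
    toLeaky: checkTransmission(form, leakySink, msg).allowed,      // false (rule 4)
    staticImg: emulateStaticLabel('https://cdn.example', 'read-only'),
  };
}
```

The `reason` string is what a channel detection unit (claims 5 and 10) would record when it forbids a transmission; the same `checkTransmission` call applies whether the channel is an in-browser message, a network request or browser storage, only the `receiver` label differs.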
CN201710323578.4A 2017-05-10 2017-05-10 A kind of Web user intimacy protection system and method based on information stream label Active CN107180202B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710323578.4A CN107180202B (en) 2017-05-10 2017-05-10 A kind of Web user intimacy protection system and method based on information stream label

Publications (2)

Publication Number Publication Date
CN107180202A true CN107180202A (en) 2017-09-19
CN107180202B CN107180202B (en) 2019-11-22

Family

ID=59832427

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710323578.4A Active CN107180202B (en) 2017-05-10 2017-05-10 A kind of Web user intimacy protection system and method based on information stream label

Country Status (1)

Country Link
CN (1) CN107180202B (en)

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103327183A (en) * 2013-06-13 2013-09-25 中国科学院信息工程研究所 Black box protecting method and system for private data of Android user based on tag
CN103729595A (en) * 2014-01-02 2014-04-16 东南大学 Method for offline detecting private data leakage of Android application program
CN105069374A (en) * 2015-08-06 2015-11-18 上海斐讯数据通信技术有限公司 Private data intercepting protection method and system
CN105678187A (en) * 2016-01-06 2016-06-15 上海斐讯数据通信技术有限公司 Intelligent terminal privacy data protection method and system based on Android system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
VISILIS PAPPAS,ETAL: ""CloudFence: Data Flow Tracking as a Cloud Service"", 《SPRINGER》 *
周启惠: ""智能移动终端敏感资源保护技术研究"", 《中国优秀硕士学位论文全文数据库 信息科技辑》 *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110378134A (en) * 2019-07-08 2019-10-25 紫光云技术有限公司 A kind of mixed cloud information protection and stream compression tracking based on label
CN111404890A (en) * 2020-03-05 2020-07-10 北京字节跳动网络技术有限公司 Flow data detection method, system, storage medium and electronic device
CN111404890B (en) * 2020-03-05 2022-07-05 北京字节跳动网络技术有限公司 Flow data detection method, system, storage medium and electronic device
CN113569231A (en) * 2021-09-27 2021-10-29 北京智芯微电子科技有限公司 Multiprocess MPU protection method and device and electronic equipment
CN113569231B (en) * 2021-09-27 2022-01-25 北京智芯微电子科技有限公司 Multiprocess MPU protection method and device and electronic equipment

Also Published As

Publication number Publication date
CN107180202B (en) 2019-11-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant