CN111428241A - Multi-security access policy control method and computing device - Google Patents

Multi-security access policy control method and computing device Download PDF

Info

Publication number
CN111428241A
CN111428241A CN201911206473.6A CN201911206473A CN111428241A CN 111428241 A CN111428241 A CN 111428241A CN 201911206473 A CN201911206473 A CN 201911206473A CN 111428241 A CN111428241 A CN 111428241A
Authority
CN
China
Prior art keywords
function
hook
kernel
linked list
hook function
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201911206473.6A
Other languages
Chinese (zh)
Other versions
CN111428241B (en
Inventor
洪浩
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Shenzhidu Technology Co ltd
Original Assignee
Beijing Shenzhidu Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Shenzhidu Technology Co ltd filed Critical Beijing Shenzhidu Technology Co ltd
Publication of CN111428241A publication Critical patent/CN111428241A/en
Application granted granted Critical
Publication of CN111428241B publication Critical patent/CN111428241B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a multi-security access policy control method, which is executed in computing equipment and comprises the following steps: in the target security access policy module, a hook function is set for a target kernel function; acquiring the address of a hook function linked list of a target kernel function, and inserting the address of the hook function into the tail part of the hook function linked list; and adding callback information of the target kernel function into a callback information array of the target security access policy module, wherein each element in the callback information array corresponds to the callback information of one kernel function, and the callback information comprises a hook function linked list address of the kernel function, a position of the hook function in the hook function linked list and an address of the hook function. The invention also discloses a corresponding security access method and a corresponding computing device.

Description

Multi-security access policy control method and computing device
Technical Field
The invention relates to the technical field of L inux security access policy control, in particular to a multi-security access policy control method, a security access method and computing equipment.
Background
L inux operating system is widely used in server, mobile phone and embedded type, the safety of operating system is the base of the whole computer system, without the support of safe operating system, the safety of computer system and various application software running on operating system can not be guaranteed.
In the L inux operating system, the mandatory access policy is implemented by a Security access policy Subsystem (SAP) of a kernel, the SAP subsystem is an access control framework which provides a series of interfaces, so that developers can bury key path functions of the kernel in a kernel module (called a mandatory access policy module for short) corresponding to the mandatory access policy, set hook (hook) functions for the kernel functions and then dock to the SAP subsystem.
Due to the limitation of an operating system, at most one mandatory access policy module can exist in a kernel, and correspondingly, at most one hook function can be called, so that the system security is difficult to ensure under certain conditions.
Disclosure of Invention
To this end, the present invention provides a multiple security access policy control method, a security access method and a computing device in an attempt to solve or at least alleviate the above-presented problems.
According to a first aspect of the present invention, there is provided a multiple security access policy control method, executed in a computing device, comprising the steps of: in the target security access policy module, a hook function is set for a target kernel function; acquiring the address of a hook function linked list of the target kernel function, and inserting the address of the hook function into the tail part of the hook function linked list; and adding callback information of the target kernel function to a callback information array of the target security access policy module, wherein each element in the callback information array corresponds to the callback information of one kernel function, and the callback information comprises a hook function linked list address of the kernel function, a position of the hook function in the hook function linked list and an address of the hook function.
Optionally, in the multiple security access policy control method according to the present invention, before the step of setting a hook function for the target function, the method further includes the steps of detecting whether a value of a kernel configuration parameter CONFIG _ KA LL SYMS _ a LL is y, if not, setting a value of a kernel configuration parameter CONFIG _ KA LL SYMS _ a LL to y, and recompiling the kernel.
Optionally, in the multiple SECURITY access policy control method according to the present invention, before the step of setting a hooking function for the target function, the method further includes the steps of detecting whether a value of a kernel configuration parameter CONFIG _ SECURITY _ write ab L E _ HOOKS is y, and if not, setting a value of a kernel configuration parameter CONFIG _ SECURITY _ write ab L E _ HOOKS to y, and recompiling the kernel.
Optionally, in the multiple security access policy control method according to the present invention, the step of obtaining the address of the hook function linked list of the target kernel function includes: searching the address of a hook function total linked list from a kernel symbol table, wherein elements in the hook function total linked list are the hook function linked list addresses of all kernel functions; and searching the hook function linked list address of the target kernel function from the hook function total linked list.
Optionally, in the multiple security access policy control method according to the present invention, the elements in the callback information array are structure data types, and the structure includes a structure pointer variable for storing an address of the hook function linked list, a structure variable for storing a position of the hook function in the hook function linked list, and a complex variable for storing an address of the hook function.
Optionally, in the multiple security access policy control method according to the present invention, the structure variable includes a back pointer variable pointing to a next element in the hook function chain table, and a front pointer variable pointing to a previous element in the hook function chain table.
Optionally, in the multiple security access policy control method according to the present invention, the hooking function is adapted to be called when the kernel receives a target kernel function call request, and the hooking function is adapted to determine security of the call request.
Optionally, in the multiple security access policy control method according to the present invention, the hooking function includes at least one security rule, and the hooking function is adapted to determine whether the call request is secure by determining whether the call request complies with the security rule.
Optionally, in the multiple security access policy control method according to the present invention, further comprising: determining the address of a hook function linked list of a target kernel function and the position of the hook function in the hook function linked list according to a callback information array of a target security access policy module; deleting the hook function in the hook function linked list; and deleting the callback information of the target kernel function in the callback information array.
According to a second aspect of the present invention, there is provided a secure access method, executed in a computing device, comprising the steps of: receiving a kernel function calling request sent by an upper layer application; acquiring a hook function linked list address of the kernel function, wherein the hook function linked list comprises hook functions of the kernel function under at least one security access policy; sequentially calling each hook function in the hook function linked list to judge the safety of the calling request; and calling the kernel function when all the hook functions judge that the calling request is safe.
Optionally, in the secure access method according to the present invention, the step of obtaining the address of the hook function linked list of the kernel function includes: searching the address of a hook function total linked list from a kernel symbol table, wherein elements in the hook function total linked list are the hook function linked list addresses of all kernel functions; and searching the hook function linked list address of the kernel function from the hook function total linked list.
Optionally, in the secure access method according to the present invention, the hooking function includes at least one security rule, and the hooking function is adapted to determine whether the call request is secure by determining whether the call request complies with the security rule.
According to a third aspect of the invention, there is provided a computing device comprising: at least one processor; and a memory storing program instructions that, when read and executed by the processor, cause the computing device to perform the multiple security access policy control method and the security access method described above.
According to a fourth aspect of the present invention, there is provided a readable storage medium storing program instructions which, when read and executed by a computing device, cause the computing device to perform the above-described multiple security access policy control method and security access method.
According to the multi-security access policy control method, the hook function can be set for the target kernel function in the target security access policy module, and the address of the set hook function is inserted into the hook function linked list corresponding to the target kernel function. In the multi-security access strategy control method, the hook function linked list of the target kernel function uniformly stores the hook functions of the target kernel function in each security access strategy module, and each security access strategy module can insert the self-defined hook functions into the hook function linked list, thereby realizing the dynamic addition of the security access strategies and enabling the kernel to simultaneously support a plurality of security access strategies.
Furthermore, each security access policy module can delete the self-defined hook function from the hook function linked list, thereby realizing the dynamic deletion of the security access policy.
Based on the multi-security access strategy control method, the invention further provides a security access method. When the kernel receives a call request aiming at a kernel function from an upper layer application, the kernel obtains the address of a hook function linked list of the kernel function, wherein the hook function linked list comprises the hook function of the kernel function under at least one safety access strategy. And then, sequentially calling each hook function in the hook function linked list to judge the safety of the calling request. When the hook functions of all the security access policies judge that the call request is safe, the kernel function is allowed to be called, so that multiple protection on the kernel function is realized, and the security of the kernel function is ensured.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
To the accomplishment of the foregoing and related ends, certain illustrative aspects are described herein in connection with the following description and the annexed drawings, which are indicative of various ways in which the principles disclosed herein may be practiced, and all aspects and equivalents thereof are intended to be within the scope of the claimed subject matter. The above and other objects, features and advantages of the present disclosure will become more apparent from the following detailed description read in conjunction with the accompanying drawings. Throughout this disclosure, like reference numerals generally refer to like parts or elements.
FIG. 1 shows a schematic diagram of a computing device 100, according to one embodiment of the invention;
FIG. 2 illustrates a flow diagram of a multiple security access policy control method 200 according to one embodiment of the invention;
fig. 3A and 3B are schematic diagrams illustrating a process of inserting a hook function hook _ a1 of a target kernel function func1 into a hook function linked list security _ hook _ heads. func1 in a target security access policy module a according to an embodiment of the present invention;
FIG. 4 is a diagram illustrating an implementation of multiple security access policy control, according to one embodiment of the invention;
FIG. 5 illustrates example code for adding a hooking function according to one embodiment of the invention;
FIG. 6 illustrates a flow diagram of a method 600 of secure access according to one embodiment of the invention;
FIG. 7 is a diagram illustrating a kernel function call procedure when the method 200, 600 of the present invention is not employed; and
fig. 8 shows a schematic diagram of a kernel function call procedure after applying the method 200, 600 of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
The computing device of the present invention is a device installed with L inux operating system, which may be, for example, a personal configured computer such as desktop computer, notebook computer, etc., or a terminal device such as a mobile phone, tablet computer, multimedia player, smart wearable device, Internet of Things (IoT) device, etc., but is not limited thereto.
FIG. 1 shows a schematic diagram of a computing device 100, according to one embodiment of the invention. It should be noted that the computing device 100 shown in fig. 1 is only an example, and in practice, the computing device for implementing the multiple security access policy control method and the security access method of the present invention may be any type of device, and the hardware configuration thereof may be the same as the computing device 100 shown in fig. 1 or different from the computing device 100 shown in fig. 1. In practice, the computing device for implementing the multiple security access policy control method and the security access method of the present invention may add or delete hardware components of the computing device 100 shown in fig. 1, and the present invention does not limit the specific hardware configuration of the computing device.
As shown in FIG. 1, in a basic configuration 102, a computing device 100 typically includes a system memory 106 and one or more processors 104. A memory bus 108 may be used for communication between the processor 104 and the system memory 106.
Depending on the desired configuration, the processor 104 may be any type of processing, including but not limited to a microprocessor (μ P), a microcontroller (μ C), a digital information processor (DSP), or any combination thereof the processor 104 may include one or more levels of cache, such as a level one cache 110 and a level two cache 112, a processor core 114, and registers 116 the example processor core 114 may include an arithmetic logic unit (A L U), a Floating Point Unit (FPU), a digital signal processing core (DSP core), or any combination thereof the example memory controller 118 may be used with the processor 104 or, in some implementations, the memory controller 118 may be an internal part of the processor 104.
Depending on the desired configuration, system memory 106 may be any type of memory including, but not limited to, volatile memory (such as RAM), non-volatile memory (such as ROM, flash memory, etc.), or any combination thereof physical memory in a computing device generally refers to volatile memory RAM into which data in a disk needs to be loaded to be readable by processor 104. System memory 106 may include an operating system 120, one or more applications 122, and program data 124. in some embodiments, applications 122 may be arranged to execute instructions on the operating system with program data 124 by one or more processors 104. in embodiments of the present invention, operating system 120 is an L inux operating system that includes program instructions for handling basic system services and performing hardware-dependent tasks. applications 122 include program instructions for implementing various user-desired functions. applications 122 may be, for example, browsers, instant messaging software, software development tools (e.g., integrated development environment IDE, compilers, etc.), etc. without limitation, when applications 122 are installed into computing device 100, driver modules may be added to operating system 120.
When the computing device 100 is started, the processor 104 reads program instructions of the operating system 120 from the memory 106 and executes them. The application 122 runs on top of the operating system 120, utilizing the operating system 120 and interfaces provided by the underlying hardware to implement various user-desired functions. When the user starts the application 122, the application 122 is loaded into the memory 106, and the processor 104 reads the program instructions of the application 122 from the memory 106 and executes the program instructions.
Computing device 100 may also include an interface bus 140 that facilitates communication from various interface devices (e.g., output devices 142, peripheral interfaces 144, and communication devices 146) to the basic configuration 102 via the bus/interface controller 130. The example output device 142 includes a graphics processing unit 148 and an audio processing unit 150. They may be configured to facilitate communication with various external devices, such as a display or speakers, via one or more a/V ports 152. Example peripheral interfaces 144 may include a serial interface controller 154 and a parallel interface controller 156, which may be configured to facilitate communication with external devices such as input devices (e.g., keyboard, mouse, pen, voice input device, touch input device) or other peripherals (e.g., printer, scanner, etc.) via one or more I/O ports 158. An example communication device 146 may include a network controller 160, which may be arranged to facilitate communications with one or more other computing devices 162 over a network communication link via one or more communication ports 164.
A network communication link may be one example of a communication medium. Communication media may typically be embodied by computer readable instructions, data structures, program modules, and may include any information delivery media, such as carrier waves or other transport mechanisms, in a modulated data signal. A "modulated data signal" may be a signal that has one or more of its data set or its changes made in such a manner as to encode information in the signal. By way of non-limiting example, communication media may include wired media such as a wired network or private-wired network, and various wireless media such as acoustic, Radio Frequency (RF), microwave, Infrared (IR), or other wireless media. The term computer readable media as used herein may include both storage media and communication media.
In the embodiment of the present invention, the operating system 120 is an L inux operating system, and the L inux operating system includes a plurality of kernel modules, such as a process scheduling module, an inter-process communication module, a memory management module, a file system module, a network interface module, and the like, for implementing corresponding basic functions.
In the embodiment of the present invention, in order to ensure the security of the operating system, the operating system further includes a security access policy framework module (i.e., SAP framework) and a plurality of security access policy modules (e.g., Se L inux module, AppArmor module, Grsecurity module, package module, etc.). the security access policy modules run on the SAP framework, and different security protection methods may be used by different security access policy modules to protect the security of the operating system from different angles.
Due to the limitation of an operating system, only one security access policy module can be implemented on the existing SAP framework, and accordingly, at most one hook function can be called for a certain kernel function, which is difficult to ensure system security in some cases. Therefore, the present invention provides a multi-security access policy control method 200 and a security access method 600 to implement coexistence of multiple security access policies and perform multiple protections on a key kernel function, thereby ensuring security of an operating system.
The multiple security access policy control method 200 is performed by a security access policy module in the kernel. The method can dynamically identify the hook function linked list of each key kernel function in the kernel SAP frame, and add or remove the self-defined hook function of the security access strategy module into or out of the SAP frame through dynamically adding and deleting the linked list items, so as to solve the problems that the SAP frame cannot simultaneously support various security access strategies and cannot dynamically mount and unload the security access strategy module.
The secure access method 600 is performed by the SAP framework in the kernel. Based on the hook function linked list set by the multiple security access policy control method 200, after the kernel receives a call request for a certain kernel function sent by an upper layer application, the SAP framework obtains the address of the hook function linked list of the kernel function, and then calls each hook function in the hook function linked list in sequence to judge the security of the call request. When the hook functions of all the security access policies judge that the call request is safe, the kernel function is allowed to be called, so that multiple protection on the kernel function is realized, and the security of the kernel function is ensured.
Fig. 2 shows a flow diagram of a multiple security access policy control method 200 according to one embodiment of the invention. The method 200 is performed in a computing device (e.g., the aforementioned computing device 100), and in particular, the method 200 is performed by a kernel module, a security access policy module, in the computing device. As shown in fig. 2, the method 200 begins at step S210.
In step S210, in the target security access policy module, a hook function is set for the target kernel function.
The target security access policy module is a security access policy module selected by a user, and may be implemented as, for example, a security access policy kernel module such as a Se L inux module, an AppArmor module, a Grsecurity module, and a package module, but is not limited thereto.
The target kernel function is a kernel function which is protected by adopting a target security access strategy module. One skilled in the art can choose to set a certain kernel function or some kernel functions as target kernel functions according to actual requirements, and use a target security access policy module to protect the security of these kernel functions. The invention does not limit the selection condition of the target kernel function.
According to an embodiment, before the hook function is set for the target kernel function in step S210, the method further includes the steps of detecting whether the value of the kernel configuration parameter CONFIG _ KA LL SYMS _ a LL is y, if not, setting the value of the kernel configuration parameter CONFIG _ KA LL SYMS _ a LL to be y, and recompiling the kernel, setting the kernel configuration parameter CONFIG _ KA LL SYMS _ a LL to be y, so that the kernel symbol table includes information of all symbols (symbols include functions, non-stack data variables and the like) in the kernel code, including addresses and function names of the functions, and addresses and variable names of the variables, and the like, thereby facilitating acquisition of a hook function linked list address in subsequent step S220.
According to an embodiment, before the step S210, the method further includes the steps of detecting whether the value of the kernel configuration parameter CONFIG _ SECURITY _ write ab L E _ HOOKS is y, and if not, setting the value of the kernel configuration parameter CONFIG _ SECURITY _ write ab L E _ HOOKS to y and recompiling the kernel, and setting the value of the kernel configuration parameter CONFIG _ SECURITY _ write ab L E _ HOOKS to y, so that the system can dynamically add the hook function in the SECURITY access policy at runtime, thereby facilitating the addition of the hook function to the corresponding hook function chain table in the subsequent step S220.
A hook function of the target kernel function is adapted to be called when the kernel receives the target kernel function call request for determining the security of the call request. If the hook function judges that the call request is safe, the kernel can further call the target kernel function. Specifically, at least one safety rule is set in the hooking function, and the hooking function determines whether the call request is safe by judging whether the call request meets the safety rules. The security rules include, but are not limited to, host-object permission rules, for example, the security rules may be set such that the subject s1 has read-write permission for the object o1, the subject s2 has read-only permission for the object o2, the subject s3 has read permission for all objects, and so on.
In the embodiment of the invention, each security access policy module corresponds to a callback information array, and the callback information array stores the callback information of each kernel function protected by the security access policy module. That is, the callback information array of the target security access policy module stores the callback information of each target kernel function.
According to one embodiment, the elements in the callback information array are structure (struct) data types, and the structure comprises a structure pointer variable for storing the address of the hook function linked list, a structure variable for storing the position of the hook function in the hook function linked list, and a complex variable for storing the address of the hook function. The structure variables for storing the location of the hook function in the hook function linked list further include a back pointer variable pointing to the next element in the hook function linked list and a front pointer variable pointing to the previous element in the hook function linked list. And the hook function linked list of the kernel function stores the hook functions of the kernel function in each security access policy module.
According to one embodiment, the structure of the elements in the callback information array of the target secure access policy module is defined as follows:
struct security_hook_list{
struct list_head list;
struct list_head *head;
union security_list_options hook;
};
the definition of this structure can be cured in L inux cores, for example, in the include/linux/lsm _ hooks.h document for L inux cores.
1. The list _ head is a bidirectional circular linked list structure provided by the L inux kernel and defined as follows:
struct list_head{
struct list_head*next,*prev;
};
where next is a back pointer variable pointing to the next element in the linked list of hook functions, and prev is a front pointer variable pointing to the previous element in the linked list of hook functions.
2. Head is a pointer variable to the list head data type, which is used to store the hook function linked list address.
3. hook is a security _ list _ options type of complex variable that is a complex of all hook function prototype addresses, i.e., hook is used to store the addresses of the hook functions.
According to an embodiment, step S210 further comprises: and initializing the array variable of the struct security _ hook _ list type in a target security access policy module, wherein the array variable corresponds to the target kernel function and is used for storing callback information of the target kernel function.
Subsequently, in step S220, the address of the hook function linked list of the target kernel function is obtained, and the address of the hook function set in step S210 is inserted into the tail of the hook function linked list.
According to one embodiment, the hook function linked list address of the target kernel function is obtained according to the following steps: searching the address of a hook function total linked list from the kernel symbol table, wherein the elements in the hook function total linked list are the hook function linked list addresses of all kernel functions; and searching the address of the hook function linked list of the target kernel function from the hook function total linked list.
In the L inux kernel, the variable name of the total linked list of the hooking function is security _ hook _ heads, and the address of the linked list can be found out according to the kernel symbol table.
For example, the hook function global list security _ hook _ headers is defined as follows:
struct security_hook_heads{
struct list_head func1;
struct list_head func2;
struct list_head func3;
//...
};
extern struct security_hook_heads security_hook_heads;
the func1, func2 and func3 variables in the security _ hook _ headers respectively represent the addresses (the head addresses of the chain tables) of the linked lists of the hook functions corresponding to the kernel functions func1, func2 and func 3.
After the address of the hook function linked list of the target kernel function is obtained, the address of the hook function set in the step S210 is inserted into the tail of the hook function linked list.
For example, in step S210, in the target secure access policy module a, a hook function hook _ a1 is set for the target kernel function func 1. In step S220, a hook function linked list address security _ hook _ headers.func 1 of the target kernel function func1 is obtained, and the hook function hook _ a1 is inserted into the tail of the linked list security _ hook _ headers.func 1.
Fig. 3A and 3B are schematic diagrams illustrating a process of inserting the hook function hook _ a1 into the hook function linked list security _ hook _ headers.
As shown in fig. 3A, when the hook function hook _ a1 in the target security access policy module a is not inserted, the hook function hook _ B1 set by the security access policy module B for the kernel function func1 and the hook function hook _ C1 set by the security access policy module C for the kernel function func1 already exist in the hook function linked list security _ hook _ heads. The head node of the hook function linked list security _ hook _ headers.func 1 is the node where hook _ B1 is located.
In order for the target security access policy module a to protect the kernel function func1, the hook function hook _ a1 set by the module a needs to be inserted into the tail of the hook function linked list security _ hook _ heads, func1 shown in fig. 3A. For example, the hook function hook _ a1 is inserted into the tail of the hook function linked list security _ hook _ heads. func1 through the interface function security _ add _ hooks provided by the SAP framework. The inserted hook function chain table is shown in fig. 3B.
In the chain table of hook functions shown in fig. 3B, the last element of the hook function hook _ a1 is hook _ C1, and the next element is hook _ B1, i.e., the front pointer prev of the hook function hook _ a1 points to hook _ C1, and the back pointer next points to hook _ C1. The pre-pointer prev and the post-pointer next may determine the location of the hook function hook _ a1 in the hook function chain table.
According to an embodiment, in order to ensure data consistency, when the address of the hook function is inserted into the linked list of the hook function in step S220, the RCU (Read-Copy Update) lock protection provided by the kernel needs to be opened.
The above embodiments describe the process of inserting a hook function of a target kernel function into a linked list of hook functions. It should be noted that, in step S220, the address of the hook function linked list of the target kernel function cannot be obtained. If the address of the hook function linked list of the target kernel function cannot be obtained based on the kernel symbol table, the hook function set by the target security access policy module cannot be added to the hook function linked list, that is, the target security access policy module cannot protect the target kernel function.
After the address of the hook function set in step S210 is inserted into the hook function linked list of the target kernel function in step S220, step S230 is performed.
In step S230, the callback information of the target kernel function is added to the callback information array of the target security access policy module, where each element in the callback information array corresponds to the callback information of one kernel function, and the callback information includes the address of the hook function linked list of the kernel function, the position of the hook function in the hook function linked list, and the address of the hook function.
According to an embodiment, referring to the embodiment in the foregoing step S210, the element structure in the callback information array is as follows, and the following structure variables corresponding to the target kernel function have been initialized:
struct security_hook_list{
struct list_head list;
struct list_head *head;
union security_list_options hook;
};
in step S230, the address of the linked list of the hooking function of the target kernel function, the position of the hooking function in the linked list of the hooking function (the address of the next element, the address of the previous element), and the address of the hooking function are assigned to the head, list (next, prev), and hook member variables in the security _ hook _ list structure.
It should be noted that, in step S210, the target security access policy module may set a hook function for a plurality of target kernel functions, and for each target kernel function, steps S220 and S230 need to be executed to add the set hook functions to the hook function linked list of the corresponding target kernel function one by one. That is, when the hooking functions of the plurality of target kernel functions are set at step S210, steps S220, S230 will be executed circularly a plurality of times.
According to an embodiment, the method 200 further comprises step S240 (step S240 is not shown in fig. 2).
In step S240, according to the callback information array of the target security access policy module, determining the address of the hook function linked list of the target kernel function and the position of the hook function in the hook function linked list; deleting the hook function in the hook function linked list; and deleting the callback information of the target kernel function in the callback information array. Step S240 may delete the hook function defined by the target security access policy module from the hook function linked list, thereby implementing dynamic deletion of the security access policy.
Fig. 4 shows a schematic diagram of a specific embodiment of a multiple security access policy control method 200 employing the present invention. This embodiment comprises the following 8 steps:
and S1, detecting whether a kernel configuration parameter CONFIG _ KA LL SYMS _ A LL currently running on the ARM hardware platform is y, if not, jumping to the step S3, and if so, continuing to execute the step S2.
And S2, detecting whether a kernel configuration parameter CONFIG _ SECURITY _ WRITAB L E _ HOOKS of an operating system currently running on an ARM hardware platform is y, if not, jumping to the step S3, and if so, jumping to the step S4.
Step S3, using make menuconfig command to set the kernel configuration parameters CONFIG _ KA LL SYMS _ A LL as y and CONFIG _ SECURITY _ WRITAB L E _ HOOKS as y, recompiling the kernel.
Step S4, defining and initializing an array variable of structure security _ hook _ list type in the target security access policy module, and preparing a hook function of the target kernel function, wherein the structural definition of security _ hook _ list is solidified in include/linux/lsm _ hooks.h of L inux kernel, and the definition of kernel version 4.4 is as follows:
struct security_hook_list{
struct list_head list;
struct list_head *head;
union security_list_options hook;
};
the members of the structure are illustrated below:
the head is a chain table head, and the value of the head is the address of a hook function chain table corresponding to the target kernel function in security _ hook _ heads;
list is a linked list, prev member is a pointer, the value of which is the address of the last original element in the linked list of the hook function, next member is also a pointer, the value of which is the address of the first element in the linked list of the hook function, and hook value is the address of the hook function aiming at the target kernel function, which is realized by a certain target security access strategy module;
the type of hook is a complex (unit security _ list _ options), which is a complex of all kernel hooking function prototypes, thus facilitating the developer to hook any function of interest.
Generally, each security access policy will focus on more than one kernel function, so the target security access policy module corresponds to an array of type security _ hook _ list, and each element in the array corresponds to a target kernel function protected by the target security access policy module. Examples are as follows:
the array a _ hooks is a kernel function array of the hook in the security access policy a, each element in the array is a security _ hook _ list structure, corresponds to a target kernel function of the hook, and is used for storing callback information of the target kernel function of the hook. At this time, the value of the head in the structure is the address of the hook function linked list corresponding to security _ hook _ heads, the prev member of the list is a pointer, the value of the prev member of the list is the address of the original last element in the hook function linked list, the next member of the list is also a pointer, the value of the next member of the list is the address of the first element in the hook function linked list, and the value of the hook is the address of the hook function hook _ a1 provided for func1 and realized by the security access policy a.
And step S5, searching the address of the hook function general linked list security _ hook _ heads of the SAP frame from the kernel symbol table by using the kallsyms _ lookup _ name. The hook function global list security _ hook _ headers is a structure in which each element is a hook function linked list of kernel functions.
S6, if the hook function linked list of the target kernel function can be obtained, jumping to S7; if the hook function linked list of the target kernel function cannot be obtained, the variable cannot be hooked (irrelevant to the current security access policy), and usually, the symbol and the address of the variable are not derived from the kernel, the target security access policy module cannot protect the target kernel function, and the process fails and ends.
Step S7, adding callback information of the target kernel function to the callback information array of the target security access policy module one by one through the hook function linked list address and the struct security _ hook _ list type array variable defined in the program, and calling security _ add _ hooks to add the hook function to the corresponding hook function linked list.
As described above, the security _ hook _ headers includes the hook function linked list corresponding to each kernel function, and the security _ add _ hooks function is used to add the list member in each security _ hook _ list as a linked list element to the corresponding linked list in the security _ hook _ headers. For example, if the security access policy module a wants to protect the binder _ set _ context _ mgr kernel function, it needs to call the security _ add _ hooks function, and add the list member in the security _ hook _ list structure, which correspondingly hooks the kernel function, as an element into the security _ hook _ headers. FIG. 5 illustrates example code for adding a hooking function according to one embodiment of the invention.
Subsequently, step S8 is executed.
And step S8, judging whether all the target kernel functions to be protected are set completely. If not, jumping to the step S7 to continue the setting; and if all the target kernel functions are set, the setting is successful, and the process is finished.
The technical scheme of the invention realizes the dynamic addition and deletion of the security access policy, and integrates the security access policy with the original security access policy in the L inux kernel to form a chain security rule.
Based on the multiple security access policy control method 200 of the present invention, the present invention further provides a security access method 600. The method 600 is performed in a computing device (e.g., the aforementioned computing device 100), in particular, the method 600 is performed by an SAP framework in the computing device. As shown in fig. 6, the method 600 begins at step S610.
In step S610, a kernel function call request from an upper application is received.
Subsequently, in step S620, a hook function linked list address of the kernel function is obtained, where the hook function linked list includes a hook function of the kernel function under at least one security access policy.
According to one embodiment, the hook function linked list address of the kernel function may be determined according to the following steps: searching the address of a hook function total linked list from the kernel symbol table, wherein the elements in the hook function total linked list are the hook function linked list addresses of all kernel functions; and searching the address of the hook function linked list of the kernel function from the hook function total linked list.
Subsequently, in step S630, each hook function in the hook function linked list is called in sequence to determine the security of the call request.
According to one embodiment, each hooking function includes at least one security rule therein, and the hooking function is adapted to determine whether the call request is secure by determining whether the call request complies with the security rules.
Subsequently, in step S640, when all the hook functions determine that the call request is safe, the kernel function is called. And if one hook function judges that the call request is unsafe, the kernel function is not allowed to be called.
The secure access method 600 of the present invention achieves multiple protections for kernel functions, thereby ensuring the security of key kernel functions.
The effect of the method 200 and the method 600 according to the present invention will be described below with reference to fig. 7 and 8.
As shown in fig. 7, when the method 200 and the method 600 of the present invention are not used, when an application initiates a system call, the system call calls a corresponding kernel function to complete a corresponding function. If the kernel function is the kernel function of the key path protected by the hook of the security access policy module, the SAP framework obtains and calls the hook function of the kernel function to implement the security access policy, judges whether the kernel function is safe to call, and allows the kernel function to be called when the hook function judges that the call request of the current kernel function is safe. It should be noted that due to the limitations of existing systems, there can only be one security access policy module in the kernel at most, and therefore only one hook function is called.
As shown in fig. 8, after the method 200 and the method 600 of the present invention are adopted, a plurality of security access policy modules may exist in the kernel at the same time, and accordingly, one kernel function may correspond to a plurality of hooking functions, thereby implementing multiple protections for the kernel function. When the application program initiates a system call, the system call can complete the corresponding function through the processing of the kernel function. If the kernel function is the kernel function of the key path protected by the hook of the security access policy module, the SAP framework obtains the hook function linked list of the kernel function and calls each hook function in the hook function linked list in sequence to judge the security of the kernel function call request. As shown in fig. 8, the hook function linked list of the kernel function includes two hook functions, namely a hook function 1 and a hook function 2, which indicate that the kernel function is protected by two security access policy modules. The SAP framework will call the hook function 1 and the hook function 2 in sequence to determine the security of the current kernel function call request. When the hook function 1 and the hook function 2 both judge that the call request is safe, the kernel function is allowed to be called. If one hook function judges that the call request is unsafe, the kernel function is refused to be called.
The multi-security access policy control method 200 and the multi-security access policy control method 600 of the invention realize coexistence of multiple security access policies in the kernel, and can perform multiple protection on key kernel functions, thereby ensuring the security of the operating system.
The multi-security access policy control method 200 can dynamically identify the hook function linked list of each key kernel function in the kernel SAP framework, and add or remove the self-defined hook function of the security access policy module to or from the SAP framework by dynamically adding and deleting the linked list items, so as to overcome the problems that the SAP framework cannot simultaneously support multiple security access policies and cannot dynamically mount and unload the security access policy module.
In addition, the multi-security access strategy control method supports the interface with the existing security access strategy module, and ensures good backward compatibility. The method is realized by automatic detection and dynamic loading of the kernel module, is transparent to a user, does not need to add additional operation, has no influence on other functions in an operating system, and can flexibly and efficiently implement various security access strategies.
The security access method 600 is based on the hook function linked list set by the multiple security access policy control method 200, and after the kernel receives a call request for a certain kernel function sent by an upper layer application, the SAP framework obtains the address of the hook function linked list of the kernel function, and then calls each hook function in the hook function linked list in sequence to determine the security of the call request. When the hook functions of all the security access policies judge that the call request is safe, the kernel function is allowed to be called, so that multiple protection on the kernel function is realized, and the security of the kernel function is ensured.
A10, a secure access method, executed in a computing device, comprising the steps of:
receiving a kernel function calling request sent by an upper layer application;
acquiring a hook function linked list address of the kernel function, wherein the hook function linked list comprises hook functions of the kernel function under at least one security access policy;
sequentially calling each hook function in the hook function linked list to judge the safety of the calling request;
and calling the kernel function when all the hook functions judge that the calling request is safe.
A11, the method of claim 10, wherein the step of obtaining the address of the hook function linked list of the kernel function includes:
searching the address of a hook function total linked list from a kernel symbol table, wherein elements in the hook function total linked list are the hook function linked list addresses of all kernel functions; and
and searching the hook function linked list address of the kernel function from the hook function total linked list.
A12, the method of claim 10 or 11, wherein the hooking function includes at least one security rule, the hooking function being adapted to determine whether the call request is secure by determining whether the call request complies with the security rule.
A14, a readable storage medium storing program instructions that, when read and executed by a computing device, cause the computing device to perform the multiple security access policy control method of any one of claims 1-9 and the security access method of any one of claims 10-12.
Although the present invention has been described with reference to the preferred embodiments, it is not limited thereto. Various changes and modifications may be effected therein by one skilled in the art without departing from the spirit and scope of the invention as defined in the appended claims.
The various techniques described herein may be implemented in connection with hardware or software or, alternatively, with a combination of both. Thus, the methods and apparatus of the present invention, or certain aspects or portions thereof, may take the form of program code (i.e., instructions) embodied in tangible media, such as removable hard drives, U.S. disks, floppy disks, CD-ROMs, or any other machine-readable storage medium, wherein, when the program is loaded into and executed by a machine, such as a computer, the machine becomes an apparatus for practicing the invention.
In the case of program code execution on programmable computers, the computing device will generally include a processor, a storage medium readable by the processor (including volatile and non-volatile memory and/or storage elements), at least one input device, and at least one output device. Wherein the memory is configured to store program code; the processor is configured to execute the multiple security access policy control method and the security access method of the present invention according to instructions in the program code stored in the memory.
By way of example, and not limitation, readable media may comprise readable storage media and communication media. Readable storage media store information such as computer readable instructions, data structures, program modules or other data. Communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media. Combinations of any of the above are also included within the scope of readable media.
In the description provided herein, algorithms and displays are not inherently related to any particular computer, virtual system, or other apparatus. Various general purpose systems may also be used with examples of this invention. The required structure for constructing such a system will be apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that: that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules or units or components of the devices in the examples disclosed herein may be arranged in a device as described in this embodiment or alternatively may be located in one or more devices different from the devices in this example. The modules in the foregoing examples may be combined into one module or may be further divided into multiple sub-modules.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
Furthermore, some of the described embodiments are described herein as a method or combination of method elements that can be performed by a processor of a computer system or by other means of performing the described functions. A processor having the necessary instructions for carrying out the method or method elements thus forms a means for carrying out the method or method elements. Further, the elements of the apparatus embodiments described herein are examples of the following apparatus: the apparatus is used to implement the functions performed by the elements for the purpose of carrying out the invention.
As used herein, unless otherwise specified the use of the ordinal adjectives "first", "second", "third", etc., to describe a common object, merely indicate that different instances of like objects are being referred to, and are not intended to imply that the objects so described must be in a given sequence, either temporally, spatially, in ranking, or in any other manner.
While the invention has been described with respect to a limited number of embodiments, those skilled in the art, having benefit of this description, will appreciate that other embodiments can be devised which do not depart from the scope of the invention as described herein. Furthermore, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes, and may not have been selected to delineate or circumscribe the inventive subject matter. Accordingly, many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the appended claims. The present invention has been disclosed in an illustrative rather than a restrictive sense with respect to the scope of the invention, as defined in the appended claims.

Claims (10)

1. A multiple security access policy control method, implemented in a computing device, comprising the steps of:
in the target security access policy module, a hook function is set for a target kernel function;
acquiring the address of a hook function linked list of the target kernel function, and inserting the address of the hook function into the tail part of the hook function linked list; and
and adding the callback information of the target kernel function into a callback information array of the target security access policy module, wherein each element in the callback information array corresponds to the callback information of one kernel function, and the callback information comprises a hook function linked list address of the kernel function, the position of the hook function in the hook function linked list and the address of the hook function.
2. The method of claim 1, wherein before the step of setting a hooking function for the objective function, further comprising the step of:
detecting whether the value of a kernel configuration parameter CONFIG _ KA LL SYMS _ A LL is y;
if not, setting the value of the kernel configuration parameter CONFIG _ KA LL SYMS _ A LL as y, and recompiling the kernel.
3. The method of claim 1 or 2, wherein before the step of setting the hooking function for the objective function, further comprising the step of:
detecting whether the value of a kernel configuration parameter CONFIG _ SECURITY _ WRITAB L E _ HOOKS is y;
if not, the value of the kernel configuration parameter CONFIG _ SECURITY _ WRITAB L E _ HOOKS is set to y and the kernel is recompiled.
4. The method of any of claims 1-3, wherein the obtaining the hook function linked list address of the target kernel function comprises:
searching the address of a hook function total linked list from a kernel symbol table, wherein elements in the hook function total linked list are the hook function linked list addresses of all kernel functions; and
and searching the hook function linked list address of the target kernel function from the hook function total linked list.
5. The method of any of claims 1-4, wherein the elements in the callback information array are structure data types, the structure comprising a structure pointer variable to store a hook function linked list address, a structure variable to store a location of a hook function in a hook function linked list, and a complex variable to store an address of a hook function.
6. The method of claim 5, wherein the structure variables comprise a back pointer variable that points to a next element in the linked-hook function list, and a front pointer variable that points to a previous element in the linked-hook function list.
7. The method of any one of claims 1-6, wherein the hooking function is adapted to be called when a kernel receives a target kernel function call request, the hooking function being adapted to determine the security of the call request.
8. The method of claim 7, wherein the hooking function includes at least one security rule, the hooking function adapted to determine whether the call request is secure by determining whether the call request complies with the security rule.
9. The method of any one of claims 1-8, further comprising the step of:
determining the address of a hook function linked list of a target kernel function and the position of the hook function in the hook function linked list according to a callback information array of a target security access policy module;
deleting the hook function in the hook function linked list; and
and deleting the callback information of the target kernel function in the callback information array.
10. A computing device, comprising:
at least one processor; and
a memory storing program instructions;
the program instructions, when read and executed by the processor, cause the computing device to perform the multiple security access policy control method of any one of claims 1-9.
CN201911206473.6A 2019-10-31 2019-11-29 Multi-security access policy control method and computing device Active CN111428241B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201911055310 2019-10-31
CN2019110553102 2019-10-31

Publications (2)

Publication Number Publication Date
CN111428241A true CN111428241A (en) 2020-07-17
CN111428241B CN111428241B (en) 2023-12-29

Family

ID=71545861

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911206473.6A Active CN111428241B (en) 2019-10-31 2019-11-29 Multi-security access policy control method and computing device

Country Status (1)

Country Link
CN (1) CN111428241B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111797408A (en) * 2020-09-09 2020-10-20 北京志翔科技股份有限公司 Linux system-based trusted computing method and device
CN112668008A (en) * 2021-01-06 2021-04-16 上海湖顶大数据科技有限公司 Method for realizing dynamic system call hijacking based on LSM
CN112860267A (en) * 2021-04-23 2021-05-28 武汉深之度科技有限公司 Kernel cutting method and computing device
CN112988544A (en) * 2021-04-20 2021-06-18 北京国科环宇科技股份有限公司 Method, system, device and storage medium for analyzing performance bottleneck of operating system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120204193A1 (en) * 2011-02-08 2012-08-09 Nethercutt Glenn T Methods and computer program products for monitoring system calls using safely removable system function table chaining
CN104598809A (en) * 2015-02-13 2015-05-06 北京奇虎科技有限公司 Program monitoring method and defending method thereof, as well as relevant device
CN105740028A (en) * 2016-03-03 2016-07-06 北京金山安全软件有限公司 Access control method and device
CN106096400A (en) * 2016-06-06 2016-11-09 中国科学院信息工程研究所 A kind of linux kernel parallel LSM framework implementation method

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120204193A1 (en) * 2011-02-08 2012-08-09 Nethercutt Glenn T Methods and computer program products for monitoring system calls using safely removable system function table chaining
CN104598809A (en) * 2015-02-13 2015-05-06 北京奇虎科技有限公司 Program monitoring method and defending method thereof, as well as relevant device
CN105740028A (en) * 2016-03-03 2016-07-06 北京金山安全软件有限公司 Access control method and device
CN106096400A (en) * 2016-06-06 2016-11-09 中国科学院信息工程研究所 A kind of linux kernel parallel LSM framework implementation method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
吴勇杰;: "Linux内核防火墙Netfilter架构实现与应用研究", 电脑编程技巧与维护 *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111797408A (en) * 2020-09-09 2020-10-20 北京志翔科技股份有限公司 Linux system-based trusted computing method and device
CN112668008A (en) * 2021-01-06 2021-04-16 上海湖顶大数据科技有限公司 Method for realizing dynamic system call hijacking based on LSM
CN112988544A (en) * 2021-04-20 2021-06-18 北京国科环宇科技股份有限公司 Method, system, device and storage medium for analyzing performance bottleneck of operating system
CN112988544B (en) * 2021-04-20 2021-08-27 北京国科环宇科技股份有限公司 Method, system, device and storage medium for analyzing performance bottleneck of operating system
CN112860267A (en) * 2021-04-23 2021-05-28 武汉深之度科技有限公司 Kernel cutting method and computing device

Also Published As

Publication number Publication date
CN111428241B (en) 2023-12-29

Similar Documents

Publication Publication Date Title
CN111428241B (en) Multi-security access policy control method and computing device
US10528735B2 (en) Malicious code protection for computer systems based on process modification
KR101880375B1 (en) Segregating executable files exhibiting network activity
US20160232374A1 (en) Permission control method and apparatus
US8850573B1 (en) Computing device with untrusted user execution mode
US10019598B2 (en) Dynamic service discovery
US9311126B2 (en) System and method for virtual partition monitoring
US8015450B1 (en) Systems and methods for detecting and automatically installing missing software components
US8799928B1 (en) System services for native code modules
US9111096B2 (en) System and method for preserving and subsequently restoring emulator state
WO2014071867A1 (en) Program processing method and system, and client and server for program processing
CN113204385A (en) Plug-in loading method and device, computing equipment and readable storage medium
CN114461404B (en) Process migration method, computing device and readable storage medium
US20120331489A1 (en) Bypassing user mode redirection
CN110442380B (en) Data preheating method and computing equipment
US7281271B1 (en) Exception handling validation system and method
US11847222B2 (en) System and method for preventing unwanted bundled software installation
US9684660B2 (en) File processing method and system
US9804932B2 (en) Method and device for processing data and electronic apparatus
US8788785B1 (en) Systems and methods for preventing heap-spray attacks
CN111859403B (en) Dependency vulnerability determination method and device, electronic equipment and storage medium
CN114510706A (en) Permission control method and device based on physical interface and computing equipment
CN112231761A (en) Device mounting method, computing device and readable storage medium
CN113254917A (en) Recording permission management method, computing device and storage medium
CN113722715B (en) Imported file checking method, checking system and computing equipment

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
CB02 Change of applicant information

Address after: 17th Floor, Building 12, Yard 10, Kegu 1st Street, Beijing Economic and Technological Development Zone, Daxing District, Beijing 100176 (Beijing Pilot Free Trade Zone High-end Industry Zone Yizhuang Group)

Applicant after: Beijing Tongxin Software Technology Co.,Ltd.

Address before: 603, block B, Putian Desheng, No.28, xinjiekouwei street, Xicheng District, Beijing 100032

Applicant before: BEIJING SHENZHIDU TECHNOLOGY CO.,LTD.

GR01 Patent grant
GR01 Patent grant