CN115470479A - Authority control method of application program, electronic device and storage medium - Google Patents

Authority control method of application program, electronic device and storage medium Download PDF

Info

Publication number
CN115470479A
CN115470479A CN202211111483.3A CN202211111483A CN115470479A CN 115470479 A CN115470479 A CN 115470479A CN 202211111483 A CN202211111483 A CN 202211111483A CN 115470479 A CN115470479 A CN 115470479A
Authority
CN
China
Prior art keywords
application program
authority
program
identifier
operation request
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211111483.3A
Other languages
Chinese (zh)
Inventor
黄应周
马绍龙
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd, Beijing Topsec Software Co Ltd filed Critical Beijing Topsec Technology Co Ltd
Priority to CN202211111483.3A priority Critical patent/CN115470479A/en
Publication of CN115470479A publication Critical patent/CN115470479A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The application provides an authority control method of an application program, an electronic device and a storage medium. The method comprises the following steps: acquiring an operation request of an application program, wherein the operation request comprises an identifier of the application program; under the condition that the program authority control directory does not include the identifier, the application program is subjected to simulated operation in a regular sandbox; and determining the authority of the application program by monitoring whether the application program has dangerous operation in the simulation operation. Therefore, the method can control the authority of the application program, thereby reducing information leakage and protecting the equipment safety of the terminal.

Description

Authority control method of application program, electronic device and storage medium
Technical Field
The present application relates to the field of computer security technologies, and in particular, to an authority control method for an application program, an electronic device, and a storage medium.
Background
With the continuous development of technologies, terminals such as mobile phones and tablets are used more and more widely, applications (applications) are usually installed on the terminals, and generally, in order to prevent information leakage and protect the device security of the terminals, the authority of the applications needs to be controlled.
Disclosure of Invention
The embodiment of the application aims to provide an authority control method of an application program, an electronic device and a storage medium, which are used for controlling the authority of the application program.
A first aspect of an embodiment of the present application provides a method for controlling an authority of an application program, including:
acquiring an operation request of an application program, wherein the operation request comprises an identifier of the application program;
under the condition that the program authority control directory does not comprise the identification, the application program is simulated to run in a regular sandbox;
and determining the authority of the application program by monitoring whether the application program has a dangerous operation in the simulation operation.
In one embodiment, the method further comprises: and generating the rule sandbox in advance.
In an embodiment, the program authority control directory specifically includes a black list and/or a white list; and, the method further comprises:
rejecting the operation request if the blacklist includes the identification; or, determining the authority of the application program according to the authority recorded by the white list under the condition that the white list comprises the identifier.
In an embodiment, the obtaining the operation request of the application program specifically includes: and acquiring the operation request screened by the XDP.
In one embodiment, the method further comprises:
and obtaining the operation request to be screened from the request receiving queue through the XDP, and screening the operation request to be screened.
In one embodiment, the method further comprises:
and recording the identifier of the application program and the determined authority to the program authority control directory.
In an embodiment, determining the authority of the application program by monitoring whether a hazard operation exists in the simulation operation of the application program specifically includes:
determining the type and the times of the dangerous operation of the application program in the simulation operation through monitoring;
and determining the authority of the application program according to the type and the times of the harm operation.
In an embodiment, when the program authority control directory does not include the identifier, performing simulation operation on the application program in a regular sandbox specifically includes: and under the condition that the program authority control directory does not comprise the identifier and the information abstract library does not comprise the information abstract of the operation request, performing simulated operation on the application program in a regular sandbox.
A second aspect of embodiments of the present application provides an electronic device, including:
a processor;
a memory for storing processor-executable instructions; wherein the processor is configured to perform the method of any one of the first aspects of the embodiments of the present application.
A third aspect of embodiments of the present application provides a storage medium storing a computer program, where the computer program is executable by a processor to perform the method according to any one of the first aspects of the embodiments of the present application.
The method for controlling the permission of the application program comprises the steps of firstly obtaining an operation request of the application program, wherein the operation request comprises an identifier of the application program, carrying out simulated operation on the application program in a rule sandbox under the condition that a program permission control directory does not comprise the identifier, and then determining the permission of the application program by monitoring whether hazardous operation exists in the simulated operation of the application program. Therefore, the method can control the authority of the application program, thereby reducing information leakage and protecting the equipment safety of the terminal.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a schematic structural diagram of an electronic device according to an embodiment of the present application;
fig. 2 is a schematic flowchart illustrating a specific process of an authority control method of an application according to an embodiment of the present application;
fig. 3 is a schematic specific flowchart of an authority control method of an application according to another embodiment of the present application;
fig. 4 is a schematic structural diagram of an authority control device of an application according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application. In the description of the present application, terms such as "first," "second," "third," and the like are used solely to distinguish one from another and are not to be construed as indicating or implying a relative importance or order.
As described above, in order to prevent information leakage and secure a device of a terminal, it is generally necessary to control the authority of an application.
Based on this, the embodiment of the application provides an application program authority control method, an application program authority control device, an electronic device and a storage medium, which can be used for controlling the authority of an application program. As shown in fig. 1, the present embodiment provides an electronic apparatus 1, the electronic apparatus 1 including: at least one processor 11 and a memory 12, one processor being exemplified in fig. 1. The processor 11 and the memory 12 may be connected by a bus 10, and the memory 12 stores instructions executable by the processor 11, the instructions being executed by the processor 11 to cause the electronic device 1 to perform all or part of the flow of the method in the embodiments described below.
In practical applications, the electronic device 1 may be a mobile phone, a notebook computer, a desktop computer, or a large server or a server cluster formed by the mobile phone, the notebook computer, the desktop computer, or the like. For example, in combination with a specific application scenario, in the process of detecting or testing an application program to determine its authority, the electronic device 1 may be a server or a server cluster for detection or testing; alternatively, the electronic device may be a terminal such as a mobile phone or a notebook computer of the user in order to prevent information leakage from the terminal such as the mobile phone or the notebook computer of the user and to protect the security of the terminal.
The embodiment of the application provides an authority control method of an application program, which can be used for controlling the authority of the application program, wherein the method can be executed by the electronic device 1 shown in fig. 1. Fig. 2 is a specific flow diagram of the method, which includes the following steps:
step S21: and acquiring an operation request of the application program, wherein the operation request comprises the identification of the application program.
The identifier of the application can be used to uniquely indicate the corresponding application, and may be, for example, a name, a version number, a download address, a storage address, or the like of the application.
In one embodiment, a rule sandbox may be first generated in the electronic device, which may be a rule sandbox based on rules for identifying malicious files and applications. In practical applications, the rule sandbox can be composed of a program monitor and a rule analysis engine, and can use eBPF (Extended kernel Packet Filter) as the program monitor through hook points of LSM (Linux Security Module), and the Linux Security Module provides hundreds of hooks, and creates a new file system under a Security file (each hook corresponds to a Security file) by allowing an appropriate user to mount a BPF program to a hook in the Linux Security Module system. The BPF () can be used to make a system call to the BPF program, and when a rule-based sandbox environment is passed in through XDP data filtering, if an operation triggers a mounted security hook, the system call is made to all mounted BPF programs at once, as long as any one BPF program returns an error state.
And directly transmitting the state returned by the BPF program to the rule analysis engine after monitoring and analyzing by the program monitor. And a large number of DSL rules are stored in the database, and BPF program states transmitted by the program monitor are filtered. And if the error state is returned, the DSL rule carries out discriminant analysis through the identifier, the MD5 code is generated for the brand new rule, and the encoded MD5 code and the identifier are stored in an information abstract library.
After the rule sandbox is generated in the electronic device, an operation request of the application program may be obtained, specifically, a manner of obtaining the operation request of the application program may be, for example, a user may input the operation request in a manner of touch control, mouse click, or the like on a page displayed by the electronic device itself; or, the electronic device may also monitor an application installed on itself or another electronic device, and when it is monitored that an application generates an operation request, may obtain the operation request of the application, for example, the application a is set with a timing task, and when a certain time point is reached according to the timing task, generate a corresponding operation request to execute the task, and at this time, when it is monitored that the application a generates the operation request, may obtain the operation request; or, when detecting or testing the application program, the application program may be monitored, and when an operation request of the application program is monitored, the operation request may be obtained.
It should be further noted that, the operation request for obtaining the application may also be to obtain an operation request filtered by the XDP, for example, after the application generates the operation request, the XDP is used to filter the operation request, and if the filtering condition is met, the operation request is filtered, so that the operation request filtered by the XDP can be obtained, or if the filtering condition is not met, the operation request is filtered. The XDP is specifically an exxpress Data Path (fast Data Path), and is an eBPF (Extended legacy Packet Filter) hook in the Linux network processing flow, and can mount an eBPF program, and the XDP can process a network Data Packet when the network Data Packet reaches the network card driver layer, and has very excellent Data plane processing performance.
Using the filtering condition for XDP, for example, the operation requests may be filtered according to the frequency of the operation requests generated or sent by the application, when the frequency of the operation requests generated or sent by the application is greater than the preset threshold, it indicates that the application frequently generates or sends the operation requests, and the operation requests of the application may be completely filtered (or only one or a few of the operation requests may be filtered, and the other operation requests may be filtered); of course, the filtering condition may be other types of filtering conditions, for example, the specified time interval is used as the filtering condition, that is, the operation request generated or sent by the application program in the specified time interval is filtered, and the operation request generated or sent by the application program except for the specified time interval is filtered.
In addition, the operation request of the application program can be obtained from a request receiving queue. For example, when the number of the applications installed in the electronic device is large, each application may generate a plurality of operation requests in a short time, and in order to reduce the operation pressure when the electronic device obtains the operation requests, the operation requests may be added to the request receiving queue according to the sequence of the generation or reception time points, and then the operation requests are sequentially obtained according to the sequence in the request receiving queue, so as to reduce the operation pressure.
Of course, the above various manners of obtaining the operation requests may also be combined, for example, the operation requests are first added to the request receiving queue according to the sequence of the generation or receiving time points, then the operation requests are sequentially obtained from the request receiving queue through the XDP as the operation requests to be screened, and the operation requests to be screened are screened, so as to obtain the operation requests screened by the XDP.
Step S22: and judging whether the program authority control directory comprises the identifier, if so, executing step S23, or otherwise, executing step S24 and step S25.
Step S23: and determining the authority of the application program according to the program authority control directory.
Step S24: and performing simulation operation on the application program in a regular sandbox.
Step S25: and determining the authority of the application program by monitoring whether the application program has a dangerous operation in the simulation operation.
Here, the above-described steps S22 to S25 can be collectively described.
The program authority control directory records the identifications of a plurality of application programs and the authorities corresponding to the application programs respectively. Therefore, in the step S22, it may be determined whether the program authority control directory includes the identifier of the application program in the step S21, and in the case that the program authority control directory includes the identifier, the authority of the application program may be determined according to the program authority control directory; alternatively, when the program authority control directory does not include the identifier, the authority of the application program is further determined in steps S24 to S25.
In practical applications, the program authority control directory may be a blacklist and/or a white list, for example, when the program authority control directory is a blacklist, if the blacklist includes the identifier of the application program in step S21, it indicates that the application program has no authority, at this time, the operation request of the application program may be rejected, and if the blacklist does not include the identifier, step S24 to step S25 may be further performed; or, when the program authority control directory is a white list, if the white list includes the identifier of the application program in step S21, it indicates that the application program has some authority or authorities, at this time, the authority of the application program may be determined according to the authority recorded in the white list, and if the white list does not include the identifier, step S24 to step S25 may be further performed; or, when the program authority control directory is the black list and the white list, whether the black list and the white list include the identifier of the application program in step S21 may be sequentially determined, and if neither the black list nor the white list includes the identifier, step S24 to step S25 may be further performed.
For the above step S24 and step S25, in the case that the program authority control directory does not include the identifier of the application program in step S21, the application program may be subjected to simulation operation in a regular sandbox, and whether the application program has a dangerous operation in the simulation operation is further monitored, so that the authority of the application program is determined by monitoring whether the application program has a dangerous operation in the simulation operation.
Wherein the hazardous operation may be an operation that causes information leakage, compromises equipment safety, or otherwise may potentially compromise a user or equipment. Usually, a hazard operation directory can be preset for recording various hazard operations, so that whether the hazard operations recorded in the hazard operation directory exist in the simulation operation of the application program can be monitored according to the hazard operation directory, and the authority of the application program can be further determined. Of course, after determining the authority of the application program, the identifier of the application program and the determined authority may be further recorded in the program authority control directory.
It should be noted that, by monitoring whether a dangerous operation exists in the application program in the simulation operation and determining the specific manner of the authority of the application program, the monitoring may first determine the type of the dangerous operation of the application program in the simulation operation, for example, when the dangerous operation is mainly an illegal access to a user personal information file, it indicates that the dangerous operation may cause information leakage, and when the authority of the application program is determined, the application program needs to be restricted from accessing the user personal information file; for example, when the dangerous operation is mainly illegal access and modification of a system file, a registry, or other resource files, it is indicated that the dangerous operation may jeopardize the security of the device, and when the right of the application is determined, the application needs to be restricted from accessing and modifying the system file, the registry, and other resource files.
In addition, besides determining the type of the operation endangered by the application program in the simulated operation, the number of times of the operation endangered by the application program in the simulated operation can be monitored and determined, for example, when the number of times of the operation endangered by the application program in the simulated operation exceeds a threshold (the threshold can be 1 or 2 or other values), the identifier of the application program can be directly added to the blacklist, so that the authority of the application program can be determined according to the authority corresponding to the blacklist; or, when it is monitored that the application program does not have the hazardous operation in the simulation running process (that is, the number of times of the hazardous operation is 0), the identifier of the application program may be added to the white list, so that the authority of the application program is determined according to the authority corresponding to the white list.
Therefore, the authority of the application program may be determined by monitoring whether the application program has a dangerous operation in the simulated operation, and specifically, the type and the number of times of the dangerous operation of the application program in the simulated operation are determined by monitoring, and if the number of times of the dangerous operation exceeds a threshold, the identifier of the application program is directly added to a blacklist, or if the number of times of the dangerous operation of the application program in the simulated operation is monitored to be 0, the identifier of the application program is added to a whitelist, or if the number of times of the dangerous operation of the application program in the simulated operation is monitored to be greater than 0 and less than the threshold, the application program is further limited from the type of the dangerous operation, for example, if the dangerous operation is mainly an illegal access to a personal information file of a user, when the authority of the application program is determined, the application program is limited from accessing a personal information file of the user, or if the dangerous operation is mainly an illegal access to and modification of a system file, a registry, or other resource file, and if the authority of the application program is determined, the application program is limited from accessing and modifying the system file, the registry, or other resource file.
In practice, the rule sandbox may generally include a program monitor capable of monitoring whether a dangerous operation (including monitoring and determining the type and number of dangerous operations) exists in a simulation run of the application program, and an access control engine for determining the authority of the application program according to the monitoring result of the program monitor.
The method for controlling the permission of the application program comprises the steps of firstly obtaining an operation request of the application program, wherein the operation request comprises an identifier of the application program, carrying out simulated operation on the application program in a rule sandbox under the condition that a program permission control directory does not comprise the identifier, and then determining the permission of the application program by monitoring whether hazardous operation exists in the simulated operation of the application program. Therefore, the method can control the authority of the application program, thereby reducing information leakage and protecting the equipment safety of the terminal.
It should be further noted that, in practical applications, before the application program is subjected to the simulation operation in the rule sandbox in step S24, the method may further include updating the rule sandbox, for example, it may be determined whether the version of the rule sandbox is the latest version, including determining whether a preset determination rule in the rule sandbox is the latest version, and the like, and if the version of the rule sandbox is determined to be the latest version, the step S24 is executed; or, in a case that it is determined that the version of the rule sandbox is not the latest version, the rule sandbox may be updated first, and then the step S24 may specifically be to perform simulation operation on the application program in the updated rule sandbox.
In step S22, it is determined whether or not the program authority control directory includes the identifier, and if so, step S23 is executed, or if not, step S24 and step S25 are executed. According to the principle of the method, in step S22, it is mainly determined whether the application program is required to be subsequently determined through the rule sandbox according to whether the identification of the application program is recorded in the program authority control directory. In practical applications, the angle of the operation request itself may also be combined, for example, the information summary of the operation request is calculated first, and then it is determined whether the information summary library includes the information summary of the operation request, where the information summary library records information summaries of a plurality of different operation requests and permissions corresponding to the operation requests respectively. Only under the conditions that the program authority control directory does not comprise the identification of the application program and the information abstract library does not comprise the information abstract of the operation request, the application program is simulated and operated in the regular sandbox, and the authority of the application program is determined by monitoring whether the application program has harmful operation in the simulated operation; or, if the program authority control directory includes the identifier of the application program, the authority of the application program can be determined according to the program authority control directory; or, if the information digest library includes the information digest of the operation request, the authority of the application program may be determined according to the information digest library.
The Message Digest may be an MD5 code, for example, the Message Digest of the operation request may be the MD5 code of the operation request, and the MD5 code of the operation request may be calculated by an MD5Message Digest Algorithm (MD 5Message-Digest Algorithm).
Thus, in one embodiment, as shown in fig. 3, the method may include the steps of:
step S31: and acquiring an operation request of the application program, wherein the operation request comprises the identification of the application program.
Step S32: and judging whether the program authority control directory comprises the identifier, if so, executing step S33, or otherwise, executing step S34.
Step S33: and determining the authority of the application program according to the program authority control directory.
Step S34: and judging whether the information summary library comprises the information summary of the operation request, if so, executing step S35, or otherwise, executing step S36 and step S37.
Step S35: and determining the authority of the application program according to the information abstract library.
Step S36: and performing simulation operation on the application program in a regular sandbox.
Step S37: and determining the authority of the application program by monitoring whether the application program has a dangerous operation in the simulation operation.
In the method shown in fig. 3, the difference from the method shown in fig. 2 is that in the case where it is determined in step S32 that the program authority control directory does not include the identifier, it is further determined in step S34 whether the information digest library includes the information digest of the operation request, and in the case where it is further determined in step S34 that the information digest library does not include the information digest of the operation request, the authority of the application program is determined by executing step S36 and step S37; in the case where it is determined in step S32 that the program authority control directory includes the identifier, the authority of the application program can be determined in step S33; alternatively, in the case where it is judged through step S34 that the digest information library includes the digest information of the operation request, the authority of the application program may be determined through step S35.
Obviously, the problem in the prior art can also be solved by using the method shown in fig. 3 in the embodiment of the present application, and details are not described here again.
Based on the same inventive concept as the method for controlling the authority of the application program provided by the embodiment of the present application, the embodiment of the present application also provides an apparatus for controlling the authority of the application program, and for the embodiment of the apparatus, if there is ambiguity, reference may be made to the corresponding contents of the method embodiment. As shown in fig. 4, which is a specific structural diagram of the apparatus 40, the apparatus 40 includes: an operation request acquisition unit 401, a simulation execution unit 402, and a permission determination unit 403, wherein:
an operation request obtaining unit 401, configured to obtain an operation request of an application program, where the operation request includes an identifier of the application program;
a simulation running unit 402, configured to perform simulation running on the application program in a regular sandbox if the program authority control directory does not include the identifier;
an authority determining unit 403, configured to determine the authority of the application program by monitoring whether a hazardous operation exists in the simulation running of the application program.
By adopting the device 40 provided in the embodiment of the present application, since the device 40 adopts the same inventive concept as the method for controlling the authority of the application program provided in the embodiment of the present application, on the premise that the method can solve the technical problem, the device 40 can also solve the technical problem, and details thereof are not repeated here.
In addition, in practical applications, the technical effect obtained by combining the apparatus 40 with specific hardware devices, cloud technologies, and the like is also within the protection scope of the present application, for example, different units in the apparatus 40 are arranged in different nodes in a distributed cluster by using a distributed cluster manner, so as to improve efficiency and the like; or, some units in the device 40 are arranged in the cloud, so as to reduce the cost.
In practical applications, the apparatus 40 may further include a rule sandbox generating unit, configured to generate the rule sandbox in advance.
The program authority control directory specifically comprises a blacklist and/or a white list; and the apparatus may further include an operation response unit configured to reject the operation request if the blacklist includes the identifier; or, determining the authority of the application program according to the authority recorded by the white list under the condition that the white list comprises the identifier.
The operation request obtaining unit 401 may specifically include an operation request obtaining subunit, configured to obtain the operation request screened by the XDP.
The apparatus 40 may further include a screening unit, configured to obtain, through XDP, the operation request to be screened from the request receiving queue, and screen the operation request to be screened.
The apparatus 40 may further comprise a recording unit for recording the identification of the application and the determined rights to the program rights control directory.
The permission determination unit 403 may further include a permission determination subunit, configured to determine, through monitoring, a type and a number of times that the application program jeopardizes operations in the simulation run; and determining the authority of the application program according to the type and the number of the harmful operations.
Simulation running unit 402 may further include a simulation running subunit configured to perform simulation running on the application in the rule sandbox if the program authority control directory does not include the identifier, and the information digest library does not include the information digest of the operation request.
Embodiments of the present invention further provide a storage medium, where a computer program is stored, and the computer program may be executed by a processor to complete all or part of the process of the method in the embodiments of the present application. The storage medium may be a magnetic Disk, an optical Disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a Flash Memory (Flash Memory), a Hard Disk (Hard Disk Drive, abbreviated as HDD), a Solid State Drive (SSD), or the like. The storage medium may also comprise a combination of memories of the kind described above.
Although the embodiments of the present invention have been described in conjunction with the accompanying drawings, those skilled in the art may make various modifications and variations without departing from the spirit and scope of the invention, and such modifications and variations fall within the scope defined by the appended claims.

Claims (10)

1. A method for controlling the authority of an application program, the method comprising:
acquiring an operation request of an application program, wherein the operation request comprises an identifier of the application program;
under the condition that the program authority control directory does not include the identifier, the application program is subjected to simulated operation in a regular sandbox;
and determining the authority of the application program by monitoring whether the application program has a dangerous operation in the simulation operation.
2. The method of claim 1, further comprising: and generating the rule sandbox in advance.
3. The method according to claim 1, wherein the program right control directory specifically comprises a black list and/or a white list; and, the method further comprises:
rejecting the operation request if the blacklist includes the identification; or the like, or, alternatively,
and determining the authority of the application program according to the authority recorded by the white list under the condition that the white list comprises the identifier.
4. The method according to claim 1, wherein obtaining the operation request of the application program specifically comprises: and acquiring the operation request screened by the XDP.
5. The method of claim 4, further comprising:
and obtaining the operation request to be screened from the request receiving queue through the XDP, and screening the operation request to be screened.
6. The method of claim 1, further comprising:
and recording the identification of the application program and the determined authority to the program authority control directory.
7. The method according to claim 1, wherein determining the permission of the application by monitoring whether a hazardous operation exists in the simulation operation of the application specifically comprises:
determining the type and the times of the dangerous operation of the application program in the simulation operation through monitoring;
and determining the authority of the application program according to the type and the times of the harm operation.
8. The method according to claim 1, wherein, in a case that the program authority control directory does not include the identifier, performing simulation operation on the application program in a regular sandbox specifically includes:
and under the condition that the program authority control directory does not comprise the identifier and the information abstract library does not comprise the information abstract of the operation request, performing simulation operation on the application program in a regular sandbox.
9. An electronic device, comprising:
a processor;
a memory for storing processor-executable instructions; wherein the processor is configured to perform the method of any one of claims 1-8.
10. A storage medium, characterized in that the storage medium stores a computer program executable by a processor to perform the method of any one of claims 1-8.
CN202211111483.3A 2022-09-13 2022-09-13 Authority control method of application program, electronic device and storage medium Pending CN115470479A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211111483.3A CN115470479A (en) 2022-09-13 2022-09-13 Authority control method of application program, electronic device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211111483.3A CN115470479A (en) 2022-09-13 2022-09-13 Authority control method of application program, electronic device and storage medium

Publications (1)

Publication Number Publication Date
CN115470479A true CN115470479A (en) 2022-12-13

Family

ID=84334029

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211111483.3A Pending CN115470479A (en) 2022-09-13 2022-09-13 Authority control method of application program, electronic device and storage medium

Country Status (1)

Country Link
CN (1) CN115470479A (en)

Similar Documents

Publication Publication Date Title
US11687653B2 (en) Methods and apparatus for identifying and removing malicious applications
US10691792B2 (en) System and method for process hollowing detection
US10893068B1 (en) Ransomware file modification prevention technique
CN109831420B (en) Method and device for determining kernel process permission
CN109155774B (en) System and method for detecting security threats
CN104662517A (en) Techniques for detecting a security vulnerability
WO2012173906A2 (en) Threat level assessment of applications
CN111191226A (en) Method, device, equipment and storage medium for determining program by using privilege-offering vulnerability
CN109783316B (en) Method and device for identifying tampering behavior of system security log, storage medium and computer equipment
CN112035843A (en) Vulnerability processing method and device, electronic equipment and storage medium
CN109784051B (en) Information security protection method, device and equipment
CN117032894A (en) Container security state detection method and device, electronic equipment and storage medium
CN111783087A (en) Method and device for detecting malicious execution of executable file, terminal and storage medium
CN111428240A (en) Method and device for detecting illegal access of memory of software
CN116595523A (en) Multi-engine file detection method, system, equipment and medium based on dynamic arrangement
US11983272B2 (en) Method and system for detecting and preventing application privilege escalation attacks
CN115470479A (en) Authority control method of application program, electronic device and storage medium
US11763004B1 (en) System and method for bootkit detection
Sharma et al. Malware analysis for android operating
CN113518055A (en) Data security protection processing method and device, storage medium and terminal
CN110633568B (en) Monitoring system for host and method thereof
CN113836542B (en) Trusted white list matching method, system and device
JP7255681B2 (en) Execution control system, execution control method, and program
CN117272298A (en) File-free attack detection method, device, equipment and storage medium
CN114692157A (en) Method and system for judging malicious execution of shellcode

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination