CN117668822A - Application program starting control method and device and electronic equipment - Google Patents

Application program starting control method and device and electronic equipment

Info

Publication number
CN117668822A
Authority
CN
China
Prior art keywords
program
application
application program
execution
fingerprint
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311695104.4A
Other languages
Chinese (zh)
Inventor
庞峥元
王忠儒
余伟强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Dingniu Information Security Technology Jiangsu Co ltd
Beijing Digapis Technology Co ltd
Original Assignee
Dingniu Information Security Technology Jiangsu Co ltd
Beijing Digapis Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Dingniu Information Security Technology Jiangsu Co ltd and Beijing Digapis Technology Co ltd
Priority to CN202311695104.4A
Publication of CN117668822A
Legal status: Pending

Landscapes

  • Stored Programmes (AREA)

Abstract

The application discloses a method, a device and an electronic device for controlling the startup of application programs. The method comprises: extracting the static fingerprint of every application program, where each static fingerprint is obtained by hashing the program file with a first hash algorithm and all the static fingerprints together form a program white list; executing a sample program of each application program and recording its execution trace in memory during startup; while an application program is starting, obtaining an execution data stream from its execution stack according to the execution trace that corresponds to it; hashing the execution data stream with the first hash algorithm to obtain the dynamic fingerprint of the application program; and allowing or refusing the startup according to whether the dynamic fingerprint matches the program white list. Because the scheme verifies both the static fingerprint and the dynamic fingerprint of an application program, the protection of the system is more comprehensive and the operating security of the operating system is strengthened.

Description

Application program starting control method and device and electronic equipment
Technical Field
The present invention relates to the field of information security technologies, and in particular, to a method and an apparatus for controlling startup of an application program, and an electronic device.
Background
Security defence of hosts of all kinds, including bare-metal servers, virtual machines and cloud servers, is an important part of a network attack-and-defence system. Because the host runs the business systems and stores the key business data, host security is usually the last line of defence against a network attack: if it fails, an important business system is affected or data is leaked.
An attacker usually packages attack payloads (exploit code, remote-control code, data-theft code and so on) as an application program, that is, as a malicious program prepared as a tool or weapon; delivers it to the target host through an earlier exploit, by brute-forcing weak passwords, by phishing and the like; and then activates the payload and carries out the attack. Detecting and blocking malicious programs such as viruses, trojans, backdoors and remote-control agents is therefore a core function of host security defence.
Conventional detection and interception techniques fall into two categories according to the preset condition used to judge whether a program is legitimate: blacklist interception and whitelist release. A blacklist mechanism takes "judging maliciousness" as its core logic: it judges the intent behind sensitive behaviour of an application, assigns a malicious weight each time a detection rule is hit, and when the accumulated weight exceeds a preset threshold treats the application as malicious and triggers interception. A whitelist mechanism takes "judging legitimacy" as its core logic: a list of applications allowed to run is preset in the system; if the characteristics of an application hit the white list it is treated as legitimate and its startup and execution are left alone, otherwise it is judged illegitimate and its startup and execution are intercepted.
In real attack-and-defence scenarios, however, both conventional approaches still leave gaps in protection, so the field needs a scheme with more comprehensive protection and a higher security level to further strengthen host security defence overall.
Disclosure of Invention
In view of this, the present application provides the following technical solutions:
a startup control method for an application program, comprising:
extracting the static fingerprint of every application program, where all the static fingerprints together form a program white list and each static fingerprint is obtained by hashing the program file of the application program with a first hash algorithm;
executing a sample program of each application program and determining its execution trace in memory during startup;
while an application program is starting, obtaining an execution data stream from its execution stack according to the execution trace that corresponds to that application program;
hashing the execution data stream with the first hash algorithm to obtain the dynamic fingerprint of the application program; and
controlling the startup of the application program according to the result of matching the dynamic fingerprint against the program white list.
Optionally, the application program is one for which the operating system grants access rights and provides an execution environment.
Optionally, determining the execution trace in memory during startup of the sample program includes:
monitoring the system call entries and parameter lists involved while the sample program of the application program starts;
and determining, from the monitored data, the execution trace in memory of the application program and of its dependency libraries, where the execution trace comprises stack addresses and the order in which they are accessed.
Optionally, before the execution data stream is obtained from the execution stack of the application program according to its execution trace, the method further includes:
loading the program white list and the application stack table formed from all the execution traces.
Optionally, after the static fingerprint of an application program is obtained, the method further includes:
signing the static fingerprint with a first private key under a first asymmetric algorithm (the specification calls this encrypting with the private key) to obtain a static fingerprint signature; the program white list then consists of spliced data, each item being a static fingerprint concatenated with its signature.
Optionally, loading the program white list and the application stack table includes:
verifying the spliced data with the first public key that pairs with the first private key;
and loading the program white list only if the verification passes.
Optionally, controlling the startup of the application program according to the result of matching the dynamic fingerprint against the program white list includes:
if every dynamic fingerprint is present in the program white list, allowing the application program to start;
and if any dynamic fingerprint is absent from the program white list, terminating the startup of the application program.
Optionally, the process number of the application program is also obtained during its startup, and terminating the startup of the application program includes:
issuing a process termination instruction that carries the process number.
The application also discloses a startup control device for an application program, comprising:
a white list determining module for extracting the static fingerprint of every application program, where all the static fingerprints form a program white list and each static fingerprint is obtained by hashing the program file of the application program with a first hash algorithm;
a program stack table determining module for executing a sample program of each application program and determining its execution trace in memory during startup;
a startup monitoring module for obtaining, while an application program is starting, an execution data stream from its execution stack according to the execution trace corresponding to that application program;
a dynamic fingerprint determining module for hashing the execution data stream with the first hash algorithm to obtain the dynamic fingerprint of the application program;
and a program startup control module for controlling the startup of the application program according to the result of matching the dynamic fingerprint against the program white list.
Further, the application also discloses an electronic device, which comprises:
a processor;
a memory for storing executable program instructions of the processor;
wherein the executable program instructions comprise: extracting the static fingerprint of every application program, where all the static fingerprints form a program white list and each static fingerprint is obtained by hashing the program file of the application program with a first hash algorithm; executing a sample program of each application program and determining its execution trace in memory during startup; while an application program is starting, obtaining an execution data stream from its execution stack according to the execution trace corresponding to that application program; hashing the execution data stream with the first hash algorithm to obtain the dynamic fingerprint of the application program; and controlling the startup of the application program according to the result of matching the dynamic fingerprint against the program white list.
As can be seen from the above technical solutions, the embodiments of the present application disclose a method, a device and an electronic device for controlling the startup of an application program, where the method includes: extracting the static fingerprint of every application program, where all the static fingerprints form a program white list and each static fingerprint is obtained by hashing the program file with a first hash algorithm; executing a sample program of each application program and determining its execution trace in memory during startup; while an application program is starting, obtaining an execution data stream from its execution stack according to the corresponding execution trace; hashing the execution data stream with the first hash algorithm to obtain the dynamic fingerprint of the application program; and controlling whether the application program starts according to the result of matching the dynamic fingerprint against the program white list. Because the scheme verifies both the static fingerprint and the dynamic fingerprint of an application program, the protection of the system is more comprehensive, the problem of controlling application startup is effectively solved, and the operating security of the operating system is strengthened.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present application, and that other drawings may be obtained according to the provided drawings without inventive effort to a person skilled in the art.
FIG. 1 is a flowchart of a method for controlling the start of an application program according to an embodiment of the present application;
FIG. 2 is a schematic diagram of one implementation of a startup control scheme for an application program disclosed in an embodiment of the present application;
fig. 3 is a schematic diagram of application whitelist loading and signature verification according to an embodiment of the present disclosure;
FIG. 4 is a schematic diagram illustrating a process of application authorization check and initiation control according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of an application program start control device according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all, of the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
The embodiment of the application can be applied to electronic equipment, the product form of the electronic equipment is not limited, and the electronic equipment can comprise but is not limited to smart phones, tablet computers, wearable equipment, personal computers (personal computer, PC), netbooks and the like, and can be selected according to application requirements.
Fig. 1 is a flowchart of a method for controlling the start of an application according to an embodiment of the present application. Referring to fig. 1, the method for controlling the start of an application may include:
step 101: and extracting static fingerprints of all application programs, wherein all the static fingerprints form a program white list, and the static fingerprints are processed by combining a first hash algorithm based on program files of the application programs.
The application program can be an application program with access right and an execution environment of the application program in an operating system. For the application program, a specific hash algorithm, i.e. the hash value of the first hash algorithm generator program file, may be used, which hash values are determined as static fingerprints of the corresponding application program. Wherein the first hashing algorithm may be, but is not limited to being: MD5, SHA-1, SHA-256, SHA-512, SM3, etc.
Regarding the determination of the application program applicable to the scheme of the application program, in particular, information such as file positions, file names, file types and the like of N application program files at specific positions in the file system can be collected to obtain an application program list L containing the information 1 . The collected application file types are not limited to the following: executable program file, dynamic link library file, shell program file, python program file, java program file, PHP program file, SQL programSequence files, javaScript program files, etc.
Based on the above, static fingerprints can be obtained, and application program sequence table L can be obtained 1 Each program file f of (3) i Generating f with a particular hashing algorithm i Hash value (Hash value) d of byte stream i Length H 1 Bits, called the static fingerprint of the application. Hereinafter, use s i Refer to the program file f i Is a static fingerprint of (c). Static fingerprints of multiple applications constitute a program white list.
Step 102: executing a sample program of each application program and determining its execution trace in memory during startup.
In this embodiment, for each type of application program the dependency libraries, stack path and similar information used when the application is loaded and started in memory can be analysed and encoded in a specific way to obtain the execution trace of the application; the set of execution traces of several applications is called the application stack table T.
A system contains many applications but not all of them need this protection, so to save processing resources the embodiment first determines the list P of applications in the system that have a security requirement. How P is determined is described in a later embodiment and is not repeated here.
The sample program g_i of each application in list P is executed, and at this time the execution trace (stack addresses and their order) of g_i itself and of its dependency libraries in memory during startup is recorded as the stack table T_i of g_i. All the stack tables T_i together form the application stack table T.
Step 103: while the application program is starting, obtaining an execution data stream from its execution stack according to the execution trace corresponding to the application program.
In implementation, the system may monitor in real time the system call interfaces related to the applications in list P, including but not limited to execve, execveat, open, openat, read, ioctl, sendto, recvfrom, fork, vfork and clone; the monitored information may include the function entry address, the function parameter list and the actual argument values of each call.
When an application g_i whose type belongs to list P begins to start, its execution trace information is obtained from the stack table T_i that corresponds to its type in the application stack table T, and from that the stack information during its execution is collected, giving the execution data stream of the application's startup.
Step 104: hashing the execution data stream with the first hash algorithm to obtain the dynamic fingerprint of the application program.
Once the execution data stream of the startup has been obtained, it is hashed with the first hash algorithm, and the resulting hash values form the dynamic fingerprints of application g_i and of its dependency libraries.
Step 105: controlling whether the application program starts according to the result of matching the dynamic fingerprint against the program white list.
After the dynamic fingerprints of the application have been obtained they are matched against the program white list to determine whether every item of dynamic fingerprint data is present in the white list. A dynamic fingerprint found in the program white list is a legitimate fingerprint; one not found there may be judged illegitimate.
Because this startup control method verifies both the static fingerprint and the dynamic fingerprint of an application program, the protection of the system is more comprehensive, the problem of controlling application startup is effectively solved, and the operating security of the operating system is strengthened.
Fig. 2 is a schematic diagram illustrating an implementation principle of a startup control scheme of an application program according to an embodiment of the present application, and the content of the embodiments described later may be understood in conjunction with the content shown in fig. 2.
In the above embodiment, the list P may be determined from the application list L_1 as follows. First, the list P_1 of application types present at the designated locations of the system is obtained from L_1. Then the application execution environment information of the system is collected, including the configuration of the Shell interpreter, the Python interpreter and execution environment, the Java compilation and execution environment, the PHP interpreter and execution environment, the C/C++ library and header file versions, the SQL interpreter, the JavaScript interpreter and execution environment, together with the file locations and environment variables involved in compiling, interpreting and executing, to obtain the list P_2 of application types the system supports. Finally, the intersection P of P_1 and P_2 is taken as the list of applications to be analysed in the system.
The applications that need to be analysed are those of specific types on the system, where a type qualifies if both conditions hold: the controllable application type appears in program list L_1; and the system has an execution environment for that type.
In the foregoing embodiment, executing the sample program of each application program and determining its execution trace in memory during startup may include: monitoring the system call entries and parameter lists involved while the sample program of the application program starts; and determining, from the monitored data, the execution trace in memory of the application program and of its dependency libraries, where the execution trace comprises stack addresses and the order in which they are accessed.
Specifically, a kernel module X that monitors application startup is loaded into the system kernel; it monitors the system call entry addresses and parameter lists involved when an application of a monitored type in P starts. Then, for each application in list P, its sample program g_i is executed, and the kernel monitoring module X records the execution trace (stack addresses and their order) of g_i itself and of its dependency libraries in memory during startup as the stack table T_i of g_i.
After the sample programs of all applications have been executed, all the per-type stack tables T_i that were generated are traversed, merged and de-duplicated to obtain the stack table T for all application types in list P. The application stack table T is stored on disk as a file in binary format.
The foregoing details the implementation of obtaining an application stack table, which is convenient for those skilled in the art to better understand and implement the technical solution of the present application.
In the foregoing embodiment, after the static fingerprint of an application program is obtained, the method may further include: signing the static fingerprint with a first private key under a first asymmetric algorithm (described in the text as encrypting with the private key) to obtain a static fingerprint signature; the program white list then consists of spliced data, each item being a static fingerprint concatenated with its signature.
In implementation, for each program file f_i in the application list L_1 with static fingerprint s_i, a secure private key PriKey (the first private key) of length K is used under a specific asymmetric algorithm to sign s_i, producing m_i of length H_2 bits, called the signature of the program's static fingerprint; hereinafter e_i denotes the signature of the static fingerprint of program file f_i.
Then, among the applications in list L_1, the M applications (N ≥ M) that are allowed to execute are determined; they form the legitimate authorised program list L_2. The static fingerprints of the M authorised programs in L_2 and their fingerprint signatures are spliced together into data of length M × (H_1 + H_2) bits, called the application white list W. W is stored on disk as a file in binary format.
In the foregoing embodiment, before the execution data stream is obtained from the execution stack of the application program according to its execution trace, the method may further include: loading the program white list and the application stack table formed from all the execution traces.
Specifically, the kernel module X that monitors application startup is loaded into the system kernel again. On loading, the module reads the application white list W and the application stack table T from the specified location on disk and keeps them, in a specific data structure, in kernel memory that the module allocates. While W is being loaded, the secure public key PubKey (the first public key) paired with the secure private key PriKey is used to verify each recorded fingerprint against its signature: if verification passes the fingerprint is proven legitimate (not tampered with); otherwise it is judged illegitimate (possibly tampered with) and the subsequent process is terminated. The process is shown in fig. 3.
Those skilled in the art will recognise that an asymmetric algorithm used for digital signatures provides two paired operations, a signing algorithm (sign) and a verification algorithm (verify), whose internal implementation differs from one asymmetric algorithm to another. In this embodiment the verification step uses the verify operation paired with the sign operation that produced the fingerprint signature; its inputs are the public key, the fingerprint and the signature, all as byte values, and its output is a verdict (signature valid or signature invalid). Signing and verification taken together guarantee that the hash value that was signed is identical to the hash value obtained in the current step.
On this basis, loading the program white list and the application stack table may include: verifying the spliced data with the first public key that pairs with the first private key; and loading the program white list only if the verification passes.
This embodiment rests on kernel stack analysis combined with signed static fingerprints and dynamic fingerprint verification of the application program; it effectively solves the problem of controlling application startup and strengthens the operating security of the operating system.
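The signed white list of fig. 3, as an added example in Go; it is not code from the patent or from the assignees. It assumes SHA-256 as the first hash algorithm and Ed25519 as the first asymmetric algorithm (the patent names neither), so one record s_i || e_i is 32 + 64 bytes, and the two program file contents are constructed:

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Record layout in the white list W: s_i (H1 = 256 bits with SHA-256) immediately
// followed by e_i (H2 = 512 bits with Ed25519). Both algorithm choices are assumptions.
const (
	fpLen  = sha256.Size           // H1 / 8
	sigLen = ed25519.SignatureSize // H2 / 8
	recLen = fpLen + sigLen        // one spliced record s_i || e_i
)

// staticFingerprint computes s_i over the byte stream of a program file f_i.
func staticFingerprint(file []byte) []byte {
	sum := sha256.Sum256(file)
	return sum[:]
}

// buildWhitelist signs every static fingerprint with PriKey and splices
// s_i || e_i for the M authorised programs: M * (H1 + H2) bits in total.
func buildWhitelist(priv ed25519.PrivateKey, files [][]byte) []byte {
	var w bytes.Buffer
	for _, f := range files {
		s := staticFingerprint(f)
		w.Write(s)
		w.Write(ed25519.Sign(priv, s)) // e_i
	}
	return w.Bytes()
}

// loadWhitelist is what the kernel module does at load time: every record is
// verified with PubKey before it is admitted to the in-memory set, and a single
// bad signature aborts the whole load (the "subsequent process is terminated").
func loadWhitelist(pub ed25519.PublicKey, w []byte) (map[[fpLen]byte]bool, error) {
	if len(w)%recLen != 0 {
		return nil, errors.New("white list length is not a multiple of the record size")
	}
	set := make(map[[fpLen]byte]bool, len(w)/recLen)
	for i := 0; i < len(w); i += recLen {
		s, e := w[i:i+fpLen], w[i+fpLen:i+recLen]
		if !ed25519.Verify(pub, s, e) {
			return nil, fmt.Errorf("record %d: signature invalid, fingerprint possibly tampered", i/recLen)
		}
		var k [fpLen]byte
		copy(k[:], s)
		set[k] = true
	}
	return set, nil
}

// demo builds a two-entry white list from constructed file contents, loads it,
// then flips one bit of a stored fingerprint and shows that the load is refused.
func demo() (entries int, tamperDetected bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // PriKey stays off the host in practice
	if err != nil {
		panic(err)
	}
	files := [][]byte{ // constructed stand-ins for two authorised program files
		[]byte("\x7fELF constructed program A"),
		[]byte("\x7fELF constructed library B"),
	}
	w := buildWhitelist(priv, files)
	set, err := loadWhitelist(pub, w)
	if err != nil {
		panic(err)
	}
	tampered := append([]byte(nil), w...)
	tampered[0] ^= 0x01 // an attacker edits the first fingerprint in the on-disk W
	_, err = loadWhitelist(pub, tampered)
	return len(set), err != nil
}

func main() {
	n, detected := demo()
	fmt.Printf("records admitted: %d, tampered copy rejected: %v\n", n, detected)
}
```

Only the public key needs to be present on the host; the private key belongs in the build or release system. Note also what a per-record signature does not cover: an attacker who can write W can delete records (denying a legitimate program its start) or re-insert an old, validly signed record for a program that has since been de-authorised, so in practice the file as a whole should be signed or versioned as well.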
In the foregoing embodiment, controlling the startup of the application program according to the result of matching the dynamic fingerprint against the program white list may include: if every dynamic fingerprint is present in the program white list, allowing the application program to start; and if any dynamic fingerprint is absent from the program white list, terminating the startup of the application program.
The process number of the application program is also obtained during its startup, and terminating the startup of the application program may include: issuing a process termination instruction that carries the process number.
When an application g_i whose type belongs to list P starts, kernel module X obtains its execution trace information from the stack table T_i corresponding to its type in the application stack table T, and then collects its stack information during execution, including the process number pid_i that the system has currently assigned to g_i.
To extract the dynamic fingerprints, kernel module X uses stack table T_i to capture from the execution stack of application g_i the binary data streams of g_i itself and of all its dependency library files (denoted b_1, b_2, ..., b_n). Hashing b_1, b_2, ..., b_n with the same hash algorithm used for the static fingerprints gives h_1, h_2, ..., h_n, called the dynamic fingerprints of application g_i and its dependency libraries.
Kernel module X then looks up h_1, h_2, ..., h_n one by one in the application white list W. If some fingerprint h_i misses W the lookup stops; otherwise it continues until all of h_1, h_2, ..., h_n have been looked up.
If a dynamic fingerprint h_i misses W and the lookup stops, application g_i or one of its dependency libraries is not in the list of programs the system has authorised to execute, and g_i is judged to be executing illegitimately. If h_1, h_2, ..., h_n all hit W, application g_i and all of its dependency libraries are in the authorised list, and g_i is judged to be executing legitimately.
If g_i is judged legitimate, kernel module X takes no further action and the startup and execution of g_i proceed normally. If g_i is judged illegitimate, kernel module X sends the kernel Signal module, over a one-way communication mechanism, a process termination signal (SIGKILL or SIGTERM) for the process with number pid_i, and g_i is terminated immediately. Of the two, only SIGKILL cannot be caught or ignored by the target, and because the check runs while the process is already starting, some of its instructions will have executed before the signal arrives.
The one-way communication mechanism means that kernel module X communicates in one direction only with the kernel module that manages process signals (the Signal module): a signal request passes only from the sender, kernel module X, to the receiver, the Signal module. This one-way channel is used to instruct the Signal module to terminate the process that corresponds to the illegitimate program.
Fig. 4 is a schematic diagram of the application authorisation check and startup control process according to an embodiment of the present application, and the foregoing can be understood in conjunction with fig. 4. In practice the startup control scheme can locate security attack behaviour precisely, verify the characteristics of an application program and their legitimacy, and in addition verify the dependency programs associated with it, such as dynamic link libraries and function libraries, so that attacks that implant malicious code by replacing library files are effectively defended against.
For the foregoing method embodiments, for simplicity of explanation, the methodologies are shown as a series of acts, but one of ordinary skill in the art will appreciate that the present application is not limited by the order of acts described, as some acts may, in accordance with the present application, occur in other orders or concurrently. Further, those skilled in the art will also appreciate that the embodiments described in the specification are all preferred embodiments, and that the acts and modules referred to are not necessarily required in the present application.
The method is described in detail in the embodiments disclosed in the application, and the method can be implemented by using various devices, so that the application also discloses a device, and a specific embodiment is given in the following detailed description.
Fig. 5 is a schematic structural diagram of an application program start control device according to an embodiment of the present application. As shown in fig. 5, the start control device 50 of the application program may include:
the whitelist determination module 501 is configured to extract static fingerprints of all application programs, where all static fingerprints constitute a program whitelist, and the static fingerprints are processed based on a program file of the application program in combination with a first hash algorithm.
The program stack table determining module 502 is configured to execute the sample program of each application program respectively, and determine an execution track in the memory during the starting process of the sample program.
And the starting monitoring module 503 is configured to obtain an execution data stream from an execution stack of the application program based on the execution track corresponding to the application program during the starting process of the application program.
A dynamic fingerprint determination module 504, configured to process the execution data stream based on the first hash algorithm to obtain a dynamic fingerprint of the application program.
Program start control module 505 is configured to control a start process of the application program based on a result of matching the dynamic fingerprint with the program white list.
The starting control device of the application program in the embodiment is based on the static fingerprint and dynamic fingerprint verification mechanism of the application program, so that the safety protection of the system is more comprehensive, the problem of starting control of the application program can be effectively solved, and the running safety of an operating system is enhanced.
Specific implementation of the application program start control device and each module included in the application program start control device, and other possible implementations can be referred to the content description of the corresponding parts in the method embodiment, and the detailed description is not repeated here.
The application program start control device in the above embodiment includes a processor and a memory, where the white list determining module, the program stack table determining module, the start monitoring module, the dynamic fingerprint determining module, the program start control module and the like in the above embodiment are stored as program modules in the memory, and the processor executes the program modules stored in the memory to implement corresponding functions.
The processor comprises a core, and the core fetches the corresponding program module from the memory. One or more cores may be provided, and the processing of the data is realized by adjusting core parameters.
The memory may include volatile memory, Random Access Memory (RAM), and/or nonvolatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM), among other forms of computer readable media; the memory includes at least one memory chip.
In an exemplary embodiment, a computer readable storage medium is also provided, which can be directly loaded into an internal memory of a computer and contains software code, where the software code, after being loaded and executed by the computer, can implement the steps shown in any embodiment of the method for controlling the start of an application program.
In an exemplary embodiment, a computer program product is also provided, which can be directly loaded into an internal memory of a computer and contains software code, where the software code, after being loaded and executed by the computer, can implement the steps shown in any embodiment of the method for controlling the start of an application program.
Further, the embodiment of the application provides electronic equipment. Fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present application. Referring to fig. 6, the electronic device 60 includes at least one processor 601, at least one memory 602 connected to the processor, and a bus 603; the processor and the memory complete communication with each other through a bus; the processor is used for calling the program instructions in the memory to execute the starting control method of the application program.
In the present specification, each embodiment is described in a progressive manner, each embodiment mainly describes its differences from the other embodiments, and identical and similar parts between the embodiments may be referred to one another. For the device disclosed in the embodiment, since it corresponds to the method disclosed in the embodiment, the description is relatively simple, and the relevant points refer to the description of the method section.
It is further noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. The software modules may be disposed in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A startup control method of an application program, characterized by comprising:
extracting static fingerprints of all application programs, wherein all the static fingerprints form a program white list, and the static fingerprints are processed by combining a first hash algorithm based on program files of the application programs;
respectively executing a sample program of each application program, and determining an execution track in a memory in the starting process of the sample program;
in the starting process of the application program, obtaining an execution data stream from an execution stack of the application program based on the execution track corresponding to the application program;
processing the execution data stream based on the first hash algorithm to obtain a dynamic fingerprint of the application program;
and controlling the starting process of the application program based on the matching result of the dynamic fingerprint and the program white list.
2. The method according to claim 1, wherein the application is an application having access rights and having an execution environment in an operating system.
3. The method for controlling the start of an application program according to claim 1, wherein the step of executing the sample program of each of the application programs, respectively, and determining execution traces in the memory during the start of the sample program comprises:
monitoring a system call entry and a parameter list associated in a sample program starting process of the application program;
and determining the execution track of the application program and its dependency libraries in the memory based on the monitored data, wherein the execution track comprises stack addresses and the access sequence of the stack addresses.
4. The method according to claim 1, characterized by further comprising, before the obtaining an execution data stream from an execution stack of the application based on the execution trace corresponding to the application:
and loading an application program stack table formed by the program white list and all execution tracks.
5. The method for controlling the start-up of an application according to claim 4, further comprising, after obtaining a static fingerprint of the application:
based on a first encryption algorithm, encrypting the static fingerprint by using a first private key to obtain a static fingerprint signature, wherein the program white list comprises spliced data, and the spliced data is obtained by splicing the static fingerprint and the corresponding static fingerprint signature.
6. The method for controlling the start of an application according to claim 5, wherein said loading an application stack table comprising said program whitelist and all execution traces comprises:
verifying the spliced data based on a first public key corresponding to the first private key;
and if the verification is passed, loading the program white list.
7. The method for controlling the start-up of an application according to claim 1, wherein the controlling the start-up process of the application based on the matching result of the dynamic fingerprint and the program whitelist comprises:
if all the dynamic fingerprints exist in the program white list, allowing the application program to be started;
and if the dynamic fingerprint has the fingerprint which does not belong to the program white list, controlling to terminate the starting of the application program.
8. The method according to claim 7, wherein the process number of the application program is also obtained during the start-up of the application program, and the controlling to terminate the start-up of the application program comprises:
and controlling to send out a process termination instruction comprising the process number.
9. An application program start control device, comprising:
the white list determining module is used for extracting static fingerprints of all application programs, wherein all the static fingerprints form a program white list, and the static fingerprints are processed and obtained based on program files of the application programs in combination with a first hash algorithm;
the program stack table determining module is used for respectively executing the sample program of each application program and determining the execution track in the memory in the starting process of the sample program;
the starting monitoring module is used for obtaining an execution data stream from an execution stack of the application program based on the execution track corresponding to the application program in the starting process of the application program;
the dynamic fingerprint determining module is used for processing the execution data stream based on the first hash algorithm to obtain a dynamic fingerprint of the application program;
and the program starting control module is used for controlling the starting process of the application program based on the matching result of the dynamic fingerprint and the program white list.
10. An electronic device, comprising:
a processor;
a memory for storing executable program instructions of the processor;
wherein the executable program instructions comprise: extracting static fingerprints of all application programs, wherein all the static fingerprints form a program white list, and the static fingerprints are processed by combining a first hash algorithm based on program files of the application programs; respectively executing a sample program of each application program, and determining an execution track in a memory in the starting process of the sample program; in the starting process of the application program, obtaining an execution data stream from an execution stack of the application program based on the execution track corresponding to the application program;
processing the execution data stream based on the first hash algorithm to obtain a dynamic fingerprint of the application program;
and controlling the starting process of the application program based on the matching result of the dynamic fingerprint and the program white list.
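The lookup-and-terminate flow of kernel module X described above and the signed white list of claims 5 and 6, as an added example in Go that is not part of the patent: SHA-256 stands in for the unspecified first hash algorithm and Ed25519 for the first encryption algorithm (both my assumptions), and the byte strings standing in for program files and captured stack streams are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Fingerprint applies the "first hash algorithm" (assumed SHA-256 here) to a
// program file (static fingerprint) or a captured data stream (dynamic one).
func Fingerprint(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// SignedEntry is the spliced data of claim 5: a static fingerprint together
// with its signature under the first private key (assumed Ed25519).
type SignedEntry struct {
	Fingerprint string
	Signature   []byte
}

// BuildWhitelist extracts a static fingerprint for each program file and
// signs it, producing the program white list W in spliced form.
func BuildWhitelist(priv ed25519.PrivateKey, files [][]byte) []SignedEntry {
	out := make([]SignedEntry, 0, len(files))
	for _, f := range files {
		fp := Fingerprint(f)
		out = append(out, SignedEntry{fp, ed25519.Sign(priv, []byte(fp))})
	}
	return out
}

// LoadWhitelist verifies every spliced entry with the first public key
// (claim 6) and only then loads the fingerprints; a single bad signature
// rejects the whole list, so a tampered W is never consulted.
func LoadWhitelist(pub ed25519.PublicKey, entries []SignedEntry) (map[string]bool, bool) {
	w := make(map[string]bool, len(entries))
	for _, e := range entries {
		if !ed25519.Verify(pub, []byte(e.Fingerprint), e.Signature) {
			return nil, false
		}
		w[e.Fingerprint] = true
	}
	return w, true
}

// CheckStartup hashes the streams captured from the execution stack (the
// program b_1 first, then its dependent libraries b_2..b_n) into h_1..h_n and
// looks each up in W item by item, stopping at the first miss. It returns
// whether execution is legal and, if not, the index of the offending stream
// (a replaced library shows up here even when the main binary is intact).
func CheckStartup(w map[string]bool, streams [][]byte) (bool, int) {
	for i, s := range streams {
		if !w[Fingerprint(s)] {
			return false, i // kernel module X would now signal pid_i
		}
	}
	return true, -1
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	// Constructed stand-ins for program files; real ones are the on-disk binaries.
	app, libA, libB := []byte("app-binary"), []byte("libA-v1"), []byte("libB-v1")
	w, ok := LoadWhitelist(pub, BuildWhitelist(priv, [][]byte{app, libA, libB}))
	fmt.Println("white list loaded:", ok)
	fmt.Println(CheckStartup(w, [][]byte{app, libA, libB}))                // true -1
	fmt.Println(CheckStartup(w, [][]byte{app, []byte("libA-swap"), libB})) // false 1
}
```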
CN202311695104.4A 2023-12-11 2023-12-11 Application program starting control method and device and electronic equipment Pending CN117668822A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311695104.4A CN117668822A (en) 2023-12-11 2023-12-11 Application program starting control method and device and electronic equipment

Publications (1)

Publication Number Publication Date
CN117668822A true CN117668822A (en) 2024-03-08

Family

ID=90071127

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311695104.4A Pending CN117668822A (en) 2023-12-11 2023-12-11 Application program starting control method and device and electronic equipment

Country Status (1)

Country Link
CN (1) CN117668822A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050021971A1 (en) * 2003-07-23 2005-01-27 Microsoft Corporation Application identification and license enforcement
CN102831356A (en) * 2011-06-14 2012-12-19 武汉安珈教育科技有限公司 Software dynamic credibility authentication method based on software fingerprint
US20150074759A1 (en) * 2013-08-20 2015-03-12 Steven Dale Shanklin Application trust-listing security service
US20190116178A1 (en) * 2017-10-12 2019-04-18 Sap Se Application error fingerprinting
CN113221095A (en) * 2021-05-26 2021-08-06 珠海市魅族科技有限公司 Application program protection method and device, electronic equipment and storage medium
CN115098196A (en) * 2022-05-30 2022-09-23 北京丁牛科技有限公司 Verification method and device, electronic equipment and storage medium

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
WANG, X 等: "Fingerprint-jacking: Practical fingerprint authorization hijacking in Android apps", BLACKHAT, 2020, 31 December 2020 (2020-12-31) *
刁成嘉, 赵宏, 施汝军: "信息安全的保障──双向指纹密钥校验系统", 计算机工程与设计, no. 02, 28 February 2002 (2002-02-28) *
胡海生;: "一种基于白名单机制的电力监控主机恶意代码防御方案", 计算机应用与软件, no. 09, 15 September 2017 (2017-09-15) *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination