CN117786658A - Unauthorized application determination method, electronic device, and computer-readable medium - Google Patents

Unauthorized application determination method, electronic device, and computer-readable medium Download PDF

Info

Publication number
CN117786658A
CN117786658A CN202311810221.0A CN202311810221A CN117786658A CN 117786658 A CN117786658 A CN 117786658A CN 202311810221 A CN202311810221 A CN 202311810221A CN 117786658 A CN117786658 A CN 117786658A
Authority
CN
China
Prior art keywords
application
audit
unauthorized
determination method
signature verification
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311810221.0A
Other languages
Chinese (zh)
Inventor
石忠玉
纪建芳
范雪俭
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd, Beijing Topsec Software Co Ltd filed Critical Beijing Topsec Technology Co Ltd
Priority to CN202311810221.0A priority Critical patent/CN117786658A/en
Publication of CN117786658A publication Critical patent/CN117786658A/en
Pending legal-status Critical Current

Links

Landscapes

  • Storage Device Security (AREA)

Abstract

The present disclosure provides an unauthorized application determination method, including: configuring audit rules of an audit subsystem, wherein the audit rules comprise events which need to be monitored during application running and are related to signature verification of the application; running the application; and monitoring the event according to the audit rule by the audit subsystem, and judging whether the application is an unauthorized application or not. The present disclosure also provides an electronic device, a computer-readable medium. The method uses a hash algorithm for processing, and the algorithm has high strength and is relatively safe; dynamic judgment of application authorization can be realized by means of real-time monitoring system call, timely protection is facilitated, and safety and stability of the system are guaranteed.

Description

Unauthorized application determination method, electronic device, and computer-readable medium
Technical Field
The present disclosure relates to the field of security technologies, and in particular, to a method for determining unauthorized applications, an electronic device, and a computer readable medium.
Background
Dynamic decisions in the in-vehicle system for third party unauthorized applications are typically based on application signature verification, behavioral analysis, and security sandboxes.
For example, when a user attempts to install an unauthorized third party application, the vehicle system may first verify the digital signature of the application and refuse to install if the signature is invalid or not on a white list. For installed applications, the vehicle-to-machine system identifies potential malicious behavior by signature verification, behavior analysis, etc., techniques including file access, network access, etc., while the application is running. The prior art can only analyze some file accesses by looking up the log, and cannot realize the dynamic judgment of unauthorized application.
Disclosure of Invention
The embodiment of the disclosure provides an unauthorized application judging method, electronic equipment and a computer readable medium.
In a first aspect, an embodiment of the present disclosure provides an unauthorized application determination method, including:
configuring audit rules of an audit subsystem, wherein the audit rules comprise events which need to be monitored during application running and are related to signature verification of the application;
running the application;
and monitoring the event according to the audit rule by the audit subsystem, and judging whether the application is an unauthorized application or not.
In some embodiments, prior to configuring the audit rules of the audit subsystem, comprising: and starting the auditing subsystem.
In some embodiments, the event comprises: a process of the signature verification of the application, and/or an attempt to bypass the signature verification of the application.
In some embodiments, monitoring the event according to the audit rules includes:
monitoring an exeve system call, and monitoring the signature verification process of the application; and/or
Monitoring ptrace system calls for attempts to bypass the signature verification of the application.
In some embodiments, running the application includes: the signature verification of the application is performed using a hash algorithm at runtime of the application.
In some embodiments, monitoring, by the audit subsystem, the event according to the audit rule, and determining whether the application is an unauthorized application includes:
generating an audit log of an unauthorized application when the signature verification is monitored to fail or the signature verification of the application is attempted to be bypassed according to the audit rule, wherein the audit log comprises information of the unauthorized application;
and judging whether the application is an unauthorized application or not according to the audit log.
In some embodiments, determining from the audit log whether the application is an unauthorized application includes:
searching keywords related to the event, which are set in the audit rule, in the audit log;
and when the keyword is searched, determining the application name of the unauthorized application.
In some embodiments, the application is installed in a vehicle operator system.
In a second aspect, embodiments of the present disclosure provide an electronic device, including:
one or more processors;
and a memory having one or more programs stored thereon, which when executed by the one or more processors, cause the one or more processors to implement the unauthorized application determination method according to the first aspect of the embodiments of the present disclosure.
In a third aspect, embodiments of the present disclosure provide a computer-readable medium having stored thereon a computer program which, when executed by a processor, implements the unauthorized application determination method according to the first aspect of the embodiments of the present disclosure.
In the embodiment of the disclosure, the dynamic judgment of the application authorization can be realized by a mode of real-time monitoring system call, so that the protection is convenient to achieve in time. By utilizing the system disclosed by the invention, such as a vehicle-mounted system, the unauthorized application of the third party can be effectively and dynamically judged, and the safety and stability of the system are ensured.
Drawings
Fig. 1 is a flowchart of an unauthorized application determination method in an embodiment of the present disclosure.
Fig. 2 is a schematic diagram of the composition of an electronic device in an embodiment of the disclosure.
Detailed Description
In order to better understand the technical solutions of the present disclosure, the following detailed description of the technical solutions of the present disclosure is provided with reference to the accompanying drawings.
Example embodiments will be described more fully hereinafter with reference to the accompanying drawings, but may be embodied in various forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
Embodiments of the disclosure and features of embodiments may be combined with each other without conflict.
As used herein, the term "and/or" includes any and all combinations of one or more of the associated listed items.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. As used herein, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
Unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and the present disclosure, and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
Embodiments of the present disclosure are directed to a method of dynamic unauthorized determination of third party applications in a computer system. By configuring the audit rules of the audit subsystem, monitoring the key system call and combining the signature verification process of the application, the embodiment can effectively identify the operation of the unauthorized application and improve the security of the system. The auditing subsystem, auditing rules, signature verification process and embodiments are described in more detail below.
In the present disclosure, unless otherwise specified, the following technical terms are to be understood as follows:
and (3) an auditing subsystem: the audit subsystem is a security audit system for collecting and recording behavior events of the system, the kernel and the user process. It helps track operations performed on the system and provides a comprehensive audit of system activity. The audit subsystem is generally capable of reliably collecting event information that may or may not be related to security.
Audit rules: audit rules are key parameters configuring the audit subsystem for defining a set of rules that specify the type of event, conditions, and actions to be audited. These rules determine which system activities the audit subsystem monitors and records at run-time. By defining rules, specific events can be captured and relevant information recorded in an audit log for subsequent analysis and auditing. Therefore, the audit rule is used as a configuration mechanism to ensure that the system meets the requirements of safety and compliance in the running process, and by configuring the audit rule, the system can monitor and record key events, thereby providing comprehensive audit on the system activity.
Audit log: the audit log is a file for recording key events and activities in the system, and the behavior of the system can be tracked, monitored and analyzed through the audit log. Audit logs include, but are not limited to, time stamps, event types, application names, event descriptions, keywords, or success/failure flags, etc. The content of the audit log typically depends on the operating system and the specific configuration.
According to the embodiment of the disclosure, whether the third party application is an unauthorized application is judged by means of signature verification on the application, audiotd is a process for auditing in an operating system, a signature verification event in the system can be identified by configuring an auditing rule, a result of the signature verification event can be analyzed, and when a signature verification failure occurs or the application bypasses the signature verification and the like, the audiotd can generate a corresponding audit log, so that dynamic judgment on the third party unauthorized application is realized by the principle.
The embodiments of the present disclosure are applicable not only to vehicle systems, but also to other systems involving system security. This illustrates that the disclosed methods are versatile and can be used in a variety of contexts as long as unauthorized decisions need to be made for third party applications.
The embodiment of the disclosure provides an unauthorized determination method for a third party application in a system such as a vehicle machine, and the application is used for determining whether unauthorized by performing signature verification operation on the application when running, so that potential safety risks are reduced, and particularly in environments with high safety requirements such as the vehicle machine system.
Fig. 1 is a flowchart of an unauthorized application determination method according to an embodiment of the present disclosure.
In a first aspect, referring to fig. 1, an embodiment of the present disclosure provides an unauthorized application determination method, including:
s11, configuring an audit rule of an audit subsystem, wherein the audit rule comprises events which need to be monitored during application running and are related to signature verification of the application;
s12, running the application;
and S13, monitoring the event according to the audit rule by the audit subsystem, and judging whether the application is an unauthorized application or not.
In the embodiment of the disclosure, an audiotd auditing subsystem is self-contained in the Android kernel, and the auditing subsystem is responsible for realizing the auditing function of the user space. audiotd is a daemon process that can monitor related events generated by system calls and processes to audit the running third party applications and determine if they are unauthorized applications. Specifically, in the disclosed embodiments, the auditing subsystem monitors system call events by configuring auditing rules to implement components that apply unauthorized decisions to third parties.
In some embodiments, prior to configuring the audit rules of the audit subsystem, comprising: and starting the auditing subsystem.
In some embodiments, the event comprises: a process of the signature verification of the application, and/or an attempt to bypass the signature verification of the application.
In some embodiments, monitoring the event according to the audit rules includes:
monitoring an exeve system call, and monitoring the signature verification process of the application; and/or
Monitoring ptrace system calls for attempts to bypass the signature verification of the application.
In the disclosed embodiments, the system configures the auditing rules of the auditing subsystem, by which the system specifies which activities the auditing subsystem should focus on and under what conditions the auditing is triggered. For example, audit rules may include primarily monitoring rules for both exeve and ptrace, where exeve is typically a system call that is generated when an application performs a check, and ptrace is a system call used to track and manipulate other processes, through which an attacker can monitor and modify the memory and register states of a target process, by modifying the relevant data structure contents or function return values, thereby bypassing the check. Through the monitoring of the two system calls, the system can comprehensively capture events related to application execution and process tracking, and the detection capability of unauthorized behaviors is improved.
In the embodiment of the disclosure, audit rules are loaded when audiotd is started, corresponding audit logs are generated for system calls of hit rules, the system calls generated by signature verification operation are monitored through configuration rules, and the signature verification result is judged to determine unauthorized application.
In the embodiment of the disclosure, the rule setting is not limited to the execution and ptrace, and can be modified in detail according to specific scenes and requirements so as to adapt to the characteristics of different systems and applications. This includes the possibility to configure rules to generate audit logs only when unauthorized applications are present, or to adapt the rules to accommodate different signature verification algorithms. This flexibility allows for a wider applicability of the disclosed embodiments.
In the embodiment of the disclosure, the audit rules can be further expanded and modified to more fully monitor and control the behavior of unauthorized applications. If the unauthorized application has specific file operation behaviors in the file system, an audit rule can be added to monitor the operations of creating, modifying, deleting and the like of the file. This allows file operations associated with unauthorized applications to be recorded for further analysis and processing via audit logs. If an unauthorized application is associated with network communications, you can configure audit rules to monitor network activity, including the establishment and closure of network connections, etc. This allows logging of the network activity of the application and helps identify potential unauthorized communications. You can specifically monitor the system call parameters associated with them, depending on the nature of the unauthorized application. This allows to capture the behaviour of unauthorized applications more accurately. In this way, the execution parameters of the unauthorized application can be recorded. The creation, exit, parent-child relationship, etc. information of the process is monitored to understand the association of unauthorized applications with other processes. By monitoring the return value of the system call, an abnormal condition in the execution process of the application can be detected. And aiming at new threats and attack modes, the audit rule is updated regularly, so that the monitoring capability of the system for the latest threats is ensured to be maintained. Those skilled in the art will appreciate that the particular modification and expansion of audit rules should be tailored to the particular application scenario and security requirements. The audit rule is ensured to be set, so that the behavior of unauthorized application can be effectively monitored, and excessive interference to normal operation can be avoided.
In some embodiments, running the application includes: the signature verification of the application is performed using a hash algorithm at runtime of the application.
In embodiments of the present disclosure, a hash algorithm may be employed to verify the signature of an application when installing and running a third party application for ensuring the integrity and origin of the application. In applying the signature, the developer first selects a hash algorithm, such as SHA-256, SHA-1, MD5, etc. In Android 9.0 (API level 28) and higher, new applications are required to use stronger algorithms, such as SHA-256 can be used. However, embodiments of the present disclosure are not particularly limited to the particular hash algorithm used, as the algorithm is at the discretion of the application developer. The developer first hashes the applied data using the selected hash algorithm to generate a digest, also known as a hash value or digital signature. The developer digitally signs the generated digest using their private key. This typically involves the use of an asymmetric encryption algorithm, wherein a private key is used for signature generation and a corresponding public key is used to verify the signature. The generated signature will be published with the application. This signature will serve as a digital identification of the application, ensuring the integrity and origin of the application. When a user tries to install or run an application, the Android system decrypts the application signature by using the public key of the developer, and obtains an original abstract. Meanwhile, the system also performs the same hash operation on the applied data to generate a new abstract. The system compares the digest in the developer signature with the digest that the system generated for the application data. If the two digests match, the system confirms that the application was signed by the developer and thus considered trusted. The digest matching process verifies the integrity and authenticity of the application. It should be noted that although the embodiments of the present disclosure do not explicitly specify the hash algorithm to be used, in practical applications, a more secure algorithm, such as SHA-256, may be selected in order to meet the best practices of security and recommendation.
In some embodiments, monitoring, by the audit subsystem, the event according to the audit rule, and determining whether the application is an unauthorized application includes:
generating an audit log of an unauthorized application when the signature verification is monitored to fail or the signature verification of the application is attempted to be bypassed according to the audit rule, wherein the audit log comprises information of the unauthorized application;
and judging whether the application is an unauthorized application or not according to the audit log.
In the embodiment of the disclosure, through configured audit rules, audiotd captures events generated by the verification and matches the events with the rules. If a rule is matched, particularly if a signature verification failure is monitored or an event is attempted to bypass the signature verification, the audit subsystem may generate an audit log of the unauthorized application. The generated audit log contains critical information such as the name of the unauthorized application, and/or the event type, etc. By analyzing these logs, it can be determined whether the application is unauthorized. Those skilled in the art will appreciate that rules may be configured according to requirements such that the audit system only generates audit logs when unauthorized applications are present. This arrangement helps to reduce unnecessary logging, enabling administrators to pay more precise attention to the presence of unauthorized applications while mitigating impact on system performance. In addition, rules may be modified to enable authorized applications to also generate logs so that the activity of the application can be monitored in real time and potential abnormal behavior can be discovered in time.
In some embodiments, determining from the audit log whether the application is an unauthorized application includes:
searching keywords related to the event, which are set in the audit rule, in the audit log;
and when the keyword is searched, determining the application name of the unauthorized application.
In the disclosed embodiments, to identify events related to application audits, some specific tags, such as "app_signature_verification" may be defined in the audit rules. These tags act as keywords for identification in the audit rules, helping the system distinguish between different types of audit events. The configured audit rules allow the system to capture activities related to unauthorized application decisions at runtime and generate corresponding audit logs. These logs record system call events and information related to application security. By looking at the generated audit log, the system can identify the behavior of unauthorized applications, especially failure to verify the application signature. For example, keywords are searched in an audit log of audiotd, and further keywords with verification failures are searched to check the detailed audit log, so that the user can check which application generates the verification failure event, and unauthorized applications existing in the system can be checked conveniently.
In some embodiments, the application is installed in a vehicle operator system.
In the disclosed embodiments, while Android is illustrated, the methods and principles described are equally applicable to other operating systems, such as Linux, windows, etc. Different operating systems may have different audit subsystems, for example, in a Linux system, an audio framework provided by a Linux kernel may be used. This framework also allows configuration of audit rules, monitoring of system calls, and generation of audit logs. While the specific audit subsystem and configuration may vary among different operating systems, the audit mechanisms and methods of the cores are similar. By understanding the audit subsystem of a particular operating system, similar configuration rules and monitoring system calls may be employed to achieve dynamic decisions on unauthorized applications. This versatility allows the described method to be applied on different operating systems, enhancing its applicability and flexibility.
In general, in an embodiment of the present disclosure, the present invention provides an unauthorized application determination method. According to the method, an audit subsystem is integrated in an Android kernel, an audit rule monitoring system call event is configured, and the audit rule monitoring system call event is a call related to application signature verification, so that unauthorized judgment of third-party application is realized. During the installation and running of the application, a developer signs the application by using a hash algorithm, and generates a digital signature as an identification of the application. The audiotd audit subsystem captures the behavior of the application in real time by monitoring system calls, particularly those related to application signature verification, and generates an audit log. By analyzing these logs, the system can dynamically determine whether the application is an unauthorized application, such as if there is a failure to verify the application signature. The real-time monitoring and judging mechanism provides a powerful application safety control means for the system, and ensures the integrity and source of third party application, thereby enhancing the overall safety of the system.
Fig. 2 is a schematic diagram of the composition of an electronic device in an embodiment of the disclosure.
In a second aspect, referring to fig. 2, an embodiment of the present disclosure provides an electronic device, including:
one or more processors 201;
a memory 202 having one or more programs stored thereon, which when executed by one or more processors, cause the one or more processors to implement the unauthorized application determination method according to the first aspect of the embodiments of the present disclosure;
one or more I/O interfaces 203, coupled between the processor and the memory, are configured to enable information interaction of the processor with the memory.
Wherein the processor 201 is a device having data processing capabilities, including but not limited to a Central Processing Unit (CPU) or the like; memory 202 is a device with data storage capability including, but not limited to, random access memory (RAM, more specifically SDRAM, DDR, etc.), read-only memory (ROM), electrically charged erasable programmable read-only memory (EEPROM), FLASH memory (FLASH); an I/O interface (read/write interface) 203 is connected between the processor 201 and the memory 202 to enable information interaction between the processor 201 and the memory 202, including but not limited to a data Bus (Bus) or the like.
In some embodiments, processor 201, memory 202, and I/O interface 203 are connected to each other and, in turn, to other components of the computing device via bus 204.
In a third aspect, an embodiment of the present disclosure provides a computer readable medium having stored thereon a computer program which, when executed by a processor, implements the unauthorized application determination method according to the first aspect of the embodiment of the present disclosure.
In order to enable those skilled in the art to more clearly understand the technical solutions provided by the embodiments of the present disclosure, the following details of the technical solutions provided by the embodiments of the present disclosure are described by specific embodiments:
example 1
The unauthorized determination method for the third party application in the embodiment of the disclosure comprises the following implementation procedures:
starting an audiotd auditing subsystem in the android kernel;
configuring audit rules of audiotd, wherein the rules mainly monitor the execution and ptrace system call;
running a third party application while verifying the signature of the application using a hash algorithm;
judging whether the applied signature verification is successful or not;
if the signature verification of the application is successful, determining that the application is an authorized application;
if the verification of the application fails, an audit log of the unauthorized application is generated, and keywords of the verification failure are searched in the audit log to determine the unauthorized application.
Example two
The method and the device can be applied to dynamic judgment of unauthorized access of the third party application on the vehicle.
According to the unauthorized application determination method described in the embodiments of the present disclosure, the following specific operation steps may be adopted:
1. an operating system is built that turns on the audiotd function.
2. In audit rules, such as/etc/audio/audio.rules, the following rules are added:
-a always,exit-F arch=b64-F success=no-S execve-k app_signature_verification
-a always,exit-F arch=b64-F success=no-S ptrace-k app_signature_verification
3. an unauthorized third party application is installed in the system.
4. And restarting the vehicle, when the operating system of the vehicle is started, starting the audiotd module by default, and loading the rule file.
5. And running a third party application in the vehicle system.
6. The application runtime operating system or security software may perform a signature verification operation on the application.
7. Executing an ausearch-k app_signature_verification command to search a log of the signature verification failure, judging the name of the unauthorized application by checking the exe field of the log, and performing corresponding processing.
In the disclosed embodiments, those skilled in the art will appreciate that the rules specifically set forth above are exemplary and that various modifications may be made in accordance with the methods of the present disclosure.
In embodiments of the present disclosure, by viewing the results of the audit log, corresponding actions may be taken to handle unauthorized applications, such as prohibiting them from continuing to run or taking other security measures.
Example III
According to the unauthorized application determination method described in the embodiments of the present disclosure, the following is a specific operation procedure applicable to the server system:
1. an operating system is built on the server system, and the operating system is ensured to be supported by an audiotd auditing subsystem.
2. Audit rules are configured in the server system to monitor system calls related to unauthorized application decisions. For example, rules are configured to monitor events related to application launch and behavior detection, such as execution (execution) and process tracking (ptrace).
-a always,exit-F arch=b64-F success=no-S execve-k server_app_verification
-a always,exit-F arch=b64-F success=no-S ptrace-k server_app_verification
The above rule is used to monitor system calls for execution and process tracking, and the key is "server_app_verification".
3. A simulated unauthorized application is installed in the server system for testing validity of audit rules.
4. Restarting the server system ensures that the audiotd module is started by default at system start-up and loads the preconfigured audit rule file.
5. And running an installed unauthorized application in the server system to trigger a corresponding system call.
6. When the application runs, the operating system or the security software performs signature verification operation on the application. If the verification fails, an audit log is generated according to the rule.
7. Searching audit logs related to unauthorized application judgment by using an ausearch-k server_app_verification command, and searching logs with a keyword of 'server_app_verification'. And judging the name of the unauthorized application by checking the exe field of the log so as to perform corresponding processing.
With this embodiment, it is possible to verify that the unauthorized application determination method of the embodiment of the present disclosure is applied in the server system. An administrator can adjust audit rules to accommodate different scenarios and system features according to the specific security requirements of the server. This demonstrates the versatility and applicability of the method, not limited to vehicle systems alone.
The dynamic judging method using the unauthorized application of the present disclosure is described based on audiotd in an operating system, and by using audiotd configuration rules in the operating system, system call is monitored in real time, relevant information of the system call can be identified, and the signature verification result of the application is analyzed to make unauthorized judgment, so that the intrusion prevention capability of the vehicle is improved.
The embodiment of the disclosure uses a hash algorithm for processing, and the algorithm has high strength and is relatively safe; dynamic judgment of application authorization can be realized by means of real-time monitoring system call, timely protection is facilitated, and safety and stability of the system are guaranteed.
The method and the device solve the problem that the unauthorized judgment of the application cannot be carried out and only the file access can be monitored. The method and the device realize dynamic authorization judgment on the access of the third party application in the operating system of the vehicle machine by configuring the audit rule and monitoring system call.
The method of the embodiment of the disclosure has wide applicability, is not limited to a vehicle-to-machine system, can be popularized to various scenes related to system safety, and provides a general method for dynamically judging unauthorized application for various systems.
The technical principle and the method of the embodiment can be applied to different types of vehicle systems such as vehicle information entertainment systems, vehicle control systems and the like. By configuring audit rules in the systems and monitoring key system calls, dynamic judgment of unauthorized application can be realized in the vehicle-mounted system, so that the safety of the whole vehicle-mounted system is improved.
Servers are critical components in computer networks, requiring extremely high security. The method of the embodiment is also suitable for a server system, and the key system call is monitored by configuring audit rules, so that the dynamic judgment of unauthorized application is realized. The method provides a powerful security protection mechanism for the server system and prevents potential malicious application intrusion.
The embedded system is widely applied to various electronic devices, such as intelligent home, industrial control and the like. The method of the embodiment is also suitable for the embedded system, and the key system call is monitored by configuring the audit rule, so that the dynamic judgment of the unauthorized application is realized. The embedded system provides an effective safety guarantee for the embedded system, and ensures that the equipment is free from the influence of unauthorized application in the running process.
In addition to the vehicle system, the method of the embodiment can also be applied to other mobile devices, such as smart phones, tablet computers, and the like. By configuring audit rules in the mobile equipment, key system call is monitored, dynamic judgment of unauthorized application is realized, and threat of malicious application to user data and equipment security is effectively prevented.
The method can also be applied to other system security fields, such as network security equipment, information security management systems and the like. By flexibly configuring audit rules in systems in different fields, monitoring key system call, dynamic judgment of unauthorized application can be realized in various safety key scenes, and reliable guarantee is provided for the overall safety of the system.
In summary, the method of the embodiment of the disclosure has universality and flexibility, can be widely applied to different types of systems, and provides a powerful and universal security solution for dynamically judging unauthorized application for various systems.
Those of ordinary skill in the art will appreciate that all or some of the steps, systems, functional modules/units in the apparatus, and methods disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof. In a hardware implementation, the division between the functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed cooperatively by several physical components. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor, or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes both volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as known to those skilled in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer. Furthermore, as is well known to those of ordinary skill in the art, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media.
Example embodiments have been disclosed herein, and although specific terms are employed, they are used and should be interpreted in a generic and descriptive sense only and not for purpose of limitation. In some instances, it will be apparent to one skilled in the art that features, characteristics, and/or elements described in connection with a particular embodiment may be used alone or in combination with other embodiments unless explicitly stated otherwise. It will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the scope of the disclosure as set forth in the appended claims.

Claims (10)

1. An unauthorized application determination method, comprising:
configuring audit rules of an audit subsystem, wherein the audit rules comprise events which need to be monitored during application running and are related to signature verification of the application;
running the application;
and monitoring the event according to the audit rule by the audit subsystem, and judging whether the application is an unauthorized application or not.
2. The unauthorized application determination method according to claim 1, wherein, before configuring the audit rule of the audit subsystem, comprising: and starting the auditing subsystem.
3. The unauthorized application determination method according to claim 2, wherein the event includes: a process of the signature verification of the application, and/or an attempt to bypass the signature verification of the application.
4. An unauthorized application determination method according to claim 3, wherein monitoring the event according to the audit rule includes:
monitoring an exeve system call, and monitoring the signature verification process of the application; and/or
Monitoring ptrace system calls for attempts to bypass the signature verification of the application.
5. The unauthorized application determination method according to any one of claims 1-4, wherein running the application includes: the signature verification of the application is performed using a hash algorithm at runtime of the application.
6. The unauthorized application determination method according to any one of claims 1-4, wherein the monitoring, by the audit subsystem, of the event according to the audit rule, whether the application is an unauthorized application, includes:
generating an audit log of an unauthorized application when the signature verification is monitored to fail or the signature verification of the application is attempted to be bypassed according to the audit rule, wherein the audit log comprises information of the unauthorized application;
and judging whether the application is an unauthorized application or not according to the audit log.
7. The unauthorized application determination method according to claim 6, wherein determining whether the application is an unauthorized application according to the audit log comprises:
searching keywords related to the event, which are set in the audit rule, in the audit log;
and when the keyword is searched, determining the application name of the unauthorized application.
8. The unauthorized application determination method according to any one of claims 1-4, wherein the application is installed in a vehicle-mounted operating system.
9. An electronic device, comprising:
one or more processors;
a memory having one or more programs stored thereon, which when executed by the one or more processors, cause the one or more processors to implement the unauthorized application determination method according to any one of claims 1 to 8.
10. A computer readable medium having stored thereon a computer program which, when executed by a processor, implements the unauthorized application determination method according to any one of claims 1 to 8.
CN202311810221.0A 2023-12-26 2023-12-26 Unauthorized application determination method, electronic device, and computer-readable medium Pending CN117786658A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311810221.0A CN117786658A (en) 2023-12-26 2023-12-26 Unauthorized application determination method, electronic device, and computer-readable medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311810221.0A CN117786658A (en) 2023-12-26 2023-12-26 Unauthorized application determination method, electronic device, and computer-readable medium

Publications (1)

Publication Number Publication Date
CN117786658A true CN117786658A (en) 2024-03-29

Family

ID=90384570

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311810221.0A Pending CN117786658A (en) 2023-12-26 2023-12-26 Unauthorized application determination method, electronic device, and computer-readable medium

Country Status (1)

Country Link
CN (1) CN117786658A (en)

Similar Documents

Publication Publication Date Title
US11514159B2 (en) Method and system for preventing and detecting security threats
US8601273B2 (en) Signed manifest for run-time verification of software program identity and integrity
US8364973B2 (en) Dynamic generation of integrity manifest for run-time verification of software program
US8375442B2 (en) Auditing a device
CN105608386A (en) Trusted computing terminal integrity measuring and proving method and device
KR20150106937A (en) Context based switching to a secure operating system environment
AU2021319159B2 (en) Advanced ransomware detection
US10339307B2 (en) Intrusion detection system in a device comprising a first operating system and a second operating system
WO2021121382A1 (en) Security management of an autonomous vehicle
Kumara et al. Hypervisor and virtual machine dependent Intrusion Detection and Prevention System for virtualized cloud environment
Breitenbacher et al. HADES-IoT: A practical and effective host-based anomaly detection system for IoT devices (extended version)
Almohri et al. Droidbarrier: Know what is executing on your android
CN115310084A (en) Tamper-proof data protection method and system
CN115879099A (en) DCS controller, operation processing method and protection subsystem
CN113127873A (en) Credible measurement system of fortress machine and electronic equipment
CN110348180B (en) Application program starting control method and device
CN112422527A (en) Safety protection system, method and device of transformer substation electric power monitoring system
WO2020007249A1 (en) Operating system security active defense method and operating system
Qi et al. A comparative study on the security of cryptocurrency wallets in android system
CN115795432A (en) Program integrity verification system and method suitable for read-only file system
CN117786658A (en) Unauthorized application determination method, electronic device, and computer-readable medium
CN113836542B (en) Trusted white list matching method, system and device
US11507673B1 (en) Adaptive cyber-attack emulation
CN117668822B (en) Application program starting control method and device and electronic equipment
WO2022100660A1 (en) Behavior control method, apparatus, electronic device, and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination