TWI801856B - Method of application control for child-program execution - Google Patents
- Publication number: TWI801856B (application TW110115776A)
- Authority: TW (Taiwan)
- Prior art keywords: program, application, parent, control unit, sub
Landscapes
- Information Transfer Between Computers (AREA)
- Stored Programmes (AREA)
- Programmable Controllers (AREA)
Description
The present invention relates to the technical field of application control, and in particular to an application control method based on child-program execution.
With the development of information technology, a large number of applications (apps) have emerged. A single vendor may provide multiple applications. Even different applications, especially those provided by the same vendor, may have similar functions. To keep up with technical developments or business needs, applications often have to be upgraded or replaced; for example, new versions may be released more than once per week. When a newly released version contains an error or the business suffers a failure, the application on the client side must urgently roll back to a specified version to meet users' basic needs.
Existing applications usually restrict which computer devices may legally use them, to prevent the application from being copied to other, unauthorized computer devices. To this end, protection mechanisms that bind to hardware information already exist. Under such a mechanism, once the application is started it first reads and verifies hardware information of the computer device on which it is installed, such as the CPU identifier or the hard disk serial number, and allows the device to run it normally only if verification passes. Although this mechanism binds the application to the legitimate computer device that may run it, the hardware information does not change dynamically, so the mechanism is easily cracked.
In addition, now that the Internet is widespread, enterprises usually set up Internet connections in order to obtain all kinds of applications. However, the information and applications retrieved from the Internet may also include malicious programs. Once a malicious program enters an information processing device, it will damage the software on it or steal the information it holds, causing great harm to information security within the enterprise.
On the other hand, an enterprise that enjoys the convenience of the Internet should also eliminate the threat of such malicious programs as far as possible. Restrictions on applications have traditionally been enforced with blacklist-based control. Because there are far too many programs in the world, blacklist-based control is no longer adequate.
Recently, hackers often use programs already present on the local machine as their attack programs, rather than programs they wrote themselves. This creates a problem: for example, the programs built into Windows are frequently used by users, but they are also the programs hackers favor most. Whether these built-in programs can be placed under application control is therefore a major question.
Furthermore, application control provides strong protection, which motivates the present invention to provide a novel application control method.
The purpose of the present invention is to provide an application control method based on child-program execution.
The application control method based on child-program execution of the present invention can greatly reduce the time cost of detection and improve the efficiency of information security detection.
The application control method based on child-program execution of the present invention comprises: designating an application control unit as a whitelisted program; executing the application control unit to produce a child process program, where, based on the inheritance relationship between the child process program and the application control unit, the child process program it spawns is a whitelisted program; and checking the parent process of the child process program, and executing the child process program if the parent process is the application control unit.
Designating an application control unit as a whitelisted program is performed through a designation unit.
Checking the parent process of the child process program is performed through a checking unit. Checking the parent process of the child process program means checking whether the child-program inheritance option is ticked for the application control unit.
The checking unit has a function for ticking that child processes inherit from the parent process, and a function for checking what the parent process is.
The application control method based on child-program execution of the present invention comprises: designating an installer as a whitelisted program; executing the installer to produce a child process program, where, based on the inheritance relationship between the child process program and the installer, the child process program it spawns is a whitelisted program; and checking the parent process of the child process program, and executing the child process program if the parent process is the installer.
Designating an installer as a whitelisted program is performed through a designation unit. Checking the parent process of the child process program means checking whether the child-program inheritance option is ticked for the installer.
110: ProcExp.Exe
120: ProcExp64.Exe
130, 220: Check what the parent process of the child process is
200: Installer
210: Child program
[First figure] Schematic diagram of the application control unit of the present invention executing its child process and checking the parent process of the child process program.
[Second figure] Schematic diagram of the installer of the present invention executing its child process and checking the parent process of the child process program.
The present invention is described in detail here with reference to specific embodiments and aspects of the invention. The description explains the structure or step flow of the present invention and is given for illustration, not to limit the scope of the claims. Therefore, besides the specific and preferred embodiments in this specification, the present invention can also be practiced widely in other embodiments. The implementation of the present invention is described below through specific embodiments, and those skilled in the art can readily understand its effects and advantages from the contents disclosed in this specification. The present invention can also be applied and implemented through other specific embodiments, the details set out in this specification can be applied according to different needs, and various modifications or changes can be made without departing from the spirit of the present invention.
The present invention proposes an application control method based on child-program execution, in which a parent process is designated as the application control unit (program). In computing, a parent process is a process that has created one or more child processes. While running, a parent process program spawns smaller programs to carry out part of its functions, and its child processes inherit most of the parent's attributes, such as file descriptors.
In the present invention, when a child process is executed, the system automatically checks which process is its parent. If the parent process found is defined, or has child-process (program) inheritance ticked, then because the parent process (program) is an application control unit and the child process (program) stands in an inheritance relationship to it, the child process automatically becomes an application control unit as well. That is, when a trusted parent process executes a child process program, the child process also becomes a trusted executable. The child program of a whitelisted program can inherit whitelist status: if the parent process is whitelisted, the inheriting child process is whitelisted too.
The present invention uses a whitelist as the control scheme, replacing the traditional blacklist-based control. A strong whitelist function is enough to block most hacker attacks. In practice, user behavior can be used to distinguish whether an executed program is a normally used program or a hacker's program. A normally used program belongs on the application-control whitelist; otherwise it belongs on the blacklist.
The first figure depicts the application control unit of the present invention executing its child process. The application control unit runs on a server, computer or computing device. First, a designation unit of the server designates the application control unit, which is a specific whitelisted program. The application control unit is then executed to produce a child process program; based on the inheritance relationship between the child process program and the application control unit, the spawned child process program is a whitelisted program. Next, a checking unit checks the parent process of the child process program, and if the parent process is the application control unit, the child process program is executed. For example, in this embodiment the application control unit is ProcExp.Exe 110, which is the parent process of ProcExp64.Exe 120. That is, under Win64 ProcExp.Exe 110 executes ProcExp64.Exe 120, and ProcExp64.Exe 120 becomes the child process of ProcExp.Exe 110. When the child process ProcExp64.Exe 120 is executed, the system performs step 130 and automatically checks what the parent process of ProcExp64.Exe 120 is. Because the parent process ProcExp.Exe 110 is defined, or has child-process (program) inheritance ticked, the child process ProcExp64.Exe 120 spawned by ProcExp.Exe 110 can inherit most of the attributes of ProcExp.Exe 110. Since the parent process ProcExp.Exe 110 is an application control unit, the child process ProcExp64.Exe 120 automatically becomes an application control unit as well. That is, once the trusted parent process ProcExp.Exe 110 executes the child process ProcExp64.Exe 120, ProcExp64.Exe 120 also becomes a trusted executable. In other words, the child process ProcExp64.Exe 120 of the whitelisted parent process ProcExp.Exe 110 can inherit whitelist status: ProcExp.Exe 110 is whitelisted, so the inheriting child process ProcExp64.Exe 120 is whitelisted too. Under Win64, the system runs the child process ProcExp64.Exe 120 in place of the original ProcExp.Exe.
ProcExp.Exe is a powerful process manager that makes it convenient to manage program processes and can start or forcibly terminate any program. In addition, ProcExp.Exe displays detailed computer information: central processing unit (CPU) and memory usage, dynamic-link libraries (DLLs), handles, process parent-child relationships, terminating a specified process, and so on.
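Referring to the first figure, in another example, if the system executes ProcExp64.Exe 120 on its own and there is no procedure that confirms which process is the parent of ProcExp64.Exe 120, the system cannot determine whether ProcExp64.Exe 120 is the child process of some parent process, and there is also no check of whether the parent process is whitelisted. The system therefore cannot determine whether ProcExp64.Exe 120 is whitelisted and treats it as not whitelisted.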
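In one embodiment, the child process ProcExp64.Exe 120 has its parent process checked by a checking unit. That is, the parent process ProcExp.Exe 110 is confirmed to be the parent of the child process ProcExp64.Exe 120 after the check by the checking unit. For example, the checking unit has a function or option for ticking that child processes inherit from the parent process, and a function for checking what the parent process is. When child-process inheritance is ticked for an application or software package in the checking unit, the child processes it spawns when executed have whitelist status. Of course, when a child process is executed, the checking unit also performs function 130 of checking what the parent process of the child process is.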
From the above, if a parent process program has been confirmed to be an application-controlled program, then a child process program executed by that parent is also an application-controlled program; moreover, a child process program executed by that child process is also an application-controlled program, and so on for N generations. Conversely, a child process program that is merely executed on its own is not an application-controlled program.
In addition, the present invention can designate a specific whitelisted program through a designation unit, and the child programs executed by that whitelisted program are directly recognized as application-controlled programs.
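The parent check, the standalone-launch case and the N-generation inheritance described above can be modelled as a small policy evaluator. This is an added example, not code from the patent: the rule format, the PIDs, the exit handling and the names `helper.exe`, `viewer.exe`, `plugin.exe`, `unknown.exe` and `tool.exe` are assumptions, and image names stand in for whatever program identity a real product uses.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    image: str      # program designated as whitelisted by the designation unit
    inherit: bool   # the "child inherits" option is ticked for this entry

class AppControl:
    """Models the checking unit: decides at process creation, from the parent."""

    def __init__(self, rules):
        # Windows image names compare case-insensitively.
        self.rules = {r.image.lower(): r for r in rules}
        self.live = {}  # pid -> True if this running process passes trust on

    def on_create(self, pid, ppid, image):
        """Return (allowed, reason) for one process-creation event."""
        rule = self.rules.get(image.lower())
        if rule is not None:
            allowed, passes_on, reason = True, rule.inherit, "designated"
        elif self.live.get(ppid, False):
            # Parent is trusted and inheriting, so the child is trusted too
            # and passes the property on in turn (N generations).
            allowed, passes_on, reason = True, True, "inherited"
        else:
            allowed, passes_on, reason = False, False, "no trusted parent"
        if allowed:
            self.live[pid] = passes_on  # denied processes never run
        return allowed, reason

    def on_exit(self, pid):
        # Forget exited processes so a reused PID cannot inherit stale trust.
        self.live.pop(pid, None)

# Constructed sample events: ("create", pid, ppid, image) or ("exit", pid).
EVENTS = [
    ("create", 100, 1, "ProcExp.Exe"),      # designated parent
    ("create", 101, 100, "ProcExp64.Exe"),  # child of the designated parent
    ("create", 102, 101, "helper.exe"),     # grandchild (hypothetical name)
    ("create", 200, 1, "ProcExp64.Exe"),    # same image launched on its own
    ("create", 300, 1, "viewer.exe"),       # designated, inheritance not ticked
    ("create", 301, 300, "plugin.exe"),     # its child gets nothing
    ("exit", 100),
    ("create", 100, 1, "unknown.exe"),      # PID 100 reused by another program
    ("create", 400, 100, "tool.exe"),       # child of the reused PID
]

RULES = [Rule("procexp.exe", inherit=True), Rule("viewer.exe", inherit=False)]

def replay(events, rules):
    """Feed events through a fresh AppControl; return one row per creation."""
    ac, out = AppControl(rules), []
    for ev in events:
        if ev[0] == "exit":
            ac.on_exit(ev[1])
        else:
            _, pid, ppid, image = ev
            out.append((image, pid) + ac.on_create(pid, ppid, image))
    return out

if __name__ == "__main__":
    for row in replay(EVENTS, RULES):
        print(row)
```

The decision depends on the recorded parent at creation time, so the same `ProcExp64.Exe` image is allowed as PID 101 and denied as PID 200.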
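The second figure depicts the application control unit of another embodiment of the present invention executing its child process. In this embodiment, the application control unit is an installer 200 of a computer or computing device. In the second figure, the application control unit is the installer 200, which is designated as a whitelisted program through a designation unit. During installation, the installer 200 also executes an installation child program 210, and the installer 200 thereby becomes the parent program of child program 210. Likewise, when child program 210 is executed, the system performs step 220 and automatically checks what the parent program of child program 210 is. Because the parent process, installer 200, is defined, or has child-process (program) inheritance ticked, the child program 210 spawned by installer 200 can inherit most of the attributes of installer 200. Since installer 200 is an application control unit, child program 210 automatically becomes an application control unit as well. That is, once the trusted parent process, installer 200, executes child program 210, child program 210 also becomes a trusted executable. In other words, child program 210 of the whitelisted installer 200 can inherit whitelist status: installer 200 is whitelisted, so the inheriting child program 210 is whitelisted too.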
The present invention can designate a specific program as having the inheritance attribute, so that its child programs become whitelisted. Compared with the conventional blacklist-based control, the present invention proposes an application control method based on child-program execution that uses a designated application control unit to determine the executable whitelist, which greatly improves the efficiency of information security detection.
Changes may be made to the above application control method based on child-program execution without departing from the scope of this document. It should therefore be noted that the matter contained in the above description and shown in the accompanying drawings is to be interpreted as illustrative and not in a limiting sense. The following claims are intended to cover all generic and specific features described herein, as well as all statements of the scope of the application control method based on child-program execution of the present invention which, as a matter of language, might be said to fall therebetween.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW110115776A TWI801856B (en) | 2021-04-30 | 2021-04-30 | Method of application control for child-program execution |
Publications (2)
Publication Number | Publication Date |
---|---|
TW202244724A TW202244724A (en) | 2022-11-16 |
TWI801856B true TWI801856B (en) | 2023-05-11 |
Family
ID=85793028
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
TW110115776A TWI801856B (en) | 2021-04-30 | 2021-04-30 | Method of application control for child-program execution |
Country Status (1)
Country | Link |
---|---|
TW (1) | TWI801856B (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
TWI556129B (en) * | 2014-11-07 | 2016-11-01 | 財團法人工業技術研究院 | Management server and method and user client device and monitoring method thereof |
TWI560571B (en) * | 2012-02-16 | 2016-12-01 | Samsung Electronics Co Ltd | Method and apparatus for protecting digital content using device authentication |
US20190080081A1 (en) * | 2017-09-08 | 2019-03-14 | Avecto Limited | Computer Device and Method for Controlling Process Components |
US20190318100A1 (en) * | 2018-04-17 | 2019-10-17 | Oracle International Corporation | High granularity application and data security in cloud environments |
US20200242236A1 (en) * | 2011-12-02 | 2020-07-30 | Invincea, Inc. | Methods and apparatus for control and detection of malicious content using a sandbox environment |
US20200242239A1 (en) * | 2016-08-03 | 2020-07-30 | Sophos Limited | Mitigation of return-oriented programming attacks |
- 2021-04-30: TW application TW110115776A, patent TWI801856B, status active
Also Published As
Publication number | Publication date |
---|---|
TW202244724A (en) | 2022-11-16 |