WO2015010627A1 - A management method, system, and computer-readable storage medium for internet connection of applications - Google Patents


Publication number
WO2015010627A1
Authority
WO
WIPO (PCT)
Prior art keywords
control information
intercepted application
allowing
application
system call
Application number
PCT/CN2014/082873
Inventor
Sheng Guan
Original Assignee
Tencent Technology (Shenzhen) Company Limited


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2137 Time limited access, e.g. to a computer or data
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies

Abstract

A method and system for managing Internet connections of a plurality of applications have been disclosed. The method includes at least the following operations: intercepting within a kernel space, an application executing a socket system call; determining control information corresponding to the intercepted application based on: a mapping relationship between control information and corresponding identification information of the plurality of applications, wherein the plurality of applications operate within a user space, and identification information of the intercepted application; and allowing or denying the intercepted application executing the socket system call according to the control information corresponding to the intercepted application. The disclosed method may be utilized to complete application-based and kernel-level control on Internet access traffic and/or duration and effectively protect user privacy.

Description

A Management Method, System, and Computer-Readable Storage Medium for Internet Connection of Applications
CROSS-REFERENCE TO RELATED APPLICATIONS
[0001] The application claims priority to Chinese Patent Application No. 2013103139007, filed on July 24, 2013, which may be incorporated by reference in its entirety.
FIELD OF THE TECHNOLOGY
[0002] The present invention relates to the technologies of managing the Internet access of the Internet applications installed on a terminal, particularly to a management method, system, and computer-readable storage medium for Internet connection of applications.
BACKGROUND
[0003] Currently, a terminal's connection to the Internet has at least the following problems:
1. When the terminal may be connected to the Internet, a plurality of applications installed in the terminal (including the unnecessary applications) may get connected to the Internet automatically. In this regard, the unnecessary Internet access traffic may consume network resources and may incur cost to internet access (e.g., using up data plan).
2. Private information stored on the terminal may be susceptible to leakage while the plurality of applications of the terminal are connected to the Internet, thus posing security issues.
[0004] To sum up, existing network connection methods implemented on terminals tend to incur high Internet access expenses and may have low security performance.
SUMMARY
[0005] The disclosure provides a management method, system, and computer-readable storage medium for Internet connection of applications, which aim to overcome at least the above-mentioned problems.
[0006] An embodiment of the disclosure discloses a method for managing Internet connections of a plurality of applications. The method includes at least the operations of: intercepting within a kernel space, an application executing a socket system call; determining control information corresponding to the intercepted application based on: a mapping relationship between control information and corresponding identification information of the plurality of applications, wherein the plurality of applications operate within a user space, and identification information of the intercepted application; and allowing or denying the intercepted application executing the socket system call according to the control information corresponding to the intercepted application.
[0007] Another embodiment of the disclosure discloses a management system for Internet connection of applications. The system includes at least a processor with circuitry operating in conjunction with at least a memory which stores instruction codes operable as plurality of modules, wherein the plurality of modules may include: an intercept module which intercepts within a kernel space, an application executing a socket system call; a determination module which determines control information corresponding to the intercepted application based on: a mapping relationship between control information and corresponding identification information of the plurality of applications, wherein the plurality of applications operate within a user space, and identification information of the intercepted application; and a management module which allows or denies the intercepted application executing the socket system call according to the control information corresponding to the intercepted application.
[0008] Another embodiment of the disclosure discloses a non-transitory computer-readable storage medium, wherein the computer readable storage medium stores a program which includes codes or instructions to cause a processor circuitry to execute operations for managing network connections of a plurality of applications. The operations may include: intercepting within a kernel space, an application executing a socket system call; determining control information corresponding to the intercepted application based on: a mapping relationship between control information and corresponding identification information of the plurality of applications, wherein the plurality of applications operate within a user space, identification information of the intercepted application; and allowing or denying the intercepted application executing the socket system call according to the control information corresponding to the intercepted application.
[0009] The management method, system, and computer-readable storage medium for Internet connection of applications intercept, in the kernel space, an application that executes a socket system call when connecting to the Internet, and allow or deny the call based on the determined control information corresponding to the intercepted application. Thus, unnecessary applications may be prevented from accessing the Internet, thus lowering the cost of network traffic. In addition, traffic of the plurality of applications running in the terminal may be measured and statistically monitored in the user space so that a traffic threshold may be set for the plurality of applications. Thus, when the traffic consumption of one or more applications exceeds the traffic threshold setting, the application in the kernel space may be denied executing a socket system call. Accordingly, the traffic consumption of applications may be brought under control to conserve network resources and to save access traffic cost, in addition to preventing unnecessary applications being connected to the Internet which may increase security risk.
BRIEF DESCRIPTION OF THE DRAWINGS
[0010] Figure 1 may be a flowchart illustrating an exemplary management method for Internet connection of applications, according to an embodiment of the disclosure.
[0011] Figure 2 depicts an exemplary structural diagram for a management system for Internet connection of applications, according to an embodiment of the disclosure.
[0012] Figure 3 depicts an exemplary schematic diagram for a management method for Internet connection of applications, according to an embodiment of the disclosure.
DETAILED DESCRIPTION OF THE EMBODIMENTS
[0013] The various embodiments of the present disclosure are further described in detail in combination with attached drawings and embodiments below. It should be understood that the specific embodiments described here are used only to explain the present disclosure, and are not used to limit the present disclosure. In addition, for the sake of keeping description brief and concise, the newly added features, or features that are different from those previously described in each new embodiment will be described in detail. Similar features may be referenced back to the prior descriptions in a prior numbered drawing or referenced ahead to a higher numbered drawing.
[0014] In order to clarify the object, technical scheme and advantages of the present disclosure more specifically, the present disclosure may be illustrated in further details with the accompanied drawings and embodiments. It should be understood that the embodiments described herein are merely examples to illustrate the present disclosure, but not to limit the present disclosure.
[0015] Figure 1 may be a flowchart illustrating an exemplary management method for Internet connection of applications, according to an embodiment of the disclosure. The method may include at least the following exemplary operations:
[0016] Step 101: intercepting within a kernel space, an application executing a socket system call. More specifically, Internet access by a plurality of applications installed on a terminal (such as a Linux-based terminal) may be controlled. The kernel space may be referred to as a protected virtual address space in a Linux system. Core applications of a Linux system may run in the kernel space independent of common applications. In contrast to the kernel space, common application programs may be run in the user space instead. Common application programs which run in the user space may not directly access the protected kernel space. It should be noted that the Linux-based systems in the disclosed embodiment may be for illustrative purpose only, and therefore the method may not be limited to Linux and may apply to other operating systems in actual implementations.
[0017] In addition, the intercepting, within the kernel space, of the application executing the socket system call may include: utilizing a preset function within the kernel space, and updating an ingress address (entry address) of the socket system call, which may be executed by the intercepted application, to an ingress address of the preset function.
[0018] For example, when attempting Internet access, an application may execute a socket system call, and the ingress address of the socket system call may be stored in the Linux system call table. Therefore, the ingress address of the socket system call may be updated to an ingress address of the preset function. Subsequent executions by the application (i.e., the intercepted application) which attempts Internet access may go to the preset function. Socket system call execution may thus be managed utilizing the preset function when the application attempts Internet access.
[0019] Step 102: determining control information corresponding to the intercepted application based on: a mapping relationship between control information and corresponding identification information of the plurality of applications, wherein the plurality of applications operate within a user space, and identification information of the intercepted application.
[0020] Furthermore, prior to the determining of the control information corresponding to the intercepted application, the following operations may further be performed: writing to a character device created in the kernel space, the mapping relationship between the control information and the corresponding identification information of the plurality of applications through utilizing a preset write callback function in the user space; and reading from the created character device in the kernel space, the mapping relationship between the control information and the corresponding identification information of the plurality of applications.
[0021] Step 103: allowing or denying the intercepted application executing the socket system call according to the control information corresponding to the intercepted application, wherein the allowing of the intercepted application executing the socket system call, may include returning the ingress address of the socket system call prior to the update to the intercepted application.
[0022] The ingress address of the socket system call prior to the update may be the original ingress address of the socket system call in the Linux system call table. Upon obtaining the address of the socket system call, the intercepted application may execute the socket call to establish a socket connection and perform Internet communication.
[0023] In addition, prior to the allowing or denying of the intercepted application executing the socket system call according to the control information corresponding to the intercepted application, the operation may further include: judging whether the socket system call uses one of: Internet Protocol version 4 (IPv4) or Internet Protocol version 6 (IPv6); if yes, allowing or denying the intercepted application executing the socket system call according to the control information corresponding to the intercepted application; otherwise, allowing the intercepted application to execute the socket system call.
[0024] Socket system call may be used in various scenarios. Therefore, whether or not an application may execute the socket system call to get connected to the Internet needs to be judged or determined. For example, if a domain value in the attribute information about the socket system call initiated by the application is INET (for IPv4) or INET6 (for IPv6), it may indicate that the application may be establishing a socket connection for Internet access, so the socket system call needs to be allowed or denied based on the control information corresponding to the application; otherwise, it may indicate that the application may be executing a socket system call to perform services other than an Internet access and therefore may need to be allowed to execute the socket system call in order to keep the other services of the application unaffected.
[0025] In an embodiment, the control information may be: allowing the network connection, denying the network connection, a duration for allowing network connection, or a time period for allowing network connection. Accordingly, the allowing or denying of the intercepted application to execute the socket system call in response to the control information corresponding to the intercepted application, may further include: if the control information is allowing the network connection, allowing the intercepted application to execute the socket system call; if the control information is denying the network connection, denying the intercepted application to execute the socket system call.
[0026] If the intercepted application satisfies the duration for allowing network connection or the time period for allowing network connection (i.e., in allowing the network connection over the duration or allowing network connection over the time period), then allowing the intercepted application to execute the socket system call; otherwise, denying the intercepted application to execute the socket system call.
[0027] Wherein, when the control information may be allowed connection duration and/or allowed connection within a time period, the time for identifying the Internet connection operations of an application may be restricted. Therefore, when the intercepted application does not meet the duration for allowing network connection or the time period for allowing network connection, whether the control information corresponding to the intercepted application needs to be updated may be confirmed to make the management of application Internet connection more interactive.
[0028] If updating may be needed, the corresponding processing may be performed after the updated control information may be obtained. Accordingly, the following operation may be further performed: obtaining in the user space, the control information of the intercepted application which does not satisfy the duration for allowing network connection or the time period for allowing network connection, and obtaining in the kernel space, updated control information corresponding to the intercepted application in the user space, and based on the updated control information, allowing or denying the intercepted application to execute the socket system call.
[0029] Wherein, the obtaining in the user space of the control information of the intercepted application which is not satisfied in step 102, and the obtaining in the kernel space of the updated control information in step 103 corresponding to the intercepted application in the user space, may include the following operations: writing to the character device the control information that the intercepted application does not satisfy; reading and displaying the control information from the character device utilizing the preset read callback function in the user space, obtaining updated control information corresponding to the intercepted application, and writing to the character device the updated control information corresponding to the intercepted application utilizing the preset write callback function; and in the kernel space, reading from the character device the updated control information corresponding to the intercepted application.
[0030] For example, when the control information may allow network connection for a duration and allow network connection within a time period in step 102, if the history connection duration of the intercepted application in step 101 does not exceed the allowed connection duration corresponding to the application and the time when the intercepted application executes the socket system call may be within the allowed connection time period for the application, the application may be allowed to execute the socket system call.
[0031] If the history connection duration of the intercepted application in step 101 exceeds the allowed connection duration corresponding to the application or the time when the intercepted application executes the socket system call may not be within the allowed connection time period for the application, the intercepted application may be denied to execute a socket system call. Alternatively, in the user space, the information about the conditions in the control information that the intercepted application does not meet may be obtained, in the kernel space, the updated control information corresponding to the intercepted application in the user space may be obtained, and the intercepted application may be allowed or denied to execute a socket system call based on the updated control information.
[0032] If the updated control information allows network connection, the intercepted application may be allowed to execute the socket system call. If the updated control information denies network connection, the intercepted application may be denied to execute the socket system call.
[0033] In the case the updated control information may be allowed a network connection for a duration and/or allowed network connection within a time period, and if the intercepted application meets the conditions specified in the control information, the intercepted application may be allowed to execute the socket system call; otherwise, the intercepted application may be denied to execute the socket system call.
[0034] Wherein, the method may further include the operations of: obtaining in the user space, traffic flow threshold information of the intercepted application, measuring traffic flow statistics of the application, and when the traffic flow statistics of the intercepted application exceeds the corresponding traffic threshold, writing to the kernel space an instruction of denying the intercepted application to execute a socket system call; correspondingly, reading the instruction in the kernel space and denying the intercepted application to execute the socket system call according to the instruction.
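The decision procedure of paragraphs [0023] to [0034], together with the default for an application that has no control information, modeled as a user-space C function. This is an added example, not code from the patent; the struct layout, field names, minutes-since-midnight time encoding and the precedence given to the traffic-deny instruction are assumptions.

```c
/* Added example: user-space model of the allow/deny decision in [0023]-[0034].
 * Struct layout, field names and time encoding are assumptions, not the patent's. */
#include <stdio.h>
#include <stddef.h>
#include <sys/socket.h>            /* AF_INET, AF_INET6, AF_UNIX */

enum ctl_kind { CTL_ALLOW, CTL_DENY, CTL_LIMITED };
enum verdict  { V_ALLOW, V_DENY };

struct ctl_entry {
    int  uid;            /* identification information of the application */
    enum ctl_kind kind;  /* allow, deny, or duration / time-period limited */
    long max_secs;       /* allowed connection duration; -1 = not set */
    long used_secs;      /* history connection duration so far */
    int  win_start;      /* allowed period start, minutes since midnight; -1 = not set */
    int  win_end;        /* allowed period end (exclusive) */
    int  traffic_deny;   /* 1 once user space reports traffic above the threshold */
};

/* Constructed sample mapping of UID -> control information. */
static const struct ctl_entry SAMPLE[] = {
    { 10001, CTL_ALLOW,     -1,    0,   -1,    0, 0 },
    { 10002, CTL_DENY,      -1,    0,   -1,    0, 0 },
    { 10003, CTL_LIMITED, 3600, 1200,  480, 1200, 0 },  /* 1 h budget, 08:00-20:00 */
    { 10004, CTL_LIMITED, 3600, 4000,   -1,    0, 0 },  /* budget already exceeded */
    { 10005, CTL_LIMITED,   -1,    0, 1320,  360, 0 },  /* 22:00-06:00, wraps midnight */
    { 10006, CTL_ALLOW,     -1,    0,   -1,    0, 1 },  /* allowed, but over traffic cap */
};
#define SAMPLE_N (sizeof SAMPLE / sizeof SAMPLE[0])

/* True when now_min lies inside [start, end), including windows that wrap midnight. */
static int in_window(int start, int end, int now_min)
{
    if (start <= end)
        return now_min >= start && now_min < end;
    return now_min >= start || now_min < end;
}

/* Look up the control information by UID; NULL when none is stored. */
static const struct ctl_entry *lookup(const struct ctl_entry *tab, size_t n, int uid)
{
    for (size_t i = 0; i < n; i++)
        if (tab[i].uid == uid)
            return &tab[i];
    return NULL;
}

enum verdict decide(const struct ctl_entry *tab, size_t n,
                    int uid, int domain, int now_min)
{
    /* [0023]-[0024]: only IPv4/IPv6 sockets count as Internet access;
     * every other socket family passes so local services keep working. */
    if (domain != AF_INET && domain != AF_INET6)
        return V_ALLOW;

    /* No control information stored for this UID: the call is allowed. */
    const struct ctl_entry *e = lookup(tab, n, uid);
    if (e == NULL)
        return V_ALLOW;

    /* [0034]: a deny instruction written after the traffic threshold was
     * exceeded overrides the stored policy (precedence assumed here). */
    if (e->traffic_deny)
        return V_DENY;

    switch (e->kind) {
    case CTL_ALLOW:
        return V_ALLOW;
    case CTL_DENY:
        return V_DENY;
    case CTL_LIMITED:
        /* [0030]-[0031]: both the duration budget and the time period must hold. */
        if (e->max_secs >= 0 && e->used_secs > e->max_secs)
            return V_DENY;
        if (e->win_start >= 0 && !in_window(e->win_start, e->win_end, now_min))
            return V_DENY;
        return V_ALLOW;
    }
    return V_DENY;  /* unknown kind: fail closed (choice made for this example) */
}

int main(void)
{
    static const char *name[] = { "allow", "deny" };
    printf("uid 10003 at 10:00 AF_INET -> %s\n",
           name[decide(SAMPLE, SAMPLE_N, 10003, AF_INET, 600)]);
    printf("uid 10003 at 21:40 AF_INET -> %s\n",
           name[decide(SAMPLE, SAMPLE_N, 10003, AF_INET, 1300)]);
    printf("uid 10002 AF_UNIX          -> %s\n",
           name[decide(SAMPLE, SAMPLE_N, 10002, AF_UNIX, 600)]);
    return 0;
}
```

The model makes two properties of the scheme visible: an application with no entry in the mapping is allowed by default, and a denied application can still create non-IP sockets.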
[0035] Figure 2 depicts an exemplary structural diagram for a management system (20) for Internet connection of applications, according to an embodiment of the disclosure. The management system (20) may include at least a processor with circuitry (27) operating in conjunction with hardware and at least a memory (26) which stores instruction codes operable as plurality of modules, wherein the plurality of modules may include an intercept module (21), a determination module (22), a management module (23), an acquisition module (24) and a measurement module (25):
[0036] The intercept module (21) intercepts within a kernel space, an application executing a socket system call. The determination module (22) determines control information corresponding to the intercepted application based on: a mapping relationship between control information and corresponding identification information of the plurality of applications, wherein the plurality of applications operate within a user space, and identification information of the intercepted application. The management module (23) allows or denies the intercepted application executing the socket system call according to the control information corresponding to the intercepted application.
[0037] Wherein, the intercept module (21) may further utilize a preset function within the kernel space to update the ingress address of the socket system call executed by the application to an ingress address of the preset function.
[0038] The management module (23) may be further used to return the ingress address of the socket system call prior to update to the intercepted application, wherein, the determination module (22) may read from a character device created in the kernel space, the mapping relationship between the control information and the corresponding identification information of the plurality of applications, wherein the mapping relationship between the control information and the corresponding identification information of the plurality of applications is written by the determination module (22) to the character device utilizing a preset write callback function in the user space.
[0039] Wherein, prior to the allowing or denying of the intercepted application executing the socket system calls according to the control information corresponding to the intercepted application: the management module (23) may be further used to judge whether the socket system call uses IPv4 or IPv6. If yes, the management module allows or denies the intercepted application to execute the socket system call based on the control information corresponding to the intercepted application; otherwise, the management module allows the intercepted application to execute the socket system call.
[0040] Wherein, the control information may be: allowing the network connection, denying the network connection, a duration for allowing network connection, or a time period for allowing network connection, wherein the management module is utilized to: allow the intercepted application to execute the socket system call if the control information is allowing the network connection; deny the intercepted application to execute the socket system call if the control information is denying the network connection; and if the control information is the duration for allowing network connection or the time period for allowing network connection, and the intercepted application satisfies the duration for allowing network connection or the time period for allowing network connection, then allowing the intercepted application to execute the socket system call; otherwise, denying the intercepted application to execute the socket system call.
[0041] Wherein, the management module (23) may be further used to, if the control information being the duration for allowing network connection or the time period for allowing network connection, and the intercepted application does not satisfy the duration for allowing network connection or the time period for allowing network connection, the management module is utilized to: obtain in the user space, the control information of the intercepted application which does not satisfy the duration for allowing network connection or the time period for allowing network connection, and obtain in the kernel space, updated control information corresponding to the intercepted application in the user space, and based on the updated control information, allowing or denying the intercepted application to execute the socket system call.
[0042] The management module (23) writes to the character device the control information that the intercepted application does not satisfy.
[0043] The system further includes an acquisition module (24), which reads and displays the control information from the character device utilizing the preset read callback function in the user space, obtains updated control information corresponding to the intercepted application, and writes to the character device the updated control information corresponding to the intercepted application utilizing the preset write callback function; and the management module further reads from the character device in the kernel space, the updated control information corresponding to the intercepted application.
[0044] Wherein, the system further includes a measurement module (25), which obtains in the user space, traffic flow threshold information of the intercepted application, measuring traffic flow statistics of the application, and when the traffic flow statistics of the intercepted application exceeds the corresponding traffic threshold, writes to the kernel space an instruction of denying the intercepted application to execute a socket system call; and the management module (23) further reads the instruction in the kernel space and denies the intercepted application to execute the socket system call according to the instruction.
[0045] The present embodiment further provides a non-transitory computer-readable storage medium, wherein the computer readable storage medium stores a program which comprises codes or instructions to cause a processor circuitry to execute operations for managing network connections of a plurality of applications, the operations include: intercepting within a kernel space, an application executing a socket system call; determining control information corresponding to the intercepted application based on: a mapping relationship between control information and corresponding identification information of the plurality of applications, wherein the plurality of applications operate within a user space, identification information of the intercepted application; and allowing or denying the intercepted application executing the socket system call according to the control information corresponding to the intercepted application.
[0046] Wherein, the storage medium further comprises an instruction that instructs at least one processor to execute the following operations, the operations may include: prior to the determining of the control information corresponding to the intercepted application, writing to a character device created in the kernel space, the mapping relationship between the control information and the corresponding identification information of the plurality of applications through utilizing a preset write callback function in the user space; and reading from the created character device in the kernel space, the mapping relationship between the control information and the corresponding identification information of the plurality of applications.
[0047] Wherein, the storage medium further comprises an instruction that instructs at least one processor to execute the following operations, the operations may include: prior to the allowing or denying of the intercepted application executing the socket system call according to the control information corresponding to the intercepted application, the operations further include: judging whether the socket system call uses one of: Internet Protocol version 4 (IPv4) or Internet Protocol version 6 (IPv6); if yes, allowing or denying the intercepted application executing the socket system call according to the control information corresponding to the intercepted application; otherwise, allowing the intercepted application to execute the socket system call.
[0048] Wherein, the control information may be: allowing the network connection, denying the network connection, a duration for allowing network connection, or a time period for allowing network connection; wherein the allowing or denying of the intercepted application to execute the socket system call in response to the control information corresponding to the intercepted application, further includes: if the control information is allowing the network connection, allowing the intercepted application to execute the socket system call; if the control information is denying the network connection, denying the intercepted application to execute the socket system call; if the intercepted application satisfies the duration for allowing network connection or the time period for allowing network connection (i.e., in allowing the network connection over the duration or allowing network connection over the time period), then allowing the intercepted application to execute the socket system call; otherwise, denying the intercepted application to execute the socket system call.
[0049] Wherein, obtaining in the user space, the control information of the intercepted application which does not satisfy the duration for allowing network connection or the time period for allowing network connection, and the obtaining in the kernel space of the updated control information corresponding to the intercepted application in the user space, may include: writing to the character device the control information that the intercepted application does not satisfy; reading and displaying the control information from the character device utilizing the preset read callback function in the user space, obtaining updated control information corresponding to the intercepted application, and writing to the character device the updated control information corresponding to the intercepted application utilizing the preset write callback function; and in the kernel space, reading from the character device the updated control information corresponding to the intercepted application.
[0050] Wherein, the storage medium further comprises an instruction that instructs at least one processor to execute the following operations, the operations may include: obtaining in the user space, traffic flow threshold information of the intercepted application, measuring traffic flow statistics of the application, and when the traffic flow statistics of the intercepted application exceeds the corresponding traffic threshold, writing to the kernel space an instruction of denying the intercepted application to execute a socket system call; correspondingly, reading the instruction in the kernel space and denying the intercepted application to execute the socket system call according to the instruction.
[0051] Figure 3 depicts an exemplary schematic diagram for a management method for Internet connection of applications, according to an embodiment of the disclosure. As shown in the embodiment of Figure 3, a firewall (34) may be set in the Linux system. When an application (36) executes a socket system call, the firewall (34) may intercept the application (36) which executes the socket system call by changing origin_sys_socket, which may be the ingress address of the socket system call in the Linux system call table, to the preset modify_sys_socket, and using socket_func to store the original ingress address origin_sys_socket. Relevant exemplary code implementation may be as follows:
    socket_func = (origin_sys_socket) table[__NR_socket];
    table[__NR_socket] = (unsigned long) modify_sys_socket;
[0052] In an embodiment, a Unique Identifier (UID) may be used as the identification information of an application. The UID may be a unique identifier assigned to each application running on a Linux-based mobile terminal. The UID of an application may be used as the index to search the UID of a locally stored application and the control information corresponding to the UID. If the control information corresponding to the application may be found, the control information may be used to manage the execution of socket system call by the application; otherwise, the application may be allowed to execute socket system call and the original ingress address socket_func of the socket system call may be returned to the application. Relevant exemplary code implementation may be as follows:
    uid = (int) getuid_func();
    if (!firewall_find_rule(uid, &r_verdict, &r_seconds, &r_timestamp)) {
        printk(KERN_INFO "--socket- no rule for %d\n", uid);
        goto ok;
    }
[0053] Wherein, the processing of goto ok may be returning the attribute information (family, type, and protocol) about the socket system call and the original ingress address socket_func to the application. Relevant exemplary code may be as follows:
    ok:
        return socket_func(family, type, protocol);
    table[__NR_socket] = (unsigned long) socket_func;
    socket_func = NULL;
[0054] Note that, if no control information corresponding to the application may be found, the application may also be denied to execute the socket system call.
[0055] In the present embodiment, a firewall (34) may be used to obtain the control information corresponding to an application from the application Mobile Phone Manager in the user space (31) and create a character device (38) named talk in the kernel space (32). Relevant exemplary code may be as follows:
    #define dev_name "talk"     // Device name.
    static dev_t dev_no;        // Device No.
    struct class* dev_class;    // Device class.
    struct device* dev;         // Device node in the dev directory.
[0056] By using the preset write callback function, the application Mobile Phone Manager writes the control information corresponding to the application into the character device. The firewall (34) may obtain the control information from the character device (38) and, based on the control information, controls execution of socket system call by the application (36):
[0057] 1) If the control information corresponding to the application may be allowing connection, the application may be allowed to execute the socket system call; if the control information corresponding to the application may be denying connection, the application may be denied to execute the socket system call. Relevant exemplary code may be as follows:
    verdict = GET_VERDICT(r_verdict, network_type. counter);
    if (verdict == VERDICT_ACCEPT) {
        printk(KERN_INFO "--socket- VERDICT_ACCEPT for %d\n", uid);
        goto ok;
    } else if (verdict == VERDICT_DROP) {
        printk(KERN_INFO "--socket- VERDICT_DROP for %d\n", uid);
        return -EACCES;
    }
[0058] Wherein, the processing of goto ok when the control information corresponding to the application is allowing connection may be the same as that mentioned above. When the control information corresponding to the application is denying connection, the error code EACCES may be returned to the application, identifying the application as having no authority to execute the socket system call.
[0059] 2) When the control information is a duration for allowing network connection, or a time period for allowing network connection, and the history connection duration of the application does not exceed the allowed connection duration and the current time when the application executes the socket call is within the allowed connection time period, then the original ingress address of the socket system call may be returned to the application. Relevant exemplary code may be as follows:
    if (time_before(jiffies, r_timestamp + r_seconds*HZ)) {
        printk(KERN_INFO "-socket- VERDICT_TIP timein for %d\n", uid);
        goto ok;
    }
[0060] Wherein, relevant code of the read callback function may be as follows:
    static ssize_t device_read(struct file *filp, char __user *buffer, size_t len, loff_t *offset) {
        // Judge whether any daemon may be waiting for a request.
        if (talk_is_waiting_request()) {
            printk(KERN_WARNING "daemon exist\n");
            return READ_DEAMON_EXIST;
        }
        // Read the data in the buffer.
        return pull_from_circle(buffer, len, true);
    }
[0061] Relevant exemplary code of the write callback function may be as follows:
    static ssize_t device_write(struct file *filp, const char __user *buff, size_t len, loff_t *off) {
        char* data;
        int ret;
        // Allocate memory.
        data = (char*) kmalloc(len+1, GFP_KERNEL);
        if (!data) {
            printk(KERN_WARNING "kmalloc failed\n");
            return MEMORY_ERROR;
        }
        // Copy data to the kernel space.
        if (copy_from_user(data, buff, len)) {
            printk(KERN_ERR "copy from user failed\n");
            kfree(data);
            return OTHER_ERROR;
        }
        data[len] = 0;
        // Analyze data.
        ret = talk_semantic_analysis(data, len+1);
        if (ret < 0) {
            kfree(data);
            return ret;
        }
        kfree(data);
        return len;
    }
[0062] 3) If the application fails to meet both of the above-mentioned duration for allowing network connection and time period for allowing network connection, the control information which the application fails to meet may be written to the character device talk. The Mobile Phone Manager (33) in the user space (31) reads the control information from the character device using the preset read callback function and presents the control information. By using the preset write callback function, the Mobile Phone Manager (33) writes to the character device the obtained updated control information corresponding to the application.
[0063] Based on the control information obtained from the character device (38), the firewall (34) controls the execution of socket system call by the application. The control information may comprise the judgment information about whether to allow or deny the application to get connected to the Internet. The control information may also include the connection duration and/or connection time period corresponding to the application.
[0064] For example, assume that the control information may be the judgment information. When the control information may be allowing connection, the intercepted application may be allowed to execute socket system call. When the control information may be denying connection, the intercepted application may be denied to execute socket system call. Relevant exemplary code may be as follows:
    if (time_before(jiffies, r_timestamp + r_seconds*HZ)) {
        printk(KERN_INFO "--socket- VERDICT_TIP timein for %d\n", uid);
        goto ok;
    } else {
        printk(KERN_INFO "--socket- VERDICT_TIP timeout for %d\n", uid);
        sprintf(buff, "%d%d %d %d ", TYPE_FIREWALL, DETAIL_FIREWALL_REQUEST, uid, (int) getpid_func());
        push_to_circle(buff, strlen(buff));
        return -EACCES;
    }
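The decision path of paragraphs [0052] to [0064], together with the IPv4/IPv6 check recited in the claims, can be modelled in user space. This is an added example, not code from the patent: every name (fw_decide, fw_rule, tick_before, MODEL_HZ), the 32-bit tick counter and the rule table are assumptions made for illustration. It also shows why the expiry test uses a wrap-safe comparison rather than a plain `<`.

```c
#include <errno.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/socket.h>

#define MODEL_HZ 100u   /* assumed tick rate; the kernel's HZ is build-dependent */

/* Hypothetical names: a user-space model, not the patent's kernel code. */
enum fw_verdict { FW_ACCEPT, FW_DROP, FW_TIMED };

struct fw_rule {
    int uid;                 /* application identity, as in [0052] */
    enum fw_verdict verdict;
    uint32_t granted_at;     /* tick count when a timed grant started */
    uint32_t seconds;        /* length of the timed grant */
};

/* Constructed sample rules. UID 10003 was granted 60 s just before the
 * 32-bit tick counter wraps, so its deadline lies past the wrap. */
static const struct fw_rule rules[] = {
    { 10001, FW_ACCEPT, 0, 0 },
    { 10002, FW_DROP,   0, 0 },
    { 10003, FW_TIMED,  0xFFFFFF00u, 60 },
};

/* Wrap-safe "a is earlier than b": compare the signed difference. */
int tick_before(uint32_t a, uint32_t b) { return (int32_t)(a - b) < 0; }

/* Plain comparison, kept only to show where it goes wrong. */
int naive_before(uint32_t a, uint32_t b) { return a < b; }

static const struct fw_rule *find_rule(int uid)
{
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if (rules[i].uid == uid)
            return &rules[i];
    return NULL;
}

/* Returns 0 when the call would be passed to the original socket handler,
 * -EACCES when it would be refused. *ask_user is set when an expired timed
 * grant would be reported to the user-space manager for a new decision. */
int fw_decide(int uid, int family, uint32_t now, int default_deny, int *ask_user)
{
    const struct fw_rule *r;

    *ask_user = 0;
    if (family != AF_INET && family != AF_INET6)
        return 0;                           /* only IPv4/IPv6 sockets are policed */

    r = find_rule(uid);
    if (!r)
        return default_deny ? -EACCES : 0;  /* [0052] allows, [0054] denies */

    switch (r->verdict) {
    case FW_ACCEPT:
        return 0;
    case FW_DROP:
        return -EACCES;
    case FW_TIMED:
        if (tick_before(now, r->granted_at + r->seconds * MODEL_HZ))
            return 0;
        *ask_user = 1;
        return -EACCES;
    }
    return -EACCES;                         /* unknown verdict: fail closed */
}

int main(void)
{
    int ask, rc;
    uint32_t deadline = 0xFFFFFF00u + 60 * MODEL_HZ;   /* wraps to 5744 */

    printf("before wrap: safe=%d naive=%d\n",
           tick_before(0xFFFFFFF0u, deadline), naive_before(0xFFFFFFF0u, deadline));
    rc = fw_decide(10003, AF_INET, 100, 0, &ask);
    printf("uid 10003 at tick 100:  %d\n", rc);
    rc = fw_decide(10003, AF_INET, 6000, 0, &ask);
    printf("uid 10003 at tick 6000: %d (ask_user=%d)\n", rc, ask);
    return 0;
}
```

The default_deny flag selects between the two behaviours the description gives for an application with no stored rule.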
[0065] The Mobile Phone Manager (33) running in the user space (31) may also obtain the traffic threshold that the user sets for one or more applications and measure the traffic consumption of the application (36). When the traffic consumption of the application exceeds the corresponding traffic threshold, the Mobile Phone Manager (33), by using the preset write callback function, writes to the character device (38) talk the instruction of denying the application to execute socket system call. According to the instruction, the firewall in the kernel space returns the error code EACCES to the application, identifying the application as having no authority of executing socket system call and thus making the application (36) stop the Internet connection operations.
[0066] Accordingly, the Mobile Phone Manager (33) running in the user space (31) may also obtain the global traffic threshold that the user sets for two or more applications and measure the global traffic consumption of the plurality of applications. When the global traffic consumption of the plurality of applications exceeds the corresponding global traffic threshold, the Mobile Phone Manager (33), by using the preset write callback function, writes to the character device talk the instruction of denying the plurality of applications to execute socket system call. According to the instruction, the firewall (34) in the kernel space (32) may return the error code EACCES to the plurality of applications, identifying the plurality of applications as having no authority of executing socket system call and thus making the plurality of applications stop Internet connection operations.
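The per-application and global threshold checks of paragraphs [0065] and [0066] can be sketched as the accounting a user-space manager would run before writing deny instructions to the character device. This is an added example, not the patent's code; the structure, the function names and the byte counts are assumptions, and the format of the deny instruction itself is not modelled because the text does not give it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical names: a user-space model of the manager's accounting. */
struct app_usage {
    int uid;
    uint64_t used;    /* bytes counted so far */
    uint64_t limit;   /* per-application threshold, 0 = none set */
    int denied;       /* a deny instruction was already issued */
};

/* Saturating add so a huge counter cannot wrap back under a threshold. */
static uint64_t sat_add(uint64_t a, uint64_t b)
{
    return (a > UINT64_MAX - b) ? UINT64_MAX : a + b;
}

/* Accounts `bytes` to `uid`, then re-checks the per-application threshold and
 * the global threshold (0 = none). UIDs that newly need a deny instruction
 * are stored in out[]; the return value is how many were stored. An
 * application that does not fit in out[] stays unmarked and is reported on
 * the next call. */
size_t account_traffic(struct app_usage *apps, size_t n, uint64_t global_limit,
                       int uid, uint64_t bytes, int *out, size_t out_cap)
{
    size_t count = 0;
    uint64_t total = 0;

    for (size_t i = 0; i < n; i++) {
        if (apps[i].uid == uid)
            apps[i].used = sat_add(apps[i].used, bytes);
        total = sat_add(total, apps[i].used);
    }
    for (size_t i = 0; i < n; i++) {
        /* "exceeds" is read as strictly greater than the threshold */
        int over_app = apps[i].limit && apps[i].used > apps[i].limit;
        int over_all = global_limit && total > global_limit;

        if ((over_app || over_all) && !apps[i].denied && count < out_cap) {
            apps[i].denied = 1;
            out[count++] = apps[i].uid;
        }
    }
    return count;
}

int main(void)
{
    /* Constructed sample: one app with its own limit, two without. */
    struct app_usage apps[] = {
        { 10001, 0, 1000, 0 }, { 10002, 0, 0, 0 }, { 10003, 0, 0, 0 },
    };
    int out[3];
    size_t k;

    k = account_traffic(apps, 3, 5000, 10001, 1001, out, 3);
    printf("per-app limit: %zu uid(s) to deny, first=%d\n", k, k ? out[0] : -1);
    k = account_traffic(apps, 3, 5000, 10002, 4000, out, 3);
    printf("global limit:  %zu uid(s) to deny\n", k);
    return 0;
}
```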
[0067] With the present disclosure, based on the control information from the user space (31), whether an application (36) may be allowed to execute socket system call for Internet connection, the duration for allowing network connection and the time period for allowing network connection are managed in the kernel space by using the control information; in the user space, Internet traffic consumption may be measured and the traffic threshold set for the application may be obtained through the application in the user space to deny any application with traffic consumption exceeding the threshold to get connected to the Internet; Internet connection of applications may be managed by using a variety of methods.
[0068] It should be understood by those with ordinary skill in the art that all or some of steps of the foregoing embodiments may be implemented by hardware, or software program codes stored on a non-transitory computer-readable storage medium with computer-executable commands stored within. For example, the disclosure may be implemented as an algorithm as codes stored in a program module or a system with multi-program-modules. The computer-readable storage medium may be, for example, nonvolatile memory such as compact disc, hard drive, ROM or flash memory.
[0069] The foregoing represents only some preferred embodiments of the present disclosure and their disclosure may not be construed to limit the present disclosure in any way. Those of ordinary skill in the art may recognize that equivalent embodiments may be created via slight alterations and modifications using the technical content disclosed above without departing from the scope of the technical solution of the present disclosure, and such simple alterations, equivalent changes and modifications of the foregoing embodiments are to be viewed as being within the scope of the technical solution of the present disclosure.

Claims

What may be claimed is:
1. A method for managing network connections of a plurality of applications, comprising:
intercepting within a kernel space, an application executing a socket system call; determining control information corresponding to the intercepted application based on:
a mapping relationship between control information and corresponding identification information of the plurality of applications, wherein the plurality of applications operate within a user space, and
identification information of the intercepted application; and
allowing or denying the intercepted application executing the socket system call according to the control information corresponding to the intercepted application.
2. The method according to claim 1, wherein the intercepting within the kernel space, the application executing the socket system call, comprising:
utilizing a preset function within the kernel space, updating an ingress address of the socket system call which may be executed by the intercepted application, to an ingress address of the preset function;
wherein the allowing of the intercepted application executing the socket system call, comprising:
returning the ingress address of the socket system call prior to the update to the intercepted application.
3. The method according to claim 1, wherein, prior to the determining of the control information corresponding to the intercepted application, the method further comprising: writing to a character device created in the kernel space, the mapping relationship between the control information and the corresponding identification information of the plurality of applications utilizing a preset write callback function in the user space; and reading from the created character device in the kernel space, the mapping relationship between the control information and the corresponding identification information of the plurality of applications.
4. The method according to claim 1, wherein, prior to the allowing or denying of the intercepted application executing the socket system call according to the control information corresponding to the intercepted application, the method further comprising: judging whether the socket system call uses one of: Internet Protocol version 4 (IPv4) or Internet Protocol version 6 (IPv6); if yes, allowing or denying the intercepted application executing the socket system call according to the control information corresponding to the intercepted application; otherwise, allowing the intercepted application to execute the socket system call.
5. The method according to claim 1, wherein the control information may be: allowing the network connection, denying the network connection, a duration for allowing network connection, or a time period for allowing network connection,
wherein the allowing or denying of the intercepted application to execute the socket system call in response to the control information corresponding to the intercepted application, further comprising:
if the control information is allowing the network connection, allowing the intercepted application to execute the socket system call;
if the control information is denying the network connection, denying the intercepted application to execute the socket system call; and
if the control information is the duration for allowing network connection or the time period for allowing network connection, and the intercepted application satisfies the duration for allowing network connection or the time period for allowing network connection, then allowing the intercepted application to execute the socket system call; otherwise, denying the intercepted application to execute the socket system call.
6. The method according to claim 5, wherein, if the control information being the duration for allowing network connection or the time period for allowing network connection, but the intercepted application does not satisfy the duration for allowing network connection or the time period for allowing network connection, the method further comprising:
obtaining in the user space, the control information of the intercepted application which does not satisfy the duration for allowing network connection or the time period for allowing network connection, and
obtaining in the kernel space, updated control information corresponding to the intercepted application in the user space, and based on the updated control information, allowing or denying the intercepted application to execute the socket system call.
7. The method according to claim 6, wherein, the obtaining in the user space, the control information of the intercepted application which does not satisfy the duration for allowing network connection or the time period for allowing network connection, and obtaining in the kernel space, updated control information corresponding to the intercepted application in the user space, comprising:
writing to the character device the control information with which the intercepted application does not satisfy;
reading and displaying the control information from the character device utilizing the preset read callback function in the user space, obtaining updated control information corresponding to the intercepted application, and writing to the character device the updated control information corresponding to the intercepted application utilizing the preset write callback function; and
in the kernel space, reading from the character device the updated control information corresponding to the intercepted application.
8. The method according to any of claims 1 to 7, wherein, the method further comprising:
obtaining in the user space, traffic flow threshold information of the intercepted application, measuring traffic flow statistics of the application, and when the traffic flow statistics of the intercepted application exceeds the corresponding traffic threshold, writing to the kernel space an instruction of denying the intercepted application to execute a socket system call; and
correspondingly, reading the instruction in the kernel space and denying the intercepted application to execute the socket system call according to the instruction.
9. A management system for Internet connection of applications, wherein the system comprises at least a processor with circuitry operating in conjunction with at least a memory which stores instruction codes operable as plurality of modules, wherein the plurality of modules comprise:
an intercept module which intercepts within a kernel space, an application executing a socket system call;
a determination module which determines control information corresponding to the intercepted application based on:
a mapping relationship between control information and corresponding identification information of the plurality of applications, wherein the plurality of applications operate within a user space, and identification information of the intercepted application; and
a management module which allows or denies the intercepted application executing the socket system call according to the control information corresponding to the intercepted application.
10. The system according to claim 9, wherein:
the intercept module which utilizes a preset function within the kernel space, updating an ingress address of the socket system call which may be executed by the intercepted application, to an ingress address of the preset function; and
the management module returns the ingress address of the socket system call prior to the update to the intercepted application.
11. The system according to claim 9, wherein prior to the determining of the control information corresponding to the intercepted application:
the determination module reads from a character device created in the kernel space, the mapping relationship between the control information and the corresponding identification information of the plurality of applications, wherein the mapping relationship between the control information and the corresponding identification information of the plurality of applications are written to the character device utilizing a preset write callback function in the user space.
12. The system according to claim 9, wherein prior to the allowing or denying of the intercepted application executing the socket system call according to the control information corresponding to the intercepted application:
the management module judges whether the socket system call uses one of: Internet Protocol version 4 (IPv4) or Internet Protocol version 6 (IPv6); if yes, allowing or denying the intercepted application executing the socket system call according to the control information corresponding to the intercepted application; otherwise, allowing the intercepted application to execute the socket system call.
13. The system according to claim 9, wherein the control information may be: allowing the network connection, denying the network connection, a duration for allowing network connection, or a time period for allowing network connection, wherein the management module may be utilized to:
allow the intercepted application to execute the socket system call if the control information is allowing the network connection;
deny the intercepted application to execute the socket system call if the control information is denying the network connection; and
if the control information is the duration for allowing network connection or the time period for allowing network connection, and the intercepted application satisfies the duration for allowing network connection or the time period for allowing network connection, then allowing the intercepted application to execute the socket system call; otherwise, denying the intercepted application to execute the socket system call.
14. The system according to claim 13, wherein if the control information being the duration for allowing network connection or the time period for allowing network connection, but the intercepted application does not satisfy the duration for allowing network connection or the time period for allowing network connection, the management module may be utilized to:
obtain in the user space, the control information of the intercepted application which does not satisfy the duration for allowing network connection or the time period for allowing network connection, and
obtain in the kernel space, updated control information corresponding to the intercepted application in the user space, and based on the updated control information, allowing or denying the intercepted application to execute the socket system call.
15. The system according to claim 14, wherein:
the management module writes to the character device the control information with which the intercepted application does not satisfy; and
the system further comprises an acquisition module, which reads and displays the control information from the character device utilizing the preset read callback function in the user space, obtains updated control information corresponding to the intercepted application, and writes to the character device the updated control information corresponding to the intercepted application utilizing the preset write callback function; and the management module further reads from the character device in the kernel space, the updated control information corresponding to the intercepted application.
16. The system according to any of claims 9 to 15, wherein the system further comprises:
a measurement module, which obtains in the user space, traffic flow threshold information of the intercepted application, measuring traffic flow statistics of the application, and when the traffic flow statistics of the intercepted application exceeds the corresponding traffic threshold, writes to the kernel space an instruction of denying the intercepted application to execute a socket system call; and
the management module further reads the instruction in the kernel space and denies the intercepted application to execute the socket system call according to the instruction.
17. A non-transitory computer-readable storage medium, wherein the computer readable storage medium stores a program which comprises codes or instructions to cause a processor circuitry to execute operations for managing network connections of a plurality of applications, the operations comprising:
intercepting within a kernel space, an application executing a socket system call;
determining control information corresponding to the intercepted application based on:
a mapping relationship between control information and corresponding identification information of the plurality of applications, wherein the plurality of applications operate within a user space,
identification information of the intercepted application; and
allowing or denying the intercepted application executing the socket system call according to the control information corresponding to the intercepted application.
18. The non-transitory computer readable storage medium according to claim 17, wherein the intercepting within the kernel space, the application executing the socket system call, comprising:
utilizing a preset function within the kernel space, updating an ingress address of the socket system call which may be executed by the intercepted application, to an ingress address of the preset function;
wherein the allowing of the intercepted application executing the socket system call, comprising:
returning the ingress address of the socket system call prior to the update to the intercepted application.
19. The non-transitory computer readable storage medium according to claim 17, wherein, prior to the determining of the control information corresponding to the intercepted application, the operations further comprising:
writing to a character device created in the kernel space, the mapping relationship between the control information and the corresponding identification information of the plurality of applications through utilizing a preset write callback function in the user space; and
reading from the created character device in the kernel space, the mapping relationship between the control information and the corresponding identification information of the plurality of applications.
20. The non-transitory computer readable storage medium according to claim 17, wherein, prior to the allowing or denying of the intercepted application executing the socket system call according to the control information corresponding to the intercepted application, the operations further comprising:
judging whether the socket system call uses one of: Internet Protocol version 4 (IPv4) or Internet Protocol version 6 (IPv6); if yes, allowing or denying the intercepted application executing the socket system call according to the control information corresponding to the intercepted application; otherwise, allowing the intercepted application to execute the socket system call.
21. The non-transitory computer readable storage medium according to claim 17, wherein the control information may be: allowing the network connection, denying the network connection, a duration for allowing network connection, or a time period for allowing network connection;
wherein the allowing or denying of the intercepted application to execute the socket system call in response to the control information corresponding to the intercepted application, further comprising:
if the control information is allowing the network connection, allowing the intercepted application to execute the socket system call;
if the control information is denying the network connection, denying the intercepted application to execute the socket system call;
if the control information is the duration for allowing network connection or the time period for allowing network connection, and the intercepted application satisfies the duration for allowing network connection or the time period for allowing network connection, then allowing the intercepted application to execute the socket system call; otherwise, denying the intercepted application to execute the socket system call.
22. The non-transitory computer readable storage medium according to claim 21, wherein, if the control information being the duration for allowing network connection or the time period for allowing network connection, but the intercepted application does not satisfy the duration for allowing network connection or the time period for allowing network connection, the operations further comprising:
obtaining in the user space, the control information of the intercepted application which does not satisfy the duration for allowing network connection or the time period for allowing network connection, and
obtaining in the kernel space, updated control information corresponding to the intercepted application in the user space, and based on the updated control information, allowing or denying the intercepted application to execute the socket system call.
23. The non-transitory computer readable storage medium according to claim 22, wherein, obtaining in the user space, the control information of the intercepted application which does not satisfy the duration for allowing network connection or the time period for allowing network connection, and obtaining in the kernel space, updated control information corresponding to the intercepted application in the user space, comprising: writing to the character device the control information with which the intercepted application does not satisfy;
reading and displaying the control information from the character device utilizing the preset read callback function in the user space, obtaining updated control information corresponding to the intercepted application, and writing to the character device the updated control information corresponding to the intercepted application utilizing the preset write callback function; and
in the kernel space, reading from the character device the updated control information corresponding to the intercepted application.
24. The non-transitory computer readable storage medium according to anyone of claims 17-23, wherein, the operations further comprising:
obtaining in the user space, traffic flow threshold information of the intercepted application, measuring traffic flow statistics of the application, and when the traffic flow statistics of the intercepted application exceeds the corresponding traffic threshold, writing to the kernel space an instruction of denying the intercepted application to execute a socket system call;
correspondingly, reading the instruction in the kernel space and denying the intercepted application to execute the socket system call according to the instruction.
PCT/CN2014/082873 2013-07-24 2014-07-24 A management method, system, and computer-readable storage medium for internet connection of applications WO2015010627A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310313900.7 2013-07-24
CN201310313900.7A CN104346137B (en) 2013-07-24 2013-07-24 A kind of management method, system and the computer readable storage medium of application networking

Publications (1)

Publication Number Publication Date
WO2015010627A1 true WO2015010627A1 (en) 2015-01-29

Family

ID=52392743

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/082873 WO2015010627A1 (en) 2013-07-24 2014-07-24 A management method, system, and computer-readable storage medium for internet connection of applications

Country Status (2)

Country Link
CN (1) CN104346137B (en)
WO (1) WO2015010627A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106126011A (en) * 2016-06-15 2016-11-16 依偎科技(南昌)有限公司 The resource occupation method for information display of a kind of application program and mobile terminal
CN113032468A (en) * 2019-12-09 2021-06-25 浙江大搜车软件技术有限公司 Data writing method, device and computer readable storage medium
US20220012110A1 (en) * 2020-07-09 2022-01-13 Netflix, Inc. Networking-related system call interception and modification

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104809046B (en) * 2015-05-27 2018-01-16 广东欧珀移动通信有限公司 A kind of application program networking control method and application program networking control device
US20170195250A1 (en) * 2016-01-06 2017-07-06 Google Inc. Automatic data restrictions based on signals
CN106452946A (en) * 2016-09-21 2017-02-22 深圳市金立通信设备有限公司 Flow control method and terminal
CN107613511A (en) * 2017-09-20 2018-01-19 北京珠穆朗玛移动通信有限公司 Network management, mobile terminal and device
CN107612670A (en) * 2017-09-29 2018-01-19 努比亚技术有限公司 A kind of receiving/transmission method of data, device, terminal and computer-readable recording medium
CN108093428B (en) * 2017-11-06 2021-02-19 每日互动股份有限公司 Server for authenticating real traffic
CN108491234A (en) * 2018-03-19 2018-09-04 深圳乐信软件技术有限公司 A kind of real-time traffic control method, device, equipment and storage medium
CN108845828B (en) * 2018-05-29 2021-01-08 深圳市国微电子有限公司 Coprocessor, matrix operation acceleration method and system
CN115277670A (en) * 2022-06-24 2022-11-01 维沃移动通信有限公司 Network connection control method and device of target application and electronic equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030110308A1 (en) * 2001-11-21 2003-06-12 Sun Microsystems Inc., A California Corporation Fast socket technology implementation using doors
US20090022095A1 (en) * 2007-07-16 2009-01-22 Cellport Systems, Inc. Communication Channel Selection and Use
US20110201285A1 (en) * 2010-02-16 2011-08-18 Qualcomm Incorporated Methods and apparatus providing intelligent radio selection for legacy and non-legacy applications
WO2012128792A1 (en) * 2011-03-18 2012-09-27 Qualcomm Incorporated Management of network access requests
WO2013091410A1 (en) * 2011-12-19 2013-06-27 华为数字技术(成都)有限公司 Network access method, system and device

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101414997B (en) * 2007-10-15 2013-06-12 北京瑞星信息技术有限公司 Method and apparatus for preventing malevolence program from accessing network
US20090296685A1 (en) * 2008-05-29 2009-12-03 Microsoft Corporation User-Mode Prototypes in Kernel-Mode Protocol Stacks
CN101873640B (en) * 2010-05-27 2013-04-24 华为终端有限公司 Flow processing method, device and mobile terminal
US8831658B2 (en) * 2010-11-05 2014-09-09 Qualcomm Incorporated Controlling application access to a network
CN102355667B (en) * 2011-06-30 2015-12-09 北京邮电大学 Application program network connection control method and system in mobile intelligent terminal system
CN102685016B (en) * 2012-06-06 2015-01-07 济南大学 Internet flow distinguishing method
CN102930205A (en) * 2012-10-10 2013-02-13 北京奇虎科技有限公司 Monitoring unit and method

Also Published As

Publication number Publication date
CN104346137A (en) 2015-02-11
CN104346137B (en) 2019-05-14

Similar Documents

Publication Publication Date Title
WO2015010627A1 (en) A management method, system, and computer-readable storage medium for internet connection of applications
RU2622876C2 (en) Method, device and electronic device for connection control
CN107547746B (en) Resource allocation method and related product
US9336054B2 (en) Method and apparatus for configuring resource
US20140053167A1 (en) Method, device, and mobile terminal for api interception
WO2019080429A1 (en) Electronic apparatus, access request control method, and computer readable storage medium
CN107547745B (en) Resource allocation method and related product
CN107807852B (en) Application program performance control method, device and computer readable storage medium
US11811832B2 (en) Queryless device configuration determination-based techniques for mobile device management
JP2016502186A (en) Method, apparatus, program and recording medium for setting application state
CN109831351B (en) Link tracking method, device, terminal and storage medium
EP3468105A1 (en) Method and apparatus for arranging network resources
CN104809046A (en) Application program networking control method and application program networking control device
CN103092663B (en) A kind of method of set up applications in the terminal and device
CN114826749A (en) Interface access control method, device and medium
CN104516744A (en) Software updating method and system
US11943127B2 (en) Network-based control method for power consumption of applications, terminal and storage medium
CN105447384B (en) A kind of anti-method monitored, system and mobile terminal
CN104426836A (en) Invasion detection method and device
CN109905407B (en) Management method, system, equipment and medium for accessing intranet based on VPN server
CN105184149A (en) Method and system for preventing rogue program from frequently acquiring user position information
CN112017330B (en) Intelligent lock parameter configuration method and device, intelligent lock and storage medium
WO2020007250A1 (en) Pseudo base station identification on-off control method and device, mobile terminal, and storage medium
CN114244703B (en) Bare metal server checking and deploying method, device, equipment and medium
US20110209215A1 (en) Intelligent Network Security Resource Deployment System

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14829732

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205N DATED 02.08.2016)

122 Ep: pct application non-entry in european phase

Ref document number: 14829732

Country of ref document: EP

Kind code of ref document: A1