WO2017016231A1 - Policy management method, system and computer storage medium - Google Patents
- Publication number: WO2017016231A1 (application PCT/CN2016/077630)
- Authority: WO (WIPO, PCT)
Classifications
- H04L9/40 Network security protocols (under H04L9/00, Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols)
- H04L63/0227 Filtering policies (under H04L63/02, Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls)
Definitions
- the present invention relates to the field of application security technologies, and in particular, to a policy management method, system, and computer storage medium.
- the Android system controls the permissions through the sandbox mechanism.
- if the superuser (root) permissions of the electronic device are usurped, all application resources can be accessed by the superuser, and a virus program also gains control of the electronic device, which seriously affects the security of electronic devices.
- SEAndroid is an SELinux-based security mechanism.
- the central idea of SEAndroid is to establish a security policy through the Mandatory Access Control (MAC) technology. Even if the root privileges are taken over, the access rights are still restricted by the security policy, thus minimizing the security risks brought by the attacks;
- the existing technology improves, to a certain extent, the security of security applications on the Android system.
- the security policy file of SEAndroid is installed in the platform/external/sepolicy directory, that is, the deployed security policy files are placed there. In a non-secure environment, it is conceivable that once a hacker intercepts the security policy file, the access rules set in the policy are tampered with and malicious code is embedded, so that the security policy can no longer guarantee the security of the electronic device and of security applications.
- the birth of processors with secure isolation opens up a new path for the security of electronic devices: protection functions are integrated into the core to ensure the security of the Android system, while a secure software platform is provided on which semiconductor manufacturers, device manufacturers and operating system partners can extend and develop their own security solutions on a shareable framework.
- the ARM processor's TrustZone technology completely isolates the non-secure execution environment from the secure execution environment and can be converted between a secure mode and a non-secure mode via a security monitor (Monitor).
- embodiments of the present invention are expected to provide a policy management method, system, and computer storage medium, which can improve the security of the Android system.
- the embodiment of the invention provides a policy management method, and the method includes:
- the security isolation technology is used to divide the execution environment into a non-secure execution environment and a secure execution environment
- domain division is performed for each application; and a mandatory access control (MAC) query service is provided for access between applications of each domain according to a pre-defined policy file;
- the policy file is managed; wherein the management includes at least one or more of the following: query, load, update, and store.
- the foregoing provides a MAC query service for access between applications in each domain according to a pre-defined policy file, including:
- the managing the policy file includes:
- the first instruction is sent to the security execution environment side, including:
- the performing the first operation on the policy file according to the first instruction includes:
- the domain division of each application further includes:
- the managing the policy file further includes:
- the preset rule includes at least one or more of the following:
- the embodiment of the present invention further provides a policy management system, which uses a security isolation technology to divide the execution environment into a non-secure execution environment and a security execution environment; the system includes: a non-secure operating system and a security operating system;
- the non-secure operating system is configured to perform domain division for each application according to a pre-defined policy file; and provide a MAC query service for access between applications of each domain according to a pre-defined policy file;
- the security operating system is located in a secure execution environment and is configured to manage a policy file.
- the management includes at least one or more of the following: query, load, update, and store.
- the non-secure operating system includes a first policy management module and a first communication proxy module;
- the first policy management module is configured to perform domain division on each application; when the preset condition is met, the first communication proxy module sends a first instruction to the security execution environment side;
- the first communication proxy module is configured to send a first instruction to the secure execution environment, receive a first command response result returned by the secure execution environment side, and send the first command response result to the first policy management module;
- the security operating system includes a second policy management module and a second communication proxy module;
- the second policy management module is configured to perform a first operation on the policy file according to the first instruction, where the first operation includes at least one or more of the following: query, load, update, and store; and to transmit, by the second communication proxy module, a first command response result to the non-secure execution environment side;
- the second communication proxy module is configured to receive the first instruction sent by the first communication proxy module, and send the first instruction to the second policy management module; and to receive the first command response result returned by the second policy management module and send the first command response result to the first communication proxy module.
- the first policy management module includes: a domain division unit and a MAC management unit; wherein
- the domain dividing unit is configured to perform domain partitioning on each application; when detecting that the first application accesses the second application, to acquire domain information of the first application and the second application; and to send the domain information of the first application and the second application to the MAC management unit;
- the MAC management unit is configured to send a first instruction to the security execution environment side, where the first instruction carries at least the domain information of the first application and the second application.
- the second policy management module includes:
- the policy query unit is configured as:
- the domain dividing unit is further configured to:
- the second policy management module further includes:
- a policy update unit configured to formulate a policy file for the new application based on the first information of the new application according to a preset rule, where the first information includes at least domain information and a user identifier, and to update the policy library based on the policy file of the new application;
- a secure storage unit configured to store policy files to a non-volatile secure storage space
- a policy loading unit configured to read a policy file from the non-volatile secure storage space and load the policy file into a policy library located in a secure operating system kernel, so that the policy update unit can update the policy library.
- the preset rule includes at least one or more of the following:
- the embodiment of the invention provides a computer storage medium, wherein the computer storage medium stores a computer program, and the computer program is used to execute the policy management method described above.
- the policy management method, the system, and the computer storage medium provided by the embodiments of the present invention use the security isolation technology to divide the execution environment into a non-secure execution environment and a security execution environment; in the non-secure execution environment, domain division is performed on each application, and a MAC query service is provided for access between applications of each domain according to a pre-defined policy file; in the secure execution environment, the policy file is managed, wherein the management includes at least one or more of the following: query, load, update, and store.
- the technical solution in the embodiment of the present invention can improve the security of the Android system and greatly improve the user experience.
- FIG. 1 is a schematic flowchart of a policy management method according to an embodiment of the present invention.
- FIG. 2 is a schematic diagram of a framework of a policy management system according to an embodiment of the present invention.
- FIG. 3 is a schematic diagram of a process flow of a policy in a new application installation process according to an embodiment of the present invention.
- FIG. 4 is a schematic diagram of a process flow of a non-secure domain application accessing a security domain application according to an embodiment of the present invention.
- FIG. 5 is a schematic diagram of a process flow of a security domain application accessing a security domain application according to an embodiment of the present invention.
- FIG. 1 is a schematic flowchart of a policy management method according to an embodiment of the present invention, which is applied to an electronic device. As shown in FIG. 1 , the policy management method mainly includes the following steps:
- Step 101 The security isolation technology is used to divide the execution environment into a non-secure execution environment and a security execution environment.
- the policy management deployed in the Android system can be divided into a secure part and a non-secure part by using a processor with security isolation function.
- the processor may be an ARM processor with security isolation.
- Step 102 Perform domain division on each application in the non-secure execution environment, and provide a mandatory access control (MAC) query service for access between applications of each domain according to a pre-defined policy file.
- Step 103 In the security execution environment, manage the policy file; wherein the management includes at least one or more of the following: query, load, update, and store.
- with the security management technology introduced, policy management is divided into a security side and a non-secure side: the non-secure side only sends commands, while the actual policy storage and operations are performed in the secure execution environment (trusted environment).
- the providing the MAC query service for the access between the applications of the respective domains according to the pre-defined policy file may include:
- the managing the policy file may include:
- sending the first instruction to the security execution environment side including:
- the first application is equivalent to an access subject
- the file or socket resource in the second application is equivalent to an access object.
- the first application may be an application of a security domain or an application of a non-security domain.
- the second application may be an application of a security domain, an application of a non-security domain, or an application of a system domain. It is worth noting that applications are generally processes and are all subjects, while resources in an application, such as files and sockets, are objects.
- the performing the first operation on the policy file according to the first instruction may include:
- the domain division of each application may further include:
- the managing the policy file further includes:
- the preset rule includes at least one or more of the following:
- the first rule is: allowing a non-secure domain application to access the non-secure domain application;
- the second rule is: not allowing the non-secure domain application to access the security domain application;
- the third rule is: disallowing the security domain application accessing the non-secure domain application;
- the fourth rule is: allowing the security domain application to access the security domain application;
- the fifth rule is: allowing the non-secure domain application and the security domain application to access the system domain application.
- the application in the system domain is an application pre-installed by an electronic device of the Android system, such as a calculator application, a flashlight application, and the like.
- the policy management of the Android deployment is divided into non-secure and security parts by using a processor with security isolation function, wherein the non-secure part is responsible for domain division and MAC control management functions, and the security part is responsible for the secure storage, loading, querying, and updating of policies. In this way, the policy can be saved and operated on completely apart from the non-secure environment.
- the security policy can be deployed on the smart terminal and the policy file can be managed securely. For example, in MAC mode, the objects and permissions that a web server process may operate on are listed explicitly in the security policy (e.g. only access to the network and to specific files).
- FIG. 2 is a schematic diagram of a framework of a policy management system according to an embodiment of the present invention.
- the policy management system uses a security isolation technology to divide an execution environment into a non-secure execution environment and a security execution environment, where the system mainly includes: non-secure operating system 10, secure operating system 20; wherein
- the non-secure operating system 10 is located in a non-secure execution environment, and is configured to perform domain division on each application; and provide a MAC query service for access between applications of each domain according to a pre-defined policy file;
- the security operating system 20 is located in a secure execution environment and configured to manage policy files.
- the management includes at least one or more of the following: query, load, update, and store.
- the non-secure operating system 10 runs in the non-secure execution environment of a processor with a security isolation function, and may be a commonly used operating system on an electronic device, such as a Linux operating system, on which Android and its various applications can be run.
- the security operating system 20 runs in the secure execution environment of the processor with the security isolation function, and is responsible for performing secure storage and related operations on the policy file.
- the operation includes at least: query, load, update.
- the system mainly comprises:
- the security monitor 30 is an operation mode of the ARM processor, that is, monitor mode, which is responsible for switching the execution environment; wherein the execution environment includes a non-secure execution environment and a secure execution environment. It is worth noting that the security monitor is not a hardware unit but a working mode of the central processing unit (CPU), parallel to the user (User) mode and the supervisor (Svc) mode. The CPU must be in exactly one of these execution modes at any time. When the first communication proxy module receives the upper-layer query command, it is in Svc mode; the second communication proxy module, in Svc mode, issues a system management controller (SMC) command that changes the CPU to monitor mode in order to switch between the secure execution environment and the non-secure execution environment.
- a non-volatile secure storage space 40 is responsible for storing security policy files.
- the non-volatile secure storage space 40 is an exclusive area of the second policy management module 21 and is not accessed by an application in a non-secure execution environment or other security applications in a secure execution environment.
- the security policy file is stored in the non-volatile secure storage space 40; since access to all files, directories, and ports in the Android system is based on policies, the security side only needs to formulate a fine-grained, high-security policy to isolate communication between applications through inter-process communication (IPC, Internet Process Connection), the file system, sockets, and the like.
- the non-secure operating system 10 includes a first policy management module 11 and a first communication proxy module 12;
- the first policy management module 11 is configured to perform domain division on each application; when the preset condition is met, the first communication proxy module 12 sends a first instruction to the security execution environment side;
- the first communication proxy module 12 is configured to send a first instruction to the secure execution environment, receive a first command response result returned by the secure execution environment side, and send the first command response result to the first policy management module 11;
- the security operating system 20 includes a second policy management module 21 and a second communication proxy module 22;
- the second policy management module 21 is configured to perform a first operation on the policy file according to the first instruction, wherein the first operation includes at least one or more of the following: querying, loading, updating, and storing; and to send, by the second communication proxy module 22, a first instruction response result to the non-secure execution environment side;
- the second communication proxy module 22 is configured to receive the first instruction sent by the first communication proxy module 12, and send the first instruction to the second policy management module 21; and to receive the first instruction response result returned by the second policy management module 21 and send it to the first communication proxy module 12.
- the first policy management module 11 and the second policy management module 21 perform operations such as updating, querying, and storing security policies by sending commands, so as to control communication between applications; the first policy management module 11 communicates with the second policy management module 21 through the first communication proxy module 12, and the second policy management module 21 communicates with the first policy management module 11 through the second communication proxy module 22.
- the first policy management module 11 is responsible for marking various applications as different domains (security levels), where the various applications include: applications published with the system, or applications published by third parties.
- the first policy management module 11 includes: a domain dividing unit 111 and a MAC management unit 112;
- the domain dividing unit 111 is configured to perform domain partitioning on each application; when detecting that the first application accesses the second application, to acquire domain information of the first application and the second application; and to send the domain information of the first application and the second application to the MAC management unit 112;
- the MAC management unit 112 is configured to send a first instruction to the security execution environment side, where the first instruction carries at least the domain information of the first application and the second application.
- the domain can be divided into three categories: one is a system domain, one is a security domain, and the other is a non-security domain.
- the second policy management module 21 includes:
- the policy query unit 211 is configured to:
- the result of the query is to allow access or to deny access.
- the domain dividing unit 111 is further configured to:
- domain A represents a non-secure domain
- domain B represents a security domain
- domain C represents a system domain
- the application 1 is an application running on the non-secure operating system 10 that was not verified at installation time, so it is in the non-secure domain, that is, domain A; the application 2 runs on the non-secure operating system 10 and was verified by the publisher's signature at installation time, so it is in the security domain, domain B.
- the MAC management unit 112 is responsible for managing access rights between applications.
- when a subject (an Android application) accesses an object (a file or socket of another Android application), the first policy management module 11 first performs a basic discretionary access control (DAC) check; if the check fails, it directly returns a rejection of the access; if the check passes, the first communication proxy module 12 is called to switch to the policy query unit 212 of the second policy management module 21 on the security side, the policy query unit 212 queries whether the subject has access rights, and the query result is returned to the subject.
- in this way, non-secure applications (such as application 1) and secure-side applications (such as application 2) can be prevented from communicating with each other through components.
- the second policy management module 21 further includes:
- the policy update unit 212 is configured to formulate, according to the preset rule, a policy file for the new application based on the first information of the new application, where the first information includes at least domain information and a user identifier, and to update the policy library based on the policy file of the new application;
- the secure storage unit 213 is configured to store the policy file in a non-volatile secure storage space
- a policy loading unit 214 configured to read a policy file from the non-volatile secure storage space 40 and load the policy file into a policy library located in the secure operating system kernel, so that the policy update unit can update the policy library.
- the security policy file is stored in the non-volatile secure storage space 40; since access to all files, directories, and ports in the Android system is based on policies, the security side only needs to formulate a fine-grained, high-security policy to isolate the communication between applications through IPC, the file system, sockets, etc.
- the policy file may be represented in a binary form.
- the preset rule includes at least one or more of the following:
- the first rule is: allowing a non-secure domain application to access the non-secure domain application;
- the second rule is: not allowing the non-secure domain application to access the security domain application;
- the third rule is: disallowing the security domain application accessing the non-secure domain application;
- the fourth rule is: allowing the security domain application to access the security domain application;
- the fifth rule is: allowing the non-secure domain application and the security domain application to access the system domain application.
- the policy update unit 212 is responsible for performing security update of the policy file and the policy library according to the instruction of the MAC management module 112 located on the non-secure side when the application is installed or uninstalled.
- the policy loading unit 211 is responsible for reading a policy file from the non-volatile secure storage space exclusive to the second policy management module 21 and loading the policy file into the policy library located in the secure operating system kernel; it is also responsible for responding to the instructions of the policy update unit 212, and the loading process is started when a new application is installed or an application is uninstalled.
- FIG. 3 is a schematic diagram of a process flow of a policy in a new application installation process according to an embodiment of the present invention. As shown in FIG. 3, the process mainly includes the following steps:
- Step 301 Install a new application in a non-secure execution environment.
- the new application refers to an application that is not installed in the electronic device, wherein the system of the electronic device is an Android system.
- Step 302 The domain dividing unit in the first policy management module performs domain division on the new application.
- the domain dividing unit verifies the new application according to the digital certificate signature of the new application; if the verification passes, the new application is marked as a security domain, and if the verification fails, the new application is marked as a non-secure domain.
- Step 303 The domain dividing unit sends information such as domain information and user name of the new application to the MAC management unit in the first policy management module.
- Step 304 The MAC management unit sends a policy update instruction to the policy update unit by using the first communication proxy module.
- the first communication proxy module is started to notify the security side update policy.
- the step 304 may include:
- Step 304a The first communication proxy module executes the first instruction to cause the processor to be in a security monitor mode, in which the non-secure side context is saved;
- Step 304b The security monitor switches to the secure execution environment and restores the security side context.
- the secure execution environment may also be referred to as a trusted execution environment.
- steps 305 to 314 are operations performed in a secure execution environment.
- Step 305 The policy update unit in the second management module formulates a policy for the new application, and issues an update policy library instruction.
- the policy defined by the policy update unit for the new application is referred to as a first policy file.
- Step 306 to step 307 The policy update unit invokes the secure storage unit to store the first policy file to the non-volatile secure storage space exclusive to the second policy management module.
- Step 308 After completing the storage of the first policy file, the secure storage unit returns a storage success response to the policy update unit.
- Step 309 The second management module invokes a policy loading unit to start a policy loading process.
- Step 310 to step 312 The policy loading unit reads the first policy file and, after the read is completed, loads the first policy file into the policy library.
- the policy library is located in the kernel of the secure operating system.
- Step 313 The policy loading unit returns an update policy library success response to the policy update unit.
- Step 314 The policy update unit returns a policy update complete message to the MAC management unit.
- the step 314 can include:
- Step 314a The second communication proxy module executes the second instruction to place the processor in a security monitor mode, in which the secure side context is saved;
- Step 314b The security monitor switches to the non-secure execution environment and restores the non-secure side context.
- Step 315 The MAC management unit parses the execution result returned by the security side. At this point, the new application policy is loaded, and the new application completes the installation.
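The installation flow of steps 301 to 315, modelled as an added example; this is not code from the patent nor from any SEAndroid or TrustZone implementation. Names such as domain_divide, formulate_policy, secure_store_write, policy_load and install_new_app are assumptions, the signature_valid flag is a constructed stand-in for verifying the publisher's digital certificate signature, and the 5-byte binary layout of a policy entry (uid plus domain) is assumed, since the description only says the policy file may be binary. The non-volatile secure store and the kernel policy library are plain byte and struct arrays.

```c
/* Added example, not the patent's code: models the FIG. 3 installation flow.
 * Names, the signature_valid stand-in for publisher-signature verification,
 * and the 5-byte policy entry layout are assumptions for this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum domain { DOMAIN_A = 0, DOMAIN_B = 1, DOMAIN_C = 2 };  /* non-secure, secure, system */

/* A new application as seen by the domain dividing unit. signature_valid is a
 * constructed stand-in for verifying the application's digital certificate signature. */
struct new_app { const char *name; uint32_t uid; int signature_valid; };

/* Step 302: verified publisher signature -> security domain, else non-secure domain. */
static enum domain domain_divide(const struct new_app *app)
{
    return app->signature_valid ? DOMAIN_B : DOMAIN_A;
}

/* Binary policy file entry: uid as 4 little-endian bytes, then the domain byte (assumed layout). */
#define ENTRY_SIZE 5
#define MAX_ENTRIES 64

/* Non-volatile secure storage space, exclusive to the second policy management module. */
struct secure_store { uint8_t bytes[MAX_ENTRIES * ENTRY_SIZE]; size_t used; };

/* Policy library loaded into the secure operating system kernel. */
struct policy_entry { uint32_t uid; enum domain dom; };
struct policy_library { struct policy_entry entries[MAX_ENTRIES]; size_t count; };

/* Step 305: policy update unit formulates the first policy file from (domain, uid). */
static void formulate_policy(uint32_t uid, enum domain d, uint8_t out[ENTRY_SIZE])
{
    out[0] = (uint8_t)(uid & 0xffu);
    out[1] = (uint8_t)((uid >> 8) & 0xffu);
    out[2] = (uint8_t)((uid >> 16) & 0xffu);
    out[3] = (uint8_t)((uid >> 24) & 0xffu);
    out[4] = (uint8_t)d;
}

/* Steps 306-308: secure storage unit appends the entry; 1 = storage success response. */
static int secure_store_write(struct secure_store *st, const uint8_t entry[ENTRY_SIZE])
{
    if (st->used + ENTRY_SIZE > sizeof st->bytes)
        return 0;
    memcpy(st->bytes + st->used, entry, ENTRY_SIZE);
    st->used += ENTRY_SIZE;
    return 1;
}

/* Steps 309-313: policy loading unit reads the whole store back into the kernel library. */
static int policy_load(const struct secure_store *st, struct policy_library *lib)
{
    lib->count = 0;
    for (size_t off = 0; off + ENTRY_SIZE <= st->used; off += ENTRY_SIZE) {
        const uint8_t *e = st->bytes + off;
        struct policy_entry *pe = &lib->entries[lib->count++];
        pe->uid = (uint32_t)e[0] | ((uint32_t)e[1] << 8) | ((uint32_t)e[2] << 16) | ((uint32_t)e[3] << 24);
        pe->dom = (enum domain)e[4];
    }
    return (int)lib->count;
}

/* Steps 302-314 end to end; returns 1 once the new application's policy is stored and loaded. */
static int install_new_app(const struct new_app *app, struct secure_store *st, struct policy_library *lib)
{
    uint8_t entry[ENTRY_SIZE];
    enum domain d = domain_divide(app);
    formulate_policy(app->uid, d, entry);
    if (!secure_store_write(st, entry))
        return 0;
    return policy_load(st, lib) > 0;
}

/* Domain lookup the policy query unit would rely on: returns -1 for an unknown uid. */
static int library_domain_of(const struct policy_library *lib, uint32_t uid)
{
    for (size_t i = 0; i < lib->count; i++)
        if (lib->entries[i].uid == uid)
            return (int)lib->entries[i].dom;
    return -1;
}

int main(void)
{
    struct secure_store nv = {0};
    struct policy_library lib = {0};
    struct new_app bank = { "bank", 10050, 1 };   /* constructed: signature verifies */
    struct new_app game = { "game", 10051, 0 };   /* constructed: unverified */
    install_new_app(&bank, &nv, &lib);
    install_new_app(&game, &nv, &lib);
    printf("%zu entries loaded, bank in domain %d, game in domain %d\n",
           lib.count, library_domain_of(&lib, 10050), library_domain_of(&lib, 10051));
    return 0;
}
```

The point of keeping the store and the library as separate structures is the one the description makes: the only copy of the policy that the non-secure side can influence is the command it sends; the bytes themselves are written, read back and loaded entirely on the secure side, and a full store makes the storage unit report failure instead of silently truncating the policy.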
- FIG. 4 is a schematic flowchart of the process in which a non-secure domain application accesses a secure domain application, according to an embodiment of the present invention. As shown in FIG. 4, the process mainly includes the following steps:
- Step 401: The non-secure domain application accesses the secure domain application.
- The access between domains may be detected by the domain partitioning unit in the first policy management module.
- Here the non-secure domain application is application 1,
- and the secure domain application is application 2.
- Step 402: The first policy management module invokes the MAC management unit to perform a permission query.
- Step 403: The MAC management unit in the first policy management module sends a query request to the policy query unit in the second policy management module located on the secure side.
- The query request includes at least the domain information of application 1 and application 2.
- Step 403 may include:
- Step 403a: The second communication proxy module executes the first instruction to place the processor in security monitor mode, in which the non-secure side context is saved;
- Step 403b: The security monitor switches to the secure execution environment and restores the secure side context.
- The secure execution environment may also be referred to as a trusted execution environment.
- Steps 404 to 405 are performed in the secure execution environment.
- Step 404: The policy query unit obtains the domain information of application 1 and application 2 and matches it against the policy in the policy database in the kernel of the secure operating system; the result is that the access is denied,
- because non-secure domain applications are not allowed to access secure domain applications.
- Step 405: The policy query unit returns the query result to the MAC management unit.
- Step 405 can include:
- Step 405a: The second communication proxy module executes the second instruction to place the processor in security monitor mode, in which the secure side context is saved.
- Step 405b: The security monitor switches to the non-secure execution environment and restores the non-secure side context.
- Step 406: The MAC management unit returns the query result to the access subject (i.e. the non-secure domain application), and the access is prohibited.
- In this flow the MAC management unit in the first policy management module sends its message through the first communication proxy module, the processor switches to the secure execution environment, and the query is answered by the second policy management module located there. Because the policy library resides in the secure execution environment, the security of the Android system is improved.
- FIG. 5 is a schematic flowchart of the process in which a secure domain application accesses another secure domain application, according to an embodiment of the present invention. As shown in FIG. 5, the process mainly includes the following steps:
- Step 501: The secure domain application accesses the other secure domain application.
- The access between domains may be detected by the domain partitioning unit in the first policy management module.
- Step 502: The first policy management module invokes the MAC management unit to perform a permission query.
- Step 503: The MAC management unit in the first policy management module sends a query request to the policy query unit in the second policy management module located on the secure side.
- The query request includes at least the domain information of the access subject and the access object.
- Step 503 can include:
- Step 503a: The second communication proxy module executes the first instruction to place the processor in security monitor mode, in which the non-secure side context is saved;
- Step 503b: The security monitor switches to the secure execution environment and restores the secure side context.
- The secure execution environment may also be referred to as a trusted execution environment.
- Steps 504 to 505 are performed in the secure execution environment.
- Step 504: The policy query unit obtains the domain information of the access subject and the access object and matches it against the policy in the policy database in the kernel of the secure operating system; the result is that the access is allowed.
- Step 505: The policy query unit returns the query result to the MAC management unit.
- Step 505 can include:
- Step 505a: The second communication proxy module executes the second instruction to place the processor in security monitor mode, in which the secure side context is saved.
- Step 505b: The security monitor switches to the non-secure execution environment and restores the non-secure side context.
- Step 506: The MAC management unit returns the query result to the access subject, and the access is allowed.
- Secure domain applications are allowed to access each other, that is, data can be shared between secure applications.
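The FIG. 4 and FIG. 5 flows above, and the five preset rules the description defines for the domain pairs, can be modelled end to end. The following is an added example written for this page, not code from the patent: the secure side holds the policy library and answers query commands, the non-secure side holds only the application-to-domain labels and sends the query, and the world switch through the security monitor is simulated by a function call (on TrustZone this would be an SMC into monitor mode, which is an assumption here, as the patent only speaks of a "first" and "second" instruction). The application names, the default-deny for domain pairs the description does not define (for instance a system-domain subject), and the message format are all constructed for the example.

```python
"""Two-world MAC policy query modelled after the FIG. 4 / FIG. 5 flows.

Added example, not the patent's code. Secure side: policy library and query
unit. Non-secure side: MAC management unit with app -> domain labels only.
The communication proxy stands in for the first/second communication proxy
modules and the security monitor (assumption: an SMC-based world switch).
"""
from enum import Enum


class Domain(Enum):
    SYSTEM = "system"
    SECURE = "secure"
    NON_SECURE = "non_secure"


# ---- secure execution environment -------------------------------------
class PolicyLibrary:
    """Policy library in the secure OS kernel, keyed on (subject, object) domains.
    Encodes the five preset rules of the description. A pair with no rule
    (e.g. a system-domain subject, which the description does not define)
    is denied: default deny is the assumption taken here."""

    def __init__(self):
        self._rules = {
            (Domain.NON_SECURE, Domain.NON_SECURE): True,   # rule 1
            (Domain.NON_SECURE, Domain.SECURE): False,      # rule 2 (FIG. 4)
            (Domain.SECURE, Domain.NON_SECURE): False,      # rule 3
            (Domain.SECURE, Domain.SECURE): True,           # rule 4 (FIG. 5)
            (Domain.NON_SECURE, Domain.SYSTEM): True,       # rule 5
            (Domain.SECURE, Domain.SYSTEM): True,           # rule 5
        }

    def query(self, subject, obj):
        return self._rules.get((subject, obj), False)


class PolicyQueryUnit:
    """Second policy management module: parses the query request and matches it
    against the policy library. A malformed request yields an error, never an allow."""

    def __init__(self, library):
        self._library = library

    def handle(self, request):
        if request.get("cmd") != "query":
            return {"status": "error", "reason": "unsupported command"}
        try:
            subject = Domain(request["subject_domain"])
            obj = Domain(request["object_domain"])
        except (KeyError, ValueError):
            return {"status": "error", "reason": "malformed domain information"}
        return {"status": "ok", "allow": self._library.query(subject, obj)}


# ---- communication proxies / security monitor -------------------------
class CommunicationProxy:
    """Save the non-secure context, switch to the secure world, run the secure
    handler, save the secure context, switch back. World switches are counted
    so a caller can see that every query crosses the boundary twice."""

    def __init__(self, secure_handler):
        self._secure_handler = secure_handler
        self.world_switches = 0

    def call_secure(self, request):
        self.world_switches += 1          # first instruction: NS -> monitor -> S
        response = self._secure_handler(request)
        self.world_switches += 1          # second instruction: S -> monitor -> NS
        return response


# ---- non-secure execution environment ----------------------------------
class MacManagementUnit:
    """First policy management module. Holds only the app -> domain labels produced
    by the domain partitioning unit; the policy itself never lives on this side."""

    def __init__(self, proxy, domains):
        self._proxy = proxy
        self._domains = dict(domains)

    def check_access(self, subject_app, object_app):
        request = {
            "cmd": "query",
            "subject_domain": self._domains[subject_app].value,
            "object_domain": self._domains[object_app].value,
        }
        response = self._proxy.call_secure(request)
        # Fail closed: anything but an explicit ok/True from the secure side is a denial.
        return response.get("status") == "ok" and response.get("allow") is True


def build_demo():
    """Constructed sample: app1 non-secure, app2/app3 secure, calculator system domain."""
    proxy = CommunicationProxy(PolicyQueryUnit(PolicyLibrary()).handle)
    unit = MacManagementUnit(proxy, {
        "app1": Domain.NON_SECURE,
        "app2": Domain.SECURE,
        "app3": Domain.SECURE,
        "calculator": Domain.SYSTEM,
    })
    return unit, proxy


if __name__ == "__main__":
    unit, proxy = build_demo()
    for subject, obj in [("app1", "app2"), ("app2", "app3"), ("app2", "app1"), ("app1", "calculator")]:
        print(f"{subject} -> {obj}: {'allow' if unit.check_access(subject, obj) else 'deny'}")
    print("world switches:", proxy.world_switches)
```

Two design points worth noting: the non-secure side treats any error response from the secure side as a denial, so a malformed or unexpected reply cannot be turned into an allow, and the policy library denies domain pairs it has no rule for rather than falling through to allow.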
- The embodiment of the invention further describes a computer storage medium storing computer-executable instructions, the instructions being used to execute the policy management method described in the foregoing embodiments.
- In summary, the technical solution of the present invention introduces a processor with a security isolation function and splits policy management into a secure side and a non-secure side, with the modules on the two sides cooperating.
- The non-secure side is responsible only for sending policy access commands and policy update commands to the secure side, i.e. it operates at the command level only;
- the actual policy file storage, policy file loading, policy rule evaluation and policy file updating are performed on the secure side.
- Compared with the existing SEAndroid, whose security-related operations take place in the non-secure environment, the technical solution of the present invention greatly improves the security of the Android system.
- The disclosed apparatus and method may be implemented in other manners.
- The device embodiments described above are merely illustrative.
- The division into units is only a logical functional division;
- in actual implementation there may be another division, for example multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
- The coupling, direct coupling or communication connection between the components shown or discussed may be an indirect coupling or communication connection through interfaces, devices or units, and may be electrical, mechanical or of another form.
- The units described above as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
- Each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may stand alone, or two or more units may be integrated into one unit;
- the integrated unit may be implemented in the form of hardware or in the form of hardware plus software functional units.
- The foregoing program may be stored in a computer readable storage medium; when executed, the program performs the steps of the foregoing method embodiments.
- The foregoing storage medium includes a removable storage device, a read-only memory (ROM), a magnetic disk, an optical disk or any other medium that can store program code.
- Alternatively, if the integrated unit of the present invention is implemented as a software functional module and sold or used as a standalone product, it may be stored in a computer readable storage medium.
- Based on this understanding, the technical solution of the embodiments of the present invention may in essence be embodied as a software product stored in a storage medium and including a number of instructions
- that cause a computer device (which may be a personal computer, server, network device, etc.) to perform all or part of the methods described in the various embodiments of the present invention.
- The foregoing storage medium includes various media that can store program code, such as a removable storage device, a ROM, a magnetic disk or an optical disk.
- To summarize: using security isolation technology, the execution environment is divided into a non-secure execution environment and a secure execution environment; in the non-secure execution environment each application is assigned to a domain, and a MAC query service is provided for access between applications of the various domains according to a pre-defined policy file; in the secure execution environment the policy file is managed, where the management includes at least one or more of query, load, update and store. This improves the security of the Android system.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Description
The present invention relates to the field of application security technologies, and in particular to a policy management method, system and computer storage medium.
With the continuing spread of the mobile Internet and of electronic devices of all kinds, the security of devices running the Android system has become a focus of attention for both industry and users. At present the main reasons Android vulnerabilities occur so frequently are an open development environment, the lack of a protection mechanism for device data, and very limited control and management policies.
Normally the Android system controls permissions through its sandbox mechanism. If, however, the device's superuser (root) privilege is usurped, every application's resources become accessible to the superuser, and a virus program can seize the opportunity to take control of the device, seriously compromising its security.
To address this problem, and to block attacks by malicious applications (apps) on the Android system or on other applications, Android introduced from version 4.3 a SELinux-based security mechanism called SEAndroid to strengthen system security. The central idea of SEAndroid is to enforce a security policy through Mandatory Access Control (MAC): even if root privilege is usurped, access rights remain restricted by the security policy, so the security risk of an attack is minimized. The existing technology thus improves the security of secure applications on Android to a certain extent, but the following problem remains: SEAndroid's security policy files are installed under the platform/external/sepolicy directory, that is, the deployed policy files are kept in the non-secure environment. Once an attacker obtains the policy file, tampers with the access rules it defines and implants malicious code, the security policy can no longer guarantee the security of the device or of its secure applications.
The advent of processors with a security isolation function has opened a new path for device security: protection is integrated into the core to secure the Android system, while a secure software platform lets semiconductor manufacturers, device manufacturers and operating system partners extend and develop their own security solutions on a shared framework. For example, the security isolation technology of ARM processors, TrustZone, completely isolates the non-secure execution environment from the secure execution environment, and transitions between secure and non-secure mode pass through the security monitor (Monitor).
How to use security isolation technology to improve the security of the Android system has therefore become an urgent problem.
Summary of the invention
In view of this, embodiments of the present invention aim to provide a policy management method, system and computer storage medium that can improve the security of the Android system.
To achieve this objective, the technical solution of the embodiments of the present invention is implemented as follows.
An embodiment of the present invention provides a policy management method, the method including:
dividing the execution environment, using security isolation technology, into a non-secure execution environment and a secure execution environment;
in the non-secure execution environment, assigning each application to a domain, and providing a mandatory access control (MAC) query service for access between applications of the various domains according to a pre-defined policy file;
in the secure execution environment, managing the policy file, where the management includes at least one or more of: query, load, update and store.
In the above solution, providing the MAC query service for access between applications of the various domains according to the pre-defined policy file includes:
when a preset condition is met, sending a first instruction to the secure execution environment side;
receiving a first instruction response result returned by the secure execution environment side;
correspondingly, managing the policy file includes:
performing a first operation on the policy file according to the first instruction, where the first operation includes at least one or more of: query, load, update and store;
returning the first instruction response result to the non-secure execution environment side.
In the above solution, sending the first instruction to the secure execution environment side when the preset condition is met includes:
when it is detected that a first application accesses a second application, obtaining the domain information of the first application and of the second application;
sending the first instruction to the secure execution environment side, where the first instruction carries at least the domain information of the first application and the second application.
In the above solution, performing the first operation on the policy file according to the first instruction includes:
querying the policy library according to the domain information of the first application and the second application to obtain a query result;
returning the first instruction response result to the non-secure execution environment side based on the query result.
In the above solution, assigning each application to a domain further includes:
marking applications pre-installed in the system as the system domain; when the installation of a new application is detected, verifying the digital certificate signature of the new application; if verification passes, marking the new application as the secure domain; if verification fails or there is no digital certificate signature, marking the new application as the non-secure domain.
In the above solution, managing the policy file further includes:
formulating, according to preset rules, a policy file for the new application based on first information of the new application, where the first information includes at least domain information and a user identifier;
updating the policy library based on the policy file of the new application.
In the above solution, the preset rules include at least one or more of:
a first rule for a non-secure domain application accessing a non-secure domain application,
a second rule for a non-secure domain application accessing a secure domain application,
a third rule for a secure domain application accessing a non-secure domain application,
a fourth rule for a secure domain application accessing a secure domain application,
a fifth rule for a non-secure domain application or a secure domain application accessing a system domain application; where the domains are divided at least into the system domain, the secure domain and the non-secure domain.
An embodiment of the present invention further provides a policy management system in which the execution environment is divided, using security isolation technology, into a non-secure execution environment and a secure execution environment; the system includes a non-secure operating system and a secure operating system, where
the non-secure operating system, located in the non-secure execution environment, is configured to assign each application to a domain and to provide a MAC query service for access between applications of the various domains according to a pre-defined policy file;
the secure operating system, located in the secure execution environment, is configured to manage the policy file, where the management includes at least one or more of: query, load, update and store.
In the above solution, the non-secure operating system includes a first policy management module and a first communication proxy module, where
the first policy management module is configured to assign each application to a domain and, when a preset condition is met, to send a first instruction to the secure execution environment side through the first communication proxy module;
the first communication proxy module is configured to send the first instruction to the secure execution environment, to receive the first instruction response result returned by the secure execution environment side, and to pass that result to the first policy management module;
correspondingly, the secure operating system includes a second policy management module and a second communication proxy module, where
the second policy management module is configured to perform a first operation on the policy file according to the first instruction, where the first operation includes at least one or more of: query, load, update and store, and to send the first instruction response result to the non-secure execution environment side through the second communication proxy module;
the second communication proxy module is configured to receive the first instruction sent by the first communication proxy module and pass it to the second policy management module, and to receive the first instruction response result returned by the second policy management module and pass it to the first communication proxy module.
In the above solution, the first policy management module includes a domain partitioning unit and a MAC management unit, where
the domain partitioning unit is configured to assign each application to a domain; when it detects that a first application accesses a second application, to obtain the domain information of the first and second applications; and to send that domain information to the MAC management unit;
the MAC management unit is configured to send a first instruction to the secure execution environment side, where the first instruction carries at least the domain information of the first and second applications.
In the above solution, the second policy management module includes:
a policy query unit, configured to:
query the policy library according to the domain information of the first and second applications to obtain a query result;
send the first instruction response result to the non-secure execution environment side based on the query result.
In the above solution, the domain partitioning unit is further configured to:
mark applications pre-installed in the system as the system domain; when the installation of a new application is detected, verify the digital certificate signature of the new application; if verification passes, mark the new application as the secure domain; if verification fails or there is no digital certificate signature, mark the new application as the non-secure domain.
In the above solution, the second policy management module further includes:
a policy update unit, configured to formulate, according to preset rules, a policy file for the new application based on first information of the new application, where the first information includes at least domain information and a user identifier, and to update the policy library based on the policy file of the new application;
a secure storage unit, configured to store policy files in non-volatile secure storage;
a policy loading unit, configured to read a policy file from the non-volatile secure storage and load it into the policy library located in the kernel of the secure operating system, so that the policy update unit can update the policy library.
In the above solution, the preset rules include at least one or more of:
a first rule for a non-secure domain application accessing a non-secure domain application,
a second rule for a non-secure domain application accessing a secure domain application,
a third rule for a secure domain application accessing a non-secure domain application,
a fourth rule for a secure domain application accessing a secure domain application,
a fifth rule for a non-secure domain application or a secure domain application accessing a system domain application; where the domains are divided at least into the system domain, the secure domain and the non-secure domain.
An embodiment of the present invention provides a computer storage medium storing a computer program, the computer program being used to execute the policy management method described above.
The policy management method, system and computer storage medium provided by the embodiments of the present invention use security isolation technology to divide the execution environment into a non-secure execution environment and a secure execution environment; in the non-secure execution environment each application is assigned to a domain, and a MAC query service is provided for access between applications of the various domains according to a pre-defined policy file; in the secure execution environment the policy file is managed, where the management includes at least one or more of: query, load, update and store. In this way the technical solution of the embodiments of the present invention can improve the security of the Android system and greatly improve the user experience.
FIG. 1 is a schematic flowchart of a policy management method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of the framework of a policy management system according to an embodiment of the present invention;
FIG. 3 is a schematic flowchart of the policy processing during installation of a new application according to an embodiment of the present invention;
FIG. 4 is a schematic flowchart of the processing of a non-secure domain application accessing a secure domain application according to an embodiment of the present invention;
FIG. 5 is a schematic flowchart of the processing of a secure domain application accessing a secure domain application according to an embodiment of the present invention.
The technical solution of the present invention is described in further detail below with reference to the accompanying drawings and specific embodiments.
FIG. 1 is a schematic flowchart of a policy management method according to an embodiment of the present invention, applied in an electronic device. As shown in FIG. 1, the policy management method mainly includes the following steps:
Step 101: Using security isolation technology, divide the execution environment into a non-secure execution environment and a secure execution environment.
In one embodiment, a processor with a security isolation function may be used to divide the policy management deployed on the Android system into a secure part and a non-secure part.
Here the processor may be an ARM processor with a security isolation function.
Step 102: In the non-secure execution environment, assign each application to a domain, and provide a mandatory access control (MAC) query service for access between applications of the various domains according to a pre-defined policy file.
Step 103: In the secure execution environment, manage the policy file, where the management includes at least one or more of: query, load, update and store.
That is, by introducing security isolation technology this embodiment splits policy management between a secure side and a non-secure side: the non-secure side only sends commands, while the actual storage of the policy and the operations on it are carried out in the secure execution environment (trusted environment). This raises the security of policy storage and of the policy operations (query, update, load, etc.), and thereby the security of the Android system.
In the above solution, in one embodiment, providing the MAC query service for access between applications of the various domains according to the pre-defined policy file may include:
when a preset condition is met, sending a first instruction to the secure execution environment side;
receiving a first instruction response result returned by the secure execution environment side;
correspondingly, managing the policy file may include:
performing a first operation on the policy file according to the first instruction, where the first operation includes at least one or more of: query, load, update and store;
returning the first instruction response result to the non-secure execution environment side.
In the above solution, in one embodiment, sending the first instruction to the secure execution environment side when the preset condition is met includes:
when it is detected that a first application accesses a second application, obtaining the domain information of the first application and of the second application;
sending the first instruction to the secure execution environment side, where the first instruction carries at least the domain information of the first application and the second application.
Here the first application corresponds to the access subject, and the file or socket resources of the second application correspond to the access object. The first application may be an application of the secure domain or of the non-secure domain; the second application may be an application of the secure domain, of the non-secure domain or of the system domain. Note that applications are generally processes and therefore subjects, while the resources within an application, such as files and sockets, are objects.
In the above solution, in one embodiment, performing the first operation on the policy file according to the first instruction may include:
querying the policy library according to the domain information of the first application and the second application to obtain a query result;
returning the first instruction response result to the non-secure execution environment side based on the query result.
In the above solution, preferably, assigning each application to a domain may further include:
marking applications pre-installed in the system as the system domain; when the installation of a new application is detected, verifying the digital certificate signature of the new application; if verification passes, marking the new application as the secure domain; if verification fails or there is no digital certificate signature, marking the new application as the non-secure domain.
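The domain partitioning rule just stated (and stated identically in the summary of the invention above) is the one decision on the non-secure side that determines which policy a new application will fall under, so it is worth seeing the failure modes: unsigned, signed under the wrong key, and tampered after signing must all land in the non-secure domain. The following is an added example written for this page, not code from the patent. It uses an HMAC over the package contents with a constructed trust-anchor key as a stand-in for verifying the application's digital certificate signature (assumption: a real deployment verifies the signing certificate against the platform's trust anchor instead), and the refusal to re-label a name that is already installed is likewise an assumption added here. Package names, UIDs and contents are constructed sample data.

```python
"""Domain partitioning of applications on the non-secure side.

Added example, not the patent's code. verify_signature() uses an HMAC with a
constructed trust-anchor key as a stand-in for certificate signature
verification (assumption); on_install() returns the "first information"
(domain, user identifier) that the policy update unit consumes.
"""
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class Domain(Enum):
    SYSTEM = "system"
    SECURE = "secure"
    NON_SECURE = "non_secure"


# Constructed trust anchor; stands in for the trusted signing certificate.
TRUST_ANCHOR = b"constructed-trust-anchor-key"


@dataclass(frozen=True)
class Package:
    name: str
    uid: int                     # user identifier assigned at installation
    contents: bytes
    signature: Optional[bytes]   # None: the package carries no signature


def sign_package(contents, key):
    """Stand-in for the signature a developer certificate would attach."""
    return hmac.new(key, contents, hashlib.sha256).digest()


def verify_signature(pkg, key=TRUST_ANCHOR):
    """True only for a present signature that matches the contents under the trust anchor."""
    if pkg.signature is None:
        return False
    expected = hmac.new(key, pkg.contents, hashlib.sha256).digest()
    return hmac.compare_digest(expected, pkg.signature)


class DomainPartitioningUnit:
    """Pre-installed applications are system domain; a new application is
    secure domain only if its signature verifies, otherwise non-secure."""

    def __init__(self, preinstalled):
        self._domains: Dict[str, Domain] = {name: Domain.SYSTEM for name in preinstalled}

    def on_install(self, pkg):
        if pkg.name in self._domains:
            # Assumption: a new package may not take over an existing label,
            # in particular not the name of a pre-installed system-domain app.
            raise ValueError(f"{pkg.name} is already installed")
        domain = Domain.SECURE if verify_signature(pkg) else Domain.NON_SECURE
        self._domains[pkg.name] = domain
        return {"app": pkg.name, "domain": domain.value, "uid": pkg.uid}

    def domain_of(self, name):
        return self._domains[name]


def demo_install():
    """Constructed sample packages covering each classification outcome."""
    unit = DomainPartitioningUnit(["calculator", "flashlight"])
    body = b"constructed apk bytes"
    results = {
        "signed_ok": unit.on_install(Package("bank", 10101, body, sign_package(body, TRUST_ANCHOR))),
        "unsigned": unit.on_install(Package("game", 10102, body, None)),
        "wrong_key": unit.on_install(Package("fake_bank", 10103, body, sign_package(body, b"attacker-key"))),
        "tampered": unit.on_install(Package("patched", 10104, body + b"!", sign_package(body, TRUST_ANCHOR))),
    }
    return unit, results


if __name__ == "__main__":
    unit, results = demo_install()
    for label, info in results.items():
        print(f"{label:10s} -> {info}")
    print("calculator:", unit.domain_of("calculator").value)
```

Only the first package ends up in the secure domain; the other three are all non-secure, which is the fail-closed behaviour the rule calls for. The returned record is the domain information plus user identifier that the policy update unit on the secure side uses to formulate the new application's policy file.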
上述方案中,在一实施例中,所述对策略文件进行管理,还包括:In the above solution, in an embodiment, the managing the policy file further includes:
按照预设规则,基于所述新应用的第一信息制定关于所述新应用的策略文件;其中,所述第一信息至少包括域信息、用户标识;Determining, according to a preset rule, a policy file about the new application based on the first information of the new application, where the first information includes at least domain information and a user identifier;
基于所述新应用的策略文件更新策略库。Updating the policy library based on the policy file of the new application.
如此,能够及时为新安装的应用制定策略,从而保证电子设备安全环境的安全性。In this way, strategies can be developed for newly installed applications in a timely manner to ensure the security of the secure environment of electronic devices.
其中,所述预设规则至少包括下述中的一种或几种:The preset rule includes at least one or more of the following:
非安全域应用访问非安全域应用的第一规则,The first rule for non-secure domain applications to access non-secure domain applications,
非安全域应用访问安全域应用的第二规则,The second rule for non-secure domain applications to access security domain applications,
安全域应用访问非安全域应用的第三规则,The third rule for the security domain application to access the non-secure domain application,
安全域应用访问安全域应用的第四规则,The fourth rule of the security domain application accessing the security domain application,
非安全域应用、安全域应用访问系统域应用的第五规则;其中,所述域至少分为:系统域、安全域、非安全域。The fifth rule of the non-secure domain application and the security domain application accessing the system domain application; wherein the domain is at least divided into: a system domain, a security domain, and a non-security domain.
这里,所述第一规则是:允许非安全域应用访问非安全域应用;所述第二规则是:不允许非安全域应用访问安全域应用;所述第三规则是:不允许安全域应用访问非安全域应用;所述第四规则是:允许安全域应用访问安全域应用;所述第五规则是:允许非安全域应用以及安全域应用访问系统域应用。Here, the first rule is: allowing a non-secure domain application to access the non-secure domain application; the second rule is: not allowing the non-secure domain application to access the security domain application; the third rule is: disallowing the security domain application Accessing the non-secure domain application; the fourth rule is: allowing the security domain application to access the security domain application; the fifth rule is: allowing the non-secure domain application and the security domain application to access the system domain application.
其中,所述系统域中的应用为安卓系统的电子设备预先安装的应用,如计算器应用、手电筒应用等。The application in the system domain is an application pre-installed by an electronic device of the Android system, such as a calculator application, a flashlight application, and the like.
本实施例通过采用具有安全隔离功能的处理器将安卓部署的策略管理分割为非安全和安全两个部分,其中非安全部分负责域划分、MAC控制管理功能,安全部分负责策略的安全存储、策略加载、查询和更新功能。这样,可将策略的保存和操作与非安全环境彻底隔离,在不改变现有安卓技术架构的前提下,可以将安全策略部署在智能终端上并可以安全地管理策 略文件。例如:MAC模式下:Web服务器进程所能操作的对象和权限均在安全策略中明确列出(只允许访问网络和访问特定文件等)。即便Web服务器被注入了恶意病毒,仍然无法借由Web服务器进程为所欲为,因为所有安全策略上没有授权的行为仍然是不允许的,更重要的是,策略存储在安全环境,是不可能被篡改或恶意代码植入的。In this embodiment, the policy management of the Android deployment is divided into non-secure and security parts by using a processor with security isolation function, wherein the non-secure part is responsible for domain division and MAC control management functions, and the security part is responsible for secure storage of policies and policies. Load, query, and update features. In this way, the policy can be saved and operated completely from the non-secure environment. Without changing the existing Android technology architecture, the security policy can be deployed on the smart terminal and the policy can be managed securely. Slightly document. For example: in MAC mode: The objects and permissions that the web server process can operate are clearly listed in the security policy (only access to the network and access to specific files, etc.). Even if the web server is injected with a malicious virus, it is still impossible to do whatever it wants by the web server process, because the unauthorized behavior of all security policies is still not allowed. More importantly, the policy is stored in a secure environment and cannot be tampered with or Malicious code is implanted.
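The domain division at install time and the five preset rules above, worked through as an added example (this is illustration code written for this page, not code from the patent or from any Android component). It assumes that the publisher's certificate signature check can be stood in for by an HMAC-SHA256 over the package bytes keyed by a constructed trusted-publisher table, and that subject/object domain pairs the patent does not mention (a system-domain subject) are denied by default; the application names and uids are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The three domains the patent divides applications into.
SYSTEM, SECURE, NONSECURE = "system", "secure", "nonsecure"

# The five preset rules as (subject domain, object domain) -> allowed.
# Pairs the patent does not state (a system-domain subject) are absent here
# and decide() denies them; that default is this example's assumption.
PRESET_RULES = {
    (NONSECURE, NONSECURE): True,   # rule 1
    (NONSECURE, SECURE): False,     # rule 2
    (SECURE, NONSECURE): False,     # rule 3
    (SECURE, SECURE): True,         # rule 4
    (NONSECURE, SYSTEM): True,      # rule 5
    (SECURE, SYSTEM): True,         # rule 5
}


def decide(subject_domain: str, object_domain: str) -> bool:
    """MAC decision for one subject-domain/object-domain pair (default deny)."""
    return PRESET_RULES.get((subject_domain, object_domain), False)


# Constructed stand-in for the publishers' certificates: signer name -> key.
# The patent verifies an asymmetric certificate signature on the new package;
# an HMAC-SHA256 over the package bytes plays that role here so the example
# runs with the standard library only.
TRUSTED_PUBLISHERS = {"acme-bank": b"constructed-demo-key-acme"}


@dataclass
class App:
    name: str
    uid: int                      # Android assigns each app its own uid
    package: bytes                # the package contents being installed
    preinstalled: bool = False
    signer: Optional[str] = None
    signature: Optional[bytes] = None


def sign_package(signer: str, package: bytes) -> bytes:
    """What a trusted publisher's signing step produces (constructed helper)."""
    return hmac.new(TRUSTED_PUBLISHERS[signer], package, hashlib.sha256).digest()


def signature_verifies(app: App) -> bool:
    """True only if the package carries a valid signature from a trusted publisher."""
    if app.signature is None or app.signer not in TRUSTED_PUBLISHERS:
        return False   # no certificate signature, or an unknown publisher
    expected = sign_package(app.signer, app.package)
    return hmac.compare_digest(expected, app.signature)


def assign_domain(app: App) -> str:
    """Domain division unit: pre-installed -> system domain; verified signature ->
    secure domain; failed or missing signature -> non-secure domain."""
    if app.preinstalled:
        return SYSTEM
    return SECURE if signature_verifies(app) else NONSECURE


def make_policy_file(app: App, domain: str) -> List[Tuple[int, str, str, bool]]:
    """Policy update unit: the new app's policy entries, derived from its uid and
    domain by the preset rules. Each entry is (uid, subject domain, object
    domain, allowed), one per domain the app might act on as a subject."""
    return [(app.uid, domain, obj, decide(domain, obj))
            for obj in (SYSTEM, SECURE, NONSECURE)]


def install(app: App) -> Tuple[str, List[Tuple[int, str, str, bool]]]:
    """Install-time path: classify the app, then formulate its policy file."""
    domain = assign_domain(app)
    return domain, make_policy_file(app, domain)
```

A package whose signature was made over different bytes, or by a signer not in the table, lands in the non-secure domain exactly as an unsigned one does; the compare is constant-time so the check leaks nothing about how close a forged signature came.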
Embodiment 2
FIG. 2 is a schematic diagram of the framework of a policy management system according to an embodiment of the present invention. As shown in FIG. 2, the policy management system uses security isolation technology to divide the execution environment into a non-secure execution environment and a secure execution environment. The system mainly includes a non-secure operating system 10 and a secure operating system 20, where:
the non-secure operating system 10, located in the non-secure execution environment, is configured to divide the applications into domains and to provide a MAC query service for access between applications of the various domains according to pre-formulated policy files;
the secure operating system 20, located in the secure execution environment, is configured to manage the policy files, where the management includes at least one or more of: querying, loading, updating and storing.
In an embodiment, the non-secure operating system 10 runs in the non-secure execution environment of a processor with a security isolation function. It may be an operating system commonly used on electronic devices, such as a Linux operating system, on which the various applications of the Android system can run.
In an embodiment, the secure operating system 20 runs in the secure execution environment of the processor with the security isolation function and is responsible for the secure storage of policy files and related operations, where the operations include at least querying, loading and updating.
In an embodiment, the system further includes:
a security monitor 30, which is an operating mode of the ARM processor, namely monitor mode, responsible for switching the execution environment, where the execution environment includes the non-secure execution environment and the secure execution environment. It should be noted here that the security monitor is not a hardware unit but a working mode of the central processing unit (CPU), on a par with User mode, Supervisor (Svc) mode and the like; at any moment the CPU is necessarily in one of these execution modes. When the first communication proxy module receives a query command from the upper layer, the CPU is in Svc mode; the second communication proxy module then, in Svc mode, invokes the system management controller (SMC, System Management Controller) instruction, which switches the CPU into monitor mode, where it can switch between the secure execution environment and the non-secure execution environment.
a non-volatile secure storage space 40, responsible for storing the security policy files.
Here, the non-volatile secure storage space 40 is a region exclusively owned by the second policy management module 21 and cannot be accessed by applications in the non-secure execution environment or by other secure applications in the secure execution environment.
Because the security policy files are kept in the non-volatile secure storage space 40, and because in the Android system access to all files, directories and ports is governed by policy settings, the secure side need only formulate fine-grained, high-security policies to isolate communication between applications via inter-process communication (IPC, Internet Process Connection), the file system, sockets and so on.
In an embodiment, the non-secure operating system 10 includes a first policy management module 11 and a first communication proxy module 12, where:
the first policy management module 11 is configured to divide the applications into domains and, when a preset condition is met, to send a first instruction to the secure execution environment side through the first communication proxy module 12;
the first communication proxy module 12 is configured to send the first instruction to the secure execution environment, to receive the first-instruction response result returned by the secure execution environment side, and to send the first-instruction response result to the first policy management module 11.
Correspondingly, the secure operating system 20 includes a second policy management module 21 and a second communication proxy module 22, where:
the second policy management module 21 is configured to perform a first operation on the policy file according to the first instruction, where the first operation includes at least one or more of: querying, loading, updating and storing; and to send a first-instruction response result to the non-secure execution environment side through the second communication proxy module 22;
the second communication proxy module 22 is configured to receive the first instruction sent by the first communication proxy module 12 and send it to the second policy management module 21, and to receive the first-instruction response result returned by the second policy management module 21 and send it to the first communication proxy module 12.
That is, the first policy management module 11 and the second policy management module 21 complete security policy updating, querying, storing and other operations by sending commands, so as to control communication between applications; the first policy management module 11 communicates with the second policy management module 21 through the first communication proxy module 12, and the second policy management module 21 communicates with the first policy management module 11 through the second communication proxy module 22.
The first policy management module 11 is responsible for marking the various applications as belonging to different domains (security levels), where the applications include applications released with the system and applications released by third parties.
In an embodiment, the first policy management module 11 includes a domain division unit 111 and a MAC management unit 112, where:
the domain division unit 111 is configured to divide the applications into domains; when it detects that a first application accesses a second application, to obtain the domain information of the first application and the second application; and to send the domain information of the first application and the second application to the MAC management unit 112;
the MAC management unit 112 is configured to send a first instruction to the secure execution environment side, where the first instruction carries at least the domain information of the first application and the second application.
Here, the domains can be divided into three broad categories: the system domain, the secure domain and the non-secure domain.
In an embodiment, the second policy management module 21 includes:
a policy query unit 211, configured to:
query the policy library according to the domain information of the first application and the second application to obtain a query result; and
send a first-instruction response result to the non-secure execution environment side based on the query result.
The query result is either access allowed or access denied.
In an embodiment, the domain division unit 111 is further configured to:
mark the applications pre-installed in the system as the system domain; when the installation of a new application is detected, verify the digital certificate signature of the new application; if verification passes, mark the new application as the secure domain; if verification fails or there is no digital certificate signature, mark the new application as the non-secure domain.
For example, in FIG. 2, domain A represents the non-secure domain, domain B represents the secure domain, and domain C represents the system domain.
For example, application 1 is an application running on the non-secure operating system 10; if it was not verified at installation, it is in the non-secure domain, i.e. domain A. Application 2 is an application running on the non-secure operating system 10; since it passed publisher signature verification at installation, it is in the secure domain, i.e. domain B.
In an embodiment, the MAC management unit 112 is responsible for managing access permissions between applications.
In an embodiment, when a subject (an Android application) accesses an object (a file or socket of another Android application), the first policy management module 11 first performs a basic discretionary access control (DAC) check; if the check fails, the access is denied directly. If the check passes, the second communication proxy module 12 is invoked to switch to the policy query unit 212 of the second policy management module 21 on the secure side, so that the policy query unit 212 queries whether the subject holds the access permission, and the query result is returned to the subject. In this way, a non-secure application (such as application 1) and a secure-side application (application 2) can be prevented from communicating through components.
In an embodiment, the second policy management module 21 further includes:
a policy update unit 212, configured to formulate, according to the preset rule, a policy file for the new application based on first information of the new application, where the first information includes at least domain information and a user identifier, and to update the policy library based on the policy file of the new application;
a secure storage unit 213, configured to store policy files in the non-volatile secure storage space;
a policy loading unit 214, configured to read policy files from the non-volatile secure storage space 40 and load them into the policy library located in the kernel of the secure operating system, so that the policy update unit can update the policy library.
Here, the non-volatile secure storage space 40 is a region exclusively owned by the second policy management module 21 and cannot be accessed by applications in the non-secure execution environment or by other secure applications in the secure execution environment.
Because the security policy files are kept in the non-volatile secure storage space 40, and because in the Android system access to all files, directories and ports is governed by policy settings, the secure side need only formulate fine-grained, high-security policies to isolate communication between applications via IPC, the file system, sockets and so on.
In this embodiment, the policy file may be represented in binary form.
In an embodiment, the preset rule includes at least one or more of the following:
a first rule for a non-secure domain application accessing a non-secure domain application,
a second rule for a non-secure domain application accessing a secure domain application,
a third rule for a secure domain application accessing a non-secure domain application,
a fourth rule for a secure domain application accessing a secure domain application,
a fifth rule for a non-secure domain application or a secure domain application accessing a system domain application; where the domains are divided at least into the system domain, the secure domain and the non-secure domain.
Here, the first rule is: a non-secure domain application is allowed to access a non-secure domain application; the second rule is: a non-secure domain application is not allowed to access a secure domain application; the third rule is: a secure domain application is not allowed to access a non-secure domain application; the fourth rule is: a secure domain application is allowed to access a secure domain application; the fifth rule is: non-secure domain applications and secure domain applications are allowed to access system domain applications.
In an embodiment, the policy update unit 212 is responsible for securely updating the policy file and the policy library when an application is installed or uninstalled, according to an instruction from the MAC management module 112 located on the non-secure side.
In an embodiment, the policy loading unit 211 is responsible for reading policy files from the non-volatile secure storage space exclusively owned by the second policy management module 21 and loading them into the policy library located in the kernel of the secure operating system; it is also responsible for responding to instructions from the policy update unit 212 and starting the loading process when a new application is installed or an application is uninstalled.
Embodiment 3
FIG. 3 is a schematic diagram of the policy processing flow during installation of a new application according to an embodiment of the present invention. As shown in FIG. 3, the flow mainly includes the following steps:
Step 301: install a new application in the non-secure execution environment.
Here, the new application refers to an application not yet installed on the electronic device, where the system of the electronic device is the Android system.
Step 302: the domain division unit in the first policy management module assigns the new application to a domain.
In an embodiment, the domain division unit verifies the new application according to its digital certificate signature; if verification passes, the new application is marked as the secure domain; if verification fails, the new application is marked as the non-secure domain.
That is, whenever a new application is installed on the electronic device, the newly installed application is assigned to a domain, so that a policy file is formulated for it in real time and the policy library is updated.
Step 303: the domain division unit sends information such as the domain information and user name of the new application to the MAC management unit in the first policy management module.
Step 304: the MAC management unit sends a policy update instruction to the policy update unit through the first communication proxy module.
That is, when the MAC management unit receives the domain information, user name and other information of the new application, it starts the first communication proxy module to notify the secure side to update the policy.
In an embodiment, step 304 may include:
Step 304a: the first communication proxy module executes a first instruction so that the processor enters security monitor (monitor) mode, in which the non-secure side context is saved;
Step 304b: the security monitor switches to the secure execution environment and restores the secure side context.
Here, the secure execution environment may also be called a trusted execution environment.
It should be noted that the following steps 305 to 314 are operations performed in the secure execution environment.
Step 305: the policy update unit in the second policy management module formulates a policy for the new application and issues an update-policy-library instruction.
In this embodiment, the policy formulated by the policy update unit for the new application is assumed to be called the first policy file.
Steps 306 to 307: the policy update unit invokes the secure storage unit to store the first policy file in the non-volatile secure storage space exclusively owned by the second policy management module.
Step 308: after completing storage of the first policy file, the secure storage unit returns a storage-success response to the policy update unit.
Step 309: the second policy management module invokes the policy loading unit to start the policy loading process.
Steps 310 to 312: the policy loading unit reads the first policy file and, when reading is complete, loads the first policy file into the policy library.
Here, the policy library is located in the kernel of the secure operating system.
Step 313: the policy loading unit returns an update-policy-library-success response to the policy update unit.
Step 314: the policy update unit returns a policy-update-complete message to the MAC management unit.
In an embodiment, step 314 may include:
Step 314a: the second communication proxy module executes a second instruction so that the processor enters security monitor (monitor) mode, in which the secure side context is saved;
Step 314b: the security monitor switches to the non-secure execution environment and restores the non-secure side context.
Step 315: the MAC management unit parses the execution result returned by the secure side. At this point, loading of the new application's policy is complete and installation of the new application is complete.
Embodiment 4
FIG. 4 is a schematic diagram of the processing flow for a non-secure domain application accessing a secure domain application according to an embodiment of the present invention. As shown in FIG. 4, the flow mainly includes the following steps:
Step 401: a non-secure domain application accesses a secure domain application.
In an embodiment, access between applications of the various domains may be detected by the domain division unit in the first policy management module.
In this embodiment, the non-secure domain application is application 1 and the secure domain application is application 2.
Step 402: the first policy management module invokes the MAC management unit to perform a permission query.
Step 403: the MAC management unit in the first policy management module sends a query request to the policy query unit in the second policy management module located on the secure side.
The query request includes at least the domain information of application 1 and application 2.
In an embodiment, step 403 may include:
Step 403a: the second communication proxy module saves the non-secure side context and executes a first instruction so that the processor enters secure mode;
Step 403b: the security monitor switches to the secure execution environment and restores the secure side context.
Here, the secure execution environment may also be called a trusted execution environment.
It should be noted that the following steps 404 to 405 are operations performed in the secure execution environment.
Step 404: the policy query unit obtains the domain information of application 1 and application 2 and matches it against the policies in the policy library in the kernel of the secure operating system; the result is access denied.
That is, a non-secure application is not allowed to access a secure domain application.
Step 405: the policy query unit returns the query result to the MAC management unit.
In an embodiment, step 405 may include:
Step 405a: the second communication proxy module executes a second instruction so that the processor enters security monitor (monitor) mode, in which the secure side context is saved;
Step 405b: the security monitor switches to the non-secure execution environment and restores the non-secure side context.
Step 406: the MAC management unit returns the query result to the access subject (i.e. the non-secure domain application), and the access is forbidden.
That is, when it is detected that a non-secure domain application attempts to access a file or socket in a secure domain application, the MAC management unit in the first policy management module sends a message through the first communication proxy module to switch to the secure execution environment, and the second policy management module located in the secure execution environment queries the access permission. Because the policy library is located in the secure execution environment, the security of the Android system is improved.
Embodiment 5
FIG. 5 is a schematic diagram of the processing flow for a secure domain application accessing a secure domain application according to an embodiment of the present invention. As shown in FIG. 5, the flow mainly includes the following steps:
Step 501: a secure domain application accesses a secure domain application.
In an embodiment, access between applications of the various domains may be detected by the domain division unit in the first policy management module.
Step 502: the first policy management module invokes the MAC management unit to perform a permission query.
Step 503: the MAC management unit in the first policy management module sends a query request to the policy query unit in the second policy management module located on the secure side.
The query request includes at least the domain information of the access subject and the access object.
In an embodiment, step 503 may include:
Step 503a: the second communication proxy module executes a first instruction so that the processor enters security monitor (monitor) mode, in which the non-secure side context is saved;
Step 503b: the security monitor switches to the secure execution environment and restores the secure side context.
Here, the secure execution environment may also be called a trusted execution environment.
It should be noted that the following steps 504 to 505 are operations performed in the secure execution environment.
Step 504: the policy query unit obtains the domain information of the access subject and the access object and matches it against the policies in the policy library in the kernel of the secure operating system; the result is access allowed.
That is, a secure application is allowed to access a secure domain application.
Step 505: the policy query unit returns the query result to the MAC management unit.
In an embodiment, step 505 may include:
Step 505a: the second communication proxy module saves the secure side context and executes a second instruction so that the processor enters non-secure mode;
Step 505b: the security monitor switches to the non-secure execution environment and restores the non-secure side context.
Step 506: the MAC management unit returns the query result to the access subject, and the access is allowed.
That is, secure domain applications are allowed to access one another, so data can be shared between secure applications.
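The split described in Embodiments 2 to 5 (a non-secure side that only issues update and query commands, and a secure side that stores the binary policy file, loads it into a kernel policy library and answers queries), worked through as one added example. This is illustration code written for this page, not the patent's or any vendor's implementation: the SMC world switch with its context save and restore is stood in for by a method call, the non-volatile secure storage by an in-memory bytearray, the DAC check by a world-readable flag on the object, and the domain codes, record layout and uids are constructed. The system-domain-as-subject row of the allow matrix is not specified by the patent and is encoded as deny here.

```python
import struct

# Constructed domain codes as stored in the binary policy file.
SYSTEM, SECURE, NONSECURE = 0, 1, 2
ALLOW, DENY = "allow", "deny"

# Binary policy file (the patent says the file may be binary): a 9-byte allow
# matrix indexed [subject * 3 + object], then 5-byte records (uid:u32, domain:u8)
# labelling each installed application. The system-domain-as-subject row is
# not specified by the patent and is encoded as deny here (assumption).
MATRIX = bytes([
    0, 0, 0,   # subject = system:     (unspecified by the patent: deny)
    1, 1, 0,   # subject = secure:     system allow, secure allow, non-secure deny
    1, 0, 1,   # subject = non-secure: system allow, secure deny, non-secure allow
])
RECORD = struct.Struct("!IB")


class SecureSide:
    """Secure OS: policy update, secure storage, loading and query units."""

    def __init__(self):
        self.secure_storage = bytearray(MATRIX)  # stand-in for the non-volatile secure space
        self.matrix = b""
        self.policy_library = {}                 # kernel policy library: uid -> domain code
        self.load_policy()

    def load_policy(self):
        """Policy loading unit: read the stored file into the kernel policy library."""
        data = bytes(self.secure_storage)
        self.matrix = data[:9]
        body = data[9:]
        self.policy_library = {}
        for off in range(0, len(body), RECORD.size):
            uid, dom = RECORD.unpack_from(body, off)
            self.policy_library[uid] = dom

    def update_policy(self, uid, domain):
        """Policy update unit -> secure storage unit -> loading unit (steps 305 to 313).
        Arguments arrive from the non-secure side, so they are validated first."""
        if not isinstance(uid, int) or not 0 <= uid < 2 ** 32:
            return "error: bad uid"
        if domain not in (SYSTEM, SECURE, NONSECURE):
            return "error: bad domain"
        self.secure_storage += RECORD.pack(uid, domain)  # store the first policy file
        self.load_policy()                                # reload the library from storage
        return "updated" if self.policy_library.get(uid) == domain else "error: load failed"

    def query(self, subject_uid, object_uid):
        """Policy query unit: match the two apps' domains against the allow matrix."""
        try:
            s, o = self.policy_library[subject_uid], self.policy_library[object_uid]
        except KeyError:
            return DENY  # an app with no domain label has no policy: deny
        return ALLOW if self.matrix[s * 3 + o] else DENY

    def handle(self, command, *args):
        """Second communication proxy: dispatch the first instruction from the non-secure side."""
        if command == "query":
            return self.query(*args)
        if command == "update":
            return self.update_policy(*args)
        return "error: unknown command"


class NonSecureSide:
    """Non-secure OS: domain labelling and DAC live here; the policy file never does."""

    def __init__(self, secure):
        self._secure = secure  # reachable only through monitor_call

    def monitor_call(self, command, *args):
        """First communication proxy: stands in for the SMC instruction that has the
        monitor save the non-secure context and enter the secure world."""
        return self._secure.handle(command, *args)

    def install(self, uid, domain):
        """MAC management unit: tell the secure side about a newly labelled app (step 304)."""
        return self.monitor_call("update", uid, domain)

    def access(self, subject_uid, object_uid, world_readable):
        """One app opening another app's file or socket: DAC first, then the MAC query."""
        if not world_readable:
            return DENY  # basic DAC check fails: deny without leaving the non-secure side
        return self.monitor_call("query", subject_uid, object_uid)
```

The non-secure side never holds a copy of the matrix or the records, so nothing it can overwrite changes a later decision; the only writes it can cause are validated `update` records, which is the command-level control the summary at the end of this description refers to.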
An embodiment of the present invention further describes a computer storage medium storing computer-executable instructions, the computer-executable instructions being used to execute the policy management method described in the foregoing embodiments.
In summary, compared with the prior art, the technical solution of the present invention introduces a processor with a security isolation function to divide policy management into a secure side and a non-secure side, with the modules on the secure side and the non-secure side cooperating to complete the work. The non-secure side is only responsible for sending policy access commands and policy update commands to the secure side, i.e. control at the command level only; the actual storage of policy files, loading of policy files, computation of policy rules, updating of policy files and so on are all placed on the secure side of the security isolation processor. Compared with the policy-related operations of existing SEAndroid, the technical solution of the present invention greatly improves the security of the Android system.
In the several embodiments provided in this application, it should be understood that the disclosed devices and methods may be implemented in other ways. The device embodiments described above are merely illustrative. For example, the division into units is only a division by logical function, and other divisions are possible in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of other forms.
The units described above as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may all be integrated into one processing unit, each unit may be a separate unit, or two or more units may be integrated into one unit; the integrated unit may be implemented in the form of hardware or in the form of hardware plus software functional units.
A person of ordinary skill in the art will understand that all or some of the steps of the above method embodiments may be completed by hardware related to program instructions. The program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes various media that can store program code, such as a removable storage device, a read-only memory (ROM), a magnetic disk or an optical disc.
Alternatively, if the above integrated unit of the present invention is implemented in the form of a software functional module and sold or used as an independent product, it may also be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the embodiments of the present invention, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium and including several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the method described in the embodiments of the present invention. The storage medium includes various media that can store program code, such as a removable storage device, a ROM, a magnetic disk or an optical disc.
The above is only the preferred embodiment of the present invention and is not intended to limit the scope of protection of the present invention. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.
In the embodiments of the present invention, security isolation technology is used to divide the execution environment into a non-secure execution environment and a secure execution environment; in the non-secure execution environment, the applications are divided into domains and a MAC query service is provided for access between applications of the various domains according to pre-formulated policy files; in the secure execution environment, the policy files are managed, where the management includes at least one or more of: querying, loading, updating and storing. In this way, the security of the Android system can be improved.
Claims (15)
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510448288.3A CN106411814B (en) | 2015-07-27 | 2015-07-27 | Method and system for policy management |
CN201510448288.3 | 2015-07-27 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2017016231A1 true WO2017016231A1 (en) | 2017-02-02 |
Family
ID=57884070
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2016/077630 WO2017016231A1 (en) | 2015-07-27 | 2016-03-29 | Policy management method, system and computer storage medium |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN106411814B (en) |
WO (1) | WO2017016231A1 (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2019237864A1 (en) * | 2018-06-12 | 2019-12-19 | 杨力祥 | Security user architecture and authority control method |
CN113794677A (en) * | 2021-07-28 | 2021-12-14 | 北京永信至诚科技股份有限公司 | Control method, device and system for high-interaction honeypot |
CN114039788A (en) * | 2021-11-15 | 2022-02-11 | 绿盟科技集团股份有限公司 | Strategy transmission method, network gate system, electronic equipment and storage medium |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107273162A (en) * | 2017-06-13 | 2017-10-20 | 福州汇思博信息技术有限公司 | A kind of method and terminal for updating Java.policy |
CN111400723A (en) * | 2020-04-01 | 2020-07-10 | 中国人民解放军国防科技大学 | Mandatory access control method and system for operating system kernel based on TEE extension |
CN116232659A (en) * | 2022-12-23 | 2023-06-06 | 厦门网宿有限公司 | Data processing method, device and readable storage medium |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20130101630A (en) * | 2012-02-16 | 2013-09-16 | 삼성전자주식회사 | Method and electronic device for firmware updating |
CN104008332A (en) * | 2014-04-30 | 2014-08-27 | 浪潮电子信息产业股份有限公司 | Intrusion detection system based on Android platform |
CN104392188A (en) * | 2014-11-06 | 2015-03-04 | 三星电子(中国)研发中心 | Security data storage method and system |
CN104601580A (en) * | 2015-01-20 | 2015-05-06 | 浪潮电子信息产业股份有限公司 | Policy container design method based on mandatory access control |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101727555A (en) * | 2009-12-04 | 2010-06-09 | 苏州昂信科技有限公司 | Access control method for operation system and implementation platform thereof |
CN101783799A (en) * | 2010-01-13 | 2010-07-21 | 苏州国华科技有限公司 | Mandatory access control method and system thereof |
CN101997912A (en) * | 2010-10-27 | 2011-03-30 | 苏州凌霄科技有限公司 | Mandatory access control device based on Android platform and control method thereof |
US20140365781A1 (en) * | 2013-06-07 | 2014-12-11 | Technische Universitaet Darmstadt | Receiving a Delegated Token, Issuing a Delegated Token, Authenticating a Delegated User, and Issuing a User-Specific Token for a Resource |
Events
- 2015-07-27: CN CN201510448288.3A patent/CN106411814B/en active Active
- 2016-03-29: WO PCT/CN2016/077630 patent/WO2017016231A1/en active Application Filing
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2019237864A1 (en) * | 2018-06-12 | 2019-12-19 | 杨力祥 | Security user architecture and authority control method |
CN113794677A (en) * | 2021-07-28 | 2021-12-14 | 北京永信至诚科技股份有限公司 | Control method, device and system for high-interaction honeypot |
CN114039788A (en) * | 2021-11-15 | 2022-02-11 | 绿盟科技集团股份有限公司 | Strategy transmission method, network gate system, electronic equipment and storage medium |
CN114039788B (en) * | 2021-11-15 | 2023-05-26 | 绿盟科技集团股份有限公司 | Policy transmission method, gateway system, electronic equipment and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN106411814A (en) | 2017-02-15 |
CN106411814B (en) | 2019-12-06 |
Similar Documents
Publication | Title |
---|---|
JP7086908B2 (en) | How to authenticate the actions performed on the target computing device |
US11531759B2 (en) | Trusted updates |
Smalley et al. | Security enhanced (se) android: bringing flexible mac to android. |
US9916475B2 (en) | Programmable interface for extending security of application-based operating system |
RU2679721C2 (en) | Attestation of host containing trusted execution environment |
Bugiel et al. | Practical and lightweight domain isolation on android |
JP6392879B2 (en) | Mobile communication apparatus and operation method thereof |
KR102244645B1 (en) | Management of authenticated variables |
US8909940B2 (en) | Extensible pre-boot authentication |
KR101176646B1 (en) | System and method for protected operating system boot using state validation |
JP5881835B2 (en) | Web-based interface to access basic input / output system (BIOS) functionality |
US20090125974A1 (en) | Method and system for enforcing trusted computing policies in a hypervisor security module architecture |
KR101308859B1 (en) | Terminal having temporary root authority granting function and root authority granting method using the same |
KR101281678B1 (en) | Method and Apparatus for authorizing host in portable storage device and providing information for authorizing host, and computer readable medium thereof |
CN106411814B (en) | Method and system for policy management |
KR20130040692A (en) | Method and apparatus for secure web widget runtime system |
CN112446029B (en) | Trusted Computing Platform |
CN104735091A (en) | Linux system-based user access control method and device |
US20160004859A1 (en) | Method and system for platform and user application security on a device |
Yao et al. | Building secure firmware |
US11301228B2 (en) | Managing removal and modification of installed programs on a computer device |
CN106886718A (en) | A kind of terminal safety protection method, terminal based on credible micro-domain |
Dimou | Automatic security hardening of Docker containers using Mandatory Access Control, specialized in defending isolation |
Iannillo et al. | An REE-independent Approach to Identify Callers of TEEs in TrustZone-enabled Cortex-M Devices |
CN113515779A (en) | File integrity check method, device, device and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 16829599; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 16829599; Country of ref document: EP; Kind code of ref document: A1 |