WO2021118125A1 - Secure container construction device and method executable by Android application, and computer-readable recording medium on which program thereof is recorded - Google Patents
- Publication number
- WO2021118125A1 (application PCT/KR2020/017016)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- android
- secure container
- container
- application
- executable
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/034—Test or assess a computer or a system
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2149—Restricted operating environment
Definitions
- The present invention relates to an apparatus and method for building a secure container executable by an Android application, and to a computer-readable recording medium on which the program thereof is recorded. The container can be called at the application level without root authority while showing fast performance compared to the existing secure container technology, so it can be implemented without violating the Android framework.
- Container technology is similar to virtual machines, but by simplifying isolation technology, it can share a kernel with the host operating system. Because of this, it is receiving a lot of attention as a faster and lighter technology than the existing virtual machine.
- privilege escalation can be achieved by using the vulnerability inside the container, which may affect the host operating system as well as the control right of the container.
- the container is driven as one process. Therefore, when a task requiring confidentiality is performed inside the container, a separate method to restrict access from the host operating system is required.
- a virtual machine can implement a safer environment than the above container technology, but it has the disadvantage of being heavy and high overhead because it adopts a method of virtualizing and running all systems including virtual CPU and virtual memory.
- a secure container can build an isolated environment using a lightweight virtual machine and inherit the safety of the virtual machine.
- overhead can be reduced by simplifying the operating system inside the virtual machine and executing only the libraries and applications to be used.
- An Android framework that lets the user utilize the secure container by calling it directly at the Android application level has not yet been provided.
- Android inter-process communication goes through Binder, a communication device provided by Android, which prevents the Android application from directly executing the secure container.
- Patent Document 1 Republic of Korea Patent No. 10-1857009
- Patent Document 2 Republic of Korea Patent No. 10-1997061
- The present invention is intended to solve the above problems. Its object is to provide an apparatus and method for constructing a secure container executable by an Android application, and a computer-readable recording medium in which the program thereof is recorded, such that a container can be called at the application level without root authority while showing fast performance compared to the existing secure container technology, and can therefore be implemented without violating the Android framework.
- an apparatus for constructing a secure container executable by an Android application is installed in an Android device, and includes: a Linux kernel generator for generating a Linux kernel module supporting a virtualization environment in the Android kernel; a container service generation unit generating an Android service module having access to the Linux kernel module in an Android framework; and an application command processing unit that receives a command of an Android application and requests the Android service module to create a secure container, wherein the secure container is generated by the Linux kernel module in response to the secure container creation request.
- the communication function between the secure container and the Android service module is built by the secure container, and the communication function between the Android application and the secure container is built by the Android service module.
- The apparatus further includes a proxy for providing each application with a console connected to the secure container.
- the Linux kernel module is KVM, which is a Linux kernel module for implementing a lightweight virtual machine environment.
- the KVM is preferably virtualized for each virtual machine at the hardware level through the hypervisor mode provided by the ARM environment.
- the KVM uses the lkvm binary, and it is preferable to cross-compile the lkvm source code for the ARM architecture, integrate all the dynamic libraries, and compile together as a static library.
- the secure container includes a microkernel as a kernel used in the secure container, and it is preferable that a busybox-based minimum root file system is implemented as a root file system to be used for the secure container.
- The method for building a secure container executable by an Android application is stored in the memory of the Android device and executed by the processor, and includes: a virtual machine creation step in which the Linux kernel generator creates, in the Android kernel, a Linux kernel module supporting the virtualization environment; a system service creation step in which the container service creation unit creates, in the Android framework, an Android service module having access to the Linux kernel module; a container creation request step in which the application command processing unit receives an Android application command and requests the Android service module to create a secure container; and a secure container creation step in which the Linux kernel module receives the creation request through the Android service module and creates a secure container.
- The method further includes a first connection step of establishing a communication function between the secure container and the Android service module by the secure container, and a second connection step of establishing a communication function between the Android application and the secure container by the Android service module.
- the method further includes a proxy step of providing, in the container service generating unit, a console connected to the secure container to each application.
- the step of creating the virtual machine is a step of building KVM, which is a Linux kernel module for implementing a lightweight virtual machine environment.
- virtualization for each virtual machine is performed at the hardware level through the hypervisor mode provided by the ARM environment in the virtual machine creation step.
- In the virtual machine creation step, it is preferable to use the lkvm binary to utilize the KVM: the lkvm source code is received and cross-compiled for the ARM architecture, and all the dynamic libraries are integrated and compiled together as a static library.
- In the secure container creation step, a microkernel is generated as the kernel to be used in the secure container, and a busybox-based minimum root file system is implemented as the root file system to be used for the secure container.
- the computer-readable recording medium is characterized in that a computer program for performing the method of constructing a secure container executable by an Android application as described above is recorded.
- the present invention implements a secure container without invading the Android framework by directly making a container call at the application level without root authority while showing fast performance compared to the existing secure container technology.
- an environment in which the secure container can be utilized at the application level is provided, and applications can execute and terminate the secure container without rooting or administrator privileges and execute specific commands within the secure container.
- FIG. 1 is a view showing an Android device to which a secure container building apparatus according to the present invention is applied.
- FIG. 2 is a configuration diagram showing a device for building a secure container executable by an Android application according to the present invention.
- FIG. 3 is a diagram illustrating a secure container creation architecture implemented in an Android environment according to the present invention.
- FIG. 4 is a diagram showing the performance characteristics of the built secure container according to the present invention.
- FIG. 5 is a flowchart illustrating a method of constructing a secure container executable by an Android application according to the present invention.
- the secure container construction apparatus 20 executable by the Android application according to the present invention is mounted on the Android device 10 and executed.
- the Android device 10 includes a terminal device using an Android operating system (OS).
- Such an Android terminal device may include a mobile device.
- A mobile device is a device capable of wireless communication. Mobile devices include various types such as smartphones, tablet computers, laptops, netbooks, PDAs, PMPs, PSPs, MP3 players, ebook readers, navigation devices, smart cameras, electronic dictionaries, electronic watches, and game machines.
- A mobile device may also be called by other terms, such as a device having mobility, an application, a terminal, a user equipment (UE), a mobile station (MS), a wireless device, or a handheld device, and runs various applications based on Android.
- An application program is a program developed to perform a specific task using a mobile device. It may include all executable programs, such as various applications, software tools, processes and service objects, as well as multimedia contents such as games, videos, and photos, and a viewer or player that executes the multimedia contents.
- The secure container building apparatus 20 executable by the Android application according to the present invention includes a Linux kernel generating unit 21, a container service generating unit 22, and an application command processing unit 23.
- The Linux kernel generator 21 generates the Linux kernel module 11 in the Android kernel.
- The container service generator 22 generates the Android service module 12 in the Android framework.
- The application command processing unit 23 makes a container creation request according to the command of the Android application.
- The above configurations of the present invention may be implemented by a program that can be processed by the processor 25. Accordingly, the apparatus may be configured to further include the memory 24 and the processor 25, or may use process resources in conjunction with them.
- the network interface 26 communicates with an external terminal and may be used for program download.
- FIG. 3 shows a secure container creation architecture implemented in an Android environment according to the present invention.
- A secure container environment executable at the application level is implemented in the Android device 10.
- The Android secure container environment built in the Android device 10 includes a Linux kernel module 11, an Android service module 12, an Android application 13, and a secure container 14.
- The Linux kernel module 11 creates the secure container 14 using a virtualization environment.
- The Android service module 12 is built to be included in the Android framework for operation in an Android environment different from the Linux operating system.
- The Android application 13 requests the creation of a container from the Linux kernel module 11 through the Android service module 12, and after the creation of the secure container 14, it communicates directly with the secure container 14 using the established communication function.
- This invention makes it possible to build a secure container 14 in an Android environment.
- the secure container 14 is implemented without encroaching on the Android framework because it can be called at the application level while showing fast performance.
- the above-described Linux kernel generating unit 21 creates the Linux kernel module 11 in an Android kernel at a lower level of the Android OS.
- the Linux kernel module 11 is implemented as a virtualization module to support a virtualization environment.
- the Linux kernel module 11 is a Kernel-based Virtual Machine (KVM) that is a Linux kernel module 11 for implementing a lightweight virtual machine environment, and the KVM 11 is built in the Android kernel of the Android environment.
- Since the Android kernel was developed by being derived from the Linux kernel, the functions provided by the Linux kernel can be utilized. Therefore, when the KVM 11 is applied to the Android kernel, it is possible to support vcpu and vmem for a virtualization environment.
- As an example, virtualization for a virtual machine is possible at the hardware level by using the hypervisor mode (HYP mode) provided in the ARM environment.
- To utilize the KVM, the lkvm binary is preferably used: the lkvm source code is cross-compiled for the ARM architecture, and the dynamic libraries are integrated and compiled together as a static library.
- The container service creation unit 22 constructs the Android service module 12 to be included in the Android framework so as to have access to the Linux kernel module 11. Accordingly, the Android application 13 can access the Linux kernel module 11 through the Android service module 12.
- The general Android framework does not allow the Android application 13 to directly use the function provided by the Linux kernel module 11. Also, all Android applications are sandboxed.
- the conventional Android interprocess communication relied on a communication device, Binder, and in order to run a container through the Binder in the Android application 13, there is a limitation that the corresponding service must be registered in the Binder.
- The present invention makes the Linux kernel module 11 accessible by having the container service creation unit 22 build the Android service module 12 in the Android framework, and thereby makes it possible to create a secure container 14 at the application level.
- The generated Android service module 12 is added as a system service type that can be included in the Android framework in consideration of an Android environment different from the existing Linux operating system.
- The Android service module 12 has access to the ARM-based lightweight virtual machine environment construction tool to create the secure container 14, and can create and remove the secure container 14 according to the request of the Android application 13.
- the present invention further includes a proxy that provides a console connected to the secure container 14 to each application.
- the Android service module 12 may also serve as a proxy.
- the application command processing unit 23 receives the command of the Android application 13 and executes it. For example, the application command processing unit 23 called by the execution of the Android application 13 processes the command.
- the Android application 13 includes several applications implemented and executed at the application level.
- The Android application 13 in the present invention requests the Android service module 12 to create the secure container 14.
- The application command processing unit 23 transmits a container creation command by accessing the Android service module 12 according to a container creation request from the Android application 13.
- The secure container 14 is a new virtual environment construction technology that can satisfy both the security of the virtual machine and the performance of the container technology, and is created by the Linux kernel module 11 when a creation request is made in the Android application 13.
- The secure container 14 includes a microkernel as the kernel used in the corresponding secure container 14.
- As the microkernel of the secure container 14, a Zircon kernel is used as an example.
- Zircon kernel is a kernel developed for Google Fuchsia OS applied to embedded devices and has the advantage of providing basic scheduling and system calls. In addition, it has the advantage of being able to operate in multiple apps on various devices, from watch to desktop.
- a busybox-based minimum root file system is preferably implemented as a root file system to be used for the secure container 14 as described above.
- This root file system provides busybox, which provides only basic commands without daemons or additional services utilized by the Linux operating system. Afterwards, like the docker container image, the application and libraries to be executed in the secure container 14 are integrated based on the base root file system and the container is executed.
- The secure container 14 builds a communication function between the secure container 14 and the Android service module 12.
- The Android service module 12 builds a communication function between the Android application 13 and the secure container 14.
- The Android application 13 can directly use the secure container 14 to execute and terminate the secure container 14 without rooting or administrator authority, and to execute a specific command inside the secure container 14.
- The container service generating unit 22 may build the above communication function instead of the secure container 14 and/or the Android service module 12, and through this, substantially the same function may be provided.
- the Android framework capable of utilizing the secure container 14 provides an environment for creating the secure container 14 at the level of the application 13 driven in Android.
- the present invention shows a faster speed compared to the existing secure container management tool.
- The secure container 14 of the present invention was built in the Hikey960 device (4*Cortex A73 + 4*Cortex A53 Big.Little CPU architecture, 4GB LPDDR4 DRAM, 32GB UFS flash, Android 9.0) environment and then measured at the Android application level.
- For Kata container, an existing secure container technology, the measurement was performed in an Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz, 16GB RAM, Ubuntu 16.04 environment.
- The busybox image was used as the image for the test, and the required time was calculated for the operation of computing the sha1sum value in each environment.
- the required time was calculated by recording the timestamp before the call and the timestamp after the call at the application level, and shows the average value and characteristics of the required time calculated through 10 iterations in each environment.
- the secure container construction method of the present invention includes a virtual machine creation step (S11), a system service creation step (S12), a container creation request step (S13), and a secure container creation step (S14). Furthermore, after the creation of the secure container 14, a connection step (S15: S15-1, S15-2) of establishing a communication function between modules is included.
- the Android device 10 is representative of a mobile terminal equipped with a computing function, such as a smartphone, and this has already been described above.
- The secure container 14 is created using a virtual environment.
- In the system service creation step (S12), a system service is built in the Android framework to enable operation in the Android environment.
- The Android application 13 requests the Linux kernel module 11 to create a container through the Android service module 12. Therefore, the secure container 14 is created in the secure container creation step (S14). After the secure container 14 is created, a communication function between modules is established.
- This invention builds a secure container 14 in the Android environment.
- the secure container 14 is implemented without encroaching on the Android framework because it can be called at the application level while showing fast performance.
- the Linux kernel module 11 supporting the virtualization environment is created in the Android kernel at the lower level of the Android OS.
- The Linux kernel module 11 is generated by the Linux kernel generator 21.
- The Linux kernel module 11 constructs a Kernel-based Virtual Machine (KVM), which is the Linux kernel module 11 for implementing a lightweight virtual machine environment. That is, the KVM 11 is built in the Android kernel of the Android environment.
- Since the Android kernel was developed by being derived from the Linux kernel, the functions provided by the Linux kernel can be utilized. Therefore, by applying KVM to the Android kernel, it is possible to support virtual environments such as vcpu and vmem.
- Using the hypervisor mode (HYP mode) provided in the ARM environment, virtualization for a virtual machine is possible at the hardware level. For example, it is possible to provide system bus virtualization and CPU interrupt virtualization for virtual machines.
- To utilize the KVM, the lkvm binary is preferably used: the lkvm source code is cross-compiled for the ARM architecture, and the dynamic libraries are integrated and compiled together as a static library.
- the Android service module 12 having access right to the Linux kernel module 11 is generated as it is included in the Android framework.
- The Android service module 12 is generated by the container service creation unit 22.
- As the Android service module 12 is built to be included in the Android framework, it has access to the Linux kernel module 11. Accordingly, the Android application 13 can access the Linux kernel module 11 through the Android service module 12.
- The Android framework does not allow the Android application 13 to directly use the function provided by the Linux kernel module 11. Also, all Android applications are sandboxed.
- the conventional Android interprocess communication relied on a communication device, Binder, and in order to run a container through the Binder in the Android application 13, there is a limitation that the corresponding service must be registered in the Binder.
- The present invention ensures accessibility to the Linux kernel module 11 by building the Android service module 12 in the Android framework, so that the Android application 13 can create or remove the secure container 14.
- the Android service module 12 is additionally implemented in the form of a system service that can be included in the Android framework in consideration of an Android environment different from the existing Linux operating system.
- the Android service module 12 has access to the ARM-based lightweight virtual machine environment construction tool to create the secure container 14, and can create/remove the secure container 14 at the application level.
- the present invention further includes a proxy step of providing a console connected to the secure container 14 to each application.
- The proxy step is possible after the creation of the secure container 14, and may be performed by the container service creation unit 22 or the Android service module 12 created by it.
- The Android application 13 requests the Android service module 12 to create a container.
- The command of the Android application 13 is received and processed by the application command processing unit 23.
- The application command processing unit 23 called by the execution of the Android application 13 receives a container creation command and transmits it to the Android service module 12.
- The Android application 13 includes several applications implemented and executed at the application level. In particular, the Android application 13 requests the Android service module 12 to create the secure container 14.
- the Android service module 12 grants access to the Linux kernel module 11 to the corresponding Linux kernel module 11.
- The secure container 14 is created by the Linux kernel module 11, which has received a creation request through the Android service module 12.
- The secure container 14 is a new virtual environment construction technology that can satisfy both the security of the virtual machine and the performance of the container technology, and is created by the Linux kernel module 11 in response to a creation request in the Android application 13.
- the secure container 14 is also created with a micro kernel used in the secure container 14 .
- As the microkernel of the secure container 14, a Zircon kernel is used as an example.
- Zircon kernel is a kernel developed for Google Fuchsia OS applied to embedded devices and has the advantage of providing basic scheduling and system calls. In addition, it has the advantage of being able to operate in multiple apps on various devices, from the watch to the desktop.
- A busybox-based minimum root file system is implemented as the root file system to be used for the secure container 14 as described above.
- This root file system provides busybox, which provides only basic commands without daemons or additional services utilized by the Linux operating system. Afterwards, like the docker container image, the application and libraries to be executed in the secure container 14 are integrated based on the base root file system and the container is executed.
- The connection step (S15: S15-1, S15-2) is a step of establishing a communication function: after the secure container 14 is created, data communication is connected inside the terminal device between the secure container 14 and the Android service and/or between the secure container 14 and the Android application 13.
- The Android application 13 can directly use the secure container 14 to execute and terminate the secure container 14 without rooting or administrator authority, and to execute a specific command inside the secure container 14.
- The communication function described above may be built by the container service creation unit 22 instead of the secure container 14 and/or the Android service module 12 if necessary, and substantially the same function may be provided through this.
- the methods according to the embodiment of the present invention may be implemented as an application or implemented in the form of program instructions that may be executed through various computer components and recorded in a computer-readable recording medium.
- The computer-readable recording medium may include program instructions, data files, data structures, etc. alone or in combination, and the recorded program instructions may be specially designed and constructed for the present invention, or may be known and available to those skilled in the art of computer software.
- Examples of computer-readable recording media include hard disks, optical recording media such as CDROMs and DVDs, magneto-optical media such as floppy disks, and hardware devices specially configured to store and perform program instructions, such as ROM, RAM, flash memory, and the like.
- A terminal device equipped with a memory function includes a mobile terminal equipped with a computing function, such as a smart phone.
- the mobile terminal includes several types of Android devices 10 as described above.
- a server may also be included, and the server includes a download server or a cloud server that provides a download service of the corresponding program.
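The description builds KVM into the Android kernel and gives the Android service module access to it, while sandboxed applications cannot use the kernel module directly. The following C probe is an added example, not code from the patent or from lkvm: it assumes the standard Linux KVM device node `/dev/kvm` and the `<linux/kvm.h>` ioctls (the page names neither), and reports whether the node exists, whether the caller may open it, which capabilities it advertises, and whether its mode bits expose it to every process.

```c
/* Added example (not from the patent): probe a KVM device node before wiring
 * it to a system service. Assumption: the node is the standard Linux
 * /dev/kvm; the patent text does not name a path. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <unistd.h>
#include <linux/kvm.h>

enum kvm_probe_status {
    KVM_PROBE_OK = 0,
    KVM_PROBE_NO_DEVICE,   /* node missing or unusable: KVM not available */
    KVM_PROBE_NO_ACCESS,   /* node exists, caller may not open it
                              (the expected result inside an app sandbox) */
    KVM_PROBE_NOT_KVM,     /* node opened but does not answer KVM ioctls */
    KVM_PROBE_BAD_VERSION  /* API version differs from KVM_API_VERSION */
};

struct kvm_probe {
    enum kvm_probe_status status;
    int api_version;   /* result of KVM_GET_API_VERSION, -1 if not obtained */
    int user_memory;   /* 1 if KVM_CAP_USER_MEMORY is advertised (guest memory) */
    int nr_vcpus;      /* recommended vcpu count from KVM_CAP_NR_VCPUS */
    int world_access;  /* 1 if the mode bits grant read or write to "other" */
};

struct kvm_probe kvm_probe_path(const char *path)
{
    struct kvm_probe r = { KVM_PROBE_NO_DEVICE, -1, 0, 0, 0 };
    struct stat st;
    int fd;

    if (stat(path, &st) != 0)
        return r;

    /* A node readable or writable by everyone removes the service module's
     * role as the only holder of KVM access. */
    r.world_access = (st.st_mode & (S_IROTH | S_IWOTH)) != 0;

    fd = open(path, O_RDWR);
    if (fd < 0) {
        r.status = (errno == EACCES || errno == EPERM)
                       ? KVM_PROBE_NO_ACCESS
                       : KVM_PROBE_NO_DEVICE;
        return r;
    }

    r.api_version = ioctl(fd, KVM_GET_API_VERSION, 0UL);
    if (r.api_version < 0) {
        r.api_version = -1;
        r.status = KVM_PROBE_NOT_KVM;
    } else if (r.api_version != KVM_API_VERSION) {
        r.status = KVM_PROBE_BAD_VERSION;
    } else {
        int cap;

        cap = ioctl(fd, KVM_CHECK_EXTENSION, (unsigned long)KVM_CAP_USER_MEMORY);
        r.user_memory = cap > 0;
        cap = ioctl(fd, KVM_CHECK_EXTENSION, (unsigned long)KVM_CAP_NR_VCPUS);
        r.nr_vcpus = cap > 0 ? cap : 0;
        r.status = KVM_PROBE_OK;
    }
    close(fd);
    return r;
}

const char *kvm_probe_describe(enum kvm_probe_status s)
{
    switch (s) {
    case KVM_PROBE_OK:          return "KVM available to this caller";
    case KVM_PROBE_NO_DEVICE:   return "no usable KVM device node";
    case KVM_PROBE_NO_ACCESS:   return "KVM present, caller lacks access";
    case KVM_PROBE_NOT_KVM:     return "node does not speak the KVM API";
    case KVM_PROBE_BAD_VERSION: return "unexpected KVM API version";
    }
    return "unknown";
}

int main(void)
{
    struct kvm_probe r = kvm_probe_path("/dev/kvm");

    printf("status: %s\n", kvm_probe_describe(r.status));
    printf("api_version=%d user_memory=%d nr_vcpus=%d world_access=%d\n",
           r.api_version, r.user_memory, r.nr_vcpus, r.world_access);
    return r.status == KVM_PROBE_OK ? 0 : 1;
}
```

Run from an unprivileged process, `KVM_PROBE_NO_ACCESS` with `world_access=0` is the result consistent with the design described above, where only the service module reaches the kernel module.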
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Stored Programmes (AREA)
Claims (15)
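- An apparatus for building a secure container executable by an Android application, the apparatus being installed in an Android device and comprising: a Linux kernel generating unit (21) that creates, in the Android kernel, a Linux kernel module (11) supporting a virtualization environment; a container service generating unit (22) that creates, in the Android framework, an Android service module (12) having access to the Linux kernel module (11); and an application command processing unit (23) that receives a command of an Android application (13) and requests the Android service module (12) to create a secure container (14), wherein the secure container (14) is created by the Linux kernel module (11) in response to the request to create the secure container (14).
- The apparatus of claim 1, wherein a communication function between the secure container (14) and the Android service module (12) is established by the secure container (14), and a communication function between the Android application (13) and the secure container (14) is established by the Android service module (12).
- The apparatus of claim 1, further comprising a proxy that provides each application with a console connected to the secure container (14).
- The apparatus of claim 1, wherein the Linux kernel module (11) is a KVM (Kernel-based Virtual Machine), which is a Linux kernel module (11) for implementing a lightweight virtual machine environment.
- The apparatus of claim 4, wherein, in the KVM, virtualization for each virtual machine is performed at the hardware level through the hypervisor mode (HYP mode) provided by the ARM environment.
- The apparatus of claim 5, wherein the KVM uses the lkvm binary, the lkvm source code being received and cross-compiled for the ARM architecture, and all the dynamic libraries being integrated and compiled together as a static library.
- The apparatus of claim 1, wherein the secure container (14) includes a microkernel as the kernel used in the secure container (14), and a busybox-based minimum root file system is implemented as the root file system to be used for the secure container (14).
- A method for building a secure container executable by an Android application, the method being stored in the memory of an Android device and executed by a processor, and comprising: a virtual machine creation step (S11) in which a Linux kernel generating unit (21) creates, in the Android kernel, a Linux kernel module (11) supporting a virtualization environment; a system service creation step (S12) in which a container service generating unit (22) creates, in the Android framework, an Android service module (12) having access to the Linux kernel module (11); a container creation request step (S13) in which an application command processing unit (23) receives a command of an Android application (13) and requests the Android service module (12) to create a secure container (14); and a secure container creation step (S14) in which the Linux kernel module (11) receives the creation request through the Android service module (12) and creates the secure container (14).
- The method of claim 8, further comprising: a first connection step (S15-1) of establishing, by the secure container (14), a communication function between the secure container (14) and the Android service module (12); and a second connection step (S15-2) of establishing, by the Android service module (12), a communication function between the Android application (13) and the secure container (14).
- The method of claim 8, further comprising a proxy step in which the container service generating unit (22) provides each application with a console connected to the secure container (14).
- The method of claim 8, wherein the virtual machine creation step (S11) is a step of building a KVM (Kernel-based Virtual Machine), which is a Linux kernel module (11) for implementing a lightweight virtual machine environment.
- The method of claim 11, wherein, in the virtual machine creation step (S11), virtualization for each virtual machine is performed at the hardware level through the hypervisor mode (HYP mode) provided by the ARM environment.
- The method of claim 12, wherein, in the virtual machine creation step (S11), the lkvm binary is used to utilize the KVM, the lkvm source code being received and cross-compiled for the ARM architecture, and all the dynamic libraries being integrated and compiled together as a static library.
- The method of claim 8, wherein, in the secure container creation step (S14), a microkernel is created together as the kernel to be used in the secure container (14), and a busybox-based minimum root file system is implemented as the root file system to be used for the secure container (14).
- A computer-readable recording medium on which a computer program is recorded for performing the method for building a secure container executable by an Android application according to any one of claims 8 to 14.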
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US17/784,483 US20220405385A1 (en) | 2019-12-12 | 2020-11-27 | Secure container construction device and method executable by android application, and computer-readable recording medium on which program thereof is recorded |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR10-2019-0165648 | 2019-12-12 | ||
KR20190165648 | 2019-12-12 | ||
KR1020200027118A KR102235556B1 (ko) | 2019-12-12 | 2020-03-04 | Secure container construction device and method executable by android application, and computer-readable recording medium on which program thereof is recorded |
KR10-2020-0027118 | 2020-03-04 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2021118125A1 (ko) | 2021-06-17 |
Family
ID=75466406
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/KR2020/017016 WO2021118125A1 (ko) | 2019-12-12 | 2020-11-27 | Secure container construction device and method executable by android application, and computer-readable recording medium on which program thereof is recorded |
Country Status (3)
Country | Link |
---|---|
US (1) | US20220405385A1 (ko) |
KR (1) | KR102235556B1 (ko) |
WO (1) | WO2021118125A1 (ko) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113934464A (zh) * | 2021-12-14 | 2022-01-14 | 北京鲸鲮信息系统技术有限公司 | Method, apparatus and electronic device for launching Android applications in a Linux system |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
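CN113190282B (zh) * | 2021-04-07 | 2024-04-09 | 北京字节跳动网络技术有限公司 | Method and apparatus for constructing an Android runtime environment |
CN114385305B (zh) * | 2022-03-23 | 2022-07-08 | 麒麟软件有限公司 | System and method for recording a Linux screen and sharing it with Android applications |
CN116360928B (zh) * | 2023-05-15 | 2023-08-29 | 摩尔线程智能科技(北京)有限责任公司 | Optimization method and apparatus for an Android container display system, and electronic device |
CN117112144B (zh) * | 2023-09-22 | 2024-03-12 | 上海卓悠网络科技有限公司 | Method and system for deploying k3s on an Android system, and storage medium |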
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
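KR20170142672A (ko) * | 2016-06-20 | 2017-12-28 | 주식회사 씨오티커넥티드 | Computing device based on a trusted execution environment |
KR101895893B1 (ko) * | 2016-11-16 | 2018-10-24 | 숭실대학교산학협력단 | Duo OS model for Android security, mobile device equipped with the same, and security method for a mobile device using the same |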
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
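KR101857009B1 (ko) | 2017-01-19 | 2018-05-11 | 숭실대학교산학협력단 | Container platform for Android malware analysis and security method for a mobile device using the same |
KR101997061B1 (ko) | 2017-09-29 | 2019-07-05 | 숭실대학교산학협력단 | Linux-based Android container platform, device equipped with the same, and method for building a security system in a Linux-based Android container environment |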
- 2020
  - 2020-03-04 KR KR1020200027118A patent/KR102235556B1/ko active IP Right Grant
  - 2020-11-27 WO PCT/KR2020/017016 patent/WO2021118125A1/ko active Application Filing
  - 2020-11-27 US US17/784,483 patent/US20220405385A1/en active Pending
Non-Patent Citations (4)
Title |
---|
ANONYMOUS: "Android & Virtualization on Fast Models", VIRTUAL OPEN SYSTEMS, 20 October 2019 (2019-10-20), XP055820961, Retrieved from the Internet <URL:https://web.archive.org/web/20191020235309/http://www.virtualopensystems.com/en/solutions/guides/kvm-android-on-fastmodels/> * |
EARLENCE FERNANDES; ALEXANDER CROWELL; AJIT ALURI; ATUL PRAKASH: "Anception: Application Virtualization For Android", ARXIV.ORG, CORNELL UNIVERSITY LIBRARY, 201 OLIN LIBRARY CORNELL UNIVERSITY ITHACA, NY 14853, 27 January 2014 (2014-01-27), 201 Olin Library Cornell University Ithaca, NY 14853, XP080003857 * |
LEI XU, ZONGHUI WANG, WENZHI CHEN: "The Study and Evaluation of ARM-Based Mobile Virtualization", INTERNATIONAL JOURNAL OF DISTRIBUTED SENSOR NETWORKS, vol. 11, no. 7, 1 July 2015 (2015-07-01), pages 310308, XP055388713, ISSN: 1550-1477, DOI: 10.1155/2015/310308 * |
YUN, JAEHYEON ET AL.: "A method of Implementing a Secure Container Environment That Can be Called at The Android Application Level", CONFERENCE ON INFORMATION SECURITY AND CRYPTOGRAPHY-WINTER 2019 (CISC-W'19), 30 November 2019 (2019-11-30), pages 1 - 4 * |
Also Published As
Publication number | Publication date |
---|---|
US20220405385A1 (en) | 2022-12-22 |
KR102235556B1 (ko) | 2021-04-02 |
KR102235556B9 (ko) | 2022-10-21 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2021118125A1 (ko) | Secure container construction device and method executable by android application, and computer-readable recording medium on which program thereof is recorded | |
KR101019937B1 (ko) | Secure operating system switching | |
WO2016072760A1 (ko) | Apparatus and method for monitoring resources in a full virtualization system | |
CN111858004A (zh) | Method and system for dynamically loading real-time applications in the computer secure world based on TEE extension | |
CN110622138B (zh) | Data migration method and apparatus | |
US20140325664A1 (en) | Systems and methods for replacing application methods at runtime | |
WO2017030252A1 (ko) | Container image security inspection method and apparatus therefor | |
US20190065736A1 (en) | Systems and methods for preventing malicious applications from exploiting application services | |
WO2018212474A1 (ko) | Auxiliary storage device having an independent restoration area, and device to which the same is applied | |
WO2021045428A1 (en) | Method and apparatus for improving runtime performance after application update in electronic device | |
WO2018076890A1 (zh) | Data backup method, apparatus, storage medium, server and system | |
WO2020162715A1 (en) | Electronic device, storage medium, and method for process scheduling | |
EP3827333A1 (en) | Method for controlling execution of heterogeneous operating systems and electronic device and storage medium therefor | |
CN113703924A (zh) | Secure virtual machine system design method and system based on a trusted execution environment | |
WO2016195343A1 (ko) | Method for file input/output control in a virtualization system | |
WO2018208032A1 (ko) | Computer having an isolated user computing unit | |
US20130145363A1 (en) | System and method thereof for running an unmodified guest operating system in a para-virtualized environment | |
WO2016159496A1 (ko) | Method for distributing an application with added security functions, and method for operating the application | |
WO2014200201A1 (ko) | Management apparatus and management method for file security for system protection | |
WO2019225849A1 (ko) | Security apparatus and method for providing a security service through guest operating system integrity and file input/output control | |
Futagami et al. | Secure out-of-band remote management of virtual machines with transparent passthrough | |
US10261921B2 (en) | Universal secure platform virtualization system and method thereof | |
WO2018021864A1 (ko) | Cloud-based service providing method | |
WO2020209561A1 (ko) | Electronic device for executing heterogeneous operating systems, and method therefor | |
WO2016108677A1 (ko) | Web content output apparatus and method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 20900575 Country of ref document: EP Kind code of ref document: A1 |
NENP | Non-entry into the national phase | Ref country code: DE |
122 | Ep: pct application non-entry in european phase | Ref document number: 20900575 Country of ref document: EP Kind code of ref document: A1 |
32PN | Ep: public notification in the ep bulletin as address of the addressee cannot be established | Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 05.12.2022) |
122 | Ep: pct application non-entry in european phase | Ref document number: 20900575 Country of ref document: EP Kind code of ref document: A1 |