[go: up one dir, main page]

CN105550584A - RBAC based malicious program interception and processing method in Android platform - Google Patents

RBAC based malicious program interception and processing method in Android platform Download PDF

Info

Publication number
CN105550584A
CN105550584A CN201511032125.3A CN201511032125A CN105550584A CN 105550584 A CN105550584 A CN 105550584A CN 201511032125 A CN201511032125 A CN 201511032125A CN 105550584 A CN105550584 A CN 105550584A
Authority
CN
China
Prior art keywords
user
module
application
kernel
rbac
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201511032125.3A
Other languages
Chinese (zh)
Inventor
林莉
尼见
胡健
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing University of Technology
Original Assignee
Beijing University of Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing University of Technology filed Critical Beijing University of Technology
Priority to CN201511032125.3A priority Critical patent/CN105550584A/en
Publication of CN105550584A publication Critical patent/CN105550584A/en
Pending legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses an RBAC based malicious program interception and processing method in an Android platform, and belongs to the technical field of mobile security. For the technical field of existing mobile security, privacy data of a user have a leakage risk and a current malicious program detection method has problems to be solved, so that an RBAC based malicious program interception method is proposed. When an application accesses to the privacy data of the user, whether related operations are permitted or not is determined according to a role that the application belongs to and permission information corresponding to the application by querying an RBAC policy library, so that the privacy security of the user is ensured.

Description

一种Android平台下基于RBAC的恶意程序拦截及处置方法A malicious program interception and disposal method based on RBAC under the Android platform

技术领域technical field

本发明属于移动安全技术领域,具体涉及一种Android平台下基于RBAC的恶意程序拦截及处置方法。The invention belongs to the technical field of mobile security, and in particular relates to an RBAC-based malicious program interception and processing method under an Android platform.

背景技术Background technique

随着Android系统以及智能手机的快速发展,Android应用程序呈现爆炸式的增长。随之而来的是Android系统的安全性问题,以及恶意应用程序对移动终端的恶意攻击、对用户隐私信息的窃取等问题日益严重。由于Android第三方应用市场的监管不严,很多正常的应用程序被嵌入了窃取用户隐私的恶意代码并重新打包上传至Android市场,很多情况下杀毒软件无法拦截类似应用程序的恶意请求。目前主流的恶意程序检测方法分为静态检测和动态检测,静态检测对恶意代码库的依赖性较高,当出现新型的恶意程序时,其往往无法准确的识别恶意行为,其检出率和准确率还有待提高;动态检测方法包括MonkeyRunner、DroidBox、TaintDroid、Hips等,其特点是对于代码特征库的依赖强度小,通过捕获运行中的真正恶意行为来判断是否为恶意软件,同时存在着恶意程序绕过系统检测的风险。例如对于传统HIPS的程序检测方式,通过在用户态注入.so和.jar文件实现APIHOOK,如果恶意应用程序通过这种方式实现APIHOOK的话,就会绕过HIPS系统的检测,一定程度上给用户隐私安全带来了威胁。With the rapid development of the Android system and smart phones, Android applications show explosive growth. Followed by the security problems of the Android system, malicious attacks on mobile terminals by malicious applications, and the theft of user privacy information are becoming more and more serious. Due to the lax supervision of the Android third-party application market, many normal applications are embedded with malicious codes that steal user privacy and are repackaged and uploaded to the Android market. In many cases, antivirus software cannot intercept malicious requests from similar applications. The current mainstream malicious program detection methods are divided into static detection and dynamic detection. Static detection is highly dependent on the malicious code base. When a new type of malicious program appears, it is often unable to accurately identify malicious behavior. The rate needs to be improved; dynamic detection methods include MonkeyRunner, DroidBox, TaintDroid, Hips, etc., which are characterized by a small dependence on the code feature library, and judge whether it is malware by capturing real malicious behavior during operation, and there are malicious programs at the same time Risk of bypassing system detection. For example, for the traditional HIPS program detection method, APIHOOK is implemented by injecting .so and .jar files in the user state. If a malicious application implements APIHOOK in this way, it will bypass the detection of the HIPS system and give users privacy to a certain extent. Security poses a threat.

针对上述问题,本发明提出了一种Android平台下基于RBAC的恶意程序拦截及处置方法,通过动态插入LinuxHook内核模块,实现在内核层对应用程序读取用户隐私等恶意行为的监控,由于应用程序是无法修改AndroidLinux内核源码的,因此避免了恶意应用程序绕过系统检测。同时,本发明是针对应用程序具体恶意行为的监控,避免了对恶意程序代码库的依赖,提高了检测效率和准确率。当应用程序访问用户隐私数据时,本发明通过定义RBAC访问控制策略给出用户相关系统提示,用户可基于系统提示自主选择,从而保护了用户的隐私安全。In view of the above problems, the present invention proposes a malicious program interception and disposal method based on RBAC under the Android platform. By dynamically inserting the LinuxHook kernel module, the monitoring of malicious behaviors such as reading user privacy by the application program at the kernel layer is realized. Because the application program It is impossible to modify the AndroidLinux kernel source code, thus avoiding malicious applications from bypassing system detection. At the same time, the present invention is aimed at monitoring specific malicious behaviors of application programs, avoids dependence on malicious program code bases, and improves detection efficiency and accuracy. When an application program accesses user privacy data, the present invention provides user-related system prompts by defining RBAC access control policies, and users can choose independently based on the system prompts, thereby protecting user privacy and security.

发明内容Contents of the invention

本发明提出一种Android平台下基于RBAC的恶意程序拦截及处置方法,其特征在于,包括恶意行为检测模块、内核消息反馈模块、拦截提示模块和基于RBAC的拦截模块,步骤如下:The present invention proposes a malicious program interception and disposal method based on RBAC under the Android platform, which is characterized in that it includes a malicious behavior detection module, a kernel message feedback module, an interception prompt module and an RBAC-based interception module, and the steps are as follows:

步骤1:恶意行为检测模块通过在AndroidLinux系统中动态插入用于Hook的内核模块实现对应用程序读取用户隐私数据行为的内核层监控,为内核消息反馈模块提供消息源;Step 1: The malicious behavior detection module realizes the kernel layer monitoring of the behavior of reading user privacy data by the application program by dynamically inserting the kernel module used for Hook in the AndroidLinux system, and provides a message source for the kernel message feedback module;

步骤2:内核消息反馈模块通过netlinksocket实现内核层和用户层的消息通信,Netlinksocket采用全双工、异步的通讯方式,这样当内核态的Hook函数拦截到恶意程序的信息时发送到用户态的程序去处理,并将处理结果发送到内核态,Linux内核根据该信息决定是否允许该程序的相关操作;通过内核消息反馈模块,将恶意行为检测模块收集到的应用程序行为记录传递到拦截提示模块;Step 2: The kernel message feedback module realizes the message communication between the kernel layer and the user layer through netlinksocket. Netlinksocket adopts a full-duplex and asynchronous communication mode, so that when the Hook function in the kernel state intercepts the information of the malicious program, it is sent to the program in the user state To process, and send the processing result to the kernel mode, the Linux kernel decides whether to allow the relevant operation of the program according to the information; through the kernel message feedback module, the application program behavior record collected by the malicious behavior detection module is passed to the interception prompt module;

步骤3:拦截提示模块用于在收到内核层发来的消息之后,根据基于RBAC的拦截模块反馈的结果,给出用户细粒度的提示;Step 3: The interception prompt module is used to give the user fine-grained prompts according to the feedback result of the RBAC-based interception module after receiving the message from the kernel layer;

步骤4:基于RBAC的拦截模块通过查询RBAC策略库获取到当前应用程序所属的角色及其对应的权限信息,将查询结果反馈到拦截提示模块,拦截模块根据该结果给出用户细粒度的提示;根据RBAC策略库的查询结果;支持用户自主选择,在用户没有选择的情况下系统会默认根据RBAC策略库的查询结果来决定是否允许应用程序的相应请求。Step 4: The RBAC-based interception module obtains the role of the current application and its corresponding permission information by querying the RBAC policy library, and feeds back the query result to the interception prompt module, and the interception module gives the user fine-grained prompts based on the result; According to the query results of the RBAC policy library; users can choose independently. If the user does not choose, the system will determine whether to allow the corresponding request of the application according to the query results of the RBAC policy library by default.

进一步,还能动态更新RBAC策略库,具体为:在应用程序初次安装运行时,基于其基本功能为其指派相应角色,该角色只拥有完成该应用程序基本功能的最小权限集合,当应用程序请求其最小权限集合之外的权限时,拦截提示模块会给出用户相关安全提示,在用户明确选择授予该应用程序此权限时,通过设置新的角色调整RBAC策略库,即设置新角色拥有用户允许的最小权限之外的其他权限。Furthermore, the RBAC policy library can also be dynamically updated, specifically: when the application is installed and running for the first time, a corresponding role is assigned to it based on its basic functions. This role only has the minimum permission set to complete the basic functions of the application. When the application requests For permissions other than the minimum permission set, the interception prompt module will give the user relevant security prompts. When the user explicitly chooses to grant this permission to the application, adjust the RBAC policy library by setting a new role, that is, setting the new role to have the user permission permissions other than the minimum permissions.

通过动态插入LinuxHook内核模块,实现在内核层对应用程序读取用户隐私等恶意行为的实时监控;采用netlinksocket技术将Android架构中内核层捕获到的应用程序恶意行为反馈到应用层,插入的内核模块通过socket实现发送恶意行为信息并接收应用层的反馈,由于其部署在内核层从而保护了该过程不受恶意应用程序的干涉;在Android架构的应用层,引入RBAC的思想,通过设置RBAC策略库,依据应用程序所属角色给其分配相应权限,能够实现对恶意应用程序的最小授权。同时允许用户根据RBAC策略库的提示对应用程序读取用户隐私数据的行为做出相应选择,而非单一允许或禁止应用程序的所有行为,在保护用户隐私安全的同时,平衡了用户的使用体验。By dynamically inserting the LinuxHook kernel module, the real-time monitoring of malicious behaviors such as reading user privacy by the application program at the kernel layer is realized; the malicious behavior of the application program captured by the kernel layer in the Android architecture is fed back to the application layer by using netlinksocket technology, and the inserted kernel module Send malicious behavior information and receive feedback from the application layer through the socket, because it is deployed at the kernel layer to protect the process from the interference of malicious applications; in the application layer of the Android architecture, the idea of RBAC is introduced, by setting the RBAC policy library , and assign corresponding permissions to the application according to the role it belongs to, which can realize the minimum authorization for malicious applications. At the same time, users are allowed to make corresponding choices about the behavior of the application to read user privacy data according to the prompts of the RBAC policy library, instead of allowing or prohibiting all behaviors of the application, which balances the user experience while protecting user privacy and security. .

本发明可避免传统应用程序安装之后便会获得其所申请的所有权限的问题,其在用户点击同意赋予应用程序所申请的权限后,通过内核态监控,在该应用实际运行具体权限时,通过设置RBAC策略对应用程序的权限申请做二次拦截,可真正达到保护用户隐私的目的。此外,本发明在构建RBAC策略库时,针对当前安卓应用的特点,对安卓应用场景下的角色、权限、指派关系以及互斥角色等做了进一步的约束和规范,RBAC策略的设置充分体现了最小授权、职责分离和数据抽象三大安全原则。The present invention can avoid the problem that the traditional application program will obtain all the permissions applied for after it is installed. After the user clicks to agree to give the application program the application permission, it will monitor through the kernel state, and when the application actually runs specific permissions, through Setting the RBAC policy to intercept the permission application of the application for the second time can truly achieve the purpose of protecting user privacy. In addition, when constructing the RBAC policy library, the present invention further constrains and regulates the roles, permissions, assignment relationships, and mutually exclusive roles in the Android application scenario according to the characteristics of the current Android application. The setting of the RBAC policy fully reflects the Three security principles of minimal authorization, separation of duties, and data abstraction.

与现有技术相比,本发明具有以下优点:Compared with the prior art, the present invention has the following advantages:

目前主流的恶意程序检测方法分为静态检测和动态监测,其中静态检测的主要方式包括:分析应用程序的签名信息、APK源码逆向分析、恶意代码库匹配等。静态检测对恶意代码库的依赖性较高,恶意程序的检出率和准确率还有待提高。动态检测通过实际运行应用程序,已期待触发其中的恶意行为,达到恶意程序检测的目的。主流的动态检测方法包括:MonkeyRunner、DroidBox、TaintDroid、HIPS等,其特点是对于代码特征库的依赖强度小,通过捕获运行中的真正恶意行为来判断是否为恶意软件,同时存在着恶意程序绕过系统检测的风险。例如HIPS不需要修改AndroidLinux内核,它通过在用户态注入.so和Jar文件实现目标API的Hook,从而拦截应用程序的相关操作。由于它是通过注入so文件实现APIhook的,同样应用程序自己也可以通过这种方式实现APIhook。因此,如果恶意程序的开发者实现了APIHook的话,就会绕过HIPS的系统检测,一定程度上给用户的隐私安全带来了威胁。At present, mainstream malicious program detection methods are divided into static detection and dynamic monitoring. The main methods of static detection include: analysis of application signature information, reverse analysis of APK source code, and malicious code library matching. Static detection relies heavily on malicious code libraries, and the detection rate and accuracy of malicious programs need to be improved. Dynamic detection is expected to trigger the malicious behavior in the application program by actually running it, so as to achieve the purpose of malicious program detection. The mainstream dynamic detection methods include: MonkeyRunner, DroidBox, TaintDroid, HIPS, etc., which are characterized by a small dependence on the code feature library, and judge whether it is malware by capturing real malicious behavior during operation, and there are malicious programs to bypass Risk of system detection. For example, HIPS does not need to modify the AndroidLinux kernel. It implements the Hook of the target API by injecting .so and Jar files in the user mode, thereby intercepting the related operations of the application. Since it implements APIhook by injecting so files, the application itself can also implement APIhook in this way. Therefore, if the developer of the malicious program implements APIHook, it will bypass the system detection of HIPS, which poses a threat to the user's privacy and security to a certain extent.

本方法采用LinuxHook技术,通过动态插入内核模块实现了在内核层监控应用程序的恶意行为,由于本方法是在内核层检测应用程序的恶意行为,并且应用程序是无法修改内核层函数调用的,因此避免了恶意程序绕过传统HIPS系统检测的风险;同时,本方法基于RBAC的访问控制技术给应用程序分配对应的角色,同时给相应的角色分配其能完成自身任务的最小权限组合,根据RBAC策略库来给出用户相关提示。例如地图类应用程序读取用户的位置信息时,系统弹出警示框提示用户,在用户无选择的情况下默认允许该行为;影音娱乐类应用程序读取用户的通讯录信息时,系统弹出警示框并默认阻断该行为,从而在允许用户自主选择的基础上更好的满足了用户的需求,同时保护了用户的隐私安全。本发明提出方法可避免传统APP安装之后便会获得其所申请的所有权限的问题,其在用户点击同意赋予APP所申请的权限后,通过对该应用运行时的监控,在该应用实际使用具体权限前,通过设置RBAC策略对APP的权限申请做二次拦截,可真正达到保护用户隐私的目的。This method adopts LinuxHook technology, has realized the malicious behavior of monitoring application program at the kernel layer by dynamically inserting the kernel module, because this method detects the malicious behavior of the application program at the kernel layer, and the application program cannot modify the kernel layer function call, so Avoiding the risk of malicious programs bypassing traditional HIPS system detection; at the same time, this method assigns corresponding roles to applications based on RBAC access control technology, and at the same time assigns corresponding roles the minimum permission combination that can complete their own tasks. According to RBAC strategy library to give user relevant hints. For example, when a map application reads the user's location information, the system pops up a warning box to prompt the user, and the behavior is allowed by default if the user has no choice; when an audio-visual entertainment application reads the user's address book information, the system pops up a warning box And this behavior is blocked by default, so as to better meet the needs of users on the basis of allowing users to choose independently, and at the same time protect the privacy and security of users. The method proposed by the present invention can avoid the problem that all the permissions applied for by the traditional APP will be obtained after the installation. After the user clicks to agree to grant the permissions applied for by the APP, by monitoring the application when it is running, the actual use of the application will be specific. Before permission, set the RBAC policy to do a second interception of APP permission application, which can truly achieve the purpose of protecting user privacy.

本发明提出方法在AndroidLinux的内核层监控应用程序的运行,可减少恶意应用程序绕过系统检测的风险,避免了传统HIPS方法的检测机制被旁路问题,具有更好的安全性和可靠性。The method proposed by the invention monitors the operation of application programs at the kernel layer of Android Linux, which can reduce the risk of malicious application programs bypassing system detection, avoid the detection mechanism of the traditional HIPS method being bypassed, and have better security and reliability.

本发明提出方法在构建RBAC策略库时,针对当前安卓应用程序的特点,对安卓应用场景下的角色、权限、指派关系以及互斥角色等做了进一步的约束和规范,RBAC策略的设置充分体现了最小授权、职责分离和数据抽象三大安全原则,支持RBAC策略库的动态调整,支持用户隐私安全和用户体验的平衡。When the method proposed by the present invention constructs the RBAC policy library, according to the characteristics of the current Android application program, further constraints and specifications are made on the roles, permissions, assignment relationships, and mutually exclusive roles in the Android application scene, and the setting of the RBAC policy is fully reflected. The three security principles of minimum authorization, separation of duties, and data abstraction are established, and the dynamic adjustment of the RBAC policy library is supported, and the balance between user privacy security and user experience is supported.

附图说明Description of drawings

图1基于RBAC的恶意程序拦截架构设计;Fig. 1 Architecture design of malicious program interception based on RBAC;

图2基于RBAC的恶意程序拦截流程;Figure 2 RBAC-based malicious program interception process;

图3基于RBAC的恶意程序拦截准确率;Figure 3 RBAC-based malicious program interception accuracy;

具体实施方式detailed description

下面结合附图和具体实施方式对本发明做进一步说明。The present invention will be further described below in conjunction with the accompanying drawings and specific embodiments.

图1,为本发明所述的基于RBAC的恶意程序拦截架构图。图中按照Android系统架构将Android系统分为用户空间和内核空间两部分,该图描述了应用程序安装到Android移动设备后,当应用程序执行时内核层和应用层如何实现的对应用程序恶意行为的监控,具体基于RBAC的恶意程序拦截包括以下四个模块:恶意行为检测模块、内核消息反馈模块、拦截提示模块、基于RBAC的拦截模块。FIG. 1 is an architecture diagram of the RBAC-based malicious program interception described in the present invention. According to the Android system architecture, the Android system is divided into two parts, the user space and the kernel space. This figure describes how the kernel layer and the application layer implement malicious behaviors against the application program after the application program is installed on the Android mobile device when the application program is executed. Specifically, RBAC-based malicious program interception includes the following four modules: malicious behavior detection module, kernel message feedback module, interception prompt module, and RBAC-based interception module.

其中,恶意行为检测模块部署在AndroidLinux内核层,它通过插入的LinuxHook模块实现了对应用程序恶意行为的监控,当监控到应用程序读取用户隐私的行为时,会通过内核消息反馈模块将消息传递到拦截提示模块。内核消息反馈模块部署在应用层和内核层之间,是两者之间通信的桥梁,该模块负责将恶意行为检测模块收集的信息传递到拦截提示模块做进一步处理。Among them, the malicious behavior detection module is deployed in the AndroidLinux kernel layer. It realizes the monitoring of the malicious behavior of the application through the inserted LinuxHook module. to the intercept prompt module. The kernel message feedback module is deployed between the application layer and the kernel layer, and is a communication bridge between the two. This module is responsible for transferring the information collected by the malicious behavior detection module to the interception prompt module for further processing.

拦截提示模块部署在JNI层,当它收到内核消息反馈模块发来的消息时,会以对话框的形式呈现在用户面前,借助于基于RBAC的拦截模块的查询结果,给出用户相关提示。基于RBAC的拦截模块,通过分析容易泄漏用户隐私的安全权限及RBAC的三个著名安全原则,制定了RBAC策略库,对Android应用程序所属的角色及其对应的权限信息做了严格的限定。当应用程序访问用户相关的隐私数据时,会将RBAC策略库的查询结果反馈到拦截提示模块。The interception prompt module is deployed at the JNI layer. When it receives a message from the kernel message feedback module, it will be presented in front of the user in the form of a dialog box. With the help of the query result of the RBAC-based interception module, relevant prompts will be given to the user. Based on the RBAC interception module, by analyzing the security permissions that are easy to leak user privacy and the three famous security principles of RBAC, the RBAC policy library is formulated, and the roles and corresponding permission information of Android applications are strictly limited. When the application accesses user-related privacy data, it will feed back the query results of the RBAC policy library to the interception prompt module.

图2为基于RBAC的恶意程序拦截流程图,包括以下步骤:Figure 2 is a flowchart of malicious program interception based on RBAC, including the following steps:

步骤1:将待测试的应用程序安装到已经插入了用于Hook的内核模块的Android系统上,运行应用程序。Step 1: Install the application program to be tested on the Android system into which the kernel module for Hook has been inserted, and run the application program.

步骤2:应用程序运行过程中会涉及到访问用户隐私数据的行为,例如读取用户通讯录等行为。Step 2: During the running of the application, the behavior of accessing the user's private data will be involved, such as reading the user's address book and other behaviors.

步骤3:根据步骤2,查询系统RBAC策略库,获取当前应用程序的角色信息。Step 3: According to step 2, query the system RBAC policy library to obtain the role information of the current application.

步骤4:判断应用程序对应角色所具有的权限信息,例如某应用程序请求访问用户通讯录,该应用程序属于的角色为通讯类角色,该角色对应的访问通讯录的权限为“1”(“1”表示具有对应权限,“0”表示不具有对应权限),将查询结果反馈到下一步。Step 4: Determine the permission information of the corresponding role of the application program. For example, if an application program requests to access the user's address book, the role that the application program belongs to is a communication role, and the access permission of the role corresponding to the address book is "1" (" 1" means it has the corresponding authority, "0" means it does not have the corresponding authority), and the query result is fed back to the next step.

步骤5:根据查询结果,弹出提示对话框,给出用户相关提示。Step 5: According to the query result, a prompt dialog box will pop up to give relevant prompts to the user.

步骤6:用户根据系统提示做出选择,根据用户选择决定是否允许应用程序的相关操作,如果用户不选择,则默认按照RBAC策略库的查询结果来决定是否允许应用程序的相关操作。Step 6: The user makes a choice according to the system prompts, and decides whether to allow the relevant operations of the application according to the user's choice. If the user does not choose, it will decide whether to allow the relevant operations of the application according to the query results of the RBAC policy library by default.

步骤7:将用户的选择结果反馈至Android内核层,决定是否允许应用程序对相应资源的请求。Step 7: Feedback the user's selection result to the Android kernel layer, and decide whether to allow the application program to request the corresponding resource.

图3为基于RBAC的恶意程序拦截准确率比较图。图中横轴表示Android系统对应的权限信息,A-G依次代表位置信息访问、通讯记录访问、通讯录读取、短信记录读取、发送短信、邮件信息读取、连接网络,纵轴表示系统对应用程序访问用户隐私行为的拦截次数。本发明与传统的HIPS做了比较,实验表明当恶意应用程序访问用户的隐私记录时,本方法具有更高的系统拦截率。Figure 3 is a comparison chart of the interception accuracy of malicious programs based on RBAC. The horizontal axis in the figure represents the permission information corresponding to the Android system, A-G represents location information access, communication record access, address book reading, SMS record reading, sending text messages, email information reading, and connecting to the network in turn, and the vertical axis represents the system’s application The number of interception times when the program accesses the user's privacy behavior. The present invention is compared with the traditional HIPS, and experiments show that when a malicious application program accesses a user's privacy record, the present method has a higher system interception rate.

本发明所提出方法由恶意行为检测、内核消息反馈、拦截提示和基于RBAC的拦截4个模块组成,如图1所示。The method proposed by the present invention consists of four modules: malicious behavior detection, kernel message feedback, interception prompt and RBAC-based interception, as shown in FIG. 1 .

其中,恶意行为检测模块部署在AndroidLinux内核层,用于在内核层监控应用程序读取用户隐私数据的恶意行为,为内核消息反馈模块提供消息源。内核消息反馈模块借鉴netlinksocket技术,实现了恶意行为检测模块和拦截提示模块之间的通信,该模块可以将恶意行为检测模块发现的应用程序恶意行为传递到拦截提示模块进行进一步的处置。拦截提示模块部署在用户空间,当接收到恶意行为检测模块发来检测到的应用程序的恶意行为时,通过基于RBAC的拦截模块的反馈结果,以对话框的形式给出用户相关提示。基于RBAC的拦截模块通过查询RBAC策略库,当应用程序请求访问用户的隐私数据时,会根据该应用程序所属的角色及其对应的权限信息,来决定是否允许应用程序的相关操作,同时将查询结果返回拦截提示模块。Among them, the malicious behavior detection module is deployed at the AndroidLinux kernel layer, which is used to monitor the malicious behavior of the application program reading user privacy data at the kernel layer, and provides a message source for the kernel message feedback module. The kernel message feedback module uses the netlinksocket technology to realize the communication between the malicious behavior detection module and the interception prompt module. This module can transfer the malicious behavior of the application program discovered by the malicious behavior detection module to the interception prompt module for further processing. The interception prompt module is deployed in the user space. When the malicious behavior of the detected application is received from the malicious behavior detection module, it will give the user relevant prompts in the form of a dialog box based on the feedback result of the RBAC-based interception module. The RBAC-based interception module queries the RBAC policy library. When an application requests access to the user's private data, it will decide whether to allow the relevant operations of the application according to the role to which the application belongs and its corresponding permission information. At the same time, it will query The result is returned to the interception prompt module.

恶意行为检测模块负责在内核层监控应用程序读取用户隐私数据恶意行为的监控和记录,同时为内核消息反馈模块提供消息源,其步骤如下:The malicious behavior detection module is responsible for monitoring and recording the malicious behavior of reading user privacy data by the monitoring application program at the kernel layer, and at the same time providing the message source for the kernel message feedback module. The steps are as follows:

1.位于应用层的应用程序请求访问用户的隐私数据,调用相关函数发起系统调用请求;1. The application program at the application layer requests access to the user's private data, and calls related functions to initiate a system call request;

2.系统函数执行int0x80软中断指令,该指令的执行会让系统跳转到一个预设的内核控件地址,从而使程序进入操作系统内核状态;2. The system function executes the int0x80 soft interrupt instruction. The execution of this instruction will cause the system to jump to a preset kernel control address, so that the program enters the kernel state of the operating system;

3.修改系统调用表中的指针地址,使其指向本发明自定义的函数,例如修改sys_call_table[__NR_open],使其指向our_sys_open()函数;3. revise the pointer address in the system call table, make it point to the self-defined function of the present invention, for example revise sys_call_table[__NR_open], make it point to our_sys_open () function;

4.根据sys_call_table[__NR_open]查找指定函数,此时系统会先调用本发明定义的our_sys_open()函数,该函数中会记录应用程序的进程id、读取文件类型等信息,从而记录应用程序窃取用户隐私的恶意行为,记录完毕之后转向sys_call_table[__NR_open]原先的系统调用函数;4. Find the specified function according to sys_call_table[__NR_open]. At this time, the system will first call the our_sys_open() function defined by the present invention, which will record information such as the process id of the application program and the type of file read, thereby recording the application program to steal the user Malicious privacy behavior, after recording, turn to the original system call function of sys_call_table[__NR_open];

5.调用sys_open()函数,并将调用结果返回系统调用,最终将相关信息返回至用户层应用程序。5. Call the sys_open() function, and return the call result to the system call, and finally return the relevant information to the user-level application.

内核消息反馈模块负责将恶意行为检测模块发现的应用程序恶意行为传递到拦截提示模块进行进一步的处置,通过netlinksocket实现内核层和应用层的消息通信,具体步骤如下:The kernel message feedback module is responsible for passing the malicious behavior of the application program found by the malicious behavior detection module to the interception prompt module for further processing, and realizes the message communication between the kernel layer and the application layer through netlinksocket. The specific steps are as follows:

1.内核态程序通过函数netlink_kernel_create()去初始化netlinksocket连接;1. The kernel mode program initializes the netlinksocket connection through the function netlink_kernel_create();

2.用户态程序通过socket()函数创建用户态的套接字,指明用户态socket的地址域、协议类型。为了和内核态程序建立通信连接,本发明指定内核态程序和用户态程序使用同一个协议类型;2. The user mode program creates a user mode socket through the socket() function, and specifies the address domain and protocol type of the user mode socket. In order to establish a communication connection with the kernel state program, the present invention specifies that the kernel state program and the user state program use the same protocol type;

3.用户态程序通过bind()函数实现源socket地址和打开的socket地址的互相关联,其参数中s_nladdr表示netlink的地址结构体,nl_pid表示netlinksocket当前进程的PID,作为当前netlinksocket的本地地址,本发明通过getpid()函数来获取当前进程id值;3. The user state program realizes the correlation between the source socket address and the open socket address through the bind() function. Among its parameters, s_nladdr represents the address structure of netlink, and nl_pid represents the PID of the current process of netlinksocket, which is used as the local address of the current netlinksocket. Invented to obtain the current process id value through the getpid() function;

4.用户态程序通过函数sendmsg(fd,&msg,0)实现从用户态向内核态发送消息,将自己的地址、进程ID等字段发送到内核态程序,告知内核态程序自己的进程ID;4. The user mode program sends a message from the user mode to the kernel mode through the function sendmsg(fd,&msg,0), sends its own address, process ID and other fields to the kernel mode program, and informs the kernel mode program of its own process ID;

5.内核态程序将监控到的应用程序读取用户隐私记录的恶意行为,根据用户态发来的进程id和地址向指定位置发送消息;5. The kernel mode program will monitor the malicious behavior of the application program to read the user's privacy record, and send a message to the designated location according to the process id and address sent from the user mode;

6.用户态程序通过函数recvmsg(fd,&msg,0)来接受来自内核的消息,将恶意行为检测模块收集到的应用程序行为记录传递到拦截提示模块,供其做进一步的操作。6. The user state program receives the message from the kernel through the function recvmsg(fd,&msg,0), and transmits the application program behavior record collected by the malicious behavior detection module to the interception prompt module for further operation.

拦截提示模块负责以图形界面的方式给出用户应用程序读取用户隐私数据的相关提示,其基于内核消息反馈模块得到应用程序的相关行为信息,具体步骤如下:The interception prompt module is responsible for giving relevant prompts for user applications to read user privacy data in the form of a graphical interface. It obtains relevant behavior information of application programs based on the kernel message feedback module. The specific steps are as follows:

1.通过JAVAH命令将JAVA程序中用native关键字修饰的方法callHelloFromJava()生成对应的头文件,该方法在JAVA程序中声明,在C程序中实现,用于初始化用户层的netlinksocket通信,接收内核层发来的应用程序恶意行为信息;1. Use the JAVAH command to generate the corresponding header file for the method callHelloFromJava() modified with the native keyword in the JAVA program. This method is declared in the JAVA program and implemented in the C program. It is used to initialize the netlinksocket communication of the user layer and receive the kernel Application malicious behavior information sent by the layer;

2.将生成的com_example_testjni_MainActivity.h头文件保存在工程的jni目录下,用于Hello.c程序去实现Java类中声明的callHelloFromJava()方法;2. Save the generated com_example_testjni_MainActivity.h header file in the jni directory of the project, and use it in the Hello.c program to implement the callHelloFromJava() method declared in the Java class;

3.引入com_example_testjni_MainActivity.h头文件,在Hello.c文件中实现Java_com_exaple_testjni_MainActivity_callHelloFromJava(JNIEnv*env,jobjectobj)方法,该方法用于初始化用户态的netlinksocket连接,负责和内核态的socket建立通信连接,将自己的进程ID、通讯协议类型等信息发送到内核态进程;3. Introduce the com_example_testjni_MainActivity.h header file, and implement the Java_com_exaple_testjni_MainActivity_callHelloFromJava(JNIEnv*env, jobjectobj) method in the Hello.c file. This method is used to initialize the netlinksocket connection in the user mode, and is responsible for establishing a communication connection with the socket in the kernel mode. Information such as process ID and communication protocol type is sent to the kernel mode process;

4.当用户态socket收到内核态socket发来的消息时,会调用popWindow(Stringparam)方法,该方法用于弹出提示对话框,将应用程序读取用户隐私信息的恶意行为实时呈现在用户面前;4. When the user state socket receives a message from the kernel state socket, it will call the popWindow(Stringparam) method, which is used to pop up a prompt dialog box, and present the malicious behavior of the application program reading the user's private information in front of the user in real time ;

5.根据用户的选择通过用户态的socket连接,将消息反馈到内核态socket做进一步的处理。5. According to the user's choice, through the socket connection of the user state, the message is fed back to the socket of the kernel state for further processing.

基于RBAC的拦截模块负责根据应用程序具有的角色及其被指派的权限来决定是否允许应用程序进行相关操作,同时将查询结果返回拦截提示模块,具体如下:The RBAC-based interception module is responsible for deciding whether to allow the application to perform relevant operations according to the role of the application and its assigned permissions, and returns the query result to the interception prompt module, as follows:

本发明将安卓市场常见的应用程序进行分类,按类定义角色,记角色集R={R1,R2,…,Rn}。例如,可根据现有安卓应用程序的日常功能定义六个角色R1、R2、R3、R4、R5、R6,其中R1代表影音类、R2代表地图类、R3代表通讯类、R4代表支付类、R5代表购物类、R6代表游戏类。此外,通过分析安卓市场上常见的恶意应用程序样本,可得到易泄露用户隐私的权限组合情况,比如若INTERNET和READ_CONTACTS两个权限被恶意应用组合利用,则会泄露用户的通讯录隐私信息。本发明记组合后可能会泄露隐私的权限集合为P={P1,P2,…,Pn},基于对现有权限组合情况的分析,可定义P1=ACCESS_COARSE_LOCATION、P2=ACCESS_FINE_LOCATION、P3=WRITE_SMS、P4=WRITE_OWNER_DATA、P5=WRITE_CONTACTS、P6=SEND_SMS、P7=RECORD_AUDIO、P8=RECEIVE_SMS、P9=RECEIVE_MMS、P10=READ_PHONE_SMS、P11=READ_OWNER_DATA、P12=READ_CONTACTS、P13=PROCESS_OUTGOING_CALLS、P14=INTERNET、P15=CHANGE_WIFI_STATE、P16=CHANGE_NETWORK_STATE、P17=CALL_PHONE、P18=BROADCAST_SMS、P19=ACCESS_WIFI_STATE、P20=ACCESS_NETWORK_STATE。The present invention classifies common application programs in the Android market, defines roles by category, and records the role set R={R 1 , R 2 ,...,R n }. For example, six roles R 1 , R 2 , R 3 , R 4 , R 5 , and R 6 can be defined according to the daily functions of existing Android applications, where R 1 represents audio-visual, R 2 represents map, and R 3 represents Communication category, R 4 stands for payment category, R 5 stands for shopping category, R 6 stands for game category. In addition, by analyzing common malicious application samples in the Android market, we can obtain the combination of permissions that are easy to leak user privacy. For example, if the two permissions of INTERNET and READ_CONTACTS are combined by malicious applications, the privacy information of the user's address book will be leaked. In the present invention, the set of permissions that may leak privacy after combination is P={P 1 , P 2 ,...,P n }, based on the analysis of the existing combination of permissions, P 1 =ACCESS_COARSE_LOCATION, P 2 =ACCESS_FINE_LOCATION, P3 = WRITE_SMS , P4 = WRITE_OWNER_DATA, P5 = WRITE_CONTACTS, P6 = SEND_SMS , P7 = RECORD_AUDIO, P8 = RECEIVE_SMS, P9 = RECEIVE_MMS , P10 = READ_PHONE_SMS , PCT11 = READ_OWNER_DATA = AD_S , P1 P13 = PROCESS_OUTGOING_CALLS, P14 = INTERNET, P15 = CHANGE_WIFI_STATE , P16 = CHANGE_NETWORK_STATE , P17 = CALL_PHONE , P18 = BROADCAST_SMS, P19 = ACCESS_WIFI_STATE , P20 = ACCESS_NETWORK_STATE.

本发明用谓词G(Rm,Pn)表示角色Rm和权限Pn之间的指派关系,其中,G(Rm,Pn)=1表示角色Rm具有权限Pn;G(Rm,Pn)=0表示角色Rm不具有权限Pn。为了保护用户的隐私安全,本发明给对应角色指派其能实现基本功能所需的最小权限集合。例如,通讯类应用程序的基本功能是添加通讯录好友、发送即时消息、发送短信等,故其实现基本功能的最小权限集合为{SEND_SMS、RECEIVE_SMS、READ_PHONE_SMS、READ_CONTACTS、INTERNET、CALL_PHONE}。具体的,对于上述6类常见的安卓应用和20种组合后可能会泄露隐私的权限,角色权限指派关系如表1所示:The present invention uses the predicate G(R m , P n ) to represent the assignment relationship between the role R m and the authority P n , wherein G(R m , P n )=1 means that the role R m has the authority P n ; G(R m ,P n )=0 means that role R m does not have permission P n . In order to protect the user's privacy, the present invention assigns the minimum set of permissions required by the corresponding role to realize basic functions. For example, the basic functions of communication applications are to add contacts, send instant messages, send short messages, etc., so the minimum permission set for basic functions is {SEND_SMS, RECEIVE_SMS, READ_PHONE_SMS, READ_CONTACTS, INTERNET, CALL_PHONE}. Specifically, for the above 6 types of common Android applications and 20 permissions that may leak privacy after combination, the role permission assignment relationship is shown in Table 1:

表1角色权限指派关系表Table 1 Role and authority assignment relationship table

为了实现职责分离,本发明用谓词W(Ri,Rj)表示互斥角色关系,其中,应用程序不能同时被分配两个互斥的角色,例如W(Ri,Rj)=1表示角色Ri和Rj不是互斥角色,应用程序可以同时拥有角色Ri和Rj被指派的权限,W(Ri,Rj)=0表示角色Ri和Rj是两个互斥角色,应用程序不可同时拥有角色Ri和Rj被指派的权限。具体的,对于上述6个角色,角色互斥关系可如表2所示,例如,通讯类角色包含权限{SEND_SMS、RECEIVE_SMS、READ_PHONE_SMS、READ_CONTACTS、INTERNET、CALL_PHONE},支付类角色包含权限{INTERNET、ACCESS_WIFI_STATE},当属于支付类角色的应用程序被分配通讯类角色时,它就具有了访问用户通讯录并上传至服务器的能力,给用户的隐私安全造成了威胁,因此本发明将通讯类角色和支付类角色定义为互斥角色,即当应用程序拥有支付类角色时不能再被分配通讯类角色。In order to realize the separation of duties, the present invention uses the predicate W(R i , R j ) to represent the mutually exclusive role relationship, wherein an application cannot be assigned two mutually exclusive roles at the same time, for example, W(R i , R j )=1 means Roles R i and R j are not mutually exclusive roles, the application can have the permissions assigned by roles R i and R j at the same time, W(R i , R j )=0 means that roles R i and R j are two mutually exclusive roles , the application cannot have the assigned permissions of roles R i and R j at the same time. Specifically, for the above 6 roles, the role mutual exclusion relationship can be shown in Table 2. For example, the communication role includes permissions {SEND_SMS, RECEIVE_SMS, READ_PHONE_SMS, READ_CONTACTS, INTERNET, CALL_PHONE}, and the payment role includes permissions {INTERNET, ACCESS_WIFI_STATE }, when an application belonging to a payment role is assigned a communication role, it has the ability to access the user's address book and upload it to the server, which poses a threat to the privacy of the user. Therefore, the present invention combines communication roles and payment Class roles are defined as mutually exclusive roles, that is, when an application has a payment class role, it cannot be assigned a communication class role.

表2互斥角色关系定义表Table 2 Mutually exclusive role relationship definition table

为了平衡用户的使用体验,本发明支持动态更新RBAC策略库。在应用程序初次安装运行时,基于其基本功能为其指派相应角色,该角色只拥有完成该应用程序基本功能的最小权限集合,如表1所示的指派。当应用程序请求其最小权限集合之外的权限时,本发明提出的拦截提示模块会给出用户相关安全提示,在用户明确选择授予该应用程序此权限时,通过设置新的角色调整RBAC策略库,即设置新角色拥有用户允许的最小权限之外的其他权限。这样,当同一应用程序在运行时再次请求该权限时,本发明提出的基于RBAC的拦截模块根据调整后的RBAC策略库判断允许或拒绝应用程序的相关操作,避免反复弹出对话框影响用户使用体验。In order to balance user experience, the present invention supports dynamic updating of the RBAC policy library. When the application is installed and running for the first time, it is assigned a corresponding role based on its basic functions, and this role only has the minimum set of permissions to complete the basic functions of the application, as shown in Table 1. When an application program requests permissions other than its minimum permission set, the interception prompt module proposed by the present invention will give a user-related security prompt, and when the user explicitly chooses to grant this permission to the application program, the RBAC policy library is adjusted by setting a new role , that is, to set the new role to have other permissions than the minimum permissions allowed by the user. In this way, when the same application program requests the permission again during operation, the RBAC-based interception module proposed by the present invention judges whether to allow or deny the relevant operations of the application program according to the adjusted RBAC policy library, so as to avoid repeatedly popping up dialog boxes and affecting the user experience .

Claims (2)

1.一种Android平台下基于RBAC的恶意程序拦截及处置方法,其特征在于,包括恶意行为检测模块、内核消息反馈模块、拦截提示模块和基于RBAC的拦截模块,步骤如下:1. a malicious program interception and disposal method based on RBAC under an Android platform, is characterized in that, comprises malicious behavior detection module, kernel message feedback module, interception prompt module and interception module based on RBAC, and step is as follows: 步骤1:恶意行为检测模块通过在AndroidLinux系统中动态插入用于Hook的内核模块实现对应用程序读取用户隐私数据行为的内核层监控,为内核消息反馈模块提供消息源;Step 1: The malicious behavior detection module realizes the kernel layer monitoring of the behavior of reading user privacy data by the application program by dynamically inserting the kernel module used for Hook in the AndroidLinux system, and provides a message source for the kernel message feedback module; 步骤2:内核消息反馈模块通过netlinksocket实现内核层和用户层的消息通信,Netlinksocket采用全双工、异步的通讯方式,这样当内核态的Hook函数拦截到恶意程序的信息时发送到用户态的程序去处理,并将处理结果发送到内核态,Linux内核根据该信息决定是否允许该程序的相关操作;通过内核消息反馈模块,将恶意行为检测模块收集到的应用程序行为记录传递到拦截提示模块;Step 2: The kernel message feedback module realizes the message communication between the kernel layer and the user layer through netlinksocket. Netlinksocket adopts a full-duplex and asynchronous communication mode, so that when the Hook function in the kernel state intercepts the information of the malicious program, it is sent to the program in the user state To process, and send the processing result to the kernel mode, the Linux kernel decides whether to allow the relevant operation of the program according to the information; through the kernel message feedback module, the application program behavior record collected by the malicious behavior detection module is passed to the interception prompt module; 步骤3:拦截提示模块用于在收到内核层发来的消息之后,根据基于RBAC的拦截模块反馈的结果,给出用户细粒度的提示;Step 3: The interception prompt module is used to give the user fine-grained prompts according to the feedback result of the RBAC-based interception module after receiving the message from the kernel layer; 步骤4:基于RBAC的拦截模块通过查询RBAC策略库获取到当前应用程序所属的角色及其对应的权限信息,将查询结果反馈到拦截提示模块,拦截模块根据该结果给出用户细粒度的提示;根据RBAC策略库的查询结果;支持用户自主选择,在用户没有选择的情况下系统会默认根据RBAC策略库的查询结果来决定是否允许应用程序的相应请求。Step 4: The RBAC-based interception module obtains the role of the current application and its corresponding permission information by querying the RBAC policy library, and feeds back the query result to the interception prompt module, and the interception module gives the user fine-grained prompts based on the result; According to the query results of the RBAC policy library; users can choose independently. If the user does not choose, the system will determine whether to allow the corresponding request of the application according to the query results of the RBAC policy library by default. 2.根据权利要求1所述的方法,其特征在于还能动态更新RBAC策略库,具体为:在应用程序初次安装运行时,基于其基本功能为其指派相应角色,该角色只拥有完成该应用程序基本功能的最小权限集合,当应用程序请求其最小权限集合之外的权限时,拦截提示模块会给出用户相关安全提示,在用户明确选择授予该应用程序此权限时,通过设置新的角色调整RBAC策略库,即设置新角色拥有用户允许的最小权限之外的其他权限。2. The method according to claim 1, characterized in that the RBAC policy library can also be dynamically updated, specifically: when the application is installed and running for the first time, a corresponding role is assigned to it based on its basic functions, and the role only has the ability to complete the application. The minimum permission set for the basic functions of the program. When the application requests permissions other than its minimum permission set, the interception prompt module will give the user relevant security prompts. When the user explicitly chooses to grant the application this permission, by setting a new role Adjust the RBAC policy library, that is, set the new role to have other permissions than the minimum permissions allowed by the user.
CN201511032125.3A 2015-12-31 2015-12-31 RBAC based malicious program interception and processing method in Android platform Pending CN105550584A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201511032125.3A CN105550584A (en) 2015-12-31 2015-12-31 RBAC based malicious program interception and processing method in Android platform

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201511032125.3A CN105550584A (en) 2015-12-31 2015-12-31 RBAC based malicious program interception and processing method in Android platform

Publications (1)

Publication Number Publication Date
CN105550584A true CN105550584A (en) 2016-05-04

Family

ID=55829771

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201511032125.3A Pending CN105550584A (en) 2015-12-31 2015-12-31 RBAC based malicious program interception and processing method in Android platform

Country Status (1)

Country Link
CN (1) CN105550584A (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106657022A (en) * 2016-11-24 2017-05-10 北京瑞星信息技术股份有限公司 Linux network access control method and device
CN106791168A (en) * 2017-01-13 2017-05-31 北京奇虎科技有限公司 Information of mobile terminal guard method, device and mobile terminal
CN107547495A (en) * 2016-06-24 2018-01-05 卡巴斯基实验室股份制公司 For protecting computer from the system and method for unwarranted remote management
CN108595945A (en) * 2018-04-18 2018-09-28 Oppo广东移动通信有限公司 Permission prompt method, device, mobile terminal, server and storage medium
CN109145598A (en) * 2017-06-19 2019-01-04 腾讯科技(深圳)有限公司 Method for detecting virus, device, terminal and the storage medium of script file
CN110119615A (en) * 2019-05-24 2019-08-13 北京智游网安科技有限公司 A kind of control method, device and the computer equipment of Android log anti-leak
CN110175452A (en) * 2019-05-14 2019-08-27 维沃移动通信有限公司 Data file protection method and mobile terminal
CN112231699A (en) * 2020-10-15 2021-01-15 北京明略昭辉科技有限公司 Intercepting method, apparatus, electronic device and computer-readable medium for reading function
CN112396071A (en) * 2019-08-13 2021-02-23 中兴通讯股份有限公司 Information monitoring method and device, terminal and storage medium
WO2021098327A1 (en) * 2019-11-22 2021-05-27 支付宝(杭州)信息技术有限公司 Private data protection-based method and device for abnormal collection behavior recognition

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140137184A1 (en) * 2012-11-13 2014-05-15 Auckland Uniservices Ltd. Security system and method for operating systems
CN104462970A (en) * 2014-12-17 2015-03-25 中国科学院软件研究所 Android application program permission abuse detecting method based on process communication
CN104951707A (en) * 2015-05-13 2015-09-30 上海交通大学 Sensitive resource access control policy system based on Android platform

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140137184A1 (en) * 2012-11-13 2014-05-15 Auckland Uniservices Ltd. Security system and method for operating systems
CN104462970A (en) * 2014-12-17 2015-03-25 中国科学院软件研究所 Android application program permission abuse detecting method based on process communication
CN104951707A (en) * 2015-05-13 2015-09-30 上海交通大学 Sensitive resource access control policy system based on Android platform

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
LI LIN等: "RbacIP: A RBAC-Based Method for Intercepting and Processing Malicious Applications in Android Platform", 《INTRUST 2015 REVISED SELECTED PAPERS OF THE 7TH INTERNATIONAL CONFERENCE ON TRUSTED》 *

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107547495A (en) * 2016-06-24 2018-01-05 卡巴斯基实验室股份制公司 For protecting computer from the system and method for unwarranted remote management
CN106657022A (en) * 2016-11-24 2017-05-10 北京瑞星信息技术股份有限公司 Linux network access control method and device
CN106657022B (en) * 2016-11-24 2019-08-30 北京瑞星网安技术股份有限公司 Linux method for network access control and device
CN106791168A (en) * 2017-01-13 2017-05-31 北京奇虎科技有限公司 Information of mobile terminal guard method, device and mobile terminal
CN109145598A (en) * 2017-06-19 2019-01-04 腾讯科技(深圳)有限公司 Method for detecting virus, device, terminal and the storage medium of script file
CN109145598B (en) * 2017-06-19 2021-01-22 腾讯科技(深圳)有限公司 Virus detection method and device for script file, terminal and storage medium
CN108595945B (en) * 2018-04-18 2021-01-05 Oppo广东移动通信有限公司 Permission prompting method and device, mobile terminal, server and storage medium
CN108595945A (en) * 2018-04-18 2018-09-28 Oppo广东移动通信有限公司 Permission prompt method, device, mobile terminal, server and storage medium
CN110175452A (en) * 2019-05-14 2019-08-27 维沃移动通信有限公司 Data file protection method and mobile terminal
CN110119615A (en) * 2019-05-24 2019-08-13 北京智游网安科技有限公司 A kind of control method, device and the computer equipment of Android log anti-leak
CN110119615B (en) * 2019-05-24 2021-06-08 北京智游网安科技有限公司 Android log leakage-prevention control method and device and computer equipment
CN112396071A (en) * 2019-08-13 2021-02-23 中兴通讯股份有限公司 Information monitoring method and device, terminal and storage medium
WO2021098327A1 (en) * 2019-11-22 2021-05-27 支付宝(杭州)信息技术有限公司 Private data protection-based method and device for abnormal collection behavior recognition
CN112231699A (en) * 2020-10-15 2021-01-15 北京明略昭辉科技有限公司 Intercepting method, apparatus, electronic device and computer-readable medium for reading function
CN112231699B (en) * 2020-10-15 2025-01-03 北京明略昭辉科技有限公司 Read function interception method, device, electronic device and computer readable medium

Similar Documents

Publication Publication Date Title
CN105550584A (en) RBAC based malicious program interception and processing method in Android platform
US11960605B2 (en) Dynamic analysis techniques for applications
US12314781B2 (en) Sharing extension points to allow an application to share content via a sharing extension
US10885182B1 (en) System and method for secure, policy-based access control for mobile computing devices
US12174940B2 (en) Application-level sandboxing on devices
US11604878B2 (en) Dynamic analysis techniques for applications
US8844036B2 (en) Method and system for application-based policy monitoring and enforcement on a mobile device
US20200193017A1 (en) Leveraging Instrumentation Capabilities to Enable Monitoring Services
US10341365B1 (en) Methods and system for hiding transition events for malware detection
CN104239786B (en) ROOT-free active defense configuration method and device
US20150150119A1 (en) Framework for fine-grain access control from high-level application permissions
CN105427096A (en) Payment security sandbox realization method and system and application program monitoring method and system
US20160055344A1 (en) Data loss prevention during app execution using e-mail enforcement on a mobile device
Rangwala et al. A taxonomy of privilege escalation attacks in Android applications
Tang et al. {iOS}, your {OS}, everybody's {OS}: Vetting and analyzing network services of {iOS} applications
CN104239797A (en) Active defense method and device
CN113836529A (en) Process detection method, device, storage medium, and computer device
Zhang et al. SEIP: simple and efficient integrity protection for open mobile platforms
Khan et al. Differences in Inter-App Communication Between Android and iOS Systems
KR20150105271A (en) Malicious code blocking method, handheld device blocking the malicious code at kernel level and download server storing program of the malicious code blocking method
Kumar et al. Penetration testing of android-based smartphones
Aron et al. A concept of dynamic permission mechanism on android
Friesen PLOX: A Secure Serverless Framework for the Smart Home
Li et al. A light-weight software environment for confining Android malware
KR101397431B1 (en) System for providing isolated- executing-environment and method thereof

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20160504

WD01 Invention patent application deemed withdrawn after publication