CN104376256B - Program process spawning control method and device - Google Patents

Program process spawning control method and device

Publication number: CN104376256B
Application number: CN201410724739.7A
Authority: CN (China)
Prior art keywords: incubator, sub-incubator, original incubator, control module, socket
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN104376256A
Inventors: 曹阳, 杨威
Current assignee: Beijing Qihoo Technology Co Ltd
Original assignees: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Events: application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd (priority to CN201410724739.7A); publication of CN104376256A; application granted; publication of CN104376256B; legal status Active

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52: Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/53: Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine

Abstract

The present invention relates to a program process spawning control method comprising the following steps: running a control module that injects into the system service process a disconnect module for closing the connection between the activity management service and the original incubator; constructing, by the control module, a sub-incubator from the original incubator; receiving, by the control module, the request that the activity management service registered with the system service process initiates in order to run an application program, and passing it to the sub-incubator; and spawning, by the sub-incubator, a new process in response to the request to run the application program. The invention also provides a corresponding device for performing the method. The invention enables the target application program to run in a sandbox running environment, so that the security of the system can be ensured.

Description

Program process spawning control method and device
Technical field
The present invention relates to the technical field of computer software security, and more particularly to a program process spawning control method and a corresponding device.
Background art
A sandbox is an execution environment that restricts program behaviour according to a security policy, and it has by now been widely applied in various operating systems. Taking Android as an example, some application programs, for purposes beyond what their own functions require, in particular commercial purposes, arbitrarily apply for system permissions, obtain the user's private data, perform network access, keep the device awake, send text messages, and so on. In mild cases this may leak the user's private data or occupy system resources; in severe cases the user may suffer losses through malicious fee deduction, implanted advertising, traffic consumption or fraud. Therefore, in the execution environment provided by sandbox technology, the system's resources and permissions are managed by the sandbox; the application program runs inside the sandbox, and its accesses are first examined by the sandbox according to the security policy, forming an isolation effect relative to the system itself that can effectively protect the system's security. The security policy used by a sandbox differs in its details from one operating system to another; the basics of how these related technologies are implemented are known to those skilled in the art and are not repeated here.
Various examples of sandbox technology exist at present. On the one hand, in order to be compatible with the many applications on the market, sandbox technology is typically implemented only by restricting the sandbox's security policy, that is, by controlling the resources the application may use. However, in the security field the technical level of attackers and defenders keeps changing, and a traditional sandbox that relies only on restricting the security policy sometimes cannot guarantee the desired result; new schemes with richer technical content are needed. On the other hand, sandbox technology often involves low-level system operations, and the Unix-like operating systems represented by Android have strict permission management, so that without Root authorization it is difficult to construct a sandbox with sandbox technology. An alternative path is to implement a sandbox environment without Root, but in that case more technical obstacles are usually encountered, the protective effect is still limited, and the obstacles depend on the specific sandbox implementation.
The reason these sandbox examples find it hard to achieve a better effect is determined by the established logic of the operating system. Specifically, the developers of malicious applications understand the implementation principles and the various function interfaces of the operating system, and in the case of Android even know its open source code. On that basis they can, according to these principles, illegally exploit the various functional modules and function interfaces the system provides, bypass the original security intent of the open system, and reach their own illegal goals.
Android itself, for the sake of security, is implemented on the virtual machine principle so as to reduce possible intrusion as far as possible. A virtual machine is used to run each application process. The virtual machine is started from the system's Zygote module (known in the industry as the incubator); Zygote is loaded by the init function implemented at the Linux layer. After Zygote is loaded, it replicates itself through its own spawning function fork(); the new process is named SystemServer, which is the first process successfully run among those spawned by Zygote and which, for ease of understanding, the present invention calls the eldest child process. The SystemServer process then executes a series of initialization functions that implement the system services, including initializing the Native layer services and the Java layer services, and finally enters the Binder communication system to listen for requests, providing the various services to the application layer and to the system. In this process a series of Java layer services, including ActivityManagerService (AMS) and PackageManagerService (PMS), are loaded in turn, while Zygote retreats to the background and continues to listen for new spawn requests. When AMS initiates a spawn request to Zygote in order to run an application program, Zygote again spawns itself, and the new Zygote process loads a virtual machine so that the application program runs inside that virtual machine.
Android hopes to use this mechanism to achieve a safer process protection effect: on the one hand it wishes to ensure that the crash of a single virtual machine does not affect the normal operation of the other virtual machines; on the other hand it wishes each application process to be managed in units of a virtual machine. Seen in this way, a virtual machine naturally has the character of a sandbox, except that this character is plain to every application developer. So in practice many malicious applications exploit exactly these characteristics of the Android process loading principle: once system Root permission has been obtained, they use various known virus or hacker techniques to go deep into the underlying layers of Android, where Zygote and SystemServer may be exploited illegally to achieve illegal goals.
Indeed, Android's permission management is rather strict, and without Root many of the conventional infringement techniques of malicious programs can be refused by ordinary security application software. However, as Android opens up more and more, and because users need to customize pre-installed applications, more and more mobile terminal devices are permanently Rooted, and the security problems of these mobile terminals therefore become increasingly prominent. Improving the security protection mechanism of Rooted devices and implementing a specific and effective sandbox example is an outstanding problem in the industry.
The above analysis of the prior art can be summarized in two aspects, or problems at two levels: one is how the operating system, in a Root environment, avoids being attacked from the underlying layers so as to achieve its security purpose; the other is how the operating system realizes a safer sandbox example in a Root environment. These two aspects complement each other but also have a relative independence.
Summary of the invention
The first object of the present invention is to provide a program process spawning control method that overcomes at least part of the aforesaid problems.
The second object of the present invention is to provide a program process spawning control device suitable for implementing the method of the first object.
To achieve the objects of the present invention, the following technical scheme is adopted:
A program process spawning control method provided by the present invention comprises the following steps:
running a control module that injects into the system service process a disconnect module for closing the connection between the activity management service and the original incubator;
constructing, by the control module, a sub-incubator from the original incubator;
receiving, by the control module, the request that the activity management service registered with the system service process initiates in order to run an application program, and passing it to the sub-incubator;
spawning, by the sub-incubator, a new process in response to the request to run the application program.
Further, during execution of the control module, taking over the leadership of the activity management service's requests comprises the following steps:
establishing a connection between the control module and the original incubator using the original incubator's socket;
closing, using the disconnect module, the connection that the activity management service maintains over the original incubator's socket;
listening, using the original incubator's socket, for the requests that the activity management service initiates in order to run application programs.
Preferably, the step in which the control module constructs the sub-incubator from the original incubator is performed after the control module has established the connection with the original incubator.
In a variant of the invention, the step in which the control module injects the disconnect module into the system service process is performed after the step of establishing the connection between the control module and the original incubator via the original incubator's socket, and the disconnect module is then executed to close the connection that the activity management service maintains over the original incubator's socket.
Further, the sub-incubator establishes its own socket, and the control module establishes a connection with the sub-incubator through the sub-incubator's socket in order to transmit said request to the sub-incubator.
Further, the control module determines, according to preset data, whether the request is passed to the sub-incubator or to the original incubator.
Preferably, said preset data is generated from the result of the user selecting, via a user interface, the original incubator or the sub-incubator for the application program to be run.
Further, the sub-incubator constructs said socket after being spawned from the original incubator; the data corresponding to the socket is stored in a corresponding file. The sub-incubator's socket file is stored in a local directory; preferably, it is stored in the system directory /dev/socket. The name of the sub-incubator's socket file is identical to the process name of the sub-incubator.
Further, the process by which the control module constructs the sub-incubator from the original incubator comprises the following steps:
replicating the executable code of the original incubator;
inserting into the executable code a call instruction for realizing an external call;
running the modified executable code to realize the construction of the sub-incubator.
Preferably, the call instruction for realizing the external call calls an external monitoring unit, so as to monitor the event behaviour occurring in the process space constructed by the current sub-incubator.
Additionally, during construction of the sub-incubator from the original incubator by the control module, code for realizing the sub-incubator's self-check is also inserted into the executable code.
Further, the method of the present invention also comprises the following steps:
constructing, by the control module, a new sub-incubator with the same method used to construct the sub-incubator;
for the application program to be run, passing, by the control module according to the preset data, the request of the activity management service to one of the original incubator and the several related sub-incubators, so as to select the corresponding incubator for running that application program.
Specifically, the sub-incubator uses the fork function to spawn the new process for running the application program.
Preferably, for the disconnect module injected into the system service process, the functions realizing at least part of its functionality are contained in a shared library file.
Preferably, the system service process is the SystemServer process, the original incubator is the Zygote process, and the activity management service process is the ActivityManagerService process.
Preferably, the control module determines according to known setting data whether to satisfy the request initiated by the activity management service. Specifically, after receiving said request the control module extracts application program feature information from it and, based on that feature information, checks in locally or remotely known setting data whether the application program corresponding to the feature information should be restricted or prohibited; when it is an application program that should be restricted or prohibited, the control module diverts the request to a sub-incubator other than the original incubator, or does not forward the request to any incubator.
A program process spawning control device provided by the present invention comprises:
said control module, configured:
to inject into the system service process a disconnect module for closing the connection between the activity management service and the original incubator;
to construct a sub-incubator from the original incubator;
to receive the request that the activity management service registered with the system service process initiates in order to run an application program, and to pass it to the sub-incubator;
said sub-incubator, for spawning a new process in response to the request to run the application program.
Specifically, the control module comprises a takeover unit configured to perform the following functions:
establishing a connection between the control module and the original incubator using the original incubator's socket;
closing, using the disconnect module, the connection that the activity management service maintains over the original incubator's socket,
after which the control module listens on the original incubator's socket for the requests that the activity management service initiates in order to run application programs.
The takeover unit is additionally configured to take charge of injecting into the system service process the disconnect module for cutting off the connection between the activity management service and the original incubator.
Further, the takeover unit is additionally configured to perform the following function: establishing the connection between the control module and the sub-incubator through the socket the sub-incubator has, so as to transmit said request to the sub-incubator.
Preferably, the control module determines according to preset data whether the request is passed to the sub-incubator or to the original incubator. Said preset data is generated from the result of the user selecting, via a user interface, the original incubator or the sub-incubator for the application program to be run.
Specifically, the data corresponding to the sub-incubator's socket is stored in a corresponding file. The sub-incubator's socket file is stored in a local directory; preferably, it is stored in the system directory /dev/socket. The name of the sub-incubator's socket file is identical to the process name of the sub-incubator.
Further, the control module comprises a constructor for constructing the sub-incubator from the original incubator, the constructor being configured to perform the following functions:
replicating the executable code of the original incubator;
inserting into the executable code a call instruction for realizing an external call;
running the modified executable code to realize the construction of the sub-incubator.
Preferably, the call instruction for realizing the external call calls an external monitoring unit, so as to monitor the event behaviour occurring in the process space constructed by the current sub-incubator.
Additionally, the constructor is also configured to perform the following function: inserting into the executable code the code for realizing the sub-incubator's self-check.
Specifically, the disconnect module is configured as a shared library file, and the shared library file contains the functions that realize at least part of the disconnect module's functionality.
Preferably, the system service process is the SystemServer process, the original incubator is the Zygote process, and the activity management service process is the ActivityManagerService process.
Further, the control module comprises a verification unit for extracting, after said request is received, application program feature information from the request and checking, based on that feature information, in locally or remotely known setting data whether the application program corresponding to the feature information should be restricted or prohibited; when it is an application program that should be restricted or prohibited, the control module diverts the request to a sub-incubator other than the original incubator, or does not forward the request to any incubator.
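The statement that the sub-incubator's socket file lives in /dev/socket under the sub-incubator's process name (made here and in the method section above) gives a defender something concrete to audit: an incubator-style socket in that directory whose name is not one the platform is expected to create. The following C program is an added example, not code from the patent or its assignee. It scans a directory for Unix-domain socket files and reports any whose name is not on a caller-supplied allowlist. The directory, the allowlist and the socket names in the demonstration are this example's assumptions; its main() builds a temporary directory that stands in for /dev/socket.

```c
// Added example (not from the patent): flag Unix-domain socket files in a
// directory whose names are not on an allowlist. Intended use: point it at
// /dev/socket with the socket names the platform is known to create.
#define _GNU_SOURCE
#include <dirent.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Returns 1 if name is in the allowlist, 0 otherwise. */
static int name_allowed(const char *name, const char *const *allow, size_t nallow) {
    for (size_t i = 0; i < nallow; i++)
        if (strcmp(name, allow[i]) == 0) return 1;
    return 0;
}

/* Scans dir for entries that are Unix-domain sockets (S_ISSOCK) and counts
 * those whose name is not in the allowlist, printing each one.
 * Returns the count, or -1 if dir cannot be opened. */
int count_unexpected_sockets(const char *dir, const char *const *allow, size_t nallow) {
    DIR *d = opendir(dir);
    if (!d) return -1;
    int unexpected = 0;
    struct dirent *e;
    char path[PATH_MAX + 256];
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0) continue;
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        struct stat st;
        /* lstat: do not follow symlinks, classify the entry itself */
        if (lstat(path, &st) != 0 || !S_ISSOCK(st.st_mode)) continue;
        if (!name_allowed(e->d_name, allow, nallow)) {
            printf("unexpected socket: %s\n", path);
            unexpected++;
        }
    }
    closedir(d);
    return unexpected;
}

/* Demonstration helper: creates a bound Unix-domain socket file at path.
 * Returns 0 on success, -1 on failure. */
int create_socket_file(const char *path) {
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_un addr;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, path, sizeof addr.sun_path - 1);
    unlink(path);
    int rc = bind(fd, (struct sockaddr *)&addr, sizeof addr);
    close(fd);
    return rc == 0 ? 0 : -1;
}

int main(void) {
    /* Constructed demo: a temporary directory standing in for /dev/socket,
     * holding one expected socket and one that is not on the allowlist. */
    char dir[] = "/tmp/sockscanXXXXXX";
    if (!mkdtemp(dir)) return 1;
    char p[160];
    snprintf(p, sizeof p, "%s/zygote", dir);
    if (create_socket_file(p) != 0) return 1;
    snprintf(p, sizeof p, "%s/zygote_unknown", dir);
    if (create_socket_file(p) != 0) return 1;
    const char *const allow[] = { "zygote", "zygote_secondary" };
    int n = count_unexpected_sockets(dir, allow, 2);
    printf("%d unexpected socket(s)\n", n);
    return n == 1 ? 0 : 1;
}
```

The allowlist should be built from a known-good device image rather than from the device under inspection; on a device where the patent's mechanism (or a malicious imitation of it) is active, the extra socket would already be present and would otherwise be allowlisted by mistake.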
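The self-check code that the constructor inserts into the sub-incubator (stated here and in the method section above) is not specified further by the patent. As an added example, not code from the patent or its assignee, the following C program shows one minimal form such a self-check can take: the process hashes its own executable image through /proc/self/exe (a Linux assumption) with 64-bit FNV-1a and compares the result with a value recorded earlier. The hash function and the way the expected value is handled are this example's assumptions.

```c
// Added example (not from the patent): a process verifying the integrity of
// its own executable image. FNV-1a is used because it is short and
// dependency-free; it is not collision-resistant, so a deployment that must
// resist deliberate tampering would use a cryptographic hash instead.
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define FNV_OFFSET 0xcbf29ce484222325ULL
#define FNV_PRIME  0x100000001b3ULL

/* Feeds len bytes into a running 64-bit FNV-1a state h. */
static uint64_t fnv1a64_update(uint64_t h, const void *data, size_t len) {
    const unsigned char *p = data;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= FNV_PRIME;
    }
    return h;
}

/* 64-bit FNV-1a over an in-memory buffer. */
uint64_t fnv1a64(const void *data, size_t len) {
    return fnv1a64_update(FNV_OFFSET, data, len);
}

/* Streams a file through FNV-1a. Returns 0 on success (hash in *out),
 * -1 if the file cannot be opened or read. */
int hash_file(const char *path, uint64_t *out) {
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    uint64_t h = FNV_OFFSET;
    unsigned char buf[4096];
    size_t n;
    while ((n = fread(buf, 1, sizeof buf, f)) > 0)
        h = fnv1a64_update(h, buf, n);
    int err = ferror(f);
    fclose(f);
    if (err) return -1;
    *out = h;
    return 0;
}

/* Self-check: compares the hash of the running image with `expected`.
 * Returns 1 on match, 0 on mismatch or if the image cannot be read.
 * A real deployment would take `expected` from a signed manifest or a
 * separately protected store, never from a constant inside the image
 * being checked. */
int self_check(uint64_t expected) {
    uint64_t actual;
    if (hash_file("/proc/self/exe", &actual) != 0) return 0;
    return actual == expected;
}

int main(void) {
    uint64_t recorded;
    if (hash_file("/proc/self/exe", &recorded) != 0) {
        perror("hash_file");
        return 1;
    }
    printf("image hash: %016llx\n", (unsigned long long)recorded);
    /* Shows both outcomes; `recorded ^ 1` stands in for a tampered image. */
    printf("self_check(recorded)=%d  self_check(tampered)=%d\n",
           self_check(recorded), self_check(recorded ^ 1));
    return 0;
}
```

Because the check reads the image from disk, it detects modification of the executable file, not of the already-mapped process memory; a check against in-memory code pages would be a separate measure.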
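The verification unit described here, and the corresponding step in the method section above, decide per request whether an application runs under the original incubator, under a sub-incubator, or not at all. The following C program is an added example, not code from the patent or its assignee, of that decision logic: a spawn request is parsed for the application's feature information (here the package name carried in a "--nice-name=" argument), the name is looked up in a local policy table, and a route is returned. The line-oriented request format is the author of this example's understanding of Zygote's command-socket protocol (an argument-count line followed by one argument per line), not something the patent states; the policy table and package names are constructed for the demonstration.

```c
// Added example (not from the patent): route a spawn request according to a
// local policy table, modelling the control module's verification step.
#include <stdio.h>
#include <string.h>

enum route  { ROUTE_ORIGINAL = 0, ROUTE_SUB = 1, ROUTE_DROP = 2 };
enum policy { POLICY_ALLOW, POLICY_RESTRICT, POLICY_FORBID };

struct policy_entry { const char *package; enum policy action; };

/* Constructed policy data standing in for the patent's "known setting data". */
static const struct policy_entry POLICY[] = {
    { "com.example.bank",    POLICY_ALLOW    },  /* trusted: original incubator */
    { "com.example.adsdk",   POLICY_RESTRICT },  /* suspicious: sub-incubator   */
    { "com.example.malware", POLICY_FORBID   },  /* known bad: not spawned      */
};

/* Copies the value of the first "--nice-name=" line of req into out.
 * Returns 1 if a non-empty name was found, 0 otherwise. */
int extract_nice_name(const char *req, char *out, size_t outlen) {
    const char *key = "--nice-name=";
    size_t klen = strlen(key);
    const char *line = req;
    while (*line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        if (len > klen && strncmp(line, key, klen) == 0) {
            size_t vlen = len - klen;
            if (vlen >= outlen) vlen = outlen - 1;   /* truncate, never overflow */
            memcpy(out, line + klen, vlen);
            out[vlen] = '\0';
            return 1;
        }
        if (!end) break;
        line = end + 1;
    }
    return 0;
}

/* Decides where a request goes. Unknown packages, and requests without a
 * recognizable name, default to the sub-incubator: the safer failure mode is
 * to run in the monitored space rather than to grant the original incubator. */
enum route route_request(const char *req) {
    char name[256];
    if (!extract_nice_name(req, name, sizeof name)) return ROUTE_SUB;
    for (size_t i = 0; i < sizeof POLICY / sizeof POLICY[0]; i++) {
        if (strcmp(name, POLICY[i].package) != 0) continue;
        switch (POLICY[i].action) {
        case POLICY_ALLOW:    return ROUTE_ORIGINAL;
        case POLICY_RESTRICT: return ROUTE_SUB;
        case POLICY_FORBID:   return ROUTE_DROP;
        }
    }
    return ROUTE_SUB;
}

int main(void) {
    /* Constructed request in the line-oriented format described above. */
    const char *req =
        "5\n--runtime-args\n--setuid=10052\n--setgid=10052\n"
        "--nice-name=com.example.adsdk\ncom.example.adsdk.Main\n";
    static const char *names[] = { "original incubator", "sub-incubator", "dropped" };
    printf("route: %s\n", names[route_request(req)]);
    return 0;
}
```

The "default to sub-incubator" choice is deliberate: a policy table that is incomplete or a request that omits the name should not silently fall through to the unmonitored path. Matching on the process name alone is only as trustworthy as the party that fills in the request, which on Android is the activity management service in SystemServer; a stronger feature would be the package's signing identity from PackageManagerService.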
Compared with the prior art, the present invention has at least the following advantages:
1. The present invention constructs a new sub-incubator from the original incubator Zygote that is intrinsic to the Android system, makes the sub-incubator independent of the original incubator, and then, by controlling the redirection of the activity management service's requests, has the application program run in the sub-incubator constructed by the invention. Ordinary break-ins are carried out on the basis of mechanisms known in the system; because the sub-incubator is independent of the original incubator, a malicious program cannot recognize the internal mechanism of the sub-incubator. Thus, even if a malicious program attempts, with the system Rooted, to go deep into the underlying system to destroy Zygote, or attempts to spread a virus by means such as ELF file infection, those attempts may fail against the sub-incubator, and the application programs loaded by the processes derived from the sub-incubator run more safely.
2. The sub-incubator of the present invention is constructed, and the requests initiated by the activity management service are managed, by the control module of the invention, which in essence controls the source of the application program's running process. Because the sub-incubator is relatively independent, the process space spawned by the sub-incubator becomes a sandbox once the application program has been loaded into it. Supplemented by the monitoring unit that monitors the application program's event behaviour, a more outstanding sandbox monitoring effect can naturally be achieved.
3. By implanting an external call instruction during construction of the sub-incubator, the present invention can load the monitoring unit through that instruction, so that the loaded monitoring unit starts before the application program and the event behaviour monitoring effect is ensured. Since the sub-incubator is essentially a copy of the system's original incubator, it is suitable for calling the fork() function and can therefore spawn new process spaces suitable for running application programs. Because the external call instruction is implanted during construction, the modules it loads, including the monitoring unit, are replicated along with each spawn the sub-incubator performs in response to a request; the monitoring unit is thereby guaranteed to work in every new process produced by the sub-incubator, giving good operational reliability.
4. The present invention can construct multiple mutually independent sub-incubators by its method. These sub-incubators, like the original incubator, establish connections with the control module of the invention through their respective sockets and can therefore be maintained effectively by the control module. The control module can even add a corresponding reclamation mechanism that kills a sub-incubator when necessary to recover system memory. More importantly, multiple sub-incubators can be used to manage the running of different types of application programs, with one sub-incubator corresponding to one class of application and another sub-incubator to another class, which likewise helps to improve system security.
It can thus be seen that the advantages obtained by the present invention are systematic: it not only protects the application layer from the underlying layers, but also provides a management function for flexibly redirecting and controlling processes.
Additional aspects and advantages of the present invention will be set forth in part in the description that follows, will become apparent from that description, or will be learned through practice of the invention.
Description of the drawings
The above and/or additional aspects and advantages of the present invention will become apparent and easy to understand from the following description of the embodiments with reference to the accompanying drawings, in which:
Fig. 1 is a schematic block diagram of a system provided according to the general idea of the present invention;
Fig. 2 is a schematic flowchart of the program process spawning control method of the present invention;
Fig. 3 is a schematic flowchart of the specific sub-steps of step S12 of the present invention;
Fig. 4 is a schematic flowchart of the specific sub-steps of step S13 of the present invention;
Fig. 5 is a schematic flowchart of the security sandbox construction method of the present invention;
Fig. 6 is a schematic flowchart of the specific sub-steps of step S31 of the present invention;
Fig. 7 is a schematic flowchart of the detailed sub-steps of step S312 of the present invention.
Detailed description
Embodiments of the present invention are described in detail below; examples of the embodiments are shown in the drawings, in which the same or similar reference numerals throughout denote the same or similar elements or elements having the same or similar functions. The embodiments described below with reference to the drawings are exemplary, serve only to explain the present invention, and are not to be construed as limiting the claims.
Those skilled in the art will appreciate that, unless expressly stated otherwise, the singular forms "a", "an", "the" and "said" used herein may also include the plural. It should be further understood that the wording "comprising" used in the description of the present invention refers to the presence of the stated features, integers, steps, operations, elements and/or components, but does not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups thereof. It should be understood that when an element is said to be "connected" or "coupled" to another element, it may be directly connected or coupled to the other element, or intervening elements may be present. In addition, "connected" or "coupled" as used herein may include wireless connection or wireless coupling. The wording "and/or" as used herein includes all or any unit of one or more of the associated listed items and all combinations thereof.
Those skilled in the art will appreciate that, unless otherwise defined, all terms used herein (including technical and scientific terms) have the same meaning as commonly understood by those of ordinary skill in the art to which the present invention belongs. It should also be understood that terms such as those defined in general dictionaries should be understood as having a meaning consistent with their meaning in the context of the prior art and, unless specifically defined as here, will not be interpreted in an idealized or overly formal sense.
Those skilled in the art will appreciate that "terminal" and "terminal device" as used herein include both devices with a wireless signal receiver, which possess only a wireless signal receiver without transmitting capability, and devices with receiving and transmitting hardware, which can perform two-way communication over a bidirectional communication link. Such devices may include: cellular or other communication devices with a single-line display, a multi-line display, or no multi-line display; PCS (Personal Communications Service) devices, which may combine voice, data processing, fax and/or data communication capability; PDAs (Personal Digital Assistants), which may include a radio frequency receiver, pager, Internet/intranet access, web browser, notepad, calendar and/or GPS (Global Positioning System) receiver; and conventional laptop and/or palmtop computers or other devices that have and/or include a radio frequency receiver. "Terminal" and "terminal device" as used herein may be portable, transportable, installed in a vehicle (air, sea and/or land), or suitable for and/or configured to operate locally and/or in distributed form at any other location on Earth and/or in space. "Terminal" and "terminal device" as used herein may also be a communication terminal, an Internet access terminal or a music/video playback terminal, for example a PDA, an MID (Mobile Internet Device) and/or a mobile phone with music/video playing functions, or a smart TV, set-top box and the like.
Those skilled in the art will appreciate that the concepts of server, cloud and remote network device used herein have equivalent effect and include, but are not limited to, a computer, a network host, a single network server, a set of multiple network servers, or a cloud composed of multiple servers. Here a cloud is composed of a large number of computers or network servers based on cloud computing, where cloud computing is one kind of distributed computing, a super virtual computer made up of a group of loosely coupled computers. In embodiments of the present invention, communication between the remote network device, the terminal device and the WNS server may be realized by any communication means, including but not limited to mobile communication based on 3GPP, LTE or WIMAX, computer network communication based on the TCP/IP or UDP protocol, and short-range wireless transmission based on Bluetooth or infrared transmission standards.
Those skilled in the art will appreciate that "application", "application program", "application software" and similar expressions used in the present invention are the same concept well known to those skilled in the art, namely computer software suitable for electronic execution that is organically constructed from a series of computer instructions and related data resources. Unless specified, this designation is not itself limited by the kind or level of the programming language, nor by the operating system or platform on which it runs. Naturally, the concept is not limited to terminals of any particular form either.
The application scenario implemented by the method and device of the present invention described below is a running environment based on the Android operating system installed on a mobile terminal.
Those skilled in the art should anticipate that, because the disclosed technology involves calling system-level resources of Android, Root permission needs to be obtained for the application program that runs this example before the present invention is implemented. Obtaining Root permission is itself an existing and well-known prerequisite technique; in practice, mobile phone users already have the capability and the self-awareness to obtain Root permission on their own, and some open mobile terminals even have the system's Root permission opened for the user when they leave the factory, or deliberately provide convenient means to obtain it. Hence this should not be regarded as an essential component affecting the implementation of the present invention.
As is well known, Root permission refers to the system administrator permission of Unix-type operating systems (including Linux and Android), similar to the Administrator permission in Windows systems; with Root permission almost all files in the user's mobile device (Android system files and user files, excluding the ROM) can be accessed and modified. However, because current mobile terminal systems still manage Root permission strictly, most applications or programs do not have Root permission under normal circumstances, and so some operations that require it cannot be performed, for example installing or uninstalling applications, or implementing the method and device of the present invention. On this basis, the present invention recommends obtaining Root permission in the following way: obtain Root permission by calling the system's built-in SU (Super User) command, or obtain a shell with Root permission and start the process in that shell; after the system's Root authorization has been obtained, subsequent calling processes can perform the related operations without applying for Root permission again. The specific Root acquisition process can refer to the Root permission calling functions of the prior art; since the realization of Root permission belongs purely to the prior art, the present invention does not describe it here. After Root permission is obtained, low-level operations on the system can be carried out, including the ELF infection handling of Zygote in the present invention, having the control module run as an underlying service, and even establishing communication based on the Binder mechanism and the like, all of which are realized on this basis.
The realization of the present invention depends on the intrinsic principles of the Android operating system, and therefore the following content must first be introduced:
First, the Zygote startup process:
On startup, the Android system first starts the basic Linux system, then boots and loads the Linux kernel and starts the initialization process (init). The Linux daemons are then started, and the Zygote process is started along with them.
Zygote is commonly referred to in the industry as the incubator. After the Zygote process starts, it first initializes a Dalvik VM (virtual machine) instance, then loads resources and system shared libraries for it, and opens a Socket to listen for service requests. When it receives a request to create a Dalvik VM instance, it reuses itself as far as possible through COW (copy-on-write) and generates a new Dalvik VM instance. The creation of Dalvik VM instances is based on the fork principle of the Linux system. While the system is running, when the Zygote process receives a request to create a virtual machine through its Socket listening port, it calls the fork function to incubate a Dalvik VM instance from itself, which can be understood as incubating a process space for running the target application.
After the Zygote process has started, the init process starts the Runtime process. The Runtime process first initializes the Service Manager and registers it as the default context manager for Binder services, responsible for the registration and lookup of Binder services. The Runtime process then sends a request to the Zygote process to start the System Server component; on receiving the request, the Zygote process "incubates" a new Dalvik VM instance to start the system service process.
SystemServer first starts two native services (written in C or C++), Surface Flinger and Audio Flinger, and registers these two local system services as IPC service objects with the Service Manager so that they can be found easily when needed. SystemServer then starts a number of Android system management services, including hardware services and system framework platform services, among them the activity management service ActivityManagerService (AMS), and registers them as IPC service objects.
After SystemServer has loaded all system services, the system is ready and sends a system ready (systemReady) broadcast to all services. When an Android application needs to be started, ActivityManagerService sends a request through the Socket inter-process communication mechanism to notify the Zygote process to create a new process for the application.
Second, the AMS response to the application startup process:
In the Android application framework layer, the ActivityManagerService component is responsible for creating new processes for Android applications; it itself also runs in an independent process, but that process is created when the system starts. The ActivityManagerService component typically creates a new process for an application in the following case: when the system decides to start an Activity or Service in a new process, AMS tries to create a new process and then starts the Activity or Service within it.
When ActivityManagerService starts an application, it communicates with the Zygote process through a Socket and asks it to fork a child process as the process of the application about to be started. As seen in the introduction above, the two critical system services PackageManagerService and ActivityManagerService are started by the SystemServer process, and the SystemServer process itself is forked from the Zygote process during startup.
It can be seen that communication between Zygote and AMS is realized through sockets. Before Zygote starts, init creates the socket file, which is stored under the system directory /dev/socket, and the socket file so created has the same file name as the Zygote process name. Hence, by checking the socket files in that system directory, one can verify whether the system has created a new incubator. This file stores the configuration data of the socket. AMS establishes its direct communication mechanism with Zygote precisely by reading such a socket file. The socket-based communication mechanism disclosed later in the invention is realized in the same way.
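The check just described, turned into a small defender-side script, as an added example that is not part of the patent: it parses an `ls -l /dev/socket` listing and reports any Unix-domain socket that is not on the device's expected list, since the patent's convention is that an incubator's socket carries the incubator's process name. The listing, the allowlist (including `zygote_secondary`, which is not on the page) and the `stepzygote` entry are constructed assumptions.

```python
"""Added example: spot unexpected incubator sockets under /dev/socket."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Assumption: the complete set of sockets expected on this device build.
ALLOWLIST: Set[str] = {"adbd", "installd", "property_service",
                       "zygote", "zygote_secondary"}

# Constructed `ls -l /dev/socket` output; "stepzygote" models the
# sub-incubator socket the patent describes, "notasocket" is a regular file.
SAMPLE_LISTING = """\
srw-rw---- 1 root system 0 2014-12-01 10:00 adbd
srw-rw---- 1 root system 0 2014-12-01 10:00 installd
srw-rw-rw- 1 root root   0 2014-12-01 10:00 property_service
srw-rw---- 1 root system 0 2014-12-01 10:00 zygote
srw-rw---- 1 root system 0 2014-12-01 10:00 zygote_secondary
srw-rw---- 1 root system 0 2014-12-01 10:03 stepzygote
-rw-r--r-- 1 root root   0 2014-12-01 10:00 notasocket
"""


@dataclass(frozen=True)
class SocketEntry:
    name: str
    mode: str
    owner: str
    group: str


def parse_socket_listing(listing: str) -> List[SocketEntry]:
    """Keep only Unix-domain sockets: the mode column starts with 's'."""
    entries: List[SocketEntry] = []
    for line in listing.splitlines():
        fields = line.split()
        # ls -l: mode links owner group size date time name (8 fields)
        if len(fields) < 8 or not fields[0].startswith("s"):
            continue
        entries.append(SocketEntry(name=fields[-1], mode=fields[0],
                                   owner=fields[2], group=fields[3]))
    return entries


def unexpected_sockets(listing: str,
                       allowlist: Set[str] = ALLOWLIST) -> Dict[str, SocketEntry]:
    """Sockets present on the device that the baseline does not account for."""
    return {e.name: e for e in parse_socket_listing(listing)
            if e.name not in allowlist}


def missing_sockets(listing: str, allowlist: Set[str] = ALLOWLIST) -> Set[str]:
    """Expected sockets that are absent (a closed or removed incubator socket)."""
    present = {e.name for e in parse_socket_listing(listing)}
    return set(allowlist) - present


def looks_like_incubator(name: str) -> bool:
    """Heuristic: a socket named after Zygote is an incubator candidate."""
    return "zygote" in name.lower()


if __name__ == "__main__":
    for name, entry in unexpected_sockets(SAMPLE_LISTING).items():
        tag = "incubator-like" if looks_like_incubator(name) else "unknown"
        print(f"{name}: {tag}, owner={entry.owner}, mode={entry.mode}")
```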
Third, reference technique for injecting a function module into the system service process SystemServer:
As mentioned above, after Zygote starts, the first thing it does is fork SystemServer from itself, which becomes the system service process and loads service processes such as AMS and PMS. Therefore, injection techniques widely used in the prior art inject the function module that needs to realize a specific function into SystemServer and have it executed there to achieve the purpose.
For example, one prior-art process for code injection into the system service process is:
Step 1: Find the process IDs (PIDs) of the three processes com.android.phone, system_server and /system/bin/mediaserver in the Android system;
Step 2: Modify the running state of the three processes according to the PIDs, execute the instruction for loading the monitor module, open up memory space and write the instruction for loading the monitor module into it;
Step 3: Modify the register state of the three processes respectively and redirect the CPU to execute the instruction;
Step 4: According to the instruction, load the monitor module into the memory space of the injector module, and the monitor module starts its initialization operation;
Step 5: After initialization ends, the monitor module looks up the start address of libbinder.so in the current process and locates the address of the entry corresponding to the ioctl function in the global offset table (GOT) of libbinder.so;
Step 6: Modify the content of the GOT entry corresponding to ioctl, replacing it with the address of the hook function hooked_ioctl;
Step 7: When software performs a sensitive behavior, it communicates and exchanges data through ioctl with one or more of the three processes com.android.phone, system_server and /system/bin/mediaserver; the hook function hooked_ioctl reads and analyzes the type of the software's sensitive behavior;
Step 8: The monitor module writes the initiator of the sensitive behavior and the time into a log file, obtaining a monitoring record of the software's sensitive behavior;
Step 9: When the monitor module detects a sensitive behavior, it sends a message to the user and suspends the operation of the sensitive behavior;
Step 10: The user decides whether to allow the execution of the sensitive behavior and returns an agree or refuse command to the monitor module;
Step 11: The monitor module obtains the result selected by the user; if the user agrees, the sensitive behavior continues to execute; if the user refuses, execution of the sensitive behavior is terminated.
Prior-art schemes that achieve injection similar to the above are too numerous to enumerate; the above method of injecting the monitor module into the system service process SystemServer can serve as the known scheme for the control module disclosed later in the invention. However, to make the subsequent disclosure clearer, it should be known that the shut-off module to be disclosed in the invention, which realizes the function of closing the Socket connection between AMS and Zygote, can be implemented in the shared library file libbinder.so as disclosed in the preceding example; in this case, reverse engineering that dynamic library file can at least partly reveal the implementation details of the functions realized by the invention.
Fourth, the infection principle based on the Linux executable file format ELF
An ELF (Executable and Linkable Format) file is the executable file of Linux, used to store executable code. The ELF infection principle is a prior-art technique: the executable code of a program is copied, new code intended to realize some purpose is inserted into it, and the modified executable code is then executed, thereby modifying the program. The subsequent disclosure of the invention uses this principle to modify the system's original incubator Zygote in order to construct a sub-incubator, and realizes the method, device and sandbox instance of the invention through the sub-incubator.
Having understood the above system principles and related knowledge, it is easy to further understand the embodiments of the invention.
It should be noted that the invention attempts to describe computer programs with reference to both their static and dynamic aspects. The so-called static aspect refers to storage objects such as program installation packages, files and databases stored on a medium; the so-called dynamic aspect refers to dynamic objects executed after being loaded into memory, including but not limited to processes, threads and the data they use. In view of these characteristics of computer software technology, the methods, steps, sub-steps, devices, units, modules and so on described in the invention should not be understood in isolation as only static or only dynamic, as those skilled in the art should know. Therefore, those skilled in the art should map the static statements of the invention onto dynamic process activities, or map the dynamic process activities of the invention onto their static forms of expression, establishing the necessary association between the static and dynamic sides, and understand the invention on this basis.
Furthermore, the invention is proposed in combination with the sandbox principle, so those skilled in the art can understand the implementation of the invention with reference to known sandbox implementation principles. The role of the sandbox is to provide a relatively closed runtime environment for the target application, so that the application's access to system resources is restricted within a prescribed scope by applying the sandbox security policy. Thus, one substantive aspect of what the invention subsequently discloses is the provision of a sandbox instance.
Referring first to Fig. 1, a system schematic diagram of one implementation of an application process incubation control device applying the invention can be understood. The control device includes a control module 12, a sub-incubator 13, the original incubator 10 intrinsic to the system, and the activity management service module 3 (ActivityManagerService, hereinafter AMS) in the system service process 2. The functions and working mechanisms realized by each module are disclosed in detail below:
The control module 12, as an independent process based on the system bottom layer, can establish Binder-based communication, can be triggered by a user's click command through an interface program and called by the process of that program, and can also be executed by logging into the system through the adb shell command. The control module is responsible for setting up the process running environment and establishing the various related connections for this purpose. It can be seen that, given the need to access the bottom layer of the Android system, the control module has relatively complex functions; several aspects that help realize the invention are listed below. On the one hand, the control module 12 needs to construct one or more sub-incubators 13 (StepZygote) from the original incubator 10 (Zygote) during operation; on the other hand, it is responsible for injecting the shut-off module into the system service process and cutting off the Socket connection between the activity management service and the original incubator 10; in a further aspect, the control module 12 is also responsible for listening for and receiving the requests initiated by the AMS process registered in the system service process 2, a request being one that AMS raises over the connection established on the Socket of the original incubator 10 in order to load and run an application, and the control module 12 needs to forward the request to the sub-incubator 13 so that the AMS request is effectively responded to. The request initiated by AMS generally includes parameters such as the program's UID and package name, and under normal circumstances the incubator returns the process PID for the corresponding request, from which AMS derives the program entry address and is able to load the application. Owing to the control and use by the control module 12 of the invention, however, this mechanism is realized by relay through the control module 12.
As can be seen from the control module 12 shown in Fig. 1, it further includes a connector 122, a constructor 121 and a verification unit 123.
The connector 122 is responsible for performing the following functions:
1. Establishing the connection between the control module 12 and the original incubator 10 using the socket of the original incubator 10. This function is performed once the control module 12 is running. After the control module 12 runs, it establishes the connection between the control module 12 and the original incubator 10 by reading the socket file of the original incubator Zygote 10 under the /dev/socket/ directory, which stores the corresponding socket data, so that it can subsequently construct the sub-incubator 13 through the constructor 121 and realize other controls over the original incubator 10.
2. Injecting a shut-off module 120 into the system service process 2 and making it execute, to close the Socket between AMS and Zygote. Specifically, it first connects to and injects into the SystemServer process, obtains the sZygoteSocket member of the android.os.Process class, and calls the close method of that member, such as socket.close(), to shut off the Socket connection between AMS and Zygote; thus the connection maintained by the activity management service 3 on the socket of the original incubator 10 is closed. That is, it was noted earlier that AMS communicates directly with Zygote through the socket, but here this communication mechanism is cut off, so that AMS can no longer communicate directly with the original incubator 10. It should be noted that although in this embodiment the function of injecting the shut-off module 120 into the system service process to close the connection between the activity management service and the original incubator is performed by the connector, those skilled in the art should understand that this function may also be performed by a module at a higher level than the connector 122.
3. Establishing the connection between the control module 12 and the sub-incubator 13 through the socket owned by the sub-incubator 13, in order to transmit the request to the sub-incubator 13 (StepZygote). After the constructor 121 of the invention has constructed the new incubator, a socket file name corresponding to the sub-incubator 13 is generated under a local directory according to Zygote's intrinsic functions. This socket file may have the same name as the process name of the sub-incubator 13 (StepZygote) for ease of identification, or of course a different name. Likewise, although this socket file may be stored in another local directory, it is recommended to store it in the /dev/socket directory for ease of identification. Thus the connector 122 reads the socket file and establishes socket-based communication with the sub-incubator 13 through that socket.
By performing the above functions, the connector 122 enables the control module 12 to use the socket of the original incubator 10 to listen for requests initiated by the activity management service (AMS) 3 for running applications, and to control the connection ports of the original incubator 10 and the sub-incubator 13. Once AMS attempts to establish a connection with the default original incubator 10 (Zygote), the control module 12 receives the request and passes it on demand to the original incubator 10 or the sub-incubator 13, and the corresponding incubator returns the required process PID to it.
With reference to the earlier introduction of the ELF infection technique, it can be seen that in the function performed by the constructor 121 the executable code of the original incubator 10 is first copied, call instructions for realizing external calls are then inserted into the executable code, code realizing program self-checking of the sub-incubator 13 is added if necessary, and finally the modified executable code is run, which completes the construction of the sub-incubator 13 and thus realizes the function of constructing the sub-incubator 13 from the original incubator 10.
The call instruction referred to here can be flexibly realized by those skilled in the art, for example as a call to an external function, namely a call to the monitoring unit 130 disclosed in detail later in the invention, which helps realize a sandbox instance; specifically, it realizes monitoring of the event behavior occurring in the process space constructed by the current sub-incubator 13. It should be understood that after the sub-incubator 13 calls the fork function to copy itself, these external calls and the self-checking code are copied as well; that is, not only the process of the sub-incubator 13 itself but also the processes it incubates load the monitoring unit 130, so that each new process incubated by the sub-incubator 13 provides a sandbox environment for the corresponding target application, which also realizes the sandbox instance of the invention.
The control module 12 can call the constructor 121 on demand to realize multiple sub-incubators 13 according to the same logic, with each sub-incubator 13 used to respond to the requests of a different class of applications, thereby creating multiple secure incubators for the Android system. In theory, an attack by an external program on the original incubator 10 does not affect the sub-incubators 13 built by the control module 12.
The verification unit 123 is an optional component that facilitates system operation and the realization of interaction and settings. After the control module 12 receives the request from AMS, the verification unit 123 extracts application feature information from the request, for example the UID and package name described earlier, and checks, based on known setting data obtained locally or remotely (for example stored in a local or remote database), whether the application corresponding to this feature information should be restricted or forbidden. When it is an application that should be restricted or forbidden, the control module 12 is responsible for directing the request to a sub-incubator 13 other than the original incubator 10, or for not relaying the request to any incubator. The known setting data can store the mapping between each UID and a sub-incubator 13, and the information on whether it is restricted or forbidden. Obviously, providing the verification unit 123 gives a safer control effect: by configuring the known setting data, especially when the known setting data can be updated remotely in a timely manner, the running of malicious applications on the mobile terminal can be controlled in time through this data.
In view of the verification unit 123, the control module 12 of the invention actually acts as a router after establishing socket connections with the other components. Therefore, the control module 12 needs preset data similar to a routing table. This preset data may be consistent with the known setting data in the aforementioned verification unit 123, or independent of it; in the latter case the verification unit 123 becomes the basis on which the control module 12 realizes its routing function, which is particularly suited to the situation of multiple sub-incubators 13. In some simple examples, for instance, user instructions are collected only through the user interface provided by a desktop terminal, and the user chooses to run the target application in the sandbox, which means placing the application in the process space incubated by the sub-incubator 13; in this case the preset data can be understood as a parameter set for the target application to be run, and by obtaining this parameter the control module 12 can determine to hand the request corresponding to the target application to the sub-incubator 13 rather than the original incubator 10, so that the sub-incubator 13 constructs the process space of the target application and loads and runs it. Likewise, if the user chooses non-sandbox operation through the user interface provided by the desktop module, the control module 12 should hand the request to the original incubator 10, so that the original incubator 10 runs the target application.
From the above analysis it can be seen that how one or more sub-incubators 13 are used together with the original incubator 10 may depend on the security policy provided by the program or on the user's on-demand selection; it may be realized with database technology or in the form of parameters; it may be a scheduling instance between only a single sub-incubator 13 and the original incubator 10, or a scheduling instance in which multiple sub-incubators 13 coexist with the original incubator 10. Regardless, the control module 12 of the invention can realize effective process incubation control and scheduling.
As mentioned above, since the sub-incubator 13 of the invention is constructed by copying Zygote using the ELF infection principle, Zygote's known and intrinsic operating mechanism is not changed; therefore the sub-incubator 13 produced under the control of the control module 12 still follows the implementation mechanism of the original incubator 10, responding to the requests relayed by the control module 12, incubating a new process and answering the request with the corresponding process PID. AMS obtains the process PID, loads the target application to be run into the corresponding process space, and runs the target application. It can be seen that the crash of a sub-incubator 13, or the death of a process incubated by a sub-incubator 13, does not affect the original incubator 10 and its associated processes, and vice versa.
It can thus be seen that the secure process incubation control device of the invention can realize safer process incubation control.
To illustrate the detailed implementation of the application process incubation control device of the invention, refer to Fig. 2: the invention, in combination with the operating mechanism, provides an application process incubation control method. The method comprises the following steps:
S11, injecting the shut-off module 120 into the system service process 2.
After the program realized by the method runs, on the premise that Root privileges have been obtained, it injects the shut-off module 120 of the invention into the system service process SystemServer 2 using a known injection method. This part includes both the aforementioned shared library file libbinder.so and the modification of the address table and so on, all of which facilitate the operation of successful injection, in order thereby to close the Socket connection between AMS and Zygote.
S12, constructing the sub-incubator 13 from the original incubator 10 through the control module 12.
It should be noted that the realization of this step and the sub-steps within step S13 can be executed in an order adjusted according to the actual situation.
This step is essentially the sequential execution of the functions realized by the constructor 121 in the aforementioned device, used to obtain sub-incubators 13 on demand; this demand is realized by the control module 12 according to the aforementioned known setting data and/or preset data, or the sub-incubator is constructed automatically and forcibly according to a default rule. With reference to the functions of the constructor 121 and referring to Fig. 3, this step can be subdivided into the following steps:
S121, copying the executable code of the original incubator Zygote 10;
S122, inserting call instructions for realizing external calls into the executable code; according to the needs of different embodiments, the call instructions call the monitoring unit 130 for realizing the sandbox instance of the invention, so that the monitoring unit 130 monitors the event behavior of the process space incubated by the constructed sub-incubator 13;
S123, inserting into the executable code the code that can be used to realize program self-checking of the sub-incubator StepZygote 13, so that the sub-incubator 13 is difficult to attack;
S124, running the modified executable code so that the sub-incubator 13 is successfully constructed and stands by to incubate new processes for the requests of the activity management service ActivityManagerService 3.
Those skilled in the art will appreciate that in the invention the sub-incubator 13 can be constructed on the basis of the original incubator 10 through this step S12, but the number of sub-incubators 13 is not limited to one: in theory the number of sub-incubators 13 is limited only by memory space, and multiple sub-incubators 13 with the same properties can be copied, provided that, as disclosed by the invention, effective scheduling of multiple such sub-incubators 13 is realized in the control module 12.
It should be emphasized that the order of the above steps S122 and S123 may be exchanged.
S13, the campaign management services 3 (process) registered in system service process 2 are received by the control module 12 as fortune Row application program and the request initiated, and pass it to the sub- couveuse 13.
Understand that the present invention is realized to system service process SystemServer 2 with reference to regard to the description previously with regard to device Injection after, control module 12 can erect new system architecture, and refering to Fig. 4, its build process sees below step:
S131, the connection that control module 12 and former couveuse 10 are set up using the socket of former couveuse 10.
Address above, the socket file/dev/socket/zygote of former couveuse Zygote 10 is to set up socket The basis of connection.In this step, control module 12 reads the socket file, sets up the connection with former couveuse 10.Therefore, Can pay the utmost attention to abovementioned steps S12 are performed after this sub-step, will more be in order and realize logic.
S132, execution turn off module 120 to close campaign management services 3 (process) based on 10 socket of former couveuse The connection for being maintained.
With reference to knowable to above, AMS processes are maintain which and are connected with the socket of former couveuse Zygote 10, and this step is led to The shut-off module 120 for being injected into systemserver processes is crossed, the sZygoteSocket of android.os.process classes is obtained Member, is called the close methods such as socket.close () of the member to close AMS and is connected with the socket of Zygote so that Former couveuse 10 can not correspond directly to the request of the hatching process of AMS, further to obtain bigger control.Can see Go out, abovementioned steps S11 should be implemented before step S132, both S11 can be placed between S131 and S132 and implemented, it is also possible to will Step S132 is immediately implemented after being placed in step S11.Those skilled in the art can become the multiple enforcements for dissolving the present invention accordingly Example.
S133, monitored using the socket of the former couveuse 10 campaign management services 3 to run application process And the request initiated.
In aforementioned step, under the control of control module 12, the construction of the sub- couveuse 13 is had been realized in, because This, according to the logic of init function creations Zygote, sub- couveuse StepZygote 13 is by establishment/dev/socket/ Stepzygote socket files, certain socket file can be stored in local elsewhere, also must be with sub- couveuse 10 Process title it is identical.In this step, control module 12 sets up the socket companies with the sub- couveuse 13 by the socket Connect, at the same time, begin listening for the socket of former couveuse 10, so as to monitor AMS initiation hatching process request, so as to It is follow-up from control module 12 to former couveuse 10 or 13 transfer of the sub- couveuse request.
In this step, the control module 12 completes the construction of the new system architecture through the sub-steps above. To achieve more intelligent management, the control module 12 also implements a routing-like function. Specifically, when the control module 12 receives the request initiated by AMS, it must decide to which incubator the request is passed; the logic of this decision can take many embodiments. The pre-set data, the known setting data and the related auxiliary logic already given in the disclosure of the process-hatching control device of the present invention form the basis on which this method operates.
To implement this routing-like control function, the control module 12 processes the intercepted AMS requests as follows:
After receiving the AMS request, the control module 12 extracts application characteristic information such as the aforementioned UID and package name from the request, and checks, based on this characteristic information, in known setting data held locally or remotely (for example in a local or remote database) whether the application corresponding to the information should be restricted or prohibited. When it is an application that should be restricted or prohibited, the control module 12 forwards the request to a sub-incubator 13 other than the original incubator 10, or does not forward the request to any incubator at all. The known setting data may store the mapping between each UID and a sub-incubator 13, together with information on whether the application is restricted or prohibited. Clearly, this processing by the control module 12 provides safer and more effective control: by configuring the known setting data, especially when it can receive timely remote updates, the running of malicious applications on the mobile terminal can be controlled in time.
After establishing socket connections with the other components, the control module 12 of the present invention effectively acts as a router. The control module 12 therefore needs pre-set data resembling a routing table. This pre-set data may be identical to the aforementioned known setting data, may even be merged with it, or may be independent; in any case the related data becomes the basis on which the control module 12 implements its routing function, which is particularly suited to the case of multiple sub-incubators 13. In some simple examples, for instance where user instructions are collected only through the user interface provided by a desktop module and the user chooses to run the target application in a sandbox, meaning that the application is to be placed in a process space hatched by a sub-incubator 13, the pre-set data is the parameter set from this user instruction for the target application to be run. By obtaining this parameter, the control module 12 determines that the request corresponding to the target application should be handed to the sub-incubator 13 rather than the original incubator 10, so that the sub-incubator 13 constructs the process space for the target application and loads and runs it. Likewise, if the user selects non-sandboxed running through the user interface provided by the desktop module, the control module 12 responds by handing the request to the original incubator 10, which then runs the target application.
From the above analysis it can be seen that the use of one or more sub-incubators 13 together with the original incubator 10 may depend on a security policy provided by the program or on the user's choice; it may be implemented with database technology or in the form of parameters; and it may involve scheduling between a single sub-incubator 13 and the original incubator 10, or scheduling among several sub-incubators 13 coexisting with the original incubator 10. In any case, the control module 12 of the present invention achieves effective process-hatching control and scheduling.
S14, hatching a new process by the sub-incubator 13 in response to the request, so as to run the application program.
As described above, after the control module 12 forwards the AMS request, the forwarding target is determined: if it is not the system's original incubator 10, it is the sub-incubator 13 constructed by the present invention. It should be noted that the forwarding referred to here includes not only an instruction identical in form and construction to the original request initiated by AMS, but also an instruction converted by the control module 12 according to rules established by the sub-incubator 13's protocol (for example by code inserted into the executable code when constructing the sub-incubator 13), which the sub-incubator 13 can read according to that protocol.
After the sub-incubator 13 receives the request from AMS forwarded by the control module 12, it follows the intrinsic mechanism inherited from the original incubator Zygote 10, copies a new process with its fork() function, and returns the process PID to AMS. The new process is responsible for loading the monitoring unit 130 whose interface was pre-set when the sub-incubator 13 was constructed, and for constructing the virtual machine instance for running the target application that initiated the request.
After AMS obtains the process entry, it loads the target application into the process space of the new process so that the target application runs. When the target application terminates, the system reclaims the virtual machine space according to its own mechanism.
As described above, the process-hatching control method provided by the present invention affords application programs a safer protective effect.
It can be seen that the above disclosure of the process-hatching control method and device of the present invention focuses on the system-level implementation. The present invention further discloses, through other embodiments, its realization at the application layer. It should be understood that, being based on the same inventive concept, the ideas employed in the method and device disclosed above apply equally to the method and device below.
Referring to Fig. 1, the present invention further provides a security sandbox construction device, comprising a control module 12, a sub-incubator 13 and a monitoring unit 130.
With reference to Fig. 1, the control module 12 specifically includes a connector 122 and a constructor 121, and may further include a verification unit 123. The connector 122 maintains the socket-based connections of the control module 12, namely the connections between the control module 12 and the original incubator 10 and the sub-incubator 13 respectively; the constructor 121 constructs the sub-incubator 13 based on the original incubator 10; the verification unit 123 determines, according to known setting data, whether to respond to a request initiated by the ActivityManagerService 3 (process). In an example that implements only one sub-incubator 13 and by default hatches new processes for all applications through that sub-incubator 13, the verification unit 123 can obviously be omitted.
The control module 12 injects the cut-off module 120 into the system service process SystemServer 2 by the method disclosed above; the injection of the cut-off module 120 can be invoked and carried out by the connector 122 of the control module 12. The control module 12, as an independent process at the low level of the system, can establish Binder-based communication and can be invoked by an application process through an interface program triggered by the user's click command; it can also be executed by logging into the system through adb shell commands. The control module is responsible for setting up the process running environment and establishes the various related connections for this purpose. Because it needs to access the bottom layer of the Android system, the control module has relatively complex functions; several aspects that help realize the present invention are listed below. On the one hand, during its operation it needs to construct one or more sub-incubators 13 (StepZygote) using the original incubator 10 (Zygote); on the other hand, it is responsible for injecting the cut-off module into the system service process and cutting off the socket connection between the ActivityManagerService and the original incubator 10; and furthermore, the control module 12 is responsible for listening for and receiving the requests initiated by the AMS process registered with the system service process 2. Such a request is made by AMS, in order to load and run an application program, over the connection established on the socket of the original incubator 10, and the control module 12 needs to forward it to the sub-incubator 13 so that AMS's request is effectively responded to. The request initiated by AMS generally includes parameters such as the program's UID and package name, and normally the incubator returns a process PID for the corresponding request, from which AMS obtains the program entry address and can load the application program. Because of the control exerted by the control module 12 of the present invention, however, this mechanism is now realized through forwarding by the control module 12.
The connector 122 performs the following functions:
1. Establishing the connection between the control module 12 and the original incubator 10 using the socket of the original incubator 10. This function is performed after the control module 12 starts running. Once running, the control module 12 reads the socket file of the original incubator Zygote 10 under the /dev/socket/ directory, which holds the corresponding socket data, and establishes the connection between the control module 12 and the original incubator 10, so that the constructor 121 can subsequently construct the sub-incubator 13 and other control over the original incubator 10 can be realized.
2. Injecting a cut-off module 120 into the system service process 2 and causing it to execute, so as to close the socket between AMS and Zygote. Specifically, it first connects to and injects into the SystemServer process, obtains the sZygoteSocket member of the android.os.Process class, and calls that member's close method, for example socket.close(), thereby closing the socket connection between AMS and Zygote; as a result, the connection maintained by the ActivityManagerService 3 on the socket of the original incubator 10 is closed. That is, it was noted earlier that AMS communicates with Zygote over this socket; here that communication mechanism is severed, so that AMS can no longer communicate directly with the original incubator 10.
3. Establishing the connection between the control module 12 and the sub-incubator 13 through the socket owned by the sub-incubator 13, so as to pass the request to the sub-incubator 13 (StepZygote). After the constructor 121 of the present invention constructs the new incubator, according to Zygote's intrinsic function a socket file corresponding to the sub-incubator 13 is created in the local directory. This socket file may share the name of the sub-incubator 13's process (StepZygote) for ease of identification, although it need not. Similarly, although this socket file may be stored in another local directory, it is recommended that it be stored in the /dev/socket directory for ease of identification. The connector 122 then reads this socket file and establishes socket-based communication with the sub-incubator 13 through it.
By performing the above functions, the connector 122 allows the control module 12 to use the socket of the original incubator 10 to listen for the requests initiated by the ActivityManagerService (AMS) 3 process to run an application program, and to control the connection ports of the original incubator 10 and the sub-incubator 13. Once AMS attempts to establish a connection with the default original incubator 10 (Zygote), the control module 12 receives the request and passes it on demand to the original incubator 10 or the sub-incubator 13, and the corresponding incubator returns the required process PID.
As for the constructor 121, with reference to the earlier introduction of the ELF infection technique, it can be understood that in the function performed by the constructor 121 the executable code of the original incubator 10 is first copied, then a call instruction for making an external call is inserted into the executable code, code implementing a program self-check for the sub-incubator 13 is added if necessary, and finally the modified executable code is run; this constructs the sub-incubator 13 and thereby realizes the function of constructing the sub-incubator 13 from the original incubator 10.
The call instruction referred to here can be implemented flexibly by those skilled in the art, for example as a call to an external function, namely the monitoring unit 130 of this device, which assists in realizing a sandbox instance, specifically by monitoring the event behaviour occurring in the process space constructed by the current sub-incubator 13. It should be understood that after the sub-incubator 13 calls the fork function to copy itself, these external calls and the self-check code are copied as well; that is, not only the sub-incubator 13 process itself but also the processes it hatches load the monitoring unit 130, so that each new process hatched by the sub-incubator 13 provides a sandbox running environment for the corresponding target application.
In theory, the control module 12 can call the constructor 121 on demand to construct multiple sub-incubators 13 following the same logic, so that the several sub-incubators 13 respond to requests for different classes of applications, thereby creating multiple secure incubators for the Android system. An attack by an external program on the original incubator 10 will, in theory, not affect the sub-incubators 13 built by the control module 12.
The verification unit 123 is an optional component that facilitates interaction and configuration of the system's operation. After the control module 12 receives the AMS request, the verification unit 123 extracts application characteristic information such as the aforementioned UID and package name from the request and checks, based on this characteristic information, in known setting data held locally or remotely (for example in a local or remote database) whether the application corresponding to the information should be restricted or prohibited. When it is an application that should be restricted or prohibited, the control module 12 forwards the request to a sub-incubator 13 other than the original incubator 10, or does not forward it to any incubator. The known setting data may store the mapping between each UID and a sub-incubator 13, together with information on whether the application is restricted or prohibited. Clearly, providing the verification unit 123 gives a safer control effect: by configuring the known setting data, especially when it can receive timely remote updates, the running of malicious applications on the mobile terminal can be controlled in time.
With the verification unit 123, the control module 12 of the present invention effectively acts as a router after establishing socket connections with the other components. The control module 12 therefore needs pre-set data resembling a routing table. This pre-set data may be identical to the known setting data in the aforementioned verification unit 123 or independent of it; in this case the verification unit 123 becomes the basis on which the control module 12 implements its routing function, which is particularly suited to the case of multiple sub-incubators 13. In some simple examples, for instance where user instructions are collected only through the user interface provided by the desktop module and the user chooses to run the target application in a sandbox, meaning that the application is to be placed in a process space hatched by a sub-incubator 13, the pre-set data can be understood as the parameter set for the target application to be run. By obtaining this parameter, the control module 12 determines that the request corresponding to the target application should be handed to the sub-incubator 13 rather than the original incubator 10, so that the sub-incubator 13 constructs the process space for the target application and loads and runs it. Likewise, if the user selects non-sandboxed running through the user interface provided by the desktop module, the control module 12 responds by handing the request to the original incubator 10, which then runs the target application.
From the above analysis it can be seen that the use of one or more sub-incubators 13 together with the original incubator 10 may depend on a security policy provided by the program or on the user's choice; it may be implemented with database technology or in the form of parameters; and it may involve scheduling between a single sub-incubator 13 and the original incubator 10, or scheduling among several sub-incubators 13 coexisting with the original incubator 10. In any case, the control module 12 of the present invention achieves effective process-hatching control and scheduling.
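As an added example, not code from the patent or its implementation, the following Python model shows the routing decision described in the two passages above (the control module's handling of intercepted AMS requests, and the verification unit 123's routing table) applied to a request. The request format follows the argument-list convention of Zygote's command socket (a count line followed by one argument per line); the setting data, UIDs, package names and incubator socket names are constructed for this example.

```python
# Added example (not the patent's code): a model of the control module 12
# deciding whether an AMS hatching request goes to the original incubator,
# to a sub-incubator, or nowhere, based on constructed "known setting data".
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

ORIGINAL = "zygote"         # socket name of the original incubator 10
DEFAULT_SUB = "stepzygote"  # socket name of the default sub-incubator 13


def parse_zygote_request(payload: str) -> List[str]:
    """Zygote-style request: first line is the argument count, then exactly
    that many argument lines. Anything else is rejected as truncated."""
    lines = payload.split("\n")
    count = int(lines[0])
    args = lines[1:1 + count]
    if len(args) != count:
        raise ValueError("truncated request")
    return args


def extract_features(args: List[str]) -> Tuple[Optional[int], Optional[str]]:
    """Return (uid, nice name) taken from --setuid= and --nice-name=; the
    nice name is what AMS sets to the package name for app processes."""
    uid, name = None, None
    for arg in args:
        if arg.startswith("--setuid="):
            uid = int(arg.split("=", 1)[1])
        elif arg.startswith("--nice-name="):
            name = arg.split("=", 1)[1]
    return uid, name


@dataclass
class SettingData:
    """Constructed stand-in for the patent's known setting data."""
    uid_to_incubator: Dict[int, str] = field(default_factory=dict)
    restricted: Set[str] = field(default_factory=set)  # must be sandboxed
    prohibited: Set[str] = field(default_factory=set)  # never hatched


def route(args: List[str], setting: SettingData,
          user_wants_sandbox: bool = False) -> Optional[str]:
    """Pick the incubator socket name, or None when the request must not be
    forwarded. Order: prohibited, explicit UID mapping, restricted or user
    choice, then the original Zygote. A request without UID or name is sent
    to the sub-incubator, so the decision fails closed (design assumption)."""
    uid, name = extract_features(args)
    if name in setting.prohibited:
        return None
    if uid is None or name is None:
        return DEFAULT_SUB
    if uid in setting.uid_to_incubator:
        return setting.uid_to_incubator[uid]
    if name in setting.restricted or user_wants_sandbox:
        return DEFAULT_SUB
    return ORIGINAL


def dispatch(payload: str, setting: SettingData,
             incubators: Dict[str, Callable[[List[str]], int]],
             user_wants_sandbox: bool = False) -> Tuple[Optional[str], int]:
    """Forward one request to the chosen incubator and return (target, pid).
    A negative pid stands for the refusal returned to AMS (assumption)."""
    args = parse_zygote_request(payload)
    target = route(args, setting, user_wants_sandbox)
    if target is None or target not in incubators:
        return target, -1
    return target, incubators[target](args)


def make_fake_incubator(first_pid: int) -> Callable[[List[str]], int]:
    """Stand-in for an incubator's fork(): hands out increasing PIDs."""
    counter = {"pid": first_pid}

    def hatch(_args: List[str]) -> int:
        counter["pid"] += 1
        return counter["pid"]
    return hatch


def build_request(uid: int, nice_name: str) -> str:
    """Construct a minimal Zygote-style request for an app process."""
    args = ["--runtime-args", f"--setuid={uid}", f"--setgid={uid}",
            f"--nice-name={nice_name}", "android.app.ActivityThread"]
    return "\n".join([str(len(args))] + args)


# Constructed setting data: one UID pinned to a second sub-incubator, one
# package that is always sandboxed, one package that is never hatched.
SETTING = SettingData(
    uid_to_incubator={10099: "stepzygote-2"},
    restricted={"com.example.untrusted"},
    prohibited={"com.example.blocked"},
)
INCUBATORS = {ORIGINAL: make_fake_incubator(1000),
              DEFAULT_SUB: make_fake_incubator(2000),
              "stepzygote-2": make_fake_incubator(3000)}

if __name__ == "__main__":
    for uid, name in [(10057, "com.example.untrusted"),
                      (10058, "com.example.trusted"),
                      (10099, "com.example.pinned"),
                      (10060, "com.example.blocked")]:
        print(name, dispatch(build_request(uid, name), SETTING, INCUBATORS))
```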
The sub-incubator 13 is used to hatch process contexts by itself and to load the monitoring unit 130 and the program to be run in those process contexts. The sub-incubator 13 is constructed by the control module 12, which uses the ELF infection principle to duplicate Zygote and construct the sub-incubator 13; in this case Zygote's own known and intrinsic operating mechanism is not changed. Therefore the sub-incubator 13 produced under the control of the control module 12 still implements the mechanism of the original incubator 10: it responds to the request forwarded by the control module 12, hatches a new process, and answers the request with the process PID. AMS obtains the process PID and loads the target application to be run into the corresponding process space, so that the target application runs. It can be seen that if a sub-incubator 13 crashes, or a process hatched by a sub-incubator 13 dies, the original incubator 10 and its associated processes are not affected, and vice versa. Moreover, because the control module 12 has inserted inside the sub-incubator 13 the instruction that calls the monitoring unit 130, the monitoring unit 130 is loaded in advance, before the target application runs, and begins monitoring the event behaviour occurring in the process it resides in, thereby monitoring the event behaviour of the target application that subsequently runs.
The monitoring unit 130, as stated above, is loaded before the target application. The monitoring unit 130 is the implementer of the sandbox running environment: it uses hook technology and is composed of a number of hook plug-ins. Each hook plug-in uses a hook function to monitor the entry of a related call instruction in the target application, intercepts that call instruction, and diverts execution to the corresponding hook function, which responds to the call instruction according to the sandbox's inherent logic, thereby monitoring the event behaviour.
It should be added here that the term "hook" covers techniques for changing or augmenting the behaviour of an operating system, application or other software component by intercepting function calls, messages or events passed between software components. The code that handles such intercepted function calls, events or messages is accordingly called a hook function. Hooks are commonly used for various purposes, including debugging functions and extending them. Examples include intercepting keyboard or mouse events before they are delivered to an application, or hooking system calls to monitor or change the functions of an application or other component. This embodiment may of course use hook functions to take over the installation verification operations required when the application runs.
For brevity of description, the specific introduction concerning the use of the monitoring unit 130 of the present invention is given in a later section and is not set out here.
Since this device essentially explains the construction of a sandbox instance, it is necessary to further disclose a desktop module in the program implemented by the present invention. The desktop module may be implemented through an Activity component provided by a security software; running the Activity provides a user interface that lists all system applications and user applications. When the user clicks to run an application, a dialog may further be shown letting the user choose whether to run the target application through the sandbox. When the user chooses to run it through the sandbox, the control module 12 of the present invention is naturally driven and invoked, and on this basis the request produced by AMS as a result of the above interface operation is handed to the sub-incubator 13 rather than the original incubator 10, so that the target application runs in the sandbox running environment realized by the monitoring unit 130 of the present invention. Of course, the realization of the user interface provided by the desktop module is very flexible; the above is only one example, and those skilled in the art may vary it. For convenience, those skilled in the art may also dispense with this user-interface step and by default start the target application clicked by the user on the desktop through the sub-incubator 13; the whole process then becomes quicker and more convenient, and the routing work of the control module 12 and the work of its verification unit 123 are simplified accordingly.
It can be seen that the security sandbox construction device of the present invention, by building a sub-incubator 13, can provide a safer, more reliable and independent running environment for the application program to be run.
Correspondingly, the security sandbox construction method of the present invention organizes the machine's processing flow more efficiently; performing this method optimizes the operating efficiency of the program implemented according to the present invention, so as to construct the sandbox running environment for the application program more efficiently.
Referring to Fig. 5, the security sandbox construction method of the present invention comprises the following steps:
S31, constructing a sub-incubator 13 for hatching process contexts using the system's original incubator 10.
The purpose of this step is to construct a new sub-incubator 13 independent of the process of the system's original incubator Zygote 10; referring to Fig. 6, it can be subdivided into the following sub-steps:
S311, running the control module 12.
As stated above, the user can, through a click operation in the desktop or in the user interface provided by the desktop module, or through an adb shell instruction, cause the desktop module to identify a target application as needing to run in the sandbox, so that the control module 12 of the present invention is invoked and run. The functions realized by the control module 12 are described above and are not repeated here.
S312, constructing the sub-incubator 13 based on the original incubator 10 using the control module 12.
This step obtains the sub-incubator 13 on demand using the control module 12; the demand may be determined by the control module 12 according to the aforementioned known setting data and/or pre-set data, or the sub-incubator may be constructed automatically according to a default rule. Referring to Fig. 7, this sub-step can be subdivided into the following sub-steps performed by the control module 12:
S3121, the control module 12 establishes the connection with the original incubator 10 using the socket of the original incubator 10.
The socket file /dev/socket/zygote of the original incubator Zygote 10 is the basis for establishing the socket connection. In this step, the control module 12 reads the socket file and establishes the connection with the original incubator 10.
S3122, injecting a cut-off module into the system service process and causing it to execute, so as to close the connection maintained by the ActivityManagerService 3 on the socket of the original incubator 10.
As stated above, the control module injects a cut-off module 120 into the system service process 2 and causes it to execute, so as to close the socket between AMS and Zygote. Specifically, it first connects to and injects into the SystemServer process, obtains the sZygoteSocket member of the android.os.Process class, and calls that member's close method, for example socket.close(), thereby closing the socket connection between AMS and Zygote. As a result, the original incubator 10 can no longer respond directly to AMS's process-hatching requests, and the control module gains fuller control. It should be pointed out, with reference to the earlier description, that injecting the cut-off module 120 into the system service process 2 and using the cut-off module 120 to perform the cut-off operation can be divided into two fine-grained steps which, as long as this precedence is kept, may be executed separately. That is, after the cut-off module 120 is injected, the cut-off operation need not be carried out immediately; it may be invoked later as the latter step requires. The former step may be invoked and performed as soon as the control module 12 starts, after which S3121 is performed, and then the later step. Those skilled in the art should recognize this flexibility, and all variations under this principle are deemed to be the same as this embodiment.
S3123, copying the executable code of the original incubator 10 and implanting into it a call instruction for loading the monitoring unit 130.
The execution of this sub-step may refer to the process of steps S121-S124 described earlier:
S121, copying the executable code of the original incubator Zygote 10;
S122, inserting into the executable code a call instruction for making an external call; according to the needs of different embodiments, the call instruction invokes the monitoring unit 130 of the present invention, so that the monitoring unit 130 monitors the event behaviour of the process space hatched by the constructed sub-incubator 13;
S123, inserting into the executable code, as needed, code that implements a program self-check for the sub-incubator StepZygote 13, making the sub-incubator 13 harder to attack; it should be noted that this sub-step is optional in the present invention;
S124, running the modified executable code so that the sub-incubator 13 is successfully constructed and stands by to hatch new processes for the requests of the ActivityManagerService 3.
S3124, executing the code of the sub-incubator so as to construct the sub-incubator 13. Once the sub-incubator 13 is running, it exists independently of the original incubator Zygote 10.
S313, the control module 12 establishes the connection with the sub-incubator 13.
Under the control of the control module 12, the construction and running of the sub-incubator 13 have been completed. Therefore, following the logic by which the init process creates Zygote, the sub-incubator StepZygote 13 creates the socket file /dev/socket/stepzygote. In this sub-step, the control module 12 establishes a socket connection with the sub-incubator 13 through this socket and can thereby begin listening on the socket of the original incubator 10, so as to intercept AMS's process-hatching requests and subsequently forward them from the control module 12 to the original incubator 10 or the sub-incubator 13.
Those skilled in the art will appreciate that in the present invention the sub-incubator 13 can be constructed on the basis of the original incubator 10 through this step S31, but the number of sub-incubators 13 is not limited to one: in theory the number of sub-incubators 13 is limited only by memory space, and multiple sub-incubators 13 with the same properties may be copied, provided that, as disclosed by the present invention, effective scheduling of multiple such sub-incubators 13 is realized in the control module 12.
It should be emphasized that, to keep the description short, the control module 12 involved in the security sandbox construction method corresponds one-to-one with the control device described for the security sandbox construction device of the present invention; therefore the other optional functions the control module 12 implements in that device, such as forwarding and routing, apply equally to this method, and the series of variations brought about by these optional functions should also be considered part of this method and are not repeated here.
S32, hatched by the sub- couveuse 13, thought that application program to be run sets up the process context.
When reaching this step, through the control of the control module 12, when control module 12 listens to the request of AMS Afterwards, transfer will be carried out to the request, what its transfer target was to determine, the former couveuse 10 of system is given to if not in, is then turned To a sub- couveuse 13 by present invention construction.It should be noted that transfer designated herein, not only including form and construction The upper instruction consistent with the original request of AMS initiations, also include through the control module 12 according to 13 agreement (example of sub- couveuse Such as by constructor couveuse 13 to executable code insert correlative code) established rule be processed conversion, energy quilt The instruction that the sub- couveuse 13 is read according to the agreement.
After the request from AMS that the sub- couveuse 13 is turned in receiving control module 12, it is inherited from according to which The intrinsic mechanism of former couveuse Zygote 10, copies new process using its fork () function, process PID is returned to AMS, Corresponding process context is just established as application program to be run with this.
S33, using process obtained by the sub- couveuse 13 hatching, by monitoring unit 130 and application program run loading Run in the process context, by the event behavior implementing monitoring of application program to be run described in the monitoring unit 130 pairs.
New process is responsible for the monitoring unit 130 of interface is prefixed when being carried in constructor couveuse 13, is also responsible for construction and uses The virtual machine instance of the destination application of the request is initiated in operation.After AMS obtains process entrance, just by the target Application program is loaded in the process space of the new process, makes the destination application successful operation.When the intended application When EP (end of program) is run, virtual machine space is reclaimed according to its mechanism by system.
The whole process by which the security sandbox construction method of the present invention builds a security sandbox instance for an application program has been disclosed in detail above; by this method, a safer and more reliable process running environment can be constructed for each application program.
Although many aspects of the general idea of the present invention are disclosed in detail above, they are not stated exhaustively. Those skilled in the art should understand that the program process incubation control method and device of the present invention, and its security sandbox construction method and device, are two aspects of one general idea of the invention; the technical means they adopt corroborate each other, so an explanation given for one aspect applies equally to the other. Thus, even where the disclosure of one aspect contains an omission, those skilled in the art can find the required explanation in the other aspect and thereby derive the complete scheme of that aspect; the omission should not be taken as negating a sufficient record of that aspect.
To highlight the sandbox example of the present invention, the embodiments related to the monitoring unit 130 loaded by the sub-incubator 13, mentioned several times above, are disclosed in more detail below.
Using the monitoring unit 130 of the present invention, a more powerful sandbox running environment can be constructed. The monitoring unit 130 can obtain hook plugins (hook functions) corresponding to specific event behaviours from a background sandbox HOOK framework, and use one or more hook plugins to hook and monitor specific event behaviours of the target application, thereby monitoring the activity of the target application process. The hook plugins of the background sandbox HOOK framework are managed centrally in the cloud and distributed to each terminal. The cloud is mainly configured with a Java hook plugin library and a Native hook plugin library. When the monitoring unit 130 needs to hook a concrete event behaviour, it sends a request to the background sandbox HOOK framework through a remote plugin interface and obtains the HOOK function for that event behaviour, i.e. the hook plugin, with which it establishes the monitoring, capture and processing of that event behaviour.
After the sub-incubator 13 has loaded the monitoring unit 130, it loads the target application for which AMS initiated the run request. Because the monitoring unit 130 is loaded before the target application, the target application is under the monitoring established by the hook plugins of the monitoring unit 130 from the moment it runs; therefore all event behaviours of the target application fall within the monitoring range of the monitoring unit 130. The installation package of the target application is complete and unmodified and can pass the examination of PackageManagerService; therefore, once loaded, the target application is fully legitimate, runs normally, and realises all the functions it could originally realise.
Since the monitoring unit 130 and the target application are in the same process space, the running monitoring unit 130 establishes monitoring of all event behaviours of the target application. For any event behaviour produced while the target application runs, its event message can be captured by the monitoring unit 130 and processed accordingly.
The specific event behaviour produced by the target application is captured by the monitoring unit 130; in essence, when the specific event behaviour is triggered, the event message it produces is captured by the corresponding hook plugin (hook function) in the monitoring unit 130. Having captured the event message, the intention of the event is known and subsequent processing can follow.
Processing a specific event behaviour requires obtaining an event behaviour processing strategy. In this sub-step, a system service may further assist in realising human-computer interaction. To achieve the interaction effect, the present invention can, in combination with security software, register an interactive module as a system service in advance; the monitoring unit 130 communicates with the interactive module through an interactive interface it establishes, thereby obtaining user instructions or preset instructions.
The ways of acquiring the event behaviour strategy are versatile and flexible and can be performed by constructing a strategy generating device. Several strategies are listed below, which the present invention may select singly or use in any combination:
(1) After the monitoring unit 130 captures the specific event behaviour, it sends a request to the interactive module through the interactive interface; the interactive module pops up a window on the user interface of the security software asking the user for a processing strategy. The pop-up interface can directly inform the user of the content of the event behaviour and its risk, and the user selects the corresponding option as the processing strategy. After the user confirms the selection, the interactive module obtains the processing strategy for the specific event behaviour and feeds it back to the monitoring unit 130, which performs the next step of processing on the corresponding event behaviour of the target application according to the strategy produced by the user instruction.
(2) When an event behaviour that has been acknowledged as relatively low-risk occurs, such as a read-only operation on contacts, or when the user has set the present invention to retrieve offline the processing strategy to be taken for a specific event behaviour, the present invention uses a local policy database to retrieve the processing strategy for that event behaviour. That is, the local policy database establishes associations between specific event behaviours and their corresponding processing strategies, and stores records of the correspondence between various event behaviours and processing strategies, for retrieval by the present invention. After obtaining the corresponding processing strategy from the local policy database, the present invention performs the next step of processing on the event behaviour.
(3) If the user has set the option of obtaining the processing strategy remotely, or the present invention by default may obtain it remotely when the local policy database retrieval finds no specific strategy for the event behaviour, or an interaction by means of case (1) above obtains no response from the user to the pop-up within the prescribed time limit, then the security software sends a request to the pre-configured cloud through the remote policy interface it has built, obtains the processing strategy corresponding to the specific event behaviour, and uses it for subsequent processing.
It should be pointed out that the three ways of obtaining the processing strategy above can be used together in combination. For example, once the interactive module receives the features of the event message sent by the monitoring unit 130, it can, according to default settings, first retrieve the local policy database by way (2) to obtain the processing strategy recommended by the system (if none can be obtained from the local policy database, it can even be obtained further from the cloud policy database by way (3)). Then, by way (1), the system-recommended processing strategy is set as the default option on the pop-up interface. If the user does not confirm the default option within the prescribed time limit, subsequent instructions are executed according to the system-recommended processing strategy; if the user changes it to a new default option, the processing strategy set by the user is returned to the monitoring unit 130. It can be seen that the interactive process can be realised flexibly and freely.
The local policy database can be a copy of the cloud policy database; therefore, in the present invention, an update step is provided for downloading the cloud policy database to update the local policy database.
Generally, the strategy for a specific event behaviour can be set to one of three common options, "refuse", "run" and "inquire", whose concrete meanings are:
Refuse: for the specific event behaviour, send the target application a false message that the event behaviour has completed, so as to prevent the event behaviour from actually occurring;
Run: make no change to the specific event behaviour; the corresponding event message is forwarded directly to the system message mechanism, allowing the target application to continue its event behaviour;
Inquire: independently accompanies either of the two options above; for the specific event behaviour, its state is marked as unknown, so that when the behaviour occurs again later, the user is asked again via the pop-up.
In practical application, the option "inquire" can be ignored; it is only necessary to consider whether to refuse or allow the current event behaviour to occur.
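The combined strategy acquisition described above (local database first, cloud fallback, pop-up with the recommendation as default and a timeout, plus the refuse / run / inquire options), as an added example that is not code from the patent. Behaviour names, the callback signatures and the sample databases are assumptions of this example.

```python
"""Added example (not code from the patent): resolving the processing strategy
for a captured event behaviour by combining the three acquisition modes above
(user pop-up, local policy database, cloud policy database) with the three
options refuse / run / inquire. Behaviour names, callback signatures and the
sample databases are assumptions of this example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

REFUSE, RUN, INQUIRE = "refuse", "run", "inquire"
Key = Tuple[str, str]                       # (package, behaviour)
# What the pop-up returns: the chosen action plus "ask me again next time"
# ("inquire" accompanies either action, as the text above puts it); None on timeout.
UserAnswer = Optional[Tuple[str, bool]]


@dataclass(frozen=True)
class Event:
    package: str
    behaviour: str                          # e.g. "sms.send", "contacts.query"


@dataclass
class PolicyResolver:
    local_db: Dict[str, str]                # behaviour -> strategy, a copy of the cloud db
    cloud_lookup: Callable[[str], Optional[str]]
    prompt_user: Callable[[Event, str], UserAnswer]
    remembered: Dict[Key, str] = field(default_factory=dict)
    unknown: Set[Key] = field(default_factory=set)

    def recommended(self, ev: Event) -> Optional[str]:
        """Mode (2): local policy database first; mode (3): cloud as fallback,
        caching the cloud answer locally (the update step described above)."""
        strategy = self.local_db.get(ev.behaviour)
        if strategy is None:
            strategy = self.cloud_lookup(ev.behaviour)
            if strategy is not None:
                self.local_db[ev.behaviour] = strategy
        return strategy

    def resolve(self, ev: Event) -> str:
        key = (ev.package, ev.behaviour)
        if key in self.remembered and key not in self.unknown:
            return self.remembered[key]     # user decided earlier and did not ask to be re-asked
        rec = self.recommended(ev)
        if rec in (REFUSE, RUN) and key not in self.unknown:
            return rec                      # known / low-risk behaviour: no pop-up needed
        # Mode (1): pop-up with the system recommendation as the default option.
        default = rec if rec in (REFUSE, RUN) else REFUSE   # fail closed (example's choice)
        answer = self.prompt_user(ev, default)
        if answer is None:                  # no response within the time limit
            return default                  # the system recommendation is executed
        action, ask_again = answer
        if action not in (REFUSE, RUN):
            raise ValueError(f"pop-up returned unsupported action {action!r}")
        if ask_again:
            self.unknown.add(key)           # "inquire": state unknown, ask again next time
        else:
            self.unknown.discard(key)
            self.remembered[key] = action
        return action


def apply_strategy(ev: Event, strategy: str) -> dict:
    """Hook-side effect: 'refuse' answers the app with a false completion message
    and does not forward the event; 'run' forwards it unchanged to the system."""
    if strategy == REFUSE:
        return {"forwarded": False, "reply_to_app": f"{ev.behaviour}: completed"}
    if strategy == RUN:
        return {"forwarded": True, "reply_to_app": None}
    raise ValueError(f"unresolved strategy {strategy!r}")


# Constructed sample databases.
LOCAL_DB = {"contacts.query": RUN, "contacts.insert": INQUIRE}
CLOUD_DB = {"sms.send": REFUSE, "apn.switch": REFUSE}
```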
The event behaviours are varied and specifically include the following major types:
(1) Terminal and networking related operations:
Obtaining operator information: for example, the target application can obtain the mobile terminal's IMSI through the getSimOperatorName() function, from which the operator name can be determined, and it can further send subscription instructions to the operator to achieve illegal purposes such as fee deduction. The monitoring platform can capture this event behaviour by hooking the related messages.
Switching APN: similarly, the target application realises APN switching control through the functions related to APN switching, which the monitoring unit 130 can also monitor by calling the corresponding hook plugin.
Similar operations, including obtaining the handset identity code IMEI, are handled in the same way as above.
(2) Notification advertisement operations: notification advertisement is the means most easily exploited by rogue programs; the monitoring unit 130 monitors it by calling the corresponding hook plugin to monitor the event messages produced by notify functions.
(3) Communication operations:
For phone dialling, the event behaviour of calling the system dialling interface can be monitored through the startActivity() function; the corresponding hook plugin can establish event behaviour monitoring of the dial-phone operation.
SMS operations correspond to functions such as sendTextMessage(); in the same way, event behaviour monitoring of this class of function can be established by a hook plugin.
Contact operations generally correspond to the query() and insert() functions; the monitoring unit 130 hooks this class of function with a hook plugin to monitor and capture such event behaviours.
(4) Command operations:
Operations such as su privilege escalation or command execution all need to use the execve() function; by monitoring the return message of this function, the monitoring unit 130 can monitor such event behaviours.
(5) Interface and access operations:
The event behaviour of creating a shortcut corresponds to the sendBroadcast() function. Similarly, the operation of hiding the program icon can also be mapped to a specific function and monitored.
HTTP network access operations correspond to functions such as sendto() and write().
(6) Program operations:
Application loading operations, meaning that the current target application loads a related application, can be captured by hook-monitoring functions such as DexClassLoader() and loadLibrary().
Installing a sub-package, likewise, corresponds to the installPackage() function.
(7) Other risky operations:
For example, sub-process intrusion operations, derived-file operations, device administrator activation operations, etc.
Here a sub-process means a sub-process established by the target application. When the target application creates a sub-process, the process space of that sub-process is likewise constructed by the sub-incubator 13, so the sub-process cannot escape monitoring by the monitoring unit 130 either. Thus, whether it is the target application's own process or a sub-process it creates, the event behaviours they trigger directly or indirectly can all be monitored by the monitoring unit 130 of the present invention, achieving a better active-defence effect.
A derived file means a file created by the target application itself or downloaded remotely, generally a sensitive derived file such as an installation package. The event can be captured by hooking the fclose() function. It should be pointed out that after the monitoring unit 130 captures this event behaviour, it can, as in the method described earlier, further send a request to the cloud through the remote policy repository interface; the cloud judges the security level of the derived file using its black/white/grey security level behaviour rules, and after the present invention obtains the cloud's determination through the remote policy repository interface, it further pops up a window asking the user whether to establish active defence against the sensitive derived file, thereby further consolidating the active-defence effect.
The event behaviours above are only selected examples and cannot be interpreted as a restriction of the event behaviours monitored by the present invention.
According to the processing strategies above and the explanation of event behaviours above, the active defence method of the present invention can process various event behaviours accordingly. Several typical application examples are given below:
(1) Application to fine-grained interception of the target application:
After some rogue programs are installed, they remain in a normal-use state for quite a long time, lulling the user's security awareness. But after running for a period of time, the target application attempts to insert an SMS message from the background to attract the user's attention, achieving an advertising or fraud effect. After the sandbox instance of the present invention is applied to the target application, through the hook plugin in the monitoring unit 130 that monitors the SMS handling function, once the target application produces the event behaviour of an SMS operation, that event behaviour is captured; the monitoring unit 130 then notifies the interactive module running as a system service through its interactive interface, and the interactive module pops up a warning on the user interface. After the user clicks the "refuse" processing strategy, it is fed back to the monitoring unit 130, where the corresponding hook plugin prevents the event behaviour from actually occurring, achieving the goal of avoiding the risk.
(2) Application to the target application releasing a malicious file.
The target application is a game that downloads and releases a malicious sub-package by way of checking for updates and calls a system function to install the sub-package. After the present invention establishes the active-defence sandbox running environment for the target application, the event behaviour produced by the file download can be monitored and a corresponding warning popped up by the interactive module. After the user instructs refusal, the corresponding hook plugin in the monitoring unit 130 can directly delete the file, or only refuse the installation of the file.
In the present invention, such a malicious sub-package is regarded as a sensitive derived file, and whether a derived file is malicious can be judged remotely using predetermined security levels. Specifically, when the creation of a derived file is detected, the characteristic information of the corresponding file, such as its signature, is sent to the cloud through the remote policy repository interface, and its security level is obtained from the cloud: if it is a black or grey application, the pop-up advises the user to refuse the installation; if it is a white application, it can be allowed to pass. In this way, security protection against sensitive derived files is realised. If the cloud cannot find a record related to the derived file, the method can require the file to be uploaded, and the cloud marks it as an unknown application, i.e. marks it grey, for future use.
(3) Application to intrusion by a sub-process.
The monitored target application creates a sub-process while running, and the sub-process further releases malicious event behaviour. When the monitoring unit 130 detects that the target application creates a sub-process, i.e. obtains the entry of the sub-process, in theory monitoring of the sub-process's event behaviour could be loaded into the sub-process by way of inline hooking. However, since the sub-process is incubated by the sub-incubator 13, the new process incubated by the sub-incubator 13 loads the monitoring unit 130 before the sub-process, so monitoring of the sub-process can be realised without using inline hooking. It can be seen that event behaviours triggered directly by the target application process, and those triggered indirectly by sub-processes created by the target application process, can all be successfully monitored by the monitoring unit 130.
From the above analysis, the sandbox running environment constructed by the present invention is highly efficient and feasible.
To make the present invention easier for those skilled in the art to implement, the related content of how the cloud server and the terminal device cooperate to judge the security level of an installation package is disclosed further below:
As stated earlier, the characteristic information sent by the client to the cloud server through the remote policy repository interface includes: the package name of the Android installation package, and/or the version number, and/or the digital signature, and/or the features of the Android component receiver, and/or the features of the Android component service, and/or the features of the Android component activity, and/or instructions or strings in executable files, and/or the MD5 values (signatures) of each file under the Android installation package directory.
The client implementing the method or device of the present invention uploads the specified characteristic information to the server (cloud), which searches its preset rule base for a feature record matching the specified single item of characteristic information or a combination of items; the preset rule base of the server contains feature records and the security level corresponding to each feature record, and each feature record contains a single item of characteristic information or a combination of items;
Thousands of feature records are preset in the server-side rule base. For example, the first feature record lists the Android installation package name of a certain virus; the second lists the version number and digital-signature MD5 value of the Android installation package of a certain normal application; the third lists the Android installation package name and receiver features of a certain normal application; the fourth lists the Android installation package name, version number and a specific string in the ELF file of a certain Trojan; and so on.
The security level marks, i.e. black, white (safe) and grey (unknown, suspicious), can be further expressed as:
Safe: the application is a normal application whose behaviour poses no threat to the security of the user's phone;
Dangerous: the application has security risks; it may itself be malware, or it may be normal software issued by a legitimate company that, because of security vulnerabilities, causes the user's privacy or phone security to be threatened;
Caution: the application is a normal application but has some problems, for example it may cause the user to be charged through carelessness, or it carries unfriendly advertisements that attract complaints; after such an application is found, the user is prompted to use it with caution and informed of the application's possible behaviour, but whether to remove the application is decided by the user;
Trojan: the application is a virus, Trojan or other malware, referred to here collectively as a Trojan, which does not mean the application is only a Trojan.
It should be understood that the cooperation between the cloud and the client can be further extended, transformed, added to, reduced and improved by those skilled in the art according to the disclosed content. Thus, the disclosure above should not be construed as limiting the method and device for realising the present invention.
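The rule-base matching just described (single feature or combination of features mapped to a security level) together with the client-side handling of a sensitive derived file from application example (2) above, as an added example that is not code from the patent. Field names, the tie-breaking rule between several matching records, the four sample records and all package data are constructed for this example.

```python
"""Added example (not code from the patent): a cloud-side rule base that
matches an installation package's characteristic information against feature
records (a single feature or a combination) and returns its security level,
together with the client-side handling of a sensitive derived file described
earlier (black or grey: advise refusal; white: allow; no record: request the
file and mark it grey). Field names, the tie-breaking rule, the four sample
records and all package data are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

WHITE, GREY, BLACK = "white", "grey", "black"
SAFE, CAUTION, DANGEROUS, TROJAN, UNKNOWN = "safe", "caution", "dangerous", "trojan", "unknown"
SEVERITY = {WHITE: 0, GREY: 1, BLACK: 2}
# Features whose value is a collection: a record matches when all its values are present.
SET_FEATURES = {"receivers", "services", "activities", "strings", "file_md5"}


@dataclass(frozen=True)
class FeatureRecord:
    features: Dict[str, object]   # single feature or a combination; all must match
    level: str                    # white / grey / black
    label: str                    # safe / caution / dangerous / trojan / unknown


def record_matches(rec: FeatureRecord, info: Dict[str, object]) -> bool:
    for name, want in rec.features.items():
        have = info.get(name)
        if have is None:
            return False
        if name in SET_FEATURES:
            if not set(want) <= set(have):
                return False
        elif have != want:
            return False
    return True


class RuleBase:
    def __init__(self, records: List[FeatureRecord]):
        self.records = list(records)
        self.upload_requests: List[Dict[str, object]] = []

    def lookup(self, info: Dict[str, object]) -> Optional[FeatureRecord]:
        """Most specific matching record wins; on a tie, the more severe level
        (this ordering is the example's own choice, not the patent's)."""
        hits = [r for r in self.records if record_matches(r, info)]
        if not hits:
            return None
        hits.sort(key=lambda r: (len(r.features), SEVERITY[r.level]), reverse=True)
        return hits[0]

    def request_upload(self, info: Dict[str, object]) -> None:
        """No record: ask the client for the file and record the package as grey /
        unknown, keyed on its signature when known so that a repackaged copy of a
        white application is not confused with the genuine one."""
        key: Dict[str, object] = {"package": info["package"]}
        if "sig_md5" in info:
            key["sig_md5"] = info["sig_md5"]
        self.upload_requests.append(dict(info))
        self.records.append(FeatureRecord(key, GREY, UNKNOWN))


def judge_derived_file(rulebase: RuleBase, info: Dict[str, object]) -> dict:
    """Client-side decision for a sensitive derived file such as a downloaded sub-package."""
    rec = rulebase.lookup(info)
    if rec is None:
        rulebase.request_upload(info)
        return {"level": GREY, "label": UNKNOWN, "advice": "refuse", "upload_requested": True}
    return {"level": rec.level, "label": rec.label,
            "advice": "allow" if rec.level == WHITE else "refuse",
            "upload_requested": False}


# Constructed sample rule base, shaped like the four records described above.
SAMPLE_SIG = "c0ffee" * 5 + "aa"   # 32 hex characters, constructed
SAMPLE_RECORDS = [
    FeatureRecord({"package": "com.constructed.virus"}, BLACK, TROJAN),
    FeatureRecord({"package": "com.constructed.bank", "version": "2.1.0",
                   "sig_md5": SAMPLE_SIG}, WHITE, SAFE),
    FeatureRecord({"package": "com.constructed.weather",
                   "receivers": {"com.constructed.weather.BootReceiver"}}, WHITE, SAFE),
    FeatureRecord({"package": "com.constructed.game", "version": "1.4",
                   "strings": {"CONSTRUCTED-ELF-MARKER"}}, BLACK, TROJAN),
]
```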
Through testing, the present invention has a wider range of application and better application effects than the prior art, briefly described below:
Since the present invention makes the HOOK framework a service platform and configures the monitoring unit 130 on the terminal in the form of hook plugins, its loading only needs to depend on the corresponding configuration file, which is efficient to manage and easy to implement; for technical staff, some simple function calls only require writing a configuration file to configure the hook plugins, and the HOOK is re-entrant with high concurrency performance.
By using the host application to load the monitoring unit 130 and then the target application, and then having the monitoring unit 130 establish monitoring of the target application's event behaviours, extended hooking of both Java functions and Native functions can be realised.
In summary, the invention enables the target application to run in a safer sandbox running environment.
The above are only some embodiments of the present invention. It should be noted that those of ordinary skill in the art can also make several improvements and modifications without departing from the principles of the invention, and these improvements and modifications should also be regarded as within the scope of protection of the present invention.

Claims (34)

1. A program process incubation control method, characterised in that it comprises the following steps:
running a control module to inject into the system service process a disconnect module for closing the connection between the activity management service and the original incubator;
constructing, by the control module, a sub-incubator using the original incubator;
receiving, by the control module, a request initiated by the activity management service registered in the system service process to run an application program, extracting application characteristic information from the request, checking on the basis of this characteristic information, against known setting data held locally or remotely, whether the application program corresponding to the characteristic information should be restricted or prohibited, and, when it is an application program that should be restricted or prohibited, passing the request to the sub-incubator;
incubating, by the sub-incubator, a new process in response to the request, to run the application program.
2. The program process incubation control method according to claim 1, characterised in that the control module, when executed, performs the leading process of obtaining the request of the activity management service, comprising the following steps:
establishing the connection between the control module and the original incubator using the socket of the original incubator;
closing, using the disconnect module, the connection maintained by the activity management service based on the socket of the original incubator;
monitoring, using the socket of the original incubator, the request initiated by the activity management service to run the application program.
3. The program process incubation control method according to claim 2, characterised in that the step in which the control module constructs the sub-incubator using the original incubator is performed after the control module and the original incubator have established a connection.
4. The program process incubation control method according to claim 2, characterised in that the step of running the control module to inject the disconnect module into the system service process is performed after the step of establishing the connection between the control module and the original incubator using the socket of the original incubator, and the disconnect module is executed to close the connection maintained by the activity management service based on the socket of the original incubator.
5. The program process incubation control method according to claim 2, characterised in that the sub-incubator has a corresponding socket established, and the control module establishes a connection with the sub-incubator through the sub-incubator socket in order to transmit said request to the sub-incubator.
6. The program process incubation control method according to claim 5, characterised in that the control module determines, according to preset data, whether to pass the request to the sub-incubator or to the original incubator.
7. The program process incubation control method according to claim 6, characterised in that the preset data is generated from the user's selection, received via a user interface, of the original incubator or the sub-incubator for the application program to be run.
8. The program process incubation control method according to claim 5, characterised in that after the sub-incubator is incubated from the original incubator, it constructs said socket, and the data corresponding to the socket is stored in a corresponding file.
9. The program process incubation control method according to claim 8, characterised in that the socket file of the sub-incubator is stored in a local directory.
10. The program process incubation control method according to claim 9, characterised in that the socket file of the sub-incubator is stored in the system directory /dev/socket.
11. The program process incubation control method according to claim 9, characterised in that the name of the socket file of the sub-incubator is identical to the process name of the sub-incubator.
12. The program process incubation control method according to claim 1, characterised in that the process by which the control module constructs the sub-incubator using the original incubator comprises the following steps:
copying the executable code of the original incubator;
inserting into the executable code a call instruction for realising an external call;
running the modified executable code to realise the construction of the sub-incubator.
13. The program process incubation control method according to claim 12, characterised in that the call instruction for realising an external call is used to call an external monitoring unit, so as to monitor the event behaviours occurring in the process space constructed by the current sub-incubator.
14. The program process incubation control method according to claim 12, characterised in that when the control module constructs the sub-incubator using the original incubator, it also inserts into the executable code code for realising self-checking of the sub-incubator.
15. The program process incubation control method according to any one of claims 1 to 14, characterised in that the method further comprises the following steps:
constructing, by the control module, a new sub-incubator by the same method used to construct the sub-incubator;
for the application program to be run, passing, by the control module according to the preset data, the request of the activity management service to one of the related original incubator and the plurality of sub-incubators, so as to select the corresponding incubator for running the application program.
16. The program process incubation control method according to any one of claims 1 to 14, characterised in that the sub-incubator uses the fork function to incubate the new process for running the application program.
17. The program process incubation control method according to any one of claims 1 to 14, characterised in that the function realising at least part of the functionality of the disconnect module injected into the system service process is contained in a shared library file.
18. The program process incubation control method according to any one of claims 1 to 14, characterised in that the system service process is the SystemServer process, the original incubator is the Zygote process, and the activity management service process is the ActivityManagerService process.
19. The program process incubation control method according to any one of claims 1 to 14, characterised in that the control module determines, according to the known setting data, whether to satisfy the request initiated by the activity management service.
20. A program process incubation control device, characterised in that it comprises:
a control module, configured:
to inject into the system service process a disconnect module for closing the connection between the activity management service and the original incubator;
to construct a sub-incubator using the original incubator;
to receive the request initiated by the activity management service registered in the system service process to run an application program, extract application characteristic information from the request, check on the basis of this characteristic information, against known setting data held locally or remotely, whether the application program corresponding to the characteristic information should be restricted or prohibited, and, when it is an application program that should be restricted or prohibited, pass the request to the sub-incubator;
said sub-incubator, for incubating a new process in response to the request, to run the application program.
21. The program process incubation control device according to claim 20, characterised in that
the control module comprises an adapter configured to perform the following functions:
establishing the connection between the control module and the original incubator using the socket of the original incubator;
closing, using the disconnect module, the connection maintained by the activity management service based on the socket of the original incubator;
and the control module monitors, using the socket of the original incubator, the request initiated by the activity management service to run the application program.
22. The program process incubation control device according to claim 21, characterised in that the adapter is further configured to be responsible for injecting into the system service process the disconnect module for closing the connection between the activity management service and the original incubator.
23. The program process incubation control device according to claim 21, characterised in that the adapter is further configured to perform the following function: establishing the connection between the control module and the sub-incubator through the socket owned by the sub-incubator, in order to transmit said request to the sub-incubator.
24. The program process incubation control device according to claim 23, characterised in that the control module determines, according to preset data, whether to pass the request to the sub-incubator or to the original incubator.
25. The program process incubation control device according to claim 24, characterised in that the preset data is generated from the user's selection, received via a user interface, of the original incubator or the sub-incubator for the application program to be run.
26. The program process incubation control device according to claim 23, characterised in that the data corresponding to the socket of the sub-incubator is stored in a corresponding file.
27. The program process incubation control device according to claim 26, characterised in that the socket file of the sub-incubator is stored in a local directory.
28. The program process incubation control device according to claim 27, characterised in that the socket file of the sub-incubator is stored in the system directory /dev/socket.
29. The program process incubation control device according to claim 27, characterised in that the name of the socket file of the sub-incubator is identical to the process name of the sub-incubator.
30. program process according to claim 29 hatch control device, it is characterised in that the control module bag Constructor is included, for utilizing former couveuse constructor couveuse, the constructor to be configured to perform following function:
Replicate the executable code of former couveuse;
Insert in the executable code for realizing the call instruction of external call;
Run amended executable code to realize the construction of the sub- couveuse.
31. program process according to claim 30 hatch control device, it is characterised in that adjust outside the realization Call instruction, for calling outside monitoring unit, to realize that the process space constructed to current sub- couveuse is occurred Event behavior monitoring.
32. program process according to claim 30 hatch control devices, it is characterised in that the constructor also by It is configured for performing following function:Insert in the executable code for realizing the code of sub- couveuse self checking.
The 33. program process hatching control devices according to any one in claim 20 to 32, it is characterised in that The shut-off module is configured with shared library file, and the shared library file includes for realizing at least part of of the shut-off module The function of function.
The 34. program process hatching control devices according to any one in claim 20 to 32, it is characterised in that The system service process be SystemServer processes, the former couveuse be Zygote processes, the campaign management services Process is ActivityManagerService processes.
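The routing behaviour of claims 20 to 25, as an added worked example that is not code from the patent or from any product of the applicant. It models the control module: parse an application-launch request in the line-oriented format the activity manager writes to the Zygote socket (an assumption modelled on AOSP's ZygoteConnection: one line with the argument count, then one argument per line, answered by a big-endian int32 pid and one boolean byte), extract the application feature information (here the `--nice-name=` value, i.e. the process name), decide from preset data whether the request goes to the sub-incubator, to the original incubator, or is refused, and relay it. The socket paths `ORIGINAL_SOCKET` and `SUB_SOCKET`, the `PRESET_DATA` table, the launch arguments and the `fake_incubator` stand-in are all constructed for the demo; the real incubators of the patent fork a process where the stand-in only returns a pid.

```python
"""Added example (not the patent's code): control-module routing of claims 20-25.
Wire format is an assumption modelled on AOSP ZygoteConnection: 'argc\\n' then
one argument per line; reply = big-endian int32 pid + one usingWrapper byte."""
import fnmatch
import socket
import struct
import threading
from typing import Dict, List, Optional, Tuple

ORIGINAL_SOCKET = "/dev/socket/zygote"      # assumption: original incubator (claim 34)
SUB_SOCKET = "/dev/socket/zygote_sandbox"   # assumption: sub-incubator (claims 28, 29)
MAX_ARGS = 256                              # refuse absurd argument counts

# Preset data of claims 24/25: the user's per-application choice (constructed sample).
PRESET_DATA: Dict[str, str] = {
    "com.example.bank": "original",
    "com.example.untrusted.*": "sub",
    "com.example.blocked": "deny",
}
DEFAULT_ROUTE = "original"


class MalformedRequest(ValueError):
    """A request the control module must not forward blindly."""


def parse_zygote_request(data: bytes) -> List[str]:
    """Parse b'argc\\narg1\\n...argN\\n' into its argument list."""
    lines = data.decode("utf-8").split("\n")
    if not lines[0].isdigit() or int(lines[0]) > MAX_ARGS:
        raise MalformedRequest("bad argument count")
    argc = int(lines[0])
    if len(lines) < argc + 2:           # argc lines plus the tail after the last '\n'
        raise MalformedRequest("truncated argument list")
    return lines[1:1 + argc]


def encode_zygote_request(args: List[str]) -> bytes:
    """Inverse of parse_zygote_request, used to re-emit a vetted request."""
    if any("\n" in a for a in args):
        raise ValueError("argument may not contain a newline")
    return ("%d\n%s" % (len(args), "".join(a + "\n" for a in args))).encode("utf-8")


def extract_app_name(args: List[str]) -> Optional[str]:
    """Application feature information of claim 20: the --nice-name= value."""
    for a in args:
        if a.startswith("--nice-name="):
            return a[len("--nice-name="):]
    return None


def decide_route(app_name: Optional[str], preset: Dict[str, str] = PRESET_DATA) -> str:
    """Return 'original', 'sub' or 'deny'; an unidentifiable app fails closed."""
    if app_name is None:
        return "deny"
    for pattern, route in preset.items():
        if fnmatch.fnmatchcase(app_name, pattern):
            return route
    return DEFAULT_ROUTE


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("incubator closed the connection")
        buf += chunk
    return buf


def relay(request: bytes, incubators: Dict[str, socket.socket]) -> Tuple[str, Optional[int]]:
    """Parse, decide, forward to the chosen incubator, return (route, pid).
    'incubators' maps route name to a connected socket (in production: connections
    to ORIGINAL_SOCKET and SUB_SOCKET)."""
    args = parse_zygote_request(request)
    route = decide_route(extract_app_name(args))
    if route == "deny":
        return route, None
    conn = incubators[route]
    conn.sendall(encode_zygote_request(args))
    reply = _recv_exact(conn, 5)        # int32 pid + usingWrapper byte
    return route, struct.unpack(">i", reply[:4])[0]


def fake_incubator(sock: socket.socket, next_pid: int) -> None:
    """Demo stand-in for an incubator: same framing, answers with a fresh pid."""
    reader = sock.makefile("rb")
    while True:
        count = reader.readline()
        if not count:
            return
        for _ in range(int(count)):
            reader.readline()
        sock.sendall(struct.pack(">i", next_pid) + b"\x00")
        next_pid += 1


def demo() -> Dict[str, Tuple[str, Optional[int]]]:
    """Run four constructed launch requests through the control module."""
    incubators: Dict[str, socket.socket] = {}
    for name, base_pid in (("original", 1001), ("sub", 5001)):
        ctl_side, inc_side = socket.socketpair()
        incubators[name] = ctl_side
        threading.Thread(target=fake_incubator, args=(inc_side, base_pid), daemon=True).start()
    results = {}
    for app in ("com.example.bank", "com.example.untrusted.game",
                "com.example.blocked", "com.example.notes"):
        args = ["--runtime-init", "--setuid=10001", "--setgid=10001",
                "--nice-name=" + app, "android.app.ActivityThread"]
        results[app] = relay(encode_zygote_request(args), incubators)
    for s in incubators.values():
        s.close()
    return results


if __name__ == "__main__":
    for app, (route, pid) in demo().items():
        print("%-28s -> %-8s pid=%s" % (app, route, pid))
```

The parser fails closed on a bad count or a truncated message, and `decide_route` refuses a request that carries no `--nice-name=`: once the control module sits between ActivityManagerService and the incubators, anything it cannot classify must not reach the original incubator by default, otherwise a malformed launch request becomes a policy bypass.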
CN201410724739.7A 2014-12-02 2014-12-02 Program process hatching control and device Active CN104376256B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410724739.7A CN104376256B (en) 2014-12-02 2014-12-02 Program process hatching control and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410724739.7A CN104376256B (en) 2014-12-02 2014-12-02 Program process hatching control and device

Publications (2)

Publication Number Publication Date
CN104376256A CN104376256A (en) 2015-02-25
CN104376256B true CN104376256B (en) 2017-04-05

Family

ID=52555158

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410724739.7A Active CN104376256B (en) 2014-12-02 2014-12-02 Program process hatching control and device

Country Status (1)

Country Link
CN (1) CN104376256B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110531961A (en) * 2019-07-24 2019-12-03 Baidu Online Network Technology (Beijing) Co., Ltd. Intelligent Service broken shell system and method

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106775608B (en) * 2015-11-24 2020-09-04 Tencent Technology (Shenzhen) Co., Ltd. Method and device for realizing independent system process
CN105335243A (en) * 2015-11-30 2016-02-17 Shanghai Feixun Data Communication Technology Co., Ltd. Broadcast message operation method and system in Android system
CN106934287B (en) 2015-12-31 2020-02-11 Beijing Kingsoft Security Software Co., Ltd. Root virus cleaning method and device and electronic equipment
CN106681801B (en) * 2016-05-09 2019-07-23 Tencent Technology (Shenzhen) Co., Ltd. Execution method and apparatus for events
CN108959061B (en) * 2017-05-19 2023-04-25 Tencent Technology (Shenzhen) Co., Ltd. Application function management method, terminal and device
CN108566424B (en) * 2018-04-11 2021-04-20 Shenzhen Tencent Network Information Technology Co., Ltd. Scheduling method, device and system based on server resource consumption prediction
CN108804938B (en) * 2018-06-14 2020-12-25 Beijing Kingsoft Security Software Co., Ltd. Authority detection method and device, electronic equipment and readable storage medium
CN110762564A (en) * 2019-09-11 2020-02-07 Ningbo Oulin Kitchen Appliances Co., Ltd. Intelligent cooker control method based on self-starting of application component
CN111506366B (en) * 2020-04-17 2023-09-05 MIGU Culture Technology Co., Ltd. Plug-in calling method, device, electronic equipment and storage medium
CN111949334B (en) * 2020-10-16 2021-06-18 Tencent Technology (Shenzhen) Co., Ltd. Sandbox environment-based virtual application starting control method, device and equipment
CN115509767B (en) * 2021-06-23 2024-06-04 Huawei Technologies Co., Ltd. Service process calling method and related device
CN114489841B (en) * 2022-01-14 2023-07-25 Hunan Xiaosuan Technology Information Co., Ltd. Method for rapidly detecting ghost process limitation of android system

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103514007A (en) * 2012-08-31 2014-01-15 TCL Corporation Method for warm start of mobile terminal based on Android system
CN104050001A (en) * 2014-06-24 2014-09-17 ThunderSoft Co., Ltd. Resource processing method, device and equipment based on Android system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Design and Implementation of a Software Behavior Analysis System Based on an Android Sandbox; Li Bin; China Master's Theses Full-text Database; 2013-11-15; full text *

Also Published As

Publication number Publication date
CN104376256A (en) 2015-02-25

Similar Documents

Publication Publication Date Title
CN104376256B (en) Program process hatching control and device
CN104375494B (en) Security sandbox construction method and security sandbox construction device
CN105427096A (en) Payment security sandbox realization method and system and application program monitoring method and system
CN103198255B (en) Method and system for monitoring and intercepting sensitive behaviour of Android software
CN104408367B (en) Application program configuration method and device
CN104376255B (en) Application program running control method and device
CN104239786B (en) Root-free active defense configuration method and device
CN104346559B (en) Authority request response method and corresponding device
CN104462879B (en) Root-free application program process control method and device
CN110391937B (en) Internet of things honey net system based on SOAP service simulation
CN102902909B (en) System and method for preventing file tampering
US11720669B1 (en) Interactive shell event detection
CN106557701B (en) Kernel leak detection method and device based on virtual machine
CN105183307A (en) Application message display control method and application message display control device
CN104462880B (en) Application program packing configuration method and device
CN105095746A (en) Method and device for application program starting authentication
CN104239797B (en) Active defense method and device
CN104375869A (en) Self-starting application control method and device
CN104885092A (en) Security system and method for operating systems
CN104850779A (en) Safe application program installing method and safe application program installing device
CN106909833A (en) Security protection method and device
CN104573497B (en) Processing method and apparatus for startup items
CN112528296B (en) Vulnerability detection method and device, storage medium and electronic equipment
Pecka et al. Privilege escalation attack scenarios on the devops pipeline within a kubernetes environment
CN109947534B (en) Cloud security function scheduling system based on SDN

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right
Effective date of registration: 2022-07-27
Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015
Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.
Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)
Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.
Patentee before: Qizhi software (Beijing) Co.,Ltd.