CN103970540A - Method and device for safely calling key function - Google Patents

Info

Publication number: CN103970540A
Authority: CN (China)
Prior art keywords: key functions, verification, calling, generating piece, generating
Legal status: Granted; Expired - Fee Related
Application number: CN201410205877.4A
Other languages: Chinese (zh)
Other versions: CN103970540B (en)
Inventors: 周冲, 李佳玲
Current assignee: Beijing Huawei Digital Technologies Co Ltd
Original assignee: Beijing Huawei Digital Technologies Co Ltd
Application filed by Beijing Huawei Digital Technologies Co Ltd
Priority to CN201410205877.4A
Publication of CN103970540A
Application granted; publication of CN103970540B

Landscapes

  • Lock And Its Accessories (AREA)
  • Storage Device Security (AREA)
Abstract

The embodiment of the invention provides a method and device for safely calling a key function. The method for safely calling the key function comprises the steps of performing unlocking check on the process of calling the key function when the key function is called, and if the check passes, generating a generating widget required by running; when the key function calls the function inside the key function, and the generating widget is detected, skipping the unlocking check; when calling of the key function is finished, locking the process, and destroying the generating widget. According to the method and device, the safety of the system is improved.

Description

Method and device for safely calling a key function
Technical field
Embodiments of the present invention relate to the field of computer technology, and in particular to a method and device for safely calling a key function.
Background
An operating system (OS) is the computer program that manages and controls a computer's hardware and software resources. It is the most basic system software and runs directly on the "bare machine"; all other software can run only with the support of the operating system. The operating system is the interface between the user and the computer, and also the interface between the computer hardware and other software. Its functions include managing the hardware, software and data resources of the computer system, controlling program execution, improving the human-machine interface and supporting other application software, so that all resources of the computer system are used to the fullest. It provides various forms of user interface, gives the user a good working environment, and provides the necessary services and interfaces for the development of other software. In practice the user does not need to deal with the operating system directly: the operating system manages the hardware resources and allocates them according to the resource requests of applications, for example dividing central processing unit (CPU) time, allocating memory space and calling the printer.
Rights management generally means that, according to the security rules or security policy set by the system, a user can access the resources they are authorized for, and only those. Root authority can be understood as the same concept as SYSTEM authority (higher than Administrator authority). Root is the super administrator on Linux and Unix systems; it has supreme authority over the whole system and can operate on all objects, so many hackers who intrude into a system try to escalate privileges to root, which in Windows terms amounts to adding their own unauthorized user to the Administrators group. Administrator is the super administrator on systems with the Windows NT kernel and also has very high authority, while the SYSTEM group can be understood as the authority of the computer system itself: it can operate on all objects and all processes. A poor rights management system inevitably leaves vulnerabilities and gives hackers an opening. Much software can easily be attacked through uniform resource locator (URL) intrusion, SQL injection and similar means, so that data is obtained without authorization. System data may even be modified or deleted, causing great losses.
The prior art generally limits calls by a user or process through user permission control and process permission control. A user or process holds certain permissions, and the calling procedure checks only those permissions. Once the user or process has passed the permission check, function-level calls can be executed.
The problem with the prior art is that if a user or process obtains higher permissions by illegitimate means, it can execute every function call, and system risk rises greatly.
Summary of the invention
Embodiments of the present invention provide a method and device for safely calling a key function, to overcome the problem of high system risk in the prior art.
In a first aspect, an embodiment of the present invention provides a method for safely calling a key function, comprising:
when a key function is called, performing an unlock check on the process calling the key function and, if the check passes, generating the generating widget required for running;
when the key function calls a function inside the key function, skipping the unlock check if the generating widget is detected;
when the call to the key function ends, locking the process and destroying the generating widget.
With reference to the first aspect, in a first implementation of the first aspect, the method further comprises:
if the check does not pass, forbidding the call to the key function.
With reference to the first aspect or the first implementation of the first aspect, in a second implementation of the first aspect, performing the unlock check on the process calling the key function when the key function is called comprises:
performing the unlock check on the process by function call stack verification; or
performing the unlock check on the process by generating an unlock key from the process identifier (PID) and the system time.
With reference to the second implementation of the first aspect, in a third implementation of the first aspect, after the generating widget is detected, the method comprises:
checking whether the generating widget is legal; if the generating widget is found to be legal, continuing the call, and otherwise returning.
In a second aspect, an embodiment of the present invention provides a device for safely calling a key function, comprising:
a check module, configured to perform an unlock check on the process calling a key function when the key function is called and, if the check passes, to generate the generating widget required for running;
a processing module, configured to skip the unlock check if the generating widget is detected when the key function calls a function inside the key function;
the processing module being further configured to lock the process and destroy the generating widget when the call to the key function ends.
With reference to the second aspect, in a first implementation of the second aspect, the processing module is further configured to:
forbid the call to the key function if the check does not pass.
With reference to the second aspect or the first implementation of the second aspect, in a second implementation of the second aspect, the check module is specifically configured to:
perform the unlock check on the process by function call stack verification; or
perform the unlock check on the process by generating an unlock key from the process identifier (PID) and the system time.
With reference to the second implementation of the second aspect, in a third implementation of the second aspect, the processing module is further configured to:
check whether the generating widget is legal; if the generating widget is found to be legal, continue the call, and otherwise return.
With the method and device of the embodiments of the present invention, an unlock check is performed on the process calling a key function when the key function is called; if the process passes the check, the generating widget required for running is generated; when the key function calls a function inside the key function, the unlock check is skipped if the generating widget is detected; and when the call to the key function ends, the process is locked and the generating widget is destroyed. Checking function calls in this way restricts illegal calls to functions, achieves security at the function-call level, and solves the problem of high system risk in the prior art.
Brief description of the drawings
To describe the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings used in describing the embodiments or the prior art are briefly introduced below. The drawings described below show some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of embodiment one of the method for safely calling a key function of the present invention;
Fig. 2 is a structural diagram of embodiment one of the device for safely calling a key function of the present invention;
Fig. 3 is a structural diagram of embodiment one of the equipment for safely calling a key function of the present invention.
Embodiments
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. The described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art from these embodiments without creative effort fall within the scope of protection of the present invention.
Fig. 1 is a flowchart of embodiment one of the method for safely calling a key function of the present invention. As shown in Fig. 1, the method of this embodiment can comprise:
Step 101: when a key function is called, perform an unlock check on the process calling the key function; if the check passes, generate the generating widget required for running.
Step 102: when the key function calls a function inside the key function, skip the unlock check if the generating widget is detected.
Step 103: when the call to the key function ends, lock the process and destroy the generating widget.
Optionally, the method of this embodiment further comprises:
if the check does not pass, forbidding the call to the key function.
Specifically, the entry of the called key function contains a process-unlock check function that can check whether the process is unlocked; when the key function is called, the unlock check is performed on the process calling it. If the unlock check fails, the call is treated as illegal and the call to the key function is forbidden, which protects the security of the system. If the unlock check succeeds, the generating widget required for running is generated and the call continues; when the call to the key function ends, the process is locked again. Embodiments of the present invention are not limited to user permissions and can also be applied to key functions of other features or services; the corresponding detection rules can be changed to suit the specific service. Different detection rules must be kept separate: obtaining permissions and formatting a hard disk, for example, are two different things and cannot be controlled with the same lock and unlock.
For example, suppose there is a standard API function func1 through which a process escalates privileges, and func1 has been fully checked and authenticated according to the standard, so its security can be guaranteed. Inside, func1 calls the privilege-escalation key function func2, and func2 calls the privilege-escalation key functions func3, func4 and so on to make the corresponding settings. func1 performs the unlock check for the privilege-escalation functions before calling func2, and calls to func3, func4 and so on all perform the unlock check as well. When func2 is called, a full unlock check is performed; if it passes, the generating widget required for running is generated. When func2 then calls func3 and func4, the unlock check is skipped if a generating widget that has passed the check is found, which reduces the impact on running efficiency. When func1 has finished calling func2, the privilege-escalation functions are locked again and the corresponding generating widget is destroyed. This ensures that a privilege-escalation operation that does not go through the API cannot escalate privileges, which stops illegal escalation of privileges.
In normal use, the functions that call a given key function are generally a fixed few, and other callers generally do not appear. Restricting callers, combined with the permissions of the process, reduces the risk of the key function being called illegally and better protects system security.
Optionally, when the key function is called, before the unlock check is performed on the process calling the key function, the method further comprises:
performing the unlock check on the process by function call stack verification; or
performing the unlock check on the process by generating an unlock key from the process identifier (PID) and the system time.
Specifically, the process unlock can use either of the following two methods, or a combination of the two. Function call stack verification: check which functions are in the function call stack to verify whether the process may be unlocked; if the function currently calling the key function is not present in the function call stack, the check fails and the call is forbidden. Unlock key generated from the current process identifier and the system time: the validity period of the unlock key is very short, which ensures that the unlock check does not become ineffective.
For the method that generates the unlock key from the current process identifier and the system time, the detailed procedure can be, for example, as follows. At unlock time the time is x1 and the process ID is y1, and the key key1 is computed by the encryption key function f1(x1, y1). At judgment time the time x2 is obtained, the process ID is y2, the key key2 is computed by the decryption function f2(x2, y2), and the current time x2 is recorded. A known plaintext can be encrypted with key1 and decrypted with key2 to judge whether the encryption and decryption match; if the decrypted plaintext is identical to the original plaintext, decryption has succeeded and execution is allowed. When a later function finds this decryption key, it obtains the time x3 and compares it with x2 to judge whether it is within the validity period; if it is, the key key3 is computed by the decryption function f2(x3, y3). If key3 equals key2, the judgment succeeds; otherwise the call is forbidden. This effectively guarantees control of the validity period. In practice other methods can also be used; the procedure is not limited to this one.
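The x1/x2/x3 procedure above, as an added Python example that is not code from the patent. The patent does not define f1 and f2; this example assumes f1 = f2 = HMAC-SHA256 over the PID and a quantised time window, keyed with a per-boot secret, and swaps the "encrypt a known plaintext with key1, decrypt with key2" step for an HMAC tag over the known plaintext. `VALIDITY`, `SECRET`, `KNOWN_PLAINTEXT` and all function names are assumptions.

```python
# Added illustration: unlock key derived from PID and system time.
# f1/f2, the secret and the window length are assumptions, not the patent's.
import hashlib
import hmac
import os
import struct

VALIDITY = 2                      # validity period of the unlock key, seconds (assumed)
SECRET = os.urandom(32)           # per-boot secret; PID and time alone are guessable
KNOWN_PLAINTEXT = b"key-function-unlock"


def derive_key(t, pid):
    """f1 and f2 in this example: key = HMAC(secret, time window || PID).

    The time is quantised to a window, otherwise keys derived at x1 and x2
    could never match.
    """
    window = int(t) // VALIDITY
    msg = struct.pack(">QQ", window, pid)
    return hmac.new(SECRET, msg, hashlib.sha256).digest()


def seal(key):
    """Stand-in for encrypting the known plaintext: a tag only `key` can produce."""
    return hmac.new(key, KNOWN_PLAINTEXT, hashlib.sha256).digest()


def unlock(x1, y1):
    """At unlock time: key1 = f1(x1, y1), returned sealed over the known plaintext."""
    key1 = derive_key(x1, y1)
    return seal(key1)


def first_check(proof, x2, y2):
    """At judgment time: key2 = f2(x2, y2) must reproduce the proof made with key1.

    Returns (key2, x2) so that later functions can re-check, or None on failure.
    """
    key2 = derive_key(x2, y2)
    if not hmac.compare_digest(proof, seal(key2)):
        return None               # wrong process or stale unlock: forbid the call
    return key2, x2


def later_check(state, x3, y3):
    """A later function finds the key: x3 must be in the period and key3 == key2."""
    if state is None:
        return False
    key2, x2 = state
    if not 0 <= x3 - x2 < VALIDITY:
        return False              # outside the validity period
    key3 = derive_key(x3, y3)
    return hmac.compare_digest(key3, key2)
```

A check that straddles a window boundary fails closed even when x3 - x2 is small, so the caller has to unlock again rather than being let through.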
Optionally, after the generating widget is detected, the method comprises:
checking whether the generating widget is legal; if the generating widget is found to be legal, continuing the call, and otherwise returning.
Specifically, after the unlock check has passed, when the key function calls a function inside the key function, the generating widget can be detected first. Once the generating widget has been detected, its legality can also be checked, for example whether the time of the generating widget has expired, which further guarantees the security of the function call. If the generating widget is illegal, the call returns abnormally.
In this embodiment, an unlock check is performed on the process calling a key function when the key function is called; if the process passes the unlock check, the generating widget required for running is generated; when the key function calls a function inside the key function, the unlock check is skipped if the generating widget is detected; and when the call to the key function ends, the process is locked and the generating widget is destroyed. Checking function calls in this way restricts illegal calls to functions, achieves security at the function-call level, and solves the problem of high system risk in the prior art.
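Steps 101 to 103 and the func1/func2/func3/func4 example, as added Python code that is not from the patent: the unlock check is done by call-stack verification against a caller allow-list, and the generating widget carries a PID and a creation time so its legality can be checked. `WIDGET_TTL`, `ALLOWED_CALLERS`, `CallDenied`, `rogue`, `attempt` and the widget layout are assumptions made for the example.

```python
# Added illustration of the gate; names, TTL and widget layout are assumptions.
import functools
import os
import sys
import time

WIDGET_TTL = 0.2         # seconds a generating widget stays legal (assumed value)
ALLOWED_CALLERS = {}     # key-function name -> code objects allowed to call it
_widget = None           # this process's generating widget; None means locked
                         # (single-threaded example: one widget per process)


class CallDenied(Exception):
    """The unlock check or the widget legality check failed."""


def is_locked():
    return _widget is None


def _widget_is_legal(widget):
    age = time.monotonic() - widget["created"]
    return widget["pid"] == os.getpid() and 0 <= age <= WIDGET_TTL


def key_function(func):
    """Place the unlock check at the entry of a key function."""
    @functools.wraps(func)
    def gate(*args, **kwargs):
        global _widget
        if _widget is not None:
            # Step 102: widget detected, skip the unlock check, but still
            # refuse to continue if the widget is not legal.
            if not _widget_is_legal(_widget):
                raise CallDenied(f"{func.__name__}: illegal widget")
            return func(*args, **kwargs)
        # Step 101: unlock check by call-stack verification. Code objects are
        # compared by identity so a same-named function cannot pass.
        caller = sys._getframe(1).f_code
        allowed = ALLOWED_CALLERS.get(func.__name__, ())
        if not any(caller is code for code in allowed):
            raise CallDenied(f"{func.__name__}: caller {caller.co_name!r} not allowed")
        _widget = {"pid": os.getpid(), "created": time.monotonic()}
        try:
            return func(*args, **kwargs)
        finally:
            _widget = None   # Step 103: lock the process, destroy the widget
    return gate


@key_function
def func3():
    return "func3 ran"


@key_function
def func4():
    return "func4 ran"


@key_function
def func2(delay=0.0):
    time.sleep(delay)        # a delay longer than WIDGET_TTL expires the widget
    return [func3(), func4()]


def func1(delay=0.0):
    """The vetted standard API: the only permitted way into func2."""
    return func2(delay)


def rogue():
    """Constructed caller that tries to reach an inner key function directly."""
    return func3()


ALLOWED_CALLERS["func2"] = [func1.__code__]
ALLOWED_CALLERS["func3"] = [func2.__wrapped__.__code__]
ALLOWED_CALLERS["func4"] = [func2.__wrapped__.__code__]


def attempt(call, *args):
    """Run a call and report a denial as a string instead of raising."""
    try:
        return call(*args)
    except CallDenied as exc:
        return f"denied: {exc}"
```

Because the widget is destroyed in a `finally` block, the process is locked again even when an inner call is refused partway through.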
Fig. 2 is a structural diagram of embodiment one of the device for safely calling a key function of the present invention. As shown in Fig. 2, the key function safe-calling device 20 of this embodiment can comprise a check module 201 and a processing module 202. The check module 201 is configured to perform an unlock check on the process calling a key function when the key function is called and, if the check passes, to generate the generating widget required for running. The processing module 202 is configured to skip the unlock check if the generating widget is detected when the key function calls a function inside the key function. The processing module 202 is further configured to lock the process and destroy the generating widget when the call to the key function ends.
Optionally, the processing module 202 is further configured to:
forbid the call to the key function if the check does not pass.
Optionally, the check module 201 is specifically configured to:
perform the unlock check on the process by function call stack verification; or
perform the unlock check on the process by generating an unlock key from the process identifier (PID) and the system time.
Optionally, the processing module 202 is further configured to:
check whether the generating widget is legal; if the generating widget is found to be legal, continue the call, and otherwise return.
The device of this embodiment can be used to carry out the technical solution of the method embodiment shown in Fig. 1. Its implementation principle and technical effect are similar and are not repeated here.
Fig. 3 is a structural diagram of embodiment one of the equipment for safely calling a key function of the present invention. As shown in Fig. 3, the key function safe-calling equipment 30 of this embodiment comprises a processor 301 and a memory 302. The memory 302 stores execution instructions; when the key function safe-calling equipment 30 runs, the processor 301 communicates with the memory 302 and calls the execution instructions in the memory 302 to carry out the technical solution described in method embodiment one. Its implementation principle and technical effect are similar and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed equipment and method can be implemented in other ways. For example, the device embodiments described above are only schematic: the division into units or modules is only a division by logical function, and other divisions are possible in an actual implementation. For example, several units or modules can be combined or integrated into another system, or some features can be ignored or not carried out. In addition, the couplings, direct couplings or communication connections shown or discussed can go through some interfaces, and the indirect couplings or communication connections between equipment or modules can be electrical, mechanical or of another form.
The modules described as separate components may or may not be physically separate, and the components shown as modules may or may not be physical modules; they can be located in one place or distributed over several network elements. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
A person of ordinary skill in the art will understand that all or some of the steps of the method embodiments above can be completed by hardware under the control of program instructions. The program can be stored in a computer-readable storage medium. When executed, the program carries out the steps of the method embodiments above. The storage medium includes various media that can store program code, such as ROM, RAM, magnetic disks or optical discs.
Finally, it should be noted that the embodiments above only illustrate the technical solutions of the present invention and do not limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments can still be modified, or some or all of their technical features can be replaced by equivalents, and that such modifications or replacements do not take the essence of the corresponding technical solutions outside the scope of the technical solutions of the embodiments of the present invention.

Claims (8)

1. A method for safely calling a key function, characterized by comprising:
when a key function is called, performing an unlock check on the process calling the key function and, if the check passes, generating the generating widget required for running;
when the key function calls a function inside the key function, skipping the unlock check if the generating widget is detected;
when the call to the key function ends, locking the process and destroying the generating widget.
2. The method according to claim 1, characterized by further comprising:
if the check does not pass, forbidding the call to the key function.
3. The method according to claim 1 or 2, characterized in that performing the unlock check on the process calling the key function when the key function is called comprises:
performing the unlock check on the process by function call stack verification; or
performing the unlock check on the process by generating an unlock key from the process identifier (PID) and the system time.
4. The method according to claim 3, characterized in that, after the generating widget is detected, the method comprises:
checking whether the generating widget is legal; if the generating widget is found to be legal, continuing the call, and otherwise returning.
5. A device for safely calling a key function, characterized by comprising:
a check module, configured to perform an unlock check on the process calling a key function when the key function is called and, if the check passes, to generate the generating widget required for running;
a processing module, configured to skip the unlock check if the generating widget is detected when the key function calls a function inside the key function;
the processing module being further configured to lock the process and destroy the generating widget when the call to the key function ends.
6. The device according to claim 5, characterized in that the processing module is further configured to:
forbid the call to the key function if the check does not pass.
7. The device according to claim 5 or 6, characterized in that the check module is specifically configured to:
perform the unlock check on the process by function call stack verification; or
perform the unlock check on the process by generating an unlock key from the process identifier (PID) and the system time.
8. The device according to claim 7, characterized in that the processing module is further configured to:
check whether the generating widget is legal; if the generating widget is found to be legal, continue the call, and otherwise return.
Application CN201410205877.4A: Method and device for safely calling key function
Priority date: 2014-05-15
Filing date: 2014-05-15
Status: Expired - Fee Related
Country: CN
Family ID: 51240080

Publications (2)

CN103970540A (en), published 2014-08-06
CN103970540B (en), published 2018-02-06


Legal Events

Code  Title / Description
C06   Publication
PB01  Publication
C10   Entry into substantive examination
SE01  Entry into force of request for substantive examination
GR01  Patent grant
CF01  Termination of patent right due to non-payment of annual fee
      Granted publication date: 20180206
      Termination date: 20200515