CN116861410A - Method for isolating multiple processes and terminal equipment - Google Patents

Method for isolating multiple processes and terminal equipment Download PDF

Info

Publication number
CN116861410A
CN116861410A CN202210310950.9A CN202210310950A CN116861410A CN 116861410 A CN116861410 A CN 116861410A CN 202210310950 A CN202210310950 A CN 202210310950A CN 116861410 A CN116861410 A CN 116861410A
Authority
CN
China
Prior art keywords
open
application
security
linux
hook function
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210310950.9A
Other languages
Chinese (zh)
Inventor
沈晴霓
陈博言
毛伟
陈唯
汪硕
李家欣
付鹏程
吴中海
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Priority to CN202210310950.9A priority Critical patent/CN116861410A/en
Publication of CN116861410A publication Critical patent/CN116861410A/en
Pending legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)

Abstract

The application provides a method and terminal equipment for isolating a multi-open process, which can enhance the safety of the multi-open process. The method comprises the following steps: the method comprises the steps that a linux security module calls a first safety hook function from a linux kernel, and the first safety hook function is used for judging whether a first process to be created is a multi-open process or not; the linux security module modifies parameters pointed by a security pointer of a first process according to whether the first process is a multi-open process or not; the linux kernel calls a second safety hook function when the first process is created, and the second safety hook function is used for determining parameters pointed by a safety pointer; if the parameter pointed by the security pointer indicates that the first process is a multi-open process, the linux kernel is enabled to add the first process into the newly-built namespace.

Description

Method for isolating multiple processes and terminal equipment
Technical Field
The present application relates to the field of terminal software, and more particularly, to a method and terminal device for isolating multiple processes.
Background
An Operating System (OS) is a computer program that manages and controls computer hardware and software resources, and is the most basic system software that runs directly on a "bare computer", and any other software must run with the support of the operating system. With the continuous development of the mobile internet, smart phones are becoming popular, and mobile phone operating systems become an important component of an operating system family.
The Android (Android) operating system is based on a linux kernel, is mainly used in the field of mobile equipment, and is a mobile terminal operating system with the highest market share at present. The native Android operating system can only support to start one process instance, and cannot realize to start two or more process instances of the same application software at the same time. However, a user often needs to start one application program to start multiple process instances, for example, start a WeChat application to start two process instances, and log in two different WeChat accounts for use. In order to support the requirement of users, some mobile phone manufacturers have provided application double-opening technology, and application software developers also provide a technical scheme for realizing application double-opening. However, the existing multi-application scheme has the problems of high resource expense, insufficient universality and compatibility, insufficient safety and the like.
Disclosure of Invention
The application provides a method and terminal equipment for isolating a multi-open process, which can enhance the safety of the multi-open process.
In a first aspect, a method for isolating multiple open processes is provided, applicable to a linux-based system, such as an android system, and includes: the method comprises the steps that a linux security module calls a first safety hook function from a linux kernel, wherein the first safety hook function is used for judging whether a first process to be created is a multi-open process or not; the linux security module modifies parameters pointed by a security pointer of the first process according to whether the first process is a multi-open process or not; the linux kernel calls a second safety hook function when the first process is created, wherein the second safety hook function is used for determining parameters pointed by the safety pointer; if the parameter pointed by the safety pointer indicates that the first process is a multi-start process, the linux kernel is enabled to add the first process into a newly-built namespace, and the newly-built namespace comprises a process identification namespace and a file system mounting point namespace.
Based on the technical scheme, if the newly built multi-open process (the first process) is added into the new pid nalmespace, the multi-open process in the new pid nalmespace cannot access other established processes through the pid, and process identification naming space isolation between the newly built multi-open process and other processes can be achieved. The newly built multi-open process is added into the new mnt nano space, so that the file system mounting point namespaces of the newly built multi-open process and other processes can be isolated; setting a private mount point in an mnt nacespace where a newly built multi-open process is located, wherein a private mount event cannot be transmitted to other mnt nacespace; therefore, other processes cannot access the files in the private mount point of the newly-built multi-open process, and the private folder of the multi-open process can be realized. In addition, the technical scheme of the embodiment of the application is realized in the linux kernel, is not easy to bypass by an attacker, and has stronger security. Therefore, the embodiment of the application can realize the isolation of the multi-open process from the namesespace of other processes, thereby enhancing the safety of the multi-open process.
In one possible implementation manner, the linux security module modifies a parameter pointed by a security pointer of the first process according to whether the first process is a multi-open process, including: if the first process is a multi-open process, the linux security module modifies the parameter pointed by the security pointer of the first process to be a first parameter; and if the first process is not a multi-open process, the linux security module modifies the parameter pointed by the security pointer of the first process into a second parameter.
In one possible implementation manner, the determining whether the first process to be created is a multi-open process includes: if the first process and the second process are different processes, and the application identifier of the first process is the same as the application identifier of the second process, judging that the first process is a multi-open process, wherein the second process is a process established in the linux kernel; and if the first process and the second process are different processes and the application identifier of the first process is different from the application identifier of the second process, judging that the first process is not a multi-open process.
In one possible implementation, before the linux kernel calls a second safety hook function when creating the first process, the method further includes: and inserting the second safety hook function into the source code of the linux kernel.
In a second aspect, a terminal device is provided, an operating system of the terminal device is a linux-based system, such as an android system, and the terminal device includes a security module and an isolation module, where the security module may be a linux security module in the first aspect, and the isolation module may be a linux kernel in the first aspect. The security module is used for calling a first safety hook function from the isolation module, and the first safety hook function is used for judging whether a first process to be created is a multi-open process or not; the safety module is also used for modifying parameters pointed by a safety pointer of the first process according to whether the first process is a multi-open process or not; the isolation module is used for calling a second safety hook function when the first process is created, and the second safety hook function is used for determining parameters pointed by the safety pointer; the isolation module is further configured to add the first process to a new namespace if the parameter pointed by the security pointer indicates that the first process is a multi-open process, where the new namespace includes a new process identifier namespace and a file system mount point namespace.
In one possible implementation, the security module is specifically configured to: if the first process is a multi-open process, the security module modifies the parameter pointed by the security pointer of the first process to be a first parameter; and if the first process is not a multi-open process, the security module modifies the parameter pointed by the security pointer of the first process into a second parameter.
In one possible implementation manner, if the first process and the second process are different processes, and the application identifier of the first process is the same as the application identifier of the second process, judging that the first process is a multi-open process, wherein the second process is a process created in the isolation module; and if the first process and the second process are different processes and the application identifier of the first process is different from the application identifier of the second process, judging that the first process is not a multi-open process.
In one possible implementation, the second safety hook function is inserted into the source code of the isolation module.
In a third aspect, there is provided an electronic device comprising a processor and a transceiver for receiving computer code or instructions and transmitting to the processor, the processor executing the computer code or instructions to implement a method as in any one of the possible implementations of the first aspect.
In a fourth aspect, a computer readable storage medium is provided, on which a computer program is stored which, when executed by a communication device, causes the communication device to implement a method as in any one of the possible implementations of the above aspect.
In a fifth aspect, there is provided a computer program product comprising instructions which, when executed by a computer, cause a communication device to implement a method as in any one of the possible implementations of the above aspect.
The solutions provided in the second aspect to the fifth aspect are used to implement or cooperate to implement the method provided in the first aspect, so that the same or corresponding beneficial effects as those in the first aspect can be achieved, and no further description is given here.
Drawings
FIG. 1 is a schematic diagram of a typical application virtualization architecture.
Fig. 2 is an application scenario diagram of a method for isolating multiple processes according to an embodiment of the present application.
FIG. 3 is a schematic flow chart of a method of isolating multi-split processes according to an embodiment of the application.
FIG. 4 is a schematic flow diagram of adding the first process to newly created pid and mnt naspace.
Fig. 5 is a schematic flow chart of a process of judging whether or not a first process to be created is a multi-open process.
Fig. 6 is a schematic structural diagram of a terminal device according to an embodiment of the present application.
Fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical scheme of the application will be described below with reference to the accompanying drawings.
First, a linux security module, a namespace, and an application multi-scope related to an application embodiment are briefly described.
linux security module (linux secrity module, LSM): is a lightweight universal access control framework. The method enables various different security access control models to be realized in the form of a Linux loadable kernel module (Linux kernel module), and a user can select a proper security module to load the kernel according to own requirements, so that the flexibility and usability of a Linux security access control mechanism are improved.
Namespaces (namespaces): is a method for isolating kernel-level resources provided by Linux. Namespaces can be classified into the following types according to the kind of isolated resources:
(1) Process identification (process identifier, pid) namespace (pid namespace): the pid of different processes is isolated, and the pid in different pid nano space has semantic isolation. If the CLONE_NEWPID flag is added to the parameter clone_flag of the CLONE system call, a new pid nalespace is created.
(2) Inter-process communication mechanism namespace (ipc namespace): the method has the function of isolating the process groups divided into different ipc nano spaces from communication in the modes of message queues, shared memories and semaphores.
(3) File system mount point namespace (mnt namespace): the Linux kernel realizes the isolation of the environments of the root file systems through the mnt nano space, different mnt_nano space correspond to different root file systems, and different file system mount trees are organized to form different file system directory structures. When a new process is created, the namespace of the parent process is copied, and if the CLONE_NEWNS flag is added to the parameter clone_flag of the CLONE system call, a new mnt nalmespace is created. Modifications to namespaces are visible to processes belonging to the same mnt namespace and invisible to processes of other namespaces.
(4) Network namespace (net namespace): a netnaspace provides a process with a view of a completely independent network protocol stack, including network device interfaces, ipv4 and ipv6 protocol stacks, ip routing tables, firewall rules, network programming interfaces (sockets), etc. A netnaspace provides a stand-alone network environment, just as a stand-alone system.
(5) UNIX timeshared operating system namespaces (uts nasmespace): isolating hostnames from domain names.
(6) User namespace (user namespace): the user identifier and the user group identifier are isolated. In different user nasspace, the user identifier (uid) and the user group identifier (gid) of the same user may be different.
(7) Control group namespace (control groups namespace, CGroup namespace): the CGroup root directory is used for limiting, controlling and separating resources of a process group.
The application is multiple: the method refers to that an application logs in on the same terminal equipment by using a plurality of users or accounts simultaneously, and a plurality of process instances of the same application are started in the system. In an Android (Android) system, the same application of a plurality of accounts can be started without mutual influence, such as multiple social account applications. The application multi-open may also be referred to as a process multi-open or multi-open process.
An Operating System (OS) is a computer program that manages and controls computer hardware and software resources, and is the most basic system software that runs directly on a "bare computer", and any other software must run with the support of the operating system. With the continuous development of the mobile internet, smart phones are becoming popular, and mobile phone operating systems become an important component of an operating system family.
The Android operating system is based on a linux kernel, is mainly used in the field of mobile equipment, and is a mobile terminal operating system with the highest market share at present. The original Android operating system can only support to start one process instance, and double-opening or multiple-opening of the same application software cannot be realized. However, a user often needs to start one application program to start multiple process instances, for example, start a WeChat application to start two process instances, and log in two different WeChat accounts for use. To support this demand by users, there are some handset vendors that have supported the need to apply double or multiple opening, such as the application double opening technology provided by millet companies. Some third party application developers also offer application dual-opening functionality, such as the parallel space of Yong Yang Anfeng (Beijing) technology Co., ltd.
Currently, the millet's grapefruit system (MIUI) supports the application of the double-opening function. According to the scheme, a multi-user mechanism of an Android system is utilized, and an original application program and a new double-open application program can coexist on the device by modifying and adjusting an Android frame (Android framework). In the operation mode, the user finds an application double-opening function entry in the system 'setting', opens a switch beside the application needing double opening, or clicks a corresponding entry, clicks 'opening' in a newly opened window, and clicks a newly added double-opening application icon on the main screen.
Other mobile phone manufacturers also provide Android application multi-opening implementation schemes, for example, an Android application multi-opening implementation method provided by a TCL company, and an Android frame layer code is modified by using an application multi-process instance compatibility method. The method can add multi-process instance compatible codes in the data packet management service (package manger service), event management service (activity manager service) and other systems so as to support double-process instances of specific several applications. Such as dual process instances supporting WeChat, QQ, strange, and Taobao applications. A mobile phone developer positioned in a system development layer can carry out customized development on an Android system, and can realize the compatibility of application double-process examples on the premise of having system privileges. The method is realized from the Android frame layer, so that confusion or misleading breakdown can not be caused to the application and the Android system, the multi-open application program can be safely realized, the execution of the original application program can not be influenced, and the realization is simple and feasible.
The application double-opening function provided by the mobile phone manufacturer has low learning cost for the user, and the cognitive load is not brought to the user in the use process. However, this solution has the following drawbacks:
(1) The application scene is very limited, and the application in the double-open white list can be double-open only, and the application outside the double-open white list is not provided with a double-open entrance. Moreover, the scheme can only double-open the supported application programs, only supports double-process examples of the application, and does not support three or more process examples of the application running simultaneously.
(2) Modifications to the android framework can present some potential problems with respect to compatibility. For example, in the millet provided scenario, the panning application with the user feedback of the MIUI 12 double on cannot load pictures. The scheme provided by the TCL requires a mobile phone developer of a system development layer to perform customized development on the Android system, and the Android frame layer needs to be modified along with updating of the Android version.
(3) The safety and isolation are insufficient. The scheme provided by the mobile phone manufacturer does not realize isolation of the system resources of the double-open application stratum, the pid of the double-open application process is mutually visible, the underlying file system does not realize isolation, and isolation based on Linux kernel support is not provided. Existing research shows that an attacker can access and attack other programs through pid through a multi-open application with malicious code added, or steal or destroy private data of a user. In addition, the existing research shows that some loopholes exist in the Android multi-user mechanism, and some attacks can bypass the Android multi-user mechanism to access files of other users.
At present, application software developers also provide a technical scheme for realizing application double-opening. For example, a parallel space proposed by Yong Yang Anfeng (Beijing) technology Co., ltd and a virtual application (VirtualApp) engine proposed by Jining, inc. of Lolo network technology Co., ltd. In implementation, most developers employ the solution of Android application level virtualization (app virtualization) because application software developers need to cover as much of the users as possible, and the application double-open solution they provide cannot request special system rights. The virtualization scheme is to virtualize the runtime of the android application program, and comprises the steps of virtualizing the android frame and virtualizing the file system. Android application level virtualization allows a host application to load and launch the Android application package files (application package file, APK) of any client application in a virtual execution environment without installation. By the technology, two copies of the same application program can run in parallel in an unmodified Android system. The virtual machine-like environment created by the host application plays a role of a proxy, interacting with the client application and Android system services. On the one hand, it provides a normal execution environment for client applications and manages their lifecycle and all requests. On the other hand, it must hide the identity of the client application from the system services.
The principle of this implementation is closer to a container. The existing products in the market at present mainly adopt a VirtualApp engine and a droidplug engine, and a user interface is added on the basis of the engines to provide for users. Among these, virtualApp and droidplug are the two most popular application virtualization engines, which both support multiple copies of the same application running. As shown in fig. 1, a typical application virtualization architecture is shown, in fig. 1, a host application (host app) provides an independent execution space for each client application, shares the same user identifier with the client application (guest app), and in the figure, the user identifiers of the client applications a' and a "and the host application are 1, but the process identifiers are different. The core of the multi-open software is a virtualization engine, which is positioned between a client application program and Android framework in the figure and is responsible for intercepting the access of the client application program to the Android system service, completing the interception of a class loader (ClassLoader) and the lifecycle management of a Component (Component), the client application program does not need to be installed, and a plurality of instances can be installed.
The scheme is similar to the application double-opening function provided by a mobile phone manufacturer in user experience. The method is more flexible in the application specifically supporting double-opening, and can be used for double-opening except for a few financial applications which cannot be double-opened according to related laws and regulations and partial applications with poor compatibility. In terms of the use experience, a two-way application is just like two different applications from the original application. The user does not have obvious perception in the process of using the double-open application, and simultaneously can see two application programs in the multi-task interface of the system.
The application software developer provides the application double-opening function, the learning cost of the user is lower, the use process can not bring cognitive burden to the user, the double-opening application and the original application data are better in isolation degree, and the two operations can not be mutually influenced. However, this solution also has the following drawbacks:
(1) The compatibility can also have problems, because the virtualization engine is required to intercept the access of the client application program to the Android system service, some problems may exist in realization, part of the client application programs cannot be started in the multi-split software due to the compatibility, and part of the client application programs which can be normally started may have errors;
(2) The performance of the multi-open client application program is not high, based on the application virtualization scheme, the host application is required to apply resources for the client application program and perform certain resource scheduling, the Android system service is invisible to the client application program, the resources allocated by the client application program are relatively limited, and the performance is reduced;
(3) Security and isolation are problematic, since the host application is the same as the user identifier (uid) of the client application, and therefore, different sandboxed isolation mechanisms of different wids of the Android system are actually violated, malicious client applications may perform a right-raising attack. Furthermore, an attacker can repackage and load malicious client applications using Android application virtualization. For example, security specialists find that some of the latest methods of malware to repackage apply to application virtualization, which implements each malicious function as a client application, and uses host applications to schedule and control malicious client applications. In this way, the malicious application can update the module without reinstalling it; in addition, all of its malicious client applications are further encrypted to circumvent static analysis, which constitutes a significant challenge to current antivirus engines, and application virtualization will become a propagation channel for next generation Android malware. Because a large number of rights are required and isolation is not achieved, a large potential safety hazard exists.
In summary, the existing multi-application scheme mainly has the following problems. Firstly, some applications have larger resource expenditure, a new set of system needs to be virtualized based on a virtualization scheme, and the amount of CPU and memory resources occupied by the multi-application is larger and not light enough; second, the versatility and compatibility of the solution is not sufficient. In addition, some schemes only support application double-opening, but do not support simultaneous opening of processes of more than two identical applications; thirdly, the security is insufficient, in the current multi-open scheme, the multi-open process can still access other processes through the pid of the process, the multi-open process and the original process share a file system, and the current multi-open scheme does not realize the isolation of the multi-open process from the memory and the file system of the original process; fourth, none of the current solutions provides linux kernel level support, and only the Android frame layer or the Android kernel is modified by the current solution, and the linux kernel is not modified, so that the linux bottom layer does not provide multi-opening function and security support for applications.
Therefore, the embodiment of the application provides a method for isolating a multi-open process, which can enhance the safety of the multi-open process. The method is suitable for an Android system and can also be suitable for other systems based on linux. Fig. 2 is a schematic diagram of an application scenario of a method for isolating multiple processes according to an embodiment of the present application. The process A and the multi-open process A 'can access system services concurrently, but under the control of the multi-open process isolation framework provided by the application, the process A and the multi-open process A' respectively have own private resources and running environments. In addition, the process A and the multi-open process A' also have a common running environment, and the multi-open process isolation framework realizes the resource isolation and sharing of the multi-open process and the original process.
Referring now to FIG. 3, a schematic flow chart diagram of a method 300 for isolating multiple processes is shown, according to an embodiment of the present application.
310, the linux security module invokes a first safety hook function from the linux kernel, where the first safety hook function is used to determine whether a first process to be created is a multi-open process. Wherein the linux security module is newly built. The first safety hook function may be a security_task_alloc function. It should be appreciated that the first safety hook function is initially empty in the linux kernel, and code is added to the first safety hook function to realize whether the first process to be created is a multi-open process.
Specifically, the linux creates a system call do_fork function of the new process, which calls a process copy function to copy resources from the parent process to the child process, and the security_task_alloc function is located in the copy process function in the linux source code. The linux security module may call a certain security_task_alloc function from the linux kernel to intercept (hook), and determine whether the first process to be created is a multi-open process of the same application in the security_task_alloc function.
In different systems, the logic for determining whether the first process to be created currently is a multi-open process may not be exactly the same, but the basic method is to determine whether there is the same process in the current system as the application of the first process to be created. If the application identifier (application identification, app id) of the second process in the current system is the same as the application identifier of the first process, and the second process is a different process from the first process, the first process is judged to be a multi-open process, wherein the second process is a process already created in the linux kernel, and the second process may be one or more. If the second process and the first process in the current system are different processes and the application identifier of the second process is different from the application identifier of the first process, judging that the first process is not a multi-open process; in other words, if the application identifier of the second process is different from the application identifier of the first process, it is determined that the first process is not a multi-open process. That is, if all the processes created in the linux kernel have no process with the same application identifier as the first process, it is determined that the first process is not a multi-open process.
320, the linux security module modifies a parameter pointed by a security (security) pointer of the first process according to whether the first process is a multi-open process. The security pointer may be a pointer in a task structure (task_struct) structure of the first process to be created.
Optionally, if the first process is a multi-open process, the linux security module modifies a parameter pointed by a security pointer of the first process to be a first parameter; if the first process is not a multi-open process, the linux security module modifies the parameter pointed by the security pointer of the first process to be a second parameter. The first parameter and the second parameter are used for marking whether the first process to be created is a multi-open process.
Illustratively, if the first process is a multi-open process, the security pointer in the task_struct structure of the first process to be created is pointed to a boolean (pool) type constant with the correct value (true); if the first process is not a multi-open process, the security pointer in the task_struct structure of the first process to be created is pointed to a pool type constant with an error (false) value. In this case, the first parameter is a bool type constant having a value true, and the second parameter is a bool type constant having a value false.
330, the linux kernel calls a second safety hook function when creating the first process, where the second safety hook function is used to determine a parameter pointed to by a safety pointer of the first process. The second safety hook function is newly inserted in the source code of the linux kernel, that is, the second safety hook function may be newly built by a system developer.
Specifically, in the copy_process function of kernel/fork. C, a copy namespace function of kernel/nsproxy. C is called to copy the namespace of the parent process to the child process. The second safety hook function is a hook function newly built in the copy_nacespace function.
340, if it is determined by the second safety hook function that the parameter pointed by the safety pointer of the first process indicates that the first process is a multi-open process, according to the isolation requirement, the linux kernel is enabled to add the first process into a newly-built namespace, where the newly-built namespace includes a process identification namespace (pid namespace) and a file system mount point namespace (mnt namespace). The newly created namespaces may also include other namespaces such as network namespaces.
Optionally, if the parameter pointed by the security pointer of the first process is the first parameter, the linux kernel adds the first process to the newly created pid and mnt naspace. If the parameter pointed by the safety pointer of the first process is the second parameter, the second safety hook function returns directly.
It should be appreciated that different mnt nasspatial defaults to the directory where the shared library file and common runtime resource reside, so that the common runtime resource and shared library file can be accessed by the multi-open process program.
As shown in fig. 4, a schematic flow chart of adding the first process to newly created pid and mnt naspace is shown. If it is determined by the second safety hook function that the safety pointer in the task_struct structure of the first process points to a constant value of the trunk type of true, the linux kernel adds CLONE_NEWPID and CLONE_NEWNS for the clone_flags flag bit, and adds the first process into a newly built pid and mnt nalmespace. If the safe pointer in the task_struct structure of the first process is determined to be a constant of the bool type with the false pointing value by the second safe hook function, the second safe hook function returns directly.
In the technical scheme provided by the embodiment of the application, if the newly-built multi-open process (the first process) is added into the new pid nano space, the multi-open process in the new pid nano space cannot access other established processes through the pid, so that process identification namespaces of the newly-built multi-open process and other processes can be isolated. The newly built multi-open process is added into the new mnt nano space, so that the file system mounting point namespaces of the newly built multi-open process and other processes can be isolated; setting a private mount point in an mnt nacespace where a newly built multi-open process is located, wherein a private mount event cannot be transmitted to other mnt nacespace; therefore, other processes cannot access the files in the private mount point of the newly-built multi-open process, and the private folder of the multi-open process can be realized. In addition, the technical scheme of the embodiment of the application is realized in the linux kernel, is not easy to bypass by an attacker, and has stronger security. Therefore, the embodiment of the application can realize the isolation of the multi-open process from the namesespace of other processes, thereby enhancing the safety of the multi-open process.
The following illustrates an application example of the technical solution provided by the embodiment of the present application.
In one implementation mode, the technical scheme provided by the application can be applied to the existing Android system, and aiming at the application double-opening scheme of the existing Android multi-user mechanism, the technical scheme provided by the application can be used for safety enhancement. The current application double-open scheme based on a multi-user mechanism does not realize isolation of inter-process pid and a file system, so that a malicious double-open process may attack an original process. The embodiment of the application can realize the isolation of the pid and the file system mounting point of the double-open process and the original process by utilizing the pid nano space mechanism and the mnt nano space mechanism provided by the linux kernel, and provides better safety and isolation.
In an exemplary embodiment, in a dual-open scheme based on multi-user application, the technical scheme provided by the embodiment of the application can be deployed in the linux kernel layer of the android system.
In the Andrioid system, there is a fixed app id for each application, and the user identifiers (uid) of the different processes are different. The Andrioid system has supported multiple users from version 4.0, each with an independent user number (user id). The calculation method of uid is uid=user id 100000+app id. For example, if the user id of a user is 1 and the app id of an opened application is 1014, the uid=1×100000+1014= 101014.
Firstly, adding codes into a first safety hook function, enabling the first safety hook function to determine (recover) a user id and an app id of a first process through a user id of the first process to be created, and judging whether the first process is a multi-open process according to the user id and the app id of the first process.
Specifically, the calculation method of the user id can be determined by the following formula (1):
user id=uid/100000 (1)
wherein "/" denotes rounding.
The calculation method of the app id can be determined by the following formula (2):
user id=uid%100000 (2)
wherein "%" represents the remainder.
As shown in fig. 5, a schematic flow chart of a process of judging whether or not a first process to be created is a multi-open process is shown. The specific process comprises the following steps:
(1) Calling a first safety hook function, wherein the first safety hook function can calculate a user id and an app id of a first process according to the formula (1) and the formula (2);
(2) Traversing all processes in the system, and judging whether the processes with the same app id as the first process and different user ids exist;
(3) If the established process in the system has a process which is the same as the app id of the first process but different from the user id, judging that the first process is a multi-open process, and pointing a security pointer in a task_struct structure of the first process to be established to a bool type constant with a value of true;
If the process which is created in the system is not the same as the app id of the first process, judging that the first process is not a multi-open process, and pointing the security pointer in the task_struct structure of the first process to be created to a Bool type constant with the value of false.
Inserting a second safety hook function into the source code of the linux kernel, wherein the linux kernel calls the second safety hook function when creating the first process, and the second safety hook function is used for determining parameters pointed by a safety pointer of the first process.
If the security pointer in the task_struct structure of the first process points to a constant of the class type with the value false, the linux kernel adds CLONE_NEWPID and CLONE_NEWNS for the zone_flags flag bit, and adds the first process into a newly built pid and an mnt nalmespace.
In the creation process of the multi-open process, the multi-open process is added into new pid and mnt nalmespace, and the pid and file system mounting points can be isolated on the basis of a multi-user scheme of the existing Android system. The application can resist most of attacks aiming at the application multi-open platform, and in the existing application multi-open scheme, the newly created multi-open process and the created process share most of resources, which may cause an attacker to carry out malicious attacks. Possible attack patterns include: malicious programs running on the application multi-open platform can be written, rights files can be edited to achieve rights, then local data of WeChat are accessed, or a dynamic library is injected into a WeChat process, so that user data can be stolen and controlled. The application can isolate the file system mounting point through the mnt nano space, not only can isolate the authority file, but also can isolate the user data of the WeChat, thereby effectively avoiding the attack.
The technical scheme provided by the application can be deployed and implemented on public large-screen equipment, such as intelligent large-screen. When user a is using the wisdom large screen, running the aiqi art on the large screen to watch the video. At this time, user B also wishes to run the same application on the wisdom large screen. User B may attempt to snoop user a's private information through his aide program. Therefore, user a wishes that user B initiated the aide program not to see user a's program through the pid nor to access its own private folder to achieve isolation of the pid from the file system.
The method for isolating the multi-open process provided by the application can realize the requirements. In implementation, when a process is created by the LSM module, the application judges whether the processes which have the same app id but belong to different users exist in the current system, if so, when the process is allocated with the NAmespace resource, the processes are added into new pid NAmespace and mnt NAmespace, and the love programs of the user B and the user A belong to different pid NAmespace and mnt NAmespace.
The technical scheme provided by the application can also be implemented on an intelligent vehicle central control large screen which runs as a hong Monte system. The current mobile phone supports the function of a super terminal, and can automatically find equipment which is registered nearby and is the same as an account number, so that the super terminal is formed. Multiple users can throw the application running at the mobile phone end to the large control screen in the intelligent car through the function of the super terminal, and therefore safety problems can be caused. Malicious users may attack application programs of other users through disguised multi-open applications, access files of other users, and reveal private information.
The application can enhance the safety and isolation of the super terminal function of the vehicle-mounted system. In implementation, when the vehicle-mounted system creates a process through the super terminal, the application can judge whether the process needs to be isolated in the safety hook function called by the LSM. If necessary, the process is added to the new pid and mnt naspace when the process is allocated a naspace resource.
In summary, the scheme for isolating the multi-open process based on the kernel level of the LSM and the nano space provided by the application overcomes the problems of insufficient isolation or large occupied resource amount of the isolation scheme in the conventional multi-open process scheme, and can perform kernel level security enhancement on the application multi-open scheme of the current part of Android system. Compared with the existing general application multi-opening scheme, the method for isolating the multi-opening process has the advantages that:
(1) Lightweight. Compared with the current application multi-opening scheme based on virtualization, the application has relatively smaller memory occupation amount and disk occupation amount based on the Namespace mechanism provided by linux, including pid Namespace and mnntNamespace.
(2) And the safety is stronger. The application is based on the LSM mechanism of linux, judges whether the process to be created is a multi-open process through the safety hook function in the kernel, if the process to be created is a multi-open process, adds the process to be created into new pid and mnt nalmespace. The application is realized in the kernel, is not easy to be hijacked or bypassed by an attacker, and has stronger security.
(3) Better isolation. The application realizes the pid isolation and the file system mount point isolation among multiple processes based on the pid nano space and the mnt nano space mechanisms of linux.
(4) Compatibility. The application does not directly modify the linux kernel, but realizes all functions by means of one LSM module. Therefore, the method can be compatible with most of linux kernel versions, can be compatible with most of Android systems of the versions, and has better compatibility.
(5) And (5) expandability. The application can adapt other judgment logic in the safety hook function so as to determine whether to add the process to be created into a new nacespace for certain isolation, and has certain expandability.
At present, no scheme for isolating multiple processes by utilizing LSM and nasesace mechanisms of a linux kernel exists. The scheme for isolating the multi-open process based on the kernel level of the LSM and the nano space not only enhances the safety and isolation of the multi-open application, but also has the advantages of small cost and light weight.
The method for isolating the multi-open process provided by the embodiment of the application is introduced above, and the terminal equipment to which the method for isolating the multi-open process is applied is introduced below.
The embodiment of the application provides a terminal device, as shown in fig. 6, and a schematic structural diagram of a terminal device 600 of the embodiment of the application is shown.
The operating system of the terminal device is a linux-based system, such as an android system, and the terminal device 600 includes: the security module 610 and the isolation module 620, where the security module 610 may be a linux security module described in the method for isolating multiple open processes provided by the present application, and the isolation module 620 may be a linux kernel described in the method for isolating multiple open processes provided by the present application.
The security module 610 is configured to call a first safety hook function from the isolation module 620, where the first safety hook function is used to determine whether a first process to be created is a multi-open process;
the security module 610 is further configured to modify a parameter pointed to by a security pointer of the first process according to whether the first process is a multi-open process;
the isolation module 620 is configured to call a second safety hook function when the first process is created, where the second safety hook function is used to determine a parameter pointed by the safety pointer;
the isolation module 620 is further configured to add the first process to a new namespace if the parameter pointed to by the security pointer indicates that the first process is a multi-start process, where the new namespace includes a new process identifier namespace and a file system mount point namespace.
Optionally, the security module 610 is specifically configured to: if the first process is a multi-open process, the security module modifies the parameter pointed by the security pointer of the first process to be a first parameter; and if the first process is not a multi-open process, the security module modifies the parameter pointed by the security pointer of the first process into a second parameter.
Optionally, if the first process and the second process are different processes, and the application identifier of the first process is the same as the application identifier of the second process, the first process is judged to be a multi-open process, wherein the second process is a process created in the isolation module; and if the first process and the second process are different processes and the application identifier of the first process is different from the application identifier of the second process, judging that the first process is not a multi-open process.
Optionally, the second safety hook function is inserted into the source code of the isolation module. An embodiment of the present application provides an electronic device 700, and as shown in fig. 7, a schematic block diagram of the electronic device 700 according to an embodiment of the present application is shown.
The apparatus 700 includes: a processor 710 and a transceiver 720, said transceiver 720 being adapted to receive computer code or instructions and to transmit them to said processor 710, said processor 710 executing said computer code or instructions as a method in any possible implementation of an embodiment of the application.
The processor 710 may be an integrated circuit chip with signal processing capabilities. In implementation, the steps of the above method embodiments may be implemented by integrated logic circuits of hardware in a processor or instructions in software form. The processor may be a general purpose processor, a digital signal processor (digital signal processor, DSP), an application specific integrated circuit (application specific integrated circuit, ASIC), an off-the-shelf programmable gate array (field programmable gate array, FPGA) or other programmable logic device, discrete gate or transistor logic device, discrete hardware components. The disclosed methods, steps, and logic blocks in the embodiments of the present application may be implemented or performed. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present application may be embodied directly in the execution of a hardware decoding processor, or in the execution of a combination of hardware and software modules in a decoding processor. The software modules may be located in a random access memory, flash memory, read only memory, programmable read only memory, or electrically erasable programmable memory, registers, etc. as well known in the art. The storage medium is located in a memory, and the processor reads the information in the memory and, in combination with its hardware, performs the steps of the above method.
The embodiment of the application also provides a computer readable storage medium, on which a computer program for implementing the method in the above method embodiment is stored. The computer program, when run on a computer or processor, causes the computer or processor to perform the method of the method embodiments described above.
Embodiments of the present application also provide a computer program product comprising computer program code for causing the method of the above-described method embodiments to be performed when said computer program code is run on a computer.
The embodiment of the application also provides a chip, which comprises a processor, wherein the processor is connected with a memory, the memory is used for storing a computer program, and the processor is used for executing the computer program stored in the memory, so that the chip executes the method in the embodiment of the method.
In addition, the term "and/or" in the present application is merely an association relationship describing the association object, and indicates that three relationships may exist, for example, a and/or B may indicate: a exists alone, A and B exist together, and B exists alone. In addition, the character "/" herein generally indicates that the front and rear associated objects are an "or" relationship; the term "at least one" in the present application may mean "one" and "two or more", for example, A, B and C may mean: the seven cases are that A alone, B alone, C alone, A and B together, A and C together, C and B together, A and B together, and C together.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Those skilled in the art may implement the described functionality using different approaches for each particular application, but such implementation is not intended to be limiting.
It will be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working process of the system, apparatus and unit described above may refer to the corresponding process in the foregoing method embodiment, which is not repeated herein.
In the several embodiments provided by the present application, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a read-only memory (ROM), a random access memory (random access memory, RAM), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (11)

1. A method of isolating multiple open processes, suitable for use in a linux-based system, comprising:
the method comprises the steps that a linux security module calls a first safety hook function from a linux kernel, wherein the first safety hook function is used for judging whether a first process to be created is a multi-open process or not;
the linux security module modifies parameters pointed by a security pointer of the first process according to whether the first process is a multi-open process or not;
the linux kernel calls a second safety hook function when the first process is created, wherein the second safety hook function is used for determining parameters pointed by the safety pointer;
if the parameter pointed by the safety pointer indicates that the first process is a multi-start process, the linux kernel is enabled to add the first process into a newly-built namespace, wherein the newly-built namespace comprises a newly-built process identification namespace and a file system mounting point namespace.
2. The method of claim 1, wherein the linux security module modifying a parameter pointed to by a security pointer of the first process according to whether the first process is a multi-open process comprises:
if the first process is a multi-open process, the linux security module modifies the parameter pointed by the security pointer of the first process to be a first parameter;
and if the first process is not a multi-open process, the linux security module modifies the parameter pointed by the security pointer of the first process into a second parameter.
3. The method according to claim 1 or 2, wherein the determining whether the first process to be created is a multi-open process comprises:
if the first process and the second process are different processes, and the application identifier of the first process is the same as the application identifier of the second process, judging that the first process is a multi-open process, wherein the second process is a process established in the linux kernel;
and if the first process and the second process are different processes and the application identifier of the first process is different from the application identifier of the second process, judging that the first process is not a multi-open process.
4. A method according to any one of claims 1 to 3, wherein before the linux kernel calls a second safety hook function when creating the first process, the method further comprises:
and inserting the second safety hook function into the source code of the linux kernel.
5. A terminal device, wherein an operating system of the terminal device is a linux-based system, comprising: a security module and an isolation module;
the security module is used for calling a first safety hook function from the isolation module, and the first safety hook function is used for judging whether a first process to be created is a multi-open process or not;
the safety module is also used for modifying parameters pointed by a safety pointer of the first process according to whether the first process is a multi-open process or not;
the isolation module is used for calling a second safety hook function when the first process is created, and the second safety hook function is used for determining parameters pointed by the safety pointer;
the isolation module is further configured to add the first process to a new namespace if the parameter pointed by the security pointer indicates that the first process is a multi-open process, where the new namespace includes a new process identifier namespace and a file system mount point namespace.
6. The terminal device according to claim 5, wherein the security module is specifically configured to:
if the first process is a multi-open process, the security module modifies the parameter pointed by the security pointer of the first process to be a first parameter;
and if the first process is not a multi-open process, the security module modifies the parameter pointed by the security pointer of the first process into a second parameter.
7. Terminal device according to claim 5 or 6, characterized in that,
if the first process and the second process are different processes, and the application identifier of the first process is the same as the application identifier of the second process, judging that the first process is a multi-open process, wherein the second process is a process established in the isolation module;
and if the first process and the second process are different processes and the application identifier of the first process is different from the application identifier of the second process, judging that the first process is not a multi-open process.
8. Terminal device according to any of the claims 5 to 7, characterized in that,
and the second safety hook function is inserted into the source code of the isolation module.
9. An electronic device, comprising: a processor and a transceiver for receiving computer code or instructions and transmitting to the processor, the processor executing the computer code or instructions to implement the method of any one of claims 1 to 4.
10. A computer-readable storage medium, comprising:
the computer readable storage medium has a computer program stored therein;
the computer program, when run on a computer or a processor, causes the computer or the processor to perform the method of any of claims 1 to 4.
11. A computer program product comprising a computer program which, when executed, causes the method of any one of claims 1 to 4 to be implemented.
CN202210310950.9A 2022-03-28 2022-03-28 Method for isolating multiple processes and terminal equipment Pending CN116861410A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210310950.9A CN116861410A (en) 2022-03-28 2022-03-28 Method for isolating multiple processes and terminal equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210310950.9A CN116861410A (en) 2022-03-28 2022-03-28 Method for isolating multiple processes and terminal equipment

Publications (1)

Publication Number Publication Date
CN116861410A true CN116861410A (en) 2023-10-10

Family

ID=88223897

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210310950.9A Pending CN116861410A (en) 2022-03-28 2022-03-28 Method for isolating multiple processes and terminal equipment

Country Status (1)

Country Link
CN (1) CN116861410A (en)

Similar Documents

Publication Publication Date Title
CN109086100B (en) High-security credible mobile terminal security system architecture and security service method
US11200080B1 (en) Late load technique for deploying a virtualization layer underneath a running operating system
JP6248153B2 (en) Activate trust level
CN108475217B (en) System and method for auditing virtual machines
US10255088B2 (en) Modification of write-protected memory using code patching
US10025924B1 (en) Taskless containers for enhanced isolation of users and multi-tenant applications
US20050102679A1 (en) Techniques for permitting access across a context barrier in a small footprint device using global data structures
US10083129B2 (en) Code loading hardening by hypervisor page table switching
JP2010514028A (en) A system that enables multiple execution environments to share a single data process
US10360386B2 (en) Hardware enforcement of providing separate operating system environments for mobile devices
WO2004079547A2 (en) Customized execution environment and operating system capable of supporting same
CN108509251A (en) A kind of safety virtualization system suitable for credible performing environment
EP3178032B1 (en) Embedding secret data in code
EP3785149B1 (en) Memory assignment for guest operating systems
EP3308274B1 (en) Executing services in containers
Heiser Secure embedded systems need microkernels
CN116861410A (en) Method for isolating multiple processes and terminal equipment
US20120254968A1 (en) Systems and methods for implementing security services
Nazar et al. Rooting Android–Extending the ADB by an auto-connecting WiFi-accessible service
Moucha et al. A hypervisor-based bus system for usage control
Sabanal et al. Digging Deep Into The Flash Sandboxes
Zamani et al. Android Basic Architecture including Operating System using their Application

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination