Disclosure of Invention
The embodiment of the application aims to provide a root authority protection method of a cloud mobile phone, and aims to solve the problems that the existing security restriction method can prevent the user authority from being abused to a certain extent, but the advanced root authority of the mobile phone is easy to crack, so that the user security is threatened, and the existing cloud mobile phone security protection strategy is further improved.
The embodiment of the application is realized in such a way that a root authority protection method of a cloud mobile phone is provided, and the method comprises the following steps:
hiding kernel version information of the system file, hiding or removing the su executable file, and hiding or removing log file information of the recorded system process;
acquiring a system core process with root authority, acquiring a call request of an external tool of a system to the system core process, setting the call request as a high-risk request, and dynamically hiding or removing a return value of the high-risk request;
Modifying a return result of the system interface call based on the instrumentation module, and returning the user ID with root authority to be the ID for common authority;
When a process requests root rights, checking whether a rights requester is trusted or not through an identity verification mechanism;
When the checking result is trusted, the process is set as a trusted process, the su executable file is temporarily loaded and root service is started, the root authority is granted to the trusted process, and when the trusted process is terminated, the su executable file is unloaded and the root service is closed.
Preferably, the method for hiding the kernel version information of the system file, hiding or removing the su executable file and hiding or removing the log file information of the recording system process is as follows:
Dynamically modifying the kernel version information contained in the system file, and intercepting and disguising the output of the kernel version information based on a kernel hook;
The su executable file is replaced by the non-executable file through file mounting, or is hidden through a virtualization path when the file is mounted;
Based on kernel hooks, dynamically intercepting a read request applied to the system process record, and hiding log records of system process files related to root rights.
Preferably, a method for acquiring a system core process with root authority, acquiring a call request of a system external tool to the system core process, setting the call request as a high-risk request, and dynamically hiding or removing a return value of the high-risk request is as follows:
monitoring a call request of a system core process with root authority based on eBPF programs;
filtering process information related to root through a Hook system call table in the kernel layer;
hijacking a key function of libc at a user layer, and hiding or intercepting the acquisition of the high-risk process information.
Preferably, the method for returning the user ID with root authority to the common authority for the ID based on the returned result of the instrumentation module modification to the system interface call is as follows:
obtaining a pile inserting module, dynamically switching the state of the dynamic pile inserting module, and starting camouflage when detecting that a memory scanning tool starts to run;
and based on the pile inserting module, acquiring a return result of the system interface call, and returning the user ID with root authority to be the ID for common authority.
Preferably, when a process requests a root rights, the method for checking whether the rights requester is trusted through an identity verification mechanism is as follows:
Acquiring a package name and a signature hash of a process initiating a request;
acquiring a process white list, and checking the matching condition of the package name and the signature hash in the process white list;
And when the packet name and the signature hash are completely matched and correspond to each other in the process white list, setting the process initiating the request as a trusted process.
Preferably, when the checking result is trusted, the process is set as a trusted process, the su executable file is temporarily loaded and a root service is started, the root authority is granted to the trusted process, and when the trusted process is terminated, the method for unloading the su executable file and closing the root service further comprises the following steps:
Encrypting and storing the su executable file;
decrypting the su executable file to a memory when the checking result is trusted;
And starting a daemon process, monitoring the running condition of the trusted process, and triggering a cleaning action and deleting all temporary files when the trusted process exits.
Another object of the embodiment of the present application is to provide a root authority protection device of a cloud mobile phone, where the device includes:
the system file protection module is used for hiding kernel version information of the system file, hiding or removing the su executable file and hiding or removing log file information of the recorded system process;
The system process protection module is used for acquiring a system core process with root authority, acquiring a call request of an external tool of the system to the system core process, setting the call request as a high-risk request, and dynamically hiding or removing a return value of the high-risk request;
The system interface protection module is used for modifying a return result of the system interface call based on the dynamic instrumentation and returning the user ID with root authority to be the ID for common authority;
The signature verification module is used for checking whether the signature of the authority requester is credible or not through an identity verification mechanism when the process requests the root authority;
The root service module is used for setting the process as a trusted process when the checking result is trusted, temporarily loading the su executable file and starting the root service, granting the root authority to the trusted process, and unloading the su executable file and closing the root service when the trusted process is terminated.
Preferably, the system file protection module includes:
the version information protection module is used for dynamically modifying the kernel version information contained in the system file, and intercepting and disguising the output of the kernel version information based on a kernel hook;
The su file protection module is used for replacing a su executable file with an unexecutable file through file mounting or hiding the su executable file through a virtualization path during file mounting;
The system process protection module is used for dynamically intercepting a read request applied to the system process record based on the kernel hook and hiding the log record of the system process file related to the root authority.
It is another object of an embodiment of the present application to provide a computer readable storage medium, in which a computer program is stored, which when executed by a processor, causes the processor to execute the steps of the root authority protection method of a cloud mobile phone as described above.
Another object of an embodiment of the present application is to provide a cloud mobile phone system, including:
the cloud mobile phone root authority protection method comprises a memory and a processor, wherein the memory stores a computer program, and the computer program enables the processor to execute the steps of the cloud mobile phone root authority protection method when being executed by the processor.
The root permission protection method for the cloud mobile phone has the outstanding advantages that the root permission can be dynamically managed, authorized according to needs, the root permission is only granted when the trusted process runs, and immediately recovered after the end, so that the resident risk is reduced, temporary loading is carried out on the su executable file through memory decryption, no disc is dropped and no residue is left, and file scanning detection is avoided. The method provides multi-level concealment, conceals root marks in a kernel layer, modifies an application layer API (application program interface) to return a result through pile insertion in a user layer, and resists a user state detection tool. And filtering proc and log information simultaneously to block detection based on the process list and the log. And root service is started only when authorized, so that the method has light resource occupation. The instrumentation module is decoupled from the rights management service, facilitating dynamic updating of policies.
Detailed Description
The present invention will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present invention more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
It will be understood that the terms "first," "second," and the like, as used herein, may be used to describe various elements, but these elements are not limited by these terms unless otherwise specified. These terms are only used to distinguish one element or module from another element or module. For example, a first script may be referred to as a second script, and similarly, a second script may be referred to as a first script, without departing from the scope of the present application.
Fig. 1 is an application environment diagram of a root authority protection method of a cloud mobile phone according to an embodiment of the present application, as shown in fig. 1, in the application environment, the method includes a terminal 110 and a computer device 120.
The computer device 120 may be a desktop computer, an independent physical server or a terminal, or a server cluster formed by a plurality of physical servers, or may be a cloud server that provides basic cloud computing services such as a cloud server, a cloud database, a cloud storage, a CDN, and the like.
The terminal 110 may be a smart phone, a tablet computer, etc., but is not limited thereto. The terminal 110 and the computer device 120 may be connected through a network, and the present application is not limited herein.
As shown in fig. 2, in one embodiment, a root authority protection method of a cloud mobile phone is provided, and this embodiment is mainly illustrated by applying the method to the computer device 120 in fig. 1. The root authority protection method of the cloud mobile phone specifically comprises the following steps:
step S10, hiding the kernel version information of the system file, hiding or removing the su executable file, and hiding or removing the log file information of the recorded system process.
In this embodiment, the system file is first protected, so as to prevent the external tool from detecting the root authority of the system. Through the step, kernel version information, su executable files and record files of system processes of the file system can be hidden respectively, so that root information hiding with wider coverage in the file system is realized, and meanwhile, the influence on system performance is reduced.
Step S20, a system core process with root authority is obtained, a call request of a system external tool to the system core process is obtained, the call request is set as a high-risk request, and a return value of the high-risk request is dynamically hidden or removed.
In this embodiment, the system process is protected. By modifying the return value of the system process call, the system process with root authority can be hidden, and by modifying the system call, the identification information of the process is dynamically changed, so that the root related information is ensured not to be exposed to an external detection tool, and the effect of disguising the root authority is achieved.
And step S30, modifying a return result of the system interface call based on the instrumentation module, and returning the user ID with root authority to be the user ID with common authority.
In this embodiment, the system call interface is further protected. For example, xposed frames can be used to call the hook system, intercept geteuid, getuid, getppid and other return values, and modify the root user ID to a common user ID without root rights for hiding. For example, for a hook_ geteuid system call, it is always returned to a non-zero value.
Step S40, when the process requests the root rights, checking whether the rights requester is trusted or not through an identity verification mechanism.
And step S50, when the checking result is trusted, setting the process as a trusted process, temporarily loading the su executable file and starting a root service, granting the root authority to the trusted process, and when the trusted process is terminated, unloading the su executable file and closing the root service.
In the embodiment, through identity verification and temporary authority management, the hidden grant and the safety recovery of the cloud mobile phone root authority are realized. The method has the core advantages of dynamic property and invisibility, and finally, the effect of resisting the main stream root detection scheme can be achieved, and the system safety is further improved.
The protection scheme provided by the application can dynamically manage the root rights, authorize the root rights as required, grant the root rights only when the trusted process runs, immediately recycle the root rights after the root rights are ended, reduce resident risk, and temporarily load the su executable file through memory decryption without dropping discs or residues, thereby avoiding file scanning detection. The method provides multi-level concealment, conceals root marks in a kernel layer, modifies an application layer API (application program interface) to return a result through pile insertion in a user layer, and resists a user state detection tool. And filtering proc and log information simultaneously to block detection based on the process list and the log. And root service is started only when authorized, so that the method has light resource occupation. The instrumentation module is decoupled from the rights management service, facilitating dynamic updating of policies.
Taken together, the above means enable the present application to combat mainstream detection schemes. For example, by bypassing SAFETYNET detection by camouflaging the build. FINGERPRINT and the like, the kernel module conceals the process memory map of the Xposedbridge. Jar to counter Xposed detection, thereby having good effect.
In a preferred embodiment, the method for hiding the kernel version information of the system file, hiding or removing the su executable file, and hiding or removing the log file information of the recording system process is as follows:
Dynamically modifying the kernel version information contained in the system file, and intercepting and disguising the output of the kernel version information based on a kernel hook;
The su executable file is replaced by the non-executable file through file mounting, or is hidden through a virtualization path when the file is mounted;
Based on kernel hooks, dynamically intercepting a read request applied to the system process record, and hiding log records of system process files related to root rights.
In embodiments of the present application, the kernel version of the display may be dynamically modified by modifying, for example, a/proc/version file or other system file. The output of the kernel information can be intercepted and disguised by using the kernel-level hook technology, so that the kernel information acquired through uname or other tools cannot accurately reflect the real kernel version, and the root information is hidden. The location of su executable files may be replaced or hidden using file system mount technology. The su executable file may be hidden by replacing it with a non-executable file or by a virtualized path at mount time. For example, the actual su file is stored in an inaccessible path, and the su is replaced by a disguised path through the mounting technology, so that the external system cannot directly access or execute. The content of the/proc/[ pid ]/cmdline file, for example, may be modified, and the identification information of the root application or process deleted or disguised. The read requests of the files are intercepted through the kernel hook, the stored process information is dynamically changed, and the records of the processes and the applications related to the root rights are hidden.
In a preferred embodiment, a system core process with root authority is obtained, a call request of an external tool of the system to the system core process is obtained, the call request is set as a high-risk request, and the method for dynamically hiding or removing the return value of the high-risk request is as follows:
monitoring a call request of a system core process with root authority based on eBPF programs;
filtering process information related to root through a Hook system call table in the kernel layer;
hijacking a key function of libc at a user layer, and hiding or intercepting the acquisition of the high-risk process information.
In the embodiment of the application, the method is used for monitoring the call of an external tool to a system core process zygote and the like, intercepting high-risk requests such as root permission checking and the like, and hiding a return value. The security of the system can be further improved by monitoring requests that call ptrace attached to the core process, access sensitive files, or execute specific system calls, and hiding the structure of these requests through eBPF programs.
In a preferred embodiment, the method for returning the user ID with root authority to the common authority for the ID based on the modification of the return result of the instrumentation module to the system interface call is as follows:
obtaining a pile inserting module, dynamically switching the state of the dynamic pile inserting module, and starting camouflage when detecting that a memory scanning tool starts to run;
and based on the pile inserting module, acquiring a return result of the system interface call, and returning the user ID with root authority to be the ID for common authority.
In the embodiment of the application, the dynamic pile inserting module is adopted, and the pile inserting module can be protected by means of code signature and the like, so that the pile inserting module is prevented from being detected by a memory scanning tool and the like, the state of the pile inserting module is dynamically switched, and camouflage is started when the scanning tool is detected to run, so that the system safety is improved.
In a preferred embodiment, when a process requests a root rights, the method for checking whether the rights requester is trusted by an authentication mechanism is as follows:
Acquiring a package name and a signature hash of a process initiating a request;
acquiring a process white list, and checking the matching condition of the package name and the signature hash in the process white list;
And when the packet name and the signature hash are completely matched and correspond to each other in the process white list, setting the process initiating the request as a trusted process.
In the embodiment of the application, a trusted process white list is preset in the system and is used for placing a trusted application process in the white list, wherein the white list comprises a plurality of packet names and signature hashes corresponding to the packet names, and the trusted application process can be considered as a trusted process if and only if the packet names and the signature hashes exist in the white list and are completely corresponding to the packet names and the signature hashes.
In a preferred embodiment, when the checking result is trusted, the process is set as a trusted process, the su executable file is temporarily loaded and a root service is started, and the root authority is granted to the trusted process, when the trusted process is terminated, the method for unloading the su executable file and closing the root service further comprises:
Encrypting and storing the su executable file;
decrypting the su executable file to a memory when the checking result is trusted;
And starting a daemon process, monitoring the running condition of the trusted process, and triggering a cleaning action and deleting all temporary files when the trusted process exits.
In the embodiment of the application, the root authority is only temporarily granted when the trusted process runs, and the process is automatically recovered after being terminated. In this process, the su binary file is stored encrypted on the hard disk. After the process passes the verification, the process decrypts the process to the memory to avoid the disc drop. During the daemon monitoring process, a daemon needs to be started, for example, monitoring is performed through inotify, and when the target process exits, a cleaning action is triggered. Deleting the temporary file and terminating the related process, and recovering the permission.
As shown in fig. 3, in one embodiment, a root authority protection device of a cloud mobile phone is provided, where the root authority protection device of the cloud mobile phone may be integrated in the computer device 120, and specifically may include a system file protection module 510, a system process protection module 520, a system interface protection module 530, a signature verification module 540, and a root service module 550.
The system file protection module 510 is configured to hide kernel version information of a system file, hide or remove a su executable file, and hide or remove log file information of a recording system process;
The system process protection module 520 is configured to obtain a system core process with root rights, obtain a call request of an external tool of the system to the system core process, set the call request as a high-risk request, and dynamically hide or remove a return value of the high-risk request;
the system interface protection module 530 is configured to modify a return result of the system interface call based on the dynamic instrumentation, and return the user ID with root authority to the ID with common authority;
The signature verification module 540 is configured to check, when the process requests the root rights, whether the signature of the rights requester is trusted or not through an identity verification mechanism;
the root service module 550 is configured to set the process as a trusted process when the checking result is trusted, temporarily load the su executable file and start the root service, grant the root authority to the trusted process, and unload the su executable file and close the root service when the trusted process is terminated.
In the embodiment of the present application, the explanation and the explanation of the root authority protection device of the cloud mobile phone may refer to the explanation of the corresponding method, and the description of the root authority protection method of the cloud mobile phone is referred to the above, and is not repeated here.
In the embodiment of the application, the device can dynamically manage the Root rights, authorize the Root rights as required, grant the Root rights only when the trusted process runs, recover the Root rights immediately after the Root rights are ended, reduce resident risk, and temporarily load the su executable file through memory decryption without dropping discs and residues, thereby avoiding file scanning detection. The method provides multi-level concealment, conceals root marks in a kernel layer, modifies an application layer API (application program interface) to return a result through pile insertion in a user layer, and resists a user state detection tool. And filtering proc and log information simultaneously to block detection based on the process list and the log. And root service is started only when authorized, so that the method has light resource occupation. The instrumentation module is decoupled from the rights management service, facilitating dynamic updating of policies.
In one embodiment the system file guard module comprises:
the version information protection module is used for dynamically modifying the kernel version information contained in the system file, and intercepting and disguising the output of the kernel version information based on a kernel hook;
The su file protection module is used for replacing a su executable file with an unexecutable file through file mounting or hiding the su executable file through a virtualization path during file mounting;
The system process protection module is used for dynamically intercepting a read request applied to the system process record based on the kernel hook and hiding the log record of the system process file related to the root authority.
In the embodiment of the present application, the explanation of the above modules may refer to the explanation of the corresponding methods, and will not be repeated here.
FIG. 4 illustrates an internal block diagram of a computer device in one embodiment. The computer device may be in particular the computer device 120 of fig. 1. As shown in fig. 4, the computer device includes a processor, a memory, a network interface, an input device, and a display screen connected by a system bus. The memory includes a nonvolatile storage medium and an internal memory. The nonvolatile storage medium of the computer device stores an operating system and also can store a computer program, and when the computer program is executed by the processor, the processor can realize the root authority protection method of the cloud mobile phone. The internal memory can also store a computer program, and when the computer program is executed by the processor, the processor can be enabled to execute the root authority protection method of the cloud mobile phone. The display screen of the computer equipment can be a liquid crystal display screen or an electronic ink display screen, the input device of the computer equipment can be a touch layer covered on the display screen, can also be keys, a track ball or a touch pad arranged on the shell of the computer equipment, and can also be an external keyboard, a touch pad or a mouse and the like.
It will be appreciated by persons skilled in the art that the architecture shown in fig. 4 is merely a block diagram of some of the architecture relevant to the present inventive arrangements and is not limiting as to the computer device to which the present inventive arrangements are applicable, and that a particular computer device may include more or fewer components than shown, or may combine some of the components, or have a different arrangement of components.
In an embodiment, the root authority protection device of the cloud mobile phone provided by the application can be implemented in a form of a computer program, and the computer program can run on a computer device as shown in fig. 4. The memory of the computer device may store various program modules of the Root authority protection apparatus of the cloud mobile phone, for example, a system file protection module 510, a system process protection module 520, a system interface protection module 530, a signature verification module 540, and a Root service module 550 shown in fig. 3. The computer program formed by the program modules enables the processor to execute the steps in the root permission protection method of the cloud mobile phone according to the embodiments of the application described in the specification.
For example, the computer device shown in fig. 4 may execute step S10 through the system file protection module 510 in the root authority protection device of the cloud mobile phone shown in fig. 3. The computer device may perform step S20 through the system process guard module 520. And so on.
In one embodiment, a cloud mobile phone system is provided, where the system includes a memory, a processor, and a computer program stored on the memory and capable of running on the processor, where the computer program when executed by the processor causes the processor to perform the steps of the root rights protection method of the cloud mobile phone as described above.
In the embodiment of the present application, the description of the root authority protection method of the cloud mobile phone is referred to above, and will not be repeated here.
In the embodiment of the application, the system can dynamically manage the root rights, authorize the root rights as required, grant the root rights only when the trusted process runs, recover the root rights immediately after the root rights are ended, reduce resident risk, and temporarily load the su executable file through memory decryption without dropping discs and residues, thereby avoiding file scanning detection. The method provides multi-level concealment, conceals root marks in a kernel layer, modifies an application layer API (application program interface) to return a result through pile insertion in a user layer, and resists a user state detection tool. And filtering proc and log information simultaneously to block detection based on the process list and the log. And root service is started only when authorized, so that the method has light resource occupation. The instrumentation module is decoupled from the rights management service, facilitating dynamic updating of policies.
In one embodiment, a computer readable storage medium is provided, and a computer program is stored on the computer readable storage medium, where the computer program when executed by a processor causes the processor to execute the steps of the root authority protection method of the cloud mobile phone.
In the embodiment of the present application, the description of the root authority protection method of the cloud mobile phone is referred to above, and will not be repeated here.
In the embodiment of the application, based on the program operated by the method stored in the storage medium of the embodiment of the application, the root authority can be dynamically managed, authorized according to the need, the root authority is only granted when the trusted process operates, and immediately recovered after the end, thus reducing the resident risk, and the su executable file is temporarily loaded through memory decryption without dropping and residue, thus avoiding file scanning detection. The method provides multi-level concealment, conceals root marks in a kernel layer, modifies an application layer API (application program interface) to return a result through pile insertion in a user layer, and resists a user state detection tool. And filtering proc and log information simultaneously to block detection based on the process list and the log. And root service is started only when authorized, so that the method has light resource occupation. The instrumentation module is decoupled from the rights management service, facilitating dynamic updating of policies.
It should be understood that, although the steps in the flowcharts of the embodiments of the present application are shown in order as indicated by the arrows, these steps are not necessarily performed in order as indicated by the arrows. The steps are not strictly limited to the order of execution unless explicitly recited herein, and the steps may be executed in other orders. Moreover, at least some of the steps in various embodiments may include multiple sub-steps or stages that are not necessarily performed at the same time, but may be performed at different times, nor do the order in which the sub-steps or stages are performed necessarily performed in sequence, but may be performed alternately or alternately with at least a portion of the sub-steps or stages of other steps or other steps.
Those skilled in the art will appreciate that all or part of the processes in the methods of the above embodiments may be implemented by a computer program for instructing relevant hardware, where the program may be stored in a non-volatile computer readable storage medium, and where the program, when executed, may include processes in the embodiments of the methods described above. Any reference to memory, storage, database, or other medium used in embodiments provided herein may include non-volatile and/or volatile memory. The nonvolatile memory can include Read Only Memory (ROM), programmable ROM (PROM), electrically Programmable ROM (EPROM), electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double Data Rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), synchronous link (SYNCHLINK) DRAM (SLDRAM), memory bus (Rambus) direct RAM (RDRAM), direct memory bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM), among others.
The technical features of the above-described embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above-described embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The foregoing examples illustrate only a few embodiments of the application and are described in detail herein without thereby limiting the scope of the application. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the application, which are all within the scope of the application. Accordingly, the scope of protection of the present application is to be determined by the appended claims.