CN120105407A - A cloud phone root permission protection method, device, storage medium and cloud phone system - Google Patents

A cloud phone root permission protection method, device, storage medium and cloud phone system Download PDF

Info

Publication number
CN120105407A
CN120105407A CN202510169960.9A CN202510169960A CN120105407A CN 120105407 A CN120105407 A CN 120105407A CN 202510169960 A CN202510169960 A CN 202510169960A CN 120105407 A CN120105407 A CN 120105407A
Authority
CN
China
Prior art keywords
root
file
hiding
trusted
authority
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202510169960.9A
Other languages
Chinese (zh)
Inventor
潘文俊
易洲
苏宏营
郝竟伊
申奥
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sharetronic Data Technology Co ltd
Original Assignee
Sharetronic Data Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sharetronic Data Technology Co ltd filed Critical Sharetronic Data Technology Co ltd
Priority to CN202510169960.9A priority Critical patent/CN120105407A/en
Publication of CN120105407A publication Critical patent/CN120105407A/en
Pending legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/54Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by adding security routines or objects to programs
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/554Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562Static detection
    • G06F21/565Static detection by checking file integrity
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Virology (AREA)
  • Bioethics (AREA)
  • Storage Device Security (AREA)

Abstract

本发明适用于云平台技术领域,提供了一种云手机的root权限防护方法、装置、存储介质及云手机系统。所述方法包括:隐藏系统文件的内核版本信息,隐藏或移除su可执行文件,隐藏或移除记录系统进程的日志文件信息;获取具有root权限的系统核心进程,动态隐藏或移除所述高危请求的返回值;将具有root权限的用户ID返回为普通权限的用于ID;当进程请求root权限时,通过身份验证机制检查权限请求方是否可信,将root权限授予该所述可信进程;当所述可信进程终止时,卸载所述su可执行文件并关闭root服务。本申请提供了多层次root,能够对于root权限进行动态管理,按需授权,仅在可信进程运行时授予Root权限,结束后立即回收,减少常驻风险。

The present invention is applicable to the field of cloud platform technology, and provides a root permission protection method, device, storage medium and cloud phone system for cloud phones. The method includes: hiding the kernel version information of system files, hiding or removing su executable files, hiding or removing log file information recording system processes; obtaining the system core process with root permissions, dynamically hiding or removing the return value of the high-risk request; returning the user ID with root permissions to the user ID of ordinary permissions; when the process requests root permissions, checking whether the permission requester is trustworthy through the identity authentication mechanism, and granting root permissions to the trusted process; when the trusted process terminates, uninstalling the su executable file and shutting down the root service. The present application provides a multi-level root, which can dynamically manage root permissions, authorize on demand, grant root permissions only when the trusted process is running, and reclaim them immediately after the end, reducing resident risks.

Description

Root permission protection method and device of cloud mobile phone, storage medium and cloud mobile phone system
Technical Field
The invention belongs to the technical field of cloud platforms, and particularly relates to a root permission protection method and device of a cloud mobile phone, a storage medium and a cloud mobile phone system.
Background
With the development of cloud computing and virtualization technologies, cloud mobile phones have become popular mobile device management and application execution platforms in recent years.
Cloud handsets are a type of mobile device based on cloud computing and virtualization technology, where a user can access and use virtual handsets on any internet-connected device by hosting and managing the handset systems and applications through a remote server. Unlike traditional physical mobile phones, cloud mobile phones do not have actual hardware devices, but rather simulate a virtual mobile phone environment through cloud computing resources.
However, because the cloud mobile phone adopts a virtualized environment, the virtualized environment is easy to be utilized by malicious software, so that the permission of some users is lost or abused, sensitive information is easy to be stolen, and the data security of the users is threatened. The existing security limiting method such as authority separation, fine granularity access control, sandbox technology and the like can avoid the problems to a certain extent, but still has the problem that the advanced root authority of the mobile phone is broken so as to threaten the security of a user, so that the existing cloud mobile phone security protection strategy is to be further improved.
Disclosure of Invention
The embodiment of the application aims to provide a root authority protection method of a cloud mobile phone, and aims to solve the problems that the existing security restriction method can prevent the user authority from being abused to a certain extent, but the advanced root authority of the mobile phone is easy to crack, so that the user security is threatened, and the existing cloud mobile phone security protection strategy is further improved.
The embodiment of the application is realized in such a way that a root authority protection method of a cloud mobile phone is provided, and the method comprises the following steps:
hiding kernel version information of the system file, hiding or removing the su executable file, and hiding or removing log file information of the recorded system process;
acquiring a system core process with root authority, acquiring a call request of an external tool of a system to the system core process, setting the call request as a high-risk request, and dynamically hiding or removing a return value of the high-risk request;
Modifying a return result of the system interface call based on the instrumentation module, and returning the user ID with root authority to be the ID for common authority;
When a process requests root rights, checking whether a rights requester is trusted or not through an identity verification mechanism;
When the checking result is trusted, the process is set as a trusted process, the su executable file is temporarily loaded and root service is started, the root authority is granted to the trusted process, and when the trusted process is terminated, the su executable file is unloaded and the root service is closed.
Preferably, the method for hiding the kernel version information of the system file, hiding or removing the su executable file and hiding or removing the log file information of the recording system process is as follows:
Dynamically modifying the kernel version information contained in the system file, and intercepting and disguising the output of the kernel version information based on a kernel hook;
The su executable file is replaced by the non-executable file through file mounting, or is hidden through a virtualization path when the file is mounted;
Based on kernel hooks, dynamically intercepting a read request applied to the system process record, and hiding log records of system process files related to root rights.
Preferably, a method for acquiring a system core process with root authority, acquiring a call request of a system external tool to the system core process, setting the call request as a high-risk request, and dynamically hiding or removing a return value of the high-risk request is as follows:
monitoring a call request of a system core process with root authority based on eBPF programs;
filtering process information related to root through a Hook system call table in the kernel layer;
hijacking a key function of libc at a user layer, and hiding or intercepting the acquisition of the high-risk process information.
Preferably, the method for returning the user ID with root authority to the common authority for the ID based on the returned result of the instrumentation module modification to the system interface call is as follows:
obtaining a pile inserting module, dynamically switching the state of the dynamic pile inserting module, and starting camouflage when detecting that a memory scanning tool starts to run;
and based on the pile inserting module, acquiring a return result of the system interface call, and returning the user ID with root authority to be the ID for common authority.
Preferably, when a process requests a root rights, the method for checking whether the rights requester is trusted through an identity verification mechanism is as follows:
Acquiring a package name and a signature hash of a process initiating a request;
acquiring a process white list, and checking the matching condition of the package name and the signature hash in the process white list;
And when the packet name and the signature hash are completely matched and correspond to each other in the process white list, setting the process initiating the request as a trusted process.
Preferably, when the checking result is trusted, the process is set as a trusted process, the su executable file is temporarily loaded and a root service is started, the root authority is granted to the trusted process, and when the trusted process is terminated, the method for unloading the su executable file and closing the root service further comprises the following steps:
Encrypting and storing the su executable file;
decrypting the su executable file to a memory when the checking result is trusted;
And starting a daemon process, monitoring the running condition of the trusted process, and triggering a cleaning action and deleting all temporary files when the trusted process exits.
Another object of the embodiment of the present application is to provide a root authority protection device of a cloud mobile phone, where the device includes:
the system file protection module is used for hiding kernel version information of the system file, hiding or removing the su executable file and hiding or removing log file information of the recorded system process;
The system process protection module is used for acquiring a system core process with root authority, acquiring a call request of an external tool of the system to the system core process, setting the call request as a high-risk request, and dynamically hiding or removing a return value of the high-risk request;
The system interface protection module is used for modifying a return result of the system interface call based on the dynamic instrumentation and returning the user ID with root authority to be the ID for common authority;
The signature verification module is used for checking whether the signature of the authority requester is credible or not through an identity verification mechanism when the process requests the root authority;
The root service module is used for setting the process as a trusted process when the checking result is trusted, temporarily loading the su executable file and starting the root service, granting the root authority to the trusted process, and unloading the su executable file and closing the root service when the trusted process is terminated.
Preferably, the system file protection module includes:
the version information protection module is used for dynamically modifying the kernel version information contained in the system file, and intercepting and disguising the output of the kernel version information based on a kernel hook;
The su file protection module is used for replacing a su executable file with an unexecutable file through file mounting or hiding the su executable file through a virtualization path during file mounting;
The system process protection module is used for dynamically intercepting a read request applied to the system process record based on the kernel hook and hiding the log record of the system process file related to the root authority.
It is another object of an embodiment of the present application to provide a computer readable storage medium, in which a computer program is stored, which when executed by a processor, causes the processor to execute the steps of the root authority protection method of a cloud mobile phone as described above.
Another object of an embodiment of the present application is to provide a cloud mobile phone system, including:
the cloud mobile phone root authority protection method comprises a memory and a processor, wherein the memory stores a computer program, and the computer program enables the processor to execute the steps of the cloud mobile phone root authority protection method when being executed by the processor.
The root permission protection method for the cloud mobile phone has the outstanding advantages that the root permission can be dynamically managed, authorized according to needs, the root permission is only granted when the trusted process runs, and immediately recovered after the end, so that the resident risk is reduced, temporary loading is carried out on the su executable file through memory decryption, no disc is dropped and no residue is left, and file scanning detection is avoided. The method provides multi-level concealment, conceals root marks in a kernel layer, modifies an application layer API (application program interface) to return a result through pile insertion in a user layer, and resists a user state detection tool. And filtering proc and log information simultaneously to block detection based on the process list and the log. And root service is started only when authorized, so that the method has light resource occupation. The instrumentation module is decoupled from the rights management service, facilitating dynamic updating of policies.
Drawings
Fig. 1 is an application environment diagram of a root authority protection method of a cloud mobile phone, which is provided by an embodiment of the application;
Fig. 2 is a flowchart of a root authority protection method of a cloud mobile phone provided by an embodiment of the present application;
Fig. 3 is a structural block diagram of a root authority protection device of a cloud mobile phone, which is provided by the embodiment of the application;
FIG. 4 is a block diagram of the internal architecture of a computer device in one embodiment.
Detailed Description
The present invention will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present invention more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
It will be understood that the terms "first," "second," and the like, as used herein, may be used to describe various elements, but these elements are not limited by these terms unless otherwise specified. These terms are only used to distinguish one element or module from another element or module. For example, a first script may be referred to as a second script, and similarly, a second script may be referred to as a first script, without departing from the scope of the present application.
Fig. 1 is an application environment diagram of a root authority protection method of a cloud mobile phone according to an embodiment of the present application, as shown in fig. 1, in the application environment, the method includes a terminal 110 and a computer device 120.
The computer device 120 may be a desktop computer, an independent physical server or a terminal, or a server cluster formed by a plurality of physical servers, or may be a cloud server that provides basic cloud computing services such as a cloud server, a cloud database, a cloud storage, a CDN, and the like.
The terminal 110 may be a smart phone, a tablet computer, etc., but is not limited thereto. The terminal 110 and the computer device 120 may be connected through a network, and the present application is not limited herein.
As shown in fig. 2, in one embodiment, a root authority protection method of a cloud mobile phone is provided, and this embodiment is mainly illustrated by applying the method to the computer device 120 in fig. 1. The root authority protection method of the cloud mobile phone specifically comprises the following steps:
step S10, hiding the kernel version information of the system file, hiding or removing the su executable file, and hiding or removing the log file information of the recorded system process.
In this embodiment, the system file is first protected, so as to prevent the external tool from detecting the root authority of the system. Through the step, kernel version information, su executable files and record files of system processes of the file system can be hidden respectively, so that root information hiding with wider coverage in the file system is realized, and meanwhile, the influence on system performance is reduced.
Step S20, a system core process with root authority is obtained, a call request of a system external tool to the system core process is obtained, the call request is set as a high-risk request, and a return value of the high-risk request is dynamically hidden or removed.
In this embodiment, the system process is protected. By modifying the return value of the system process call, the system process with root authority can be hidden, and by modifying the system call, the identification information of the process is dynamically changed, so that the root related information is ensured not to be exposed to an external detection tool, and the effect of disguising the root authority is achieved.
And step S30, modifying a return result of the system interface call based on the instrumentation module, and returning the user ID with root authority to be the user ID with common authority.
In this embodiment, the system call interface is further protected. For example, xposed frames can be used to call the hook system, intercept geteuid, getuid, getppid and other return values, and modify the root user ID to a common user ID without root rights for hiding. For example, for a hook_ geteuid system call, it is always returned to a non-zero value.
Step S40, when the process requests the root rights, checking whether the rights requester is trusted or not through an identity verification mechanism.
And step S50, when the checking result is trusted, setting the process as a trusted process, temporarily loading the su executable file and starting a root service, granting the root authority to the trusted process, and when the trusted process is terminated, unloading the su executable file and closing the root service.
In the embodiment, through identity verification and temporary authority management, the hidden grant and the safety recovery of the cloud mobile phone root authority are realized. The method has the core advantages of dynamic property and invisibility, and finally, the effect of resisting the main stream root detection scheme can be achieved, and the system safety is further improved.
The protection scheme provided by the application can dynamically manage the root rights, authorize the root rights as required, grant the root rights only when the trusted process runs, immediately recycle the root rights after the root rights are ended, reduce resident risk, and temporarily load the su executable file through memory decryption without dropping discs or residues, thereby avoiding file scanning detection. The method provides multi-level concealment, conceals root marks in a kernel layer, modifies an application layer API (application program interface) to return a result through pile insertion in a user layer, and resists a user state detection tool. And filtering proc and log information simultaneously to block detection based on the process list and the log. And root service is started only when authorized, so that the method has light resource occupation. The instrumentation module is decoupled from the rights management service, facilitating dynamic updating of policies.
Taken together, the above means enable the present application to combat mainstream detection schemes. For example, by bypassing SAFETYNET detection by camouflaging the build. FINGERPRINT and the like, the kernel module conceals the process memory map of the Xposedbridge. Jar to counter Xposed detection, thereby having good effect.
In a preferred embodiment, the method for hiding the kernel version information of the system file, hiding or removing the su executable file, and hiding or removing the log file information of the recording system process is as follows:
Dynamically modifying the kernel version information contained in the system file, and intercepting and disguising the output of the kernel version information based on a kernel hook;
The su executable file is replaced by the non-executable file through file mounting, or is hidden through a virtualization path when the file is mounted;
Based on kernel hooks, dynamically intercepting a read request applied to the system process record, and hiding log records of system process files related to root rights.
In embodiments of the present application, the kernel version of the display may be dynamically modified by modifying, for example, a/proc/version file or other system file. The output of the kernel information can be intercepted and disguised by using the kernel-level hook technology, so that the kernel information acquired through uname or other tools cannot accurately reflect the real kernel version, and the root information is hidden. The location of su executable files may be replaced or hidden using file system mount technology. The su executable file may be hidden by replacing it with a non-executable file or by a virtualized path at mount time. For example, the actual su file is stored in an inaccessible path, and the su is replaced by a disguised path through the mounting technology, so that the external system cannot directly access or execute. The content of the/proc/[ pid ]/cmdline file, for example, may be modified, and the identification information of the root application or process deleted or disguised. The read requests of the files are intercepted through the kernel hook, the stored process information is dynamically changed, and the records of the processes and the applications related to the root rights are hidden.
In a preferred embodiment, a system core process with root authority is obtained, a call request of an external tool of the system to the system core process is obtained, the call request is set as a high-risk request, and the method for dynamically hiding or removing the return value of the high-risk request is as follows:
monitoring a call request of a system core process with root authority based on eBPF programs;
filtering process information related to root through a Hook system call table in the kernel layer;
hijacking a key function of libc at a user layer, and hiding or intercepting the acquisition of the high-risk process information.
In the embodiment of the application, the method is used for monitoring the call of an external tool to a system core process zygote and the like, intercepting high-risk requests such as root permission checking and the like, and hiding a return value. The security of the system can be further improved by monitoring requests that call ptrace attached to the core process, access sensitive files, or execute specific system calls, and hiding the structure of these requests through eBPF programs.
In a preferred embodiment, the method for returning the user ID with root authority to the common authority for the ID based on the modification of the return result of the instrumentation module to the system interface call is as follows:
obtaining a pile inserting module, dynamically switching the state of the dynamic pile inserting module, and starting camouflage when detecting that a memory scanning tool starts to run;
and based on the pile inserting module, acquiring a return result of the system interface call, and returning the user ID with root authority to be the ID for common authority.
In the embodiment of the application, the dynamic pile inserting module is adopted, and the pile inserting module can be protected by means of code signature and the like, so that the pile inserting module is prevented from being detected by a memory scanning tool and the like, the state of the pile inserting module is dynamically switched, and camouflage is started when the scanning tool is detected to run, so that the system safety is improved.
In a preferred embodiment, when a process requests a root rights, the method for checking whether the rights requester is trusted by an authentication mechanism is as follows:
Acquiring a package name and a signature hash of a process initiating a request;
acquiring a process white list, and checking the matching condition of the package name and the signature hash in the process white list;
And when the packet name and the signature hash are completely matched and correspond to each other in the process white list, setting the process initiating the request as a trusted process.
In the embodiment of the application, a trusted process white list is preset in the system and is used for placing a trusted application process in the white list, wherein the white list comprises a plurality of packet names and signature hashes corresponding to the packet names, and the trusted application process can be considered as a trusted process if and only if the packet names and the signature hashes exist in the white list and are completely corresponding to the packet names and the signature hashes.
In a preferred embodiment, when the checking result is trusted, the process is set as a trusted process, the su executable file is temporarily loaded and a root service is started, and the root authority is granted to the trusted process, when the trusted process is terminated, the method for unloading the su executable file and closing the root service further comprises:
Encrypting and storing the su executable file;
decrypting the su executable file to a memory when the checking result is trusted;
And starting a daemon process, monitoring the running condition of the trusted process, and triggering a cleaning action and deleting all temporary files when the trusted process exits.
In the embodiment of the application, the root authority is only temporarily granted when the trusted process runs, and the process is automatically recovered after being terminated. In this process, the su binary file is stored encrypted on the hard disk. After the process passes the verification, the process decrypts the process to the memory to avoid the disc drop. During the daemon monitoring process, a daemon needs to be started, for example, monitoring is performed through inotify, and when the target process exits, a cleaning action is triggered. Deleting the temporary file and terminating the related process, and recovering the permission.
As shown in fig. 3, in one embodiment, a root authority protection device of a cloud mobile phone is provided, where the root authority protection device of the cloud mobile phone may be integrated in the computer device 120, and specifically may include a system file protection module 510, a system process protection module 520, a system interface protection module 530, a signature verification module 540, and a root service module 550.
The system file protection module 510 is configured to hide kernel version information of a system file, hide or remove a su executable file, and hide or remove log file information of a recording system process;
The system process protection module 520 is configured to obtain a system core process with root rights, obtain a call request of an external tool of the system to the system core process, set the call request as a high-risk request, and dynamically hide or remove a return value of the high-risk request;
the system interface protection module 530 is configured to modify a return result of the system interface call based on the dynamic instrumentation, and return the user ID with root authority to the ID with common authority;
The signature verification module 540 is configured to check, when the process requests the root rights, whether the signature of the rights requester is trusted or not through an identity verification mechanism;
the root service module 550 is configured to set the process as a trusted process when the checking result is trusted, temporarily load the su executable file and start the root service, grant the root authority to the trusted process, and unload the su executable file and close the root service when the trusted process is terminated.
In the embodiment of the present application, the explanation and the explanation of the root authority protection device of the cloud mobile phone may refer to the explanation of the corresponding method, and the description of the root authority protection method of the cloud mobile phone is referred to the above, and is not repeated here.
In the embodiment of the application, the device can dynamically manage the Root rights, authorize the Root rights as required, grant the Root rights only when the trusted process runs, recover the Root rights immediately after the Root rights are ended, reduce resident risk, and temporarily load the su executable file through memory decryption without dropping discs and residues, thereby avoiding file scanning detection. The method provides multi-level concealment, conceals root marks in a kernel layer, modifies an application layer API (application program interface) to return a result through pile insertion in a user layer, and resists a user state detection tool. And filtering proc and log information simultaneously to block detection based on the process list and the log. And root service is started only when authorized, so that the method has light resource occupation. The instrumentation module is decoupled from the rights management service, facilitating dynamic updating of policies.
In one embodiment the system file guard module comprises:
the version information protection module is used for dynamically modifying the kernel version information contained in the system file, and intercepting and disguising the output of the kernel version information based on a kernel hook;
The su file protection module is used for replacing a su executable file with an unexecutable file through file mounting or hiding the su executable file through a virtualization path during file mounting;
The system process protection module is used for dynamically intercepting a read request applied to the system process record based on the kernel hook and hiding the log record of the system process file related to the root authority.
In the embodiment of the present application, the explanation of the above modules may refer to the explanation of the corresponding methods, and will not be repeated here.
FIG. 4 illustrates an internal block diagram of a computer device in one embodiment. The computer device may be in particular the computer device 120 of fig. 1. As shown in fig. 4, the computer device includes a processor, a memory, a network interface, an input device, and a display screen connected by a system bus. The memory includes a nonvolatile storage medium and an internal memory. The nonvolatile storage medium of the computer device stores an operating system and also can store a computer program, and when the computer program is executed by the processor, the processor can realize the root authority protection method of the cloud mobile phone. The internal memory can also store a computer program, and when the computer program is executed by the processor, the processor can be enabled to execute the root authority protection method of the cloud mobile phone. The display screen of the computer equipment can be a liquid crystal display screen or an electronic ink display screen, the input device of the computer equipment can be a touch layer covered on the display screen, can also be keys, a track ball or a touch pad arranged on the shell of the computer equipment, and can also be an external keyboard, a touch pad or a mouse and the like.
It will be appreciated by persons skilled in the art that the architecture shown in fig. 4 is merely a block diagram of some of the architecture relevant to the present inventive arrangements and is not limiting as to the computer device to which the present inventive arrangements are applicable, and that a particular computer device may include more or fewer components than shown, or may combine some of the components, or have a different arrangement of components.
In an embodiment, the root authority protection device of the cloud mobile phone provided by the application can be implemented in a form of a computer program, and the computer program can run on a computer device as shown in fig. 4. The memory of the computer device may store various program modules of the Root authority protection apparatus of the cloud mobile phone, for example, a system file protection module 510, a system process protection module 520, a system interface protection module 530, a signature verification module 540, and a Root service module 550 shown in fig. 3. The computer program formed by the program modules enables the processor to execute the steps in the root permission protection method of the cloud mobile phone according to the embodiments of the application described in the specification.
For example, the computer device shown in fig. 4 may execute step S10 through the system file protection module 510 in the root authority protection device of the cloud mobile phone shown in fig. 3. The computer device may perform step S20 through the system process guard module 520. And so on.
In one embodiment, a cloud mobile phone system is provided, where the system includes a memory, a processor, and a computer program stored on the memory and capable of running on the processor, where the computer program when executed by the processor causes the processor to perform the steps of the root rights protection method of the cloud mobile phone as described above.
In the embodiment of the present application, the description of the root authority protection method of the cloud mobile phone is referred to above, and will not be repeated here.
In the embodiment of the application, the system can dynamically manage the root rights, authorize the root rights as required, grant the root rights only when the trusted process runs, recover the root rights immediately after the root rights are ended, reduce resident risk, and temporarily load the su executable file through memory decryption without dropping discs and residues, thereby avoiding file scanning detection. The method provides multi-level concealment, conceals root marks in a kernel layer, modifies an application layer API (application program interface) to return a result through pile insertion in a user layer, and resists a user state detection tool. And filtering proc and log information simultaneously to block detection based on the process list and the log. And root service is started only when authorized, so that the method has light resource occupation. The instrumentation module is decoupled from the rights management service, facilitating dynamic updating of policies.
In one embodiment, a computer readable storage medium is provided, and a computer program is stored on the computer readable storage medium, where the computer program when executed by a processor causes the processor to execute the steps of the root authority protection method of the cloud mobile phone.
In the embodiment of the present application, the description of the root authority protection method of the cloud mobile phone is referred to above, and will not be repeated here.
In the embodiment of the application, based on the program operated by the method stored in the storage medium of the embodiment of the application, the root authority can be dynamically managed, authorized according to the need, the root authority is only granted when the trusted process operates, and immediately recovered after the end, thus reducing the resident risk, and the su executable file is temporarily loaded through memory decryption without dropping and residue, thus avoiding file scanning detection. The method provides multi-level concealment, conceals root marks in a kernel layer, modifies an application layer API (application program interface) to return a result through pile insertion in a user layer, and resists a user state detection tool. And filtering proc and log information simultaneously to block detection based on the process list and the log. And root service is started only when authorized, so that the method has light resource occupation. The instrumentation module is decoupled from the rights management service, facilitating dynamic updating of policies.
It should be understood that, although the steps in the flowcharts of the embodiments of the present application are shown in order as indicated by the arrows, these steps are not necessarily performed in order as indicated by the arrows. The steps are not strictly limited to the order of execution unless explicitly recited herein, and the steps may be executed in other orders. Moreover, at least some of the steps in various embodiments may include multiple sub-steps or stages that are not necessarily performed at the same time, but may be performed at different times, nor do the order in which the sub-steps or stages are performed necessarily performed in sequence, but may be performed alternately or alternately with at least a portion of the sub-steps or stages of other steps or other steps.
Those skilled in the art will appreciate that all or part of the processes in the methods of the above embodiments may be implemented by a computer program for instructing relevant hardware, where the program may be stored in a non-volatile computer readable storage medium, and where the program, when executed, may include processes in the embodiments of the methods described above. Any reference to memory, storage, database, or other medium used in embodiments provided herein may include non-volatile and/or volatile memory. The nonvolatile memory can include Read Only Memory (ROM), programmable ROM (PROM), electrically Programmable ROM (EPROM), electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double Data Rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), synchronous link (SYNCHLINK) DRAM (SLDRAM), memory bus (Rambus) direct RAM (RDRAM), direct memory bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM), among others.
The technical features of the above-described embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above-described embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The foregoing examples illustrate only a few embodiments of the application and are described in detail herein without thereby limiting the scope of the application. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the application, which are all within the scope of the application. Accordingly, the scope of protection of the present application is to be determined by the appended claims.

Claims (10)

1. The root authority protection method of the cloud mobile phone is characterized by comprising the following steps of:
hiding kernel version information of the system file, hiding or removing the su executable file, and hiding or removing log file information of the recorded system process;
acquiring a system core process with root authority, acquiring a call request of an external tool of a system to the system core process, setting the call request as a high-risk request, and dynamically hiding or removing a return value of the high-risk request;
Modifying a return result of the system interface call based on the instrumentation module, and returning the user ID with root authority to be the ID for common authority;
When a process requests root rights, checking whether a rights requester is trusted or not through an identity verification mechanism;
When the checking result is trusted, the process is set as a trusted process, the su executable file is temporarily loaded and root service is started, the root authority is granted to the trusted process, and when the trusted process is terminated, the su executable file is unloaded and the root service is closed.
2. The root permission protection method of the cloud mobile phone according to claim 1, wherein the method for hiding kernel version information of a system file, hiding or removing a su executable file, and hiding or removing log file information of a recording system process is as follows:
Dynamically modifying the kernel version information contained in the system file, and intercepting and disguising the output of the kernel version information based on a kernel hook;
The su executable file is replaced by the non-executable file through file mounting, or is hidden through a virtualization path when the file is mounted;
Based on kernel hooks, dynamically intercepting a read request applied to the system process record, and hiding log records of system process files related to root rights.
3. The root permission protection method of the cloud mobile phone according to claim 1, wherein the method for acquiring the system core process with the root permission, acquiring the call request of the system external tool to the system core process, setting the call request as a high-risk request, and dynamically hiding or removing the return value of the high-risk request is as follows:
monitoring a call request of a system core process with root authority based on eBPF programs;
filtering process information related to root through a Hook system call table in the kernel layer;
hijacking a key function of libc at a user layer, and hiding or intercepting the acquisition of the high-risk process information.
4. The root permission protection method of the cloud mobile phone according to claim 1, wherein the method for returning the user ID with the root permission as the common permission for the ID based on the modification of the return result of the system interface call by the instrumentation module is as follows:
obtaining a pile inserting module, dynamically switching the state of the dynamic pile inserting module, and starting camouflage when detecting that a memory scanning tool starts to run;
and based on the pile inserting module, acquiring a return result of the system interface call, and returning the user ID with root authority to be the ID for common authority.
5. The root permission protection method of the cloud mobile phone according to claim 1, wherein when a process requests a root permission, the method for checking whether a permission requester is trusted through an identity verification mechanism is as follows:
Acquiring a package name and a signature hash of a process initiating a request;
acquiring a process white list, and checking the matching condition of the package name and the signature hash in the process white list;
And when the packet name and the signature hash are completely matched and correspond to each other in the process white list, setting the process initiating the request as a trusted process.
6. The root permission protection method of the cloud mobile phone according to claim 1, wherein when the checking result is trusted, the process is set as a trusted process, the su executable file is temporarily loaded and a root service is started, and the root permission is granted to the trusted process, and when the trusted process is terminated, the method for unloading the su executable file and closing the root service further comprises:
Encrypting and storing the su executable file;
decrypting the su executable file to a memory when the checking result is trusted;
And starting a daemon process, monitoring the running condition of the trusted process, and triggering a cleaning action and deleting all temporary files when the trusted process exits.
7. Root authority protection device of cloud cell-phone, its characterized in that, the device includes:
the system file protection module is used for hiding kernel version information of the system file, hiding or removing the su executable file and hiding or removing log file information of the recorded system process;
The system process protection module is used for acquiring a system core process with root authority, acquiring a call request of an external tool of the system to the system core process, setting the call request as a high-risk request, and dynamically hiding or removing a return value of the high-risk request;
The system interface protection module is used for modifying a return result of the system interface call based on the dynamic instrumentation and returning the user ID with root authority to be the ID for common authority;
The signature verification module is used for checking whether the signature of the authority requester is credible or not through an identity verification mechanism when the process requests the root authority;
The root service module is used for setting the process as a trusted process when the checking result is trusted, temporarily loading the su executable file and starting the root service, granting the root authority to the trusted process, and unloading the su executable file and closing the root service when the trusted process is terminated.
8. The root permission protection device of the cloud mobile phone as claimed in claim 7, wherein the system file protection module comprises:
the version information protection module is used for dynamically modifying the kernel version information contained in the system file, and intercepting and disguising the output of the kernel version information based on a kernel hook;
The su file protection module is used for replacing a su executable file with an unexecutable file through file mounting or hiding the su executable file through a virtualization path during file mounting;
The system process protection module is used for dynamically intercepting a read request applied to the system process record based on the kernel hook and hiding the log record of the system process file related to the root authority.
9. A computer-readable storage medium, wherein a computer program is stored in the computer-readable storage medium, and when the computer program is executed by a processor, the processor is caused to perform the steps of the root authority protection method of the cloud mobile phone according to any one of claims 1 to 6.
10. A cloud mobile phone system, the system comprising:
a memory and a processor, wherein the memory stores a computer program, and the computer program when executed by the processor causes the processor to execute the steps of the root authority protection method of the cloud mobile phone according to any one of claims 1 to 6.
CN202510169960.9A 2025-02-17 2025-02-17 A cloud phone root permission protection method, device, storage medium and cloud phone system Pending CN120105407A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202510169960.9A CN120105407A (en) 2025-02-17 2025-02-17 A cloud phone root permission protection method, device, storage medium and cloud phone system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202510169960.9A CN120105407A (en) 2025-02-17 2025-02-17 A cloud phone root permission protection method, device, storage medium and cloud phone system

Publications (1)

Publication Number Publication Date
CN120105407A true CN120105407A (en) 2025-06-06

Family

ID=95882285

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202510169960.9A Pending CN120105407A (en) 2025-02-17 2025-02-17 A cloud phone root permission protection method, device, storage medium and cloud phone system

Country Status (1)

Country Link
CN (1) CN120105407A (en)

Similar Documents

Publication Publication Date Title
EP3688652B1 (en) Device and method for data security with trusted execution environment
US7698744B2 (en) Secure system for allowing the execution of authorized computer program code
KR101700552B1 (en) Context based switching to a secure operating system environment
US20180189300A1 (en) Method and system for providing restricted access to a storage medium
US10783041B2 (en) Backup and recovery of data files using hard links
US20030221115A1 (en) Data protection system
US8375442B2 (en) Auditing a device
WO2007052388A1 (en) Method of protecting confidential file and confidential file protecting system
EP4121881B1 (en) Method and non-transitory computer-readable medium for protecting a folder from unauthorized file modification
US20060294105A1 (en) Method and system for enabling enterprises to use detachable memory devices that contain data and executable files in controlled and secure way
Yalew et al. Hail to the Thief: Protecting data from mobile ransomware with ransomsafedroid
CN101213561B (en) Confidential file protection method and confidential file protection device for security countermeasure application
CN120105407A (en) A cloud phone root permission protection method, device, storage medium and cloud phone system
US20200169581A1 (en) Endpoint security client embedded in storage drive firmware
CN117786658A (en) Unauthorized application determination method, electronic device, and computer-readable medium
CN117786683A (en) Application anti-ransomware system, method, device and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination