CN103514401A - Method and device for defense by utilization of sandbox technology and security browser - Google Patents

Publication number
CN103514401A
Authority
CN
China
Prior art keywords
destination object
sandbox
operated
file
destination
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201310447652.5A
Other languages
Chinese (zh)
Inventor
范纪鍠
潘剑锋
孙晓骏
路健华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd filed Critical Beijing Qihoo Technology Co Ltd
Priority to CN201310447652.5A priority Critical patent/CN103514401A/en
Publication of CN103514401A publication Critical patent/CN103514401A/en

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2149 Restricted operating environment

Abstract

The invention provides a method and device for defense using sandbox technology, and a secure browser, in order to solve the problems of user-selected sandbox technology in the prior art. In the method, the following defense step is triggered before an operation is performed on a target object: for the target object to be operated on, it is automatically judged whether execution of the target object needs to be imported into a sandbox; if yes, execution of the target object is completed inside the sandbox, and if not, execution of the target object is completed outside the sandbox. Because the judgment is made automatically before the user operates on the target object, the method helps the user determine which risky programs need to run in the sandbox.

Description

Method, device and secure browser for defense using sandbox technology
Technical field
The present invention relates to the field of computer security technology, and in particular to a method and a device for defense using sandbox technology, and to a secure browser.
Background
In the field of computer security, a sandbox (also called a sand box) is an isolated execution mechanism for programs whose purpose is to restrict the privileges of untrusted processes. Sandbox technology is often used to execute untested or untrusted client programs. To prevent an untrusted program from disrupting the operation of other programs, the sandbox provides the untrusted client program with virtualized disk, memory and network resources, and this virtualization is transparent to the client program. Because the resources in the sandbox are virtualized (or indirectly redirected), the malicious behavior of an untrusted program in the sandbox tends to be confined to the sandbox, which protects the original state of the system.
Specifically, sandbox technology can place a program in a sandbox to run, so that all files and registry entries that the program creates, modifies or deletes are virtualized and redirected. In other words, all operations are virtual and the real files and registry are not changed, which ensures that a virus cannot modify critical parts of the system and damage it.
At present, sandbox technology provides two types of sandbox. One is the special-purpose sandbox: for example, Chrome (a browser) uses sandbox technology to run the rendering engine or Flash inside a sandbox to keep the browser secure. The other is the general-purpose sandbox: for example, Sandboxie (another kind of browser) provides the user with a sandbox and lets the user choose which software programs to run in it.
Compared with the special-purpose sandbox, the general-purpose sandbox, in which the user makes the selection, gives the user more flexibility and is convenient to use. However, letting the user choose has the following problems:
First, the user must judge which programs are risky and need to run in the sandbox; a user who does not understand the characteristics of a program may choose wrongly.
Second, using the sandbox incorrectly, for example placing an editing program that is currently editing a file into the sandbox, can cause the file to be lost.
Third, user selection is not easy to use: the operation is complicated and does not match users' operating habits.
Summary of the invention
The technical problem to be solved by the present invention is to provide a method, a device and a secure browser for defense using sandbox technology, so as to solve the problems of user-selected sandbox technology in the prior art.
To solve the above problem, the invention discloses a method for defense using sandbox technology, comprising:
Before an operation is performed on a target object, triggering the following defense step:
For the target object to be operated on, automatically judging whether execution of the target object needs to be imported into a sandbox; if so, completing the execution of the target object inside the sandbox; if not, completing the execution of the target object outside the sandbox.
Wherein, when it is automatically judged that execution of the target object needs to be imported into the sandbox:
If the target object is a target program, the target program is imported into the sandbox and run inside the sandbox;
If the target object is a target file, the associated program that executes the target file is imported into the sandbox, and the target file is run by the associated program inside the sandbox;
If the target object is information input by a user, the associated program that receives the user input is imported into the sandbox, and the associated program is run inside the sandbox according to the user input; the information input by the user includes a web address and/or a keyword.
Wherein, triggering the defense step before an operation is performed on the target object comprises:
If the target object is a target program, triggering the defense step after the target program has been downloaded to the client and before the client runs it; and/or triggering the defense step before the target program is downloaded;
If the target object is a target file, triggering the defense step after the target file, or the associated program that executes it, has been downloaded to the client and before the client runs the target file; and/or triggering the defense step before the target file is downloaded or before the associated program of the target file is executed online;
If the target object is information input by a user, triggering the defense step when the user inputs the information.
Preferably, the automatic judgment comprises: judging whether the target object to be operated on meets a preset matching rule; if it does, execution of the target object needs to be imported into the sandbox; if it does not, the sandbox is not needed.
Preferably, before judging whether the target object to be operated on meets a preset matching rule, the method further comprises: creating a process for automatically judging the execution of the target object; judging whether the parent process of that process is in the sandbox; if so, execution of the target object needs to be imported into the sandbox; if not, continuing to judge whether the target object meets a preset matching rule.
Preferably, before judging whether the target object to be operated on meets a preset matching rule, the method further comprises: judging whether the user has chosen to import execution of the target object into the sandbox; if so, execution of the target object needs to be imported into the sandbox; if not, continuing to judge whether the target object meets a preset matching rule.
Preferably, before judging whether the target object to be operated on meets a preset matching rule, the method further comprises: judging whether the target object is in a whitelist; if it is not in the whitelist, the target object is an unknown object, and the judgment of whether it meets a preset matching rule continues; if it is in the whitelist, the sandbox is not needed.
Preferably, before judging whether the target object to be operated on meets a preset matching rule, the method further comprises: judging whether the target object is in a blacklist; if it is in the blacklist, execution of the target object needs to be imported into the sandbox; if it is not in the blacklist, the judgment of whether it meets a preset matching rule continues.
Preferably, judging whether the target object to be operated on meets a preset matching rule comprises: querying a preset database and comparing the target object with the preset rules in the database; if a match is found, the target object meets a matching rule in the database; if no match is found, it does not meet a matching rule.
Preferably, when the target object to be operated on is a target program and/or a target file, judging whether it meets a preset matching rule comprises: judging whether the relevant information of the target object meets a preset matching rule; and/or judging whether the relevant information of the source program of the target object meets a preset matching rule.
Wherein, the relevant information of the target object comprises the file path and/or encrypted data and/or file attributes and/or icon feature value and/or file feature value and/or download source of the target object; the relevant information of the source program comprises the file path and/or encrypted data and/or file attributes and/or icon feature value and/or file feature value and/or download source of the source program.
Preferably, when the target object to be operated on is information input by a user, judging whether it meets a preset matching rule comprises: judging whether the information input by the user meets a preset matching rule.
Preferably, at the request of the client, the server automatically judges whether execution of the target object to be operated on needs to be imported into the sandbox; and/or the client automatically judges whether execution of the target object needs to be imported into the sandbox.
Preferably, if execution of the target object to be operated on needs to be imported into the sandbox, the method further comprises, before the import: popping up a prompt window asking the user whether to import into the sandbox.
The present invention also provides a device for defense using sandbox technology, comprising:
A judgment trigger module, configured to trigger the automatic judgment module before an operation is performed on a target object;
An automatic judgment module, configured to automatically judge, for the target object to be operated on, whether execution of the target object needs to be imported into a sandbox; if so, execution of the target object is completed inside the sandbox; if not, execution of the target object is completed outside the sandbox.
Wherein, when it is automatically judged that execution of the target object needs to be imported into the sandbox:
If the target object is a target program, the automatic judgment module imports the target program into the sandbox, and the target program is run inside the sandbox;
If the target object is a target file, the automatic judgment module imports the associated program that executes the target file into the sandbox, and the target file is run by the associated program inside the sandbox;
If the target object is information input by a user, the automatic judgment module imports the associated program that receives the user input into the sandbox, and the associated program is run inside the sandbox according to the user input; the information input by the user includes a web address and/or a keyword.
Wherein, if the target object is a target program, the judgment trigger module triggers the automatic judgment module after the target program has been downloaded to the client and before the client runs it; and/or triggers the automatic judgment module before the target program is downloaded;
If the target object is a target file, the judgment trigger module triggers the automatic judgment module after the target file, or the associated program that executes it, has been downloaded to the client and before the client runs the target file; and/or triggers the automatic judgment module before the target file is downloaded or before the associated program of the target file is executed online;
If the target object is information input by a user, the judgment trigger module triggers the automatic judgment module when the user inputs the information.
Preferably, the automatic judgment module comprises: a rule judgment submodule, configured to judge whether the target object to be operated on meets a preset matching rule; if it does, execution of the target object needs to be imported into the sandbox; if it does not, the sandbox is not needed.
Preferably, the automatic judgment module further comprises: a parent process judgment submodule, configured to judge, after the process for automatically judging the execution of the target object has been created, whether the parent process of that process is in the sandbox; if so, execution of the target object needs to be imported into the sandbox; if not, the rule judgment submodule is triggered to continue judging whether the target object meets a preset matching rule.
Preferably, the automatic judgment module further comprises: a user selection judgment submodule, configured to judge whether the user has chosen to import execution of the target object into the sandbox; if so, execution of the target object needs to be imported into the sandbox; if not, the rule judgment submodule is triggered to continue judging whether the target object meets a preset matching rule.
Preferably, the automatic judgment module further comprises: a whitelist judgment submodule, configured to judge whether the target object to be operated on is in a whitelist; if it is not in the whitelist, the target object is an unknown object, and the rule judgment submodule is triggered to continue judging whether it meets a preset matching rule; if it is in the whitelist, the sandbox is not needed.
Preferably, the automatic judgment module further comprises: a blacklist judgment submodule, configured to judge whether the target object to be operated on is in a blacklist; if it is in the blacklist, execution of the target object needs to be imported into the sandbox; if it is not in the blacklist, the rule judgment submodule is triggered to continue judging whether it meets a preset matching rule.
Preferably, when the target object to be operated on is a target program and/or a target file, the rule judgment submodule judges whether the relevant information of the target object meets a preset matching rule; and/or judges whether the relevant information of the source program of the target object meets a preset matching rule;
Wherein, the relevant information of the target object comprises the file path and/or encrypted data and/or file attributes and/or icon feature value and/or file feature value and/or download source of the target object; the relevant information of the source program comprises the file path and/or encrypted data and/or file attributes and/or icon feature value and/or file feature value and/or download source of the source program;
When the target object to be operated on is information input by a user, the rule judgment submodule judges whether the information input by the user meets a preset matching rule.
Preferably, the device further comprises: a prompt module, configured to pop up, when execution of the target object to be operated on needs to be imported into the sandbox and before the import, a prompt window asking the user whether to import into the sandbox.
The present invention also provides a secure browser comprising the device for defense using sandbox technology described above.
Compared with the prior art, the present invention has the following advantages:
First, the invention provides an intelligent judgment method that can automatically judge, before the user performs an operation on a target object, whether execution of the target object needs to be imported into a sandbox. This brings the following advantages:
1. It helps the user determine which risky programs need to run in the sandbox, so the user does not have to judge.
2. It avoids the loss of user data caused by running safe, risk-free programs in the sandbox.
3. It requires no user participation, so it does not affect the user's operation and is easy to use.
Second, the target object of the present invention can be not only a target program but also a target file or information input by a user. The invention can therefore automatically judge not only software programs but also whether it is safe to execute files such as pictures, as well as information such as web addresses and keywords input by the user; for example, if the web address or keyword relates to certain film websites, a new browser is opened in the sandbox to browse that website.
Brief description of the drawings
Fig. 1 is a flowchart of a method for defense using sandbox technology according to an embodiment of the present invention;
Fig. 2 is a flowchart of a method for defense using sandbox technology according to a preferred embodiment of the present invention;
Fig. 3 is a structural diagram of a device for defense using sandbox technology according to a preferred embodiment of the present invention.
Detailed description of the embodiments
To make the above objects, features and advantages of the present invention easier to understand, the invention is described in further detail below with reference to the drawings and specific embodiments.
For a system that uses sandbox technology, the invention provides an intelligent judgment method that can automatically judge, before the user performs an operation on a target object, whether execution of the target object needs to be imported into a sandbox, and so helps the user determine which risky programs need to run in the sandbox.
The embodiments are described in detail below.
Refer to Fig. 1, a flowchart of a method for defense using sandbox technology according to an embodiment of the present invention.
Step 101: before an operation is performed on a target object, trigger the following defense steps;
Step 102: for the target object to be operated on, automatically judge whether execution of the target object needs to be imported into the sandbox;
If so, go to step 103; if not, go to step 104.
Step 103: if the sandbox is needed, complete the execution of the target object inside the sandbox.
Step 104: if the sandbox is not needed, complete the execution of the target object outside the sandbox.
The target object is executed according to the normal processing flow.
Preferably, if execution of the target object to be operated on needs to be imported into the sandbox, a prompt window can also be popped up before the import to ask the user whether to import into the sandbox, so that the user can choose freely based on the result of the automatic judgment.
In the above embodiment, the target object includes but is not limited to a target program, a target file and information input by a user. Each is described in detail below.
(1) Target program
The target program usually refers to an executable file, such as an e-book, an online player or a serial number generator.
The user can trigger step 102 in several ways, including but not limited to the following. After the target program has been downloaded to the client and before the client runs it, for example when the user double-clicks it or clicks "Open" in the right-click menu, step 102 can be triggered to make the automatic judgment, which prevents a running malicious program from damaging the system; and/or the step is triggered before the target program is downloaded, so that the defense is in place before a malicious program reaches the client. In addition, for target programs that can be run online, the defense can also be triggered before they run. In short, the automatic judgment can be made before any operation on the target program, to protect the security of the system.
For a target program judged to need the sandbox, completing its execution inside the sandbox means: the target program is imported into the sandbox and run inside the sandbox. For example, a pornographic player from a certain website is placed in the sandbox and run there.
(2) Target file
The target file usually refers to a non-executable file such as a picture, whose execution has to be carried out by an associated program. For example, a picture is viewed by starting a picture viewer, and the picture viewer is the associated program of the picture file.
For a target file judged to need the sandbox, completing its execution inside the sandbox means: the associated program that executes the target file is imported into the sandbox, and the target file is run by the associated program inside the sandbox. For example, for an untrusted picture file, the picture viewer can be imported into the sandbox to open the picture.
For a target file, the user can likewise trigger step 102 in several ways, including but not limited to: after the target file, or the associated program that executes it, has been downloaded to the client and before the client runs the target file; and/or before the target file is downloaded or before the associated program of the target file is executed online. In short, the automatic judgment can be made before any operation on the target file, to protect the security of the system.
(3) Information input by the user
The information input by the user includes web addresses, keywords and similar information entered by the user.
If the target object is information input by a user, step 102 is usually triggered for security defense when the user inputs the information, to judge whether the web address, keyword or other information entered is safe and trusted; if it is not trusted, step 103 is performed.
For user input judged to need the sandbox, completing its execution inside the sandbox means: the associated program that receives the user input is imported into the sandbox, and the associated program is run inside the sandbox according to the user input. For example, for a suspicious web address, a new browser is opened in the sandbox and connects to the website at that address; the browser program is the associated program that receives the web address input.
Taking (1), (2) and (3) together, whatever target object the user is about to operate on, the method shown in Fig. 1 can automatically judge whether its execution needs to be imported into the sandbox. The automatic judgment methods provided by the embodiment include but are not limited to: judging whether the target object to be operated on meets a preset matching rule; if it does, execution of the target object needs to be imported into the sandbox; if it does not, the sandbox is not needed.
Specifically, the judgment can be: query a preset database and compare the target object to be operated on with the preset rules in the database; if a match is found, the target object meets a matching rule in the database; if no match is found, it does not. That is, the database stores the various judgment rules, or directly stores the features of objects that meet the matching rules; if the target object to be operated on is found in the database, its execution needs to be imported into the sandbox.
Different target objects have different matching rules:
1) When the target object to be operated on is a target program and/or a target file, judging whether it meets a preset matching rule comprises: judging whether the relevant information of the target object meets a preset matching rule; and/or judging whether the relevant information of the source program of the target object meets a preset matching rule.
The relevant information of the target object comprises:
The file path of the target object, and/or
Encrypted data (e.g. MD5), and/or
File attributes (e.g. product name, version information, signing publisher, file size), and/or
Icon feature value (e.g. icon hash), and/or
File feature value (e.g. file hash), and/or
Download source (e.g. which website it was downloaded from);
Correspondingly, the relevant information of the source program comprises:
The file path of the source program, and/or
Encrypted data (e.g. MD5), and/or
File attributes (e.g. product name, version information, signing publisher, file size), and/or
Icon feature value (e.g. icon hash), and/or
File feature value (e.g. file hash), and/or
Download source (e.g. which website it was downloaded from).
Based on the relevant information of the target object and of the source program, the matching rules can be, for example:
Example 1: for a pornographic player from a website, the matching rule is as follows:
Source program: a browser program or the resource manager (Explorer);
Target file name: contains "Japanese AV" or "erotica";
Target file icon: a specific player icon;
Target file size: can be limited to a range, e.g. 1MB~10MB;
Target file description: e.g. "xxxx adult player", "xxxx special player".
A player that meets the above rule is judged to be a pornographic player.
Example 2: for an unknown, risky e-book, the matching rule is as follows:
Target file name: contains the keyword "e-book";
Target file icon feature value: includes the features of an e-book icon.
An e-book that meets the above rule is judged to be a risky e-book.
Example 3: for an unknown, risky serial number generator, the matching rule is as follows:
Target file name: contains the keyword "serial number generator" or "keygen" or "cracker" or "shredder";
Target file icon feature value: includes the features of a serial number generator icon.
A serial number generator that meets the above rule can be judged to be a risky serial number generator.
Besides the matching rules listed above, many other rules are possible, such as fuzzy matching or full matching, or matching on the file name first, depending on the specific application; they are not enumerated here.
2) When the target object to be operated on is information input by a user, judging whether it meets a preset matching rule comprises: judging whether the information input by the user meets a preset matching rule.
For example, judge whether the web address input by the user is the address of a pornographic website, or whether the keyword input by the user contains terms such as "Japanese AV" or "erotica". From the information the user inputs, it can be determined in advance whether the website the user is about to browse, or the web page the user is about to search for, needs to be placed in the sandbox.
On the basis of the matching rules listed above, preferably, the following automatic judgments can also be carried out first, before the target object is automatically judged against the matching rules:
1) Before judging whether the target object to be operated on meets a preset matching rule:
Create a process for automatically judging the execution of the target object;
Judge whether the parent process of that process is in the sandbox; if so, the execution of the target object to be operated on needs to be directed into the sandbox; if not, continue to judge whether the target object to be operated on meets a preset matching rule.
If the process used for automatically judging the execution of the target object has a parent process, the process used for the automatic judgment is called a child process. If the parent process has been directed into the sandbox, the parent process is untrusted, so the child process it invokes is also untrusted and should likewise be directed into the sandbox for execution.
2) Before judging whether the target object to be operated on meets a preset matching rule:
Judge whether the user has chosen to direct the execution of the target object to be operated on into the sandbox; if so, the execution of the target object to be operated on needs to be directed into the sandbox; if not, continue to judge whether the target object to be operated on meets a preset matching rule.
That is, the user can take part in choosing whether to use the sandbox; if the user actively chooses the sandbox, the automatic judgment against the matching rules is not needed.
3) Before judging whether the target object to be operated on meets a preset matching rule:
Judge whether the target object to be operated on is in the whitelist; if it is not in the whitelist, the target object to be operated on is an unknown object, and the judgment of whether it meets a preset matching rule continues; if it is in the whitelist, it does not need to be directed into the sandbox.
The whitelist lists comparatively safe target objects; a target object in the whitelist can be executed directly without being directed into the sandbox. If the target object to be operated on is in the whitelist, the automatic judgment against the matching rules can be skipped. If the target object to be operated on is not in the whitelist, it is an unknown object and further automatic judgment is needed.
4) Before judging whether the target object to be operated on meets a preset matching rule:
Judge whether the target object to be operated on is in the blacklist; if it is in the blacklist, the execution of the target object to be operated on needs to be directed into the sandbox; if it is not in the blacklist, continue to judge whether the target object to be operated on meets a preset matching rule.
The blacklist lists target objects that are definitely not trusted; if the target object to be operated on is in the blacklist, it is directed straight into the sandbox for execution. If it is not in the blacklist, however, this does not establish that the target object to be operated on is safe, so the matching-rule judgment still has to be carried out.
In practice, if the target object to be operated on is in the blacklist, it can also be blocked outright instead of being put into the sandbox; the user can choose between these.
Items 1) to 4) above can each be used alone before the matching-rule judgment, or used in combination before it.
Based on the foregoing, in practical applications the embodiment of the present invention also provides the following two implementations:
First, in response to a request from the client, the server automatically judges whether the execution of the target object to be operated on needs to be directed into the sandbox;
Specifically, the server stores the various rules for automatic judgment. If the target program or target file to be operated on has already been downloaded to the client, then when the user clicks to execute it the client sends a judgment request to the server, and the server carries out the automatic judgment. Alternatively, before the target program or target file is downloaded from the server, the server judges from the client's download request whether the download should be directed into the sandbox. Alternatively, when the user inputs a network address or keyword, the server carries out the automatic judgment on the user's input.
Second, the client automatically judges whether the execution of the target object to be operated on needs to be directed into the sandbox.
In this case, the client stores the various rules for automatic judgment and updates them from the server periodically, and the client can carry out the automatic judgment before the user operates on the target object.
In summary, the above embodiment provides an intelligent judgment method that can automatically judge, before the user performs an operation on a target object, whether the execution of the target object needs to be directed into the sandbox, which brings the following advantages:
First, it helps the user determine which risky programs need to run in the sandbox, without the user having to judge for themselves;
Second, it avoids the loss of user data caused by running safe, risk-free programs in the sandbox;
Third, it requires no participation from the user, so it does not interfere with the user's operation and is easy to use.
Based on the foregoing, the present invention also provides the preferred embodiment shown in Fig. 2.
Fig. 2 is a flow chart of a method of defense using sandbox technology according to the preferred embodiment of the present invention.
The following takes a target program as the target object by way of example; the cases where the target object is a target file or information input by the user are similar and are not described in detail.
The complete judgment flow by which a target program to be operated on automatically enters the sandbox is as follows:
Step 201, create a process;
Step 202, judge whether the parent process is in the sandbox;
If the parent process is in the sandbox, jump to step 208;
If the parent process is not in the sandbox, continue with step 203.
Step 203, judge whether the user has chosen to direct the execution of the target program to be operated on into the sandbox;
If the user has chosen to direct the execution of the target program to be operated on into the sandbox, jump to step 208;
If the user has not chosen to direct the execution of the target program to be operated on into the sandbox, continue with step 204.
Step 204, judge whether the target program to be operated on is in the whitelist;
If it is in the whitelist, jump to step 209;
If it is not in the whitelist, it is an unknown program; continue with step 205.
Step 205, judge whether the target object to be operated on is in the blacklist;
If it is in the blacklist, jump to step 208;
If it is not in the blacklist, continue with step 206.
Step 206, judge whether the target program is a program of a particular type;
Whether it is a program of a particular type is determined according to the various matching rules;
If so, continue with step 207;
If not, jump to step 209.
Step 207, pop up a reminder window notifying the user that this target program will be directed into the sandbox for execution;
If the user chooses to do so, the target program is added to the sandbox run list.
Step 208, start directing the target program's operations such as writing, deleting and modifying files/registry entries into the sandbox; the judgment flow ends.
Step 209, run the target program in the normal environment (non-sandbox mode); the judgment flow ends.
It should be noted that the order of steps 203 to 205 can also be changed, but all of them must come before step 206.
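The judgment flow of steps 201 to 209, with keyword-plus-icon matching rules in the style of Examples 2 and 3, as an added Python example that is not part of the patent text. The names `Target`, `MatchRule`, `decide` and `confirm`, the icon feature strings, keying the lists by file name, and running the program normally when the user declines the step 207 prompt are all assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Collection, Sequence


class Verdict(Enum):
    SANDBOX = "run in sandbox (step 208)"
    NORMAL = "run in normal environment (step 209)"


@dataclass(frozen=True)
class Target:
    """Facts gathered when the process for the target program is created (step 201)."""
    file_name: str
    icon_feature: str                 # constructed stand-in for an icon feature value
    parent_in_sandbox: bool = False
    user_chose_sandbox: bool = False


@dataclass(frozen=True)
class MatchRule:
    """Preset rule: a file-name keyword AND the icon feature must both match."""
    label: str
    name_keywords: tuple
    icon_feature: str

    def matches(self, target: Target) -> bool:
        name = target.file_name.lower()
        return (any(k in name for k in self.name_keywords)
                and target.icon_feature == self.icon_feature)


# Rules modelled on Examples 2 and 3; the icon feature strings are constructed.
RULES = (
    MatchRule("risky e-book", ("e-book",), "icon:e-book"),
    MatchRule("risky serial number generator",
              ("serial number generator", "keygen", "cracker", "shredder"),
              "icon:keygen"),
)


@dataclass(frozen=True)
class Decision:
    verdict: Verdict
    step: int      # step of the flow at which the outcome was fixed
    reason: str


def decide(target: Target,
           whitelist: Collection[str],
           blacklist: Collection[str],
           rules: Sequence[MatchRule] = RULES,
           confirm: Callable[[Target, MatchRule], bool] = lambda t, r: True) -> Decision:
    """Walk steps 202-207 in order and return where the program should run."""
    key = target.file_name.lower()    # assumption: both lists are keyed by file name
    if target.parent_in_sandbox:                              # step 202
        return Decision(Verdict.SANDBOX, 202, "parent process is in the sandbox")
    if target.user_chose_sandbox:                             # step 203
        return Decision(Verdict.SANDBOX, 203, "user chose the sandbox")
    if key in whitelist:                                      # step 204
        return Decision(Verdict.NORMAL, 204, "in whitelist")
    if key in blacklist:                                      # step 205
        return Decision(Verdict.SANDBOX, 205, "in blacklist")
    for rule in rules:                                        # step 206
        if rule.matches(target):
            # Step 207: prompt the user. Treating a refusal as a normal run
            # is an assumption; the flow only describes the accepting branch.
            if confirm(target, rule):
                return Decision(Verdict.SANDBOX, 207, rule.label)
            return Decision(Verdict.NORMAL, 207, "user declined: " + rule.label)
    return Decision(Verdict.NORMAL, 206, "no preset rule matched")


if __name__ == "__main__":
    # Constructed sample inputs.
    whitelist = {"notepad.exe"}
    blacklist = {"dropper.exe"}
    samples = [
        Target("notepad.exe", "icon:text"),
        Target("notepad.exe", "icon:text", parent_in_sandbox=True),
        Target("dropper.exe", "icon:setup"),
        Target("Office_KeyGen_v2.exe", "icon:keygen"),
        Target("Office_KeyGen_v2.exe", "icon:setup"),
    ]
    for s in samples:
        d = decide(s, whitelist, blacklist)
        print(f"{s.file_name:24} step {d.step}: {d.verdict.name} ({d.reason})")
```

Because step 202 comes before step 204, a whitelisted program launched by a sandboxed parent still runs in the sandbox; a file name that contains a rule keyword but carries a different icon falls through to the normal environment.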
It should be noted that, for simplicity of description, each of the foregoing method embodiments is expressed as a series of combined actions, but those skilled in the art should know that the present invention is not limited by the described order of actions, because according to the present invention some steps can be performed in other orders or simultaneously. Furthermore, those skilled in the art should also know that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily required by the present invention.
Based on the foregoing, the present invention also provides a corresponding device embodiment, as shown in Fig. 3.
Fig. 3 is a structural diagram of a device for defense using sandbox technology according to the preferred embodiment of the present invention.
The device can comprise the following modules:
Judgment trigger module 31, for triggering the automatic judgment module 32 before an operation is performed on a target object;
Automatic judgment module 32, for automatically judging, for the target object to be operated on, whether the execution of the target object needs to be directed into the sandbox; if so, the execution of the target object is completed inside the sandbox; if not, it is completed outside the sandbox.
The target object includes but is not limited to: a target program, a target file, or information input by the user.
When it is automatically judged that the execution of the target object needs to be directed into the sandbox:
If the target object is a target program, the automatic judgment module 32 directs the target program into the sandbox, and the target program is run inside the sandbox;
If the target object is a target file, the automatic judgment module 32 directs the associated program that executes the target file into the sandbox, and the target file is run by the associated program inside the sandbox;
If the target object is information input by the user, the automatic judgment module 32 directs the associated program that receives the user's input into the sandbox, and the associated program is run inside the sandbox according to the user's input; the information input by the user includes a network address and/or a keyword.
In addition, if the target object is a target program, the judgment trigger module 31 triggers the automatic judgment module 32 after the target program has been downloaded to the client and before the client runs it; and/or triggers the automatic judgment module 32 before the target program is downloaded;
If the target object is a target file, the judgment trigger module 31 triggers the automatic judgment module 32 after the target file, or the associated program that executes the target file, has been downloaded to the client and before the client runs the target file; and/or triggers the automatic judgment module 32 before the target file is downloaded or before the associated program that executes the target file is run online;
If the target object is information input by the user, the judgment trigger module 31 triggers the automatic judgment module 32 when the user inputs the information.
Further, the automatic judgment module 32 can comprise:
Rule judgment submodule 321, for judging whether the target object to be operated on meets a preset matching rule; if it does, the execution of the target object to be operated on needs to be directed into the sandbox; if it does not, it does not need to be directed into the sandbox.
Further, when the target object to be operated on is a target program and/or a target file, the rule judgment submodule 321 judges whether the relevant information of the target object meets a preset matching rule; and/or judges whether the relevant information of the source program of the target object meets a preset matching rule;
The relevant information of the target object comprises the target object's file path and/or encrypted data and/or file attributes and/or icon feature value and/or file feature value and/or download source; the relevant information of the source program comprises the source program's file path and/or encrypted data and/or file attributes and/or icon feature value and/or file feature value and/or download source;
When the target object to be operated on is information input by the user, the rule judgment submodule 321 judges whether the information input by the user meets a preset matching rule.
Preferably, the automatic judgment module 32 can also comprise:
Parent process judgment submodule 322, for judging, after the process for automatically judging the execution of the target object has been created, whether the parent process of that process is in the sandbox; if so, the execution of the target object to be operated on needs to be directed into the sandbox; if not, the rule judgment submodule is triggered to continue judging whether the target object to be operated on meets a preset matching rule.
Preferably, the automatic judgment module 32 can also comprise:
User selection judgment submodule 323, for judging whether the user has chosen to direct the execution of the target object to be operated on into the sandbox; if so, the execution of the target object to be operated on needs to be directed into the sandbox; if not, the rule judgment submodule is triggered to continue judging whether the target object to be operated on meets a preset matching rule.
Preferably, the automatic judgment module 32 can also comprise:
Whitelist judgment submodule 324, for judging whether the target object to be operated on is in the whitelist; if it is not in the whitelist, the target object to be operated on is an unknown object, and the rule judgment submodule is triggered to continue judging whether the target object to be operated on meets a preset matching rule; if it is in the whitelist, it does not need to be directed into the sandbox.
Preferably, the automatic judgment module 32 can also comprise:
Blacklist judgment submodule 325, for judging whether the target object to be operated on is in the blacklist; if it is in the blacklist, the execution of the target object to be operated on needs to be directed into the sandbox; if it is not in the blacklist, the rule judgment submodule is triggered to continue judging whether the target object to be operated on meets a preset matching rule.
Preferably, the device can also comprise:
Reminder module 33, for popping up a reminder window, when the execution of the target object to be operated on needs to be directed into the sandbox and before it is directed there, asking the user whether to direct it into the sandbox.
Because the device embodiment is substantially similar to the method embodiment, its description is relatively brief; for the relevant parts, refer to the corresponding explanation in the method embodiment.
The above device for defense using sandbox technology can be deployed on the server side or on the client side. Before the user performs an operation on a target object, it automatically judges whether the execution of the target object needs to be directed into the sandbox, which helps the user determine which risky programs need to run in the sandbox and avoids the loss of user data caused by running safe, risk-free programs in the sandbox; and because no participation from the user is required, it does not interfere with the user's operation and is easy to use.
Based on the above device for defense using sandbox technology, the embodiment of the present invention also provides a secure browser. The browser comprises the device for system defense using sandbox technology described in the Fig. 3 embodiment above, and can use the method described in Fig. 1 or Fig. 2 to automatically judge whether the execution of a target object to be operated on needs to be directed into the sandbox. For details, refer to the related content of Fig. 1, Fig. 2 and Fig. 3 above; they are not described again here.
The embodiments in this specification are described progressively; each embodiment focuses on its differences from the others, and for the parts that are the same or similar the embodiments may be referred to one another.
Finally, it should also be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations.
Moreover, "and/or" above indicates that both the "and" relationship and the "or" relationship are covered: if option A and option B are in an "and" relationship, an embodiment may include option A and option B at the same time; if option A and option B are in an "or" relationship, an embodiment may include option A alone or option B alone.
The method, device and secure browser for defense using sandbox technology provided by the present invention have been described in detail above. Specific examples have been used herein to set out the principle and embodiments of the present invention, and the explanation of the above embodiments is only intended to help in understanding the method of the present invention and its core idea. At the same time, for those of ordinary skill in the art, changes may be made to the specific embodiments and the scope of application in accordance with the idea of the present invention. In summary, this description should not be construed as limiting the present invention.

Claims (19)

1. A method of defense using sandbox technology, characterized by comprising:
Before an operation is performed on a target object, triggering a defense step;
For the target object to be operated on, judging whether the execution of the target object needs to be directed into a sandbox;
If the target object is in a whitelist, running the target object in non-sandbox mode;
If the target object is not in the whitelist, the target object to be operated on is an unknown object, and judging whether the target object to be operated on is in a blacklist;
If the target object is in the blacklist, the execution of the target object needs to be directed into the sandbox, and the target program's operations such as writing, deleting and modifying files/registry entries are directed into the sandbox;
If the target object is not in the blacklist, judging whether the target object to be operated on meets a preset matching rule; if it does, the target object is considered to be a program of a particular type, and a reminder window pops up notifying the user that the target program will be directed into the sandbox for execution.
2. The method according to claim 1, characterized by comprising:
The server stores the various rules for automatic judgment and, in response to a request from the client, the server automatically judges whether the execution of the target object needs to be directed into the sandbox; and/or the client stores the various rules for automatic judgment and updates them from the server periodically, the client carries out the automatic judgment before the user operates on the target object, and the client automatically judges whether the execution of the target object to be operated on needs to be directed into the sandbox.
3. The method according to claim 1, characterized in that, when it is judged that the execution of the target object needs to be directed into the sandbox:
If the target object is a target program, the target program is directed into the sandbox, and the target program is run inside the sandbox;
If the target object is a target file, the associated program that executes the target file is directed into the sandbox, and the target file is run by the associated program inside the sandbox;
If the target object is information input by the user, the associated program that receives the user's input is directed into the sandbox, and the associated program is run inside the sandbox according to the user's input; the information input by the user includes a network address and/or a keyword.
4. The method according to claim 1, characterized in that, when it is judged that the execution of the target object needs to be directed into the sandbox, the step comprises:
If the target object is a target program, triggering the defense step after the target program has been downloaded to the client and before the client runs it; and/or triggering the defense step before the target program is downloaded;
If the target object is a target file, triggering the defense step after the target file, or the associated program that executes the target file, has been downloaded to the client and before the client runs the target file; and/or triggering the defense step before the target file is downloaded or before the associated program that executes the target file is run online;
If the target object is information input by the user, triggering the defense step when the user inputs the information.
5. The method according to any one of claims 1 to 4, characterized in that judging whether the target object to be operated on meets a preset matching rule comprises:
Judging whether the target object to be operated on meets a preset matching rule; if it does, the execution of the target object to be operated on needs to be directed into the sandbox; if it does not, it does not need to be directed into the sandbox.
6. The method according to claim 5, characterized in that, before judging whether the target object to be operated on meets a preset matching rule, the method further comprises:
Creating a process for automatically judging the execution of the target object;
Judging whether the parent process of that process is in the sandbox; if so, the execution of the target object to be operated on needs to be directed into the sandbox; if not, continuing to judge whether the target object to be operated on meets a preset matching rule.
7. The method according to claim 5, characterized in that, before judging whether the target object to be operated on meets a preset matching rule, the method further comprises:
Judging whether the user has chosen to direct the execution of the target object to be operated on into the sandbox; if so, the execution of the target object to be operated on needs to be directed into the sandbox; if not, continuing to judge whether the target object to be operated on meets a preset matching rule.
8. The method according to claim 5, characterized in that judging whether the target object to be operated on meets a preset matching rule comprises:
Querying a preset database and comparing the target object to be operated on with the preset rules in the database; if a match is found in the database, the matching rule is met; if no match is found, the matching rule is not met.
9. The method according to claim 5, characterized in that, when the target object to be operated on is a target program and/or a target file, judging whether the target object to be operated on meets a preset matching rule comprises:
Judging whether the relevant information of the target object meets a preset matching rule;
And/or judging whether the relevant information of the source program of the target object meets a preset matching rule.
10. The method according to claim 1, characterized in that:
The relevant information of the target object comprises the target object's file path and/or encrypted data and/or file attributes and/or icon feature value and/or file feature value and/or download source;
The relevant information of the source program comprises the source program's file path and/or encrypted data and/or file attributes and/or icon feature value and/or file feature value and/or download source.
11. The method according to claim 5, characterized in that, when the target object to be operated on is information input by the user, judging whether the target object to be operated on meets a preset matching rule comprises: judging whether the information input by the user meets a preset matching rule.
12. A device for defense using sandbox technology, characterized by comprising:
A judgment trigger module, for triggering the automatic judgment module before an operation is performed on a target object;
An automatic judgment module, for judging, for the target object to be operated on, whether the execution of the target object needs to be directed into a sandbox;
If the target object is in a whitelist, running the target object in non-sandbox mode;
If the target object is not in the whitelist, the target object to be operated on is an unknown object, and judging whether the target object to be operated on is in a blacklist;
If the target object is in the blacklist, the execution of the target object needs to be directed into the sandbox, and the target program's operations such as writing, deleting and modifying files/registry entries are directed into the sandbox;
If the target object is not in the blacklist, judging whether the target object to be operated on meets a preset matching rule; if it does, the target object is considered to be a program of a particular type, and a reminder window pops up notifying the user that the target program will be directed into the sandbox for execution.
13. The device according to claim 12, characterized in that the server stores the various rules for automatic judgment and, in response to a request from the client, the server automatically judges whether the execution of the target object to be operated on needs to be directed into the sandbox; and/or
The client stores the various rules for automatic judgment and updates them from the server periodically, the client carries out the automatic judgment before the user operates on the target object, and the client automatically judges whether the execution of the target object to be operated on needs to be directed into the sandbox.
14. The device according to claim 12, characterized in that, when it is automatically judged that the execution of the target object needs to be directed into the sandbox:
If the target object is a target program, the automatic judgment module directs the target program into the sandbox, and the target program is run inside the sandbox;
If the target object is a target file, the automatic judgment module directs the associated program that executes the target file into the sandbox, and the target file is run by the associated program inside the sandbox;
If the target object is information input by the user, the automatic judgment module directs the associated program that receives the user's input into the sandbox, and the associated program is run inside the sandbox according to the user's input; the information input by the user includes a network address and/or a keyword.
15. The device according to claim 12, characterized in that:
If the target object is a target program, the judgment trigger module triggers the automatic judgment module after the target program has been downloaded to the client and before the client runs it; and/or triggers the automatic judgment module before the target program is downloaded;
If the target object is a target file, the judgment trigger module triggers the automatic judgment module after the target file, or the associated program that executes the target file, has been downloaded to the client and before the client runs the target file; and/or triggers the automatic judgment module before the target file is downloaded or before the associated program that executes the target file is run online;
If the target object is information input by the user, the judgment trigger module triggers the automatic judgment module when the user inputs the information.
16. The device according to any one of claims 12 to 15, characterized in that the automatic judgment module comprises:
A rule judgment submodule, for judging whether the target object to be operated on meets a preset matching rule; if it does, the execution of the target object to be operated on needs to be directed into the sandbox; if it does not, it does not need to be directed into the sandbox.
17. The device according to claim 16, characterized in that the automatic judgment module further comprises:
A parent process judgment submodule, for judging, after the process for automatically judging the execution of the target object has been created, whether the parent process of that process is in the sandbox; if so, the execution of the target object to be operated on needs to be directed into the sandbox; if not, the rule judgment submodule is triggered to continue judging whether the target object to be operated on meets a preset matching rule.
18. The device according to claim 16, characterized in that the automatic judgment module further comprises:
A user selection judgment submodule, for judging whether the user has chosen to direct the execution of the target object to be operated on into the sandbox; if so, the execution of the target object to be operated on needs to be directed into the sandbox; if not, the rule judgment submodule is triggered to continue judging whether the target object to be operated on meets a preset matching rule.
19. The device according to claim 16, characterized in that:
When the target object to be operated on is a target program and/or a target file, the rule judgment submodule judges whether the relevant information of the target object meets a preset matching rule; and/or judges whether the relevant information of the source program of the target object meets a preset matching rule;
The relevant information of the target object comprises the target object's file path and/or encrypted data and/or file attributes and/or icon feature value and/or file feature value and/or download source; the relevant information of the source program comprises the source program's file path and/or encrypted data and/or file attributes and/or icon feature value and/or file feature value and/or download source;
When the target object to be operated on is information input by the user, the rule judgment submodule judges whether the information input by the user meets a preset matching rule.
CN201310447652.5A 2011-04-21 2011-04-21 Method and device for defense by utilization of sandbox technology and security browser Pending CN103514401A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310447652.5A CN103514401A (en) 2011-04-21 2011-04-21 Method and device for defense by utilization of sandbox technology and security browser

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN201110100859.6A Division CN102184356B (en) 2011-04-21 2011-04-21 Method, device and safety browser by utilizing sandbox technology to defend

Publications (1)

Publication Number Publication Date
CN103514401A true CN103514401A (en) 2014-01-15

Family

ID=49897107

Country Status (1)

Country Link
CN (1) CN103514401A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5974549A (en) * 1997-03-27 1999-10-26 Soliton Ltd. Security monitor
US20060048099A1 (en) * 2004-08-27 2006-03-02 Microsoft Corporation Debugging applications under different permissions
CN1961272A (en) * 2004-06-29 2007-05-09 英特尔公司 Method of improving computer security through sandboxing
CN101253487A (en) * 2005-09-01 2008-08-27 微软公司 Resource based dynamic security authorization
US20100138639A1 (en) * 2008-12-02 2010-06-03 Microsoft Corporation Sandboxed execution of plug-ins

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103763316B (en) * 2014-01-16 2016-10-26 中国联合网络通信集团有限公司 The method of a kind of web page contents filtration and Provider Equipment
CN105338017A (en) * 2014-06-30 2016-02-17 北京新媒传信科技有限公司 WEB defense method and system
CN106055975A (en) * 2016-05-16 2016-10-26 杭州华三通信技术有限公司 Document detection method and sandbox
CN106682501A (en) * 2016-12-20 2017-05-17 深圳市九洲电器有限公司 Set-top-box application program management method and system
CN112434284A (en) * 2020-10-29 2021-03-02 格物钛(上海)智能科技有限公司 Machine learning training platform implementation based on sandbox environment
CN112434284B (en) * 2020-10-29 2022-05-17 格物钛(上海)智能科技有限公司 Machine learning training platform implementation based on sandbox environment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20140115